| author | Preston Pan <ret2pop@gmail.com> | 2025-09-19 17:20:46 -0700 |
|---|---|---|
| committer | Preston Pan <ret2pop@gmail.com> | 2025-09-19 17:20:46 -0700 |
| commit | eadddb3c872cba3edd674424fadc959bf00b721f (patch) | |
| tree | 73a10decff3d3ca853caaeab31d479cc681e70f3 /nix/modules | |
| parent | cabee290a934702318de9fb6a035e61d79de2dfc (diff) | |
commit all changes before flake update
Diffstat (limited to 'nix/modules')
| -rw-r--r-- | nix/modules/configuration.nix | 49 | ||||
| -rw-r--r-- | nix/modules/firejail.nix | 20 | ||||
| -rw-r--r-- | nix/modules/impermanence.nix | 2 |
3 files changed, 68 insertions, 3 deletions
diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix index 5b44fc4..bf73117 100644 --- a/nix/modules/configuration.nix +++ b/nix/modules/configuration.nix @@ -22,6 +22,7 @@ ./znc.nix ./docker.nix ./impermanence.nix + ./firejail.nix ]; documentation = { @@ -55,7 +56,10 @@ boot = { - + supportedFilesystems = { + btrfs = true; + ext4 = true; + }; extraModprobeConfig = '' options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1 ''; @@ -185,9 +189,49 @@ }; networking = { - useDHCP = lib.mkDefault true; + useDHCP = false; + dhcpcd.enable = false; + nameservers = [ + "1.1.1.1" + "8.8.8.8" + ]; networkmanager = { enable = true; + wifi.powersave = false; + ensureProfiles = { + profiles = { + home-wifi = { + connection = { + id = "home-wifi"; + permissions = ""; + type = "wifi"; + }; + ipv4 = { + dns-search = ""; + method = "auto"; + }; + ipv6 = { + addr-gen-mode = "stable-privacy"; + dns-search = ""; + method = "auto"; + }; + wifi = { + mac-address-blacklist = ""; + mode = "infrastructure"; + ssid = "TELUS6572"; + }; + wifi-security = { + auth-alg = "open"; + key-mgmt = "wpa-psk"; + # when someone actually steals my internet then I will be concerned. + # This password only matters if you actually show up to my house in real life. + # That would perhaps allow for some nasty networking related shenanigans. + # I guess we'll cross that bridge when I get there. + psk = "b4xnrv6cG6GX"; + }; + }; + }; + }; }; firewall = { allowedTCPPorts = [ 22 11434 ]; @@ -275,6 +319,7 @@ lockKernelModules = true; protectKernelImage = true; + allowSimultaneousMultithreading = true; forcePageTableIsolation = true; diff --git a/nix/modules/firejail.nix b/nix/modules/firejail.nix new file mode 100644 index 0000000..054171a --- /dev/null +++ b/nix/modules/firejail.nix 
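Review bot: The `psk` in the new `wifi-security` block is a live passphrase stored as a plaintext literal, next to the SSID, so it is published with the repository and most likely copied into the world-readable Nix store on every host that evaluates this profile. Load it from a secret file outside the store instead, e.g. `psk = "$HOME_WIFI_PSK";` together with `ensureProfiles.environmentFiles = [ "/run/secrets/<wifi-env-file>" ];` (placeholder path), and rotate the passphrase because the current one stays in git history. The inline comment treats Wi-Fi access as harmless, but the `firewall` lines in the same hunk open TCP 22 and 11434, so on that network the passphrase is the only barrier in front of those services. The `networking` block continues past the end of the hunk.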
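Review bot: `allowSimultaneousMultithreading = true;` is added without a comment, in a block that otherwise tightens the kernel (`lockKernelModules`, `protectKernelImage`, `forcePageTableIsolation`). With SMT on, sibling hyperthreads share core state, which is the condition that cross-thread CPU side-channel mitigations rely on removing. If the performance trade-off is deliberate, record it next to the line, e.g. `# SMT kept on for performance; accepts cross-hyperthread side-channel exposure`. The enclosing block starts and ends outside the hunk, so it is not visible whether a hardened profile elsewhere sets this to false and this line overrides it.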
@@ -0,0 +1,20 @@ +{ pkgs, lib, ... }: +{ + programs.firejail = { + enable = true; + wrappedBinaries = { + firefox = { + executable = "${lib.getBin pkgs.firefox-bin}/bin/firefox"; + profile = "${pkgs.firejail}/etc/firejail/firefox.profile"; + }; + emacs = { + executable = "${lib.getBin pkgs.emacs-pgtk}/bin/emacs"; + profile = "${pkgs.firejail}/etc/firejail/emacs.profile"; + }; + zathura = { + executable = "${lib.getBin pkgs.zathura}/bin/zathura"; + profile = "${pkgs.firejail}/etc/firejail/zathura.profile"; + }; + }; + }; +} diff --git a/nix/modules/impermanence.nix b/nix/modules/impermanence.nix index aa876d9..d728b6a 100644 --- a/nix/modules/impermanence.nix +++ b/nix/modules/impermanence.nix @@ -32,7 +32,7 @@ umount /btrfs_tmp '' else ""); - boot.initrd.luks.devices = (if config.monorepo.profiles.impermanence.enable then { + boot.initrd.luks.devices = (if (! (config.monorepo.vars.fileSystem == "btrfs")) then { crypted = { device = "/dev/disk/by-partlabel/disk-main-luks"; }; |
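Review bot: The three `wrappedBinaries` entries only sandbox launches that resolve `firefox`, `emacs` or `zathura` by name to the generated wrapper. A `.desktop` entry that uses the absolute store path, an `emacsclient` session, or an unwrapped copy of the package installed elsewhere in the profile would still start unsandboxed. Consider setting the `desktop` attribute on each entry to the package's `.desktop` file, so that launcher starts also go through firejail. After a rebuild, `firejail --list` shows whether the running processes are actually sandboxed. A short header comment in the new file saying which packages must not also be installed unwrapped would help the next reader.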
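Review bot: The new condition on `boot.initrd.luks.devices` ties the `crypted` LUKS mapping to the filesystem variable instead of the impermanence profile, and nothing in the line says why. A host with `fileSystem == "btrfs"` now takes the `else` branch, which is outside the hunk, so it cannot be confirmed here that such hosts still get an encrypted root device. The negated equality is also harder to read than the direct form `(if config.monorepo.vars.fileSystem != "btrfs" then {`. Add a one-line comment stating which layouts are expected to declare the LUKS device here and where the btrfs case declares it.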
