switch laptop config

hosts/laptop.nix

@@ -1,4 +1,4 @@
-{
+{ pkgs, ...}: {
   imports = [
     ./common.nix
     ../modules/networking.nix
@@ -9,12 +9,58 @@
     ../modules/packages.nix
     ../modules/hyprland
     ../modules/tex.nix
+    ../modules/virt.nix
+    ../modules/arduino.nix
+    ../../perf_mode/perf_mode.nix
   ];
 
   nixpkgs.config.allowUnfree = true;
 
   networking.hostName = "laptop";
 
-  system.stateVersion = "23.11";
+  services.logind.settings.Login.HandlePowerKey = "suspend";
+
+  # stupid ISO keyboards
+  console.useXkbConfig = true;
+  services.xserver.xkb = {
+    variant = "";
+
+    layout = "us-custom";
+    extraLayouts.us-custom = {
+      description = "My custom US layout";
+      languages = [ "eng" ];
+
+      symbolsFile = pkgs.writeText "xkb-layout" ''
+        xkb_symbols "us-custom" {
+          include "us(basic)"
+          include "level3(ralt_switch)"
+          key <LSGT> { [ Shift_L ] };
+       };
+      '';
+    };
+  };
+
+  home-manager.users.may.home.packages = with pkgs; [ 
+    intel-gpu-tools
+    obsidian
+    chromium
+    libreoffice
+  ];
+
+  networking.firewall = {
+   allowedTCPPorts = [
+      #web
+      8000
+      8080
+
+      42069
+    ];
+
+    allowedUDPPorts = [
+      #spotify google cast
+      5353
+    ];
+  };
+
   home-manager.users.may.home.stateVersion = "25.11";
 }

modules/arduino.nix

@@ -0,0 +1,6 @@
+{ pkgs, ...}: {
+  home-manager.users.may.home.packages = with pkgs; [
+    arduino
+    arduino-ide
+  ];
+}

modules/gui.nix

@@ -0,0 +1,11 @@
+{ pkgs, ...}: {
+  home-manager.users.may.home.packages = with pkgs; [ 
+    firefox             # browser
+    nautilus            # gui file manager
+    alacritty           # terminal
+    imv                 # image viewer
+    file-roller         # archive manager
+    vscode              # text editor
+    gnome-disk-utility
+  ];
+}

modules/hyprland/default.nix

@@ -10,6 +10,7 @@ in {
     ./nwg-panel-conf.nix
     # assume any desktop env will have audio
     ../audio.nix
+    ../gui.nix
   ];
 
   
@@ -80,12 +81,6 @@ in {
     };
 
     home.packages = with pkgs; [
-      firefox  # browser
-      nautilus # gui file manager
-      alacritty # terminal
-      imv # image viewer
-      file-roller # archive manager
-
       # notifications
       libnotify
       dunst

modules/locale.nix

@@ -1,8 +1,8 @@
-{
+{ lib, ...}: {
   time.timeZone = "America/Toronto";
   i18n.defaultLocale = "en_CA.UTF-8";
 
-  services.xserver.xkb = {
+  services.xserver.xkb = lib.mkDefault {
     layout = "us";
     variant = "";
   };

modules/packages.nix

@@ -7,7 +7,6 @@
       openjdk21
       vlc
       spotify
-      vscode
       jetbrains.idea
       obs-studio
       discord

modules/saleae-logic.nix

@@ -0,0 +1,4 @@
+{ pkgs, ...}: {
+  services.udev.packages = [ pkgs.saleae-logic-2 ];
+  home-manager.users.may.home.packages = [ pkgs.saleae-logic-2 ];
+}

modules/virt.nix

@@ -0,0 +1,8 @@
+{
+  programs.virt-manager.enable = true;
+  users.groups.libvirtd.members = ["may"];
+  virtualisation = {
+    libvirtd.enable = true;
+    spiceUSBRedirection.enable = true;
+  };
+}

modules/wireguard-client.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+let
+
+in
+{
+   networking.firewall = {
+    # if packets are still dropped, they will show up in dmesg
+    logReversePathDrops = true;
+    # wireguard trips rpfilter up
+    extraCommands = ''
+      ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN
+      ip46tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN
+    '';
+    extraStopCommands = ''
+      ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 51820 -j RETURN || true
+      ip46tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 51820 -j RETURN || true
+    '';
+
+    allowedUDPPorts = [ 51820 ];
+  };
+}

secrets.nix

@@ -1,7 +1,21 @@
 let
-  desktop_may = builtins.readFile ./secrets/ssh/desktop_may_pub;
+  readFileOrNull = path: 
-  desktop_host = builtins.readFile ./secrets/ssh/desktop_host_pub;
+    if builtins.pathExists path
-  pub_keys = [ desktop_may desktop_host ];
+    then builtins.readFile path
+    else null;
+
+  desktop_may = readFileOrNull ./secrets/ssh/desktop_may_pub;
+  desktop_host = readFileOrNull ./secrets/ssh/desktop_host_pub;
+  
+  laptop_may = readFileOrNull ./secrets/ssh/laptop_may_pub;
+  laptop_host = readFileOrNull ./secrets/ssh/laptop_host_pub;
+  
+  pub_keys = builtins.filter builtins.isString [ 
+    desktop_may desktop_host 
+    laptop_may laptop_host 
+  ];
+  
+  _ = if builtins.length pub_keys == 0 then abort "pub_keys must have at least one key" else null;
 in {
   "secrets/wireguard/server_priv.age".publicKeys = pub_keys;
   "secrets/wireguard/home_psk.age".publicKeys = pub_keys;