- Disable firewall to allow VPN traffic
- Switch DNS from VPN server (10.0.1.65) to Cloudflare (1.1.1.1)
- Use direct IP endpoint (69.48.243.22) instead of DNS hostname to
prevent resolution failures when DNS routes through the tunnel
- Add pre/post routing rules to avoid routing loop by sending VPN
endpoint traffic via the local gateway
Constraint: endpoint must be an IP, not hostname, to avoid DNS chicken-and-egg
Rejected: keep DNS hostname endpoint | fails when DNS resolves through tunnel
Confidence: high
Scope-risk: moderate
Replace 0.0.0.0/0 allowedIPs with CIDR blocks covering everything except
10.0.0.0/24, which conflicts with the building's local network. Also switch
endpoint back to hostname and remove unused tailscale service block.
Replace hostname endpoint with resolved IP (69.48.243.22) so
wg-quick's native fwmark-based routing handles 0.0.0.0/0 correctly.
Remove preUp/postDown hooks that conflicted with wg-quick's own
policy routing.
postUp runs after wg-quick has already rerouted all traffic through
the tunnel, making external DNS unreachable. Use preUp to add the
host route before routing changes, and postDown to clean up after.
Add postUp/preDown hooks to create a host route for the VPN endpoint
via the real gateway, preventing a routing loop when allowedIPs is
0.0.0.0/0. Also add wg0 to firewall trustedInterfaces.
FreeCAD is a home-manager package, so its GSettings schema dependency
(org.gtk.Settings.FileChooser) must also be in home.packages for
home-manager to include it in XDG_DATA_DIRS. Having gtk3 only in
system packages left it invisible to the user session.
FreeCAD crashes with 'org.gtk.Settings.FileChooser is not installed'
because home-manager packages don't get their GSettings schemas compiled
into the system profile. Moving gtk3 to environment.systemPackages fixes this.
FreeCAD's save/open dialogs require the GTK portal backend for the
file chooser D-Bus service. The bare gtk3 package doesn't provide this,
so replace it with the portal package in the system config.
Enable gpg-agent with SSH support and pinentry-gnome3, add
yubikey-manager and pcscd service, configure GPG with hardened
preferences and scdaemon, disable gnome-keyring SSH agent, and
prepare git signing configuration.
The experimental xwayland-native-scaling feature causes XWayland
connection loss when KiCad fullscreens on the second monitor,
crashing the application. Fractional scaling is retained via
scale-monitor-framebuffer.
- Add nixpkgs-unstable input for latest Claude Code versions
- Remove duplicate home-manager config from configuration.nix (handled by flake)
- Remove fetchTarball/fetchGit calls incompatible with pure flake mode
- Add shell function to auto-update unstable on nixos-rebuild
Replace the default GNOME Console terminal with Ghostty by adding it to home packages, configuring it as the default terminal application via dconf settings, and excluding GNOME Console from installed packages.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
0xWheatyz
