chore: update flake

system/dev/dn-pre7780/default.nix

@@ -55,6 +55,7 @@ in
     ../../modules/shells/noctalia
     ../../modules/sunshine.nix
     ../../modules/secure-boot.nix
+    ../../modules/card-reader.nix
   ];
 
   # Live Sync D

system/dev/dn-pre7780/home/default.nix

@@ -6,7 +6,7 @@
 }:
 let
   inherit (helper) getMonitors;
-  inherit (builtins) elemAt;
+  inherit (builtins) elemAt length;
   inherit (config.networking) hostName;
   inherit (config.systemConf) username;
   inherit (lib) optionalString mkForce;
@@ -24,7 +24,11 @@ in
     let
       monitors = getMonitors hostName config;
       mainMonitor = (elemAt monitors 0).criteria;
-      secondMonitor = (elemAt monitors 1).criteria;
+      secondMonitor =
+        let
+          index = if (length monitors) > 1 then 1 else 0;
+        in
+        (elemAt monitors index).criteria;
       mainMonitorSwayFormat = "desc:ASUSTek COMPUTER INC - ASUS VG32VQ1B";
     in
     {
@@ -58,6 +62,18 @@ in
             }
           ];
         }
+        {
+          profile.name = "AcerOnly";
+          profile.outputs = [
+            {
+              criteria = "Acer Technologies XV272U V3 1322131231233";
+              mode = "2560x1440@179.876999Hz";
+              position = "0,0";
+              transform = "normal";
+              scale = 1.0;
+            }
+          ];
+        }
       ];
 
       programs.ghostty.settings = {

system/dev/dn-server/network/services.nix

@@ -7,11 +7,10 @@
 let
   inherit (builtins) concatStringsSep;
   inherit (config.systemConf) security domain;
-  inherit (lib) mkForce optionalString;
+  inherit (lib) mkForce;
   inherit (helper.nftables) mkElementsStatement;
 
   netbirdCfg = config.services.netbird;
-  netbirdRange = "100.64.0.0/16";
 
   ethInterface = "enp0s31f6";
   sshPorts = [ 30072 ];
@@ -36,7 +35,6 @@ let
   allowedSSHIPs = concatStringsSep ", " [
     "122.117.215.55"
     "192.168.100.1/24"
-    netbirdRange
     personal.range
   ];
 
@@ -221,50 +219,41 @@ in
             }
 
             chain input {
-              type filter hook input priority 0; policy drop;
+              type filter hook input priority -10; policy drop;
 
               iif lo accept
-
-              meta nftrace set 1
               meta l4proto { icmp, ipv6-icmp } accept
-
               ct state vmap { invalid : drop, established : accept, related : accept }
 
-              # Allow Incoming DNS qeury
-              udp dport 53 accept
-              tcp dport 53 accept
-
               tcp dport { ${sshPortsString} } jump ssh-filter
 
-              # Allow Netbird UDP
-              udp dport { ${toString netbirdCfg.clients.wt0.port} } accept
-              iifname ${netbirdCfg.clients.wt0.interface} accept
-              iifname { ${ethInterface}, ${personal.interface} } udp dport { ${toString personal.port}  } accept
-              iifname ${infra.interface} ip saddr ${infra.range} accept
-              iifname ${personal.interface} ip saddr ${personal.range} jump wg-subnet
-
-              drop
+              iifname { ${personal.interface}, ${infra.interface}, ${netbirdCfg.clients.wt0.interface} } accept
             }
 
             chain output {
-              type filter hook output priority 0; policy drop;
+              type filter hook output priority -10; policy drop;
 
               iif lo accept
+              ct state vmap { invalid : drop, established : accept, related : accept }
+
+              # Time Sync
+              meta skuid ${toString config.users.users.systemd-timesync.uid} accept
+
+              # VPN
+              oifname { ${personal.interface}, ${infra.interface}, ${netbirdCfg.clients.wt0.interface} } accept
 
               # Allow DNS qeury
               udp dport 53 accept
               tcp dport 53 accept
 
-              # Allow UDP hole punching
-              ${optionalString (
-                netbirdCfg.clients ? wt0
-              ) "udp sport ${toString netbirdCfg.clients.wt0.port} accept"}
+              # UDP Hole Punching
+              meta mark 0x1bd00 accept
 
-              meta skuid ${toString config.users.users.systemd-timesync.uid} accept
+              # DHCP
+              udp sport 68 udp dport 67 accept
 
-              ct state vmap { invalid : drop, established : accept, related : accept }
+              # Allowed IPs
               ip saddr != @restrict_source_ips accept
-
               ip daddr @${security.rules.setName} accept
               ip6 daddr @${security.rules.setNameV6} accept
 
@@ -272,27 +261,10 @@ in
             }
 
             chain ssh-filter {
-              ip saddr { ${allowedSSHIPs} } accept
-              counter reject
-            }
+              iifname { ${personal.interface}, ${infra.interface}, ${netbirdCfg.clients.wt0.interface} } tcp dport { ${sshPortsString} } accept
+              ip saddr { ${allowedSSHIPs} } tcp dport { ${sshPortsString} } accept
 
-            chain forward {
-              type filter hook forward priority 0; policy drop;
-
-              meta l4proto { icmp, ipv6-icmp } accept
-
-              ct state vmap { invalid : drop, established : accept, related : accept }
-
-              iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
-              iifname ${infra.interface} ip saddr ${infra.ip} accept
-
-              counter
-            }
-
-            chain wg-subnet {
-              ip saddr ${personal.full} accept
-              ip saddr ${personal.restrict} ip daddr ${personal.range} accept
-              counter drop
+              counter log prefix "SSH-DROP: " flags all drop
             }
 
             chain postrouting {

system/dev/dn-server/services/mail-server.nix

@@ -18,6 +18,7 @@ in
     "api.docker.com"
     "cdn.segment.com"
     "api.segment.io"
+    "sa-update.surbl.org"
   ];
 
   mail-server =

system/dev/dn-server/services/metrics.nix

@@ -10,6 +10,7 @@ let
   inherit (lib) optionalAttrs optional;
   inherit (config.networking) hostName domain;
 
+  oidcEndpoint = "https://${config.services.keycloak.settings.hostname}/realms/master";
   grafanaHostname = "grafana.${domain}";
   prometheusHostname = "metrics.${domain}";
 
@@ -118,13 +119,13 @@ in
       extraSettings = {
         "auth.generic_oauth" =
           let
-            OIDCBaseUrl = "https://keycloak.net.dn/realms/master/protocol/openid-connect";
+            OIDCBaseUrl = "${oidcEndpoint}/protocol/openid-connect";
           in
           {
             enabled = true;
             allow_sign_up = true;
             client_id = "grafana";
-            client_secret = ''$__file{${config.sops.secrets."grafana/client_secret".path}}'';
+            client_secret = "$__file{${config.sops.secrets."grafana/client_secret".path}}";
             scopes = "openid email profile offline_access roles";
             email_attribute_path = "email";
             login_attribute_path = "username";

system/dev/dn-server/sops/secret.yaml

@@ -41,7 +41,7 @@ postsrsd:
     secret: ENC[AES256_GCM,data:JZNwSymEjIFb8h3gnvFajxSaNYRxjA/NUruA4WX+uSqX0ufVcbVWgxQTr7U=,iv:ydGnCESCLbwyGKc+5witXDkT3OgW27LKen7PkqUL6mU=,tag:M3RGI6LgU5n2e6ZiXxTFfQ==,type:str]
 grafana:
     password: ENC[AES256_GCM,data:tySP1+vHkd+meSunzjE=,iv:09F8yEGw4j1Jd0HXDQyHbFxsr3Vg23mvWF5eZkU2KU8=,tag:6fmS38VUgNBNbo2BzxBuGA==,type:str]
-    client_secret: ENC[AES256_GCM,data:abk55RRC57xGiEpaBby0Drk4XS1+7INVie8wrpEg0XE=,iv:qywQIHIpgaS2pUcW1Uau//JU6UdMY52EVYCjhmnWJt4=,tag:fI01k/1nIqEXuPi90A00jQ==,type:str]
+    client_secret: ENC[AES256_GCM,data:bi1GSA2MSBQRTojgvmOvufjax/hathnXrPbnEF27SQc=,iv:IpzcIDWlgn5jfpA+ZRjji65AonarNjSzYRcfEzLxws8=,tag:ViEN0+67xFcpJ4Gl3blf8Q==,type:str]
 prometheus:
     powerdns:
         password: ENC[AES256_GCM,data:eliVy2619cZ/w/QOnayBt04ilCkXAXzck/RYr/c9oJEgirnqH1kATWJix3VzYng0/9yhGloOUHCm+jF3xOP6Uw==,iv:UI7UuJYJizYCO0ReC4SEPgmdPJNUnNuxgvkrhB1o/EQ=,tag:hEpJ64NcyaWl/e7KalOfGg==,type:str]
@@ -94,7 +94,7 @@ sops:
             OFloWEFuTC9GTXJsMG5NNktmdmIrY1kK0yN0ae0xNaydujV5lt2FiwXdyursG0DK
             9i/B3TTAm9csDMMSTSFbiAUJDzG7kIqn++JU/cxvsGScSnhMqjEK/g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-19T10:14:12Z"
-    mac: ENC[AES256_GCM,data:d9OAnjstk72GOnKqyDw2qbNfZho0mdqAMSQ4xH903b1COmgIn4MsqWiCzDJ5k6RxLE4wfCAPvn8JA+cXiox6/xctqfyqLoWN4fp2Q40IHjbA3mQGalwywRgmga74PVe3gJPZ7H8PJncN0TdU29A/lGcUtjCkAqjBuFS4e7wbQfA=,iv:e6aG+plaSDtaiqglY5S1svE/XZfs7n9dhSNCiB5pdTs=,tag:BsGItrtDVFF2kXgwE1zaFA==,type:str]
+    lastmodified: "2026-01-20T06:31:45Z"
+    mac: ENC[AES256_GCM,data:ad8EP8zk6mxlmMZaEijW0NWF72y2EikJPct7qxiCp6/sWGKKrGv8mRnC1zahgpRqpGR0jZKQ8Ot204EdGrJF9WI03+ZB9GgKi9ipQvXlGOCJq6m/Mp6WygI2hFAzRKCeoPqAPjVQxQ3Ctt/WEYXzvEp7CIKUq7WD6gTEFk6FDg0=,iv:20rJb79QnUW0DFbXTr0XXjiXjm7bK0CVs4oVan5SAKw=,tag:+mnMTBYQ1fhwe/abwGYNOA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

system/modules/card-reader.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  services.pcscd = {
+    enable = true;
+    plugins = with pkgs; [ ccid ];
+  };
+}

system/modules/gaming.nix

@@ -27,27 +27,10 @@ in
       protontricks.enable = true;
       gamescopeSession.enable = true;
       extest.enable = true;
-      extraCompatPackages =
-        with pkgs;
-        let
-          proton-ge-10-25 =
-            (proton-ge-bin.overrideAttrs (
-              _: finalAttrs: {
-                pname = "proton-ge-bin";
-                version = "GE-Proton10-25";
-
-                src = fetchzip {
-                  url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/${finalAttrs.version}/${finalAttrs.version}.tar.gz";
-                  hash = "sha256-RKko4QMxtnuC1SAHTSEQGBzVyl3ywnirFSYJ1WKSY0k=";
-                };
-              }
-            )).override
-              { steamDisplayName = "GE-Proton10-25"; };
-        in
-        [
-          proton-ge-bin
-          proton-ge-10-25
-        ];
+      extraCompatPackages = with pkgs; [
+        proton-ge-bin
+        proton-dw-bin
+      ];
       remotePlay.openFirewall = true;
       dedicatedServer.openFirewall = true;
       localNetworkGameTransfers.openFirewall = true;