tsandrini · tsandrini · Apr 20, 2026 · Mar 28, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/flake-parts/hosts/flatbundle/default.nix b/flake-parts/hosts/flatbundle/default.nix
@@ -13,7 +13,11 @@
 # Y88b. Y8b.     888  888      X88 Y88..88P 888     888    888 888 Y8b.          X88
 #  "Y888 "Y8888  888  888  88888P'  "Y88P"  888     888    888 888  "Y8888   88888P'
 { inputs }:
-{ pkgs, system, ... }:
+{
+  pkgs,
+  system,
+  ...
+}:
 let
   pkgs-osu-lazer-bin = import inputs.nixpkgs-osu-lazer-bin {
     inherit system;
@@ -97,6 +101,34 @@ in
   };
   # nix-mineral.enable = true;
 
+  tensorfiles.networking.firewall.subnets-firewall = {
+    nixosPassthrough = {
+      allowedTCPPorts = [
+        #
+      ];
+    };
+    defaultSubnets = {
+      allowedTCPPorts = [
+        # WG
+        51820
+        51821
+        # Dev ports
+        8000
+        8080
+        5173
+      ];
+      allowedUDPPorts = [
+        # WG
+        51820
+        51821
+        # Dev ports
+        8000
+        8080
+        5173
+      ];
+    };
+  };
+
   programs.nh.flake = "/home/tsandrini/ProjectBundle/tsandrini/tensorfiles";
   programs.nh.clean.enable = false; # NOTE We have enough space buddy
 
@@ -138,28 +170,6 @@ in
 
   services.tailscale.enable = true;
   networking.wireguard.enable = true;
-  networking.firewall = {
-    allowedUDPPorts = [
-      # WG
-      51820
-      51821
-      # Dev ports
-      8000
-      8080
-      5173
-    ];
-    allowedTCPPorts = [
-      # WG
-      51820
-      51821
-      # Dev ports
-      8000
-      8080
-      5173
-    ];
-  };
-
-  services.keybase.enable = true;
 
   home-manager.users."tsandrini" = {
     imports = [
@@ -192,10 +202,12 @@ in
 
     mcp-servers.programs = {
       playwright.enable = true;
+      playwright.args = [ "--headless" ];
       nixos.enable = true;
       time.enable = true;
       fetch.enable = true;
-      github.enable = true;
+      # everything.enable = true;
+      # github.enable = true;
     };
 
     programs.claude-code = {

diff --git a/flake-parts/hosts/jetbundle/default.nix b/flake-parts/hosts/jetbundle/default.nix
@@ -95,6 +95,34 @@ in
   };
   # nix-mineral.enable = true;
 
+  tensorfiles.networking.firewall.subnets-firewall = {
+    nixosPassthrough = {
+      allowedTCPPorts = [
+        #
+      ];
+    };
+    defaultSubnets = {
+      allowedTCPPorts = [
+        # WG
+        51820
+        51821
+        # Dev ports
+        8000
+        8080
+        5173
+      ];
+      allowedUDPPorts = [
+        # WG
+        51820
+        51821
+        # Dev ports
+        8000
+        8080
+        5173
+      ];
+    };
+  };
+
   programs.nh.flake = "/home/tsandrini/ProjectBundle/tsandrini/tensorfiles";
 
   programs.fish.enable = true;
@@ -135,26 +163,6 @@ in
 
   services.tailscale.enable = true;
   networking.wireguard.enable = true;
-  networking.firewall = {
-    allowedUDPPorts = [
-      # WG
-      51820
-      51821
-      # Dev ports
-      8000
-      8080
-      5173
-    ];
-    allowedTCPPorts = [
-      # WG
-      51820
-      51821
-      # Dev ports
-      8000
-      8080
-      5173
-    ];
-  };
 
   home-manager.users."tsandrini" = {
     tensorfiles.hm = {

diff --git a/flake-parts/hosts/pupibundle/default.nix b/flake-parts/hosts/pupibundle/default.nix
@@ -62,9 +62,6 @@ in
   tensorfiles = {
     profiles = {
       headless.enable = true;
-      packages-base.enable = true;
-      # packages-extra.enable = true;
-
       with-base-monitoring-exports.enable = true;
     };
 
@@ -98,32 +95,19 @@ in
   ];
 
   tensorfiles.networking.firewall.subnets-firewall = {
-    enable = true;
-    subnets = {
-      "${infraVars.common.networking.defaultSubnet}" = {
-        allowedTCPPorts = [
-          80
-          443
-          prometheusExporters.pihole.port
-          prometheusExporters.unbound.port
-        ];
-      };
-      "${infraVars.common.networking.intranetSubnet}" = {
-        allowedTCPPorts = [
-          80
-          443
-          prometheusExporters.pihole.port
-          prometheusExporters.unbound.port
-        ];
-      };
+    nixosPassthrough = {
+      allowedTCPPorts = [
+        #
+      ];
+    };
+    defaultSubnets = {
+      allowedTCPPorts = [
+        80
+        443
+        prometheusExporters.pihole.port
+        prometheusExporters.unbound.port
+      ];
     };
-  };
-
-  networking.firewall = {
-    allowedTCPPorts = [
-    ];
-    allowedUDPPorts = [
-    ];
   };
 
   networking = {

diff --git a/flake-parts/hosts/remotebundle/default.nix b/flake-parts/hosts/remotebundle/default.nix
@@ -108,8 +108,6 @@ in
   tensorfiles = {
     profiles = {
       headless.enable = true;
-      packages-base.enable = true;
-      # packages-extra.enable = true;
       with-base-monitoring-exports.enable = true;
     };
 
@@ -156,6 +154,24 @@ in
     };
   };
 
+  tensorfiles.networking.firewall.subnets-firewall = {
+    nixosPassthrough = {
+      allowedTCPPorts = [
+        80
+        443
+      ];
+      allowedUDPPorts = [
+        config.networking.wireguard.interfaces.wg-home-tunnel.listenPort
+      ];
+    };
+    defaultSubnets = {
+      allowedTCPPorts = [
+        config.services.postgresql.settings.port
+        config.services.loki.configuration.server.http_listen_port
+      ];
+    };
+  };
+
   # NAS
   fileSystems."/mnt/NAS" = {
     device = "172.16.131.12:/nas/5829";
@@ -188,34 +204,6 @@ in
     }
   ];
 
-  tensorfiles.networking.firewall.subnets-firewall = {
-    enable = true;
-    subnets = {
-      "${infraVars.common.networking.defaultSubnet}" = {
-        allowedTCPPorts = [
-          config.services.postgresql.settings.port
-          config.services.loki.configuration.server.http_listen_port
-        ];
-      };
-      "${infraVars.common.networking.intranetSubnet}" = {
-        allowedTCPPorts = [
-          config.services.postgresql.settings.port
-          config.services.loki.configuration.server.http_listen_port
-        ];
-      };
-    };
-  };
-
-  networking.firewall = {
-    allowedTCPPorts = [
-      80
-      443
-    ];
-    allowedUDPPorts = [
-      config.networking.wireguard.interfaces.wg-home-tunnel.listenPort
-    ];
-  };
-
   networking.wireguard.interfaces = {
     wg-home-tunnel = {
       ips = [ "${selfVars.wgAddress}/32" ];

diff --git a/flake-parts/hosts/spinorbundle/default.nix b/flake-parts/hosts/spinorbundle/default.nix
@@ -78,6 +78,34 @@
   };
   # nix-mineral.enable = true;
 
+  tensorfiles.networking.firewall.subnets-firewall = {
+    nixosPassthrough = {
+      allowedTCPPorts = [
+        #
+      ];
+    };
+    defaultSubnets = {
+      allowedTCPPorts = [
+        # WG
+        51820
+        51821
+        # Dev ports
+        8000
+        8080
+        5173
+      ];
+      allowedUDPPorts = [
+        # WG
+        51820
+        51821
+        # Dev ports
+        8000
+        8080
+        5173
+      ];
+    };
+  };
+
   programs.nh.flake = "/home/tsandrini/ProjectBundle/tsandrini/tensorfiles";
 
   programs.fish.enable = true;
@@ -107,26 +135,6 @@
 
   services.tailscale.enable = true;
   networking.wireguard.enable = true;
-  networking.firewall = {
-    allowedUDPPorts = [
-      # WG
-      51820
-      51821
-      # Dev ports
-      8000
-      8080
-      5173
-    ];
-    allowedTCPPorts = [
-      # WG
-      51820
-      51821
-      # Dev ports
-      8000
-      8080
-      5173
-    ];
-  };
 
   home-manager.users."tsandrini" = {
     tensorfiles.hm = {

diff --git a/flake-parts/infra-vars/variables.nix b/flake-parts/infra-vars/variables.nix
@@ -26,6 +26,10 @@ _: rec {
       defaultSubnet = "10.10.0.0/24";
       intranetSubnet = "10.0.33.0/24";
       defaultGateway = "10.10.0.1";
+      defaultFirewallSubnets = [
+        common.networking.defaultSubnet
+        common.networking.intranetSubnet
+      ];
       defaultNameservers = [
         "10.10.0.10"
         "8.8.8.8"

diff --git a/flake-parts/modules/home-manager/programs/ssh.nix b/flake-parts/modules/home-manager/programs/ssh.nix
@@ -99,6 +99,14 @@ in
       programs.ssh = {
         enable = _ true;
         enableDefaultConfig = _ true;
+
+        # NOTE: Override TERM for all SSH connections to avoid issues with
+        # remote servers that lack the ghostty terminfo entry (xterm-ghostty).
+        # This preserves the full xterm-ghostty features locally while
+        # ensuring compatibility over SSH.
+        matchBlocks."*".setEnv = {
+          TERM = _ "xterm-256color";
+        };
       };
 
       programs.keychain = {

diff --git a/flake-parts/modules/nixos/default.nix b/flake-parts/modules/nixos/default.nix
@@ -53,8 +53,8 @@ in
     profiles_graphical-startx-home-manager = importApply ./profiles/graphical-startx-home-manager.nix {
       inherit localFlake;
     };
-    profiles_headless = importApply ./profiles/headless.nix { inherit localFlake infraVars; };
-    profiles_minimal = importApply ./profiles/minimal.nix { inherit localFlake; };
+    profiles_headless = importApply ./profiles/headless.nix { inherit localFlake; };
+    profiles_minimal = importApply ./profiles/minimal.nix { inherit localFlake infraVars; };
     profiles_with-base-monitoring-exports = importApply ./profiles/with-base-monitoring-exports.nix {
       inherit localFlake infraVars;
     };
@@ -82,6 +82,7 @@ in
     services_monit = importApply ./services/monit.nix {
       inherit localFlake;
     };
+    services_fail2ban = importApply ./services/fail2ban.nix { inherit localFlake; };
     services_monitoring_loki = importApply ./services/monitoring/loki.nix {
       inherit localFlake;
     };