lfrc symlink

modules/system/backups.nix

@@ -80,11 +80,11 @@ in
                   echo "backing up: ${lib.concatStringsSep " " bak_paths.paths} → $archive"
                   borg create \
                     --verbose \
-                    --filter AME \
+                   # --filter AME \
                     --list \
                     --stats \
                     --show-rc \
-                    --compression lzma,9 \
+                    --compression lz4 \
                     "$BORG_REPO::$archive" \
                     ${lib.concatStringsSep " " bak_paths.paths}
                 echo "pruning old backups for ${bak_name}..."

modules/system/tailscale.nix

@@ -1,10 +1,12 @@
-{ pkgs, config, lib, ... }:
-
-let
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
   cfg = config.modules.system.tailscale;
   authkey_file = config.sops.secrets."tailscale_authkey".path;
-in
-{
+in {
   options.modules.system.tailscale = {
     enable = lib.mkEnableOption "enables tailscale";
   };
@@ -15,14 +17,18 @@ in
       useRoutingFeatures = "both";
       authKeyFile = authkey_file;
       extraUpFlags = [
-        "--accept-routes=false"   # true is equilivant to useRoutingFeatures = "client" (breaks shit)
-        "--accept-dns=true"       # explicitly allow resolved
+        "--accept-routes=false" # true is equilivant to useRoutingFeatures = "client" (breaks shit)
+        "--accept-dns=true" # explicitly allow resolved
       ];
     };
 
+    # network config
+    networking.firewall.trustedInterfaces = ["tailscale0"];
+    networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+
     # declare authkey secrets
     sops.secrets = {
-      "tailscale_authkey" = { 
+      "tailscale_authkey" = {
         owner = "root";
       };
     };