10 files changed, 270 insertions, 236 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 32651e14..2dcf5459 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,10 +12,9 @@ let
 in {
  imports = with flake.nixosModules.systemProfiles; [
    ./hw.nix
-    ./mail ./libvirt ./greetd
+    ./email ./libvirt ./greetd
-    tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager
+    tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote zswap
    flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
-    flakeInputs.impermanence.nixosModules.impermanence
    flakeInputs.nixVirt.nixosModules.default
  ];
@@ -26,9 +25,6 @@ in {
        allowUnfree = true;
        pulseaudio = true;
      };
-      extraOverlays = [
-        flakeInputs.niri-flake.overlays.niri
-      ];
    };
    time.timeZone = null;
@@ -37,6 +33,10 @@ in {
      initrd = {
        systemd = {
          emergencyAccess = config.users.users.root.hashedPassword;
+          extraBin = {
+            "vim" = lib.getExe pkgs.vim;
+            "grep" = lib.getExe pkgs.gnugrep;
+          };
        };
        luks.devices = {
          nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; };
@@ -50,34 +50,22 @@ in {
      blacklistedKernelModules = [ "nouveau" ];
-      # Use the systemd-boot EFI boot loader.
+      lanzaboote.configurationLimit = 15;
      loader = {
-        systemd-boot = {
-          enable = true;
-          configurationLimit = 15;
-        };
        efi.canTouchEfiVariables = true;
        timeout = null;
      };
      plymouth.enable = true;
-      kernelPackages = pkgs.linuxPackages_latest;
+      kernelPackages = pkgs.linuxPackages_6_18;
-      kernelPatches = [
+      consoleLogLevel = 3;
-        { name = "edac-config";
+      kernelParams = [
-          patch = null;
+        "quiet"
-          extraStructuredConfig = with lib.kernel; {
+        "boot.shell_on_fail"
-            EDAC = yes;
+        "udev.log_priority=3"
-            EDAC_IE31200 = yes;
+        "rd.systemd.show_status=auto"
-          };
+        "plymouth.use-simpledrm"
-        }
-        { name = "zswap-default";
-          patch = null;
-          extraStructuredConfig = with lib.kernel; {
-            ZSWAP_DEFAULT_ON = yes;
-            ZSWAP_SHRINKER_DEFAULT_ON = yes;
-          };
-        }
      ];
      tmp.useTmpfs = true;
@@ -100,6 +88,8 @@ in {
        server ptbtime2.ptb.de prefer iburst nts
        server ptbtime3.ptb.de prefer iburst nts
        server ptbtime4.ptb.de prefer iburst nts
+        pool ntppool1.time.nl prefer iburst nts
+        pool ntppool2.time.nl prefer iburst nts
        authselectmode require
        minsources 3
@@ -128,40 +118,16 @@ in {
        rulesetFile = ./ruleset.nft;
      };
-      # firewall = {
-      #   enable = true;
-      #   allowedTCPPorts = [ 22 # ssh
-      #                       8000 # quickserve
-      #                     ];
-      # };
-      # wlanInterfaces = {
-      #   wlan0 = {
-      #     device = "wlp82s0";
-      #   };
-      # };
-      # bonds = {
-      #   "lan" = {
-      #     interfaces = [ "wlan0" "enp0s31f6" "dock0" ];
-      #     driverOptions = {
-      #       miimon = "1000";
-      #       mode = "active-backup";
-      #       primary_reselect = "always";
-      #     };
-      #   };
-      # };
      useDHCP = false;
      useNetworkd = true;
-      # interfaces."tinc.yggdrasil" = {
-      #   virtual = true;
-      #   virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
-      #   macAddress = "5c:93:21:c3:61:39";
-      # };
    };
+    environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = {
+      text = ''
+        conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf
+        dnssec
+      '';
+    };
    environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
      text = ''
        except-interface=virbr0
@@ -404,19 +370,6 @@ in {
    ];
    services = {
-      uucp = {
-        enable = true;
-        nodeName = "sif";
-        remoteNodes = {
-          "ymir" = {
-            publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
-            hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
-          };
-        };
-        defaultCommands = lib.mkForce [];
-      };
      avahi.enable = true;
      fwupd.enable = true;
@@ -433,10 +386,10 @@ in {
      thinkfan.enable = true;
-      logind = {
+      logind.settings.Login = {
-        lidSwitch = "suspend";
+        HandleLidSwitch = "suspend";
-        lidSwitchDocked = "lock";
+        HandleLidSwitchDocked = "ignore";
-        lidSwitchExternalPower = "lock";
+        HandleLidSwitchExternalPower = "ignore";
      };
      atd = {
@@ -472,15 +425,12 @@ in {
      libinput.enable = true;
      envfs.enable = false;
+      displayManager.defaultSession = "Niri";
    };
    systemd.tmpfiles.settings = {
      "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime";
-      "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" {
-        last_user = "gkleen";
-        user_to_last_sess.gkleen = "niri";
-      });
    };
    users = {
@@ -606,10 +556,9 @@ in {
        # setLdLibraryPath = true;
      };
-      firmware = [ pkgs.firmwareLinuxNonfree ];
+      firmware = [ pkgs.linux-firmware ];
      keyboard.uhk.enable = true;
-      nitrokey.enable = true;
    };
    # sound.enable = true;
@@ -640,25 +589,6 @@ in {
    environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
-    systemd.services."ac-plugged" = {
-      description = "Inhibit handling of lid-switch and sleep";
-      path = with pkgs; [ systemd coreutils ];
-      script = ''
-        exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
-      '';
-      serviceConfig = {
-        Type = "simple";
-      };
-    };
-    services.udev.extraRules = with pkgs; lib.mkAfter ''
-      SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
-      SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
-    '';
    systemd.services."nix-daemon".serviceConfig = {
      MemoryAccounting = true;
      MemoryHigh = "50%";
@@ -682,6 +612,10 @@ in {
      dconf.enable = true;
      niri.enable = true;
      fuse.userAllowOther = true;
+      captive-browser = {
+        enable = true;
+        interface = "wlp82s0";
+      };
    };
    services.pcscd.enable = true;
@@ -693,11 +627,6 @@ in {
      group = "users";
    };
-    i18n.inputMethod = {
-      enable = true;
-      type = "ibus";
-    };
    environment.sessionVariables."GTK_USE_PORTAL" = "1";
    xdg.portal = {
      enable = true;
@@ -708,7 +637,7 @@ in {
        "org.freedesktop.impl.portal.OpenFile" = ["gtk"];
        "org.freedesktop.impl.portal.Access" = ["gtk"];
        "org.freedesktop.impl.portal.Notification" = ["gtk"];
-        "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
+        "org.freedesktop.impl.portal.Secret" = ["none"];
        "org.freedesktop.impl.portal.Inhibit" = ["none"];
      };
    };
@@ -718,7 +647,7 @@ in {
      directories = [
        "/nix"
        "/root"
-        "/home"
+        "/home"
        "/var/log"
        "/var/lib/sops-nix"
        "/var/lib/nixos"
@@ -728,33 +657,19 @@ in {
        "/var/lib/bluetooth"
        "/var/lib/upower"
        "/var/lib/postfix"
+        "/var/lib/regreet"
        "/etc/NetworkManager/system-connections"
-        { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; }
+        config.boot.lanzaboote.pkiBundle
-        { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; }
      ];
      files = [
      ];
+      timezone = true;
    };
-    systemd.services.timezone = {
+    security.pam.services.quickshell = {};
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-        ExecStart = "${pkgs.coreutils}/bin/cp -vP /.bcachefs/etc/localtime /etc/localtime";
-        ExecStop = "${pkgs.coreutils}/bin/cp -vP /etc/localtime /.bcachefs/etc/localtime";
-      };
-    };
-    services.tzupdate.enable = true;
-    security.pam.services.gtklock = {};
    home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];
-    environment.pathsToLink = [
-      "share/zsh"
-    ];
    system.stateVersion = "24.11";
  };
 }
diff --git a/hosts/sif/email/default.nix b/hosts/sif/email/default.nix
new file mode 100644
index 00000000..bebf7980
--- /dev/null
+++ b/hosts/sif/email/default.nix
@@ -0,0 +1,111 @@
+{ config, lib, pkgs, ... }:
+{
+  services.postfix = {
+    enable = true;
+    enableSmtp = false;
+    enableSubmission = false;
+    setSendmail = true;
+    # networksStyle = "host";
+    settings.main = {
+      recpipient_delimiter = "+";
+      mydestination = [];
+      myhostname = "sif.midgard.yggdrasil";
+      mydomain = "yggdrasil.li";
+      local_transport = "error:5.1.1 No local delivery";
+      alias_database = [];
+      alias_maps = [];
+      local_recipient_maps = [];
+      inet_interfaces = "loopback-only";
+      message_size_limit = 0;
+      authorized_submit_users = "inline:{ gkleen= }";
+      authorized_flush_users = "inline:{ gkleen= }";
+      authorized_mailq_users = "inline:{ gkleen= }";
+      smtp_generic_maps = "inline:{ root=root+sif }";
+      mynetworks = ["127.0.0.0/8" "[::1]/128"];
+      smtpd_client_restrictions = ["permit_mynetworks" "reject"];
+      smtpd_relay_restrictions = ["permit_mynetworks" "reject"];
+      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+        /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
+        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+      ''}'';
+      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
+        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
+        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
+      ''}'';
+      relayhost = ["[surtr.yggdrasil.li]:465"];
+      default_transport = "relay";
+      smtp_sasl_auth_enable = true;
+      smtp_sender_dependent_authentication = true;
+      smtp_sasl_tls_security_options = "noanonymous";
+      smtp_sasl_mechanism_filter = ["plain"];
+      smtp_sasl_password_maps = "regexp:/run/credentials/postfix.service/sasl_passwd";
+      smtp_cname_overrides_servername = false;
+      smtp_always_send_ehlo = true;
+      smtp_tls_security_level = "dane";
+      smtp_tls_loglevel = "1";
+      smtp_dns_support_level = "dnssec";
+    };
+    settings.master = {
+      submission = {
+        type = "inet";
+        private = false;
+        command = "smtpd";
+        args = [
+          "-o" "syslog_name=postfix/$service_name"
+        ];
+      };
+      smtp = { };
+      smtps = {
+        type = "unix";
+        private = true;
+        privileged = true;
+        chroot = false;
+        command = "smtp";
+        args = [
+          "-o" "smtp_tls_wrappermode=yes"
+          "-o" "smtp_tls_security_level=encrypt"
+        ];
+      };
+      relay = {
+        command = "smtp";
+        args = [
+          "-o" "smtp_fallback_relay="
+          "-o" "smtp_tls_security_level=verify"
+          "-o" "smtp_tls_wrappermode=yes"
+          "-o" "smtp_tls_cert_file=${./relay.crt}"
+          "-o" "smtp_tls_key_file=/run/credentials/postfix.service/relay.key"
+        ];
+      };
+    };
+  };
+  systemd.services.postfix = {
+    serviceConfig.LoadCredential = [
+      "sasl_passwd:${config.sops.secrets."postfix-sasl-passwd".path}"
+      "relay.key:${config.sops.secrets."relay-key".path}"
+    ];
+  };
+  sops.secrets = {
+    postfix-sasl-passwd = {
+      key = "sasl-passwd";
+      sopsFile = ./secrets.yaml;
+    };
+    relay-key = {
+      format = "binary";
+      sopsFile = ./relay.key;
+    };
+  };
+}
diff --git a/hosts/sif/email/relay.crt b/hosts/sif/email/relay.crt
new file mode 100644
index 00000000..ac13e7cb
--- /dev/null
+++ b/hosts/sif/email/relay.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBjDCCAQygAwIBAgIPQAAAAGgLfNoL/PSMAsutMAUGAytlcTAXMRUwEwYDVQQD
+DAx5Z2dkcmFzaWwubGkwHhcNMjUwNDI1MTIwOTQ1WhcNMzUwNDI2MTIxNDQ1WjAR
+MQ8wDQYDVQQDDAZna2xlZW4wKjAFBgMrZXADIQB3outi3/3F4YO7Q97WAAaMHW0a
+m+Blldrgee+EZnWnD6N1MHMwHwYDVR0jBBgwFoAUTtn+VjMw6Ge1f68KD8dT1CWn
+l3YwHQYDVR0OBBYEFFOa4rYZYMbXUVdKv98NB504GUhjMA4GA1UdDwEB/wQEAwID
+6DAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAUGAytlcQNzABC0
+0UgIt7gLZrU1TmzGoqPBris8R1DbKOJacicF5CU0MIIjHcX7mPFW8KtB4qm6KcPq
+kF6IaEPmgKpX3Nubk8HJik9vhIy9ysfINcVTvzXx8pO1bxbvREJRyA/apj10nzav
+yauId0cXHvN6g5RLAMsMAA==
+-----END CERTIFICATE-----
diff --git a/hosts/sif/email/relay.key b/hosts/sif/email/relay.key
new file mode 100644
index 00000000..412a44e0
--- /dev/null
+++ b/hosts/sif/email/relay.key
@@ -0,0 +1,19 @@
+{
+        "data": "ENC[AES256_GCM,data:lBlTuzOS75pvRmcTKT4KhHMH44RlE2SvCFAUP+GfsXws1Uai7DZ1MmbhvxxCa+pcLW19+sQYxrXLRNZWby1yOeKBJ2UQeYV5LOk9LSL/WIE3FZkCo5Dv0O0gSFKjjb61WN22a4JnHbLWADf/mLT3GZv91XfvFDo=,iv:ho8wQH3UNzX9JPW5gVcUGtxZzdVwsMFus0Z4KYe5t48=,tag:dAgZyHOva2xVVhE1nTl+lg==,type:str]",
+        "sops": {
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eTVRSUdFNUZGZmcxSUlT\nWmlsOGNyWXIzMGNTZjlKbXlhcEdZUXFRVkR3Cll0T0RMd0h2UW16QkR3SHlhYmNZ\nNDFrYXh3Rkp5NWsvcWc3UFJJaHVwT1UKLS0tIHhXVEI0VHBZVkpDQ1FzWENjMmJH\nb1FQWXVUUTBiZ1pKWG00MTNqVEo2SjAKK3VOU+QgRuxWYWEcrJiVMRFCprBICz4F\ngD+9zuPUzPezyJkYwTs+M+wX5GYkXppqm5W58yQLS2UDD38sr+SRjg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWmJmZDVFazN2bDY1TkNG\nNXpJN2twMFFjZUxMTVdSNzJwQTFiYktrcGdrCjk4eFVHTko0bFVMSlFFWm9tbjMr\nbWNHMEQ1Rm1qUVhodlB1RGw2aDc4TUEKLS0tIERBK0J5NkN4OXJEZ1ZOZXhNc1Jm\naWNnUmZGbTIxdmNkYi9TZ2h2bGs3MVEKPQGaEf7M/5/xvSOfawpIp50fB3QfFSuz\nPgkrPMneaBeUx+uBYMyEFX4rpzLIBR3pnYMjAfoc+bjWaOtGQuEqyQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-04-25T12:14:44Z",
+                "mac": "ENC[AES256_GCM,data:pObl2bJA93az9E3Ya+hA3ekI8TKKZ9NNTi0KzmWZBOiQwi9FuQYtpnmmT80L1KXWyOKJV6wGdAri3mNe/ue2S0TziSbQ/4+Dj4ubFKgkH7thb5q2dFyxw5FzhYzRQiXFqD/pxcNN9uL0lQI2Al0Eci0zX8Kcd1rAQ6RzLEoSmco=,iv:zo/3QFKTUEDxLy1k5yyU7Z1JMZ7cKdYUc6GHjaTTZKQ=,tag:f63Eja3lBfwJCYAOyEt56g==,type:str]",
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.10.2"
+        }
+}
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/email/secrets.yaml
index 3c74b710..3c74b710 100644
--- a/hosts/sif/mail/secrets.yaml
+++ b/hosts/sif/email/secrets.yaml
diff --git a/hosts/sif/greetd/default.nix b/hosts/sif/greetd/default.nix
index f609fc05..081b6346 100644
--- a/hosts/sif/greetd/default.nix
+++ b/hosts/sif/greetd/default.nix
@@ -1,44 +1,92 @@
-{ pkgs, ... }:
+{ config, pkgs, lib, flakeInputs, ... }:
-{
+let
+  gkleenConfig = config.home-manager.users."gkleen";
+  toIni = lib.generators.toINI {
+    mkKeyValue =
+      key: value:
+      let
+        value' = if lib.isBool value then lib.boolToString value else toString value;
+      in
+      "${lib.escape [ "=" ] key}=${value'}";
+  };
+  toDconfIni = let
+    gvariant = import (flakeInputs.home-manager + "/modules/lib/gvariant.nix") { inherit lib; };
+    mkIniKeyValue = key: value: "${key}=${toString (gvariant.mkValue value)}";
+  in lib.generators.toINI { mkKeyValue = mkIniKeyValue; };
+in {
  config = {
    services.greetd = {
      enable = true;
-    #   settings.default_session.command = let
+      settings.default_session.command = lib.getExe (pkgs.writeShellApplication {
-    #     cfg = config.programs.regreet;
+        name = "sway";
-    #   in pkgs.writeShellScript "greeter" ''
+        runtimeInputs = [ pkgs.sway pkgs.fontconfig ];
-    #       modprobe -r nvidia_drm
+        runtimeEnv = {
+          XDG_DATA_DIRS = lib.makeSearchPath "share" [
+            pkgs.equilux-theme pkgs.paper-icon-theme pkgs.fira
+          ];
+          QT_PLUGIN_PATH = lib.makeSearchPath (pkgs.qt6.qtbase.qtPluginPrefix) [
+            pkgs.qt6Packages.qtbase
+          ];
+          QML2_IMPORT_PATH = lib.makeSearchPath (pkgs.qt6.qtbase.qtQmlPrefix) [
+            pkgs.qt6Packages.qtbase
+          ];
+          QT_QPA_PLATFORMTHEME = "gtk3";
+          XDG_CONFIG_DIR = pkgs.symlinkJoin {
+            name = "config";
+            paths = [
+              (pkgs.writeTextDir "gtk-3.0/settings.ini" (toIni {
+                Settings = {
+                  gtk-font-name = "Fira Sans 10";
+                  gtk-theme-name = "Equilux-compact";
+                  gtk-icon-theme-name = "Paper-Mono-Dark";
+                };
+              }))
+            ];
+          };
+          # XDG_CACHE_HOME = "/var/cache/greetd/greeter";
+          # XDG_CONFIG_HOME = "/var/cache/greetd/greeter/config";
+        };
+        text = ''
+          exec &>/tmp/sway-$$.log
+          unset MANAGERPID SYSTEMD_EXEC_PID
+          # ${lib.getExe' pkgs.coreutils "mkdir"} -p ''${XDG_CONFIG_HOME}/dconf
+          ${lib.getExe pkgs.dconf} load / < ${pkgs.writeText "dconf.ini" (toDconfIni {
+            "org/gnome/desktop/interface" = {
+              "color-scheme" = "prefer-dark";
+              "font-name" = "Fira Sans 10";
+              "gtk-theme" = "Equilux-compact";
+              "icon-theme" = "Paper-Mono-Dark";
+            };
+          })}
+          exec sway --unsupported-gpu --config ${pkgs.writeText "sway-config" ''
+            exec "${lib.getExe' config.systemd.package "systemctl"} --user import-environment {,WAYLAND_}DISPLAY SWAYSOCK; ${lib.getExe gkleenConfig.programs.quickshell.package} --path ${gkleenConfig.xdg.configFile."quickshell".source}/displaymanager.qml; swaymsg exit"
+            input type:keyboard {
+              xkb_layout "us,us"
+              xkb_variant "dvp,"
+              xkb_options "compose:caps,grp:win_space_toggle"
+            }
-    #       exec ${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${lib.getExe cfg.package}
+            output eDP-1 scale 1.5
-    #     '';
+          ''}
+        '';
+      });
    };
-    programs.regreet = {
-      enable = true;
+    # security.pam.services.greetd.fprintAuth = false;
-      theme = {
-        package = pkgs.equilux-theme;
+    systemd.services.greetd.serviceConfig = {
-        name = "Equilux-compact";
+      ExecStartPre = ''${lib.getExe' pkgs.coreutils "install"} -d -o greeter -g greeter -m 0700 ''${CACHE_DIRECTORY}/greeter'';
-      };
+      # CacheDirectory = "greetd";
-      iconTheme = {
+    };
-        package = pkgs.paper-icon-theme;
-        name = "Paper-Mono-Dark";
+    users.users.greeter = {
-      };
+      home = "/var/lib/greeter";
-      font = {
+      createHome = true;
-        package = pkgs.fira;
-        name = "Fira Sans";
-        # size = 6;
-      };
-      cageArgs = [ "-s" "-m" "last" ];
-      settings = {
-        GTK.application_prefer_dark_theme = true;
-        widget.clock.format = "%F %H:%M:%S%:z";
-        background = {
-          path = pkgs.runCommand "wallpaper.png" {
-            buildInputs = with pkgs; [ imagemagick ];
-          } ''
-            magick ${./wallpaper.png} -filter Gaussian -resize 6.25% -define filter:sigma=2.5 -resize 1600% "$out"
-          '';
-          fit = "Cover";
-        };
-      };
    };
  };
 }
diff --git a/hosts/sif/greetd/wallpaper.png b/hosts/sif/greetd/wallpaper.png
deleted file mode 100644
index 20fc761a..00000000
--- a/hosts/sif/greetd/wallpaper.png
+++ /dev/null
Binary files differ
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
index 1bcf0261..e567c37d 100644
--- a/hosts/sif/hw.nix
+++ b/hosts/sif/hw.nix
@@ -25,7 +25,7 @@
  # system.etc.overlay.enable = false;
  boot.initrd.systemd.packages = [
-    (pkgs.writeTextDir "/etc/systemd/system/\\x2ebcachefs.mount.d/block_scan.conf" ''
+    (pkgs.writeTextDir "/etc/systemd/system/sysroot-.bcachefs.mount.d/block_scan.conf" ''
      [Mount]
      Environment=BCACHEFS_BLOCK_SCAN=1
    '')
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
deleted file mode 100644
index 8d6cd705..00000000
--- a/hosts/sif/mail/default.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-  services.postfix = {
-    enable = true;
-    enableSmtp = true;
-    enableSubmission = false;
-    setSendmail = true;
-    networksStyle = "host";
-    hostname = "sif.midgard.yggdrasil";
-    destination = [];
-    relayHost = "uucp:ymir";
-    recipientDelimiter = "+";
-    masterConfig = {
-      uucp = {
-        type = "unix";
-        private = true;
-        privileged = true;
-        chroot = false;
-        command = "pipe";
-        args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
-      };
-      smtps = {
-        type = "unix";
-        private = true;
-        privileged = true;
-        chroot = false;
-        command = "smtp";
-        args = [ "-o" "smtp_tls_wrappermode=yes" "-o" "smtp_tls_security_level=encrypt" ];
-      };
-    };
-    config = {
-      default_transport = "uucp:ymir";
-      inet_interfaces = "loopback-only";
-      authorized_submit_users = ["!uucp" "static:anyone"];
-      message_size_limit = "0";
-      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
-        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
-        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
-        /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
-        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
-      ''}'';
-      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
-        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
-        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
-      ''}'';
-      smtp_sasl_auth_enable = true;
-      smtp_sender_dependent_authentication = true;
-      smtp_sasl_tls_security_options = "noanonymous";
-      smtp_sasl_mechanism_filter = ["plain"];
-      smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
-      smtp_cname_overrides_servername = false;
-      smtp_always_send_ehlo = true;
-      smtp_tls_security_level = "dane";
-      smtp_tls_loglevel = "1";
-      smtp_dns_support_level = "dnssec";
-    };
-  };
-  sops.secrets.postfix-sasl-passwd = {
-    key = "sasl-passwd";
-    path = "/var/db/postfix/sasl_passwd";
-    owner = "postfix";
-    sopsFile = ./secrets.yaml;
-  };
-}
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 2af8b2ee..62339f69 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -61,7 +61,7 @@ table inet filter {
  counter mosh-rx {}
  counter wg-rx {}
  counter yggdrasil-gre-rx {}
-  counter quickserve-rx {}
+  counter miniserve-rx {}
  counter ausweisapp2-rx {}
  counter established-rx {}
@@ -81,7 +81,7 @@ table inet filter {
  counter mosh-tx {}
  counter wg-tx {}
  counter yggdrasil-gre-tx {}
-  counter quickserve-tx {}
+  counter miniserve-tx {}
  counter tx {}
@@ -134,7 +134,7 @@ table inet filter {
    tcp dport 22 counter name ssh-rx accept
    udp dport 60000-61000 counter name mosh-rx accept
-    tcp dport 8000 counter name quickserve-rx accept
+    tcp dport 8080 counter name miniserve-rx accept
    udp dport 24727 counter name ausweisapp2-rx accept
    udp dport 51820-51822 counter name wg-rx accept
@@ -173,7 +173,7 @@ table inet filter {
    udp sport 51820-51822 counter name wg-tx
    iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
-    tcp sport 8000 counter name quickserve-tx accept
+    tcp sport 8080 counter name miniserve-tx accept
    oifname virbr0 udp sport 67 counter name libvirt-dhcp accept
    oifname virbr0 udp sport 547 counter name libvirt-dhcp accept