summaryrefslogtreecommitdiff
path: root/hosts/sif
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/sif')
-rw-r--r--hosts/sif/default.nix152
-rw-r--r--hosts/sif/email/default.nix110
-rw-r--r--hosts/sif/email/relay.crt11
-rw-r--r--hosts/sif/email/relay.key19
-rw-r--r--hosts/sif/email/secrets.yaml (renamed from hosts/sif/mail/secrets.yaml)0
-rw-r--r--hosts/sif/greetd/default.nix49
-rw-r--r--hosts/sif/greetd/wallpaper.pngbin0 -> 6073128 bytes
-rw-r--r--hosts/sif/libvirt/default.nix1
-rw-r--r--hosts/sif/mail/default.nix70
-rw-r--r--hosts/sif/ruleset.nft8
10 files changed, 232 insertions, 188 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 6b710f2b..6214569a 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,7 +12,7 @@ let
12in { 12in {
13 imports = with flake.nixosModules.systemProfiles; [ 13 imports = with flake.nixosModules.systemProfiles; [
14 ./hw.nix 14 ./hw.nix
15 ./mail ./libvirt 15 ./email ./libvirt ./greetd
16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager 16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager
17 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 17 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
18 flakeInputs.impermanence.nixosModules.impermanence 18 flakeInputs.impermanence.nixosModules.impermanence
@@ -26,9 +26,6 @@ in {
26 allowUnfree = true; 26 allowUnfree = true;
27 pulseaudio = true; 27 pulseaudio = true;
28 }; 28 };
29 extraOverlays = [
30 flakeInputs.niri-flake.overlays.niri
31 ];
32 }; 29 };
33 30
34 time.timeZone = null; 31 time.timeZone = null;
@@ -55,6 +52,7 @@ in {
55 systemd-boot = { 52 systemd-boot = {
56 enable = true; 53 enable = true;
57 configurationLimit = 15; 54 configurationLimit = 15;
55 netbootxyz.enable = true;
58 }; 56 };
59 efi.canTouchEfiVariables = true; 57 efi.canTouchEfiVariables = true;
60 timeout = null; 58 timeout = null;
@@ -128,40 +126,16 @@ in {
128 rulesetFile = ./ruleset.nft; 126 rulesetFile = ./ruleset.nft;
129 }; 127 };
130 128
131 # firewall = {
132 # enable = true;
133 # allowedTCPPorts = [ 22 # ssh
134 # 8000 # quickserve
135 # ];
136 # };
137
138 # wlanInterfaces = {
139 # wlan0 = {
140 # device = "wlp82s0";
141 # };
142 # };
143
144 # bonds = {
145 # "lan" = {
146 # interfaces = [ "wlan0" "enp0s31f6" "dock0" ];
147 # driverOptions = {
148 # miimon = "1000";
149 # mode = "active-backup";
150 # primary_reselect = "always";
151 # };
152 # };
153 # };
154
155 useDHCP = false; 129 useDHCP = false;
156 useNetworkd = true; 130 useNetworkd = true;
157
158 # interfaces."tinc.yggdrasil" = {
159 # virtual = true;
160 # virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
161 # macAddress = "5c:93:21:c3:61:39";
162 # };
163 }; 131 };
164 132
133 environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = {
134 text = ''
135 conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf
136 dnssec
137 '';
138 };
165 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = { 139 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
166 text = '' 140 text = ''
167 except-interface=virbr0 141 except-interface=virbr0
@@ -404,19 +378,6 @@ in {
404 ]; 378 ];
405 379
406 services = { 380 services = {
407 uucp = {
408 enable = true;
409 nodeName = "sif";
410 remoteNodes = {
411 "ymir" = {
412 publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
413 hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
414 };
415 };
416
417 defaultCommands = lib.mkForce [];
418 };
419
420 avahi.enable = true; 381 avahi.enable = true;
421 382
422 fwupd.enable = true; 383 fwupd.enable = true;
@@ -435,8 +396,8 @@ in {
435 396
436 logind = { 397 logind = {
437 lidSwitch = "suspend"; 398 lidSwitch = "suspend";
438 lidSwitchDocked = "lock"; 399 lidSwitchDocked = "ignore";
439 lidSwitchExternalPower = "lock"; 400 lidSwitchExternalPower = "ignore";
440 }; 401 };
441 402
442 atd = { 403 atd = {
@@ -471,47 +432,18 @@ in {
471 }; 432 };
472 libinput.enable = true; 433 libinput.enable = true;
473 434
474 greetd = { 435 envfs.enable = false;
475 enable = true;
476 # settings.default_session.command = let
477 # cfg = config.programs.regreet;
478 # in pkgs.writeShellScript "greeter" ''
479 # modprobe -r nvidia_drm
480 436
481 # exec ${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${lib.getExe cfg.package} 437 displayManager.defaultSession = "Niri";
482 # '';
483 };
484 };
485
486 programs.regreet = {
487 enable = true;
488 theme = {
489 package = pkgs.equilux-theme;
490 name = "Equilux-compact";
491 };
492 iconTheme = {
493 package = pkgs.paper-icon-theme;
494 name = "Paper-Mono-Dark";
495 };
496 font = {
497 package = pkgs.fira;
498 name = "Fira Sans";
499 # size = 6;
500 };
501 cageArgs = [ "-s" "-m" "last" ];
502 settings = {
503 GTK.application_prefer_dark_theme = true;
504 };
505 }; 438 };
506 programs.niri.enable = true;
507 439
508 systemd.tmpfiles.settings = { 440 systemd.tmpfiles.settings = {
509 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime"; 441 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime";
510 442
511 "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" { 443 # "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" {
512 last_user = "gkleen"; 444 # last_user = "gkleen";
513 user_to_last_sess.gkleen = "Niri"; 445 # user_to_last_sess.gkleen = "Niri";
514 }); 446 # });
515 }; 447 };
516 448
517 users = { 449 users = {
@@ -620,15 +552,15 @@ in {
620 }; 552 };
621 553
622 nvidia = { 554 nvidia = {
623 open = true; 555 open = false;
624 modesetting.enable = true; 556 modesetting.enable = true;
625 powerManagement.enable = false; 557 powerManagement.enable = true;
626 prime = { 558 # prime = {
627 nvidiaBusId = "PCI:1:0:0"; 559 # nvidiaBusId = "PCI:1:0:0";
628 intelBusId = "PCI:0:2:0"; 560 # intelBusId = "PCI:0:2:0";
629 reverseSync.enable = true; 561 # reverseSync.enable = true;
630 offload.enableOffloadCmd = true; 562 # offload.enableOffloadCmd = true;
631 }; 563 # };
632 }; 564 };
633 565
634 graphics = { 566 graphics = {
@@ -671,25 +603,6 @@ in {
671 603
672 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; 604 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
673 605
674 systemd.services."ac-plugged" = {
675 description = "Inhibit handling of lid-switch and sleep";
676
677 path = with pkgs; [ systemd coreutils ];
678
679 script = ''
680 exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
681 '';
682
683 serviceConfig = {
684 Type = "simple";
685 };
686 };
687
688 services.udev.extraRules = with pkgs; lib.mkAfter ''
689 SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
690 SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
691 '';
692
693 systemd.services."nix-daemon".serviceConfig = { 606 systemd.services."nix-daemon".serviceConfig = {
694 MemoryAccounting = true; 607 MemoryAccounting = true;
695 MemoryHigh = "50%"; 608 MemoryHigh = "50%";
@@ -702,6 +615,7 @@ in {
702 615
703 services.dbus.packages = with pkgs; 616 services.dbus.packages = with pkgs;
704 [ dbus dconf 617 [ dbus dconf
618 xdg-desktop-portal-gtk
705 ]; 619 ];
706 620
707 services.udisks2.enable = true; 621 services.udisks2.enable = true;
@@ -710,6 +624,8 @@ in {
710 light.enable = true; 624 light.enable = true;
711 wireshark.enable = true; 625 wireshark.enable = true;
712 dconf.enable = true; 626 dconf.enable = true;
627 niri.enable = true;
628 fuse.userAllowOther = true;
713 }; 629 };
714 630
715 services.pcscd.enable = true; 631 services.pcscd.enable = true;
@@ -729,6 +645,16 @@ in {
729 environment.sessionVariables."GTK_USE_PORTAL" = "1"; 645 environment.sessionVariables."GTK_USE_PORTAL" = "1";
730 xdg.portal = { 646 xdg.portal = {
731 enable = true; 647 enable = true;
648 extraPortals = with pkgs; [ xdg-desktop-portal-gtk ];
649 config.niri = {
650 default = ["gnome" "gtk"];
651 "org.freedesktop.impl.portal.FileChooser" = ["gtk"];
652 "org.freedesktop.impl.portal.OpenFile" = ["gtk"];
653 "org.freedesktop.impl.portal.Access" = ["gtk"];
654 "org.freedesktop.impl.portal.Notification" = ["gtk"];
655 "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"];
656 "org.freedesktop.impl.portal.Inhibit" = ["none"];
657 };
732 }; 658 };
733 659
734 environment.persistence."/.bcachefs" = { 660 environment.persistence."/.bcachefs" = {
@@ -736,19 +662,17 @@ in {
736 directories = [ 662 directories = [
737 "/nix" 663 "/nix"
738 "/root" 664 "/root"
665 "/home"
739 "/var/log" 666 "/var/log"
740 "/var/lib/sops-nix" 667 "/var/lib/sops-nix"
741 "/var/lib/nixos" 668 "/var/lib/nixos"
742 "/var/lib/systemd" 669 "/var/lib/systemd"
743 "/home"
744 "/var/lib/chrony" 670 "/var/lib/chrony"
745 "/var/lib/fprint" 671 "/var/lib/fprint"
746 "/var/lib/bluetooth" 672 "/var/lib/bluetooth"
747 "/var/lib/upower" 673 "/var/lib/upower"
748 "/var/lib/postfix" 674 "/var/lib/postfix"
749 "/etc/NetworkManager/system-connections" 675 "/etc/NetworkManager/system-connections"
750 { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; }
751 { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; }
752 ]; 676 ];
753 files = [ 677 files = [
754 ]; 678 ];
diff --git a/hosts/sif/email/default.nix b/hosts/sif/email/default.nix
new file mode 100644
index 00000000..4eda236e
--- /dev/null
+++ b/hosts/sif/email/default.nix
@@ -0,0 +1,110 @@
1{ config, lib, pkgs, ... }:
2{
3 services.postfix = {
4 enable = true;
5 enableSmtp = false;
6 enableSubmission = false;
7 setSendmail = true;
8 networksStyle = "host";
9 hostname = "sif.midgard.yggdrasil";
10 destination = [];
11 recipientDelimiter = "+";
12 config = {
13 mydomain = "yggdrasil.li";
14
15 local_transport = "error:5.1.1 No local delivery";
16 alias_database = [];
17 alias_maps = [];
18 local_recipient_maps = [];
19
20 inet_interfaces = "loopback-only";
21
22 message_size_limit = "0";
23
24 authorized_submit_users = "inline:{ gkleen= }";
25 authorized_flush_users = "inline:{ gkleen= }";
26 authorized_mailq_users = "inline:{ gkleen= }";
27
28 smtp_generic_maps = "inline:{ root=root+sif }";
29
30 mynetworks = ["127.0.0.0/8" "[::1]/128"];
31 smtpd_client_restrictions = ["permit_mynetworks" "reject"];
32 smtpd_relay_restrictions = ["permit_mynetworks" "reject"];
33
34 sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
35 /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
36 /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
37 /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
38 /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
39 ''}'';
40 sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
41 /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
42 /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
43 ''}'';
44 relayhost = "[surtr.yggdrasil.li]:465";
45 default_transport = "relay";
46
47 smtp_sasl_auth_enable = true;
48 smtp_sender_dependent_authentication = true;
49 smtp_sasl_tls_security_options = "noanonymous";
50 smtp_sasl_mechanism_filter = ["plain"];
51 smtp_sasl_password_maps = "regexp:/run/credentials/postfix.service/sasl_passwd";
52 smtp_cname_overrides_servername = false;
53 smtp_always_send_ehlo = true;
54 smtp_tls_security_level = "dane";
55
56 smtp_tls_loglevel = "1";
57 smtp_dns_support_level = "dnssec";
58 };
59 masterConfig = {
60 submission = {
61 type = "inet";
62 private = false;
63 command = "smtpd";
64 args = [
65 "-o" "syslog_name=postfix/$service_name"
66 ];
67 };
68 smtp = { };
69 smtps = {
70 type = "unix";
71 private = true;
72 privileged = true;
73 chroot = false;
74 command = "smtp";
75 args = [
76 "-o" "smtp_tls_wrappermode=yes"
77 "-o" "smtp_tls_security_level=encrypt"
78 ];
79 };
80 relay = {
81 command = "smtp";
82 args = [
83 "-o" "smtp_fallback_relay="
84 "-o" "smtp_tls_security_level=verify"
85 "-o" "smtp_tls_wrappermode=yes"
86 "-o" "smtp_tls_cert_file=${./relay.crt}"
87 "-o" "smtp_tls_key_file=/run/credentials/postfix.service/relay.key"
88 ];
89 };
90 };
91 };
92
93 systemd.services.postfix = {
94 serviceConfig.LoadCredential = [
95 "sasl_passwd:${config.sops.secrets."postfix-sasl-passwd".path}"
96 "relay.key:${config.sops.secrets."relay-key".path}"
97 ];
98 };
99
100 sops.secrets = {
101 postfix-sasl-passwd = {
102 key = "sasl-passwd";
103 sopsFile = ./secrets.yaml;
104 };
105 relay-key = {
106 format = "binary";
107 sopsFile = ./relay.key;
108 };
109 };
110}
diff --git a/hosts/sif/email/relay.crt b/hosts/sif/email/relay.crt
new file mode 100644
index 00000000..ac13e7cb
--- /dev/null
+++ b/hosts/sif/email/relay.crt
@@ -0,0 +1,11 @@
1-----BEGIN CERTIFICATE-----
2MIIBjDCCAQygAwIBAgIPQAAAAGgLfNoL/PSMAsutMAUGAytlcTAXMRUwEwYDVQQD
3DAx5Z2dkcmFzaWwubGkwHhcNMjUwNDI1MTIwOTQ1WhcNMzUwNDI2MTIxNDQ1WjAR
4MQ8wDQYDVQQDDAZna2xlZW4wKjAFBgMrZXADIQB3outi3/3F4YO7Q97WAAaMHW0a
5m+Blldrgee+EZnWnD6N1MHMwHwYDVR0jBBgwFoAUTtn+VjMw6Ge1f68KD8dT1CWn
6l3YwHQYDVR0OBBYEFFOa4rYZYMbXUVdKv98NB504GUhjMA4GA1UdDwEB/wQEAwID
76DAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAUGAytlcQNzABC0
80UgIt7gLZrU1TmzGoqPBris8R1DbKOJacicF5CU0MIIjHcX7mPFW8KtB4qm6KcPq
9kF6IaEPmgKpX3Nubk8HJik9vhIy9ysfINcVTvzXx8pO1bxbvREJRyA/apj10nzav
10yauId0cXHvN6g5RLAMsMAA==
11-----END CERTIFICATE-----
diff --git a/hosts/sif/email/relay.key b/hosts/sif/email/relay.key
new file mode 100644
index 00000000..412a44e0
--- /dev/null
+++ b/hosts/sif/email/relay.key
@@ -0,0 +1,19 @@
1{
2 "data": "ENC[AES256_GCM,data:lBlTuzOS75pvRmcTKT4KhHMH44RlE2SvCFAUP+GfsXws1Uai7DZ1MmbhvxxCa+pcLW19+sQYxrXLRNZWby1yOeKBJ2UQeYV5LOk9LSL/WIE3FZkCo5Dv0O0gSFKjjb61WN22a4JnHbLWADf/mLT3GZv91XfvFDo=,iv:ho8wQH3UNzX9JPW5gVcUGtxZzdVwsMFus0Z4KYe5t48=,tag:dAgZyHOva2xVVhE1nTl+lg==,type:str]",
3 "sops": {
4 "age": [
5 {
6 "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
7 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eTVRSUdFNUZGZmcxSUlT\nWmlsOGNyWXIzMGNTZjlKbXlhcEdZUXFRVkR3Cll0T0RMd0h2UW16QkR3SHlhYmNZ\nNDFrYXh3Rkp5NWsvcWc3UFJJaHVwT1UKLS0tIHhXVEI0VHBZVkpDQ1FzWENjMmJH\nb1FQWXVUUTBiZ1pKWG00MTNqVEo2SjAKK3VOU+QgRuxWYWEcrJiVMRFCprBICz4F\ngD+9zuPUzPezyJkYwTs+M+wX5GYkXppqm5W58yQLS2UDD38sr+SRjg==\n-----END AGE ENCRYPTED FILE-----\n"
8 },
9 {
10 "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWmJmZDVFazN2bDY1TkNG\nNXpJN2twMFFjZUxMTVdSNzJwQTFiYktrcGdrCjk4eFVHTko0bFVMSlFFWm9tbjMr\nbWNHMEQ1Rm1qUVhodlB1RGw2aDc4TUEKLS0tIERBK0J5NkN4OXJEZ1ZOZXhNc1Jm\naWNnUmZGbTIxdmNkYi9TZ2h2bGs3MVEKPQGaEf7M/5/xvSOfawpIp50fB3QfFSuz\nPgkrPMneaBeUx+uBYMyEFX4rpzLIBR3pnYMjAfoc+bjWaOtGQuEqyQ==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2025-04-25T12:14:44Z",
15 "mac": "ENC[AES256_GCM,data:pObl2bJA93az9E3Ya+hA3ekI8TKKZ9NNTi0KzmWZBOiQwi9FuQYtpnmmT80L1KXWyOKJV6wGdAri3mNe/ue2S0TziSbQ/4+Dj4ubFKgkH7thb5q2dFyxw5FzhYzRQiXFqD/pxcNN9uL0lQI2Al0Eci0zX8Kcd1rAQ6RzLEoSmco=,iv:zo/3QFKTUEDxLy1k5yyU7Z1JMZ7cKdYUc6GHjaTTZKQ=,tag:f63Eja3lBfwJCYAOyEt56g==,type:str]",
16 "unencrypted_suffix": "_unencrypted",
17 "version": "3.10.2"
18 }
19}
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/email/secrets.yaml
index 3c74b710..3c74b710 100644
--- a/hosts/sif/mail/secrets.yaml
+++ b/hosts/sif/email/secrets.yaml
diff --git a/hosts/sif/greetd/default.nix b/hosts/sif/greetd/default.nix
new file mode 100644
index 00000000..37ca13c5
--- /dev/null
+++ b/hosts/sif/greetd/default.nix
@@ -0,0 +1,49 @@
1{ pkgs, ... }:
2{
3 config = {
4 services.greetd = {
5 enable = true;
6 # settings.default_session.command = let
7 # cfg = config.programs.regreet;
8 # in pkgs.writeShellScript "greeter" ''
9 # modprobe -r nvidia_drm
10
11 # exec ${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${lib.getExe cfg.package}
12 # '';
13 };
14 systemd.services.greetd.environment = {
15 XKB_DEFAULT_LAYOUT = "us,us";
16 XKB_DEFAULT_VARIANT = "dvp,";
17 XKB_DEFAULT_OPTIONS = "compose:caps,grp:win_space_toggle";
18 };
19 programs.regreet = {
20 enable = true;
21 theme = {
22 package = pkgs.equilux-theme;
23 name = "Equilux-compact";
24 };
25 iconTheme = {
26 package = pkgs.paper-icon-theme;
27 name = "Paper-Mono-Dark";
28 };
29 font = {
30 package = pkgs.fira;
31 name = "Fira Sans";
32 # size = 6;
33 };
34 cageArgs = [ "-s" "-m" "last" ];
35 settings = {
36 GTK.application_prefer_dark_theme = true;
37 widget.clock.format = "%F %H:%M:%S%:z";
38 background = {
39 path = pkgs.runCommand "wallpaper.png" {
40 buildInputs = with pkgs; [ imagemagick ];
41 } ''
42 magick ${./wallpaper.png} -filter Gaussian -resize 6.25% -define filter:sigma=2.5 -resize 1600% "$out"
43 '';
44 fit = "Cover";
45 };
46 };
47 };
48 };
49}
diff --git a/hosts/sif/greetd/wallpaper.png b/hosts/sif/greetd/wallpaper.png
new file mode 100644
index 00000000..20fc761a
--- /dev/null
+++ b/hosts/sif/greetd/wallpaper.png
Binary files differ
diff --git a/hosts/sif/libvirt/default.nix b/hosts/sif/libvirt/default.nix
index d0be7dff..9712d0d9 100644
--- a/hosts/sif/libvirt/default.nix
+++ b/hosts/sif/libvirt/default.nix
@@ -8,6 +8,7 @@ with flakeInputs.nixVirt.lib;
8 qemu.swtpm.enable = true; 8 qemu.swtpm.enable = true;
9 allowedBridges = ["virbr0" "rz-0971" "rz-2403"]; 9 allowedBridges = ["virbr0" "rz-0971" "rz-2403"];
10 }; 10 };
11 virtualisation.spiceUSBRedirection.enable = true;
11 virtualisation.libvirt = { 12 virtualisation.libvirt = {
12 enable = true; 13 enable = true;
13 swtpm.enable = true; 14 swtpm.enable = true;
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
deleted file mode 100644
index f36cd599..00000000
--- a/hosts/sif/mail/default.nix
+++ /dev/null
@@ -1,70 +0,0 @@
1{ config, pkgs, ... }:
2{
3 services.postfix = {
4 enable = true;
5 enableSmtp = true;
6 enableSubmission = false;
7 setSendmail = true;
8 networksStyle = "host";
9 hostname = "sif.midgard.yggdrasil";
10 destination = [];
11 relayHost = "uucp:ymir";
12 recipientDelimiter = "+";
13 masterConfig = {
14 uucp = {
15 type = "unix";
16 private = true;
17 privileged = true;
18 chroot = false;
19 command = "pipe";
20 args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
21 };
22 smtps = {
23 type = "unix";
24 private = true;
25 privileged = true;
26 chroot = false;
27 command = "smtp";
28 args = [ "-o" "smtp_tls_wrappermode=yes" "-o" "smtp_tls_security_level=encrypt" ];
29 };
30 };
31 config = {
32 default_transport = "uucp:ymir";
33
34 inet_interfaces = "loopback-only";
35
36 authorized_submit_users = ["!uucp" "static:anyone"];
37 message_size_limit = "0";
38
39 sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
40 /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
41 /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
42 /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
43 /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
44 ''}'';
45 sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
46 /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
47 /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
48 ''}'';
49
50 smtp_sasl_auth_enable = true;
51 smtp_sender_dependent_authentication = true;
52 smtp_sasl_tls_security_options = "noanonymous";
53 smtp_sasl_mechanism_filter = ["plain"];
54 smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
55 smtp_cname_overrides_servername = false;
56 smtp_always_send_ehlo = true;
57 smtp_tls_security_level = "dane";
58
59 smtp_tls_loglevel = "1";
60 smtp_dns_support_level = "dnssec";
61 };
62 };
63
64 sops.secrets.postfix-sasl-passwd = {
65 key = "sasl-passwd";
66 path = "/var/db/postfix/sasl_passwd";
67 owner = "postfix";
68 sopsFile = ./secrets.yaml;
69 };
70}
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 2af8b2ee..62339f69 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -61,7 +61,7 @@ table inet filter {
61 counter mosh-rx {} 61 counter mosh-rx {}
62 counter wg-rx {} 62 counter wg-rx {}
63 counter yggdrasil-gre-rx {} 63 counter yggdrasil-gre-rx {}
64 counter quickserve-rx {} 64 counter miniserve-rx {}
65 counter ausweisapp2-rx {} 65 counter ausweisapp2-rx {}
66 66
67 counter established-rx {} 67 counter established-rx {}
@@ -81,7 +81,7 @@ table inet filter {
81 counter mosh-tx {} 81 counter mosh-tx {}
82 counter wg-tx {} 82 counter wg-tx {}
83 counter yggdrasil-gre-tx {} 83 counter yggdrasil-gre-tx {}
84 counter quickserve-tx {} 84 counter miniserve-tx {}
85 85
86 counter tx {} 86 counter tx {}
87 87
@@ -134,7 +134,7 @@ table inet filter {
134 tcp dport 22 counter name ssh-rx accept 134 tcp dport 22 counter name ssh-rx accept
135 udp dport 60000-61000 counter name mosh-rx accept 135 udp dport 60000-61000 counter name mosh-rx accept
136 136
137 tcp dport 8000 counter name quickserve-rx accept 137 tcp dport 8080 counter name miniserve-rx accept
138 udp dport 24727 counter name ausweisapp2-rx accept 138 udp dport 24727 counter name ausweisapp2-rx accept
139 139
140 udp dport 51820-51822 counter name wg-rx accept 140 udp dport 51820-51822 counter name wg-rx accept
@@ -173,7 +173,7 @@ table inet filter {
173 udp sport 51820-51822 counter name wg-tx 173 udp sport 51820-51822 counter name wg-tx
174 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx 174 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
175 175
176 tcp sport 8000 counter name quickserve-tx accept 176 tcp sport 8080 counter name miniserve-tx accept
177 177
178 oifname virbr0 udp sport 67 counter name libvirt-dhcp accept 178 oifname virbr0 udp sport 67 counter name libvirt-dhcp accept
179 oifname virbr0 udp sport 547 counter name libvirt-dhcp accept 179 oifname virbr0 udp sport 547 counter name libvirt-dhcp accept
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-01 09:50:28 +0000