summaryrefslogtreecommitdiff
path: root/hosts/sif
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/sif')
-rw-r--r--hosts/sif/default.nix141
-rw-r--r--hosts/sif/email/default.nix111
-rw-r--r--hosts/sif/email/relay.crt11
-rw-r--r--hosts/sif/email/relay.key19
-rw-r--r--hosts/sif/email/secrets.yaml (renamed from hosts/sif/mail/secrets.yaml)0
-rw-r--r--hosts/sif/greetd/default.nix5
-rw-r--r--hosts/sif/greetd/wallpaper.pngbin132 -> 6073128 bytes
-rw-r--r--hosts/sif/hw.nix2
-rw-r--r--hosts/sif/mail/default.nix70
-rw-r--r--hosts/sif/ruleset.nft8
10 files changed, 189 insertions, 178 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 9de16de3..ed85ca17 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,10 +12,9 @@ let
12in { 12in {
13 imports = with flake.nixosModules.systemProfiles; [ 13 imports = with flake.nixosModules.systemProfiles; [
14 ./hw.nix 14 ./hw.nix
15 ./mail ./libvirt ./greetd 15 ./email ./libvirt ./greetd
16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager 16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote
17 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 17 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
18 flakeInputs.impermanence.nixosModules.impermanence
19 flakeInputs.nixVirt.nixosModules.default 18 flakeInputs.nixVirt.nixosModules.default
20 ]; 19 ];
21 20
@@ -26,9 +25,6 @@ in {
26 allowUnfree = true; 25 allowUnfree = true;
27 pulseaudio = true; 26 pulseaudio = true;
28 }; 27 };
29 extraOverlays = [
30 flakeInputs.niri-flake.overlays.niri
31 ];
32 }; 28 };
33 29
34 time.timeZone = null; 30 time.timeZone = null;
@@ -37,6 +33,10 @@ in {
37 initrd = { 33 initrd = {
38 systemd = { 34 systemd = {
39 emergencyAccess = config.users.users.root.hashedPassword; 35 emergencyAccess = config.users.users.root.hashedPassword;
36 extraBin = {
37 "vim" = lib.getExe pkgs.vim;
38 "grep" = lib.getExe pkgs.gnugrep;
39 };
40 }; 40 };
41 luks.devices = { 41 luks.devices = {
42 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; }; 42 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; };
@@ -50,12 +50,8 @@ in {
50 50
51 blacklistedKernelModules = [ "nouveau" ]; 51 blacklistedKernelModules = [ "nouveau" ];
52 52
53 # Use the systemd-boot EFI boot loader. 53 lanzaboote.configurationLimit = 15;
54 loader = { 54 loader = {
55 systemd-boot = {
56 enable = true;
57 configurationLimit = 15;
58 };
59 efi.canTouchEfiVariables = true; 55 efi.canTouchEfiVariables = true;
60 timeout = null; 56 timeout = null;
61 }; 57 };
@@ -66,19 +62,27 @@ in {
66 kernelPatches = [ 62 kernelPatches = [
67 { name = "edac-config"; 63 { name = "edac-config";
68 patch = null; 64 patch = null;
69 extraStructuredConfig = with lib.kernel; { 65 structuredExtraConfig = with lib.kernel; {
70 EDAC = yes; 66 EDAC = yes;
71 EDAC_IE31200 = yes; 67 EDAC_IE31200 = yes;
72 }; 68 };
73 } 69 }
74 { name = "zswap-default"; 70 { name = "zswap-default";
75 patch = null; 71 patch = null;
76 extraStructuredConfig = with lib.kernel; { 72 structuredExtraConfig = with lib.kernel; {
77 ZSWAP_DEFAULT_ON = yes; 73 ZSWAP_DEFAULT_ON = yes;
78 ZSWAP_SHRINKER_DEFAULT_ON = yes; 74 ZSWAP_SHRINKER_DEFAULT_ON = yes;
79 }; 75 };
80 } 76 }
81 ]; 77 ];
78 consoleLogLevel = 3;
79 kernelParams = [
80 "quiet"
81 "boot.shell_on_fail"
82 "udev.log_priority=3"
83 "rd.systemd.show_status=auto"
84 "plymouth.use-simpledrm"
85 ];
82 86
83 tmp.useTmpfs = true; 87 tmp.useTmpfs = true;
84 88
@@ -100,6 +104,8 @@ in {
100 server ptbtime2.ptb.de prefer iburst nts 104 server ptbtime2.ptb.de prefer iburst nts
101 server ptbtime3.ptb.de prefer iburst nts 105 server ptbtime3.ptb.de prefer iburst nts
102 server ptbtime4.ptb.de prefer iburst nts 106 server ptbtime4.ptb.de prefer iburst nts
107 pool ntppool1.time.nl prefer iburst nts
108 pool ntppool2.time.nl prefer iburst nts
103 109
104 authselectmode require 110 authselectmode require
105 minsources 3 111 minsources 3
@@ -128,40 +134,16 @@ in {
128 rulesetFile = ./ruleset.nft; 134 rulesetFile = ./ruleset.nft;
129 }; 135 };
130 136
131 # firewall = {
132 # enable = true;
133 # allowedTCPPorts = [ 22 # ssh
134 # 8000 # quickserve
135 # ];
136 # };
137
138 # wlanInterfaces = {
139 # wlan0 = {
140 # device = "wlp82s0";
141 # };
142 # };
143
144 # bonds = {
145 # "lan" = {
146 # interfaces = [ "wlan0" "enp0s31f6" "dock0" ];
147 # driverOptions = {
148 # miimon = "1000";
149 # mode = "active-backup";
150 # primary_reselect = "always";
151 # };
152 # };
153 # };
154
155 useDHCP = false; 137 useDHCP = false;
156 useNetworkd = true; 138 useNetworkd = true;
157
158 # interfaces."tinc.yggdrasil" = {
159 # virtual = true;
160 # virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
161 # macAddress = "5c:93:21:c3:61:39";
162 # };
163 }; 139 };
164 140
141 environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = {
142 text = ''
143 conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf
144 dnssec
145 '';
146 };
165 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = { 147 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
166 text = '' 148 text = ''
167 except-interface=virbr0 149 except-interface=virbr0
@@ -404,19 +386,6 @@ in {
404 ]; 386 ];
405 387
406 services = { 388 services = {
407 uucp = {
408 enable = true;
409 nodeName = "sif";
410 remoteNodes = {
411 "ymir" = {
412 publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
413 hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
414 };
415 };
416
417 defaultCommands = lib.mkForce [];
418 };
419
420 avahi.enable = true; 389 avahi.enable = true;
421 390
422 fwupd.enable = true; 391 fwupd.enable = true;
@@ -435,8 +404,8 @@ in {
435 404
436 logind = { 405 logind = {
437 lidSwitch = "suspend"; 406 lidSwitch = "suspend";
438 lidSwitchDocked = "lock"; 407 lidSwitchDocked = "ignore";
439 lidSwitchExternalPower = "lock"; 408 lidSwitchExternalPower = "ignore";
440 }; 409 };
441 410
442 atd = { 411 atd = {
@@ -470,17 +439,14 @@ in {
470 exportConfiguration = true; 439 exportConfiguration = true;
471 }; 440 };
472 libinput.enable = true; 441 libinput.enable = true;
473 };
474 442
475 programs.niri.enable = true; 443 envfs.enable = false;
444
445 displayManager.defaultSession = "Niri";
446 };
476 447
477 systemd.tmpfiles.settings = { 448 systemd.tmpfiles.settings = {
478 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime"; 449 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime";
479
480 "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" {
481 last_user = "gkleen";
482 user_to_last_sess.gkleen = "Niri";
483 });
484 }; 450 };
485 451
486 users = { 452 users = {
@@ -589,7 +555,7 @@ in {
589 }; 555 };
590 556
591 nvidia = { 557 nvidia = {
592 open = true; 558 open = false;
593 modesetting.enable = true; 559 modesetting.enable = true;
594 powerManagement.enable = true; 560 powerManagement.enable = true;
595 # prime = { 561 # prime = {
@@ -640,25 +606,6 @@ in {
640 606
641 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; 607 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
642 608
643 systemd.services."ac-plugged" = {
644 description = "Inhibit handling of lid-switch and sleep";
645
646 path = with pkgs; [ systemd coreutils ];
647
648 script = ''
649 exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
650 '';
651
652 serviceConfig = {
653 Type = "simple";
654 };
655 };
656
657 services.udev.extraRules = with pkgs; lib.mkAfter ''
658 SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
659 SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
660 '';
661
662 systemd.services."nix-daemon".serviceConfig = { 609 systemd.services."nix-daemon".serviceConfig = {
663 MemoryAccounting = true; 610 MemoryAccounting = true;
664 MemoryHigh = "50%"; 611 MemoryHigh = "50%";
@@ -680,6 +627,8 @@ in {
680 light.enable = true; 627 light.enable = true;
681 wireshark.enable = true; 628 wireshark.enable = true;
682 dconf.enable = true; 629 dconf.enable = true;
630 niri.enable = true;
631 fuse.userAllowOther = true;
683 }; 632 };
684 633
685 services.pcscd.enable = true; 634 services.pcscd.enable = true;
@@ -716,43 +665,29 @@ in {
716 directories = [ 665 directories = [
717 "/nix" 666 "/nix"
718 "/root" 667 "/root"
668 "/home"
719 "/var/log" 669 "/var/log"
720 "/var/lib/sops-nix" 670 "/var/lib/sops-nix"
721 "/var/lib/nixos" 671 "/var/lib/nixos"
722 "/var/lib/systemd" 672 "/var/lib/systemd"
723 "/home"
724 "/var/lib/chrony" 673 "/var/lib/chrony"
725 "/var/lib/fprint" 674 "/var/lib/fprint"
726 "/var/lib/bluetooth" 675 "/var/lib/bluetooth"
727 "/var/lib/upower" 676 "/var/lib/upower"
728 "/var/lib/postfix" 677 "/var/lib/postfix"
678 "/var/lib/regreet"
729 "/etc/NetworkManager/system-connections" 679 "/etc/NetworkManager/system-connections"
730 { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; } 680 config.boot.lanzaboote.pkiBundle
731 { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; }
732 ]; 681 ];
733 files = [ 682 files = [
734 ]; 683 ];
684 timezone = true;
735 }; 685 };
736 686
737 systemd.services.timezone = {
738 wantedBy = [ "multi-user.target" ];
739 serviceConfig = {
740 Type = "oneshot";
741 RemainAfterExit = true;
742 ExecStart = "${pkgs.coreutils}/bin/cp -vP /.bcachefs/etc/localtime /etc/localtime";
743 ExecStop = "${pkgs.coreutils}/bin/cp -vP /etc/localtime /.bcachefs/etc/localtime";
744 };
745 };
746 services.tzupdate.enable = true;
747
748 security.pam.services.gtklock = {}; 687 security.pam.services.gtklock = {};
749 688
750 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ]; 689 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];
751 690
752 environment.pathsToLink = [
753 "share/zsh"
754 ];
755
756 system.stateVersion = "24.11"; 691 system.stateVersion = "24.11";
757 }; 692 };
758} 693}
diff --git a/hosts/sif/email/default.nix b/hosts/sif/email/default.nix
new file mode 100644
index 00000000..bebf7980
--- /dev/null
+++ b/hosts/sif/email/default.nix
@@ -0,0 +1,111 @@
1{ config, lib, pkgs, ... }:
2{
3 services.postfix = {
4 enable = true;
5 enableSmtp = false;
6 enableSubmission = false;
7 setSendmail = true;
8 # networksStyle = "host";
9 settings.main = {
10 recpipient_delimiter = "+";
11 mydestination = [];
12 myhostname = "sif.midgard.yggdrasil";
13
14 mydomain = "yggdrasil.li";
15
16 local_transport = "error:5.1.1 No local delivery";
17 alias_database = [];
18 alias_maps = [];
19 local_recipient_maps = [];
20
21 inet_interfaces = "loopback-only";
22
23 message_size_limit = 0;
24
25 authorized_submit_users = "inline:{ gkleen= }";
26 authorized_flush_users = "inline:{ gkleen= }";
27 authorized_mailq_users = "inline:{ gkleen= }";
28
29 smtp_generic_maps = "inline:{ root=root+sif }";
30
31 mynetworks = ["127.0.0.0/8" "[::1]/128"];
32 smtpd_client_restrictions = ["permit_mynetworks" "reject"];
33 smtpd_relay_restrictions = ["permit_mynetworks" "reject"];
34
35 sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
36 /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
37 /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
38 /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
39 /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
40 ''}'';
41 sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
42 /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
43 /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
44 ''}'';
45 relayhost = ["[surtr.yggdrasil.li]:465"];
46 default_transport = "relay";
47
48 smtp_sasl_auth_enable = true;
49 smtp_sender_dependent_authentication = true;
50 smtp_sasl_tls_security_options = "noanonymous";
51 smtp_sasl_mechanism_filter = ["plain"];
52 smtp_sasl_password_maps = "regexp:/run/credentials/postfix.service/sasl_passwd";
53 smtp_cname_overrides_servername = false;
54 smtp_always_send_ehlo = true;
55 smtp_tls_security_level = "dane";
56
57 smtp_tls_loglevel = "1";
58 smtp_dns_support_level = "dnssec";
59 };
60 settings.master = {
61 submission = {
62 type = "inet";
63 private = false;
64 command = "smtpd";
65 args = [
66 "-o" "syslog_name=postfix/$service_name"
67 ];
68 };
69 smtp = { };
70 smtps = {
71 type = "unix";
72 private = true;
73 privileged = true;
74 chroot = false;
75 command = "smtp";
76 args = [
77 "-o" "smtp_tls_wrappermode=yes"
78 "-o" "smtp_tls_security_level=encrypt"
79 ];
80 };
81 relay = {
82 command = "smtp";
83 args = [
84 "-o" "smtp_fallback_relay="
85 "-o" "smtp_tls_security_level=verify"
86 "-o" "smtp_tls_wrappermode=yes"
87 "-o" "smtp_tls_cert_file=${./relay.crt}"
88 "-o" "smtp_tls_key_file=/run/credentials/postfix.service/relay.key"
89 ];
90 };
91 };
92 };
93
94 systemd.services.postfix = {
95 serviceConfig.LoadCredential = [
96 "sasl_passwd:${config.sops.secrets."postfix-sasl-passwd".path}"
97 "relay.key:${config.sops.secrets."relay-key".path}"
98 ];
99 };
100
101 sops.secrets = {
102 postfix-sasl-passwd = {
103 key = "sasl-passwd";
104 sopsFile = ./secrets.yaml;
105 };
106 relay-key = {
107 format = "binary";
108 sopsFile = ./relay.key;
109 };
110 };
111}
diff --git a/hosts/sif/email/relay.crt b/hosts/sif/email/relay.crt
new file mode 100644
index 00000000..ac13e7cb
--- /dev/null
+++ b/hosts/sif/email/relay.crt
@@ -0,0 +1,11 @@
1-----BEGIN CERTIFICATE-----
2MIIBjDCCAQygAwIBAgIPQAAAAGgLfNoL/PSMAsutMAUGAytlcTAXMRUwEwYDVQQD
3DAx5Z2dkcmFzaWwubGkwHhcNMjUwNDI1MTIwOTQ1WhcNMzUwNDI2MTIxNDQ1WjAR
4MQ8wDQYDVQQDDAZna2xlZW4wKjAFBgMrZXADIQB3outi3/3F4YO7Q97WAAaMHW0a
5m+Blldrgee+EZnWnD6N1MHMwHwYDVR0jBBgwFoAUTtn+VjMw6Ge1f68KD8dT1CWn
6l3YwHQYDVR0OBBYEFFOa4rYZYMbXUVdKv98NB504GUhjMA4GA1UdDwEB/wQEAwID
76DAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAUGAytlcQNzABC0
80UgIt7gLZrU1TmzGoqPBris8R1DbKOJacicF5CU0MIIjHcX7mPFW8KtB4qm6KcPq
9kF6IaEPmgKpX3Nubk8HJik9vhIy9ysfINcVTvzXx8pO1bxbvREJRyA/apj10nzav
10yauId0cXHvN6g5RLAMsMAA==
11-----END CERTIFICATE-----
diff --git a/hosts/sif/email/relay.key b/hosts/sif/email/relay.key
new file mode 100644
index 00000000..412a44e0
--- /dev/null
+++ b/hosts/sif/email/relay.key
@@ -0,0 +1,19 @@
1{
2 "data": "ENC[AES256_GCM,data:lBlTuzOS75pvRmcTKT4KhHMH44RlE2SvCFAUP+GfsXws1Uai7DZ1MmbhvxxCa+pcLW19+sQYxrXLRNZWby1yOeKBJ2UQeYV5LOk9LSL/WIE3FZkCo5Dv0O0gSFKjjb61WN22a4JnHbLWADf/mLT3GZv91XfvFDo=,iv:ho8wQH3UNzX9JPW5gVcUGtxZzdVwsMFus0Z4KYe5t48=,tag:dAgZyHOva2xVVhE1nTl+lg==,type:str]",
3 "sops": {
4 "age": [
5 {
6 "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
7 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eTVRSUdFNUZGZmcxSUlT\nWmlsOGNyWXIzMGNTZjlKbXlhcEdZUXFRVkR3Cll0T0RMd0h2UW16QkR3SHlhYmNZ\nNDFrYXh3Rkp5NWsvcWc3UFJJaHVwT1UKLS0tIHhXVEI0VHBZVkpDQ1FzWENjMmJH\nb1FQWXVUUTBiZ1pKWG00MTNqVEo2SjAKK3VOU+QgRuxWYWEcrJiVMRFCprBICz4F\ngD+9zuPUzPezyJkYwTs+M+wX5GYkXppqm5W58yQLS2UDD38sr+SRjg==\n-----END AGE ENCRYPTED FILE-----\n"
8 },
9 {
10 "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWmJmZDVFazN2bDY1TkNG\nNXpJN2twMFFjZUxMTVdSNzJwQTFiYktrcGdrCjk4eFVHTko0bFVMSlFFWm9tbjMr\nbWNHMEQ1Rm1qUVhodlB1RGw2aDc4TUEKLS0tIERBK0J5NkN4OXJEZ1ZOZXhNc1Jm\naWNnUmZGbTIxdmNkYi9TZ2h2bGs3MVEKPQGaEf7M/5/xvSOfawpIp50fB3QfFSuz\nPgkrPMneaBeUx+uBYMyEFX4rpzLIBR3pnYMjAfoc+bjWaOtGQuEqyQ==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2025-04-25T12:14:44Z",
15 "mac": "ENC[AES256_GCM,data:pObl2bJA93az9E3Ya+hA3ekI8TKKZ9NNTi0KzmWZBOiQwi9FuQYtpnmmT80L1KXWyOKJV6wGdAri3mNe/ue2S0TziSbQ/4+Dj4ubFKgkH7thb5q2dFyxw5FzhYzRQiXFqD/pxcNN9uL0lQI2Al0Eci0zX8Kcd1rAQ6RzLEoSmco=,iv:zo/3QFKTUEDxLy1k5yyU7Z1JMZ7cKdYUc6GHjaTTZKQ=,tag:f63Eja3lBfwJCYAOyEt56g==,type:str]",
16 "unencrypted_suffix": "_unencrypted",
17 "version": "3.10.2"
18 }
19}
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/email/secrets.yaml
index 3c74b710..3c74b710 100644
--- a/hosts/sif/mail/secrets.yaml
+++ b/hosts/sif/email/secrets.yaml
diff --git a/hosts/sif/greetd/default.nix b/hosts/sif/greetd/default.nix
index f609fc05..37ca13c5 100644
--- a/hosts/sif/greetd/default.nix
+++ b/hosts/sif/greetd/default.nix
@@ -11,6 +11,11 @@
11 # exec ${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${lib.getExe cfg.package} 11 # exec ${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${lib.getExe cfg.package}
12 # ''; 12 # '';
13 }; 13 };
14 systemd.services.greetd.environment = {
15 XKB_DEFAULT_LAYOUT = "us,us";
16 XKB_DEFAULT_VARIANT = "dvp,";
17 XKB_DEFAULT_OPTIONS = "compose:caps,grp:win_space_toggle";
18 };
14 programs.regreet = { 19 programs.regreet = {
15 enable = true; 20 enable = true;
16 theme = { 21 theme = {
diff --git a/hosts/sif/greetd/wallpaper.png b/hosts/sif/greetd/wallpaper.png
index f6f6c818..20fc761a 100644
--- a/hosts/sif/greetd/wallpaper.png
+++ b/hosts/sif/greetd/wallpaper.png
Binary files differ
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
index 1bcf0261..e567c37d 100644
--- a/hosts/sif/hw.nix
+++ b/hosts/sif/hw.nix
@@ -25,7 +25,7 @@
25 # system.etc.overlay.enable = false; 25 # system.etc.overlay.enable = false;
26 26
27 boot.initrd.systemd.packages = [ 27 boot.initrd.systemd.packages = [
28 (pkgs.writeTextDir "/etc/systemd/system/\\x2ebcachefs.mount.d/block_scan.conf" '' 28 (pkgs.writeTextDir "/etc/systemd/system/sysroot-.bcachefs.mount.d/block_scan.conf" ''
29 [Mount] 29 [Mount]
30 Environment=BCACHEFS_BLOCK_SCAN=1 30 Environment=BCACHEFS_BLOCK_SCAN=1
31 '') 31 '')
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
deleted file mode 100644
index 8d6cd705..00000000
--- a/hosts/sif/mail/default.nix
+++ /dev/null
@@ -1,70 +0,0 @@
1{ config, lib, pkgs, ... }:
2{
3 services.postfix = {
4 enable = true;
5 enableSmtp = true;
6 enableSubmission = false;
7 setSendmail = true;
8 networksStyle = "host";
9 hostname = "sif.midgard.yggdrasil";
10 destination = [];
11 relayHost = "uucp:ymir";
12 recipientDelimiter = "+";
13 masterConfig = {
14 uucp = {
15 type = "unix";
16 private = true;
17 privileged = true;
18 chroot = false;
19 command = "pipe";
20 args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
21 };
22 smtps = {
23 type = "unix";
24 private = true;
25 privileged = true;
26 chroot = false;
27 command = "smtp";
28 args = [ "-o" "smtp_tls_wrappermode=yes" "-o" "smtp_tls_security_level=encrypt" ];
29 };
30 };
31 config = {
32 default_transport = "uucp:ymir";
33
34 inet_interfaces = "loopback-only";
35
36 authorized_submit_users = ["!uucp" "static:anyone"];
37 message_size_limit = "0";
38
39 sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
40 /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
41 /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
42 /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
43 /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
44 ''}'';
45 sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
46 /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
47 /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
48 ''}'';
49
50 smtp_sasl_auth_enable = true;
51 smtp_sender_dependent_authentication = true;
52 smtp_sasl_tls_security_options = "noanonymous";
53 smtp_sasl_mechanism_filter = ["plain"];
54 smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
55 smtp_cname_overrides_servername = false;
56 smtp_always_send_ehlo = true;
57 smtp_tls_security_level = "dane";
58
59 smtp_tls_loglevel = "1";
60 smtp_dns_support_level = "dnssec";
61 };
62 };
63
64 sops.secrets.postfix-sasl-passwd = {
65 key = "sasl-passwd";
66 path = "/var/db/postfix/sasl_passwd";
67 owner = "postfix";
68 sopsFile = ./secrets.yaml;
69 };
70}
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 2af8b2ee..62339f69 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -61,7 +61,7 @@ table inet filter {
61 counter mosh-rx {} 61 counter mosh-rx {}
62 counter wg-rx {} 62 counter wg-rx {}
63 counter yggdrasil-gre-rx {} 63 counter yggdrasil-gre-rx {}
64 counter quickserve-rx {} 64 counter miniserve-rx {}
65 counter ausweisapp2-rx {} 65 counter ausweisapp2-rx {}
66 66
67 counter established-rx {} 67 counter established-rx {}
@@ -81,7 +81,7 @@ table inet filter {
81 counter mosh-tx {} 81 counter mosh-tx {}
82 counter wg-tx {} 82 counter wg-tx {}
83 counter yggdrasil-gre-tx {} 83 counter yggdrasil-gre-tx {}
84 counter quickserve-tx {} 84 counter miniserve-tx {}
85 85
86 counter tx {} 86 counter tx {}
87 87
@@ -134,7 +134,7 @@ table inet filter {
134 tcp dport 22 counter name ssh-rx accept 134 tcp dport 22 counter name ssh-rx accept
135 udp dport 60000-61000 counter name mosh-rx accept 135 udp dport 60000-61000 counter name mosh-rx accept
136 136
137 tcp dport 8000 counter name quickserve-rx accept 137 tcp dport 8080 counter name miniserve-rx accept
138 udp dport 24727 counter name ausweisapp2-rx accept 138 udp dport 24727 counter name ausweisapp2-rx accept
139 139
140 udp dport 51820-51822 counter name wg-rx accept 140 udp dport 51820-51822 counter name wg-rx accept
@@ -173,7 +173,7 @@ table inet filter {
173 udp sport 51820-51822 counter name wg-tx 173 udp sport 51820-51822 counter name wg-tx
174 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx 174 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
175 175
176 tcp sport 8000 counter name quickserve-tx accept 176 tcp sport 8080 counter name miniserve-tx accept
177 177
178 oifname virbr0 udp sport 67 counter name libvirt-dhcp accept 178 oifname virbr0 udp sport 67 counter name libvirt-dhcp accept
179 oifname virbr0 udp sport 547 counter name libvirt-dhcp accept 179 oifname virbr0 udp sport 547 counter name libvirt-dhcp accept
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-18 21:11:54 +0000