summaryrefslogtreecommitdiff
path: root/hosts/sif
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/sif')
-rw-r--r--hosts/sif/default.nix70
-rw-r--r--hosts/sif/email/default.nix111
-rw-r--r--hosts/sif/email/relay.crt11
-rw-r--r--hosts/sif/email/relay.key19
-rw-r--r--hosts/sif/email/secrets.yaml (renamed from hosts/sif/mail/secrets.yaml)0
-rw-r--r--hosts/sif/hw.nix2
-rw-r--r--hosts/sif/mail/default.nix70
7 files changed, 170 insertions, 113 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index b50cad60..ed85ca17 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,10 +12,9 @@ let
12in { 12in {
13 imports = with flake.nixosModules.systemProfiles; [ 13 imports = with flake.nixosModules.systemProfiles; [
14 ./hw.nix 14 ./hw.nix
15 ./mail ./libvirt ./greetd 15 ./email ./libvirt ./greetd
16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager 16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote
17 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 17 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
18 flakeInputs.impermanence.nixosModules.impermanence
19 flakeInputs.nixVirt.nixosModules.default 18 flakeInputs.nixVirt.nixosModules.default
20 ]; 19 ];
21 20
@@ -34,6 +33,10 @@ in {
34 initrd = { 33 initrd = {
35 systemd = { 34 systemd = {
36 emergencyAccess = config.users.users.root.hashedPassword; 35 emergencyAccess = config.users.users.root.hashedPassword;
36 extraBin = {
37 "vim" = lib.getExe pkgs.vim;
38 "grep" = lib.getExe pkgs.gnugrep;
39 };
37 }; 40 };
38 luks.devices = { 41 luks.devices = {
39 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; }; 42 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; };
@@ -47,13 +50,8 @@ in {
47 50
48 blacklistedKernelModules = [ "nouveau" ]; 51 blacklistedKernelModules = [ "nouveau" ];
49 52
50 # Use the systemd-boot EFI boot loader. 53 lanzaboote.configurationLimit = 15;
51 loader = { 54 loader = {
52 systemd-boot = {
53 enable = true;
54 configurationLimit = 15;
55 netbootxyz.enable = true;
56 };
57 efi.canTouchEfiVariables = true; 55 efi.canTouchEfiVariables = true;
58 timeout = null; 56 timeout = null;
59 }; 57 };
@@ -64,19 +62,27 @@ in {
64 kernelPatches = [ 62 kernelPatches = [
65 { name = "edac-config"; 63 { name = "edac-config";
66 patch = null; 64 patch = null;
67 extraStructuredConfig = with lib.kernel; { 65 structuredExtraConfig = with lib.kernel; {
68 EDAC = yes; 66 EDAC = yes;
69 EDAC_IE31200 = yes; 67 EDAC_IE31200 = yes;
70 }; 68 };
71 } 69 }
72 { name = "zswap-default"; 70 { name = "zswap-default";
73 patch = null; 71 patch = null;
74 extraStructuredConfig = with lib.kernel; { 72 structuredExtraConfig = with lib.kernel; {
75 ZSWAP_DEFAULT_ON = yes; 73 ZSWAP_DEFAULT_ON = yes;
76 ZSWAP_SHRINKER_DEFAULT_ON = yes; 74 ZSWAP_SHRINKER_DEFAULT_ON = yes;
77 }; 75 };
78 } 76 }
79 ]; 77 ];
78 consoleLogLevel = 3;
79 kernelParams = [
80 "quiet"
81 "boot.shell_on_fail"
82 "udev.log_priority=3"
83 "rd.systemd.show_status=auto"
84 "plymouth.use-simpledrm"
85 ];
80 86
81 tmp.useTmpfs = true; 87 tmp.useTmpfs = true;
82 88
@@ -98,6 +104,8 @@ in {
98 server ptbtime2.ptb.de prefer iburst nts 104 server ptbtime2.ptb.de prefer iburst nts
99 server ptbtime3.ptb.de prefer iburst nts 105 server ptbtime3.ptb.de prefer iburst nts
100 server ptbtime4.ptb.de prefer iburst nts 106 server ptbtime4.ptb.de prefer iburst nts
107 pool ntppool1.time.nl prefer iburst nts
108 pool ntppool2.time.nl prefer iburst nts
101 109
102 authselectmode require 110 authselectmode require
103 minsources 3 111 minsources 3
@@ -130,6 +138,12 @@ in {
130 useNetworkd = true; 138 useNetworkd = true;
131 }; 139 };
132 140
141 environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = {
142 text = ''
143 conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf
144 dnssec
145 '';
146 };
133 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = { 147 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
134 text = '' 148 text = ''
135 except-interface=virbr0 149 except-interface=virbr0
@@ -372,19 +386,6 @@ in {
372 ]; 386 ];
373 387
374 services = { 388 services = {
375 uucp = {
376 enable = true;
377 nodeName = "sif";
378 remoteNodes = {
379 "ymir" = {
380 publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
381 hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
382 };
383 };
384
385 defaultCommands = lib.mkForce [];
386 };
387
388 avahi.enable = true; 389 avahi.enable = true;
389 390
390 fwupd.enable = true; 391 fwupd.enable = true;
@@ -446,11 +447,6 @@ in {
446 447
447 systemd.tmpfiles.settings = { 448 systemd.tmpfiles.settings = {
448 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime"; 449 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime";
449
450 # "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" {
451 # last_user = "gkleen";
452 # user_to_last_sess.gkleen = "Niri";
453 # });
454 }; 450 };
455 451
456 users = { 452 users = {
@@ -679,25 +675,15 @@ in {
679 "/var/lib/bluetooth" 675 "/var/lib/bluetooth"
680 "/var/lib/upower" 676 "/var/lib/upower"
681 "/var/lib/postfix" 677 "/var/lib/postfix"
678 "/var/lib/regreet"
682 "/etc/NetworkManager/system-connections" 679 "/etc/NetworkManager/system-connections"
683 { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; } 680 config.boot.lanzaboote.pkiBundle
684 { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; }
685 ]; 681 ];
686 files = [ 682 files = [
687 ]; 683 ];
684 timezone = true;
688 }; 685 };
689 686
690 systemd.services.timezone = {
691 wantedBy = [ "multi-user.target" ];
692 serviceConfig = {
693 Type = "oneshot";
694 RemainAfterExit = true;
695 ExecStart = "${pkgs.coreutils}/bin/cp -vP /.bcachefs/etc/localtime /etc/localtime";
696 ExecStop = "${pkgs.coreutils}/bin/cp -vP /etc/localtime /.bcachefs/etc/localtime";
697 };
698 };
699 services.tzupdate.enable = true;
700
701 security.pam.services.gtklock = {}; 687 security.pam.services.gtklock = {};
702 688
703 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ]; 689 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];
diff --git a/hosts/sif/email/default.nix b/hosts/sif/email/default.nix
new file mode 100644
index 00000000..bebf7980
--- /dev/null
+++ b/hosts/sif/email/default.nix
@@ -0,0 +1,111 @@
1{ config, lib, pkgs, ... }:
2{
3 services.postfix = {
4 enable = true;
5 enableSmtp = false;
6 enableSubmission = false;
7 setSendmail = true;
8 # networksStyle = "host";
9 settings.main = {
10 recpipient_delimiter = "+";
11 mydestination = [];
12 myhostname = "sif.midgard.yggdrasil";
13
14 mydomain = "yggdrasil.li";
15
16 local_transport = "error:5.1.1 No local delivery";
17 alias_database = [];
18 alias_maps = [];
19 local_recipient_maps = [];
20
21 inet_interfaces = "loopback-only";
22
23 message_size_limit = 0;
24
25 authorized_submit_users = "inline:{ gkleen= }";
26 authorized_flush_users = "inline:{ gkleen= }";
27 authorized_mailq_users = "inline:{ gkleen= }";
28
29 smtp_generic_maps = "inline:{ root=root+sif }";
30
31 mynetworks = ["127.0.0.0/8" "[::1]/128"];
32 smtpd_client_restrictions = ["permit_mynetworks" "reject"];
33 smtpd_relay_restrictions = ["permit_mynetworks" "reject"];
34
35 sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
36 /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
37 /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
38 /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
39 /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
40 ''}'';
41 sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
42 /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
43 /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
44 ''}'';
45 relayhost = ["[surtr.yggdrasil.li]:465"];
46 default_transport = "relay";
47
48 smtp_sasl_auth_enable = true;
49 smtp_sender_dependent_authentication = true;
50 smtp_sasl_tls_security_options = "noanonymous";
51 smtp_sasl_mechanism_filter = ["plain"];
52 smtp_sasl_password_maps = "regexp:/run/credentials/postfix.service/sasl_passwd";
53 smtp_cname_overrides_servername = false;
54 smtp_always_send_ehlo = true;
55 smtp_tls_security_level = "dane";
56
57 smtp_tls_loglevel = "1";
58 smtp_dns_support_level = "dnssec";
59 };
60 settings.master = {
61 submission = {
62 type = "inet";
63 private = false;
64 command = "smtpd";
65 args = [
66 "-o" "syslog_name=postfix/$service_name"
67 ];
68 };
69 smtp = { };
70 smtps = {
71 type = "unix";
72 private = true;
73 privileged = true;
74 chroot = false;
75 command = "smtp";
76 args = [
77 "-o" "smtp_tls_wrappermode=yes"
78 "-o" "smtp_tls_security_level=encrypt"
79 ];
80 };
81 relay = {
82 command = "smtp";
83 args = [
84 "-o" "smtp_fallback_relay="
85 "-o" "smtp_tls_security_level=verify"
86 "-o" "smtp_tls_wrappermode=yes"
87 "-o" "smtp_tls_cert_file=${./relay.crt}"
88 "-o" "smtp_tls_key_file=/run/credentials/postfix.service/relay.key"
89 ];
90 };
91 };
92 };
93
94 systemd.services.postfix = {
95 serviceConfig.LoadCredential = [
96 "sasl_passwd:${config.sops.secrets."postfix-sasl-passwd".path}"
97 "relay.key:${config.sops.secrets."relay-key".path}"
98 ];
99 };
100
101 sops.secrets = {
102 postfix-sasl-passwd = {
103 key = "sasl-passwd";
104 sopsFile = ./secrets.yaml;
105 };
106 relay-key = {
107 format = "binary";
108 sopsFile = ./relay.key;
109 };
110 };
111}
diff --git a/hosts/sif/email/relay.crt b/hosts/sif/email/relay.crt
new file mode 100644
index 00000000..ac13e7cb
--- /dev/null
+++ b/hosts/sif/email/relay.crt
@@ -0,0 +1,11 @@
1-----BEGIN CERTIFICATE-----
2MIIBjDCCAQygAwIBAgIPQAAAAGgLfNoL/PSMAsutMAUGAytlcTAXMRUwEwYDVQQD
3DAx5Z2dkcmFzaWwubGkwHhcNMjUwNDI1MTIwOTQ1WhcNMzUwNDI2MTIxNDQ1WjAR
4MQ8wDQYDVQQDDAZna2xlZW4wKjAFBgMrZXADIQB3outi3/3F4YO7Q97WAAaMHW0a
5m+Blldrgee+EZnWnD6N1MHMwHwYDVR0jBBgwFoAUTtn+VjMw6Ge1f68KD8dT1CWn
6l3YwHQYDVR0OBBYEFFOa4rYZYMbXUVdKv98NB504GUhjMA4GA1UdDwEB/wQEAwID
76DAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAUGAytlcQNzABC0
80UgIt7gLZrU1TmzGoqPBris8R1DbKOJacicF5CU0MIIjHcX7mPFW8KtB4qm6KcPq
9kF6IaEPmgKpX3Nubk8HJik9vhIy9ysfINcVTvzXx8pO1bxbvREJRyA/apj10nzav
10yauId0cXHvN6g5RLAMsMAA==
11-----END CERTIFICATE-----
diff --git a/hosts/sif/email/relay.key b/hosts/sif/email/relay.key
new file mode 100644
index 00000000..412a44e0
--- /dev/null
+++ b/hosts/sif/email/relay.key
@@ -0,0 +1,19 @@
1{
2 "data": "ENC[AES256_GCM,data:lBlTuzOS75pvRmcTKT4KhHMH44RlE2SvCFAUP+GfsXws1Uai7DZ1MmbhvxxCa+pcLW19+sQYxrXLRNZWby1yOeKBJ2UQeYV5LOk9LSL/WIE3FZkCo5Dv0O0gSFKjjb61WN22a4JnHbLWADf/mLT3GZv91XfvFDo=,iv:ho8wQH3UNzX9JPW5gVcUGtxZzdVwsMFus0Z4KYe5t48=,tag:dAgZyHOva2xVVhE1nTl+lg==,type:str]",
3 "sops": {
4 "age": [
5 {
6 "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
7 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eTVRSUdFNUZGZmcxSUlT\nWmlsOGNyWXIzMGNTZjlKbXlhcEdZUXFRVkR3Cll0T0RMd0h2UW16QkR3SHlhYmNZ\nNDFrYXh3Rkp5NWsvcWc3UFJJaHVwT1UKLS0tIHhXVEI0VHBZVkpDQ1FzWENjMmJH\nb1FQWXVUUTBiZ1pKWG00MTNqVEo2SjAKK3VOU+QgRuxWYWEcrJiVMRFCprBICz4F\ngD+9zuPUzPezyJkYwTs+M+wX5GYkXppqm5W58yQLS2UDD38sr+SRjg==\n-----END AGE ENCRYPTED FILE-----\n"
8 },
9 {
10 "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWmJmZDVFazN2bDY1TkNG\nNXpJN2twMFFjZUxMTVdSNzJwQTFiYktrcGdrCjk4eFVHTko0bFVMSlFFWm9tbjMr\nbWNHMEQ1Rm1qUVhodlB1RGw2aDc4TUEKLS0tIERBK0J5NkN4OXJEZ1ZOZXhNc1Jm\naWNnUmZGbTIxdmNkYi9TZ2h2bGs3MVEKPQGaEf7M/5/xvSOfawpIp50fB3QfFSuz\nPgkrPMneaBeUx+uBYMyEFX4rpzLIBR3pnYMjAfoc+bjWaOtGQuEqyQ==\n-----END AGE ENCRYPTED FILE-----\n"
12 }
13 ],
14 "lastmodified": "2025-04-25T12:14:44Z",
15 "mac": "ENC[AES256_GCM,data:pObl2bJA93az9E3Ya+hA3ekI8TKKZ9NNTi0KzmWZBOiQwi9FuQYtpnmmT80L1KXWyOKJV6wGdAri3mNe/ue2S0TziSbQ/4+Dj4ubFKgkH7thb5q2dFyxw5FzhYzRQiXFqD/pxcNN9uL0lQI2Al0Eci0zX8Kcd1rAQ6RzLEoSmco=,iv:zo/3QFKTUEDxLy1k5yyU7Z1JMZ7cKdYUc6GHjaTTZKQ=,tag:f63Eja3lBfwJCYAOyEt56g==,type:str]",
16 "unencrypted_suffix": "_unencrypted",
17 "version": "3.10.2"
18 }
19}
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/email/secrets.yaml
index 3c74b710..3c74b710 100644
--- a/hosts/sif/mail/secrets.yaml
+++ b/hosts/sif/email/secrets.yaml
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
index 1bcf0261..e567c37d 100644
--- a/hosts/sif/hw.nix
+++ b/hosts/sif/hw.nix
@@ -25,7 +25,7 @@
25 # system.etc.overlay.enable = false; 25 # system.etc.overlay.enable = false;
26 26
27 boot.initrd.systemd.packages = [ 27 boot.initrd.systemd.packages = [
28 (pkgs.writeTextDir "/etc/systemd/system/\\x2ebcachefs.mount.d/block_scan.conf" '' 28 (pkgs.writeTextDir "/etc/systemd/system/sysroot-.bcachefs.mount.d/block_scan.conf" ''
29 [Mount] 29 [Mount]
30 Environment=BCACHEFS_BLOCK_SCAN=1 30 Environment=BCACHEFS_BLOCK_SCAN=1
31 '') 31 '')
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
deleted file mode 100644
index 8d6cd705..00000000
--- a/hosts/sif/mail/default.nix
+++ /dev/null
@@ -1,70 +0,0 @@
1{ config, lib, pkgs, ... }:
2{
3 services.postfix = {
4 enable = true;
5 enableSmtp = true;
6 enableSubmission = false;
7 setSendmail = true;
8 networksStyle = "host";
9 hostname = "sif.midgard.yggdrasil";
10 destination = [];
11 relayHost = "uucp:ymir";
12 recipientDelimiter = "+";
13 masterConfig = {
14 uucp = {
15 type = "unix";
16 private = true;
17 privileged = true;
18 chroot = false;
19 command = "pipe";
20 args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
21 };
22 smtps = {
23 type = "unix";
24 private = true;
25 privileged = true;
26 chroot = false;
27 command = "smtp";
28 args = [ "-o" "smtp_tls_wrappermode=yes" "-o" "smtp_tls_security_level=encrypt" ];
29 };
30 };
31 config = {
32 default_transport = "uucp:ymir";
33
34 inet_interfaces = "loopback-only";
35
36 authorized_submit_users = ["!uucp" "static:anyone"];
37 message_size_limit = "0";
38
39 sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
40 /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
41 /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
42 /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
43 /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
44 ''}'';
45 sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
46 /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
47 /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
48 ''}'';
49
50 smtp_sasl_auth_enable = true;
51 smtp_sender_dependent_authentication = true;
52 smtp_sasl_tls_security_options = "noanonymous";
53 smtp_sasl_mechanism_filter = ["plain"];
54 smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
55 smtp_cname_overrides_servername = false;
56 smtp_always_send_ehlo = true;
57 smtp_tls_security_level = "dane";
58
59 smtp_tls_loglevel = "1";
60 smtp_dns_support_level = "dnssec";
61 };
62 };
63
64 sops.secrets.postfix-sasl-passwd = {
65 key = "sasl-passwd";
66 path = "/var/db/postfix/sasl_passwd";
67 owner = "postfix";
68 sopsFile = ./secrets.yaml;
69 };
70}
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-18 16:33:53 +0000