Diffstat (limited to 'hosts/sif')
-rw-r--r--hosts/sif/default.nix78
-rw-r--r--hosts/sif/email/default.nix111
-rw-r--r--hosts/sif/email/relay.crt11
-rw-r--r--hosts/sif/email/relay.key19
-rw-r--r--hosts/sif/email/secrets.yaml (renamed from hosts/sif/mail/secrets.yaml)0
-rw-r--r--hosts/sif/greetd/default.nix123
-rw-r--r--hosts/sif/greetd/wallpaper.pngbin6073128 -> 0 bytes
-rw-r--r--hosts/sif/hw.nix2
-rw-r--r--hosts/sif/mail/default.nix70
9 files changed, 259 insertions, 155 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index b50cad60..fb2dddc6 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,10 +12,9 @@ let
12in { 12in {
13 imports = with flake.nixosModules.systemProfiles; [ 13 imports = with flake.nixosModules.systemProfiles; [
14 ./hw.nix 14 ./hw.nix
15 ./mail ./libvirt ./greetd 15 ./email ./libvirt ./greetd
16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager 16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote
17 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 17 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
18 flakeInputs.impermanence.nixosModules.impermanence
19 flakeInputs.nixVirt.nixosModules.default 18 flakeInputs.nixVirt.nixosModules.default
20 ]; 19 ];
21 20
@@ -34,6 +33,10 @@ in {
34 initrd = { 33 initrd = {
35 systemd = { 34 systemd = {
36 emergencyAccess = config.users.users.root.hashedPassword; 35 emergencyAccess = config.users.users.root.hashedPassword;
36 extraBin = {
37 "vim" = lib.getExe pkgs.vim;
38 "grep" = lib.getExe pkgs.gnugrep;
39 };
37 }; 40 };
38 luks.devices = { 41 luks.devices = {
39 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; }; 42 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; };
@@ -47,13 +50,8 @@ in {
47 50
48 blacklistedKernelModules = [ "nouveau" ]; 51 blacklistedKernelModules = [ "nouveau" ];
49 52
50 # Use the systemd-boot EFI boot loader. 53 lanzaboote.configurationLimit = 15;
51 loader = { 54 loader = {
52 systemd-boot = {
53 enable = true;
54 configurationLimit = 15;
55 netbootxyz.enable = true;
56 };
57 efi.canTouchEfiVariables = true; 55 efi.canTouchEfiVariables = true;
58 timeout = null; 56 timeout = null;
59 }; 57 };
@@ -64,19 +62,27 @@ in {
64 kernelPatches = [ 62 kernelPatches = [
65 { name = "edac-config"; 63 { name = "edac-config";
66 patch = null; 64 patch = null;
67 extraStructuredConfig = with lib.kernel; { 65 structuredExtraConfig = with lib.kernel; {
68 EDAC = yes; 66 EDAC = yes;
69 EDAC_IE31200 = yes; 67 EDAC_IE31200 = yes;
70 }; 68 };
71 } 69 }
72 { name = "zswap-default"; 70 { name = "zswap-default";
73 patch = null; 71 patch = null;
74 extraStructuredConfig = with lib.kernel; { 72 structuredExtraConfig = with lib.kernel; {
75 ZSWAP_DEFAULT_ON = yes; 73 ZSWAP_DEFAULT_ON = yes;
76 ZSWAP_SHRINKER_DEFAULT_ON = yes; 74 ZSWAP_SHRINKER_DEFAULT_ON = yes;
77 }; 75 };
78 } 76 }
79 ]; 77 ];
78 consoleLogLevel = 3;
79 kernelParams = [
80 "quiet"
81 "boot.shell_on_fail"
82 "udev.log_priority=3"
83 "rd.systemd.show_status=auto"
84 "plymouth.use-simpledrm"
85 ];
80 86
81 tmp.useTmpfs = true; 87 tmp.useTmpfs = true;
82 88
@@ -98,6 +104,8 @@ in {
98 server ptbtime2.ptb.de prefer iburst nts 104 server ptbtime2.ptb.de prefer iburst nts
99 server ptbtime3.ptb.de prefer iburst nts 105 server ptbtime3.ptb.de prefer iburst nts
100 server ptbtime4.ptb.de prefer iburst nts 106 server ptbtime4.ptb.de prefer iburst nts
107 pool ntppool1.time.nl prefer iburst nts
108 pool ntppool2.time.nl prefer iburst nts
101 109
102 authselectmode require 110 authselectmode require
103 minsources 3 111 minsources 3
@@ -130,6 +138,12 @@ in {
130 useNetworkd = true; 138 useNetworkd = true;
131 }; 139 };
132 140
141 environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = {
142 text = ''
143 conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf
144 dnssec
145 '';
146 };
133 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = { 147 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
134 text = '' 148 text = ''
135 except-interface=virbr0 149 except-interface=virbr0
@@ -372,19 +386,6 @@ in {
372 ]; 386 ];
373 387
374 services = { 388 services = {
375 uucp = {
376 enable = true;
377 nodeName = "sif";
378 remoteNodes = {
379 "ymir" = {
380 publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
381 hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
382 };
383 };
384
385 defaultCommands = lib.mkForce [];
386 };
387
388 avahi.enable = true; 389 avahi.enable = true;
389 390
390 fwupd.enable = true; 391 fwupd.enable = true;
@@ -446,11 +447,6 @@ in {
446 447
447 systemd.tmpfiles.settings = { 448 systemd.tmpfiles.settings = {
448 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime"; 449 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime";
449
450 # "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" {
451 # last_user = "gkleen";
452 # user_to_last_sess.gkleen = "Niri";
453 # });
454 }; 450 };
455 451
456 users = { 452 users = {
@@ -633,6 +629,10 @@ in {
633 dconf.enable = true; 629 dconf.enable = true;
634 niri.enable = true; 630 niri.enable = true;
635 fuse.userAllowOther = true; 631 fuse.userAllowOther = true;
632 captive-browser = {
633 enable = true;
634 interface = "wlp82s0";
635 };
636 }; 636 };
637 637
638 services.pcscd.enable = true; 638 services.pcscd.enable = true;
@@ -659,7 +659,7 @@ in {
659 "org.freedesktop.impl.portal.OpenFile" = ["gtk"]; 659 "org.freedesktop.impl.portal.OpenFile" = ["gtk"];
660 "org.freedesktop.impl.portal.Access" = ["gtk"]; 660 "org.freedesktop.impl.portal.Access" = ["gtk"];
661 "org.freedesktop.impl.portal.Notification" = ["gtk"]; 661 "org.freedesktop.impl.portal.Notification" = ["gtk"];
662 "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"]; 662 "org.freedesktop.impl.portal.Secret" = ["none"];
663 "org.freedesktop.impl.portal.Inhibit" = ["none"]; 663 "org.freedesktop.impl.portal.Inhibit" = ["none"];
664 }; 664 };
665 }; 665 };
@@ -679,26 +679,16 @@ in {
679 "/var/lib/bluetooth" 679 "/var/lib/bluetooth"
680 "/var/lib/upower" 680 "/var/lib/upower"
681 "/var/lib/postfix" 681 "/var/lib/postfix"
682 "/var/lib/regreet"
682 "/etc/NetworkManager/system-connections" 683 "/etc/NetworkManager/system-connections"
683 { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; } 684 config.boot.lanzaboote.pkiBundle
684 { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; }
685 ]; 685 ];
686 files = [ 686 files = [
687 ]; 687 ];
688 timezone = true;
688 }; 689 };
689 690
690 systemd.services.timezone = { 691 security.pam.services.quickshell = {};
691 wantedBy = [ "multi-user.target" ];
692 serviceConfig = {
693 Type = "oneshot";
694 RemainAfterExit = true;
695 ExecStart = "${pkgs.coreutils}/bin/cp -vP /.bcachefs/etc/localtime /etc/localtime";
696 ExecStop = "${pkgs.coreutils}/bin/cp -vP /etc/localtime /.bcachefs/etc/localtime";
697 };
698 };
699 services.tzupdate.enable = true;
700
701 security.pam.services.gtklock = {};
702 692
703 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ]; 693 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];
704 694
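Review bot: `config.boot.lanzaboote.pkiBundle` is added to the persisted directories as a bare path (new line 684), so it takes whatever default owner and mode the persistence module applies, even though this directory normally holds the Secure Boot signing keys. The uucp entries this commit removes from the same list used the attribute form, and that form would pin the permissions here: `{ directory = config.boot.lanzaboote.pkiBundle; mode = "0700"; }`. A short comment such as `# Secure Boot signing keys, root-only` would also tell the next reader why the path is persisted. The enclosing attribute set starts outside the hunk, so this assumes it accepts the same entry shape as the removed lines.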
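--- /dev/null
+++ b/hosts/sif/email/default.nix
@@ -0,0 +1,111 @@
+{ config, lib, pkgs, ... }:
+{
+ services.postfix = {
+ enable = true;
+ enableSmtp = false;
+ enableSubmission = false;
+ setSendmail = true;
+ # networksStyle = "host";
+ settings.main = {
+ recpipient_delimiter = "+";
+ mydestination = [];
+ myhostname = "sif.midgard.yggdrasil";
+
+ mydomain = "yggdrasil.li";
+
+ local_transport = "error:5.1.1 No local delivery";
+ alias_database = [];
+ alias_maps = [];
+ local_recipient_maps = [];
+
+ inet_interfaces = "loopback-only";
+
+ message_size_limit = 0;
+
+ authorized_submit_users = "inline:{ gkleen= }";
+ authorized_flush_users = "inline:{ gkleen= }";
+ authorized_mailq_users = "inline:{ gkleen= }";
+
+ smtp_generic_maps = "inline:{ root=root+sif }";
+
+ mynetworks = ["127.0.0.0/8" "[::1]/128"];
+ smtpd_client_restrictions = ["permit_mynetworks" "reject"];
+ smtpd_relay_restrictions = ["permit_mynetworks" "reject"];
+
+ sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+ /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+ /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+ /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
+ /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+ ''}'';
+ sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
+ /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
+ /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
+ ''}'';
+ relayhost = ["[surtr.yggdrasil.li]:465"];
+ default_transport = "relay";
+
+ smtp_sasl_auth_enable = true;
+ smtp_sender_dependent_authentication = true;
+ smtp_sasl_tls_security_options = "noanonymous";
+ smtp_sasl_mechanism_filter = ["plain"];
+ smtp_sasl_password_maps = "regexp:/run/credentials/postfix.service/sasl_passwd";
+ smtp_cname_overrides_servername = false;
+ smtp_always_send_ehlo = true;
+ smtp_tls_security_level = "dane";
+
+ smtp_tls_loglevel = "1";
+ smtp_dns_support_level = "dnssec";
+ };
+ settings.master = {
+ submission = {
+ type = "inet";
+ private = false;
+ command = "smtpd";
+ args = [
+ "-o" "syslog_name=postfix/$service_name"
+ ];
+ };
+ smtp = { };
+ smtps = {
+ type = "unix";
+ private = true;
+ privileged = true;
+ chroot = false;
+ command = "smtp";
+ args = [
+ "-o" "smtp_tls_wrappermode=yes"
+ "-o" "smtp_tls_security_level=encrypt"
+ ];
+ };
+ relay = {
+ command = "smtp";
+ args = [
+ "-o" "smtp_fallback_relay="
+ "-o" "smtp_tls_security_level=verify"
+ "-o" "smtp_tls_wrappermode=yes"
+ "-o" "smtp_tls_cert_file=${./relay.crt}"
+ "-o" "smtp_tls_key_file=/run/credentials/postfix.service/relay.key"
+ ];
+ };
+ };
+ };
+
+ systemd.services.postfix = {
+ serviceConfig.LoadCredential = [
+ "sasl_passwd:${config.sops.secrets."postfix-sasl-passwd".path}"
+ "relay.key:${config.sops.secrets."relay-key".path}"
+ ];
+ };
+
+ sops.secrets = {
+ postfix-sasl-passwd = {
+ key = "sasl-passwd";
+ sopsFile = ./secrets.yaml;
+ };
+ relay-key = {
+ format = "binary";
+ sopsFile = ./relay.key;
+ };
+ };
+}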
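Review bot: `recpipient_delimiter = "+";` on new line 10 is misspelled, so Postfix will not treat it as `recipient_delimiter`, and the `+` delimiter that the removed `recipientDelimiter = "+"` configured is lost; the line should read `recipient_delimiter = "+";`. Postfix typically only logs an unused-parameter warning for an unknown name, so this is unlikely to surface as a build or start-up failure. Separately, the hand-written `submission` entry under `settings.master` opens an `smtpd` listener even though `enableSubmission = false`. A comment such as `# loopback-only listener, access limited by smtpd_client_restrictions` would record that this is intentional.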
diff --git a/hosts/sif/email/relay.crt b/hosts/sif/email/relay.crt
new file mode 100644
index 00000000..ac13e7cb
--- /dev/null
+++ b/hosts/sif/email/relay.crt
@@ -0,0 +1,11 @@
1-----BEGIN CERTIFICATE-----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11-----END CERTIFICATE-----
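--- /dev/null
+++ b/hosts/sif/email/relay.key
@@ -0,0 +1,19 @@
+{
+ "data": "ENC[AES256_GCM,data:lBlTuzOS75pvRmcTKT4KhHMH44RlE2SvCFAUP+GfsXws1Uai7DZ1MmbhvxxCa+pcLW19+sQYxrXLRNZWby1yOeKBJ2UQeYV5LOk9LSL/WIE3FZkCo5Dv0O0gSFKjjb61WN22a4JnHbLWADf/mLT3GZv91XfvFDo=,iv:ho8wQH3UNzX9JPW5gVcUGtxZzdVwsMFus0Z4KYe5t48=,tag:dAgZyHOva2xVVhE1nTl+lg==,type:str]",
+ "sops": {
+ "age": [
+ {
+ "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eTVRSUdFNUZGZmcxSUlT\nWmlsOGNyWXIzMGNTZjlKbXlhcEdZUXFRVkR3Cll0T0RMd0h2UW16QkR3SHlhYmNZ\nNDFrYXh3Rkp5NWsvcWc3UFJJaHVwT1UKLS0tIHhXVEI0VHBZVkpDQ1FzWENjMmJH\nb1FQWXVUUTBiZ1pKWG00MTNqVEo2SjAKK3VOU+QgRuxWYWEcrJiVMRFCprBICz4F\ngD+9zuPUzPezyJkYwTs+M+wX5GYkXppqm5W58yQLS2UDD38sr+SRjg==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWmJmZDVFazN2bDY1TkNG\nNXpJN2twMFFjZUxMTVdSNzJwQTFiYktrcGdrCjk4eFVHTko0bFVMSlFFWm9tbjMr\nbWNHMEQ1Rm1qUVhodlB1RGw2aDc4TUEKLS0tIERBK0J5NkN4OXJEZ1ZOZXhNc1Jm\naWNnUmZGbTIxdmNkYi9TZ2h2bGs3MVEKPQGaEf7M/5/xvSOfawpIp50fB3QfFSuz\nPgkrPMneaBeUx+uBYMyEFX4rpzLIBR3pnYMjAfoc+bjWaOtGQuEqyQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-04-25T12:14:44Z",
+ "mac": "ENC[AES256_GCM,data:pObl2bJA93az9E3Ya+hA3ekI8TKKZ9NNTi0KzmWZBOiQwi9FuQYtpnmmT80L1KXWyOKJV6wGdAri3mNe/ue2S0TziSbQ/4+Dj4ubFKgkH7thb5q2dFyxw5FzhYzRQiXFqD/pxcNN9uL0lQI2Al0Eci0zX8Kcd1rAQ6RzLEoSmco=,iv:zo/3QFKTUEDxLy1k5yyU7Z1JMZ7cKdYUc6GHjaTTZKQ=,tag:f63Eja3lBfwJCYAOyEt56g==,type:str]",
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.10.2"
+ }
+}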
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/email/secrets.yaml
index 3c74b710..3c74b710 100644
--- a/hosts/sif/mail/secrets.yaml
+++ b/hosts/sif/email/secrets.yaml
diff --git a/hosts/sif/greetd/default.nix b/hosts/sif/greetd/default.nix
index 37ca13c5..081b6346 100644
--- a/hosts/sif/greetd/default.nix
+++ b/hosts/sif/greetd/default.nix
@@ -1,49 +1,92 @@
1{ pkgs, ... }: 1{ config, pkgs, lib, flakeInputs, ... }:
2{ 2
3let
4 gkleenConfig = config.home-manager.users."gkleen";
5 toIni = lib.generators.toINI {
6 mkKeyValue =
7 key: value:
8 let
9 value' = if lib.isBool value then lib.boolToString value else toString value;
10 in
11 "${lib.escape [ "=" ] key}=${value'}";
12 };
13 toDconfIni = let
14 gvariant = import (flakeInputs.home-manager + "/modules/lib/gvariant.nix") { inherit lib; };
15 mkIniKeyValue = key: value: "${key}=${toString (gvariant.mkValue value)}";
16 in lib.generators.toINI { mkKeyValue = mkIniKeyValue; };
17in {
3 config = { 18 config = {
4 services.greetd = { 19 services.greetd = {
5 enable = true; 20 enable = true;
6 # settings.default_session.command = let 21 settings.default_session.command = lib.getExe (pkgs.writeShellApplication {
7 # cfg = config.programs.regreet; 22 name = "sway";
8 # in pkgs.writeShellScript "greeter" '' 23 runtimeInputs = [ pkgs.sway pkgs.fontconfig ];
9 # modprobe -r nvidia_drm 24 runtimeEnv = {
25 XDG_DATA_DIRS = lib.makeSearchPath "share" [
26 pkgs.equilux-theme pkgs.paper-icon-theme pkgs.fira
27 ];
28 QT_PLUGIN_PATH = lib.makeSearchPath (pkgs.qt6.qtbase.qtPluginPrefix) [
29 pkgs.qt6Packages.qtbase
30 ];
31 QML2_IMPORT_PATH = lib.makeSearchPath (pkgs.qt6.qtbase.qtQmlPrefix) [
32 pkgs.qt6Packages.qtbase
33 ];
34 QT_QPA_PLATFORMTHEME = "gtk3";
35 XDG_CONFIG_DIR = pkgs.symlinkJoin {
36 name = "config";
37 paths = [
38 (pkgs.writeTextDir "gtk-3.0/settings.ini" (toIni {
39 Settings = {
40 gtk-font-name = "Fira Sans 10";
41 gtk-theme-name = "Equilux-compact";
42 gtk-icon-theme-name = "Paper-Mono-Dark";
43 };
44 }))
45 ];
46 };
47 # XDG_CACHE_HOME = "/var/cache/greetd/greeter";
48 # XDG_CONFIG_HOME = "/var/cache/greetd/greeter/config";
49 };
50 text = ''
51 exec &>/tmp/sway-$$.log
52
53 unset MANAGERPID SYSTEMD_EXEC_PID
54
55 # ${lib.getExe' pkgs.coreutils "mkdir"} -p ''${XDG_CONFIG_HOME}/dconf
56 ${lib.getExe pkgs.dconf} load / < ${pkgs.writeText "dconf.ini" (toDconfIni {
57 "org/gnome/desktop/interface" = {
58 "color-scheme" = "prefer-dark";
59 "font-name" = "Fira Sans 10";
60 "gtk-theme" = "Equilux-compact";
61 "icon-theme" = "Paper-Mono-Dark";
62 };
63 })}
64
65 exec sway --unsupported-gpu --config ${pkgs.writeText "sway-config" ''
66 exec "${lib.getExe' config.systemd.package "systemctl"} --user import-environment {,WAYLAND_}DISPLAY SWAYSOCK; ${lib.getExe gkleenConfig.programs.quickshell.package} --path ${gkleenConfig.xdg.configFile."quickshell".source}/displaymanager.qml; swaymsg exit"
10 67
11 # exec ${pkgs.dbus}/bin/dbus-run-session ${lib.getExe pkgs.cage} ${lib.escapeShellArgs cfg.cageArgs} -- ${lib.getExe cfg.package} 68 input type:keyboard {
12 # ''; 69 xkb_layout "us,us"
70 xkb_variant "dvp,"
71 xkb_options "compose:caps,grp:win_space_toggle"
72 }
73
74 output eDP-1 scale 1.5
75 ''}
76 '';
77 });
13 }; 78 };
14 systemd.services.greetd.environment = { 79
15 XKB_DEFAULT_LAYOUT = "us,us"; 80 # security.pam.services.greetd.fprintAuth = false;
16 XKB_DEFAULT_VARIANT = "dvp,"; 81
17 XKB_DEFAULT_OPTIONS = "compose:caps,grp:win_space_toggle"; 82 systemd.services.greetd.serviceConfig = {
83 ExecStartPre = ''${lib.getExe' pkgs.coreutils "install"} -d -o greeter -g greeter -m 0700 ''${CACHE_DIRECTORY}/greeter'';
84 # CacheDirectory = "greetd";
18 }; 85 };
19 programs.regreet = { 86
20 enable = true; 87 users.users.greeter = {
21 theme = { 88 home = "/var/lib/greeter";
22 package = pkgs.equilux-theme; 89 createHome = true;
23 name = "Equilux-compact";
24 };
25 iconTheme = {
26 package = pkgs.paper-icon-theme;
27 name = "Paper-Mono-Dark";
28 };
29 font = {
30 package = pkgs.fira;
31 name = "Fira Sans";
32 # size = 6;
33 };
34 cageArgs = [ "-s" "-m" "last" ];
35 settings = {
36 GTK.application_prefer_dark_theme = true;
37 widget.clock.format = "%F %H:%M:%S%:z";
38 background = {
39 path = pkgs.runCommand "wallpaper.png" {
40 buildInputs = with pkgs; [ imagemagick ];
41 } ''
42 magick ${./wallpaper.png} -filter Gaussian -resize 6.25% -define filter:sigma=2.5 -resize 1600% "$out"
43 '';
44 fit = "Cover";
45 };
46 };
47 }; 90 };
48 }; 91 };
49} 92}
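Review bot: `exec &>/tmp/sway-$$.log` (new line 51) sends all greeter output to a PID-named file in the shared /tmp, where another local account may be able to pre-create or read it. Dropping the redirect so the output goes to the journal, or writing under a directory owned by `greeter`, avoids that. Related: `ExecStartPre` expands `''${CACHE_DIRECTORY}/greeter` while `CacheDirectory = "greetd";` is still commented out, so unless the variable is set elsewhere the `install -d` target becomes `/greeter`; re-enable that line or use a literal path. `XDG_CONFIG_DIR` in `runtimeEnv` is also not a name the XDG base-directory spec defines (it has `XDG_CONFIG_HOME` and `XDG_CONFIG_DIRS`), so the generated GTK settings may not be picked up.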
diff --git a/hosts/sif/greetd/wallpaper.png b/hosts/sif/greetd/wallpaper.png
deleted file mode 100644
index 20fc761a..00000000
--- a/hosts/sif/greetd/wallpaper.png
+++ /dev/null
Binary files differ
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
index 1bcf0261..e567c37d 100644
--- a/hosts/sif/hw.nix
+++ b/hosts/sif/hw.nix
@@ -25,7 +25,7 @@
25 # system.etc.overlay.enable = false; 25 # system.etc.overlay.enable = false;
26 26
27 boot.initrd.systemd.packages = [ 27 boot.initrd.systemd.packages = [
28 (pkgs.writeTextDir "/etc/systemd/system/\\x2ebcachefs.mount.d/block_scan.conf" '' 28 (pkgs.writeTextDir "/etc/systemd/system/sysroot-.bcachefs.mount.d/block_scan.conf" ''
29 [Mount] 29 [Mount]
30 Environment=BCACHEFS_BLOCK_SCAN=1 30 Environment=BCACHEFS_BLOCK_SCAN=1
31 '') 31 '')
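--- a/hosts/sif/mail/default.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- services.postfix = {
- enable = true;
- enableSmtp = true;
- enableSubmission = false;
- setSendmail = true;
- networksStyle = "host";
- hostname = "sif.midgard.yggdrasil";
- destination = [];
- relayHost = "uucp:ymir";
- recipientDelimiter = "+";
- masterConfig = {
- uucp = {
- type = "unix";
- private = true;
- privileged = true;
- chroot = false;
- command = "pipe";
- args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
- };
- smtps = {
- type = "unix";
- private = true;
- privileged = true;
- chroot = false;
- command = "smtp";
- args = [ "-o" "smtp_tls_wrappermode=yes" "-o" "smtp_tls_security_level=encrypt" ];
- };
- };
- config = {
- default_transport = "uucp:ymir";
-
- inet_interfaces = "loopback-only";
-
- authorized_submit_users = ["!uucp" "static:anyone"];
- message_size_limit = "0";
-
- sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
- /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
- /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
- /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
- /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
- ''}'';
- sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
- /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
- /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
- ''}'';
-
- smtp_sasl_auth_enable = true;
- smtp_sender_dependent_authentication = true;
- smtp_sasl_tls_security_options = "noanonymous";
- smtp_sasl_mechanism_filter = ["plain"];
- smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
- smtp_cname_overrides_servername = false;
- smtp_always_send_ehlo = true;
- smtp_tls_security_level = "dane";
-
- smtp_tls_loglevel = "1";
- smtp_dns_support_level = "dnssec";
- };
- };
-
- sops.secrets.postfix-sasl-passwd = {
- key = "sasl-passwd";
- path = "/var/db/postfix/sasl_passwd";
- owner = "postfix";
- sopsFile = ./secrets.yaml;
- };
-}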