summaryrefslogtreecommitdiff
path: root/hosts/sif
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/sif')
-rw-r--r--hosts/sif/default.nix305
-rw-r--r--hosts/sif/gkleen-rclone.yaml34
-rw-r--r--hosts/sif/hw.nix63
-rw-r--r--hosts/sif/mail/secrets.yaml34
-rw-r--r--hosts/sif/wgrz/privkey16
5 files changed, 251 insertions, 201 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index b90e7162..5ed4e05e 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -1,4 +1,4 @@
1{ flake, pkgs, customUtils, lib, config, path, ... }: 1{ flake, flakeInputs, pkgs, customUtils, lib, config, path, ... }:
2let 2let
3 mwnSubnetsPublic = 3 mwnSubnetsPublic =
4 [ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16" 4 [ "129.187.0.0/16" "141.40.0.0/16" "141.84.0.0/16"
@@ -13,8 +13,10 @@ in {
13 imports = with flake.nixosModules.systemProfiles; [ 13 imports = with flake.nixosModules.systemProfiles; [
14 ./hw.nix 14 ./hw.nix
15 ./mail 15 ./mail
16 initrd-all-crypto-modules default-locale openssh rebuild-machines 16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines
17 networkmanager 17 networkmanager
18 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
19 flakeInputs.impermanence.nixosModules.impermanence
18 ]; 20 ];
19 21
20 config = { 22 config = {
@@ -31,12 +33,12 @@ in {
31 boot = { 33 boot = {
32 initrd = { 34 initrd = {
33 systemd = { 35 systemd = {
34 enable = true; 36 enable = false;
35 emergencyAccess = config.users.users.root.hashedPassword; 37 emergencyAccess = config.users.users.root.hashedPassword;
36 }; 38 };
37 luks.devices = { 39 luks.devices = {
38 nvm0 = { device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb"; bypassWorkqueues = true; }; 40 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; };
39 nvm1 = { device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a"; bypassWorkqueues = true; }; 41 nvm1 = { device = "/dev/disk/by-uuid/2884e98d-5afd-4965-91c9-88ffb5ec58bc"; bypassWorkqueues = true; };
40 }; 42 };
41 availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ]; 43 availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
42 kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" "dm-mod" "dm-crypt" ]; 44 kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" "dm-mod" "dm-crypt" ];
@@ -59,7 +61,6 @@ in {
59 plymouth.enable = true; 61 plymouth.enable = true;
60 62
61 kernelPackages = pkgs.linuxPackages_latest; 63 kernelPackages = pkgs.linuxPackages_latest;
62 kernelParams = [ "i915.fastboot=1" "intel_pstate=no_hwp" "acpi_backlight=vendor" "thinkpad-acpi.brightness_enable=1" "quiet" ];
63 extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ]; 64 extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
64 kernelModules = ["v4l2loopback"]; 65 kernelModules = ["v4l2loopback"];
65 kernelPatches = [ 66 kernelPatches = [
@@ -187,12 +188,10 @@ in {
187 # FirewallMark = 1; 188 # FirewallMark = 1;
188 }; 189 };
189 wireguardPeers = [ 190 wireguardPeers = [
190 { wireguardPeerConfig = { 191 { AllowedIPs = [ "10.200.116.1/32" "10.163.88.40/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic;
191 AllowedIPs = [ "10.200.116.1/32" "10.163.88.40/32" ] ++ mwnSubnetsPrivate ++ mwnSubnetsPublic; 192 PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI=";
192 PublicKey = "YlRFLc+rD2k2KXl7pIJbOKbcPgdJCl8ZTsv0xlK4VEI="; 193 PersistentKeepalive = 25;
193 PersistentKeepalive = 25; 194 Endpoint = "wg.math.lmu.de:51820";
194 Endpoint = "wg.math.lmu.de:51820";
195 };
196 } 195 }
197 ]; 196 ];
198 }; 197 };
@@ -211,43 +210,34 @@ in {
211 Name = "wgrz"; 210 Name = "wgrz";
212 }; 211 };
213 address = ["10.200.116.128/24"]; 212 address = ["10.200.116.128/24"];
214 routes = map (Destination: { routeConfig = { 213 routes = map (Destination: {
215 inherit Destination; 214 inherit Destination;
216 Gateway = "10.200.116.1"; 215 Gateway = "10.200.116.1";
217 GatewayOnLink = true; 216 GatewayOnLink = true;
218 Table = "wgrz"; 217 Table = "wgrz";
219 };}) (mwnSubnetsPrivate ++ mwnSubnetsPublic ++ ["10.163.88.40/32"]); 218 }) (mwnSubnetsPrivate ++ mwnSubnetsPublic ++ ["10.163.88.40/32"]);
220 routingPolicyRules = [ 219 routingPolicyRules = [
221 { routingPolicyRuleConfig = { 220 { Table = "main";
222 Table = "main"; 221 # FirewallMark = 1;
223 # FirewallMark = 1; 222 To = "129.187.111.225";
224 To = "129.187.111.225"; 223 Priority = 100;
225 Priority = 100;
226 };
227 } 224 }
228 { routingPolicyRuleConfig = { 225 { Table = "main";
229 Table = "main"; 226 To = "10.153.91.204";
230 To = "10.153.91.204"; 227 Priority = 100;
231 Priority = 100;
232 };
233 } 228 }
234 { routingPolicyRuleConfig = { 229 { Table = "wgrz";
235 Table = "wgrz"; 230 From = "10.200.116.128";
236 From = "10.200.116.128"; 231 Priority = 200;
237 Priority = 200;
238 };
239 } 232 }
240 { routingPolicyRuleConfig = { 233 { Table = "wgrz";
241 Table = "wgrz"; 234 To = "10.163.88.40";
242 To = "10.163.88.40"; 235 Priority = 200;
243 Priority = 200;
244 };
245 } 236 }
246 ] ++ map (To: { routingPolicyRuleConfig = { 237 ] ++ map (To: { Table = "wgrz";
247 Table = "wgrz"; 238 inherit To;
248 inherit To; 239 Priority = 200;
249 Priority = 200; 240 }) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
250 };}) (mwnSubnetsPrivate ++ mwnSubnetsPublic);
251 linkConfig = { 241 linkConfig = {
252 RequiredForOnline = false; 242 RequiredForOnline = false;
253 }; 243 };
@@ -328,7 +318,7 @@ in {
328 }; 318 };
329 319
330 environment.systemPackages = with pkgs; [ 320 environment.systemPackages = with pkgs; [
331 nvtop brightnessctl config.boot.kernelPackages.v4l2loopback s-tui uhk-agent 321 nvtopPackages.full brightnessctl config.boot.kernelPackages.v4l2loopback s-tui uhk-agent
332 ]; 322 ];
333 323
334 services = { 324 services = {
@@ -375,9 +365,27 @@ in {
375 xserver = { 365 xserver = {
376 enable = true; 366 enable = true;
377 367
378 layout = "us"; 368 xkb = {
379 xkbVariant = "dvp"; 369 layout = "us";
380 xkbOptions = "compose:caps"; 370 variant = "dvp";
371 options = "compose:caps";
372 };
373
374 wacom.enable = true;
375
376 dpi = 282;
377
378 videoDrivers = [ "nvidia" ];
379
380 screenSection = ''
381 Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }"
382 '';
383
384 deviceSection = ''
385 Option "TearFree" "True"
386 '';
387
388 exportConfiguration = true;
381 389
382 displayManager.lightdm = { 390 displayManager.lightdm = {
383 enable = true; 391 enable = true;
@@ -403,26 +411,21 @@ in {
403 ''; 411 '';
404 }; 412 };
405 }; 413 };
406
407 wacom.enable = true;
408 libinput.enable = true;
409
410 dpi = 282;
411
412 videoDrivers = [ "nvidia" ];
413
414 screenSection = ''
415 Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }"
416 '';
417
418 deviceSection = ''
419 Option "TearFree" "True"
420 '';
421
422 exportConfiguration = true;
423 }; 414 };
415 libinput.enable = true;
424 }; 416 };
425 417
418 systemd.tmpfiles.rules = [
419 "d /var/lib/lightdm/.cache/lightdm-gtk-greeter 1770 lightdm lightdm -"
420 "L /var/lib/lightdm/.cache/lightdm-gtk-greeter/state - - - - ${pkgs.writeText "state" ''
421 [greeter]
422 last-user=gkleen
423 last-session=none+xmonad
424 ''}"
425
426 "L /etc/localtime - - - - /.bcachefs/etc/localtime"
427 ];
428
426 users = { 429 users = {
427 users.gkleen.extraGroups = [ "media" "plugdev" "input" "rtkit" ]; 430 users.gkleen.extraGroups = [ "media" "plugdev" "input" "rtkit" ];
428 groups.media = {}; 431 groups.media = {};
@@ -438,72 +441,75 @@ in {
438 pulse.enable = true; 441 pulse.enable = true;
439 jack.enable = true; 442 jack.enable = true;
440 wireplumber.enable = true; 443 wireplumber.enable = true;
441 }; 444 extraConfig = {
442 environment.etc."pipewire/pipewire.conf.d/custom.conf".source = (pkgs.formats.json {}).generate "custom.conf" { 445 pipewire."10-custom" = {
443 "context.properties" = { 446 "context.properties" = {
444 "log.level" = 2; 447 "log.level" = 2;
445 "core.daemon" = true; 448 "core.daemon" = true;
446 "core.name" = "pipewire-0"; 449 "core.name" = "pipewire-0";
447 }; 450 "module.x11.bell" = false;
448 "context.modules" = [
449 {
450 name = "libpipewire-module-rtkit";
451 args = {
452 "nice.level" = -15;
453 "rt.prio" = 88;
454 "rt.time.soft" = 200000;
455 "rt.time.hard" = 200000;
456 }; 451 };
457 flags = [ "ifexists" "nofail" ]; 452 "context.modules" = [
458 } 453 {
459 # { name = "libpipewire-module-protocol-native"; } 454 name = "libpipewire-module-rtkit";
460 { name = "libpipewire-module-profiler"; } 455 args = {
461 # { name = "libpipewire-module-metadata"; } 456 "nice.level" = -15;
462 { name = "libpipewire-module-spa-device-factory"; } 457 "rt.prio" = 88;
463 { name = "libpipewire-module-spa-node-factory"; } 458 "rt.time.soft" = 200000;
464 # { name = "libpipewire-module-client-node"; } 459 "rt.time.hard" = 200000;
465 # { name = "libpipewire-module-client-device"; } 460 };
466 { 461 flags = [ "ifexists" "nofail" ];
467 name = "libpipewire-module-portal"; 462 }
468 flags = [ "ifexists" "nofail" ]; 463 # { name = "libpipewire-module-protocol-native"; }
469 } 464 { name = "libpipewire-module-profiler"; }
470 { 465 # { name = "libpipewire-module-metadata"; }
471 name = "libpipewire-module-access"; 466 { name = "libpipewire-module-spa-device-factory"; }
472 args = {}; 467 { name = "libpipewire-module-spa-node-factory"; }
473 } 468 # { name = "libpipewire-module-client-node"; }
474 { name = "libpipewire-module-adapter"; } 469 # { name = "libpipewire-module-client-device"; }
475 { name = "libpipewire-module-link-factory"; } 470 {
476 { name = "libpipewire-module-session-manager"; } 471 name = "libpipewire-module-portal";
477 ]; 472 flags = [ "ifexists" "nofail" ];
478 }; 473 }
479 environment.etc."pipewire/pipewire-pulse.conf.d/custom.conf".source = (pkgs.formats.json {}).generate "custom.conf" { 474 {
480 "context.properties" = { 475 name = "libpipewire-module-access";
481 "log.level" = 2; 476 args = {};
482 }; 477 }
483 "context.modules" = [ 478 { name = "libpipewire-module-adapter"; }
484 { 479 { name = "libpipewire-module-link-factory"; }
485 name = "libpipewire-module-rtkit"; 480 { name = "libpipewire-module-session-manager"; }
486 args = { 481 ];
487 "nice.level" = -15; 482 };
488 "rt.prio" = 88; 483 pipewire-pulse."10-custom" = {
489 "rt.time.soft" = 200000; 484 "context.properties" = {
490 "rt.time.hard" = 200000; 485 "log.level" = 2;
491 }; 486 };
492 flags = [ "ifexists" "nofail" ]; 487 "context.modules" = [
493 } 488 {
494 # { name = "libpipewire-module-protocol-native"; } 489 name = "libpipewire-module-rtkit";
495 # { name = "libpipewire-module-client-node"; } 490 args = {
496 { name = "libpipewire-module-adapter"; } 491 "nice.level" = -15;
497 # { name = "libpipewire-module-metadata"; } 492 "rt.prio" = 88;
498 # { 493 "rt.time.soft" = 200000;
499 # name = "libpipewire-module-protocol-pulse"; 494 "rt.time.hard" = 200000;
500 # args = { 495 };
501 # "server.address" = [ "unix:native" ]; 496 flags = [ "ifexists" "nofail" ];
502 # }; 497 }
503 # } 498 # { name = "libpipewire-module-protocol-native"; }
504 ]; 499 # { name = "libpipewire-module-client-node"; }
505 "stream.properties" = { 500 { name = "libpipewire-module-adapter"; }
506 "resample.quality" = 1; 501 # { name = "libpipewire-module-metadata"; }
502 # {
503 # name = "libpipewire-module-protocol-pulse";
504 # args = {
505 # "server.address" = [ "unix:native" ];
506 # };
507 # }
508 ];
509 "stream.properties" = {
510 "resample.quality" = 1;
511 };
512 };
507 }; 513 };
508 }; 514 };
509 515
@@ -531,14 +537,14 @@ in {
531 prime = { 537 prime = {
532 nvidiaBusId = "PCI:1:0:0"; 538 nvidiaBusId = "PCI:1:0:0";
533 intelBusId = "PCI:0:2:0"; 539 intelBusId = "PCI:0:2:0";
534 sync.enable = true; 540 reverseSync.enable = true;
535 }; 541 };
536 }; 542 };
537 543
538 opengl = { 544 graphics = {
539 enable = true; 545 enable = true;
540 driSupport32Bit = true; 546 enable32Bit = true;
541 setLdLibraryPath = true; 547 # setLdLibraryPath = true;
542 }; 548 };
543 549
544 firmware = [ pkgs.firmwareLinuxNonfree ]; 550 firmware = [ pkgs.firmwareLinuxNonfree ];
@@ -547,10 +553,13 @@ in {
547 nitrokey.enable = true; 553 nitrokey.enable = true;
548 }; 554 };
549 555
550 sound.enable = true; 556 # sound.enable = true;
551 557
552 nix = { 558 nix = {
553 settings.auto-optimise-store = true; 559 settings = {
560 auto-optimise-store = true;
561 max-jobs = 4;
562 };
554 daemonCPUSchedPolicy = "idle"; 563 daemonCPUSchedPolicy = "idle";
555 daemonIOSchedClass = "idle"; 564 daemonIOSchedClass = "idle";
556 565
@@ -564,6 +573,11 @@ in {
564 speedFactor = 4; 573 speedFactor = 4;
565 }; 574 };
566 }; 575 };
576 systemd.services."nix-daemon" = {
577 serviceConfig = {
578 CPUQuota = "400%";
579 };
580 };
567 581
568 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; 582 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
569 583
@@ -621,7 +635,7 @@ in {
621 zramSwap = { 635 zramSwap = {
622 enable = true; 636 enable = true;
623 algorithm = "zstd"; 637 algorithm = "zstd";
624 writebackDevice = "/dev/disk/by-uuid/50f3f856-cc17-4614-846a-34a14d5006ec"; 638 writebackDevice = "/dev/disk/by-label/swap";
625 }; 639 };
626 640
627 services.pcscd.enable = true; 641 services.pcscd.enable = true;
@@ -633,7 +647,10 @@ in {
633 group = "users"; 647 group = "users";
634 }; 648 };
635 649
636 i18n.inputMethod.enabled = "ibus"; 650 i18n.inputMethod = {
651 enable = true;
652 type = "ibus";
653 };
637 654
638 environment.sessionVariables."GTK_USE_PORTAL" = "1"; 655 environment.sessionVariables."GTK_USE_PORTAL" = "1";
639 xdg.portal = { 656 xdg.portal = {
@@ -653,6 +670,26 @@ in {
653 in [ gtk-portal ]; 670 in [ gtk-portal ];
654 }; 671 };
655 672
656 system.stateVersion = "20.03"; 673 environment.persistence."/.bcachefs" = {
674 hideMounts = true;
675 directories = [
676 "/nix"
677 "/root"
678 "/var/log"
679 "/var/lib/sops-nix"
680 "/var/lib/nixos"
681 "/var/lib/systemd"
682 "/home"
683 "/var/lib/chrony"
684 "/var/lib/fprint"
685 "/var/lib/bluetooth"
686 "/etc/NetworkManager/system-connections"
687 ];
688 files = [
689 "/etc/localtime"
690 ];
691 };
692
693 system.stateVersion = "24.11";
657 }; 694 };
658} 695}
diff --git a/hosts/sif/gkleen-rclone.yaml b/hosts/sif/gkleen-rclone.yaml
index 4bc07556..f0430f71 100644
--- a/hosts/sif/gkleen-rclone.yaml
+++ b/hosts/sif/gkleen-rclone.yaml
@@ -5,28 +5,26 @@ sops:
5 azure_kv: [] 5 azure_kv: []
6 hc_vault: [] 6 hc_vault: []
7 age: 7 age:
8 - recipient: age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d 8 - recipient: age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866
9 enc: | 9 enc: |
10 -----BEGIN AGE ENCRYPTED FILE----- 10 -----BEGIN AGE ENCRYPTED FILE-----
11 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhazlZcFRyY2ZxZ2dLb00v 11 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZU1MY0JCRkdPK0JIWEs4
12 SzZmM3paanI1b090NW8za1FKa3Q0bWlKeTJNCllhRGo2bDNaMkxpMHlweEZGU3FQ 12 MnVQYWN1cklPSFJFTkYxVm9nVFpYSjRTUENnClZZaUw0QVYxejMzM0VvYTUzMUlE
13 SlFIQmxqK2trWm5TRFp0SEhVRUNNWncKLS0tIHc3OGNqbHF0eFozdWp1V3IvRFJJ 13 N0ZVV0laeVJQV3BsUHJzVWlNM0ZZWEUKLS0tIEZvRWtEdzFwVlVMS2FxT2Z3NHRo
14 bzd6VTRPT1pqYVFPQ0IyblVQdWt4MUUKtp8FKeOVhZ6DTY0euegOFcmUL6bNYlml 14 STZZRWxURnQ1MHE2RlJVQmdiM2VlNVkKpDJSJxij/LKFGUyuy/iAmf/Gq+PhLh4V
15 1DlbDUF47mAMz6HfsvpyoJmLG/uQBCXUVIpP18ignQtJJx043+vnEA== 15 DoowTqWMehgKz/x14HCegI6fIuI2Spwk6GVVICQvmk5Y33/kyneOiA==
16 -----END AGE ENCRYPTED FILE-----
17 - recipient: age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne
18 enc: |
19 -----BEGIN AGE ENCRYPTED FILE-----
20 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4c0hoSGE4SVpwRkpBZmgv
21 SVVDODZmbkN4THNMelJucXZ3aTFrUDlmRmtZCkl3UFlROWJyd0VGakZRK3NGUEty
22 UUxjMDVZZWc4MXdKQTlKczF4N1gxYUUKLS0tIHRyczNiTzJLYTZaRFduc2RoaXhU
23 SUpCMXJDd1YwcnpuQ2hHa2Q4TlNGYjgKe3cSIERblN7XbI8mBWWSKhdLs6J8LT6t
24 3Q2gz8LZhtEJvROOYiVjcnZG9iOLLkgsy/mI34Y0evcKZrvvsPyQ1g==
16 -----END AGE ENCRYPTED FILE----- 25 -----END AGE ENCRYPTED FILE-----
17 lastmodified: "2022-01-31T18:19:02Z" 26 lastmodified: "2022-01-31T18:19:02Z"
18 mac: ENC[AES256_GCM,data:E/XAsuv+EqFud686SHuRp6XZ4f8uoXMI2rnPI733lQg/x/zuvCoOil9AtnQpStnu9wchlbee/y53uUDzAdTiYsjBCRqqt+19iAPnRHPZ2eb82SPetIRA8leKhiJFtOpHFTmlPYHCokxVBH6qLDjaJj/1Dx7Iv9xoAB4ECYnWxTo=,iv:wY5p++ixK5KA+Xnpuj0/3YBLMr/CQwIm3Nj3DzQC4II=,tag:f+7rincFHPEJZp+QJ2iiMQ==,type:str] 27 mac: ENC[AES256_GCM,data:E/XAsuv+EqFud686SHuRp6XZ4f8uoXMI2rnPI733lQg/x/zuvCoOil9AtnQpStnu9wchlbee/y53uUDzAdTiYsjBCRqqt+19iAPnRHPZ2eb82SPetIRA8leKhiJFtOpHFTmlPYHCokxVBH6qLDjaJj/1Dx7Iv9xoAB4ECYnWxTo=,iv:wY5p++ixK5KA+Xnpuj0/3YBLMr/CQwIm3Nj3DzQC4II=,tag:f+7rincFHPEJZp+QJ2iiMQ==,type:str]
19 pgp: 28 pgp: []
20 - created_at: "2023-01-30T10:58:04Z"
21 enc: |
22 -----BEGIN PGP MESSAGE-----
23
24 hF4DXxoViZlp6dISAQdAEEQ+ELalInEqD7WVWPyhz9C2WGOAqYZdW8wHn+i7c3cw
25 HgPkJXA0JJBawtQ+eqWtVBbmZbabVdiZ7xOAlVQWrVXa7tN7s2y4yY6KESB/5NFo
26 0l4BvOF0KdMDkBx9rhVakSfCJ9w/3ZodD2tZ/KgttamnsYg9EwI2xDSsFowK0gUM
27 2t7ZnDbDsQCrIR0y/qL5DwFVVKlvbDl5ZGLq5Py/ECMh5WdsEQ0dqBmeytxN44gw
28 =SxAd
29 -----END PGP MESSAGE-----
30 fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
31 unencrypted_suffix: _unencrypted 29 unencrypted_suffix: _unencrypted
32 version: 3.7.1 30 version: 3.7.1
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
index 3442a93a..fc20ef7c 100644
--- a/hosts/sif/hw.nix
+++ b/hosts/sif/hw.nix
@@ -1,31 +1,50 @@
1{ config, lib, pkgs, ... }: 1{ config, lib, pkgs, utils, ... }:
2 2
3{ 3{
4 fileSystems."/" = 4 fileSystems = {
5 { device = "/dev/disk/by-uuid/f094bf06-66f9-40a8-9ab2-2b54d05223d2"; 5 "/boot" =
6 fsType = "btrfs"; 6 { label = "boot";
7 }; 7 fsType = "vfat";
8 options = [ "fmask=0033" "dmask=0022" ];
9 };
10 "/.bcachefs" =
11 { device = "/dev/mapper/sif-nvm0:/dev/mapper/sif-nvm1";
12 fsType = "bcachefs";
13 neededForBoot = true;
14 };
15 "/var/lib/sops-nix".neededForBoot = true;
16 "/var/lib/systemd".neededForBoot = true;
17 };
18 system.etc.overlay.enable = false;
19 systemd.sysusers.enable = false;
8 20
9 fileSystems."/boot" = 21 # boot.initrd.supportedFilesystems.bcachefs = true;
10 { device = "/dev/disk/by-uuid/B3A2-D029"; 22 # boot.initrd.systemd.units."dev-sif-nvm0:-dev-sif-nvm1.device".enable = false;
11 fsType = "vfat"; 23 # systemd.units."dev-sif-nvm0:-dev-sif-nvm1.device".enable = false;
12 }; 24 # boot.initrd.systemd.services."bcachefs" = {
25 # before = [ "initrd-fs.target" ];
26 # after = [ "local-fs-pre.target" "dev-sif-nvm0.device" "dev-sif-nvm1.device" ];
27 # requires = [ "dev-sif-nvm0.device" "dev-sif-nvm1.device" ];
28 # wantedBy = [ "initrd-fs.target" ];
29 # unitConfig = {
30 # DefaultDependencies = false;
31 # StopPropagatedFrom = [ "dev-sif-nvm0.device" "dev-sif-nvm1.device" ];
32 # };
33 # serviceConfig = {
34 # Type = "oneshot";
35 # ExecStart = "/bin/mount -o X-mount.mkdir -t bcachefs /dev/sif/nvm0:/dev/sif/nvm1 /sysroot/.bcachefs";
36 # RemainAfterExit = true;
37 # };
38 # };
39 # systemd.services."bcachefs" = {
40 # serviceConfig = {
41 # Type = "oneshot";
42 # ExecStart = "${pkgs.coreutils}/bin/true";
43 # };
44 # };
13 45
14 fileSystems."/home" =
15 { device = "/dev/disk/by-uuid/9e932072-3c56-4a9c-8da7-3163d2a8bf28";
16 fsType = "btrfs";
17 };
18
19 fileSystems."/var/media" =
20 { device = "/dev/disk/by-uuid/437eca70-d017-4d52-a1fa-2f4c7a87f096";
21 fsType = "btrfs";
22 };
23
24 nix.settings.max-jobs = 12;
25 # High-DPI console 46 # High-DPI console
26 console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; 47 console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
27 48
28 hardware.cpu.intel.updateMicrocode = true;
29
30 hardware.enableRedistributableFirmware = true; 49 hardware.enableRedistributableFirmware = true;
31} 50}
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/mail/secrets.yaml
index 5ac36cc6..3c74b710 100644
--- a/hosts/sif/mail/secrets.yaml
+++ b/hosts/sif/mail/secrets.yaml
@@ -5,28 +5,26 @@ sops:
5 azure_kv: [] 5 azure_kv: []
6 hc_vault: [] 6 hc_vault: []
7 age: 7 age:
8 - recipient: age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d 8 - recipient: age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866
9 enc: | 9 enc: |
10 -----BEGIN AGE ENCRYPTED FILE----- 10 -----BEGIN AGE ENCRYPTED FILE-----
11 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYkM2VWRIZzZCQUVYeThv 11 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1MVYrR1ZrUXVhYVIvdTdS
12 eWhHZE5GVFVOSUtLcDBXQmhtdFhuTThBdTF3ClNVcDl3SUdRMGJXOENyNWdSb21z 12 OUxoOGhRZ3p2dFhCYkxta1REYy9FWTFEZVNJCjhpQ0VMcWdkWWQ1blZyVVpGWk81
13 OXY1QUNwUjRrbU00b2hHS3pJM3diTFkKLS0tIEFxV2JSbWphdEEzbE8xbkd2cXBz 13 UVBTZzNKSis2ZVVNdFA4TldvL05oMWcKLS0tIEl0TU8xQUhkTk83dDhzYU5aeCtR
14 dEhFSDVKbFJJZWRPY3o2am94ZURJL2cKwJkjD9jarS3zdcNBVpx3cIjh8XmXCL+C 14 OVcrdFRaeGxZL2kxT3VzUnBtWEI1Y1UK8LwKTus25P/nQrMJG5MOuR/lD2PCgeLC
15 AN1T7DQjzQpD65Mdbj9QqXx1p0HmjO/sqr1yNQopub8oQneLbtx8Gg== 15 WYBIbFusX//mwr1nymyWnHXkfXf8uHzpc6rJGFoa+TuOVU3elYB/Pg==
16 -----END AGE ENCRYPTED FILE-----
17 - recipient: age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne
18 enc: |
19 -----BEGIN AGE ENCRYPTED FILE-----
20 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQcUs2OGp6WWN5cm9IVDdx
21 TFRpZTJXQjBXeGp3RytPaFdjR3UyVURnYmhZCnh3SDNYR0J1US9vcEhTbmJCNm5r
22 emJReml2QTNkTC93M0lpYlpNbTc4TGsKLS0tIGZ4YkE4STQ2dmh4akJVcnZOUVhT
23 MTNrOGxqZmFWSnl0U3lVTnllbEFTN28KKv/W6tk2YlNQV8fotfjSLg1HOs6OdMj4
24 GkZ30jQYfwmFYEA8YPn9JXbVNpprXd0d6ufLl/tAQckT6lsqGhwzeg==
16 -----END AGE ENCRYPTED FILE----- 25 -----END AGE ENCRYPTED FILE-----
17 lastmodified: "2022-02-02T14:45:23Z" 26 lastmodified: "2022-02-02T14:45:23Z"
18 mac: ENC[AES256_GCM,data:UdM/VmdfqhYm1aFCHaO0mbJA/oyV/J2oKVVmGDa0Co3MWq9aWMqP726O+rLk36W0HOG4fmue//R1Q524au2hMW9bZUFzrubfQt2V78tZRZeHCJSRmOmi1D1EDdfPz9J3oWDvIEgIIsAk5H5EuuH0j6FILye6tzcomNGDAKZbwuc=,iv:a7dJAqkcroLp01gkGKV5gm6gTIIMa/9P8qJn44ISrw0=,tag:R9/6X6mgfVSLK7bmoWRnfQ==,type:str] 27 mac: ENC[AES256_GCM,data:UdM/VmdfqhYm1aFCHaO0mbJA/oyV/J2oKVVmGDa0Co3MWq9aWMqP726O+rLk36W0HOG4fmue//R1Q524au2hMW9bZUFzrubfQt2V78tZRZeHCJSRmOmi1D1EDdfPz9J3oWDvIEgIIsAk5H5EuuH0j6FILye6tzcomNGDAKZbwuc=,iv:a7dJAqkcroLp01gkGKV5gm6gTIIMa/9P8qJn44ISrw0=,tag:R9/6X6mgfVSLK7bmoWRnfQ==,type:str]
19 pgp: 28 pgp: []
20 - created_at: "2023-01-30T10:58:14Z"
21 enc: |
22 -----BEGIN PGP MESSAGE-----
23
24 hF4DXxoViZlp6dISAQdAYwW96YVgfK1Y3Ue1EA3qbE3zw4k4gdTnzWeBB2Ljux4w
25 urG4pwe47rkuq3e1TMdZxxDeZe0OvLwaZBVfD+eFVUrnLYbkrm4shvrq+6xv70Zm
26 0l4BvG9W6VvUXNyKR0Bl65K/hqm8A7GOBPfB35npsY+1ufeJJYdmxX6n7dL94SX5
27 he4m9JRuiyPrRxomudU5nrWLQwKQk8WtavExfVq6zIlnkhlGerKbxDVEIsFaDleT
28 =7IFo
29 -----END PGP MESSAGE-----
30 fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
31 unencrypted_suffix: _unencrypted 29 unencrypted_suffix: _unencrypted
32 version: 3.7.1 30 version: 3.7.1
diff --git a/hosts/sif/wgrz/privkey b/hosts/sif/wgrz/privkey
index 66ad2bd5..c316585b 100644
--- a/hosts/sif/wgrz/privkey
+++ b/hosts/sif/wgrz/privkey
@@ -7,19 +7,17 @@
7 "hc_vault": null, 7 "hc_vault": null,
8 "age": [ 8 "age": [
9 { 9 {
10 "recipient": "age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d", 10 "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHZWp5NWNJRDhGVzEza2hw\nR0dXSVljL2h0V3BKY0NBdHNGMUQ4VWZVQjNBCnMyWElnblBHLzF5VTB0R0xQMFd6\namRDb3JvNXJkNnFyMzloR2VPNFVyV1EKLS0tIDZiNkFFUnFKKzFObjd5VU04eXQ3\nVzdXem9FM2QwMjdvY3JRS1NYZEJHbk0KiyJDq69kk/gS7xMwqJRb3fzvl5wFIXN1\nxkdHl9pCQYGwgLUuHFgrNCseiDIO2n4hf2wEfbgS5F/errO91GGEBg==\n-----END AGE ENCRYPTED FILE-----\n" 11 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqNEhML1RrdGlpdEdqeGx0\nNVpwc2ZXYTg0UHRmVGVBVXVVaERUbi9YRTBNCms3WklLeG5MbDNKK3NSWXhvb1Fk\nR1NGVjROQ1gyQmdGNHVQQ2xFTXpVRWMKLS0tIFEvbG92bW45OHpYV3c1T0Jna1A3\nd0JocXhPVkNZcEdFMG5xN211eTc1MXMKOX1AS9rBBh3I/0iAS8u9RKqYHOfWSlOk\nDLa2WGUyXE+RHninTS8wQyoyM4V5ZMlQC5/qBCNi/5P/3xhup9TpRA==\n-----END AGE ENCRYPTED FILE-----\n"
12 },
13 {
14 "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne",
15 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArbFV2YlVnR2krSmZlSjhp\nUXVjNVlzam1KYUQvekRoV2N4YkNXRHdMMEJFCnZ4RUViRTNPQUgxVVJWM0x1R0FS\nWEtYUjIzQXlPVi9XQ2NDV2I3WGNyVHcKLS0tIGFXUUx0V2NhSmptcXJ5a3NKV1BL\nTU9qeWtmQnNXVk9hK1pxQXJVNlhvdlUKbikT1rHTFvqiMiQ0el2jn2efgL8sbbHA\nFGY76cwdbGx7bc4j5hwkJE/+RNn1Fly2hVOnZbsh1SixFBM54vSl9A==\n-----END AGE ENCRYPTED FILE-----\n"
12 } 16 }
13 ], 17 ],
14 "lastmodified": "2022-02-03T14:44:50Z", 18 "lastmodified": "2022-02-03T14:44:50Z",
15 "mac": "ENC[AES256_GCM,data:LzYx8LqNy2NPr9+5v/f9ExE2PR1xHm1O1ldK2xPZFc3yMrgOpJpIF+sEHqf3Pv9prLbVC/2pSuAdtKrPqQdTWV8cCtaj8h4aBrnU9WHRESMe/ZkrpipeCEMuzBrhAjf94FQqI0gEkfUAq27nxyXJfaYw7eIfEKBqO6gZPGOiLpM=,iv:I1BGnMxm+R9ci0zBsJU0LbTkuxhZFfvgZ+01QcZCCTw=,tag:jeeeyW1rzt/BbSAbo4OSZw==,type:str]", 19 "mac": "ENC[AES256_GCM,data:LzYx8LqNy2NPr9+5v/f9ExE2PR1xHm1O1ldK2xPZFc3yMrgOpJpIF+sEHqf3Pv9prLbVC/2pSuAdtKrPqQdTWV8cCtaj8h4aBrnU9WHRESMe/ZkrpipeCEMuzBrhAjf94FQqI0gEkfUAq27nxyXJfaYw7eIfEKBqO6gZPGOiLpM=,iv:I1BGnMxm+R9ci0zBsJU0LbTkuxhZFfvgZ+01QcZCCTw=,tag:jeeeyW1rzt/BbSAbo4OSZw==,type:str]",
16 "pgp": [ 20 "pgp": null,
17 {
18 "created_at": "2023-01-30T10:58:43Z",
19 "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAiQkff1SBFC/IhgcdXnIFcwOUlY5bd+tDy161X7Yag3gw\nrUrCJwLeE3LWzxIO0oUrhe9J73yjbnQadtGJT+MP8WWa88P7YNKxBULXn6Ry20Pc\n0l4Bi/HYhX3T11Z0buR5nqhO/+j2hAUl3qOTYql2qBxqQkgEf4/hDDuEQUe+5oY4\n/S7TtUJPE3xKreWo1byGqevoe4as98Hb6CFjC3MgIGJyyBZBxLABjQAhYEN+NGrW\n=+dMk\n-----END PGP MESSAGE-----\n",
20 "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
21 }
22 ],
23 "unencrypted_suffix": "_unencrypted", 21 "unencrypted_suffix": "_unencrypted",
24 "version": "3.7.1" 22 "version": "3.7.1"
25 } 23 }
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-28 11:18:59 +0000