Diffstat (limited to 'hosts')
-rw-r--r--hosts/sif/default.nix355
-rw-r--r--hosts/sif/hw.nix35
-rw-r--r--hosts/sif/mail/default.nix66
-rw-r--r--hosts/sif/mail/secrets.yaml33
-rw-r--r--hosts/sif/wacom.conf15
-rw-r--r--hosts/surtr/default.nix107
6 files changed, 611 insertions, 0 deletions
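diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
new file mode 100644
index 00000000..c0b7f50c
--- /dev/null
+++ b/hosts/sif/default.nix
@@ -0,0 +1,355 @@
+{ flake, pkgs, customUtils, lib, config, path, ... }:
+{
+ imports = with flake.nixosModules.systemProfiles; [
+ ./hw.nix
+ ./mail
+ initrd-all-crypto-modules default-locale openssh
+ ];
+
+ config = {
+ nixpkgs = {
+ system = "x86_64-linux";
+ config = {
+ allowUnfree = true;
+ };
+ };
+
+ boot = {
+ initrd = {
+ luks.devices = {
+ nvm0.device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb";
+ nvm1.device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a";
+ };
+ availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ];
+ };
+
+ blacklistedKernelModules = [ "nouveau" ];
+
+ # Use the systemd-boot EFI boot loader.
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ timeout = null;
+ };
+
+ plymouth.enable = true;
+
+ kernelPackages = pkgs.linuxPackages_latest;
+ kernelParams = [ "i915.fastboot=1" "intel_pstate=no_hwp" "acpi_backlight=vendor" "thinkpad-acpi.brightness_enable=1" "quiet" ];
+ extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
+ kernelModules = ["v4l2loopback"];
+
+ tmpOnTmpfs = true;
+ };
+
+ networking = {
+ domain = "midgard.yggdrasil";
+ hosts = {
+ "127.0.0.1" = [ "sif.midgard.yggdrasil" "sif" ];
+ "::1" = [ "sif.midgard.yggdrasil" "sif" ];
+ };
+
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 # ssh
+ 8000 # quickserve
+ ];
+ allowedUDPPorts = [ 8554 # gopro webcam
+ ];
+ };
+
+ networkmanager = {
+ enable = true;
+ dhcp = "internal";
+ dns = lib.mkForce "dnsmasq";
+ extraConfig = ''
+ [connectivity]
+ uri=https://online.yggdrasil.li
+ '';
+ };
+
+ wlanInterfaces = {
+ wlan0 = {
+ device = "wlp82s0";
+ };
+ };
+
+ bonds = {
+ "lan" = {
+ interfaces = [ "wlan0" "enp0s31f6" "dock0" ];
+ driverOptions = {
+ miimon = "1000";
+ mode = "active-backup";
+ primary_reselect = "always";
+ };
+ };
+ };
+
+ dhcpcd.enable = false;
+ useDHCP = false;
+ useNetworkd = true;
+
+ interfaces.yggdrasil = {
+ virtual = true;
+ virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
+ macAddress = "5c:93:21:c3:61:39";
+ };
+ };
+
+ systemd.services."NetworkManager-wait-online".enable = false;
+ systemd.services."systemd-networkd-wait-online".enable = false;
+
+ environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
+ text = ''
+ server=/sif.libvirt/192.168.122.1
+ '';
+ };
+
+ services.openssh.enable = true;
+
+ powerManagement = {
+ enable = true;
+
+ cpuFreqGovernor = "schedutil";
+ };
+
+ environment.systemPackages = with pkgs; [
+ nvtop brightnessctl config.boot.kernelPackages.v4l2loopback s-tui
+ ];
+
+ services = {
+ tinc.yggdrasil.enable = true;
+
+ uucp = {
+ enable = true;
+ nodeName = "sif";
+ remoteNodes = {
+ "ymir" = {
+ publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
+ hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
+ };
+ };
+
+ defaultCommands = lib.mkForce [];
+ };
+
+ avahi.enable = true;
+
+ fwupd.enable = true;
+
+ fprintd.enable = true;
+
+ blueman.enable = true;
+
+ colord.enable = true;
+
+ vnstat.enable = true;
+
+ logind = {
+ lidSwitch = "suspend";
+ lidSwitchDocked = "lock";
+ lidSwitchExternalPower = "lock";
+ };
+
+ atd = {
+ enable = true;
+ allowEveryone = true;
+ };
+
+ xserver = {
+ enable = true;
+
+ layout = "us";
+ xkbVariant = "dvp";
+ xkbOptions = "compose:caps";
+
+ displayManager.lightdm = {
+ enable = true;
+ greeters.gtk = {
+ clock-format = "%H:%M %a %b %_d";
+ indicators = ["~host" "~spacer" "~clock" "~session" "~power"];
+ theme = {
+ package = pkgs.equilux-theme;
+ name = "Equilux-compact";
+ };
+ iconTheme = {
+ package = pkgs.paper-icon-theme;
+ name = "Paper";
+ };
+ extraConfig = ''
+ background = #000000
+ user-background = false
+ active-monitor = #cursor
+ hide-user-image = true
+
+ [monitor: DP-2]
+ laptop = true
+ '';
+ };
+ };
+
+ displayManager.setupCommands = ''
+ ${pkgs.xorg.xinput}/bin/xinput disable 'SynPS/2 Synaptics TouchPad'
+ '';
+
+ desktopManager.xterm.enable = true;
+ windowManager.twm.enable = true;
+ displayManager.defaultSession = "xterm+twm";
+
+ wacom.enable = true;
+ libinput.enable = true;
+
+ dpi = 282;
+
+ videoDrivers = [ "nvidia" ];
+
+ screenSection = ''
+ Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }"
+ '';
+
+ deviceSection = ''
+ Option "AccelMethod" "SNA"
+ Option "TearFree" "True"
+ '';
+
+ exportConfiguration = true;
+ };
+ };
+
+ users = {
+ users.gkleen.extraGroups = [ "media" ];
+ groups.media = {};
+ };
+
+ hardware = {
+ pulseaudio = {
+ enable = true;
+ package = with pkgs; pulseaudioFull;
+ support32Bit = true;
+ };
+
+ bluetooth = {
+ enable = true;
+ settings = {
+ General = {
+ Enable = "Source,Sink,Media,Socket";
+ };
+ };
+ };
+
+ trackpoint = {
+ enable = true;
+ emulateWheel = true;
+ sensitivity = 255;
+ speed = 255;
+ };
+
+ nvidia = {
+ modesetting.enable = true;
+ prime = {
+ nvidiaBusId = "PCI:1:0:0";
+ intelBusId = "PCI:0:2:0";
+ sync.enable = true;
+ };
+ };
+
+ opengl = {
+ enable = true;
+ driSupport32Bit = true;
+ setLdLibraryPath = true;
+ };
+
+ firmware = [ pkgs.firmwareLinuxNonfree ];
+ };
+
+ sound.enable = true;
+
+ nix = {
+ autoOptimiseStore = true;
+ daemonNiceLevel = 10;
+ daemonIONiceLevel = 3;
+ };
+
+ environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
+
+ systemd.services."ac-plugged" = {
+ description = "Inhibit handling of lid-switch and sleep";
+
+ path = with pkgs; [ systemd coreutils ];
+
+ script = ''
+ exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
+ '';
+
+ serviceConfig = {
+ Type = "simple";
+ };
+ };
+
+ services.udev.extraRules = with pkgs; lib.mkAfter ''
+ SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
+ SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
+ ACTION=="add", SUBSYSTEM=="net", DEVTYPE!="?*", ATTR{address}=="3c:e1:a1:b9:cd:e5", NAME="dock0"
+ '';
+
+ services.borgbackup = {
+ snapshots = "btrfs";
+ prefix = "yggdrasil.midgard.sif.";
+ targets = {
+ "munin" = {
+ repo = "borg.munin:borg";
+ paths = [ "/home/gkleen" ];
+ prune = {
+ "home" =
+ [ "--keep-within" "24H"
+ "--keep-daily" "31"
+ "--keep-monthly" "12"
+ "--keep-yearly" "-1"
+ ];
+ };
+ keyFile = "/run/secrets/borg-repokey--borg_munin__borg";
+ };
+ };
+ };
+ sops.secrets.borg-repokey--borg_munin__borg = {
+ sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml";
+ key = "key";
+ };
+
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = [ "/" "/home" ];
+ interval = "weekly";
+ };
+
+ systemd.services."nix-daemon".serviceConfig = {
+ MemoryAccounting = true;
+ MemoryHigh = "50%";
+ MemoryMax = "75%";
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=100M
+ '';
+
+ services.dbus.packages = with pkgs;
+ [ dbus gnome3.dconf
+ ];
+
+ programs = {
+ light.enable = true;
+ wireshark.enable = true;
+ };
+
+ virtualisation.libvirtd = {
+ enable = true;
+ };
+
+ zramSwap.enable = true;
+
+ services.pcscd.enable = true;
+
+ system.stateVersion = "20.03";
+ };
+}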
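Review bot: The `ac-plugged` unit's description claims it inhibits lid-switch handling *and sleep*, but the script only passes `--what=handle-lid-switch`, so an explicit suspend while on AC is still honoured; either use `--what=handle-lid-switch:sleep` or shorten the description to `"Inhibit handling of lid-switch"` so the two agree. TCP 8000 (`# quickserve`) is left open permanently in `networking.firewall.allowedTCPPorts` on a laptop whose `lan` bond includes `wlan0`; an ad-hoc file-server port is better opened only while it is in use, or scoped with `networking.firewall.interfaces` to the interface it is actually served on. `services.atd.allowEveryone = true` lets every local account queue at/batch jobs, which deserves a one-line comment stating why that is wanted here. `services.openssh.enable = true` sets no key-only restriction, unlike `hosts/surtr/default.nix` in the same commit; presumably the imported `openssh` system profile does that, but it is not visible in this diff.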
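diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
new file mode 100644
index 00000000..92afb7c9
--- /dev/null
+++ b/hosts/sif/hw.nix
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+{
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/f094bf06-66f9-40a8-9ab2-2b54d05223d2";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/B3A2-D029";
+ fsType = "vfat";
+ };
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/9e932072-3c56-4a9c-8da7-3163d2a8bf28";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/var/media" =
+ { device = "/dev/disk/by-uuid/437eca70-d017-4d52-a1fa-2f4c7a87f096";
+ fsType = "btrfs";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/50f3f856-cc17-4614-846a-34a14d5006ec"; }
+ ];
+
+ nix.maxJobs = 12;
+ # High-DPI console
+ console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
+
+ hardware.cpu.intel.updateMicrocode = true;
+
+ hardware.enableRedistributableFirmware = true;
+}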
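Review bot: `hardware.enableRedistributableFirmware = true` on the last line overlaps with `hardware.firmware = [ pkgs.firmwareLinuxNonfree ]` in `hosts/sif/default.nix` from the same commit; as far as I recall the former already includes that package, so the two settings should live in one place with a comment saying which one is authoritative. The file has no header explaining its scope; a line such as `# Disks, swap, console font and CPU firmware for sif` at the top would make it clear that everything hardware-specific belongs here rather than in default.nix. The `/var/media` device is mounted here but only the `/` and `/home` filesystems are scrubbed by `services.btrfs.autoScrub` in default.nix; if that omission is deliberate, a short comment on the `/var/media` entry would prevent someone "fixing" it.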
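diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
new file mode 100644
index 00000000..29bfb4f1
--- /dev/null
+++ b/hosts/sif/mail/default.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+{
+ services.postfix = {
+ enable = true;
+ enableSmtp = true;
+ enableSubmission = false;
+ setSendmail = true;
+ networksStyle = "host";
+ hostname = "sif.midgard.yggdrasil";
+ destination = [];
+ relayHost = "uucp:ymir";
+ recipientDelimiter = "+";
+ masterConfig = {
+ uucp = {
+ type = "unix";
+ private = true;
+ privileged = true;
+ chroot = false;
+ command = "pipe";
+ args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
+ };
+ };
+ transport = ''
+ odin.asgard.yggdrasil uucp:odin
+ '';
+ config = {
+ always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
+
+ default_transport = "uucp:ymir";
+
+ inet_interfaces = "loopback-only";
+
+ authorized_submit_users = ["!uucp" "static:anyone"];
+ message_size_limit = "0";
+
+ sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+ /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+ /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+ /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+ ''}'';
+ sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
+ /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
+ /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
+ ''}'';
+
+ smtp_sasl_auth_enable = true;
+ smtp_sender_dependent_authentication = true;
+ smtp_sasl_tls_security_options = "noanonymous";
+ smtp_sasl_mechanism_filter = ["plain"];
+ smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
+ smtp_cname_overrides_servername = false;
+ smtp_always_send_ehlo = true;
+ smtp_tls_security_level = "dane";
+
+ smtp_tls_loglevel = "1";
+ smtp_dns_support_level = "dnssec";
+ };
+ };
+
+ sops.secrets.postfix-sasl-passwd = {
+ key = "sasl-passwd";
+ path = "/var/db/postfix/sasl_passwd";
+ owner = "postfix";
+ sopsFile = ./secrets.yaml;
+ };
+}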
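Review bot: `smtp_tls_security_level = "dane"` with `smtp_dns_support_level = "dnssec"` only gives authenticated TLS when Postfix's resolver validates DNSSEC and returns the AD bit; sif resolves through NetworkManager's dnsmasq (`dns = lib.mkForce "dnsmasq"` in `hosts/sif/default.nix`), which does not validate unless configured to, so DANE would silently degrade to opportunistic `may` for every relay. The three relays in `sender_dependent_default_transport_maps` receive `plain` SASL credentials, so it is worth pinning them via `smtp_tls_policy_maps` (e.g. an entry `smtp.ifi.lmu.de secure`, or at least `encrypt`) so the password is never sent over an unauthenticated or cleartext session regardless of DNS. `message_size_limit = "0"` removes the size cap entirely; a comment on why that is acceptable for a loopback-only relay would help. The `uucp` transport quotes `$sender`/`$recipient` through the `q` flag in `flags=Fqhu`, which is the right choice for a `pipe` command; a one-line comment saying so would save the next reader verifying it against pipe(8).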
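diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/mail/secrets.yaml
new file mode 100644
index 00000000..06a2ad40
--- /dev/null
+++ b/hosts/sif/mail/secrets.yaml
@@ -0,0 +1,33 @@
+sasl-passwd: ENC[AES256_GCM,data:S81uICROGm/E0TC3xJyPXbVLjOO+PsRyJBoWINFZGzeh8F0nXx1ewiiSXtNl9trTbxlSgf5jnBvtbyd75N0OcyqBf0db5tJtvU42DO5I4qFo4R67FzpKzKWMF4AJuFGP1aKkPsPIc41WTfLemKCfbEhVfQj9qEFLR9TC8iqzSZa0bztCuLoKi0vrAO/4JZnzUe3n7FXy+ER6oYK9JoKwaXc9KYdwQC3QYCby2iSq+GvRs7FL4x6/Zr8FzVCXHYMaW/Qg9dCn/g2NnEnOsH0pEASuKRPJKh8x5dtQg9v3jRK6NIDjEkXeuBnSOaeQiAcYc784foIlI7Q=,iv:zCsYZtU51zJR9XqaCvMtc5aGZwSccIrPzhznubEoEjo=,tag:0/v4Cp/0xLrfEX7H953bOA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ lastmodified: '2021-01-18T09:46:15Z'
+ mac: ENC[AES256_GCM,data:Idvsviv6CGibT+s7TSYUNmYO6gELqahJq33+k8YQhhwDKC6+s3Wqjq3xDkVjPcgq32GQolzmv20s93vQSHVuTKcH9jpXmIlwVZmZFFV7ejuA3QScOqqNNynh1m1ba/eZCGgIZiSlRuv7wqs7wz2uHN9eY3prsDkG1vxpc7UC18g=,iv:S9S/N3vW2TXcNYsc/w+3pDJT+BOQaAw8vgqYwRUtbU4=,tag:jPRXDzy29ewkq/Nzcayfnw==,type:str]
+ pgp:
+ - created_at: '2021-01-02T19:29:14Z'
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4Dgwm4NZSaLAcSAQdAE/883Tbc7WXuzOxjm5jVrOSbnYe+BEg75ijtZP2L3UMw
+ 4mhqzy576jEQLPGrnMpX2zA2MwFAwGnMwC98sQ4vVTp/xgNQ0VHHNM4GnTi6VoUb
+ 0l4BLgQrT6p2ul69ADecadWJsGm6roqMHrpNGZeeczDLOBIzrrwN4sL92jQiEPw9
+ Ih+EXJpJ1K4NouU1VRsfQPqJ6y+i295TnEgunlJeYc/MNQgBT4ABiPZgUZXnkhxl
+ =7rOv
+ -----END PGP MESSAGE-----
+ fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+ - created_at: '2021-01-02T19:29:14Z'
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DXxoViZlp6dISAQdAGifJ6qk40VdF/WKaYa9v97PdSVkPvHZt+j0G8+ZDJSEw
+ 8XC1622ElTWRCZ2bjUwMF77DMgMy3rEr8B7Bj6MnEzDd/Af63Np1cO+7juybxqhz
+ 0l4BO6uZ+gCvKg45jWX0GE6ZBkoUTvh24djTngHFyIHDnpCxSB6s+jcYR9otco2F
+ ++E2pcoQR4GuOeyYa/8UsW+RzKWpCfskYbSIt4gAXyCt8ua1y5Rw0DEVdw91uJNC
+ =E/qh
+ -----END PGP MESSAGE-----
+ fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+ unencrypted_suffix: _unencrypted
+ version: 3.6.1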
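diff --git a/hosts/sif/wacom.conf b/hosts/sif/wacom.conf
new file mode 100644
index 00000000..864409f1
--- /dev/null
+++ b/hosts/sif/wacom.conf
@@ -0,0 +1,15 @@
+Section "InputClass"
+ Identifier "Wacom USB device class"
+ MatchUSBID "056a:*"
+ MatchDevicePath "/dev/input/event*"
+ Driver "wacom"
+EndSection
+
+Section "InputClass"
+ Identifier "calibration"
+ MatchProduct "Wacom USB device class"
+ Option "MinX" "58"
+ Option "MaxX" "30982"
+ Option "MinY" "87"
+ Option "MaxY" "17328"
+EndSection
\ No newline at end of file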
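diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
new file mode 100644
index 00000000..d37646f9
--- /dev/null
+++ b/hosts/surtr/default.nix
@@ -0,0 +1,107 @@
+{ flake, pkgs, ... }:
+{
+ imports = with flake.nixosModules.systemProfiles; [
+ qemu-guest openssh rebuild-machines
+ ];
+
+ config = {
+ nixpkgs = {
+ system = "x86_64-linux";
+ };
+
+ networking.hostId = "a64cf4d7";
+ environment.etc."machine-id".text = "a64cf4d793ab0a0ed3892ead609fc0bc";
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/vda";
+ };
+
+ kernelPackages = pkgs.linuxPackages_latest;
+
+ tmpOnTmpfs = true;
+
+ supportedFilesystems = [ "zfs" ];
+ zfs.devNodes = "/dev"; # /dev/vda2 does not show up in /dev/disk/by-id
+ };
+
+ fileSystems = {
+ "/" = {
+ fsType = "tmpfs";
+ options = [ "mode=0755" ];
+ };
+
+ "/boot" =
+ { device = "/dev/disk/by-label/boot";
+ fsType = "vfat";
+ };
+
+ "/nix" =
+ { device = "surtr/local/nix";
+ fsType = "zfs";
+ };
+
+ "/root" =
+ { device = "surtr/safe/home-root";
+ fsType = "zfs";
+ neededForBoot = true;
+ };
+
+ "/var/log" =
+ { device = "surtr/local/var-log";
+ fsType = "zfs";
+ };
+
+ "/home" =
+ { device = "surtr/safe/home";
+ fsType = "zfs";
+ };
+ };
+
+ networking = {
+ hostName = "surtr";
+ domain = "muspelheim.yggdrasil";
+ search = [ "muspelheim.yggdrasil" "yggdrasil" ];
+
+ enableIPv6 = true;
+ dhcpcd.enable = false;
+ useDHCP = false;
+ useNetworkd = true;
+ defaultGateway = { address = "202.61.240.1"; };
+ defaultGateway6 = { address = "fe80::1"; };
+ interfaces."ens3" = {
+ ipv4.addresses = [
+ { address = "202.61.241.61"; prefixLength = 22; }
+ ];
+ ipv6.addresses = [
+ { address = "2a03:4000:52:ada::"; prefixLength = 64; }
+ ];
+ };
+
+ firewall = {
+ enable = true;
+ allowPing = true;
+ allowedTCPPorts = [
+ 22 # ssh
+ ];
+ allowedUDPPortRanges = [
+ { from = 60000; to = 61000; } # mosh
+ ];
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ challengeResponseAuthentication = false;
+ extraConfig = ''
+ AllowGroups ssh
+ '';
+ };
+ users.groups."ssh" = {
+ members = ["root"];
+ };
+ };
+}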
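Review bot: With `/` on tmpfs and only `/boot`, `/nix`, `/root`, `/var/log` and `/home` persisted, `/etc/ssh/ssh_host_*` lives on the volatile root, so a fresh host key is generated at every boot and every SSH client will see a changed key after each reboot — unless the imported `openssh` profile already relocates it, which this diff does not show. If it does not, point `services.openssh.hostKeys` at one of the persisted datasets, e.g. `hostKeys = [ { path = "/root/ssh_host_ed25519_key"; type = "ed25519"; } ];` with `/root` being `neededForBoot` here, and add a comment explaining why the key is not in `/etc/ssh`. `AllowGroups ssh` together with `users.groups."ssh".members = ["root"]` means root is the only account that can log in, yet no `authorizedKeys` appear in this file; presumably the profile supplies them, but a comment naming where they come from would make the access model auditable from this file alone. The hard-coded `environment.etc."machine-id".text` is the usual way to keep the id stable on a tmpfs root, but it deserves a comment such as `# / is tmpfs, so pin machine-id here`. Unlike `hosts/sif/default.nix`, no `system.stateVersion` is set in this file; if none of the imported profiles sets it, the effective value will move with each upgrade.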