5 files changed, 479 insertions, 0 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
new file mode 100644
index 00000000..daa37ad9
--- /dev/null
+++ b/hosts/sif/default.nix
@@ -0,0 +1,330 @@
+{ flake, pkgs, customUtils, lib, config, path, ... }:
+{
+  imports = with flake.nixosModules.systemProfiles; [
+    ./hw.nix
+    ./mail
+    initrd-all-crypto-modules default-locale openssh
+  ];
+  config = {
+    nixpkgs = {
+      system = "x86_64-linux";
+      config = {
+        allowUnfree = true;
+      };
+    };
+    boot = {
+      initrd = {
+        luks.devices = {
+          nvm0.device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb";
+          nvm1.device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a";
+        };
+        availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+        kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ];
+      };
+      blacklistedKernelModules = [ "nouveau" ];
+      # Use the systemd-boot EFI boot loader.
+      loader = {
+        systemd-boot.enable = true;
+        efi.canTouchEfiVariables = true;
+        timeout = null;
+      };
+      plymouth.enable = true;
+      kernelPackages = pkgs.linuxPackages_latest;
+      kernelParams = [ "i915.fastboot=1" "intel_pstate=no_hwp" "acpi_backlight=vendor" "thinkpad-acpi.brightness_enable=1" "quiet" ];
+      extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
+      kernelModules = ["v4l2loopback"];
+      tmpOnTmpfs = true;
+    };
+    networking = {
+      domain = "midgard.yggdrasil";
+      hosts = {
+        "127.0.0.1" = [ "sif.midgard.yggdrasil" "sif" ];
+        "::1" = [ "sif.midgard.yggdrasil" "sif" ];
+      };
+      firewall = {
+        enable = true;
+        allowedTCPPorts = [ 22 # ssh
+                            8000 # quickserve
+                          ];
+        allowedUDPPorts = [ 8554 # gopro webcam
+                          ];
+      };
+      networkmanager = {
+        enable = true;
+        dhcp = "internal";
+        dns = "dnsmasq";
+        extraConfig = ''
+          [connectivity]
+          uri=https://online.yggdrasil.li
+        '';
+      };
+      dhcpcd.enable = false;
+      interfaces.yggdrasil = {
+        virtual = true;
+        virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
+        macAddress = "5c:93:21:c3:61:39";
+      };
+    };
+    environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
+      text = ''
+        server=/sif.libvirt/192.168.122.1
+      '';
+    };
+    powerManagement = {
+      enable = true;
+      cpuFreqGovernor = "schedutil";
+    };
+    environment.systemPackages = with pkgs; [
+      nvtop brightnessctl config.boot.kernelPackages.v4l2loopback s-tui
+    ];
+    services = {
+      tinc.yggdrasil.enable = true;
+      uucp = {
+        enable = true;
+        nodeName = "sif";
+        remoteNodes = {
+          "ymir" = {
+            publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
+            hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
+          };
+        };
+        defaultCommands = lib.mkForce [];
+      };
+      avahi.enable = true;
+      fwupd.enable = true;
+      fprintd.enable = true;
+      blueman.enable = true;
+    
+      colord.enable = true;
+    
+      vnstat.enable = true;
+      logind = {
+        lidSwitch = "suspend";
+        lidSwitchDocked = "lock";
+        lidSwitchExternalPower = "lock";
+      };
+      atd = {
+        enable = true;
+        allowEveryone = true;
+      };
+      xserver = {
+        enable = true;
+        layout = "us";
+        xkbVariant = "dvp";
+        xkbOptions = "compose:caps";
+        displayManager.lightdm = {
+          enable = true;
+          greeters.gtk = {
+            clock-format = "%H:%M %a %b %_d";
+            indicators = ["~host" "~spacer" "~clock" "~session" "~power"];
+            theme = {
+              package = pkgs.equilux-theme;
+              name = "Equilux-compact";
+            };
+            iconTheme = {
+              package = pkgs.paper-icon-theme;
+              name = "Paper";
+            };
+            extraConfig = ''
+              background = #000000
+              user-background = false
+              active-monitor = #cursor
+              hide-user-image = true
+              [monitor: DP-2]
+                laptop = true
+            '';
+          };
+        };
+        displayManager.setupCommands = ''
+          ${pkgs.xorg.xinput}/bin/xinput disable 'SynPS/2 Synaptics TouchPad'
+        '';
+        desktopManager.xterm.enable = true;
+        windowManager.twm.enable = true;
+        displayManager.defaultSession = "xterm+twm";
+        wacom.enable = true;
+        libinput.enable = true;
+        dpi = 282;
+        videoDrivers = [ "nvidia" ];
+        screenSection = ''
+          Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }"
+        '';
+        deviceSection = ''
+          Option "AccelMethod" "SNA"
+          Option "TearFree" "True"
+        '';
+        exportConfiguration = true;
+      };
+    };
+    users = {
+      users.gkleen.extraGroups = [ "media" ];
+      groups.media = {};
+    };
+    hardware = {
+      pulseaudio = {
+        enable = true;
+        package = with pkgs; pulseaudioFull;
+        support32Bit = true;
+      };
+      bluetooth = {
+        enable = true;   
+        settings = {
+          General = {
+            Enable = "Source,Sink,Media,Socket";
+          };
+        };
+      };
+      trackpoint = {
+        enable = true;
+        emulateWheel = true;
+        sensitivity = 255;
+        speed = 255;
+      };
+      nvidia = {
+        modesetting.enable = true;
+        prime = {
+          nvidiaBusId = "PCI:1:0:0";
+          intelBusId = "PCI:0:2:0";
+          sync.enable = true;
+        };
+      };
+      opengl = {
+        enable = true;
+        driSupport32Bit = true;
+        setLdLibraryPath = true;
+      };
+      firmware = [ pkgs.firmwareLinuxNonfree ];
+    };
+    sound.enable = true;
+    nix = {
+      autoOptimiseStore = true;
+      daemonNiceLevel = 10;
+      daemonIONiceLevel = 3;
+    };
+    environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
+    systemd.services."ac-plugged" = {
+      description = "Inhibit handling of lid-switch and sleep";
+      path = with pkgs; [ systemd coreutils ];
+      script = ''
+        exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
+      '';
+      serviceConfig = {
+        Type = "simple";
+      };
+    };
+    services.udev.extraRules = with pkgs; ''
+      SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
+      SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
+    '';
+    services.borgbackup = {
+      snapshots = "btrfs";
+      prefix = "yggdrasil.midgard.sif.";
+      targets = {
+        "munin" = {
+          repo = "borg.munin:borg";
+          paths = [ "/home/gkleen" ];
+          prune = {
+            "home" =
+              [ "--keep-within" "24H"
+                "--keep-daily" "31"
+                "--keep-monthly" "12"
+                "--keep-yearly" "-1"
+              ];
+          };
+          keyFile = "/run/secrets/borg-repokey--borg_munin__borg";
+        };
+      };
+    };
+    sops.secrets.borg-repokey--borg_munin__borg = {
+      sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml";
+      key = "key";
+    };
+    services.btrfs.autoScrub = {
+      enable = true;
+      fileSystems = [ "/" "/home" ];
+      interval = "weekly";
+    };
+    systemd.services."nix-daemon".serviceConfig = {
+      MemoryAccounting = true;
+      MemoryHigh = "50%";
+      MemoryMax = "75%";
+    };
+    services.journald.extraConfig = ''
+      SystemMaxUse=100M
+    '';
+    services.dbus.packages = with pkgs;
+      [ dbus gnome3.dconf
+      ];
+    programs = {
+      light.enable = true;
+      wireshark.enable = true;
+    };
+    virtualisation.libvirtd = {
+      enable = true;
+    };
+    zramSwap.enable = true;
+    services.pcscd.enable = true;
+    system.stateVersion = "20.03";
+  };
+}
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
new file mode 100644
index 00000000..92afb7c9
--- /dev/null
+++ b/hosts/sif/hw.nix
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+{
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/f094bf06-66f9-40a8-9ab2-2b54d05223d2";
+      fsType = "btrfs";
+    };
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B3A2-D029";
+      fsType = "vfat";
+    };
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/9e932072-3c56-4a9c-8da7-3163d2a8bf28";
+      fsType = "btrfs";
+    };
+  fileSystems."/var/media" =
+    { device = "/dev/disk/by-uuid/437eca70-d017-4d52-a1fa-2f4c7a87f096";
+      fsType = "btrfs";
+    };
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/50f3f856-cc17-4614-846a-34a14d5006ec"; }
+    ];
+  nix.maxJobs = 12;
+  # High-DPI console
+  console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
+  hardware.cpu.intel.updateMicrocode = true;
+  
+  hardware.enableRedistributableFirmware = true;
+}
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
new file mode 100644
index 00000000..29bfb4f1
--- /dev/null
+++ b/hosts/sif/mail/default.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+{
+  services.postfix = {
+    enable = true;
+    enableSmtp = true;
+    enableSubmission = false;
+    setSendmail = true;
+    networksStyle = "host";
+    hostname = "sif.midgard.yggdrasil";
+    destination = [];
+    relayHost = "uucp:ymir";
+    recipientDelimiter = "+";
+    masterConfig = {
+      uucp = {
+        type = "unix";
+        private = true;
+        privileged = true;
+        chroot = false;
+        command = "pipe";
+        args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
+      };
+    };
+    transport = ''
+      odin.asgard.yggdrasil uucp:odin
+    '';
+    config = {
+      always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
+      default_transport = "uucp:ymir";
+      inet_interfaces = "loopback-only";
+      authorized_submit_users = ["!uucp" "static:anyone"];
+      message_size_limit = "0";
+      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+      ''}'';
+      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
+        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
+        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
+      ''}'';
+      smtp_sasl_auth_enable = true;
+      smtp_sender_dependent_authentication = true;
+      smtp_sasl_tls_security_options = "noanonymous";
+      smtp_sasl_mechanism_filter = ["plain"];
+      smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
+      smtp_cname_overrides_servername = false;
+      smtp_always_send_ehlo = true;
+      smtp_tls_security_level = "dane";
+      smtp_tls_loglevel = "1";
+      smtp_dns_support_level = "dnssec";
+    };
+  };
+  sops.secrets.postfix-sasl-passwd = {
+    key = "sasl-passwd";
+    path = "/var/db/postfix/sasl_passwd";
+    owner = "postfix";
+    sopsFile = ./secrets.yaml;
+  };
+}
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/mail/secrets.yaml
new file mode 100644
index 00000000..06a2ad40
--- /dev/null
+++ b/hosts/sif/mail/secrets.yaml
@@ -0,0 +1,33 @@
+sasl-passwd: ENC[AES256_GCM,data:S81uICROGm/E0TC3xJyPXbVLjOO+PsRyJBoWINFZGzeh8F0nXx1ewiiSXtNl9trTbxlSgf5jnBvtbyd75N0OcyqBf0db5tJtvU42DO5I4qFo4R67FzpKzKWMF4AJuFGP1aKkPsPIc41WTfLemKCfbEhVfQj9qEFLR9TC8iqzSZa0bztCuLoKi0vrAO/4JZnzUe3n7FXy+ER6oYK9JoKwaXc9KYdwQC3QYCby2iSq+GvRs7FL4x6/Zr8FzVCXHYMaW/Qg9dCn/g2NnEnOsH0pEASuKRPJKh8x5dtQg9v3jRK6NIDjEkXeuBnSOaeQiAcYc784foIlI7Q=,iv:zCsYZtU51zJR9XqaCvMtc5aGZwSccIrPzhznubEoEjo=,tag:0/v4Cp/0xLrfEX7H953bOA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2021-01-18T09:46:15Z'
+    mac: ENC[AES256_GCM,data:Idvsviv6CGibT+s7TSYUNmYO6gELqahJq33+k8YQhhwDKC6+s3Wqjq3xDkVjPcgq32GQolzmv20s93vQSHVuTKcH9jpXmIlwVZmZFFV7ejuA3QScOqqNNynh1m1ba/eZCGgIZiSlRuv7wqs7wz2uHN9eY3prsDkG1vxpc7UC18g=,iv:S9S/N3vW2TXcNYsc/w+3pDJT+BOQaAw8vgqYwRUtbU4=,tag:jPRXDzy29ewkq/Nzcayfnw==,type:str]
+    pgp:
+    -   created_at: '2021-01-02T19:29:14Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+            hF4Dgwm4NZSaLAcSAQdAE/883Tbc7WXuzOxjm5jVrOSbnYe+BEg75ijtZP2L3UMw
+            4mhqzy576jEQLPGrnMpX2zA2MwFAwGnMwC98sQ4vVTp/xgNQ0VHHNM4GnTi6VoUb
+            0l4BLgQrT6p2ul69ADecadWJsGm6roqMHrpNGZeeczDLOBIzrrwN4sL92jQiEPw9
+            Ih+EXJpJ1K4NouU1VRsfQPqJ6y+i295TnEgunlJeYc/MNQgBT4ABiPZgUZXnkhxl
+            =7rOv
+            -----END PGP MESSAGE-----
+        fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+    -   created_at: '2021-01-02T19:29:14Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+            hF4DXxoViZlp6dISAQdAGifJ6qk40VdF/WKaYa9v97PdSVkPvHZt+j0G8+ZDJSEw
+            8XC1622ElTWRCZ2bjUwMF77DMgMy3rEr8B7Bj6MnEzDd/Af63Np1cO+7juybxqhz
+            0l4BO6uZ+gCvKg45jWX0GE6ZBkoUTvh24djTngHFyIHDnpCxSB6s+jcYR9otco2F
+            ++E2pcoQR4GuOeyYa/8UsW+RzKWpCfskYbSIt4gAXyCt8ua1y5Rw0DEVdw91uJNC
+            =E/qh
+            -----END PGP MESSAGE-----
+        fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/hosts/sif/wacom.conf b/hosts/sif/wacom.conf
new file mode 100644
index 00000000..864409f1
--- /dev/null
+++ b/hosts/sif/wacom.conf
@@ -0,0 +1,15 @@
+Section "InputClass"
+        Identifier "Wacom USB device class"
+        MatchUSBID "056a:*"
+        MatchDevicePath "/dev/input/event*"
+        Driver "wacom"
+EndSection
+Section "InputClass"
+        Identifier      "calibration"
+        MatchProduct    "Wacom USB device class"
+        Option  "MinX"  "58"
+        Option  "MaxX"  "30982"
+        Option  "MinY"  "87"
+        Option  "MaxY"  "17328"
+EndSection
+\ No newline at end of file

diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix new file mode 100644 index 00000000..daa37ad9 --- /dev/null +++ b/hosts/sif/default.nix
@@ -0,0 +1,330 @@
	1	{ flake, pkgs, customUtils, lib, config, path, ... }:
	2	{
	3	imports = with flake.nixosModules.systemProfiles; [
	4	./hw.nix
	5	./mail
	6	initrd-all-crypto-modules default-locale openssh
	7	];
	8
	9	config = {
	10	nixpkgs = {
	11	system = "x86_64-linux";
	12	config = {
	13	allowUnfree = true;
	14	};
	15	};
	16
	17	boot = {
	18	initrd = {
	19	luks.devices = {
	20	nvm0.device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb";
	21	nvm1.device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a";
	22	};
	23	availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
	24	kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ];
	25	};
	26
	27	blacklistedKernelModules = [ "nouveau" ];
	28
	29	# Use the systemd-boot EFI boot loader.
	30	loader = {
	31	systemd-boot.enable = true;
	32	efi.canTouchEfiVariables = true;
	33	timeout = null;
	34	};
	35
	36	plymouth.enable = true;
	37
	38	kernelPackages = pkgs.linuxPackages_latest;
	39	kernelParams = [ "i915.fastboot=1" "intel_pstate=no_hwp" "acpi_backlight=vendor" "thinkpad-acpi.brightness_enable=1" "quiet" ];
	40	extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
	41	kernelModules = ["v4l2loopback"];
	42
	43	tmpOnTmpfs = true;
	44	};
	45
	46	networking = {
	47	domain = "midgard.yggdrasil";
	48	hosts = {
	49	"127.0.0.1" = [ "sif.midgard.yggdrasil" "sif" ];
	50	"::1" = [ "sif.midgard.yggdrasil" "sif" ];
	51	};
	52
	53	firewall = {
	54	enable = true;
	55	allowedTCPPorts = [ 22 # ssh
	56	8000 # quickserve
	57	];
	58	allowedUDPPorts = [ 8554 # gopro webcam
	59	];
	60	};
	61
	62	networkmanager = {
	63	enable = true;
	64	dhcp = "internal";
	65	dns = "dnsmasq";
	66	extraConfig = ''
	67	[connectivity]
	68	uri=https://online.yggdrasil.li
	69	'';
	70	};
	71
	72	dhcpcd.enable = false;
	73
	74	interfaces.yggdrasil = {
	75	virtual = true;
	76	virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
	77	macAddress = "5c:93:21:c3:61:39";
	78	};
	79	};
	80
	81	environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
	82	text = ''
	83	server=/sif.libvirt/192.168.122.1
	84	'';
	85	};
	86
	87	powerManagement = {
	88	enable = true;
	89
	90	cpuFreqGovernor = "schedutil";
	91	};
	92
	93	environment.systemPackages = with pkgs; [
	94	nvtop brightnessctl config.boot.kernelPackages.v4l2loopback s-tui
	95	];
	96
	97	services = {
	98	tinc.yggdrasil.enable = true;
	99
	100	uucp = {
	101	enable = true;
	102	nodeName = "sif";
	103	remoteNodes = {
	104	"ymir" = {
	105	publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
	106	hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
	107	};
	108	};
	109
	110	defaultCommands = lib.mkForce [];
	111	};
	112
	113	avahi.enable = true;
	114
	115	fwupd.enable = true;
	116
	117	fprintd.enable = true;
	118
	119	blueman.enable = true;
	120
	121	colord.enable = true;
	122
	123	vnstat.enable = true;
	124
	125	logind = {
	126	lidSwitch = "suspend";
	127	lidSwitchDocked = "lock";
	128	lidSwitchExternalPower = "lock";
	129	};
	130
	131	atd = {
	132	enable = true;
	133	allowEveryone = true;
	134	};
	135
	136	xserver = {
	137	enable = true;
	138
	139	layout = "us";
	140	xkbVariant = "dvp";
	141	xkbOptions = "compose:caps";
	142
	143	displayManager.lightdm = {
	144	enable = true;
	145	greeters.gtk = {
	146	clock-format = "%H:%M %a %b %_d";
	147	indicators = ["~host" "~spacer" "~clock" "~session" "~power"];
	148	theme = {
	149	package = pkgs.equilux-theme;
	150	name = "Equilux-compact";
	151	};
	152	iconTheme = {
	153	package = pkgs.paper-icon-theme;
	154	name = "Paper";
	155	};
	156	extraConfig = ''
	157	background = #000000
	158	user-background = false
	159	active-monitor = #cursor
	160	hide-user-image = true
	161
	162	[monitor: DP-2]
	163	laptop = true
	164	'';
	165	};
	166	};
	167
	168	displayManager.setupCommands = ''
	169	${pkgs.xorg.xinput}/bin/xinput disable 'SynPS/2 Synaptics TouchPad'
	170	'';
	171
	172	desktopManager.xterm.enable = true;
	173	windowManager.twm.enable = true;
	174	displayManager.defaultSession = "xterm+twm";
	175
	176	wacom.enable = true;
	177	libinput.enable = true;
	178
	179	dpi = 282;
	180
	181	videoDrivers = [ "nvidia" ];
	182
	183	screenSection = ''
	184	Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }"
	185	'';
	186
	187	deviceSection = ''
	188	Option "AccelMethod" "SNA"
	189	Option "TearFree" "True"
	190	'';
	191
	192	exportConfiguration = true;
	193	};
	194	};
	195
	196	users = {
	197	users.gkleen.extraGroups = [ "media" ];
	198	groups.media = {};
	199	};
	200
	201	hardware = {
	202	pulseaudio = {
	203	enable = true;
	204	package = with pkgs; pulseaudioFull;
	205	support32Bit = true;
	206	};
	207
	208	bluetooth = {
	209	enable = true;
	210	settings = {
	211	General = {
	212	Enable = "Source,Sink,Media,Socket";
	213	};
	214	};
	215	};
	216
	217	trackpoint = {
	218	enable = true;
	219	emulateWheel = true;
	220	sensitivity = 255;
	221	speed = 255;
	222	};
	223
	224	nvidia = {
	225	modesetting.enable = true;
	226	prime = {
	227	nvidiaBusId = "PCI:1:0:0";
	228	intelBusId = "PCI:0:2:0";
	229	sync.enable = true;
	230	};
	231	};
	232
	233	opengl = {
	234	enable = true;
	235	driSupport32Bit = true;
	236	setLdLibraryPath = true;
	237	};
	238
	239	firmware = [ pkgs.firmwareLinuxNonfree ];
	240	};
	241
	242	sound.enable = true;
	243
	244	nix = {
	245	autoOptimiseStore = true;
	246	daemonNiceLevel = 10;
	247	daemonIONiceLevel = 3;
	248	};
	249
	250	environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
	251
	252	systemd.services."ac-plugged" = {
	253	description = "Inhibit handling of lid-switch and sleep";
	254
	255	path = with pkgs; [ systemd coreutils ];
	256
	257	script = ''
	258	exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
	259	'';
	260
	261	serviceConfig = {
	262	Type = "simple";
	263	};
	264	};
	265
	266	services.udev.extraRules = with pkgs; ''
	267	SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
	268	SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
	269	'';
	270
	271	services.borgbackup = {
	272	snapshots = "btrfs";
	273	prefix = "yggdrasil.midgard.sif.";
	274	targets = {
	275	"munin" = {
	276	repo = "borg.munin:borg";
	277	paths = [ "/home/gkleen" ];
	278	prune = {
	279	"home" =
	280	[ "--keep-within" "24H"
	281	"--keep-daily" "31"
	282	"--keep-monthly" "12"
	283	"--keep-yearly" "-1"
	284	];
	285	};
	286	keyFile = "/run/secrets/borg-repokey--borg_munin__borg";
	287	};
	288	};
	289	};
	290	sops.secrets.borg-repokey--borg_munin__borg = {
	291	sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml";
	292	key = "key";
	293	};
	294
	295	services.btrfs.autoScrub = {
	296	enable = true;
	297	fileSystems = [ "/" "/home" ];
	298	interval = "weekly";
	299	};
	300
	301	systemd.services."nix-daemon".serviceConfig = {
	302	MemoryAccounting = true;
	303	MemoryHigh = "50%";
	304	MemoryMax = "75%";
	305	};
	306
	307	services.journald.extraConfig = ''
	308	SystemMaxUse=100M
	309	'';
	310
	311	services.dbus.packages = with pkgs;
	312	[ dbus gnome3.dconf
	313	];
	314
	315	programs = {
	316	light.enable = true;
	317	wireshark.enable = true;
	318	};
	319
	320	virtualisation.libvirtd = {
	321	enable = true;
	322	};
	323
	324	zramSwap.enable = true;
	325
	326	services.pcscd.enable = true;
	327
	328	system.stateVersion = "20.03";
	329	};
	330	}


diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix new file mode 100644 index 00000000..92afb7c9 --- /dev/null +++ b/hosts/sif/hw.nix
@@ -0,0 +1,35 @@
	1	{ config, lib, pkgs, ... }:
	2
	3	{
	4	fileSystems."/" =
	5	{ device = "/dev/disk/by-uuid/f094bf06-66f9-40a8-9ab2-2b54d05223d2";
	6	fsType = "btrfs";
	7	};
	8
	9	fileSystems."/boot" =
	10	{ device = "/dev/disk/by-uuid/B3A2-D029";
	11	fsType = "vfat";
	12	};
	13
	14	fileSystems."/home" =
	15	{ device = "/dev/disk/by-uuid/9e932072-3c56-4a9c-8da7-3163d2a8bf28";
	16	fsType = "btrfs";
	17	};
	18
	19	fileSystems."/var/media" =
	20	{ device = "/dev/disk/by-uuid/437eca70-d017-4d52-a1fa-2f4c7a87f096";
	21	fsType = "btrfs";
	22	};
	23
	24	swapDevices =
	25	[ { device = "/dev/disk/by-uuid/50f3f856-cc17-4614-846a-34a14d5006ec"; }
	26	];
	27
	28	nix.maxJobs = 12;
	29	# High-DPI console
	30	console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
	31
	32	hardware.cpu.intel.updateMicrocode = true;
	33
	34	hardware.enableRedistributableFirmware = true;
	35	}


diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix new file mode 100644 index 00000000..29bfb4f1 --- /dev/null +++ b/hosts/sif/mail/default.nix
@@ -0,0 +1,66 @@
	1	{ config, pkgs, ... }:
	2	{
	3	services.postfix = {
	4	enable = true;
	5	enableSmtp = true;
	6	enableSubmission = false;
	7	setSendmail = true;
	8	networksStyle = "host";
	9	hostname = "sif.midgard.yggdrasil";
	10	destination = [];
	11	relayHost = "uucp:ymir";
	12	recipientDelimiter = "+";
	13	masterConfig = {
	14	uucp = {
	15	type = "unix";
	16	private = true;
	17	privileged = true;
	18	chroot = false;
	19	command = "pipe";
	20	args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
	21	};
	22	};
	23	transport = ''
	24	odin.asgard.yggdrasil uucp:odin
	25	'';
	26	config = {
	27	always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
	28
	29	default_transport = "uucp:ymir";
	30
	31	inet_interfaces = "loopback-only";
	32
	33	authorized_submit_users = ["!uucp" "static:anyone"];
	34	message_size_limit = "0";
	35
	36	sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
	37	/@(cip\|stud)\.ifi\.(lmu\|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
	38	/@ifi\.(lmu\|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
	39	/@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
	40	''}'';
	41	sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
	42	/^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
	43	/@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
	44	''}'';
	45
	46	smtp_sasl_auth_enable = true;
	47	smtp_sender_dependent_authentication = true;
	48	smtp_sasl_tls_security_options = "noanonymous";
	49	smtp_sasl_mechanism_filter = ["plain"];
	50	smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
	51	smtp_cname_overrides_servername = false;
	52	smtp_always_send_ehlo = true;
	53	smtp_tls_security_level = "dane";
	54
	55	smtp_tls_loglevel = "1";
	56	smtp_dns_support_level = "dnssec";
	57	};
	58	};
	59
	60	sops.secrets.postfix-sasl-passwd = {
	61	key = "sasl-passwd";
	62	path = "/var/db/postfix/sasl_passwd";
	63	owner = "postfix";
	64	sopsFile = ./secrets.yaml;
	65	};
	66	}


diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/mail/secrets.yaml new file mode 100644 index 00000000..06a2ad40 --- /dev/null +++ b/hosts/sif/mail/secrets.yaml
@@ -0,0 +1,33 @@
	1	sasl-passwd: ENC[AES256_GCM,data:S81uICROGm/E0TC3xJyPXbVLjOO+PsRyJBoWINFZGzeh8F0nXx1ewiiSXtNl9trTbxlSgf5jnBvtbyd75N0OcyqBf0db5tJtvU42DO5I4qFo4R67FzpKzKWMF4AJuFGP1aKkPsPIc41WTfLemKCfbEhVfQj9qEFLR9TC8iqzSZa0bztCuLoKi0vrAO/4JZnzUe3n7FXy+ER6oYK9JoKwaXc9KYdwQC3QYCby2iSq+GvRs7FL4x6/Zr8FzVCXHYMaW/Qg9dCn/g2NnEnOsH0pEASuKRPJKh8x5dtQg9v3jRK6NIDjEkXeuBnSOaeQiAcYc784foIlI7Q=,iv:zCsYZtU51zJR9XqaCvMtc5aGZwSccIrPzhznubEoEjo=,tag:0/v4Cp/0xLrfEX7H953bOA==,type:str]
	2	sops:
	3	kms: []
	4	gcp_kms: []
	5	azure_kv: []
	6	hc_vault: []
	7	lastmodified: '2021-01-18T09:46:15Z'
	8	mac: ENC[AES256_GCM,data:Idvsviv6CGibT+s7TSYUNmYO6gELqahJq33+k8YQhhwDKC6+s3Wqjq3xDkVjPcgq32GQolzmv20s93vQSHVuTKcH9jpXmIlwVZmZFFV7ejuA3QScOqqNNynh1m1ba/eZCGgIZiSlRuv7wqs7wz2uHN9eY3prsDkG1vxpc7UC18g=,iv:S9S/N3vW2TXcNYsc/w+3pDJT+BOQaAw8vgqYwRUtbU4=,tag:jPRXDzy29ewkq/Nzcayfnw==,type:str]
	9	pgp:
	10	- created_at: '2021-01-02T19:29:14Z'
	11	enc: \|
	12	-----BEGIN PGP MESSAGE-----
	13
	14	hF4Dgwm4NZSaLAcSAQdAE/883Tbc7WXuzOxjm5jVrOSbnYe+BEg75ijtZP2L3UMw
	15	4mhqzy576jEQLPGrnMpX2zA2MwFAwGnMwC98sQ4vVTp/xgNQ0VHHNM4GnTi6VoUb
	16	0l4BLgQrT6p2ul69ADecadWJsGm6roqMHrpNGZeeczDLOBIzrrwN4sL92jQiEPw9
	17	Ih+EXJpJ1K4NouU1VRsfQPqJ6y+i295TnEgunlJeYc/MNQgBT4ABiPZgUZXnkhxl
	18	=7rOv
	19	-----END PGP MESSAGE-----
	20	fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
	21	- created_at: '2021-01-02T19:29:14Z'
	22	enc: \|
	23	-----BEGIN PGP MESSAGE-----
	24
	25	hF4DXxoViZlp6dISAQdAGifJ6qk40VdF/WKaYa9v97PdSVkPvHZt+j0G8+ZDJSEw
	26	8XC1622ElTWRCZ2bjUwMF77DMgMy3rEr8B7Bj6MnEzDd/Af63Np1cO+7juybxqhz
	27	0l4BO6uZ+gCvKg45jWX0GE6ZBkoUTvh24djTngHFyIHDnpCxSB6s+jcYR9otco2F
	28	++E2pcoQR4GuOeyYa/8UsW+RzKWpCfskYbSIt4gAXyCt8ua1y5Rw0DEVdw91uJNC
	29	=E/qh
	30	-----END PGP MESSAGE-----
	31	fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
	32	unencrypted_suffix: _unencrypted
	33	version: 3.6.1


diff --git a/hosts/sif/wacom.conf b/hosts/sif/wacom.conf new file mode 100644 index 00000000..864409f1 --- /dev/null +++ b/hosts/sif/wacom.conf
@@ -0,0 +1,15 @@
	1	Section "InputClass"
	2	Identifier "Wacom USB device class"
	3	MatchUSBID "056a:*"
	4	MatchDevicePath "/dev/input/event*"
	5	Driver "wacom"
	6	EndSection
	7
	8	Section "InputClass"
	9	Identifier "calibration"
	10	MatchProduct "Wacom USB device class"
	11	Option "MinX" "58"
	12	Option "MaxX" "30982"
	13	Option "MinY" "87"
	14	Option "MaxY" "17328"
	15	EndSection \ No newline at end of file