From f6e600c20d6a97ebeda23fa2bb5621646222b2b0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 2 Jan 2021 20:53:17 +0100
Subject: sif: import config
---
hosts/sif/default.nix | 295 ++++++++++++++++++++++++++++++++++++++++++++
hosts/sif/hw.nix | 36 ++++++
hosts/sif/mail/default.nix | 66 ++++++++++
hosts/sif/mail/secrets.yaml | 33 +++++
hosts/sif/wacom.conf | 15 +++
5 files changed, 445 insertions(+)
create mode 100644 hosts/sif/default.nix
create mode 100644 hosts/sif/hw.nix
create mode 100644 hosts/sif/mail/default.nix
create mode 100644 hosts/sif/mail/secrets.yaml
create mode 100644 hosts/sif/wacom.conf
(limited to 'hosts/sif')
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
new file mode 100644
index 00000000..4e9826bd
--- /dev/null
+++ b/hosts/sif/default.nix
@@ -0,0 +1,295 @@
+{ flake, pkgs, customUtils, lib, config, ... }:
+{
+ imports = with flake.nixosModules.systemProfiles; [
+ ./hw.nix
+ ./mail
+ initrd-all-crypto-modules default-locale openssh
+ ];
+
+ config = {
+ nixpkgs = {
+ system = "x86_64-linux";
+ config = {
+ allowUnfree = true;
+ };
+ };
+
+ boot = {
+ initrd = {
+ luks.devices = {
+ nvm0.device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb";
+ nvm1.device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a";
+ };
+ availableKernelModules = [ "drbg" "nvme" "fbcon" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ];
+ };
+
+ blacklistedKernelModules = [ "nouveau" ];
+
+ # Use the systemd-boot EFI boot loader.
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ timeout = null;
+ };
+
+ plymouth.enable = true;
+
+ kernelPackages = pkgs.linuxPackages_latest;
+ kernelParams = [ "i915.fastboot=1" "intel_pstate=no_hwp" "acpi_backlight=vendor" "thinkpad-acpi.brightness_enable=1" "quiet" ];
+
+ tmpOnTmpfs = true;
+ };
+
+ networking = {
+ domain = "midgard.yggdrasil";
+ hosts = {
+ "127.0.0.1" = [ "sif.midgard.yggdrasil" "sif" ];
+ "::1" = [ "sif.midgard.yggdrasil" "sif" ];
+ };
+
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 # ssh
+ 8000 # quickserve
+ ];
+ };
+
+ networkmanager = {
+ enable = true;
+ dhcp = "internal";
+ dns = "dnsmasq";
+ extraConfig = ''
+ [connectivity]
+ uri=https://online.yggdrasil.li
+ '';
+ };
+
+ dhcpcd.enable = false;
+
+ interfaces.yggdrasil = {
+ virtual = true;
+ virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
+ macAddress = "5c:93:21:c3:61:39";
+ };
+ };
+
+ environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
+ text = ''
+ server=/sif.libvirt/192.168.122.1
+ '';
+ };
+
+ powerManagement.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ nvtop brightnessctl
+ ];
+
+ services = {
+ tinc.yggdrasil.enable = true;
+
+ uucp = {
+ enable = true;
+ nodeName = "sif";
+ remoteNodes = {
+ "ymir" = {
+ publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
+ hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
+ };
+ };
+
+ defaultCommands = lib.mkForce [];
+ };
+
+ avahi.enable = true;
+
+ fwupd.enable = true;
+
+ fprintd.enable = true;
+
+ blueman.enable = true;
+
+ colord.enable = true;
+
+ vnstat.enable = true;
+
+ logind = {
+ lidSwitch = "suspend";
+ lidSwitchDocked = "lock";
+ lidSwitchExternalPower = "lock";
+ };
+
+ atd = {
+ enable = true;
+ allowEveryone = true;
+ };
+
+ xserver = {
+ enable = true;
+
+ layout = "us";
+ xkbVariant = "dvp";
+ xkbOptions = "compose:caps";
+
+ displayManager.lightdm = {
+ enable = true;
+ greeters.gtk = {
+ clock-format = "%H:%M %a %b %_d";
+ indicators = ["~host" "~spacer" "~clock" "~session" "~power"];
+ theme = {
+ package = pkgs.equilux-theme;
+ name = "Equilux-compact";
+ };
+ iconTheme = {
+ package = pkgs.paper-icon-theme;
+ name = "Paper";
+ };
+ extraConfig = ''
+ background = #000000
+ user-background = false
+ active-monitor = #cursor
+ hide-user-image = true
+
+ [monitor: DP-2]
+ laptop = true
+ '';
+ };
+ };
+
+ displayManager.setupCommands = ''
+ ${pkgs.xorg.xinput}/bin/xinput disable 'SynPS/2 Synaptics TouchPad'
+ '';
+
+ desktopManager.xterm.enable = true;
+ windowManager.twm.enable = true;
+ displayManager.defaultSession = "xterm+twm";
+
+ wacom.enable = true;
+ libinput.enable = true;
+
+ dpi = 282;
+
+ videoDrivers = [ "nvidia" ];
+
+ screenSection = ''
+ Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }"
+ '';
+
+ deviceSection = ''
+ Option "AccelMethod" "SNA"
+ Option "TearFree" "True"
+ '';
+
+ exportConfiguration = true;
+ };
+ };
+
+ users = {
+ users.gkleen.extraGroups = [ "media" ];
+ };
+
+ hardware = {
+ pulseaudio = {
+ enable = true;
+ package = with pkgs; pulseaudioFull;
+ support32Bit = true;
+ };
+
+ bluetooth = {
+ enable = true;
+ config = {
+ General = {
+ Enable = "Source,Sink,Media,Socket";
+ };
+ };
+ };
+
+ trackpoint = {
+ enable = true;
+ emulateWheel = true;
+ sensitivity = 255;
+ speed = 255;
+ };
+
+ nvidia = {
+ modesetting.enable = true;
+ prime = {
+ nvidiaBusId = "PCI:1:0:0";
+ intelBusId = "PCI:0:2:0";
+ sync.enable = true;
+ };
+ };
+
+ opengl = {
+ enable = true;
+ driSupport32Bit = true;
+ setLdLibraryPath = true;
+ };
+
+ firmware = [ pkgs.firmwareLinuxNonfree ];
+ };
+
+ sound.enable = true;
+
+ nix = {
+ autoOptimiseStore = true;
+ daemonNiceLevel = 10;
+ daemonIONiceLevel = 3;
+ };
+
+ environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
+
+ systemd.services."ac-plugged" = {
+ description = "Inhibit handling of lid-switch and sleep";
+
+ path = with pkgs; [ systemd coreutils ];
+
+ script = ''
+ exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
+ '';
+
+ serviceConfig = {
+ Type = "simple";
+ };
+ };
+
+ services.udev.extraRules = with pkgs; ''
+ SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
+ SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
+ '';
+
+ services.btrfs.autoScrub = {
+ enable = true;
+ fileSystems = [ "/" "/home" ];
+ interval = "weekly";
+ };
+
+ systemd.services."nix-daemon".serviceConfig = {
+ MemoryAccounting = true;
+ MemoryHigh = "50%";
+ MemoryMax = "75%";
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=100M
+ '';
+
+ services.dbus.packages = with pkgs;
+ [ dbus gnome3.dconf
+ ];
+
+ programs = {
+ light.enable = true;
+ wireshark.enable = true;
+ };
+
+ virtualisation.libvirtd = {
+ enable = true;
+ };
+
+ zramSwap.enable = true;
+
+ system.stateVersion = "20.03";
+ };
+}
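Review bot: `8000 # quickserve` in `networking.firewall.allowedTCPPorts` opens that port on every interface for good, and since NetworkManager is enabled in the same hunk this laptop presumably also joins untrusted Wi-Fi networks where an ad-hoc file server on 8000 would be reachable by anyone on the segment. If the share is only meant for the tinc network, scope it to the `yggdrasil` interface declared a few lines below with `networking.firewall.interfaces.yggdrasil.allowedTCPPorts = [ 8000 ];` and reduce the global list to `allowedTCPPorts = [ 22 ];`, or leave 8000 closed and open it only while something is actually serving. Either way the comment should name what listens there and why it must be globally reachable, e.g. `# 8000: quickserve ad-hoc HTTP share, reachable from any network`.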
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
new file mode 100644
index 00000000..4a3e6c86
--- /dev/null
+++ b/hosts/sif/hw.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/f094bf06-66f9-40a8-9ab2-2b54d05223d2";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/B3A2-D029";
+ fsType = "vfat";
+ };
+
+ fileSystems."/home" =
+ { device = "/dev/disk/by-uuid/9e932072-3c56-4a9c-8da7-3163d2a8bf28";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/var/media" =
+ { device = "/dev/disk/by-uuid/437eca70-d017-4d52-a1fa-2f4c7a87f096";
+ fsType = "btrfs";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/50f3f856-cc17-4614-846a-34a14d5006ec"; }
+ ];
+
+ nix.maxJobs = 12;
+ powerManagement.cpuFreqGovernor = "powersave";
+ # High-DPI console
+ console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
+
+ hardware.cpu.intel.updateMicrocode = true;
+
+ hardware.enableRedistributableFirmware = true;
+}
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
new file mode 100644
index 00000000..2addba9d
--- /dev/null
+++ b/hosts/sif/mail/default.nix
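Review bot: `fileSystems."/boot"` mounts the ESP with vfat defaults, which leaves the kernels, initrds and loader entries that systemd-boot writes there readable by every local account (vfat takes file modes from the mount-time umask, normally 022). Adding `options = [ "umask=0077" ];` to that entry restricts the directory to root without affecting the boot loader, which runs before any user is logged in. The remaining entries are by-uuid mounts and need no change.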
@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+{
+ services.postfix = {
+ enable = true;
+ enableSmtp = true;
+ enableSubmission = false;
+ setSendmail = true;
+ networksStyle = "host";
+ hostname = "sif.midgard.yggdrasil";
+ destination = [];
+ relayHost = "uucp:ymir";
+ recipientDelimiter = "+";
+ masterConfig = {
+ uucp = {
+ type = "unix";
+ private = true;
+ privileged = true;
+ chroot = false;
+ command = "pipe";
+ args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
+ };
+ };
+ transport = ''
+ odin.asgard.yggdrasil uucp:odin
+ '';
+ config = {
+ always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
+
+ default_transport = "uucp:ymir";
+
+ inet_interfaces = "loopback-only";
+
+ authorized_submit_users = ["!uucp" "static:anyone"];
+ message_size_limit = "0";
+
+ sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+ /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+ /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+ /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+ ''}'';
+ sender_bcc_maps = ''texthash:${pkgs.writeText "sender_bcc" ''
+ uni2work@ifi.lmu.de uni2work@ifi.lmu.de
+ @ifi.lmu.de gregor.kleen@ifi.lmu.de
+ ''}'';
+
+ smtp_sasl_auth_enable = true;
+ smtp_sender_dependent_authentication = true;
+ smtp_sasl_tls_security_options = "noanonymous";
+ smtp_sasl_mechanism_filter = ["plain"];
+ smtp_sasl_password_maps = "texthash:/var/db/postfix/sasl_passwd";
+ smtp_cname_overrides_servername = false;
+ smtp_always_send_ehlo = true;
+
+ smtp_tls_loglevel = "1";
+ smtp_dns_support_level = "dnssec";
+ };
+ useDane = true;
+ };
+
+ sops.secrets.postfix-sasl-passwd = {
+ key = "sasl-passwd";
+ path = "/var/db/postfix/sasl_passwd";
+ owner = "postfix";
+ sopsFile = ./secrets.yaml;
+ };
+}
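Review bot: The three relays in `sender_dependent_default_transport_maps` receive the SASL password in the clear inside TLS (`smtp_sasl_mechanism_filter = ["plain"]`), yet the only client TLS policy is the `dane` level that `useDane = true` presumably selects; Postfix downgrades `dane` to opportunistic `may` for a destination without TLSA records, so the relay's certificate is not verified before the credential is sent, and this host roams between networks. Pin those destinations with `smtp_tls_policy_maps = ''texthash:${pkgs.writeText "tls_policy" '' … ''}'';` holding one `secure` entry per relay next-hop exactly as written in the `sender_relay` map, so a relay that cannot present a valid certificate gets deferred instead of authenticated to. A short comment above the `config` block should also state that `sasl_passwd` must contain an entry for each of those next-hops, since `smtp_sender_dependent_authentication = true` keys the lookup by sender.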
@@ -0,0 +1,33 @@
+sasl-passwd: ENC[AES256_GCM,data:RDZHUgQJHH7IzJD5j+LOuQb4OuPopUEa6CwDRoD/FqoHFW/YKarF3Hxxu4HKA5GDf3SRrFOcPBXmf+0f1CucUQwJQh4nY4fmDVqrH0UXRowuAkIhYpt0sLXlzrOzSeZz788A9xK4AGPzEOx1va7GOqJIaPJ+pyyzazQsSgCJaFkUMriCfKbZ0zhRCr0pk2RPLOLKGuo2mDFf5c3EZYAn7vEzhZj+B3XbNWotV/JXTX7JPK6GPcsX2RMKEYBdmxZzrMCTTFU23W1DbiDJ01mxJh3ckIX+KTmaWNoVg4Tong1vBe2wxKchXajmykwFLJFR1Kj5wv4uAxy2qNvKtQIF/LJosG6LXcdk5QDQBXUINqswupBdV8lt08mk53JHLJPXcV8RpEHT3NUL,iv:2u203xTmUEfWIJDB2ZkOKzhYQrV4TGT7rfOd0md+VOw=,tag:RJ/iLbbq8B8dMmXGWjok/g==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ lastmodified: '2021-01-02T19:29:40Z'
+ mac: ENC[AES256_GCM,data:g8wNpsFXiGoENSteWa1w1UkF8LQwnwtoeEHskKhGqAlCFtA1cVdyFSItm8/h1/eqJl/NWXRGU25XpZysCAkJi+uCq4bNGjV+gjqeIT8Dv5teQbVwthoFqkE/s3jew35+f29/xxb5Cro6EihlTrs5Lt3wExv2+NUdim1aeNgR+4Q=,iv:bj/igDT7GPiCjj4BwE7ihM8wR8CbJeXu/s550rc+QEw=,tag:KKt6tWlqxu5C/L/ZYbQL3g==,type:str]
+ pgp:
+ - created_at: '2021-01-02T19:29:14Z'
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4Dgwm4NZSaLAcSAQdAE/883Tbc7WXuzOxjm5jVrOSbnYe+BEg75ijtZP2L3UMw
+ 4mhqzy576jEQLPGrnMpX2zA2MwFAwGnMwC98sQ4vVTp/xgNQ0VHHNM4GnTi6VoUb
+ 0l4BLgQrT6p2ul69ADecadWJsGm6roqMHrpNGZeeczDLOBIzrrwN4sL92jQiEPw9
+ Ih+EXJpJ1K4NouU1VRsfQPqJ6y+i295TnEgunlJeYc/MNQgBT4ABiPZgUZXnkhxl
+ =7rOv
+ -----END PGP MESSAGE-----
+ fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+ - created_at: '2021-01-02T19:29:14Z'
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DXxoViZlp6dISAQdAGifJ6qk40VdF/WKaYa9v97PdSVkPvHZt+j0G8+ZDJSEw
+ 8XC1622ElTWRCZ2bjUwMF77DMgMy3rEr8B7Bj6MnEzDd/Af63Np1cO+7juybxqhz
+ 0l4BO6uZ+gCvKg45jWX0GE6ZBkoUTvh24djTngHFyIHDnpCxSB6s+jcYR9otco2F
+ ++E2pcoQR4GuOeyYa/8UsW+RzKWpCfskYbSIt4gAXyCt8ua1y5Rw0DEVdw91uJNC
+ =E/qh
+ -----END PGP MESSAGE-----
+ fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+ unencrypted_suffix: _unencrypted
+ version: 3.6.1
diff --git a/hosts/sif/wacom.conf b/hosts/sif/wacom.conf
new file mode 100644
index 00000000..864409f1
--- /dev/null
+++ b/hosts/sif/wacom.conf
@@ -0,0 +1,15 @@
+Section "InputClass"
+ Identifier "Wacom USB device class"
+ MatchUSBID "056a:*"
+ MatchDevicePath "/dev/input/event*"
+ Driver "wacom"
+EndSection
+
+Section "InputClass"
+ Identifier "calibration"
+ MatchProduct "Wacom USB device class"
+ Option "MinX" "58"
+ Option "MaxX" "30982"
+ Option "MinY" "87"
+ Option "MaxY" "17328"
+EndSection
\ No newline at end of file
--
cgit v1.2.3
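Review bot: `MatchProduct "Wacom USB device class"` in the `calibration` section is matched against the product name the kernel reports for the device, not against the `Identifier` of the first InputClass, so as far as xorg.conf semantics go this section only applies if the tablet happens to announce exactly that string and otherwise the four `MinX`/`MaxX`/`MinY`/`MaxY` options are silently ignored; the Xorg log lists which InputClass sections each device matched and would confirm this. If the calibration is meant for the same devices, repeat `MatchUSBID "056a:*"` in the second section or move the `Option` lines into the first. The file also lacks a trailing newline (`\ No newline at end of file`), which is worth fixing while touching it.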