it-infra/nixbld-etc-nixos/configuration.nix

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:

let
  netifWan = "enp4s0";
  netifLan = "enp5s0f1";
  netifWifi = "wlp6s0";
  netifSit = "henet0";
  hydraWwwOutputs = "/var/www/hydra-outputs";
in
{
  imports =
    [
      ./hardware-configuration.nix
      ./backup-module.nix
      ./github-backup-module.nix
      ./afws-module.nix
      ./rt.nix
      (builtins.fetchTarball {
        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/008d78cc21959e33d0d31f375b88353a7d7121ae/nixos-mailserver-nixos.tar.gz";
        sha256 = "sha256:0pnfyg4icsvrw390a227m8b1j5w8awicx5aza3d0fiyyzpnrpn5a";
      })
    ];

  boot.loader.grub.enable = true;
  boot.loader.grub.copyKernels = true;
  boot.loader.grub.device = "nodev";
  boot.loader.grub.efiSupport = true;
  boot.loader.efi.canTouchEfiVariables = true;
  hardware.cpu.amd.updateMicrocode = true;
  boot.supportedFilesystems = ["zfs"];
  boot.kernelParams = ["zfs.l2arc_write_max=536870912"];
  boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];

  services.zfs.autoScrub.enable = true;
  services.zfs.autoScrub.interval = "monthly";
  services.zfs.autoSnapshot.enable = true;

  systemd.suppressedSystemUnits = [
      "hibernate.target"
      "suspend.target"
      "suspend-then-hibernate.target"
      "sleep.target"
      "hybrid-sleep.target"
      "systemd-hibernate.service"
      "systemd-hybrid-sleep.service"
      "systemd-suspend.service"
      "systemd-suspend-then-hibernate.service"
  ];

  services.fail2ban.enable = true;
  services.fail2ban.ignoreIP = [ "94.190.212.123" "2001:470:18:390::2" ];
  services.fail2ban.maxretry = 9;
  services.fail2ban.bantime-increment.enable = true;
  services.fail2ban.jails.sshd = {
    settings = {
      filter = "sshd";
      action = "iptables-allports";
    };
  };
  services.fail2ban.jails.nginx-botsearch = {
    settings = {
      filter = "nginx-botsearch";
      action = "iptables-allports";
    };
  };
  services.fail2ban.jails.nginx-limit-req = {
    settings = {
      filter = "nginx-limit-req";
      action = "iptables-allports";
    };
  };
  services.fail2ban.jails.postfix = {
    settings = {
      filter = "postfix";
      action = "iptables-allports";
    };
  };
  services.fail2ban.jails.dovecot = {
    settings = {
      filter = "dovecot";
      action = "iptables-allports";
    };
  };

  networking = {
    hostName = "nixbld";
    hostId = "e423f012";
    firewall = {
      allowedTCPPorts = [ 53 80 443 7402 ];
      allowedUDPPorts = [ 53 67 500 4500 ];
      trustedInterfaces = [ netifLan ];
    };
    interfaces."${netifWan}".useDHCP = true;
    interfaces."${netifLan}" = {
      ipv4.addresses = [{
        address = "192.168.1.1";
        prefixLength = 24;
      }];
      ipv6.addresses = [{
        address = "2001:470:f891:1::";
        prefixLength = 64;
      }];
      # https://unix.stackexchange.com/questions/423502/iproute2-inherit-or-copy-table
      # we just copy what matters here. Ugly but easier.
      ipv4.routes = [
        {
          address = "192.168.1.0";
          prefixLength = 24;
          options.table = "1";
        }
      ];
    };
    interfaces."${netifWifi}" = {
      ipv4.addresses = [{
        address = "192.168.12.1";
        prefixLength = 24;
      }];
      ipv6.addresses = [{
        address = "2001:470:f891:2::";
        prefixLength = 64;
      }];
    };
    nat = {
      enable = true;
      externalInterface = netifWan;
      internalInterfaces = [ netifLan netifWifi ];
      forwardPorts = [
        { sourcePort = 2201; destination = "192.168.1.201:22"; proto = "tcp"; }
        { sourcePort = 2202; destination = "192.168.1.202:22"; proto = "tcp"; }
        { sourcePort = 2203; destination = "192.168.1.203:22"; proto = "tcp"; }
        { sourcePort = 2204; destination = "192.168.1.204:22"; proto = "tcp"; }
      ];
      extraCommands = ''
        iptables -w -N block-lan-from-wifi
        iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
        iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
        iptables -w -A FORWARD -j block-lan-from-wifi

        iptables -w -N block-insecure-devices
        iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP  # keysight SA
        iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP  # siglent scope
        iptables -w -A block-insecure-devices -m mac --mac-source 00:0a:35:00:01:23 -j DROP  # function generator
        iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:21:f1:ee -j DROP  # siglent scope #2
        iptables -w -A block-insecure-devices -m mac --mac-source 00:19:af:5b:dd:58 -j DROP  # power supply
        iptables -w -A block-insecure-devices -m mac --mac-source 28:58:be:dc:66:1f -j DROP  # hikvision low-cost 780nm laser viewer
        iptables -w -A block-insecure-devices -m mac --mac-source bc:99:11:a4:d2:ac -j DROP  # zyxel cloud switch
        iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP  # HP printer, wifi
        iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP  # HP printer, ethernet
        iptables -w -A FORWARD -j block-insecure-devices
      '';
      extraStopCommands = ''
        iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
        iptables -w -F block-lan-from-wifi 2>/dev/null|| true
        iptables -w -X block-lan-from-wifi 2>/dev/null|| true

        iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
        iptables -w -F block-insecure-devices 2>/dev/null|| true
        iptables -w -X block-insecure-devices 2>/dev/null|| true
      '';
    };
    sits."${netifSit}" = {
      dev = netifWan;
      remote = "216.218.221.6";
      local = "94.190.212.123";
      ttl = 255;
    };
    interfaces."${netifSit}".ipv6 = {
      addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
      routes = [{ address = "::"; prefixLength = 0; }];
    };
    greTunnels.alt0 = {
      dev = netifWan;
      remote = "103.206.98.1";
      local = "94.190.212.123";
      ttl = 255;
      type = "tun";
    };
    interfaces.alt0 = {
      ipv4.addresses = [
        {
          address = "103.206.98.227";
          prefixLength = 31;
        }
      ];
      ipv4.routes = [
        {
          address = "0.0.0.0";
          prefixLength = 0;
          via = "103.206.98.226";
          options.table = "1";
        }
      ];
    };
    vlans = {
      vlan0 = {
        id = 2;
        interface = netifLan;
      };
    };
    interfaces.vlan0 = {
      ipv4.addresses = [{
        address = "103.206.98.200";
        prefixLength = 29;
      }];
      ipv4.routes = [
        {
          address = "103.206.98.200";
          prefixLength = 29;
          options.table = "1";
        }
      ];
    };
  };
  boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
  boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1";
  boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
  boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";

  services.strongswan-swanctl.enable = true;
  services.strongswan-swanctl.swanctl.connections.altnet = {
    local_addrs = [ "94.190.212.123" ];
    remote_addrs = [ "103.206.98.1" ];
    local.main = {
      auth = "pubkey";
      id = "fqdn:m-labs.hk";
      pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
    };
    remote.main = {
      auth = "pubkey";
      id = "fqdn:igw0.hkg.as150788.net";
      pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
    };
    children.alt0 = {
      mode = "transport";
      ah_proposals = [ "sha256-curve25519" ];
      remote_ts = [ "103.206.98.1[gre]" ];
      local_ts = [ "94.190.212.123[gre]" ];
      start_action = "start";
    };
  };

  systemd.services.custom-network-setup = {
    wantedBy = [ "network.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.0/24 table 1";
      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
    };
  };

  # https://kb.isc.org/docs/dnssec-key-and-signing-policy
  # chown named.named /etc/nixos/named
  services.bind = {
    enable = true;
    listenOn = [ "94.190.212.123" ];
    listenOnIpv6 = [ "2001:470:18:390::2" ];
    forwarders = [];
    extraOptions = "listen-on-v6 port 5354 { ::1; };";
    cacheNetworks = [ "::1/128" ];
    directory = "/etc/nixos/named";
    zones = {
      "m-labs.hk" = {
        name = "m-labs.hk";
        master = true;
        file = "/etc/nixos/named/m-labs.hk";
        extraConfig =
           ''
           dnssec-policy "default";
           inline-signing yes;
           notify explicit;
           also-notify {
             213.239.220.50;  # ns1.qnetp.net
             216.218.130.2;   # ns1.he.net
             88.198.32.245;   # new qnetp
           };
           '';
        slaves = [
          "213.239.220.50" "2a01:4f8:a0:7041::1"  # ns1.qnetp.net
          "216.218.133.2" "2001:470:600::2"       # slave.dns.he.net
          "88.198.32.245"                         # new qnetp
        ];
      };
      "m-labs.ph" = {
        name = "m-labs.ph";
        master = true;
        file = "/etc/nixos/named/m-labs.ph";
        extraConfig =
           ''
           notify explicit;
           also-notify {
             216.218.130.2;   # ns1.he.net
           };
           '';
        slaves = [
          "216.218.133.2" "2001:470:600::2"       # slave.dns.he.net
        ];
      };
      "193thz.com" = {
        name = "193thz.com";
        master = true;
        file = "/etc/nixos/named/193thz.com";
        extraConfig =
           ''
           dnssec-policy "default";
           inline-signing yes;
           notify explicit;
           also-notify {
             216.218.130.2;   # ns1.he.net
           };
           '';
        slaves = [
          "216.218.133.2" "2001:470:600::2"       # slave.dns.he.net
        ];
      };
      "malloctech.fr" = {
        name = "malloctech.fr";
        master = true;
        file = "/etc/nixos/named/malloctech.fr";
        extraConfig =
           ''
           dnssec-policy "default";
           inline-signing yes;
           notify explicit;
           also-notify {
             216.218.130.2;   # ns1.he.net
           };
           '';
        slaves = [
          "216.218.133.2" "2001:470:600::2"       # slave.dns.he.net
        ];
      };
      "200-29.98.206.103.in-addr.arpa" = {
        name = "200-29.98.206.103.in-addr.arpa";
        master = true;
        file = "/etc/nixos/named/200-29.98.206.103.in-addr.arpa";
        extraConfig =
           ''
           dnssec-policy "default";
           inline-signing yes;
           notify explicit;
           also-notify {
             216.218.130.2;   # ns1.he.net
           };
           '';
        slaves = [
          "216.218.133.2" "2001:470:600::2"       # slave.dns.he.net
        ];
      };
    };
    extraConfig = ''
      zone "mil." IN {
        type forward;
        forward only;
        forwarders { 74.82.42.42; };
      };
    '';
  };

  services.hostapd = {
    enable = true;
    radios.${netifWifi} = {
      band = "2g";
      countryCode = "HK";
      networks.${netifWifi} = {
        ssid = "M-Labs";
        authentication.saePasswords = [
          { password = (import /etc/nixos/secret/wifi_password.nix); }
        ];
      };
    };
  };
  services.dnsmasq = {
    enable = true;
    settings = {
      server = ["::1#5354"];
      interface = [ netifLan netifWifi ];
      bind-interfaces = true;
      dhcp-range = [
        "interface:${netifLan},192.168.1.81,192.168.1.254,24h"
        "interface:${netifWifi},192.168.12.10,192.168.12.254,24h"
        "interface:${netifLan},::,constructor:${netifLan},ra-names"
        "interface:${netifWifi},::,constructor:${netifWifi},ra-only"
      ];
      enable-ra = true;

      no-resolv = true;

      dhcp-host = [
        # Static IPv4s to make Red Pitayas with factory firmware less annoying
        "rp-f05cc9,192.168.1.190"
        "rp-f0612e,192.168.1.191"
        # Static IPv4s to make port redirections work
        "rpi-1,192.168.1.201"
        "rpi-2,192.168.1.202"
        "rpi-3,192.168.1.203"
        "rpi-4,192.168.1.204"
      ];

      address = [
        # Static IP addresses for non-DHCP boards
        "/thermostat/192.168.1.26"
        "/powercycler/192.168.1.31"
        "/kc705/192.168.1.50"
        "/zynq-experiments/192.168.1.51"
        "/zc706/192.168.1.52"
        "/zc706-2/192.168.1.53"
        "/cora-z7/192.168.1.54"
        "/rust-pitaya/192.168.1.55"
        "/kasli/192.168.1.70"
        "/kasli-customer/192.168.1.75"
        "/stabilizer-customer/192.168.1.76"

        # Google can't do DNS geolocation correctly and slows down websites of everyone using
        # their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
        # cannot reach.
        "/fonts.googleapis.com/142.250.207.74"
      ];

      dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
      dhcp-boot = [
        "tag:!ipxe,ipxe.efi"
        "tag:ipxe,http://m-labs.hk/nuc-netboot/netboot.ipxe"
      ];
      enable-tftp = netifLan;
      tftp-root = "${pkgs.ipxe}";
    };
  };

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "de";
  };

  # Set your time zone.
  time.timeZone = "Asia/Hong_Kong";

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    wget vim git file lm_sensors acpi pciutils psmisc nixopsUnstable
    irssi tmux usbutils imagemagick jq zip unzip
    iw
    nvme-cli
    borgbackup
    bind
    waypipe
    (callPackage ./afws { inherit pkgs; })
    (callPackage ./labelprinter { inherit pkgs; })
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };

  # List services that you want to enable:

  services.apcupsd.enable = true;
  services.apcupsd.configText = ''
    UPSTYPE usb
    NISIP 127.0.0.1
    BATTERYLEVEL 10
    MINUTES 5
  '';

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  services.openssh.settings.PasswordAuthentication = false;
  services.openssh.settings.GatewayPorts = "clientspecified";
  programs.mosh.enable = true;

  programs.fish.enable = true;
  programs.zsh.enable = true;

  # Enable CUPS to print documents.
  services.avahi.enable = true;
  services.avahi.allowInterfaces = [ netifLan ];
  services.avahi.publish.enable = true;
  services.avahi.publish.userServices = true;
  nixpkgs.config.allowUnfree = true;
  services.printing.enable = true;
  services.printing.drivers = [ pkgs.hplipWithPlugin ];
  services.printing.browsing = true;
  services.printing.listenAddresses = [ "*:631" ];
  services.printing.defaultShared = true;
  hardware.sane.enable = true;
  hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
  services.saned.enable = true;
  services.saned.extraConfig = "192.168.1.0/24";

  services.udev.extraRules =
    ''
    # label printer
    SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
    '';

  users.extraUsers.root = {
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
    ];
    shell = pkgs.fish;
  };
  # https://github.com/NixOS/nixpkgs/issues/155357
  security.sudo.enable = true;

  users.extraUsers.sb = {
    isNormalUser = true;
    extraGroups = ["lp" "scanner" "afws"];
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
    ];
    shell = pkgs.fish;
  };
  users.extraUsers.rj = {
    isNormalUser = true;
    extraGroups = ["afws"];
  };
  users.extraUsers.nkrackow = {
    isNormalUser = true;
    extraGroups = ["afws"];
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
    ];
  };
  users.extraUsers.spaqin = {
    isNormalUser = true;
    extraGroups = ["lp" "afws"];
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ=="
    ];
    shell = pkgs.zsh;
  };
  users.extraUsers.therobs12 = {
    isNormalUser = true;
    extraGroups = ["lp" "afws"];
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
    ];
  };
  users.extraUsers.morgan = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
    ];
  };
  users.extraUsers.derppening = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
    ];
  };

  users.extraUsers.nix = {
    isNormalUser = true;
  };
  boot.kernel.sysctl."kernel.dmesg_restrict" = true;
  services.udev.packages = [ pkgs.sane-backends ];

  nix.settings.max-jobs = 10;
  nix.nrBuildUsers = 64;
  services.hydra = {
    enable = true;
    useSubstitutes = true;
    hydraURL = "https://nixbld.m-labs.hk";
    notificationSender = "hydra@m-labs.hk";
    minimumDiskFree = 15;  # in GB
    minimumDiskFreeEvaluator = 1;
    extraConfig =
      ''
      binary_cache_secret_key_file = /etc/nixos/secret/nixbld.m-labs.hk-1
      max_output_size = 10000000000

      <runcommand>
        job = web:web:web
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
      </runcommand>
      <runcommand>
        job = web:web:nmigen-docs
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
      </runcommand>

      <runcommand>
        job = artiq:sipyco:sipyco-manual-html
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/sipyco-manual-html
      </runcommand>
      <runcommand>
        job = artiq:sipyco:sipyco-manual-pdf
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/sipyco-manual-pdf
      </runcommand>

      <runcommand>
        job = artiq:main-beta:artiq-manual-html
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-beta
      </runcommand>
      <runcommand>
        job = artiq:main-beta:artiq-manual-pdf
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf-beta
      </runcommand>
      <runcommand>
        job = artiq:extra-beta:conda-channel
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-beta
      </runcommand>

      <runcommand>
        job = artiq:main:artiq-manual-html
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html
      </runcommand>
      <runcommand>
        job = artiq:main:artiq-manual-pdf
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf
      </runcommand>
      <runcommand>
        job = artiq:extra:conda-channel
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel
      </runcommand>

      <runcommand>
        job = artiq:full-legacy:artiq-manual-html
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-legacy
      </runcommand>
      <runcommand>
        job = artiq:full-legacy:artiq-manual-latexpdf
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-latexpdf-legacy
      </runcommand>
      <runcommand>
        job = artiq:full-legacy:conda-channel
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-legacy
      </runcommand>

      <runcommand>
        job = artiq:*:conda-channel
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-archives/$(jq -r '.build' < $HYDRA_JSON)
      </runcommand>

      <runcommand>
        job = artiq:extra-beta:msys2-repos
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-beta
      </runcommand>

      <runcommand>
        job = artiq:main-nac3:msys2-repos
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-nac3
      </runcommand>


      <githubstatus>
        jobs = artiq:fast.*:extended-tests
        inputs = artiqSrc
        useShortContext = 1
        authorization = token ${(import /etc/nixos/secret/github_tokens.nix).artiq}
      </githubstatus>
      <gitea_authorization>
        sb=${(import /etc/nixos/secret/gitea_tokens.nix).artiq-zynq}
      </gitea_authorization>
      '';
  };
  systemd.services.hydra-www-outputs-init = {
    description = "Set up a hydra-owned directory for build outputs";
    wantedBy = [ "multi-user.target" ];
    requiredBy = [ "hydra-queue-runner.service" ];
    before = [ "hydra-queue-runner.service" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = [
        "${pkgs.coreutils}/bin/mkdir -p ${hydraWwwOutputs} ${hydraWwwOutputs}/artiq-conda-channel-archives"
        "${pkgs.coreutils}/bin/chown hydra-queue-runner:hydra ${hydraWwwOutputs} ${hydraWwwOutputs}/artiq-conda-channel-archives"
      ];
    };
  };
  services.afws.enable = true;

  nix.extraOptions = ''
    secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
    experimental-features = nix-command flakes
  '';
  nix.settings.extra-sandbox-paths = ["/opt"];

  services.mlabs-backup.enable = true;
  services.ghbackup.enable = true;

  services.gitea = {
    enable = true;
    appName = "M-Labs Git";
    mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
    settings = {
      server = {
        ROOT_URL = "https://git.m-labs.hk/";
        HTTP_PORT = 3001;
      };

      indexer = {
        REPO_INDEXER_ENABLED = true;
      };

      mailer = {
        ENABLED = true;
        HOST = "mail.m-labs.hk:587";
        FROM = "sysop@m-labs.hk";
        USER = "sysop@m-labs.hk";
      };

      service = {
        ENABLE_NOTIFY_MAIL = true;
        DISABLE_REGISTRATION = true;
      };

      attachment = {
        ALLOWED_TYPES = "*/*";
      };

      log.LEVEL = "Warn";

      session.COOKIE_SECURE = true;
    };
  };
  systemd.tmpfiles.rules = [
    "L+ '${config.services.gitea.stateDir}/custom/templates/home.tmpl' - - - - ${./gitea-home.tmpl}"
    "L+ '${config.services.gitea.stateDir}/custom/templates/user/auth/signin.tmpl' - - - - ${./gitea-signin.tmpl}"
  ];

  services.mattermost = {
    enable = true;
    siteUrl = "https://chat.m-labs.hk/";
    mutableConfig = true;
  };
  services.postgresql.package = pkgs.postgresql_12;
  services.matterbridge = {
    enable = true;
    configPath = "/etc/nixos/secret/matterbridge.toml";
  };
 
  nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
    nix = super.nix.overrideAttrs(oa: {
      patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
    });
    hydra_unstable = super.hydra_unstable.overrideAttrs(oa: {
      patches = oa.patches or [] ++ [
        ./hydra-conda.patch
        ./hydra-msys2.patch
        ./hydra-restrictdist.patch
        ./hydra-hack-allowed-uris.patch  # work around https://github.com/NixOS/nix/issues/5039
      ];
      hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
      doCheck = false;  # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
    });
    matterbridge = super.matterbridge.overrideAttrs(oa: {
      patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ];
    });
  };

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "sb" + "@m-labs.hk";

  # https://github.com/NixOS/nixpkgs/issues/106862
  systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
  systemd.services."acme-fixperms".after = [ "bind.service" "dnsmasq.service" ];
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedGzipSettings = true;
    recommendedTlsSettings = true;
    virtualHosts = let
      mainWebsite = {
        addSSL = true;
        enableACME = true;
        root = "${hydraWwwOutputs}/web";
        extraConfig = ''
          error_page 404 /404.html;
        '';
        locations."^~ /fonts/".extraConfig = ''
          expires 60d;
        '';
        locations."^~ /js/".extraConfig = ''
          expires 60d;
        '';
        locations."/MathJax/" = {
          alias = "/var/www/MathJax/";
          extraConfig = ''
            expires 60d;
          '';
        };
        locations."/nuc-netboot/".alias = "${import ./defenestrate}/";

        # legacy URLs, redirect to avoid breaking people's bookmarks
        locations."/gateware.html".extraConfig = ''
          return 301 /gateware/migen/;
        '';
        locations."/migen".extraConfig = ''
          return 301 /gateware/migen/;
        '';
        locations."/artiq".extraConfig = ''
          return 301 /experiment-control/artiq/;
        '';
        locations."/artiq/resources.html".extraConfig = ''
          return 301 /experiment-control/resources/;
        '';

        # autogenerated manuals
        locations."/artiq/sipyco-manual/" = {
          alias = "${hydraWwwOutputs}/sipyco-manual-html/";
        };
        locations."=/artiq/sipyco-manual.pdf" = {
          alias = "${hydraWwwOutputs}/sipyco-manual-pdf/SiPyCo.pdf";
        };
        locations."/artiq/manual-beta/" = {
          alias = "${hydraWwwOutputs}/artiq-manual-html-beta/";
        };
        locations."=/artiq/manual-beta.pdf" = {
          alias = "${hydraWwwOutputs}/artiq-manual-pdf-beta/ARTIQ.pdf";
        };
        locations."/artiq/manual/" = {
          alias = "${hydraWwwOutputs}/artiq-manual-html/";
        };
        locations."=/artiq/manual.pdf" = {
          alias = "${hydraWwwOutputs}/artiq-manual-pdf/ARTIQ.pdf";
        };
        locations."/artiq/manual-legacy/" = {
          alias = "${hydraWwwOutputs}/artiq-manual-html-legacy/share/doc/artiq-manual/html/";
        };
        locations."=/artiq/manual-legacy.pdf" = {
          alias = "${hydraWwwOutputs}/artiq-manual-latexpdf-legacy/share/doc/artiq-manual/ARTIQ.pdf";
        };

        # legacy content
        locations."/migen/manual/" = {
          alias = "/var/www/m-labs.hk.old/migen/manual/";
        };
        locations."/artiq/manual-release-4/" = {
          alias = "/var/www/m-labs.hk.old/artiq/manual-release-4/";
        };
        locations."/artiq/manual-release-3/" = {
          alias = "/var/www/m-labs.hk.old/artiq/manual-release-3/";
        };
        locations."/artiq/manual-release-2/" = {
          alias = "/var/www/m-labs.hk.old/artiq/manual-release-2/";
        };
      };
    in {
      "m-labs.hk" = mainWebsite;
      "www.m-labs.hk" = mainWebsite;
      "m-labs.ph" = mainWebsite;
      "www.m-labs.ph" = mainWebsite;
      "nixbld.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
        locations."/".proxyPass = "http://127.0.0.1:3000";
      };
      "msys2.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
        locations."/artiq-beta/" = {
          alias = "${hydraWwwOutputs}/artiq-msys2-repos-beta/";
          extraConfig = ''
            autoindex on;
          '';
        };
        locations."/artiq-nac3/" = {
          alias = "${hydraWwwOutputs}/artiq-msys2-repos-nac3/";
          extraConfig = ''
            autoindex on;
          '';
        };
      };
      "conda.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
        locations."/artiq-beta/" = {
          alias = "${hydraWwwOutputs}/artiq-conda-channel-beta/";
          extraConfig = ''
            autoindex on;
            index bogus_index_file;
          '';
        };
        locations."/artiq/" = {
          alias = "${hydraWwwOutputs}/artiq-conda-channel/";
          extraConfig = ''
            autoindex on;
            index bogus_index_file;
          '';
        };
        locations."/artiq-legacy/" = {
          alias = "${hydraWwwOutputs}/artiq-conda-channel-legacy/";
          extraConfig = ''
            autoindex on;
            index bogus_index_file;
          '';
        };
        locations."/artiq-archives/" = {
          alias = "${hydraWwwOutputs}/artiq-conda-channel-archives/";
          extraConfig = ''
            autoindex on;
            index bogus_index_file;
          '';
        };
      };
      "afws.m-labs.hk" = {
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:3771";
          proxyWebsockets = true;
          extraConfig =
            ''
            proxy_read_timeout 2h;
            '';
        };
      };
      "git.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
        locations."/".proxyPass = "http://127.0.0.1:3001";
        extraConfig = ''
          client_max_body_size 300M;
        '';
      };
      "chat.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
        locations."/".proxyPass = "http://127.0.0.1:8065";
        locations."~ /api/v[0-9]+/(users/)?websocket$".proxyPass = "http://127.0.0.1:8065";
        locations."~ /api/v[0-9]+/(users/)?websocket$".proxyWebsockets = true;
      };
      "hooks.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
        locations."/mattermost-github".extraConfig = ''
          include ${pkgs.nginx}/conf/uwsgi_params;
          uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-mgi.sock;
        '';
        locations."/rfq".extraConfig = ''
          include ${pkgs.nginx}/conf/uwsgi_params;
          uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-rfq.sock;
        '';
      };
      "forum.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
        root = "/var/www/flarum/public";
        locations."~ \.php$".extraConfig = ''
          fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
          fastcgi_index index.php;
        '';
        extraConfig = ''
          index index.php;
          include /var/www/flarum/.nginx.conf;
        '';
      };
      "perso.m-labs.hk" = {
        addSSL = true;
        enableACME = true;
        root = "/var/www/perso";
      };
      "rt.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:4201";
          extraConfig = ''
            client_max_body_size 100M;
          '';
        };
        locations."/REST/1.0/NoAuth" = {
          proxyPass = "http://127.0.0.1:4201";
          extraConfig = ''
            client_max_body_size 100M;
            allow 127.0.0.1;
            deny all;
          '';
        };
      };
      "files.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
      };
      "docs.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
        locations."/".proxyPass = "http://localhost:9825";
        locations."/socket.io/".proxyPass = "http://localhost:9825";
        locations."/socket.io/".proxyWebsockets = true;
      };
      "193thz.com" = {
        addSSL = true;
        enableACME = true;
        root = "/var/www/193thz";
      };
      "www.193thz.com" = {
        addSSL = true;
        enableACME = true;
        root = "/var/www/193thz";
      };
      "nmigen.net" = {
        addSSL = true;
        enableACME = true;
        root = "${hydraWwwOutputs}/nmigen-docs";
      };
      "www.nmigen.net" = {
        addSSL = true;
        enableACME = true;
        root = "${hydraWwwOutputs}/nmigen-docs";
      };
    };
  };
  services.uwsgi = {
    enable = true;
    plugins = [ "python3" ];
    instance = {
      type = "emperor";
      vassals = {
        mattermostgithub = import ./mattermost-github-integration/uwsgi-config.nix { inherit config pkgs; };
        rfq = import ./rfq/uwsgi-config.nix { inherit config pkgs; };
      };
    };
  };
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
  };
  services.phpfpm.pools.flarum = {
    user = "nobody";
    settings = {
      "listen.owner" = "nginx";
      "listen.group" = "nginx";
      "listen.mode" = "0600";
      "pm" = "dynamic";
      "pm.max_children" = 5;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 1;
      "pm.max_spare_servers" = 3;
      "pm.max_requests" = 500;
    };
  };

  services.rt = {
    enable = true;
    package = pkgs.rt.overrideAttrs(oa: {
      patches = oa.patches or [] ++ [ ./rt-session.patch ];
    });
    organization = "M-Labs";
    domain = "rt.m-labs.hk";
    rtName = "Helpdesk";
    ownerEmail = "sb" + "@m-labs.hk";
    commentAddress = "helpdesk" + "@m-labs.hk";
    correspondAddress = "helpdesk" + "@m-labs.hk";
    sendmailPath = "${pkgs.msmtp}/bin/msmtp";
    sendmailArguments = ["-t" "-C" "/etc/nixos/secret/rt_msmtp.conf"];
  };
  systemd.services.rt-fetchmail = {
    description = "Fetchmail for RT";
    wantedBy = [ "multi-user.target" ];
    after = [ "dovecot2.service" ];
    serviceConfig = {
      Restart = "on-failure";
      User = "rt";
      Group = "rt";
      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
    };
  };

  mailserver = {
    enable = true;
    localDnsResolver = false;  # conflicts with dnsmasq
    fqdn = "mail.m-labs.hk";
    domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ];
    enablePop3 = true;
    enablePop3Ssl = true;
    certificateScheme = "acme-nginx";
  } // (import /etc/nixos/secret/email_settings.nix);
  services.roundcube = {
    enable = true;
    hostName = "mail.m-labs.hk";
    extraConfig = ''
      $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };

  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud27;
    hostName = "files.m-labs.hk";
    https = true;
    maxUploadSize = "2G";
    config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
    config.defaultPhoneRegion = "HK";
  };

  services.hedgedoc = {
    enable = true;
    settings = {
      port = 9825;
      domain = "docs.m-labs.hk";
      protocolUseSSL = true;
      allowEmailRegister = false;
      allowAnonymous = false;
      db = {
        dialect = "sqlite";
        storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
      };
    };
  };

  system.stateVersion = "21.05";
}