|
|
|
@ -6,6 +6,9 @@ let
|
|
|
|
|
netifLan = "enp5s0f1";
|
|
|
|
|
netifWifi = "wlp6s0";
|
|
|
|
|
netifSit = "henet0";
|
|
|
|
|
netifUSA = "trump0";
|
|
|
|
|
netifAlt = "alt0";
|
|
|
|
|
netifAltVlan = "vlan0";
|
|
|
|
|
hydraWwwOutputs = "/var/www/hydra-outputs";
|
|
|
|
|
in
|
|
|
|
|
{
|
|
|
|
@ -17,8 +20,8 @@ in
|
|
|
|
|
./afws-module.nix
|
|
|
|
|
./rt.nix
|
|
|
|
|
(builtins.fetchTarball {
|
|
|
|
|
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/41059fc548088e49e3ddb3a2b4faeb5de018e60f/nixos-mailserver-nixos.tar.gz";
|
|
|
|
|
sha256 = "sha256:0xvch92yi4mc1acj08461wrgrva63770aiis02vpvaa7a1xqaibv";
|
|
|
|
|
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/29916981e7b3b5782dc5085ad18490113f8ff63b/nixos-mailserver-nixos.tar.gz";
|
|
|
|
|
sha256 = "sha256:0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
|
|
|
|
|
})
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
@ -90,6 +93,15 @@ in
|
|
|
|
|
allowedTCPPorts = [ 53 80 443 2222 7402 ];
|
|
|
|
|
allowedUDPPorts = [ 53 67 500 4500 ];
|
|
|
|
|
trustedInterfaces = [ netifLan ];
|
|
|
|
|
logRefusedConnections = false;
|
|
|
|
|
extraCommands = ''
|
|
|
|
|
iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
|
|
|
|
|
iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
|
|
|
|
|
'';
|
|
|
|
|
extraStopCommands = ''
|
|
|
|
|
iptables -D INPUT -s 5.78.86.156 -p gre -j ACCEPT
|
|
|
|
|
iptables -D INPUT -s 5.78.86.156 -p ah -j ACCEPT
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
useDHCP = false;
|
|
|
|
|
interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
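Review bot: The two `iptables -A INPUT -s 5.78.86.156 ...` lines added to extraCommands admit GRE on the strength of the source address alone, which is spoofable; since the peer is meant to be AH-authenticated (the swanctl `usa` connection added later in this commit), the GRE rule can be tied to the IPsec policy so only decapsulated, verified packets are accepted: `iptables -w -A INPUT -s 5.78.86.156 -p gre -m policy --dir in --pol ipsec --proto ah -j ACCEPT`, with the matching `-D` in extraStopCommands (the AH rule itself has to stay address-based). The new `-D` lines also omit the `2>/dev/null || true` guard and the `-w` flag that the existing block-insecure-devices stop block uses, so a rule that is already gone makes the stop path fail loudly instead of being ignored. The literals 5.78.86.156 and 94.190.212.123 are repeated here, in the greTunnels hunk and in the swanctl hunk; hoisting them into the `let` block next to the netif* bindings would keep the peer definition in one place. `logRefusedConnections = false` also drops a detection signal; if the aim is to cut log noise, a one-line comment saying so would help the next reader.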
|
|
|
|
@ -176,11 +188,21 @@ in
|
|
|
|
|
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
|
|
|
|
|
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
|
|
|
|
|
iptables -w -A FORWARD -j block-insecure-devices
|
|
|
|
|
|
|
|
|
|
iptables -w -N pccw-sucks
|
|
|
|
|
iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
|
|
|
|
|
iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
|
|
|
|
iptables -A pccw-sucks -o ${netifUSA} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
|
|
|
|
iptables -w -A FORWARD -j pccw-sucks
|
|
|
|
|
'';
|
|
|
|
|
extraStopCommands = ''
|
|
|
|
|
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
|
|
|
|
|
iptables -w -F block-insecure-devices 2>/dev/null|| true
|
|
|
|
|
iptables -w -X block-insecure-devices 2>/dev/null|| true
|
|
|
|
|
|
|
|
|
|
iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
|
|
|
|
|
iptables -w -F pccw-sucks 2>/dev/null|| true
|
|
|
|
|
iptables -w -X pccw-sucks 2>/dev/null|| true
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
sits."${netifSit}" = {
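Review bot: The new pccw-sucks chain is only hooked from FORWARD (`iptables -w -A FORWARD -j pccw-sucks`), so TCP connections the host itself opens over ${netifSit}, ${netifAlt} or ${netifUSA} — including the postfix intltunnel transport bound to 10.47.3.1 added later in this commit — are not MSS-clamped and rely on the tunnel MTU and PMTUD instead; if that is unintended, add `iptables -w -A OUTPUT -j pccw-sucks` with a matching `-D` in extraStopCommands. The three `iptables -A pccw-sucks ...` lines drop the `-w` that the surrounding lines use, which can fail on the xtables lock if another iptables invocation is running concurrently. A comment above the chain stating how 1440 and 1380 were derived (presumably the encapsulation overhead of the SIT path versus GRE+AH) would save the next reader from re-deriving them.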
|
|
|
|
@ -193,14 +215,37 @@ in
|
|
|
|
|
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
|
|
|
|
|
routes = [{ address = "::"; prefixLength = 0; }];
|
|
|
|
|
};
|
|
|
|
|
greTunnels.alt0 = {
|
|
|
|
|
greTunnels."${netifUSA}" = {
|
|
|
|
|
dev = netifWan;
|
|
|
|
|
remote = "5.78.86.156";
|
|
|
|
|
local = "94.190.212.123";
|
|
|
|
|
ttl = 255;
|
|
|
|
|
type = "tun";
|
|
|
|
|
};
|
|
|
|
|
greTunnels."${netifAlt}" = {
|
|
|
|
|
dev = netifWan;
|
|
|
|
|
remote = "103.206.98.1";
|
|
|
|
|
local = "94.190.212.123";
|
|
|
|
|
ttl = 255;
|
|
|
|
|
type = "tun";
|
|
|
|
|
};
|
|
|
|
|
interfaces.alt0 = {
|
|
|
|
|
interfaces."${netifUSA}" = {
|
|
|
|
|
ipv4.addresses = [
|
|
|
|
|
{
|
|
|
|
|
address = "10.47.3.1";
|
|
|
|
|
prefixLength = 31;
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
ipv4.routes = [
|
|
|
|
|
{
|
|
|
|
|
address = "0.0.0.0";
|
|
|
|
|
prefixLength = 0;
|
|
|
|
|
via = "10.47.3.0";
|
|
|
|
|
options.table = "3";
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
interfaces."${netifAlt}" = {
|
|
|
|
|
ipv4.addresses = [
|
|
|
|
|
{
|
|
|
|
|
address = "103.206.98.227";
|
|
|
|
@ -217,12 +262,12 @@ in
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
vlans = {
|
|
|
|
|
vlan0 = {
|
|
|
|
|
"${netifAltVlan}" = {
|
|
|
|
|
id = 2;
|
|
|
|
|
interface = netifLan;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
interfaces.vlan0 = {
|
|
|
|
|
interfaces."${netifAltVlan}" = {
|
|
|
|
|
ipv4.addresses = [{
|
|
|
|
|
address = "103.206.98.200";
|
|
|
|
|
prefixLength = 29;
|
|
|
|
@ -255,7 +300,7 @@ in
|
|
|
|
|
id = "fqdn:igw0.hkg.as150788.net";
|
|
|
|
|
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
|
|
|
|
|
};
|
|
|
|
|
children.alt0 = {
|
|
|
|
|
children."${netifAlt}" = {
|
|
|
|
|
mode = "transport";
|
|
|
|
|
ah_proposals = [ "sha256-curve25519" ];
|
|
|
|
|
remote_ts = [ "103.206.98.1[gre]" ];
|
|
|
|
@ -263,6 +308,27 @@ in
|
|
|
|
|
start_action = "start";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
services.strongswan-swanctl.swanctl.connections.usa = {
|
|
|
|
|
local_addrs = [ "94.190.212.123" ];
|
|
|
|
|
remote_addrs = [ "5.78.86.156" ];
|
|
|
|
|
local.main = {
|
|
|
|
|
auth = "pubkey";
|
|
|
|
|
id = "fqdn:m-labs.hk";
|
|
|
|
|
pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
|
|
|
|
|
};
|
|
|
|
|
remote.main = {
|
|
|
|
|
auth = "pubkey";
|
|
|
|
|
id = "fqdn:m-labs-intl.com";
|
|
|
|
|
pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
|
|
|
|
|
};
|
|
|
|
|
children."${netifUSA}" = {
|
|
|
|
|
mode = "transport";
|
|
|
|
|
ah_proposals = [ "sha256-curve25519" ];
|
|
|
|
|
remote_ts = [ "5.78.86.156[gre]" ];
|
|
|
|
|
local_ts = [ "94.190.212.123[gre]" ];
|
|
|
|
|
start_action = "start";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
systemd.services.network-custom-route-backup = {
|
|
|
|
|
wantedBy = [ "network.target" ];
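Review bot: The new `usa` connection, like the existing `alt` one, specifies only `ah_proposals`, so the GRE traffic on ${netifUSA} is integrity-protected but carried in cleartext; since this commit also routes mail for @m-labs-intl.com senders through that tunnel, either `esp_proposals` (confidentiality plus integrity) or an explicit comment such as `# AH only: authenticates the GRE tunnel, payload is not encrypted` above the `children` block would make the choice deliberate rather than inherited. Restricting `local_ts`/`remote_ts` to `[gre]` is good and keeps the policy from capturing other traffic between the endpoints. The `pubkeys` paths under /etc/swanctl/pubkey are referenced but not provisioned here, so a note on where they come from (secret import, manual deployment) would help.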
|
|
|
|
@ -273,6 +339,15 @@ in
|
|
|
|
|
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
systemd.services.network-custom-route-usa = {
|
|
|
|
|
wantedBy = [ "network.target" ];
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "oneshot";
|
|
|
|
|
RemainAfterExit = true;
|
|
|
|
|
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
|
|
|
|
|
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
systemd.services.network-custom-route-alt = {
|
|
|
|
|
wantedBy = [ "network.target" ];
|
|
|
|
|
serviceConfig = {
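Review bot: `ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3"` in network-custom-route-usa removes the first rule that references table 3, not necessarily the one ExecStart added, so any other rule pointing at table 3 could be deleted instead; `ExecStop = "${pkgs.iproute2}/bin/ip rule del from 10.47.3.0/31 table 3";` mirrors ExecStart exactly (the backup service for table 2 has the same pattern, outside this change). The unit is only `wantedBy network.target` with no ordering against the GRE interface; `ip rule add` does not require the interface to exist, so this is probably fine, but a comment stating that would pre-empt the question. The network-custom-route-alt service that follows continues past the end of the hunk.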
|
|
|
|
@ -465,11 +540,6 @@ in
|
|
|
|
|
"/kasli/192.168.1.70"
|
|
|
|
|
"/kasli-customer/192.168.1.75"
|
|
|
|
|
"/stabilizer-customer/192.168.1.76"
|
|
|
|
|
|
|
|
|
|
# Google can't do DNS geolocation correctly and slows down websites of everyone using
|
|
|
|
|
# their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
|
|
|
|
|
# cannot reach.
|
|
|
|
|
"/fonts.googleapis.com/142.250.207.74"
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
|
|
|
|
@ -495,10 +565,23 @@ in
|
|
|
|
|
# List packages installed in system profile. To search, run:
|
|
|
|
|
# $ nix search wget
|
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
|
|
|
wget vim git file lm_sensors acpi pciutils psmisc nixops_unstable_minimal
|
|
|
|
|
irssi tmux usbutils imagemagick jq zip unzip
|
|
|
|
|
lm_sensors
|
|
|
|
|
acpi
|
|
|
|
|
usbutils
|
|
|
|
|
pciutils
|
|
|
|
|
iw
|
|
|
|
|
nvme-cli
|
|
|
|
|
smartmontools
|
|
|
|
|
psmisc
|
|
|
|
|
|
|
|
|
|
wget
|
|
|
|
|
vim
|
|
|
|
|
git
|
|
|
|
|
file
|
|
|
|
|
imagemagick
|
|
|
|
|
jq
|
|
|
|
|
|
|
|
|
|
nixops_unstable_minimal
|
|
|
|
|
borgbackup
|
|
|
|
|
bind
|
|
|
|
|
waypipe
|
|
|
|
@ -528,6 +611,7 @@ in
|
|
|
|
|
services.openssh.settings.X11Forwarding = true;
|
|
|
|
|
services.openssh.authorizedKeysInHomedir = false;
|
|
|
|
|
programs.mosh.enable = true;
|
|
|
|
|
programs.tmux.enable = true;
|
|
|
|
|
|
|
|
|
|
programs.fish.enable = true;
|
|
|
|
|
programs.zsh.enable = true;
|
|
|
|
@ -578,6 +662,7 @@ in
|
|
|
|
|
# https://github.com/NixOS/nixpkgs/issues/155357
|
|
|
|
|
security.sudo.enable = true;
|
|
|
|
|
|
|
|
|
|
# M-Labs HK
|
|
|
|
|
users.extraUsers.sb = {
|
|
|
|
|
isNormalUser = true;
|
|
|
|
|
extraGroups = ["lp" "scanner" "afws" "audio"];
|
|
|
|
@ -587,22 +672,6 @@ in
|
|
|
|
|
];
|
|
|
|
|
shell = pkgs.fish;
|
|
|
|
|
};
|
|
|
|
|
users.extraUsers.rj = {
|
|
|
|
|
isNormalUser = true;
|
|
|
|
|
extraGroups = ["afws"];
|
|
|
|
|
openssh.authorizedKeys.keys = [
|
|
|
|
|
"ssh-rsa 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 robert-jordens-rsa4096"
|
|
|
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
users.extraUsers.nkrackow = {
|
|
|
|
|
isNormalUser = true;
|
|
|
|
|
extraGroups = ["afws"];
|
|
|
|
|
openssh.authorizedKeys.keys = [
|
|
|
|
|
"ssh-rsa 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"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
users.extraUsers.spaqin = {
|
|
|
|
|
isNormalUser = true;
|
|
|
|
|
extraGroups = ["lp" "afws"];
|
|
|
|
@ -624,6 +693,8 @@ in
|
|
|
|
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# M-Labs PH
|
|
|
|
|
users.extraUsers.flo = {
|
|
|
|
|
isNormalUser = true;
|
|
|
|
|
extraGroups = ["afws"];
|
|
|
|
@ -631,6 +702,26 @@ in
|
|
|
|
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# QUARTIQ
|
|
|
|
|
users.extraUsers.rj = {
|
|
|
|
|
isNormalUser = true;
|
|
|
|
|
extraGroups = ["afws"];
|
|
|
|
|
openssh.authorizedKeys.keys = [
|
|
|
|
|
"ssh-rsa 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 robert-jordens-rsa4096"
|
|
|
|
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
users.extraUsers.eduardotenholder = {
|
|
|
|
|
isNormalUser = true;
|
|
|
|
|
extraGroups = ["afws"];
|
|
|
|
|
openssh.authorizedKeys.keys = [
|
|
|
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu6yhjCoZ62eamYrAXtFefDhplTRUIdD4tncwlkyAEH"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# HKUST
|
|
|
|
|
users.extraUsers.derppening = {
|
|
|
|
|
isNormalUser = true;
|
|
|
|
|
openssh.authorizedKeys.keys = [
|
|
|
|
@ -834,7 +925,7 @@ in
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services.postgresql = {
|
|
|
|
|
package = pkgs.postgresql_12;
|
|
|
|
|
package = pkgs.postgresql_15;
|
|
|
|
|
settings.listen_addresses = pkgs.lib.mkForce "";
|
|
|
|
|
identMap =
|
|
|
|
|
''
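Review bot: `package = pkgs.postgresql_15;` is a major-version change from 12, and the NixOS module's default dataDir is derived from the package's schema version, so after switching the service would initialise an empty 15 cluster unless the data was migrated beforehand with pg_upgrade or dump/restore; nothing in the hunk records that step, so a comment such as `# data migrated 12 -> 15 via pg_upgrade on <DATE>` (or a pointer to the migration procedure) is needed. The bump itself is welcome given that 12 is out of support; `settings.listen_addresses = pkgs.lib.mkForce ""` keeping the server off TCP is unchanged and good.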
|
|
|
|
@ -1052,15 +1143,6 @@ in
|
|
|
|
|
"forum.m-labs.hk" = {
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
enableACME = true;
|
|
|
|
|
root = "/var/www/flarum/public";
|
|
|
|
|
locations."~ \.php$".extraConfig = ''
|
|
|
|
|
fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
|
|
|
|
|
fastcgi_index index.php;
|
|
|
|
|
'';
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
index index.php;
|
|
|
|
|
include /var/www/flarum/.nginx.conf;
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
"perso.m-labs.hk" = {
|
|
|
|
|
addSSL = true;
|
|
|
|
@ -1132,23 +1214,17 @@ in
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services.mysql = {
|
|
|
|
|
enable = true;
|
|
|
|
|
package = pkgs.mariadb;
|
|
|
|
|
package = pkgs.lib.mkForce pkgs.mariadb;
|
|
|
|
|
ensureDatabases = pkgs.lib.mkForce [];
|
|
|
|
|
ensureUsers = pkgs.lib.mkForce [];
|
|
|
|
|
};
|
|
|
|
|
services.phpfpm.pools.flarum = {
|
|
|
|
|
user = "nobody";
|
|
|
|
|
settings = {
|
|
|
|
|
"listen.owner" = "nginx";
|
|
|
|
|
"listen.group" = "nginx";
|
|
|
|
|
"listen.mode" = "0600";
|
|
|
|
|
"pm" = "dynamic";
|
|
|
|
|
"pm.max_children" = 5;
|
|
|
|
|
"pm.start_servers" = 2;
|
|
|
|
|
"pm.min_spare_servers" = 1;
|
|
|
|
|
"pm.max_spare_servers" = 3;
|
|
|
|
|
"pm.max_requests" = 500;
|
|
|
|
|
};
|
|
|
|
|
services.flarum = {
|
|
|
|
|
enable = true;
|
|
|
|
|
package = pkgs.callPackage ./flarum {};
|
|
|
|
|
domain = "forum.m-labs.hk";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services.rt = {
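Review bot: `ensureDatabases = pkgs.lib.mkForce [];` and `ensureUsers = pkgs.lib.mkForce [];` discard whatever the flarum module (`services.flarum` below) declares for database provisioning, and `package = pkgs.lib.mkForce pkgs.mariadb;` overrides its package choice, all without saying why; a comment above the `services.mysql` block stating the actual reason (e.g. that the pre-existing database and user are managed manually) is needed, because a reader cannot tell whether this is resolving a conflicting definition or is a leftover from the removed phpfpm pool. The removed pool ran PHP as `nobody`; it is worth confirming that the module-managed pool runs under a dedicated user, since the module's settings are not visible here. `package = pkgs.callPackage ./flarum {}` would also benefit from a note on where the local package's version and source hash are pinned.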
|
|
|
|
@ -1185,8 +1261,24 @@ in
|
|
|
|
|
enablePop3 = true;
|
|
|
|
|
enablePop3Ssl = true;
|
|
|
|
|
certificateScheme = "acme-nginx";
|
|
|
|
|
policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
|
|
|
|
|
} // (import /etc/nixos/secret/email_settings.nix);
|
|
|
|
|
services.postfix = {
|
|
|
|
|
mapFiles."sender_transport" = builtins.toFile "sender_transport" ''
|
|
|
|
|
@m-labs-intl.com intltunnel:
|
|
|
|
|
'';
|
|
|
|
|
config = {
|
|
|
|
|
sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
|
|
|
|
|
};
|
|
|
|
|
masterConfig."intltunnel" = {
|
|
|
|
|
type = "unix";
|
|
|
|
|
command = "smtp";
|
|
|
|
|
args = [
|
|
|
|
|
"-o" "inet_interfaces=10.47.3.1"
|
|
|
|
|
"-o" "smtp_helo_name=mail.m-labs-intl.com"
|
|
|
|
|
"-o" "inet_protocols=ipv4"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
services.roundcube = {
|
|
|
|
|
enable = true;
|
|
|
|
|
hostName = "mail.m-labs.hk";
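Review bot: `policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1"` sets policyd-spf's skip_addresses outright rather than extending it; the upstream default covers the loopback ranges (`127.0.0.0/8,::ffff:127.0.0.0/104,::1`), so unless the mailserver module merges them, mail submitted via loopback will now be SPF-checked and may be rejected — include them explicitly, e.g. `skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,5.78.86.156,2a01:4ff:1f0:83de::1`. The intltunnel transport picks its source address via `-o inet_interfaces=10.47.3.1`; `smtp_bind_address` is the option intended for that on a client transport and states the intent more directly. A comment above `mapFiles."sender_transport"` saying that mail from @m-labs-intl.com senders deliberately leaves via the GRE tunnel so that its sending reputation is tied to the remote endpoint would document the design for the next reader.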
|
|
|
|
@ -1199,7 +1291,8 @@ in
|
|
|
|
|
|
|
|
|
|
services.nextcloud = {
|
|
|
|
|
enable = true;
|
|
|
|
|
package = pkgs.nextcloud29;
|
|
|
|
|
package = pkgs.nextcloud30;
|
|
|
|
|
extraApps = { inherit (config.services.nextcloud.package.packages.apps) forms; };
|
|
|
|
|
hostName = "files.m-labs.hk";
|
|
|
|
|
https = true;
|
|
|
|
|
maxUploadSize = "2G";
|
|
|
|
|