M-Labs/it-infra
M-Labs
/
it-infra
8
0
Fork 5
Code Issues 10 Pull Requests 1 Releases Wiki Activity

Compare commits

base: M-Labs:5a3be3e3b4ccf15b5c33be4e2863480352a26291
Branches Tags
M-Labs:master
M-Labs:134-intl-configuration
M-Labs:enable-mail-proxy-and-tunnel
M-Labs:disable-spf-from-vps
...
compare: M-Labs:daf9a4d53903ff0d7f0d033c7ce4e2fe9a17ad3b
Branches Tags
M-Labs:134-intl-configuration
M-Labs:master
M-Labs:enable-mail-proxy-and-tunnel
M-Labs:disable-spf-from-vps

7 Commits
5a3be3e3b4 ... daf9a4d539

Author SHA1 Message Date
Egor Savkin daf9a4d539 Add SPF and update mail DKIM key so that postfix will be used instead of nginx for mail forwarding 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-08-14 10:59:00 +08:00
Egor Savkin 6b28001c4e Add hooks subdomain to intl and accept "m-labs-intl.com" addresses in mail 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-08-14 10:59:00 +08:00
Egor Savkin 18194be5c3 nixbld: deploy web2019 to the intl domain 
Co-authored-by: Egor Savkin <es@m-labs.hk>
Co-committed-by: Egor Savkin <es@m-labs.hk>
 2024-08-14 10:54:52 +08:00
Sébastien Bourdeauducq 7781d6236e nixbld/rt: disable TCP 2024-08-11 12:19:15 +08:00
Sébastien Bourdeauducq 93e19c74e9 nixbld/rt: use psql peer authentication 2024-08-11 12:12:28 +08:00
Sébastien Bourdeauducq 4ccab3cf2b nixbld: remove outdated DNS records 2024-08-05 19:13:34 +08:00
Sebastien Bourdeauducq 69fe8c9866 nixbld: add flo user 2024-08-01 07:32:11 +08:00
4 changed files with 33 additions and 29 deletions
Show Stats Expand all files Collapse all files

23
nixbld-etc-nixos/configuration.nix
View File

@ -620,6 +620,13 @@ in
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
];
};
users.extraUsers.flo = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
];
};
users.extraUsers.derppening = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
@ -651,6 +658,10 @@ in
job = web:web:web
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
</runcommand>
<runcommand>
job = web:web:web-intl
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@5.78.86.156:/var/www/m-labs-intl.com/html/
</runcommand>
<runcommand>
job = web:web:nmigen-docs
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
@ -809,12 +820,20 @@ in
siteUrl = "https://chat.m-labs.hk/";
mutableConfig = true;
};
services.postgresql.package = pkgs.postgresql_12;
services.matterbridge = {
enable = true;
configPath = "/etc/nixos/secret/matterbridge.toml";
};
services.postgresql = {
package = pkgs.postgresql_12;
settings.listen_addresses = pkgs.lib.mkForce "";
identMap =
''
rt rt rt_user
'';
};
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
nix = super.nix.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];

9
nixbld-etc-nixos/named/m-labs-intl.com
View File

@ -14,7 +14,16 @@ $TTL 7200
A 5.78.86.156
AAAA 2a01:4ff:1f0:83de::1
MX 10 mail.m-labs-intl.com.
TXT "v=spf1 mx -all"
mail A 5.78.86.156
mail AAAA 2a01:4ff:1f0:83de::1
mail._domainkey TXT "v=DKIM1; h=sha256; k=rsa; t=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2TBwMZv41/zbxAifWeT+JLrhJmJpZYjfV5YXb74nocDf+A8GiKmqu6C4fvh9hCozdLKeSzqxxwyEe/MmedX9ToIpGpXjHlW6qraCeknc4jSjvljVjj2HgOAHWeQSWy9MdUzxKmK9CTB0INXsm34WbyY+fSRDHAUQj60eCwlXAOxqhp9KsndI9kQW+CtkN7xjmyqzU1hLFCtZAleq+zTLCPbAFG7nigxfjM7qBBP8FodTkDv6Wz5hW4wqlIKJygBXoq5yYLQ/UyPhwLpTEAN6pxRVWmwXF4PROTmZ4Cd+RTLvm2CB5N6J9dVVjeVbAaYI/6cNPdB84tZZKYHGhE9nvwIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
ns A 94.190.212.123
ns AAAA 2001:470:18:390::2
www CNAME @
hooks CNAME @

12
nixbld-etc-nixos/named/m-labs.hk
View File

@ -1,7 +1,7 @@
$TTL 7200
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
2024060201
2024080501
7200
3600
86400
@ -43,17 +43,7 @@ files CNAME @
docs CNAME @
rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93
rpi-2 AAAA 2001:470:f891:1:ba27:ebff:fef0:e9e6
rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9
chiron AAAA 2001:470:f891:1:7f02:9ebf:bee9:3dc7
old-nixbld AAAA 2001:470:f891:1:a07b:f49a:a4ef:aad9
zeus AAAA 2001:470:f891:1:4fd7:e70a:68bf:e9c1
franz AAAA 2001:470:f891:1:1b65:a743:2335:f5c6
hera AAAA 2001:470:f891:1:8b5e:404d:ef4e:9d92
hestia AAAA 2001:470:f891:1:881c:f409:a090:8401
vulcan AAAA 2001:470:f891:1:105d:3f15:bd53:c5ac
aux A 42.200.147.171
router.alt A 103.206.98.200
stewardship1.alt A 103.206.98.201

18
nixbld-etc-nixos/rt.nix
View File

@ -19,14 +19,9 @@ let
Set($Timezone, '${cfg.timeZone}');
Set($DatabaseType, 'Pg');
Set($DatabaseHost, 'localhost');
Set($DatabaseUser, 'rt_user');
Set($DatabaseHost, '/run/postgresql');
Set($DatabaseUser, 'rt');
Set($DatabaseName, 'rt5');
# Read database password from file
open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
my $dbpw = do { local $/; <$fh> };
$dbpw =~ s/^\s+|\s+$//g;
Set($DatabasePassword, $dbpw);
# System (Logging)
Set($LogToSTDERR, undef); # Don't log twice
@ -154,13 +149,6 @@ in {
type = str;
};
dbPasswordFile = mkOption {
description = "File containing the database password";
type = str;
default = "/etc/nixos/secret/rtpasswd";
internal = true;
};
domain = mkOption {
description = "Which domain RT is running on";
type = str;
@ -245,8 +233,6 @@ in {
PrivateNetwork = false;
MemoryDenyWriteExecute = false;
ReadOnlyPaths = [ cfg.dbPasswordFile ];
};
environment = {