Compare commits
8 Commits
master
...
134-intl-c
Author | SHA1 | Date |
---|---|---|
Egor Savkin | 7ecabeaadc | |
Egor Savkin | ad02ee3bda | |
Egor Savkin | 138b1ea45e | |
Egor Savkin | 4b36c5a610 | |
Egor Savkin | c67bc6e033 | |
Egor Savkin | be6cee2bb8 | |
Egor Savkin | 49e8dda365 | |
Egor Savkin | 3587f3b65d |
|
@ -0,0 +1,81 @@
|
|||
upstream rfq_server {
|
||||
server 127.0.0.1:5000;
|
||||
}
|
||||
|
||||
server {
|
||||
limit_conn addr 5;
|
||||
|
||||
root /var/www/m-labs-intl.com/html;
|
||||
index index.html index.htm index.nginx-debian.html;
|
||||
|
||||
server_name m-labs-intl.com;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
listen [::]:443 ssl ipv6only=on; # managed by Certbot
|
||||
listen 443 ssl; # managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
}
|
||||
|
||||
server {
|
||||
server_name www.m-labs-intl.com;
|
||||
return 301 https://m-labs-intl.com$request_uri;
|
||||
|
||||
listen [::]:443 ssl; # managed by Certbot
|
||||
listen 443 ssl; # managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
}
|
||||
|
||||
server {
|
||||
server_name hooks.m-labs-intl.com;
|
||||
limit_conn addr 5;
|
||||
|
||||
location /rfq {
|
||||
proxy_pass http://rfq_server/rfq;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_read_timeout 30;
|
||||
proxy_connect_timeout 30;
|
||||
proxy_send_timeout 30;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 418;
|
||||
}
|
||||
|
||||
listen [::]:443 ssl; # managed by Certbot
|
||||
listen 443 ssl; # managed by Certbot
|
||||
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||
}
|
||||
|
||||
server {
|
||||
limit_conn addr 5;
|
||||
if ($host = m-labs-intl.com) {
|
||||
return 301 https://$host$request_uri;
|
||||
} # managed by Certbot
|
||||
|
||||
|
||||
if ($host = www.m-labs-intl.com) {
|
||||
return 301 https://m-labs-intl.com$request_uri;
|
||||
} # managed by Certbot
|
||||
|
||||
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name m-labs-intl.com www.m-labs-intl.com hooks.m-labs-intl.com;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
|
@ -0,0 +1,63 @@
|
|||
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
||||
|
||||
|
||||
# Debian specific: Specifying a file name will cause the first
|
||||
# line of that file to be used as the name. The Debian default
|
||||
# is /etc/mailname.
|
||||
#myorigin = /etc/mailname
|
||||
|
||||
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
|
||||
biff = no
|
||||
|
||||
# appending .domain is the MUA's job.
|
||||
append_dot_mydomain = no
|
||||
|
||||
# Uncomment the next line to generate "delayed mail" warnings
|
||||
#delay_warning_time = 4h
|
||||
|
||||
readme_directory = no
|
||||
|
||||
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
|
||||
# fresh installs.
|
||||
compatibility_level = 3.6
|
||||
|
||||
|
||||
|
||||
# TLS parameters
|
||||
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||
smtpd_tls_security_level=may
|
||||
|
||||
smtp_tls_CApath=/etc/ssl/certs
|
||||
smtp_tls_security_level=may
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
|
||||
|
||||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||
myhostname = mail.m-labs-intl.com
|
||||
mydomain = m-labs-intl.com
|
||||
alias_maps = hash:/etc/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
myorigin = $mydomain
|
||||
#mydestination = $myhostname, m-labs-intl.com, localhost.localdomain, localhost
|
||||
mydestination =
|
||||
relayhost = mail.m-labs.hk
|
||||
#relay_domains = $mydomain
|
||||
local_transport = error:local delivery disabled
|
||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
||||
mailbox_size_limit = 0
|
||||
recipient_delimiter = +
|
||||
inet_interfaces = all
|
||||
inet_protocols = all
|
||||
|
||||
|
||||
|
||||
virtual_alias_maps = hash:/etc/postfix/virtual
|
||||
virtual_alias_domains = $mydomain m-labs.hk
|
||||
|
||||
|
||||
# DKIM
|
||||
milter_default_action = accept
|
||||
milter_protocol = 2
|
||||
smtpd_milters = inet:localhost:8891
|
||||
non_smtpd_milters = inet:localhost:8891
|
|
@ -0,0 +1,90 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
pid /run/nginx.pid;
|
||||
error_log /var/log/nginx/error.log;
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
# multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
types_hash_max_size 2048;
|
||||
# server_tokens off;
|
||||
|
||||
server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
# Rate limiting
|
||||
limit_conn_zone $binary_remote_addr zone=addr:10m;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
access_log /var/log/nginx/access.log;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
|
||||
# gzip_vary on;
|
||||
# gzip_proxied any;
|
||||
# gzip_comp_level 6;
|
||||
# gzip_buffers 16 8k;
|
||||
# gzip_http_version 1.1;
|
||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
||||
stream {
|
||||
# Upstream mail servers
|
||||
upstream smtp_backend {
|
||||
server mail.m-labs.hk:25;
|
||||
}
|
||||
|
||||
upstream submission_backend {
|
||||
server mail.m-labs.hk:587;
|
||||
}
|
||||
|
||||
# SMTP
|
||||
server {
|
||||
listen 25;
|
||||
proxy_protocol on;
|
||||
proxy_pass smtp_backend;
|
||||
}
|
||||
|
||||
# Submission (Authenticated SMTP)
|
||||
server {
|
||||
listen 587;
|
||||
proxy_protocol on;
|
||||
proxy_pass submission_backend;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
# NOTE: This is a legacy configuration file. It is not used by the opendkim
|
||||
# systemd service. Please use the corresponding configuration parameters in
|
||||
# /etc/opendkim.conf instead.
|
||||
#
|
||||
# Previously, one would edit the default settings here, and then execute
|
||||
# /lib/opendkim/opendkim.service.generate to generate systemd override files at
|
||||
# /etc/systemd/system/opendkim.service.d/override.conf and
|
||||
# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
|
||||
# recommended to adjust the settings directly in /etc/opendkim.conf.
|
||||
#
|
||||
#DAEMON_OPTS=""
|
||||
# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
|
||||
# postfix in a chroot:
|
||||
#RUNDIR=/var/spool/postfix/run/opendkim
|
||||
RUNDIR=/run/opendkim
|
||||
#
|
||||
# Uncomment to specify an alternate socket
|
||||
# Note that setting this will override any Socket value in opendkim.conf
|
||||
# default:
|
||||
SOCKET=local:$RUNDIR/opendkim.sock
|
||||
# listen on all interfaces on port 54321:
|
||||
#SOCKET=inet:54321
|
||||
# listen on loopback on port 12345:
|
||||
#SOCKET=inet:12345@localhost
|
||||
# listen on 192.0.2.1 on port 12345:
|
||||
#SOCKET=inet:12345@192.0.2.1
|
||||
USER=opendkim
|
||||
GROUP=opendkim
|
||||
PIDFILE=$RUNDIR/$NAME.pid
|
||||
EXTRAAFTER=
|
||||
|
||||
SOCKET="inet:8891@localhost"
|
|
@ -0,0 +1,57 @@
|
|||
# This is a basic configuration for signing and verifying. It can easily be
|
||||
# adapted to suit a basic installation. See opendkim.conf(5) and
|
||||
# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
|
||||
# documentation of available configuration parameters.
|
||||
|
||||
Syslog yes
|
||||
SyslogSuccess yes
|
||||
#LogWhy no
|
||||
|
||||
# Common signing and verification parameters. In Debian, the "From" header is
|
||||
# oversigned, because it is often the identity key used by reputation systems
|
||||
# and thus somewhat security sensitive.
|
||||
Canonicalization relaxed/simple
|
||||
#Mode sv
|
||||
#SubDomains no
|
||||
OversignHeaders From
|
||||
|
||||
# Signing domain, selector, and key (required). For example, perform signing
|
||||
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
|
||||
# using the private key stored in /etc/dkimkeys/example.private. More granular
|
||||
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
|
||||
#Domain example.com
|
||||
#Selector 2020
|
||||
#KeyFile /etc/dkimkeys/example.private
|
||||
|
||||
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
|
||||
# using a local socket with MTAs that access the socket as a non-privileged
|
||||
# user (for example, Postfix). You may need to add user "postfix" to group
|
||||
# "opendkim" in that case.
|
||||
UserID opendkim
|
||||
UMask 007
|
||||
|
||||
# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
|
||||
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
|
||||
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
|
||||
# configured as shown on the last line below.
|
||||
Socket local:/run/opendkim/opendkim.sock
|
||||
#Socket inet:8891@localhost
|
||||
#Socket inet:8891
|
||||
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
|
||||
|
||||
PidFile /run/opendkim/opendkim.pid
|
||||
|
||||
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
|
||||
# OPERATION section of opendkim(8) for more information.
|
||||
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
|
||||
|
||||
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
|
||||
# by the package dns-root-data.
|
||||
TrustAnchorFile /usr/share/dns/root.key
|
||||
#Nameservers 127.0.0.1
|
||||
|
||||
|
||||
Domain m-labs-intl.com
|
||||
KeyFile /etc/postfix/dkim.key
|
||||
Selector mail
|
||||
SOCKET inet:8891@localhost
|
|
@ -0,0 +1,12 @@
|
|||
[Unit]
|
||||
Description=RFQ service
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=rfqserver
|
||||
ExecStart=/home/rfqserver/runrfq.sh
|
||||
Restart=on-failure
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,14 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
export FLASK_DEBUG=0
|
||||
export FLASK_MAIL_SERVER=mail.m-labs.hk
|
||||
export FLASK_MAIL_PORT=465
|
||||
export FLASK_MAIL_USE_SSL=True
|
||||
export FLASK_MAIL_USERNAME=sysop-intl@m-labs-intl.com
|
||||
export FLASK_MAIL_PASSWORD_FILE=/home/rfqserver/mail.secret
|
||||
export FLASK_MAIL_RECIPIENT=sales@m-labs.hk
|
||||
export FLASK_MAIL_SENDER=sysop-intl@m-labs-intl.com
|
||||
|
||||
cd /home/rfqserver/web2019/server
|
||||
source venv/bin/activate
|
||||
python3 -m flask --app rfq run --port=5000
|
|
@ -0,0 +1,68 @@
|
|||
# Setup m-labs-intl.com server
|
||||
|
||||
```shell
|
||||
apt install git nginx-full python3 python3.12-venv python3-pip
|
||||
snap install --classic certbot
|
||||
ln -s /snap/bin/certbot /usr/bin/certbot
|
||||
useradd -m rfqserver
|
||||
useradd -m zolaupd
|
||||
|
||||
cp m-labs-intl.com /etc/nginx/sites-available/
|
||||
cp nginx.conf /etc/nginx/
|
||||
ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
|
||||
|
||||
mkdir -p /var/www/m-labs-intl.com/html
|
||||
chown -R zolaupd /var/www/m-labs-intl.com/
|
||||
|
||||
cp runrfq.sh /home/rfqserver/
|
||||
cp mail.secret /home/rfqserver/
|
||||
chown rfqserver /home/rfqserver/runrfq.sh
|
||||
chmod +x /home/rfqserver/runrfq.sh
|
||||
chown rfqserver /home/rfqserver/mail.secret
|
||||
|
||||
|
||||
sudo -u zolaupd sh -c '
|
||||
cd /home/zolaupd;
|
||||
mkdir /home/zolaupd/.ssh;
|
||||
echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
|
||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
|
||||
chmod 700 .ssh/
|
||||
chmod 600 .ssh/authorized_keys
|
||||
'
|
||||
|
||||
sudo -u rfqserver sh -c '
|
||||
cd /home/rfqserver;
|
||||
git clone https://git.m-labs.hk/M-Labs/web2019.git;
|
||||
cd web2019;
|
||||
python3 -m venv ./venv;
|
||||
source venv/bin/activate;
|
||||
pip install -r requirements.txt;
|
||||
'
|
||||
|
||||
cp rfq.service /etc/systemd/system/
|
||||
|
||||
systemctl daemon-reload
|
||||
systemctl enable rfq.service
|
||||
systemctl start rfq.service
|
||||
systemctl enable danted.service
|
||||
|
||||
service nginx restart
|
||||
|
||||
certbot --nginx
|
||||
|
||||
service nginx restart
|
||||
|
||||
ufw default deny
|
||||
ufw allow from 94.190.212.123
|
||||
ufw allow from 2001:470:f891:1:5999:5529:5d:f71d
|
||||
ufw allow from 202.77.7.238
|
||||
ufw allow from 2001:470:18:390::2
|
||||
ufw allow "Nginx HTTP"
|
||||
ufw allow "Nginx HTTPS"
|
||||
ufw limit OpenSSH
|
||||
ufw default allow outgoing
|
||||
ufw limit 25/tcp
|
||||
ufw limit 587/tcp
|
||||
ufw show added
|
||||
ufw enable
|
||||
```
|
|
@ -6,9 +6,6 @@ let
|
|||
netifLan = "enp5s0f1";
|
||||
netifWifi = "wlp6s0";
|
||||
netifSit = "henet0";
|
||||
netifUSA = "trump0";
|
||||
netifAlt = "alt0";
|
||||
netifAltVlan = "vlan0";
|
||||
hydraWwwOutputs = "/var/www/hydra-outputs";
|
||||
in
|
||||
{
|
||||
|
@ -20,8 +17,8 @@ in
|
|||
./afws-module.nix
|
||||
./rt.nix
|
||||
(builtins.fetchTarball {
|
||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/29916981e7b3b5782dc5085ad18490113f8ff63b/nixos-mailserver-nixos.tar.gz";
|
||||
sha256 = "sha256:0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
|
||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/41059fc548088e49e3ddb3a2b4faeb5de018e60f/nixos-mailserver-nixos.tar.gz";
|
||||
sha256 = "sha256:0xvch92yi4mc1acj08461wrgrva63770aiis02vpvaa7a1xqaibv";
|
||||
})
|
||||
];
|
||||
|
||||
|
@ -93,15 +90,6 @@ in
|
|||
allowedTCPPorts = [ 53 80 443 2222 7402 ];
|
||||
allowedUDPPorts = [ 53 67 500 4500 ];
|
||||
trustedInterfaces = [ netifLan ];
|
||||
logRefusedConnections = false;
|
||||
extraCommands = ''
|
||||
iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
|
||||
iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
|
||||
'';
|
||||
extraStopCommands = ''
|
||||
iptables -D INPUT -s 5.78.86.156 -p gre -j ACCEPT
|
||||
iptables -D INPUT -s 5.78.86.156 -p ah -j ACCEPT
|
||||
'';
|
||||
};
|
||||
useDHCP = false;
|
||||
interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
|
||||
|
@ -188,21 +176,11 @@ in
|
|||
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
|
||||
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
|
||||
iptables -w -A FORWARD -j block-insecure-devices
|
||||
|
||||
iptables -w -N pccw-sucks
|
||||
iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
|
||||
iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
||||
iptables -A pccw-sucks -o ${netifUSA} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
||||
iptables -w -A FORWARD -j pccw-sucks
|
||||
'';
|
||||
extraStopCommands = ''
|
||||
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
|
||||
iptables -w -F block-insecure-devices 2>/dev/null|| true
|
||||
iptables -w -X block-insecure-devices 2>/dev/null|| true
|
||||
|
||||
iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
|
||||
iptables -w -F pccw-sucks 2>/dev/null|| true
|
||||
iptables -w -X pccw-sucks 2>/dev/null|| true
|
||||
'';
|
||||
};
|
||||
sits."${netifSit}" = {
|
||||
|
@ -215,37 +193,14 @@ in
|
|||
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
|
||||
routes = [{ address = "::"; prefixLength = 0; }];
|
||||
};
|
||||
greTunnels."${netifUSA}" = {
|
||||
dev = netifWan;
|
||||
remote = "5.78.86.156";
|
||||
local = "94.190.212.123";
|
||||
ttl = 255;
|
||||
type = "tun";
|
||||
};
|
||||
greTunnels."${netifAlt}" = {
|
||||
greTunnels.alt0 = {
|
||||
dev = netifWan;
|
||||
remote = "103.206.98.1";
|
||||
local = "94.190.212.123";
|
||||
ttl = 255;
|
||||
type = "tun";
|
||||
};
|
||||
interfaces."${netifUSA}" = {
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "10.47.3.1";
|
||||
prefixLength = 31;
|
||||
}
|
||||
];
|
||||
ipv4.routes = [
|
||||
{
|
||||
address = "0.0.0.0";
|
||||
prefixLength = 0;
|
||||
via = "10.47.3.0";
|
||||
options.table = "3";
|
||||
}
|
||||
];
|
||||
};
|
||||
interfaces."${netifAlt}" = {
|
||||
interfaces.alt0 = {
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "103.206.98.227";
|
||||
|
@ -262,12 +217,12 @@ in
|
|||
];
|
||||
};
|
||||
vlans = {
|
||||
"${netifAltVlan}" = {
|
||||
vlan0 = {
|
||||
id = 2;
|
||||
interface = netifLan;
|
||||
};
|
||||
};
|
||||
interfaces."${netifAltVlan}" = {
|
||||
interfaces.vlan0 = {
|
||||
ipv4.addresses = [{
|
||||
address = "103.206.98.200";
|
||||
prefixLength = 29;
|
||||
|
@ -300,7 +255,7 @@ in
|
|||
id = "fqdn:igw0.hkg.as150788.net";
|
||||
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
|
||||
};
|
||||
children."${netifAlt}" = {
|
||||
children.alt0 = {
|
||||
mode = "transport";
|
||||
ah_proposals = [ "sha256-curve25519" ];
|
||||
remote_ts = [ "103.206.98.1[gre]" ];
|
||||
|
@ -308,27 +263,6 @@ in
|
|||
start_action = "start";
|
||||
};
|
||||
};
|
||||
services.strongswan-swanctl.swanctl.connections.usa = {
|
||||
local_addrs = [ "94.190.212.123" ];
|
||||
remote_addrs = [ "5.78.86.156" ];
|
||||
local.main = {
|
||||
auth = "pubkey";
|
||||
id = "fqdn:m-labs.hk";
|
||||
pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
|
||||
};
|
||||
remote.main = {
|
||||
auth = "pubkey";
|
||||
id = "fqdn:m-labs-intl.com";
|
||||
pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
|
||||
};
|
||||
children."${netifUSA}" = {
|
||||
mode = "transport";
|
||||
ah_proposals = [ "sha256-curve25519" ];
|
||||
remote_ts = [ "5.78.86.156[gre]" ];
|
||||
local_ts = [ "94.190.212.123[gre]" ];
|
||||
start_action = "start";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.network-custom-route-backup = {
|
||||
wantedBy = [ "network.target" ];
|
||||
|
@ -339,15 +273,6 @@ in
|
|||
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
|
||||
};
|
||||
};
|
||||
systemd.services.network-custom-route-usa = {
|
||||
wantedBy = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
|
||||
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
|
||||
};
|
||||
};
|
||||
systemd.services.network-custom-route-alt = {
|
||||
wantedBy = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
|
@ -540,6 +465,11 @@ in
|
|||
"/kasli/192.168.1.70"
|
||||
"/kasli-customer/192.168.1.75"
|
||||
"/stabilizer-customer/192.168.1.76"
|
||||
|
||||
# Google can't do DNS geolocation correctly and slows down websites of everyone using
|
||||
# their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
|
||||
# cannot reach.
|
||||
"/fonts.googleapis.com/142.250.207.74"
|
||||
];
|
||||
|
||||
dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
|
||||
|
@ -565,23 +495,10 @@ in
|
|||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment.systemPackages = with pkgs; [
|
||||
lm_sensors
|
||||
acpi
|
||||
usbutils
|
||||
pciutils
|
||||
wget vim git file lm_sensors acpi pciutils psmisc nixops_unstable_minimal
|
||||
irssi tmux usbutils imagemagick jq zip unzip
|
||||
iw
|
||||
nvme-cli
|
||||
smartmontools
|
||||
psmisc
|
||||
|
||||
wget
|
||||
vim
|
||||
git
|
||||
file
|
||||
imagemagick
|
||||
jq
|
||||
|
||||
nixops_unstable_minimal
|
||||
borgbackup
|
||||
bind
|
||||
waypipe
|
||||
|
@ -611,7 +528,6 @@ in
|
|||
services.openssh.settings.X11Forwarding = true;
|
||||
services.openssh.authorizedKeysInHomedir = false;
|
||||
programs.mosh.enable = true;
|
||||
programs.tmux.enable = true;
|
||||
|
||||
programs.fish.enable = true;
|
||||
programs.zsh.enable = true;
|
||||
|
@ -662,7 +578,6 @@ in
|
|||
# https://github.com/NixOS/nixpkgs/issues/155357
|
||||
security.sudo.enable = true;
|
||||
|
||||
# M-Labs HK
|
||||
users.extraUsers.sb = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["lp" "scanner" "afws" "audio"];
|
||||
|
@ -672,6 +587,22 @@ in
|
|||
];
|
||||
shell = pkgs.fish;
|
||||
};
|
||||
users.extraUsers.rj = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["afws"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
|
||||
];
|
||||
};
|
||||
users.extraUsers.nkrackow = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["afws"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
|
||||
];
|
||||
};
|
||||
users.extraUsers.spaqin = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["lp" "afws"];
|
||||
|
@ -693,8 +624,6 @@ in
|
|||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
|
||||
];
|
||||
};
|
||||
|
||||
# M-Labs PH
|
||||
users.extraUsers.flo = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["afws"];
|
||||
|
@ -702,26 +631,6 @@ in
|
|||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
|
||||
];
|
||||
};
|
||||
|
||||
# QUARTIQ
|
||||
users.extraUsers.rj = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["afws"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
|
||||
];
|
||||
};
|
||||
users.extraUsers.eduardotenholder = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["afws"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu6yhjCoZ62eamYrAXtFefDhplTRUIdD4tncwlkyAEH"
|
||||
];
|
||||
};
|
||||
|
||||
# HKUST
|
||||
users.extraUsers.derppening = {
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
|
@ -925,7 +834,7 @@ in
|
|||
};
|
||||
|
||||
services.postgresql = {
|
||||
package = pkgs.postgresql_15;
|
||||
package = pkgs.postgresql_12;
|
||||
settings.listen_addresses = pkgs.lib.mkForce "";
|
||||
identMap =
|
||||
''
|
||||
|
@ -1143,6 +1052,15 @@ in
|
|||
"forum.m-labs.hk" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
root = "/var/www/flarum/public";
|
||||
locations."~ \.php$".extraConfig = ''
|
||||
fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
|
||||
fastcgi_index index.php;
|
||||
'';
|
||||
extraConfig = ''
|
||||
index index.php;
|
||||
include /var/www/flarum/.nginx.conf;
|
||||
'';
|
||||
};
|
||||
"perso.m-labs.hk" = {
|
||||
addSSL = true;
|
||||
|
@ -1214,17 +1132,23 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.mysql = {
|
||||
enable = true;
|
||||
package = pkgs.lib.mkForce pkgs.mariadb;
|
||||
ensureDatabases = pkgs.lib.mkForce [];
|
||||
ensureUsers = pkgs.lib.mkForce [];
|
||||
package = pkgs.mariadb;
|
||||
};
|
||||
services.flarum = {
|
||||
enable = true;
|
||||
package = pkgs.callPackage ./flarum {};
|
||||
domain = "forum.m-labs.hk";
|
||||
services.phpfpm.pools.flarum = {
|
||||
user = "nobody";
|
||||
settings = {
|
||||
"listen.owner" = "nginx";
|
||||
"listen.group" = "nginx";
|
||||
"listen.mode" = "0600";
|
||||
"pm" = "dynamic";
|
||||
"pm.max_children" = 5;
|
||||
"pm.start_servers" = 2;
|
||||
"pm.min_spare_servers" = 1;
|
||||
"pm.max_spare_servers" = 3;
|
||||
"pm.max_requests" = 500;
|
||||
};
|
||||
};
|
||||
|
||||
services.rt = {
|
||||
|
@ -1252,6 +1176,32 @@ in
|
|||
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
|
||||
};
|
||||
};
|
||||
systemd.services.ssh-tunnel-intl = {
|
||||
description = "SSH Tunnel to Intl";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "sockets.service" ];
|
||||
serviceConfig = {
|
||||
Restart = "on-failure";
|
||||
User = "hydra-queue-runner"; # TODO needs new user both here and there
|
||||
Group = "hydra";
|
||||
ExecStart = "${pkgs.openssh}/bin/ssh -N -L 127.0.0.1:1587:5.78.86.156:1587 zolaupd@5.78.86.156";
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc."postfix/sender_relay".text = ''
|
||||
@m-labs-intl.com [localhost]:1587
|
||||
@m-labs.hk :
|
||||
@m-labs.ph :
|
||||
@193thz.com :
|
||||
@malloctech.fr :
|
||||
'';
|
||||
systemd.services.postfix-rebuild-sender-relay = {
|
||||
description = "Postfix Rebuild Sender Dependent Relayhost Maps";
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.postfix}/sbin/postmap /etc/postfix/sender_relay";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
|
@ -1263,20 +1213,10 @@ in
|
|||
certificateScheme = "acme-nginx";
|
||||
} // (import /etc/nixos/secret/email_settings.nix);
|
||||
services.postfix = {
|
||||
mapFiles."sender_transport" = builtins.toFile "sender_transport" ''
|
||||
@m-labs-intl.com intltunnel:
|
||||
'';
|
||||
config = {
|
||||
sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
|
||||
};
|
||||
masterConfig."intltunnel" = {
|
||||
type = "unix";
|
||||
command = "smtp";
|
||||
args = [
|
||||
"-o" "inet_interfaces=10.47.3.1"
|
||||
"-o" "smtp_helo_name=mail.m-labs-intl.com"
|
||||
"-o" "inet_protocols=ipv4"
|
||||
];
|
||||
sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
|
||||
postscreen_upstream_proxy_protocol = "haproxy";
|
||||
postscreen_upstream_proxy_timeout = "5s";
|
||||
};
|
||||
};
|
||||
services.roundcube = {
|
||||
|
@ -1291,8 +1231,7 @@ in
|
|||
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
package = pkgs.nextcloud30;
|
||||
extraApps = { inherit (config.services.nextcloud.package.packages.apps) forms; };
|
||||
package = pkgs.nextcloud29;
|
||||
hostName = "files.m-labs.hk";
|
||||
https = true;
|
||||
maxUploadSize = "2G";
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -1,39 +0,0 @@
|
|||
{
|
||||
lib,
|
||||
php,
|
||||
fetchFromGitHub,
|
||||
fetchpatch,
|
||||
}:
|
||||
|
||||
php.buildComposerProject (finalAttrs: {
|
||||
pname = "flarum";
|
||||
version = "1.8.1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "flarum";
|
||||
repo = "flarum";
|
||||
rev = "v${finalAttrs.version}";
|
||||
hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
|
||||
};
|
||||
|
||||
patches = [
|
||||
# Add useful extensions from https://github.com/FriendsOfFlarum
|
||||
# Extensions included: fof/upload, fof/polls, fof/subscribed
|
||||
./fof-extensions.patch
|
||||
];
|
||||
|
||||
composerLock = ./composer.lock;
|
||||
composerStrictValidation = false;
|
||||
vendorHash = "sha256-z3KVGmILw8MZ4aaSf6IP/0l16LI/Y2yMzY2KMHf4qSg=";
|
||||
|
||||
meta = with lib; {
|
||||
changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
|
||||
description = "Flarum is a delightfully simple discussion platform for your website";
|
||||
homepage = "https://github.com/flarum/flarum";
|
||||
license = lib.licenses.mit;
|
||||
maintainers = with maintainers; [
|
||||
fsagbuya
|
||||
jasonodoom
|
||||
];
|
||||
};
|
||||
})
|
|
@ -1,16 +0,0 @@
|
|||
diff --git a/composer.json b/composer.json
|
||||
index c63b5f8..5ad1186 100644
|
||||
--- a/composer.json
|
||||
+++ b/composer.json
|
||||
@@ -37,7 +37,10 @@
|
||||
"flarum/sticky": "*",
|
||||
"flarum/subscriptions": "*",
|
||||
"flarum/suspend": "*",
|
||||
- "flarum/tags": "*"
|
||||
+ "flarum/tags": "*",
|
||||
+ "fof/polls": "*",
|
||||
+ "fof/subscribed": "*",
|
||||
+ "fof/upload": "*"
|
||||
},
|
||||
"config": {
|
||||
"preferred-install": "dist",
|
|
@ -1,7 +1,7 @@
|
|||
$TTL 7200
|
||||
|
||||
@ SOA ns.m-labs-intl.com. sb.m-labs.hk. (
|
||||
2024101401
|
||||
2024081503
|
||||
7200
|
||||
3600
|
||||
86400
|
||||
|
@ -23,6 +23,7 @@ ns A 94.190.212.123
|
|||
ns AAAA 2001:470:18:390::2
|
||||
|
||||
mail A 5.78.86.156
|
||||
mail AAAA 2a01:4ff:1f0:83de::1
|
||||
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
|
||||
_dmarc TXT "v=DMARC1; p=none"
|
||||
|
||||
|
|
|
@ -111,6 +111,27 @@
|
|||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
|
||||
];
|
||||
};
|
||||
architeuthis = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMhLPEGWDUauFHjiVduBMJrIMKT8SvtTDHXDVudUZrhewQy08h4NEEyWmczP4WMeyugI/L/a+J+Vc8mImgqSoHw52823LVcnR9EKnJoqnwAHU/J+41vIWAN2LAryd4p9yg=="
|
||||
];
|
||||
};
|
||||
abdul = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
|
||||
];
|
||||
};
|
||||
lyken = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ88QJlh/+F/xwXQlPEmQVmtycb8FfabxCdeiP3gTHUCV8y4PLh3ubY+EsY+Xhy/GlOAPdX7KSpiII3dndYfwZWzorXVoPBhhPKEIumFBOinWfp5kRVzWOD61gCwsYoVBg=="
|
||||
];
|
||||
};
|
||||
|
||||
dpn = {
|
||||
isNormalUser = true;
|
||||
|
|
|
@ -1,49 +0,0 @@
|
|||
connections {
|
||||
bypass-ipsec {
|
||||
remote_addrs = 127.0.0.1
|
||||
children {
|
||||
bypass-isakmp-v4 {
|
||||
local_ts = 0.0.0.0/0[udp/isakmp]
|
||||
remote_ts = 0.0.0.0/0[udp/isakmp]
|
||||
mode = pass
|
||||
start_action = trap
|
||||
}
|
||||
bypass-isakmp-v6 {
|
||||
local_ts = ::/0[udp/isakmp]
|
||||
remote_ts = ::/0[udp/isakmp]
|
||||
mode = pass
|
||||
start_action = trap
|
||||
}
|
||||
}
|
||||
}
|
||||
m_labs {
|
||||
version = 2
|
||||
encap = no
|
||||
mobike = no
|
||||
send_certreq = no
|
||||
proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
|
||||
local_addrs = 103.206.98.1
|
||||
remote_addrs = 94.190.212.123
|
||||
local {
|
||||
auth = pubkey
|
||||
id = fqdn:igw0.hkg.as150788.net
|
||||
pubkeys = igw0.hkg.as150788.net
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = fqdn:m-labs.hk
|
||||
pubkeys = m-labs.hk
|
||||
}
|
||||
children {
|
||||
con1 {
|
||||
mode = transport
|
||||
ah_proposals = sha256-curve25519,sha256-ecp256
|
||||
esp_proposals =
|
||||
local_ts = 103.206.98.1[gre]
|
||||
remote_ts = 94.190.212.123[gre]
|
||||
start_action = none
|
||||
close_action = none
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue