nixbld-etc-nixos/backup-module.nix

@@ -28,10 +28,9 @@ let
     ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
     ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
     ${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql
-    ${config.services.postgresql.package}/bin/pg_dump nextcloud > nextcloud.sql
 
     exec 6< /etc/nixos/secret/backup-passphrase
-    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /home/sb/backed /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql nextcloud.sql | \
+    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \
         ${pkgs.bzip2}/bin/bzip2 | \
         ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
   '';

nixbld-etc-nixos/configuration.nix

@@ -20,8 +20,8 @@ in
       ./afws-module.nix
       ./rt.nix
       (builtins.fetchTarball {
-        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/63209b1def2c9fc891ad271f474a3464a5833294/nixos-mailserver-nixos.tar.gz";
-        sha256 = "sha256:05k4nj2cqz1c5zgqa0c6b8sp3807ps385qca74fgs6cdc415y3qw";
+        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/af7d3bf5daeba3fc28089b015c0dd43f06b176f2/nixos-mailserver-nixos.tar.gz";
+        sha256 = "sha256:1j0r52ij5pw8b8wc5xz1bmm5idwkmsnwpla6smz8gypcjls860ma";
       })
     ];
 
@@ -53,7 +53,7 @@ in
 
   services.fail2ban.enable = true;
   services.fail2ban.ignoreIP = [ "94.190.212.123" "2001:470:18:390::2" ];
-  services.fail2ban.maxretry = 7;
+  services.fail2ban.maxretry = 9;
   services.fail2ban.bantime-increment.enable = true;
   services.fail2ban.jails.sshd = {
     settings = {
@@ -61,6 +61,18 @@ in
       action = "iptables-allports";
     };
   };
+  services.fail2ban.jails.nginx-botsearch = {
+    settings = {
+      filter = "nginx-botsearch";
+      action = "iptables-allports";
+    };
+  };
+  services.fail2ban.jails.nginx-limit-req = {
+    settings = {
+      filter = "nginx-limit-req";
+      action = "iptables-allports";
+    };
+  };
   services.fail2ban.jails.postfix = {
     settings = {
       filter = "postfix";
@@ -586,9 +598,6 @@ in
     psmisc
 
     wget
-    bind
-    whois
-
     vim
     git
     file
@@ -597,8 +606,8 @@ in
 
     nixops_unstable_minimal
     borgbackup
+    bind
     waypipe
-
     (callPackage ./afws { inherit pkgs; })
     (callPackage ./labelprinter { inherit pkgs; })
   ];
@@ -614,9 +623,8 @@ in
   services.apcupsd.configText = ''
     UPSTYPE usb
     NISIP 127.0.0.1
-    BATTERYLEVEL 1
-    MINUTES 1
-    SELFTEST OFF
+    BATTERYLEVEL 10
+    MINUTES 5
   '';
 
   # Enable the OpenSSH daemon.
@@ -915,7 +923,6 @@ in
       service = {
         ENABLE_NOTIFY_MAIL = true;
         DISABLE_REGISTRATION = true;
-        REQUIRE_SIGNIN_VIEW = "expensive";
       };
 
       attachment = {
@@ -929,6 +936,7 @@ in
   };
   systemd.tmpfiles.rules = [
     "L+ '${config.services.gitea.stateDir}/custom/templates/home.tmpl' - - - - ${./gitea-home.tmpl}"
+    "L+ '${config.services.gitea.stateDir}/custom/templates/user/auth/signin.tmpl' - - - - ${./gitea-signin.tmpl}"
   ];
 
   services.mattermost = {
@@ -962,7 +970,6 @@ in
       hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
       doCheck = false;  # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
     });
-    gitea = super.callPackage ./gitea/package.nix {};
     mattermost = super.mattermost.overrideAttrs(oldAttrs: {
       webapp = oldAttrs.webapp.overrideAttrs (webappAttrs: {
         patches = webappAttrs.patches or [ ] ++ [ ./mattermost-remove-free-banner.patch ];
@@ -1154,6 +1161,7 @@ in
         forceSSL = true;
         enableACME = true;
         locations."/".proxyPass = "http://127.0.0.1:3001";
+        locations."/".extraConfig = "if ($http_user_agent ~* (ClaudeBot|GPTBot|AwarioBot|meta-externalagent|Amazonbot|DataForSeoBot|bingbot|Bytespider|AhrefsBot|SemrushBot)) { return 403; }";
         extraConfig = ''
           client_max_body_size 300M;
         '';
@@ -1341,16 +1349,12 @@ in
 
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud31;
-    extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps) forms deck groupfolders tasks;
-    };
+    package = pkgs.nextcloud30;
+    extraApps = { inherit (config.services.nextcloud.package.packages.apps) forms; };
     hostName = "files.m-labs.hk";
     https = true;
     maxUploadSize = "2G";
     config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
-    config.dbtype = "pgsql";
-    config.dbhost = "/run/postgresql";
     settings.default_phone_region = "HK";
     settings.log_type = "file";
     phpOptions."opcache.interned_strings_buffer" = "12";

nixbld-etc-nixos/flarum/default.nix

@@ -23,7 +23,7 @@ php.buildComposerProject (finalAttrs: {
 
   composerLock = ./composer.lock;
   composerStrictValidation = false;
-  vendorHash = "sha256-S79nFpbLA1vJp8mKRVmQbdvO1LcUZThmgzQjVQDzmRM=";
+  vendorHash = "sha256-rWvIKiQVyfvUprYfm/+Jdq+DO5qymyWp+Xh0c0nY2Cw=";
 
   meta = with lib; {
     changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";

nixbld-etc-nixos/gitea-home.tmpl

@@ -17,9 +17,6 @@
 			<p class="large">
 				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-labs.hk stating the username you would like to have.
 			</p>
-			<p class="large">
-			  Due to excessive amounts of server resources being wasted by AI bots, <a href="https://github.com/go-gitea/gitea/pull/34024">many functionalities currently require sign-in</a>. You can always clone git repositories anonymously and access most of that functionality on your local machine. We apologize for the inconvenience and look forward to rolling out a less obtrusive solution when one becomes available.
-			</p>
 		</div>
 	</div>
 </div>

nixbld-etc-nixos/gitea-signin.tmpl

@@ -0,0 +1,11 @@
+{{template "base/head" .}}
+<div class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
+	{{template "user/auth/signin_navbar" .}}
+	<div class="ui middle very relaxed page grid">
+		<div class="ui container column fluid">
+			{{template "user/auth/signin_inner" .}}
+			To get an account (also available to external contributors), simply write to sb@m-labs.hk.
+		</div>
+	</div>
+</div>
+{{template "base/footer" .}}

nixbld-etc-nixos/gitea/allow-src.patch

@@ -1,13 +0,0 @@
-diff '--color=auto' -Naur gitea-1.23.7.orig/routers/common/blockexpensive.go gitea-1.23.7/routers/common/blockexpensive.go
---- gitea-1.23.7.orig/routers/common/blockexpensive.go	2025-04-20 21:42:28.210137661 +0100
-+++ gitea-1.23.7/routers/common/blockexpensive.go	2025-04-20 21:48:47.743843506 +0100
-@@ -45,9 +45,6 @@
- 		"/{username}/{reponame}/commit/",
- 		"/{username}/{reponame}/commits/",
- 		"/{username}/{reponame}/graph",
--		"/{username}/{reponame}/media/",
--		"/{username}/{reponame}/raw/",
--		"/{username}/{reponame}/src/",
- 
- 		// issue & PR related (no trailing slash)
- 		"/{username}/{reponame}/issues",

nixbld-etc-nixos/gitea/package.nix

@@ -1,120 +0,0 @@
-{
-  lib,
-  buildGoModule,
-  fetchFromGitHub,
-  makeWrapper,
-  git,
-  bash,
-  coreutils,
-  compressDrvWeb,
-  gitea,
-  gzip,
-  openssh,
-  sqliteSupport ? true,
-  nixosTests,
-  buildNpmPackage,
-}:
-
-let
-  frontend = buildNpmPackage {
-    pname = "gitea-frontend";
-    inherit (gitea) src version;
-
-    npmDepsHash = "sha256-5i3aB1QgH5NK5yDZySFlraVGU+Kh6J4Y2zvFqJX5kJs=";
-
-    # use webpack directly instead of 'make frontend' as the packages are already installed
-    buildPhase = ''
-      BROWSERSLIST_IGNORE_OLD_DATA=true npx webpack
-    '';
-
-    installPhase = ''
-      mkdir -p $out
-      cp -R public $out/
-    '';
-  };
-in
-buildGoModule rec {
-  pname = "gitea";
-  version = "1.23.7";
-
-  src = fetchFromGitHub {
-    owner = "go-gitea";
-    repo = "gitea";
-    tag = "v${gitea.version}";
-    hash = "sha256-pdmRujcLnQBIQXc26MPpoLbbV00KMaVHPY4xTsitaCA=";
-  };
-
-  proxyVendor = true;
-
-  vendorHash = "sha256-h9RnHv4weGfHwpmuEhQbsYDd5fKc439m0gF/BgDVIdA=";
-
-  outputs = [
-    "out"
-    "data"
-  ];
-
-  patches = [ ./static-root-path.patch ./allow-src.patch ];
-
-  # go-modules derivation doesn't provide $data
-  # so we need to wait until it is built, and then
-  # at that time we can then apply the substituteInPlace
-  overrideModAttrs = _: { postPatch = null; };
-
-  postPatch = ''
-    substituteInPlace modules/setting/server.go --subst-var data
-  '';
-
-  subPackages = [ "." ];
-
-  nativeBuildInputs = [ makeWrapper ];
-
-  tags = lib.optionals sqliteSupport [
-    "sqlite"
-    "sqlite_unlock_notify"
-  ];
-
-  ldflags = [
-    "-s"
-    "-w"
-    "-X main.Version=${version}"
-    "-X 'main.Tags=${lib.concatStringsSep " " tags}'"
-  ];
-
-  postInstall = ''
-    mkdir $data
-    ln -s ${frontend}/public $data/public
-    cp -R ./{templates,options} $data
-    mkdir -p $out
-    cp -R ./options/locale $out/locale
-
-    wrapProgram $out/bin/gitea \
-      --prefix PATH : ${
-        lib.makeBinPath [
-          bash
-          coreutils
-          git
-          gzip
-          openssh
-        ]
-      }
-  '';
-
-  passthru = {
-    data-compressed =
-      lib.warn "gitea.passthru.data-compressed is deprecated. Use \"compressDrvWeb gitea.data\"."
-        (compressDrvWeb gitea.data { });
-
-    tests = nixosTests.gitea;
-  };
-
-  meta = with lib; {
-    description = "Git with a cup of tea";
-    homepage = "https://about.gitea.com";
-    license = licenses.mit;
-    maintainers = with maintainers; [
-      techknowlogick
-      SuperSandro2000
-    ];
-    mainProgram = "gitea";
-  };
-}

nixbld-etc-nixos/gitea/static-root-path.patch

@@ -1,13 +0,0 @@
-diff --git a/modules/setting/server.go b/modules/setting/server.go
-index 183906268..fa02e8915 100644
---- a/modules/setting/server.go
-+++ b/modules/setting/server.go
-@@ -319,7 +319,7 @@ func loadServerFrom(rootCfg ConfigProvider) {
- 	OfflineMode = sec.Key("OFFLINE_MODE").MustBool()
- 	Log.DisableRouterLog = sec.Key("DISABLE_ROUTER_LOG").MustBool()
- 	if len(StaticRootPath) == 0 {
--		StaticRootPath = AppWorkPath
-+		StaticRootPath = "@data@"
- 	}
- 	StaticRootPath = sec.Key("STATIC_ROOT_PATH").MustString(StaticRootPath)
- 	StaticCacheTime = sec.Key("STATIC_CACHE_TIME").MustDuration(6 * time.Hour)

nixops/avscan-module.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  avscan = pkgs.writeScript "avscan" ''
+    #!${pkgs.bash}/bin/bash
+
+    for user in $(cut -d":" -f1 /etc/passwd); do
+      if [ -d "/home/$user" ]; then
+          nice -15 ${pkgs.sudo}/bin/sudo -u $user ${pkgs.clamav}/bin/clamscan --recursive --quiet --infected /home/$user
+      fi
+    done
+  '';
+  cfg = config.services.avscan;
+in
+{
+  options.services.avscan = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable antivirus scan";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.clamav.updater.enable = true;
+    services.clamav.updater.interval = "daily";
+    services.clamav.updater.frequency = 1;
+
+    systemd.services.avscan = {
+      description = "Antivirus scan";
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+        ExecStart = "${avscan}";
+      };
+    };
+
+    systemd.timers.avscan = {
+      description = "Antivirus scan";
+      wantedBy = [ "timers.target" ];
+      timerConfig.OnCalendar = "Mon *-*-* 13:00:00";
+    };
+  };
+}

nixops/common-users.nix

@@ -55,6 +55,13 @@
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMoGOV9HoFkm6S6zMfOc8ivUcGzKFxuqpmOXKQtg2nn5Kh6ByMuuAHFlvKISILBaWgXN8lPQN9VjLuXV93oG4Pe7u8EVw20IGbA6RZ4Pnnr1xQBESPbye+72taLvyQlxGA=="
     ];
   };
+  esavkin = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
+    ];
+  };
   flo = {
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];

nixops/desktop.nix

@@ -17,6 +17,7 @@ in
   imports =
     [
       (./. + "/${host}-hardware-configuration.nix")
+      ./avscan-module.nix
     ];
   nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
     libp11 = super.libp11.override({ openssl = super.openssl_1_1; });
@@ -90,6 +91,8 @@ in
     setuid = true;
   };
 
+  services.avscan.enable = true;
+
   services.openssh.enable = true;
   services.openssh.authorizedKeysInHomedir = false;
   services.openssh.settings.PasswordAuthentication = false;

nixops/extra-udev.nix

@@ -24,6 +24,4 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660"
 # DSLogic
 SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
 SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
-# chinese Lattice USB-2B
-SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6010", MODE="0660", GROUP="plugdev"
 ''

nixops/vulcan-hardware-configuration.nix

@@ -38,15 +38,4 @@
   hardware.cpu.intel.updateMicrocode = true;
   
   system.stateVersion = "23.05";
-
-  specialisation.virtualgpu = {
-    configuration = {
-      boot.kernelModules = [ "vfio_pci" "vfio" ];
-      boot.kernelParams = [ "intel_iommu=on" ];
-      boot.extraModprobeConfig =
-        ''
-        options vfio-pci ids=1002:67df,1002:aaf0
-        '';
-    };
-  };
 }