master
...
force-ssl-
Author | SHA1 | Date |
---|---|---|
Egor Savkin | 10da6a0cbb |
|
@ -6,7 +6,6 @@
|
|||
|
||||
let
|
||||
netifWan = "enp4s0";
|
||||
netifWanBackup = "enp11s0";
|
||||
netifLan = "enp5s0f1";
|
||||
netifWifi = "wlp6s0";
|
||||
netifSit = "henet0";
|
||||
|
@ -95,22 +94,7 @@ in
|
|||
allowedUDPPorts = [ 53 67 500 4500 ];
|
||||
trustedInterfaces = [ netifLan ];
|
||||
};
|
||||
useDHCP = false;
|
||||
interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
|
||||
interfaces."${netifWanBackup}" = { # HKBN - no DHCP with static IP service
|
||||
ipv4.addresses = [{
|
||||
address = "202.77.7.238";
|
||||
prefixLength = 30;
|
||||
}];
|
||||
ipv4.routes = [
|
||||
{
|
||||
address = "0.0.0.0";
|
||||
prefixLength = 0;
|
||||
via = "202.77.7.237";
|
||||
options.table = "2";
|
||||
}
|
||||
];
|
||||
};
|
||||
interfaces."${netifWan}".useDHCP = true;
|
||||
interfaces."${netifLan}" = {
|
||||
ipv4.addresses = [{
|
||||
address = "192.168.1.1";
|
||||
|
@ -128,11 +112,6 @@ in
|
|||
prefixLength = 24;
|
||||
options.table = "1";
|
||||
}
|
||||
{
|
||||
address = "192.168.1.0";
|
||||
prefixLength = 24;
|
||||
options.table = "2";
|
||||
}
|
||||
];
|
||||
};
|
||||
interfaces."${netifWifi}" = {
|
||||
|
@ -144,19 +123,6 @@ in
|
|||
address = "2001:470:f891:2::";
|
||||
prefixLength = 64;
|
||||
}];
|
||||
# same hack as above
|
||||
ipv4.routes = [
|
||||
{
|
||||
address = "192.168.12.0";
|
||||
prefixLength = 24;
|
||||
options.table = "1";
|
||||
}
|
||||
{
|
||||
address = "192.168.12.0";
|
||||
prefixLength = 24;
|
||||
options.table = "2";
|
||||
}
|
||||
];
|
||||
};
|
||||
nat = {
|
||||
enable = true;
|
||||
|
@ -169,6 +135,11 @@ in
|
|||
{ sourcePort = 2204; destination = "192.168.1.204:22"; proto = "tcp"; }
|
||||
];
|
||||
extraCommands = ''
|
||||
iptables -w -N block-lan-from-wifi
|
||||
iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
|
||||
iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
|
||||
iptables -w -A FORWARD -j block-lan-from-wifi
|
||||
|
||||
iptables -w -N block-insecure-devices
|
||||
iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA
|
||||
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope
|
||||
|
@ -182,6 +153,10 @@ in
|
|||
iptables -w -A FORWARD -j block-insecure-devices
|
||||
'';
|
||||
extraStopCommands = ''
|
||||
iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
|
||||
iptables -w -F block-lan-from-wifi 2>/dev/null|| true
|
||||
iptables -w -X block-lan-from-wifi 2>/dev/null|| true
|
||||
|
||||
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
|
||||
iptables -w -F block-insecure-devices 2>/dev/null|| true
|
||||
iptables -w -X block-insecure-devices 2>/dev/null|| true
|
||||
|
@ -268,21 +243,12 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services.network-custom-route-backup = {
|
||||
systemd.services.custom-network-setup = {
|
||||
wantedBy = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 202.77.7.238/30 table 2";
|
||||
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
|
||||
};
|
||||
};
|
||||
systemd.services.network-custom-route-alt = {
|
||||
wantedBy = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.200/29 table 1";
|
||||
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.0/24 table 1";
|
||||
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
|
||||
};
|
||||
};
|
||||
|
@ -310,13 +276,11 @@ in
|
|||
also-notify {
|
||||
213.239.220.50; # ns1.qnetp.net
|
||||
216.218.130.2; # ns1.he.net
|
||||
88.198.32.245; # new qnetp
|
||||
};
|
||||
'';
|
||||
slaves = [
|
||||
"213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net
|
||||
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
|
||||
"88.198.32.245" # new qnetp
|
||||
];
|
||||
};
|
||||
"m-labs.ph" = {
|
||||
|
@ -565,23 +529,30 @@ in
|
|||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
|
||||
];
|
||||
};
|
||||
users.extraUsers.occheung = {
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPEvmWmxpFpMgp5fpjKud8ev0cyf/+X5fEpQt/YD/+u4mbvZYPE300DLqQ0h/qjgvaGMz1ndf4idYnRdy+plJEC/+hmlRW5NlcpAr3S/LYAisacgKToFVl+MlBo+emS9Ig=="
|
||||
];
|
||||
};
|
||||
users.extraUsers.spaqin = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["lp" "afws"];
|
||||
extraGroups = ["lp" "scanner" "afws"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ=="
|
||||
];
|
||||
shell = pkgs.zsh;
|
||||
};
|
||||
users.extraUsers.therobs12 = {
|
||||
users.extraUsers.esavkin = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["lp" "afws"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
|
||||
];
|
||||
};
|
||||
users.extraUsers.morgan = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["lp"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
|
||||
];
|
||||
|
@ -592,7 +563,12 @@ in
|
|||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
|
||||
];
|
||||
};
|
||||
|
||||
users.extraUsers.dpn = {
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGChLocYJi8XcSJkIjT2Olm3jPGjtRq5aORa5G9F3OqmjCfvav9Q5+2Mc64XqHtNTffnJuDe4gv+lVJatC0URvPs2HyxXmxRK0jgkkLSUsV2SYLlgMqHW3jsrdh6wKBmkg=="
|
||||
];
|
||||
};
|
||||
users.extraUsers.nix = {
|
||||
isNormalUser = true;
|
||||
};
|
||||
|
@ -601,6 +577,7 @@ in
|
|||
|
||||
nix.settings.max-jobs = 10;
|
||||
nix.nrBuildUsers = 64;
|
||||
nix.settings.trusted-users = ["sb"];
|
||||
services.hydra = {
|
||||
enable = true;
|
||||
useSubstitutes = true;
|
||||
|
@ -804,7 +781,7 @@ in
|
|||
recommendedTlsSettings = true;
|
||||
virtualHosts = let
|
||||
mainWebsite = {
|
||||
addSSL = true;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
root = "${hydraWwwOutputs}/web";
|
||||
extraConfig = ''
|
||||
|
@ -991,9 +968,6 @@ in
|
|||
addSSL = true;
|
||||
enableACME = true;
|
||||
root = "/var/www/perso";
|
||||
extraConfig = ''
|
||||
autoindex on;
|
||||
'';
|
||||
};
|
||||
"rt.m-labs.hk" = {
|
||||
forceSSL = true;
|
||||
|
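Review bot: `nix.settings.trusted-users = ["sb"];`, the one added line in the `@ -601,6 +577,7 @@` hunk, is root-equivalent on this host: trusted users may override the restricted daemon settings (substituters, sandboxing, and the like), and the commit does not record why `sb` needs it. Since the same host runs the Hydra instance configured just below, a comment such as `# sb administers the hydra cache; note trusted-users is root-equivalent` would make the grant reviewable later. Separately, the new `block-insecure-devices` chain in the `@ -169,6 +135,11 @@` hunk matches on `-m mac --mac-source`, which only holds while those instruments keep their factory address; a comment stating that this is best-effort isolation rather than a security boundary would set expectations. The enclosing attribute set continues outside both hunks.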
|
|
@ -1,7 +1,7 @@
|
|||
$TTL 7200
|
||||
|
||||
@ SOA ns.193thz.com. sb.m-labs.hk. (
|
||||
2024050601
|
||||
2023121301
|
||||
7200
|
||||
3600
|
||||
86400
|
||||
|
@ -12,7 +12,6 @@ $TTL 7200
|
|||
NS ns1.he.net.
|
||||
|
||||
A 94.190.212.123
|
||||
A 202.77.7.238
|
||||
AAAA 2001:470:18:390::2
|
||||
MX 10 mail.m-labs.hk.
|
||||
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
|
||||
|
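Review bot: The SOA serial pair in the `@ -1,7 +1,7 @@` hunk reads `2024050601` then `2023121301`; if, as the usual old-then-new print order suggests, `2023121301` is the new value, the serial goes backwards and the secondaries named in the router config's `also-notify`/`slaves` (qnetp, he.net) will keep serving the old zone, since they transfer only on a higher serial. The same pattern appears in the two following zone sections (`2024050601` then `2024010901`). If this compare merely shows an older branch against master, the serials should be bumped above `2024050601` before the branch is merged. It is also worth confirming that the removed `A` record (one of `94.190.212.123` / `202.77.7.238`) matches the WAN interface dropped in the router config, and that `a:router.alt.m-labs.hk` in the SPF `TXT` still resolves to an address that sends mail after that change.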
|
|
@ -1,7 +1,7 @@
|
|||
$TTL 7200
|
||||
|
||||
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
|
||||
2024050601
|
||||
2024010901
|
||||
7200
|
||||
3600
|
||||
86400
|
||||
|
@ -13,7 +13,6 @@ $TTL 7200
|
|||
NS ns1.he.net.
|
||||
|
||||
A 94.190.212.123
|
||||
A 202.77.7.238
|
||||
AAAA 2001:470:18:390::2
|
||||
MX 10 mail.m-labs.hk.
|
||||
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
|
||||
|
@ -22,7 +21,6 @@ $TTL 7200
|
|||
|
||||
|
||||
mail A 94.190.212.123
|
||||
mail A 202.77.7.238
|
||||
mail AAAA 2001:470:18:390::2
|
||||
mail._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl38A/Z0IInVU157qzrWgMfYm2iDHoWZsTyiiOoZdT7kHMzS/M2OMXMt7r5g1/7pCPClsGUDJvKGqVMmjJuPleMyKHwpGeT92qDNEFpt6ahneap/oYx5eBYM/vGcgmleNxyIoBHsptaZvqD4vCEFaC22f8UL5QAgQD3wCH3FwlpQIDAQAB"
|
||||
_dmarc TXT "v=DMARC1; p=none"
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
$TTL 7200
|
||||
|
||||
@ SOA ns1.m-labs.ph. sb.m-labs.hk. (
|
||||
2024050601
|
||||
2024010901
|
||||
7200
|
||||
3600
|
||||
86400
|
||||
|
@ -12,7 +12,6 @@ $TTL 7200
|
|||
NS ns1.he.net.
|
||||
|
||||
A 94.190.212.123
|
||||
A 202.77.7.238
|
||||
AAAA 2001:470:18:390::2
|
||||
MX 10 mail.m-labs.hk.
|
||||
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
|
||||
|
|
|
@ -78,14 +78,14 @@
|
|||
};
|
||||
linuswck = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout" "wireshark" "libvirtd"];
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAFYwmik6/xY1vb9aKBOpKklKOwSJJ0PEgNwWNULghZGJ0g4CTk04LXLSMYBm1SW74df8YMgaE/eoidq6smN6hKIgo8s3qPQGZAi4UXffMs2ciqXNa/zZcCu3PyZvyksxA=="
|
||||
];
|
||||
};
|
||||
morgan = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout" "wireshark" "libvirtd"];
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
|
||||
];
|
||||
|
@ -104,14 +104,6 @@
|
|||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
|
||||
];
|
||||
};
|
||||
therobs12 = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
|
||||
];
|
||||
};
|
||||
|
||||
|
||||
dpn = {
|
||||
isNormalUser = true;
|
||||
|
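Review bot: The `extraGroups` pairs for `linuswck` and `morgan` in the `@ -78,14 +78,14 @@` hunk differ by `wireshark` and `libvirtd`, and the rendering does not show which line is the new side. If the new side grants them, `libvirtd` membership lets a user define VMs with arbitrary host disk access (effectively root) and `wireshark` grants packet capture on every interface, so each grant should carry a comment stating why that user needs it (`# libvirtd: runs test VMs; wireshark: protocol debugging`). The removal of `therobs12` in the `@ -104,14 +104,6 @@` hunk lines up with the router config, where the same public key now appears under `esavkin`; worth confirming that reassignment is intended rather than a copied key.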
|
|
@ -134,6 +134,10 @@ in
|
|||
hardware.opengl.driSupport32Bit = true;
|
||||
hardware.pulseaudio.support32Bit = true;
|
||||
|
||||
i18n.inputMethod = {
|
||||
enabled = "fcitx5";
|
||||
fcitx5.addons = [ pkgs.fcitx5-table-extra pkgs.fcitx5-m17n ];
|
||||
};
|
||||
fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
|
||||
|
||||
# Enable the X11 windowing system.
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
}
|
|
@ -10,6 +10,7 @@
|
|||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelPackages = pkgs.linuxPackages_5_15;
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.blacklistedKernelModules = [ "iwlwifi" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
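Review bot: Exactly one of `boot.kernelPackages = pkgs.linuxPackages_5_15;` and `boot.blacklistedKernelModules = [ "iwlwifi" ];` is the added line in the `@ -10,6 +10,7 @@` hunk, and neither carries a comment. Pinning to the 5.15 LTS series keeps the machine off the nixpkgs default kernel and its fixes, so the pin should state its reason and a revisit condition (`# 5.15: <reason> — revisit when <condition>`), and the iwlwifi blacklist should say what breaks without it.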
|
|
@ -6,6 +6,8 @@
|
|||
network.enableRollback = true;
|
||||
|
||||
rpi-1 = import ./rpi.nix { host = "rpi-1"; rpi4 = true; };
|
||||
rpi-2 = import ./rpi.nix { host = "rpi-2"; rpi4 = false; experimental-users = true; };
|
||||
rpi-3 = import ./rpi.nix { host = "rpi-3"; rpi4 = true; };
|
||||
rpi-4 = import ./rpi.nix { host = "rpi-4"; rpi4 = true; };
|
||||
zeus = import ./desktop.nix { host = "zeus"; };
|
||||
hera = import ./desktop.nix { host = "hera"; };
|
||||
|
@ -15,5 +17,4 @@
|
|||
franz = import ./desktop.nix { host = "franz"; };
|
||||
juno = import ./desktop.nix { host = "juno"; };
|
||||
demeter = import ./desktop.nix { host = "demeter"; };
|
||||
vulcan = import ./desktop.nix { host = "vulcan"; };
|
||||
}
|
||||
|
|
|
@ -34,12 +34,15 @@ in
|
|||
|
||||
networking.hostName = host;
|
||||
|
||||
networking.firewall.allowedTCPPorts = if host == "rpi-2" then [ 6000 ] else [];
|
||||
|
||||
time.timeZone = "Asia/Hong_Kong";
|
||||
|
||||
users.extraGroups.plugdev = { };
|
||||
users.mutableUsers = false;
|
||||
users.defaultUserShell = pkgs.fish;
|
||||
users.extraUsers = (import ./common-users.nix { inherit pkgs; }) // {
|
||||
users.extraUsers = (import ./common-users.nix { inherit pkgs; }) //
|
||||
(pkgs.lib.optionalAttrs experimental-users (import ./experimental-users.nix { inherit pkgs; })) // {
|
||||
nixbld = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
|
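Review bot: `experimental-users` is consumed in the `@ -34,12 +34,15 @@` hunk but declared outside it; `rpi-1`, `rpi-3` and `rpi-4` in the hosts file do not pass it, so the argument needs a default (`experimental-users ? false`) or evaluation of those hosts fails. The new `networking.firewall.allowedTCPPorts = if host == "rpi-2" then [ 6000 ] else [];` opens a port with no comment on what listens there; 6000 is the conventional X11 display :0 port, and if that is the intent the listener's own access control is the only protection, so a comment naming the service (`# 6000: <service> on rpi-2`) is warranted. The enclosing module continues outside the hunk.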
|
|
@ -1,40 +0,0 @@
|
|||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/67168ae0-6448-4b40-b278-406290224b4f";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/8F4B-AD84";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
|
||||
hardware.cpu.intel.updateMicrocode = true;
|
||||
|
||||
system.stateVersion = "23.05";
|
||||
}
|