Compare commits
2 Commits
master
...
134-intl-c
Author | SHA1 | Date |
---|---|---|
Egor Savkin | 5054b6618e | |
Egor Savkin | 6955d4317b |
|
@ -1,18 +0,0 @@
|
||||||
network:
|
|
||||||
version: 2
|
|
||||||
renderer: networkd
|
|
||||||
ethernets:
|
|
||||||
eth0:
|
|
||||||
addresses:
|
|
||||||
- 5.78.86.156/32
|
|
||||||
- 2a01:4ff:1f0:83de::2/64
|
|
||||||
- 2a01:4ff:1f0:83de::3/64
|
|
||||||
- 2a01:4ff:1f0:83de::4/64
|
|
||||||
tunnels:
|
|
||||||
gre1:
|
|
||||||
mode: gre
|
|
||||||
local: 5.78.86.156
|
|
||||||
remote: 94.190.212.123
|
|
||||||
addresses:
|
|
||||||
- 10.47.3.0/31
|
|
||||||
|
|
|
@ -1,14 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=GRE tunnel to the main host
|
|
||||||
After=network.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=simple
|
|
||||||
User=root
|
|
||||||
ExecStart=/root/gretun.sh
|
|
||||||
ExecStop=/root/gretun_down.sh
|
|
||||||
Restart=on-failure
|
|
||||||
RemainAfterExit=yes
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -1,10 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
|
|
||||||
/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
|
|
||||||
|
|
||||||
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
|
|
||||||
/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
|
|
||||||
|
|
||||||
/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
|
@ -1,10 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
|
|
||||||
/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
|
|
||||||
|
|
||||||
/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
|
|
||||||
/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
|
|
||||||
|
|
||||||
/usr/sbin/iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
||||||
/usr/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
|
|
@ -3,15 +3,13 @@ upstream rfq_server {
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
limit_conn addr 5;
|
|
||||||
|
|
||||||
root /var/www/m-labs-intl.com/html;
|
root /var/www/m-labs-intl.com/html;
|
||||||
index index.html index.htm index.nginx-debian.html;
|
index index.html index.htm index.nginx-debian.html;
|
||||||
|
|
||||||
server_name m-labs-intl.com;
|
server_name m-labs-intl.com www.m-labs-intl.com;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
try_files $uri $uri/ =404;
|
try_files $uri $uri/ =404;
|
||||||
}
|
}
|
||||||
|
|
||||||
listen [::]:443 ssl ipv6only=on; # managed by Certbot
|
listen [::]:443 ssl ipv6only=on; # managed by Certbot
|
||||||
|
@ -22,21 +20,8 @@ server {
|
||||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
|
||||||
server_name www.m-labs-intl.com;
|
|
||||||
return 301 https://m-labs-intl.com$request_uri;
|
|
||||||
|
|
||||||
listen [::]:443 ssl; # managed by Certbot
|
|
||||||
listen 443 ssl; # managed by Certbot
|
|
||||||
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
|
|
||||||
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
|
||||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
server_name hooks.m-labs-intl.com;
|
server_name hooks.m-labs-intl.com;
|
||||||
limit_conn addr 5;
|
|
||||||
|
|
||||||
location /rfq {
|
location /rfq {
|
||||||
proxy_pass http://rfq_server/rfq;
|
proxy_pass http://rfq_server/rfq;
|
||||||
|
@ -50,10 +35,9 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
return 418;
|
return 404;
|
||||||
}
|
}
|
||||||
|
|
||||||
listen [::]:443 ssl; # managed by Certbot
|
|
||||||
listen 443 ssl; # managed by Certbot
|
listen 443 ssl; # managed by Certbot
|
||||||
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
|
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
|
||||||
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
|
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
|
||||||
|
@ -62,20 +46,15 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
limit_conn addr 5;
|
|
||||||
if ($host = m-labs-intl.com) {
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
} # managed by Certbot
|
|
||||||
|
|
||||||
|
|
||||||
if ($host = www.m-labs-intl.com) {
|
if ($host = www.m-labs-intl.com) {
|
||||||
return 301 https://m-labs-intl.com$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
} # managed by Certbot
|
} # managed by Certbot
|
||||||
|
|
||||||
|
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
|
||||||
server_name m-labs-intl.com www.m-labs-intl.com hooks.m-labs-intl.com;
|
server_name m-labs-intl.com www.m-labs-intl.com;
|
||||||
return 301 https://$host$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
|
#return 404; # managed by Certbot
|
||||||
}
|
}
|
|
@ -1,34 +0,0 @@
|
||||||
|
|
||||||
|
|
||||||
connections {
|
|
||||||
m_labs {
|
|
||||||
version = 2
|
|
||||||
encap = no
|
|
||||||
mobike = no
|
|
||||||
send_certreq = no
|
|
||||||
proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
|
|
||||||
local_addrs = 5.78.86.156
|
|
||||||
remote_addrs = 94.190.212.123
|
|
||||||
local {
|
|
||||||
auth = pubkey
|
|
||||||
id = fqdn:m-labs-intl.com
|
|
||||||
pubkeys = m-labs-intl.com
|
|
||||||
}
|
|
||||||
remote {
|
|
||||||
auth = pubkey
|
|
||||||
id = fqdn:m-labs.hk
|
|
||||||
pubkeys = m-labs.hk
|
|
||||||
}
|
|
||||||
children {
|
|
||||||
con1 {
|
|
||||||
mode = transport
|
|
||||||
ah_proposals = sha256-curve25519,sha256-ecp256
|
|
||||||
esp_proposals =
|
|
||||||
local_ts = 5.78.86.156[gre]
|
|
||||||
remote_ts = 94.190.212.123[gre]
|
|
||||||
start_action = start
|
|
||||||
close_action = none
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -33,9 +33,6 @@ http {
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
# Rate limiting
|
|
||||||
limit_conn_zone $binary_remote_addr zone=addr:10m;
|
|
||||||
|
|
||||||
##
|
##
|
||||||
# Logging Settings
|
# Logging Settings
|
||||||
##
|
##
|
||||||
|
@ -63,3 +60,28 @@ http {
|
||||||
include /etc/nginx/sites-enabled/*;
|
include /etc/nginx/sites-enabled/*;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
stream {
|
||||||
|
# Upstream mail servers
|
||||||
|
upstream smtp_backend {
|
||||||
|
server mail.m-labs.hk:25;
|
||||||
|
}
|
||||||
|
|
||||||
|
upstream submission_backend {
|
||||||
|
server mail.m-labs.hk:587;
|
||||||
|
}
|
||||||
|
|
||||||
|
# SMTP
|
||||||
|
server {
|
||||||
|
listen 25;
|
||||||
|
proxy_pass smtp_backend;
|
||||||
|
proxy_protocol on;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Submission (Authenticated SMTP)
|
||||||
|
server {
|
||||||
|
listen 587;
|
||||||
|
proxy_pass submission_backend;
|
||||||
|
proxy_protocol on;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -1,99 +0,0 @@
|
||||||
# Setup m-labs-intl.com server
|
|
||||||
|
|
||||||
```shell
|
|
||||||
# Install required packages
|
|
||||||
apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
|
|
||||||
strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
|
|
||||||
snap install --classic certbot
|
|
||||||
ln -s /snap/bin/certbot /usr/bin/certbot
|
|
||||||
|
|
||||||
# Set up networks (includes GRE)
|
|
||||||
cp 60-tunnels.yaml /etc/netplan/
|
|
||||||
netplan apply
|
|
||||||
|
|
||||||
# set up IPsec-AH connection
|
|
||||||
cp m-labs.hk.conf /etc/swanctl/conf.d/
|
|
||||||
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
|
|
||||||
sysctl -p
|
|
||||||
cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
|
|
||||||
pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com
|
|
||||||
pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
|
|
||||||
cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
|
|
||||||
systemctl enable strongswan --now
|
|
||||||
systemctl restart strongswan
|
|
||||||
|
|
||||||
# Set up website
|
|
||||||
cp m-labs-intl.com /etc/nginx/sites-available/
|
|
||||||
cp nginx.conf /etc/nginx/
|
|
||||||
ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
|
|
||||||
systemctl enable nginx --now
|
|
||||||
service nginx restart
|
|
||||||
|
|
||||||
# Issue SSL certificate - website only, the mail is on the HK side
|
|
||||||
certbot --nginx
|
|
||||||
service nginx restart
|
|
||||||
|
|
||||||
# Create a user for automatic website deployment from nixbld
|
|
||||||
useradd -m zolaupd
|
|
||||||
mkdir -p /var/www/m-labs-intl.com/html
|
|
||||||
chown -R zolaupd /var/www/m-labs-intl.com/
|
|
||||||
sudo -u zolaupd sh -c '
|
|
||||||
cd /home/zolaupd;
|
|
||||||
mkdir /home/zolaupd/.ssh;
|
|
||||||
echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
|
|
||||||
chmod 700 .ssh/
|
|
||||||
chmod 600 .ssh/authorized_keys
|
|
||||||
'
|
|
||||||
|
|
||||||
# Create a user for RFQ hooks service
|
|
||||||
useradd -m rfqserver
|
|
||||||
cp runrfq.sh /home/rfqserver/
|
|
||||||
cp mail.secret /home/rfqserver/
|
|
||||||
chown rfqserver /home/rfqserver/runrfq.sh
|
|
||||||
chmod +x /home/rfqserver/runrfq.sh
|
|
||||||
chown rfqserver /home/rfqserver/mail.secret
|
|
||||||
|
|
||||||
sudo -u rfqserver sh -c '
|
|
||||||
cd /home/rfqserver;
|
|
||||||
git clone https://git.m-labs.hk/M-Labs/web2019.git;
|
|
||||||
cd web2019;
|
|
||||||
python3 -m venv ./venv;
|
|
||||||
source venv/bin/activate;
|
|
||||||
pip install -r requirements.txt;
|
|
||||||
'
|
|
||||||
cp rfq.service /etc/systemd/system/
|
|
||||||
|
|
||||||
# Automate port forwarding rules creation
|
|
||||||
cp gretun.sh /root/gretun.sh
|
|
||||||
cp gretun_down.sh /root/gretun_down.sh
|
|
||||||
chmod u+x /root/gretun.sh
|
|
||||||
chmod u+x /root/gretun_down.sh
|
|
||||||
cp gretun.service /etc/systemd/system/
|
|
||||||
|
|
||||||
# Enable custom services
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl enable rfq.service --now
|
|
||||||
systemctl enable gretun.service --now
|
|
||||||
|
|
||||||
# Setup basic firewall rules
|
|
||||||
ufw default deny
|
|
||||||
ufw default allow outgoing
|
|
||||||
|
|
||||||
ufw allow from 94.190.212.123
|
|
||||||
ufw allow from 2001:470:f891:1::/64
|
|
||||||
ufw allow from 202.77.7.238
|
|
||||||
ufw allow from 2001:470:18:390::2
|
|
||||||
ufw allow "Nginx HTTP"
|
|
||||||
ufw allow "Nginx HTTPS"
|
|
||||||
ufw limit OpenSSH
|
|
||||||
ufw allow 25/tcp
|
|
||||||
ufw allow 587/tcp
|
|
||||||
ufw limit 500,4500/udp
|
|
||||||
|
|
||||||
ufw route allow in on gre1 out on eth0
|
|
||||||
ufw allow from 10.47.3.0/31
|
|
||||||
|
|
||||||
ufw show added
|
|
||||||
ufw enable
|
|
||||||
```
|
|
|
@ -0,0 +1,51 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
apt install git nginx-full python3 python3.12-venv python3-pip
|
||||||
|
snap install --classic certbot
|
||||||
|
ln -s /snap/bin/certbot /usr/bin/certbot
|
||||||
|
useradd -m rfqserver
|
||||||
|
useradd -m zolaupd
|
||||||
|
|
||||||
|
cp m-labs-intl.com /etc/nginx/sites-available/
|
||||||
|
cp nginx.conf /etc/nginx/
|
||||||
|
ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
|
||||||
|
|
||||||
|
mkdir -p /var/www/m-labs-intl.com/html
|
||||||
|
chown -R zolaupd /var/www/m-labs-intl.com/
|
||||||
|
|
||||||
|
cp runrfq.sh /home/rfqserver/
|
||||||
|
cp mail.secret /home/rfqserver/
|
||||||
|
chown rfqserver /home/rfqserver/runrfq.sh
|
||||||
|
chmod +x /home/rfqserver/runrfq.sh
|
||||||
|
chown rfqserver /home/rfqserver/mail.secret
|
||||||
|
|
||||||
|
|
||||||
|
sudo -u zolaupd sh -c '
|
||||||
|
cd /home/zolaupd;
|
||||||
|
mkdir /home/zolaupd/.ssh;
|
||||||
|
echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
|
||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
|
||||||
|
chmod 700 .ssh/
|
||||||
|
chmod 600 .ssh/authorized_keys
|
||||||
|
'
|
||||||
|
|
||||||
|
sudo -u rfqserver sh -c '
|
||||||
|
cd /home/rfqserver;
|
||||||
|
git clone https://git.m-labs.hk/M-Labs/web2019.git;
|
||||||
|
cd web2019;
|
||||||
|
python3 -m venv ./venv;
|
||||||
|
source venv/bin/activate;
|
||||||
|
pip install -r requirements.txt;
|
||||||
|
'
|
||||||
|
|
||||||
|
cp rfq.service /etc/systemd/system/
|
||||||
|
|
||||||
|
systemctl daemon-reload
|
||||||
|
systemctl enable rfq.service
|
||||||
|
systemctl start rfq.service
|
||||||
|
|
||||||
|
service nginx restart
|
||||||
|
|
||||||
|
certbot --nginx
|
||||||
|
|
||||||
|
service nginx restart
|
|
@ -10,34 +10,16 @@ in
|
||||||
default = false;
|
default = false;
|
||||||
description = "Enable AFWS server";
|
description = "Enable AFWS server";
|
||||||
};
|
};
|
||||||
logFile = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "/var/lib/afws/logs/afws.log";
|
|
||||||
description = "Path to the log file";
|
|
||||||
};
|
|
||||||
logBackupCount = mkOption {
|
|
||||||
type = types.int;
|
|
||||||
default = 30;
|
|
||||||
description = "Number of daily log files to keep";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf config.services.afws.enable {
|
config = mkIf config.services.afws.enable {
|
||||||
systemd.services.afws = {
|
systemd.services.afws = {
|
||||||
description = "AFWS server";
|
description = "AFWS server";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
preStart = ''
|
|
||||||
mkdir -p "$(dirname ${config.services.afws.logFile})"
|
|
||||||
chown afws:afws "$(dirname ${config.services.afws.logFile})"
|
|
||||||
'';
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "afws";
|
User = "afws";
|
||||||
Group = "afws";
|
Group = "afws";
|
||||||
ExecStart = ''
|
ExecStart = "${afws}/bin/afws_server";
|
||||||
${afws}/bin/afws_server \
|
|
||||||
--log-file ${config.services.afws.logFile} \
|
|
||||||
--log-backup-count ${toString config.services.afws.logBackupCount}
|
|
||||||
'';
|
|
||||||
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
|
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
|
||||||
};
|
};
|
||||||
path = [ pkgs.nix pkgs.git ];
|
path = [ pkgs.nix pkgs.git ];
|
||||||
|
|
|
@ -26,10 +26,9 @@ let
|
||||||
${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
|
${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
|
||||||
${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
|
${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
|
||||||
${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
|
${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
|
||||||
${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql
|
|
||||||
|
|
||||||
exec 6< /etc/nixos/secret/backup-passphrase
|
exec 6< /etc/nixos/secret/backup-passphrase
|
||||||
${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \
|
${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \
|
||||||
${pkgs.bzip2}/bin/bzip2 | \
|
${pkgs.bzip2}/bin/bzip2 | \
|
||||||
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
|
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
|
||||||
'';
|
'';
|
||||||
|
|
|
@ -6,9 +6,6 @@ let
|
||||||
netifLan = "enp5s0f1";
|
netifLan = "enp5s0f1";
|
||||||
netifWifi = "wlp6s0";
|
netifWifi = "wlp6s0";
|
||||||
netifSit = "henet0";
|
netifSit = "henet0";
|
||||||
netifUSA = "trump0";
|
|
||||||
netifAlt = "alt0";
|
|
||||||
netifAltVlan = "vlan0";
|
|
||||||
hydraWwwOutputs = "/var/www/hydra-outputs";
|
hydraWwwOutputs = "/var/www/hydra-outputs";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -20,8 +17,8 @@ in
|
||||||
./afws-module.nix
|
./afws-module.nix
|
||||||
./rt.nix
|
./rt.nix
|
||||||
(builtins.fetchTarball {
|
(builtins.fetchTarball {
|
||||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/29916981e7b3b5782dc5085ad18490113f8ff63b/nixos-mailserver-nixos.tar.gz";
|
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/41059fc548088e49e3ddb3a2b4faeb5de018e60f/nixos-mailserver-nixos.tar.gz";
|
||||||
sha256 = "sha256:0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
|
sha256 = "sha256:0xvch92yi4mc1acj08461wrgrva63770aiis02vpvaa7a1xqaibv";
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -93,15 +90,6 @@ in
|
||||||
allowedTCPPorts = [ 53 80 443 2222 7402 ];
|
allowedTCPPorts = [ 53 80 443 2222 7402 ];
|
||||||
allowedUDPPorts = [ 53 67 500 4500 ];
|
allowedUDPPorts = [ 53 67 500 4500 ];
|
||||||
trustedInterfaces = [ netifLan ];
|
trustedInterfaces = [ netifLan ];
|
||||||
logRefusedConnections = false;
|
|
||||||
extraCommands = ''
|
|
||||||
iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
|
|
||||||
iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
|
|
||||||
'';
|
|
||||||
extraStopCommands = ''
|
|
||||||
iptables -D INPUT -s 5.78.86.156 -p gre -j ACCEPT
|
|
||||||
iptables -D INPUT -s 5.78.86.156 -p ah -j ACCEPT
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
|
interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
|
||||||
|
@ -188,21 +176,11 @@ in
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
|
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
|
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
|
||||||
iptables -w -A FORWARD -j block-insecure-devices
|
iptables -w -A FORWARD -j block-insecure-devices
|
||||||
|
|
||||||
iptables -w -N pccw-sucks
|
|
||||||
iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
|
|
||||||
iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
|
||||||
iptables -A pccw-sucks -o ${netifUSA} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
|
||||||
iptables -w -A FORWARD -j pccw-sucks
|
|
||||||
'';
|
'';
|
||||||
extraStopCommands = ''
|
extraStopCommands = ''
|
||||||
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
|
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
|
||||||
iptables -w -F block-insecure-devices 2>/dev/null|| true
|
iptables -w -F block-insecure-devices 2>/dev/null|| true
|
||||||
iptables -w -X block-insecure-devices 2>/dev/null|| true
|
iptables -w -X block-insecure-devices 2>/dev/null|| true
|
||||||
|
|
||||||
iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
|
|
||||||
iptables -w -F pccw-sucks 2>/dev/null|| true
|
|
||||||
iptables -w -X pccw-sucks 2>/dev/null|| true
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
sits."${netifSit}" = {
|
sits."${netifSit}" = {
|
||||||
|
@ -215,37 +193,14 @@ in
|
||||||
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
|
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
|
||||||
routes = [{ address = "::"; prefixLength = 0; }];
|
routes = [{ address = "::"; prefixLength = 0; }];
|
||||||
};
|
};
|
||||||
greTunnels."${netifUSA}" = {
|
greTunnels.alt0 = {
|
||||||
dev = netifWan;
|
|
||||||
remote = "5.78.86.156";
|
|
||||||
local = "94.190.212.123";
|
|
||||||
ttl = 255;
|
|
||||||
type = "tun";
|
|
||||||
};
|
|
||||||
greTunnels."${netifAlt}" = {
|
|
||||||
dev = netifWan;
|
dev = netifWan;
|
||||||
remote = "103.206.98.1";
|
remote = "103.206.98.1";
|
||||||
local = "94.190.212.123";
|
local = "94.190.212.123";
|
||||||
ttl = 255;
|
ttl = 255;
|
||||||
type = "tun";
|
type = "tun";
|
||||||
};
|
};
|
||||||
interfaces."${netifUSA}" = {
|
interfaces.alt0 = {
|
||||||
ipv4.addresses = [
|
|
||||||
{
|
|
||||||
address = "10.47.3.1";
|
|
||||||
prefixLength = 31;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
ipv4.routes = [
|
|
||||||
{
|
|
||||||
address = "0.0.0.0";
|
|
||||||
prefixLength = 0;
|
|
||||||
via = "10.47.3.0";
|
|
||||||
options.table = "3";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
interfaces."${netifAlt}" = {
|
|
||||||
ipv4.addresses = [
|
ipv4.addresses = [
|
||||||
{
|
{
|
||||||
address = "103.206.98.227";
|
address = "103.206.98.227";
|
||||||
|
@ -262,12 +217,12 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
vlans = {
|
vlans = {
|
||||||
"${netifAltVlan}" = {
|
vlan0 = {
|
||||||
id = 2;
|
id = 2;
|
||||||
interface = netifLan;
|
interface = netifLan;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
interfaces."${netifAltVlan}" = {
|
interfaces.vlan0 = {
|
||||||
ipv4.addresses = [{
|
ipv4.addresses = [{
|
||||||
address = "103.206.98.200";
|
address = "103.206.98.200";
|
||||||
prefixLength = 29;
|
prefixLength = 29;
|
||||||
|
@ -300,7 +255,7 @@ in
|
||||||
id = "fqdn:igw0.hkg.as150788.net";
|
id = "fqdn:igw0.hkg.as150788.net";
|
||||||
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
|
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
|
||||||
};
|
};
|
||||||
children."${netifAlt}" = {
|
children.alt0 = {
|
||||||
mode = "transport";
|
mode = "transport";
|
||||||
ah_proposals = [ "sha256-curve25519" ];
|
ah_proposals = [ "sha256-curve25519" ];
|
||||||
remote_ts = [ "103.206.98.1[gre]" ];
|
remote_ts = [ "103.206.98.1[gre]" ];
|
||||||
|
@ -308,27 +263,6 @@ in
|
||||||
start_action = "start";
|
start_action = "start";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.strongswan-swanctl.swanctl.connections.usa = {
|
|
||||||
local_addrs = [ "94.190.212.123" ];
|
|
||||||
remote_addrs = [ "5.78.86.156" ];
|
|
||||||
local.main = {
|
|
||||||
auth = "pubkey";
|
|
||||||
id = "fqdn:m-labs.hk";
|
|
||||||
pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
|
|
||||||
};
|
|
||||||
remote.main = {
|
|
||||||
auth = "pubkey";
|
|
||||||
id = "fqdn:m-labs-intl.com";
|
|
||||||
pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
|
|
||||||
};
|
|
||||||
children."${netifUSA}" = {
|
|
||||||
mode = "transport";
|
|
||||||
ah_proposals = [ "sha256-curve25519" ];
|
|
||||||
remote_ts = [ "5.78.86.156[gre]" ];
|
|
||||||
local_ts = [ "94.190.212.123[gre]" ];
|
|
||||||
start_action = "start";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.network-custom-route-backup = {
|
systemd.services.network-custom-route-backup = {
|
||||||
wantedBy = [ "network.target" ];
|
wantedBy = [ "network.target" ];
|
||||||
|
@ -339,15 +273,6 @@ in
|
||||||
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
|
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
systemd.services.network-custom-route-usa = {
|
|
||||||
wantedBy = [ "network.target" ];
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
RemainAfterExit = true;
|
|
||||||
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
|
|
||||||
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
systemd.services.network-custom-route-alt = {
|
systemd.services.network-custom-route-alt = {
|
||||||
wantedBy = [ "network.target" ];
|
wantedBy = [ "network.target" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
|
@ -450,14 +375,10 @@ in
|
||||||
notify explicit;
|
notify explicit;
|
||||||
also-notify {
|
also-notify {
|
||||||
216.218.130.2; # ns1.he.net
|
216.218.130.2; # ns1.he.net
|
||||||
213.239.220.50; # ns1.qnetp.net
|
|
||||||
88.198.32.245; # new qnetp
|
|
||||||
};
|
};
|
||||||
'';
|
'';
|
||||||
slaves = [
|
slaves = [
|
||||||
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
|
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
|
||||||
"213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net
|
|
||||||
"88.198.32.245" # new qnetp
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"200-29.98.206.103.in-addr.arpa" = {
|
"200-29.98.206.103.in-addr.arpa" = {
|
||||||
|
@ -540,6 +461,11 @@ in
|
||||||
"/kasli/192.168.1.70"
|
"/kasli/192.168.1.70"
|
||||||
"/kasli-customer/192.168.1.75"
|
"/kasli-customer/192.168.1.75"
|
||||||
"/stabilizer-customer/192.168.1.76"
|
"/stabilizer-customer/192.168.1.76"
|
||||||
|
|
||||||
|
# Google can't do DNS geolocation correctly and slows down websites of everyone using
|
||||||
|
# their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
|
||||||
|
# cannot reach.
|
||||||
|
"/fonts.googleapis.com/142.250.207.74"
|
||||||
];
|
];
|
||||||
|
|
||||||
dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
|
dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
|
||||||
|
@ -565,23 +491,10 @@ in
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
lm_sensors
|
wget vim git file lm_sensors acpi pciutils psmisc nixops_unstable_minimal
|
||||||
acpi
|
irssi tmux usbutils imagemagick jq zip unzip
|
||||||
usbutils
|
|
||||||
pciutils
|
|
||||||
iw
|
iw
|
||||||
nvme-cli
|
nvme-cli
|
||||||
smartmontools
|
|
||||||
psmisc
|
|
||||||
|
|
||||||
wget
|
|
||||||
vim
|
|
||||||
git
|
|
||||||
file
|
|
||||||
imagemagick
|
|
||||||
jq
|
|
||||||
|
|
||||||
nixops_unstable_minimal
|
|
||||||
borgbackup
|
borgbackup
|
||||||
bind
|
bind
|
||||||
waypipe
|
waypipe
|
||||||
|
@ -611,7 +524,6 @@ in
|
||||||
services.openssh.settings.X11Forwarding = true;
|
services.openssh.settings.X11Forwarding = true;
|
||||||
services.openssh.authorizedKeysInHomedir = false;
|
services.openssh.authorizedKeysInHomedir = false;
|
||||||
programs.mosh.enable = true;
|
programs.mosh.enable = true;
|
||||||
programs.tmux.enable = true;
|
|
||||||
|
|
||||||
programs.fish.enable = true;
|
programs.fish.enable = true;
|
||||||
programs.zsh.enable = true;
|
programs.zsh.enable = true;
|
||||||
|
@ -655,23 +567,38 @@ in
|
||||||
users.extraUsers.root = {
|
users.extraUsers.root = {
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
||||||
];
|
];
|
||||||
shell = pkgs.fish;
|
shell = pkgs.fish;
|
||||||
};
|
};
|
||||||
# https://github.com/NixOS/nixpkgs/issues/155357
|
# https://github.com/NixOS/nixpkgs/issues/155357
|
||||||
security.sudo.enable = true;
|
security.sudo.enable = true;
|
||||||
|
|
||||||
# M-Labs HK
|
|
||||||
users.extraUsers.sb = {
|
users.extraUsers.sb = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["lp" "scanner" "afws" "audio"];
|
extraGroups = ["lp" "scanner" "afws" "audio"];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
||||||
];
|
];
|
||||||
shell = pkgs.fish;
|
shell = pkgs.fish;
|
||||||
};
|
};
|
||||||
|
users.extraUsers.rj = {
|
||||||
|
isNormalUser = true;
|
||||||
|
extraGroups = ["afws"];
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
users.extraUsers.nkrackow = {
|
||||||
|
isNormalUser = true;
|
||||||
|
extraGroups = ["afws"];
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
|
||||||
|
];
|
||||||
|
};
|
||||||
users.extraUsers.spaqin = {
|
users.extraUsers.spaqin = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["lp" "afws"];
|
extraGroups = ["lp" "afws"];
|
||||||
|
@ -693,35 +620,6 @@ in
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# M-Labs PH
|
|
||||||
users.extraUsers.flo = {
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = ["afws"];
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# QUARTIQ
|
|
||||||
users.extraUsers.rj = {
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = ["afws"];
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
|
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
users.extraUsers.eduardotenholder = {
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = ["afws"];
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu6yhjCoZ62eamYrAXtFefDhplTRUIdD4tncwlkyAEH"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# HKUST
|
|
||||||
users.extraUsers.derppening = {
|
users.extraUsers.derppening = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
|
@ -753,10 +651,6 @@ in
|
||||||
job = web:web:web
|
job = web:web:web
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
|
||||||
</runcommand>
|
</runcommand>
|
||||||
<runcommand>
|
|
||||||
job = web:web:web-intl
|
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/
|
|
||||||
</runcommand>
|
|
||||||
<runcommand>
|
<runcommand>
|
||||||
job = web:web:nmigen-docs
|
job = web:web:nmigen-docs
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
|
||||||
|
@ -868,10 +762,6 @@ in
|
||||||
services.gitea = {
|
services.gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
appName = "M-Labs Git";
|
appName = "M-Labs Git";
|
||||||
database = {
|
|
||||||
type = "postgres";
|
|
||||||
socket = "/run/postgresql";
|
|
||||||
};
|
|
||||||
mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
|
mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
|
||||||
settings = {
|
settings = {
|
||||||
server = {
|
server = {
|
||||||
|
@ -919,20 +809,12 @@ in
|
||||||
siteUrl = "https://chat.m-labs.hk/";
|
siteUrl = "https://chat.m-labs.hk/";
|
||||||
mutableConfig = true;
|
mutableConfig = true;
|
||||||
};
|
};
|
||||||
|
services.postgresql.package = pkgs.postgresql_12;
|
||||||
services.matterbridge = {
|
services.matterbridge = {
|
||||||
enable = true;
|
enable = true;
|
||||||
configPath = "/etc/nixos/secret/matterbridge.toml";
|
configPath = "/etc/nixos/secret/matterbridge.toml";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.postgresql = {
|
|
||||||
package = pkgs.postgresql_15;
|
|
||||||
settings.listen_addresses = pkgs.lib.mkForce "";
|
|
||||||
identMap =
|
|
||||||
''
|
|
||||||
rt rt rt_user
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
|
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
|
||||||
nix = super.nix.overrideAttrs(oa: {
|
nix = super.nix.overrideAttrs(oa: {
|
||||||
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
|
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
|
||||||
|
@ -982,7 +864,7 @@ in
|
||||||
expires 60d;
|
expires 60d;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
locations."/nuc-netboot/".alias = "${import ./defenestrate { prioNixbld = true; } }/";
|
locations."/nuc-netboot/".alias = "${import ./defenestrate}/";
|
||||||
|
|
||||||
# legacy URLs, redirect to avoid breaking people's bookmarks
|
# legacy URLs, redirect to avoid breaking people's bookmarks
|
||||||
locations."/gateware.html".extraConfig = ''
|
locations."/gateware.html".extraConfig = ''
|
||||||
|
@ -1143,6 +1025,15 @@ in
|
||||||
"forum.m-labs.hk" = {
|
"forum.m-labs.hk" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
root = "/var/www/flarum/public";
|
||||||
|
locations."~ \.php$".extraConfig = ''
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
|
||||||
|
fastcgi_index index.php;
|
||||||
|
'';
|
||||||
|
extraConfig = ''
|
||||||
|
index index.php;
|
||||||
|
include /var/www/flarum/.nginx.conf;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
"perso.m-labs.hk" = {
|
"perso.m-labs.hk" = {
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
|
@ -1214,17 +1105,23 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.mysql = {
|
services.mysql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.lib.mkForce pkgs.mariadb;
|
package = pkgs.mariadb;
|
||||||
ensureDatabases = pkgs.lib.mkForce [];
|
|
||||||
ensureUsers = pkgs.lib.mkForce [];
|
|
||||||
};
|
};
|
||||||
services.flarum = {
|
services.phpfpm.pools.flarum = {
|
||||||
enable = true;
|
user = "nobody";
|
||||||
package = pkgs.callPackage ./flarum {};
|
settings = {
|
||||||
domain = "forum.m-labs.hk";
|
"listen.owner" = "nginx";
|
||||||
|
"listen.group" = "nginx";
|
||||||
|
"listen.mode" = "0600";
|
||||||
|
"pm" = "dynamic";
|
||||||
|
"pm.max_children" = 5;
|
||||||
|
"pm.start_servers" = 2;
|
||||||
|
"pm.min_spare_servers" = 1;
|
||||||
|
"pm.max_spare_servers" = 3;
|
||||||
|
"pm.max_requests" = 500;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.rt = {
|
services.rt = {
|
||||||
|
@ -1249,18 +1146,7 @@ in
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
User = "rt";
|
User = "rt";
|
||||||
Group = "rt";
|
Group = "rt";
|
||||||
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail.pid -f /etc/nixos/secret/rt_fetchmailrc'";
|
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
|
||||||
};
|
|
||||||
};
|
|
||||||
systemd.services.rt-fetchmail-intl = {
|
|
||||||
description = "Fetchmail for RT (intl)";
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
after = [ "dovecot2.service" ];
|
|
||||||
serviceConfig = {
|
|
||||||
Restart = "on-failure";
|
|
||||||
User = "rt";
|
|
||||||
Group = "rt";
|
|
||||||
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail-intl.pid -f /etc/nixos/secret/rt_fetchmailrc_intl'";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -1268,28 +1154,11 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
localDnsResolver = false; # conflicts with dnsmasq
|
localDnsResolver = false; # conflicts with dnsmasq
|
||||||
fqdn = "mail.m-labs.hk";
|
fqdn = "mail.m-labs.hk";
|
||||||
domains = [ "m-labs.hk" "m-labs.ph" "m-labs-intl.com" "193thz.com" "malloctech.fr" ];
|
domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ];
|
||||||
enablePop3 = true;
|
enablePop3 = true;
|
||||||
enablePop3Ssl = true;
|
enablePop3Ssl = true;
|
||||||
certificateScheme = "acme-nginx";
|
certificateScheme = "acme-nginx";
|
||||||
} // (import /etc/nixos/secret/email_settings.nix);
|
} // (import /etc/nixos/secret/email_settings.nix);
|
||||||
services.postfix = {
|
|
||||||
mapFiles."sender_transport" = builtins.toFile "sender_transport" ''
|
|
||||||
@m-labs-intl.com intltunnel:
|
|
||||||
'';
|
|
||||||
config = {
|
|
||||||
sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
|
|
||||||
};
|
|
||||||
masterConfig."intltunnel" = {
|
|
||||||
type = "unix";
|
|
||||||
command = "smtp";
|
|
||||||
args = [
|
|
||||||
"-o" "inet_interfaces=10.47.3.1"
|
|
||||||
"-o" "smtp_helo_name=mail.m-labs-intl.com"
|
|
||||||
"-o" "inet_protocols=ipv4"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
services.roundcube = {
|
services.roundcube = {
|
||||||
enable = true;
|
enable = true;
|
||||||
hostName = "mail.m-labs.hk";
|
hostName = "mail.m-labs.hk";
|
||||||
|
@ -1302,8 +1171,7 @@ in
|
||||||
|
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.nextcloud30;
|
package = pkgs.nextcloud29;
|
||||||
extraApps = { inherit (config.services.nextcloud.package.packages.apps) forms; };
|
|
||||||
hostName = "files.m-labs.hk";
|
hostName = "files.m-labs.hk";
|
||||||
https = true;
|
https = true;
|
||||||
maxUploadSize = "2G";
|
maxUploadSize = "2G";
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -1,39 +0,0 @@
|
||||||
{
|
|
||||||
lib,
|
|
||||||
php,
|
|
||||||
fetchFromGitHub,
|
|
||||||
fetchpatch,
|
|
||||||
}:
|
|
||||||
|
|
||||||
php.buildComposerProject (finalAttrs: {
|
|
||||||
pname = "flarum";
|
|
||||||
version = "1.8.1";
|
|
||||||
|
|
||||||
src = fetchFromGitHub {
|
|
||||||
owner = "flarum";
|
|
||||||
repo = "flarum";
|
|
||||||
rev = "v${finalAttrs.version}";
|
|
||||||
hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
|
|
||||||
};
|
|
||||||
|
|
||||||
patches = [
|
|
||||||
# Add useful extensions from https://github.com/FriendsOfFlarum
|
|
||||||
# Extensions included: fof/upload, fof/polls, fof/subscribed
|
|
||||||
./fof-extensions.patch
|
|
||||||
];
|
|
||||||
|
|
||||||
composerLock = ./composer.lock;
|
|
||||||
composerStrictValidation = false;
|
|
||||||
vendorHash = "sha256-GLE5ZtzZmQ8YbitV6LG744QHoGxlj5TfC5wP2a3eFpU=";
|
|
||||||
|
|
||||||
meta = with lib; {
|
|
||||||
changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
|
|
||||||
description = "Flarum is a delightfully simple discussion platform for your website";
|
|
||||||
homepage = "https://github.com/flarum/flarum";
|
|
||||||
license = lib.licenses.mit;
|
|
||||||
maintainers = with maintainers; [
|
|
||||||
fsagbuya
|
|
||||||
jasonodoom
|
|
||||||
];
|
|
||||||
};
|
|
||||||
})
|
|
|
@ -1,16 +0,0 @@
|
||||||
diff --git a/composer.json b/composer.json
|
|
||||||
index c63b5f8..5ad1186 100644
|
|
||||||
--- a/composer.json
|
|
||||||
+++ b/composer.json
|
|
||||||
@@ -37,7 +37,10 @@
|
|
||||||
"flarum/sticky": "*",
|
|
||||||
"flarum/subscriptions": "*",
|
|
||||||
"flarum/suspend": "*",
|
|
||||||
- "flarum/tags": "*"
|
|
||||||
+ "flarum/tags": "*",
|
|
||||||
+ "fof/polls": "*",
|
|
||||||
+ "fof/subscribed": "*",
|
|
||||||
+ "fof/upload": "*"
|
|
||||||
},
|
|
||||||
"config": {
|
|
||||||
"preferred-install": "dist",
|
|
|
@ -1,7 +1,7 @@
|
||||||
$TTL 7200
|
$TTL 7200
|
||||||
|
|
||||||
@ SOA ns.m-labs-intl.com. sb.m-labs.hk. (
|
@ SOA ns.m-labs-intl.com. sb.m-labs.hk. (
|
||||||
2024101401
|
2024060601
|
||||||
7200
|
7200
|
||||||
3600
|
3600
|
||||||
86400
|
86400
|
||||||
|
@ -10,21 +10,11 @@ $TTL 7200
|
||||||
|
|
||||||
NS ns.m-labs-intl.com.
|
NS ns.m-labs-intl.com.
|
||||||
NS ns1.he.net.
|
NS ns1.he.net.
|
||||||
NS ns1.qnetp.net.
|
|
||||||
|
|
||||||
A 5.78.86.156
|
A 5.78.86.156
|
||||||
AAAA 2a01:4ff:1f0:83de::1
|
AAAA 2a01:4ff:1f0:83de::1
|
||||||
MX 10 mail.m-labs-intl.com.
|
|
||||||
TXT "v=spf1 mx -all"
|
|
||||||
TXT "google-site-verification=BlQd5_5wWW7calKC7bZA0GdoxR8-zj4gwJEg9sGJ3l8"
|
|
||||||
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1768317117"
|
|
||||||
|
|
||||||
ns A 94.190.212.123
|
ns A 94.190.212.123
|
||||||
ns AAAA 2001:470:18:390::2
|
ns AAAA 2001:470:18:390::2
|
||||||
|
|
||||||
mail A 5.78.86.156
|
|
||||||
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
|
|
||||||
_dmarc TXT "v=DMARC1; p=none"
|
|
||||||
|
|
||||||
www CNAME @
|
www CNAME @
|
||||||
hooks CNAME @
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
$TTL 7200
|
$TTL 7200
|
||||||
|
|
||||||
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
|
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
|
||||||
2024080501
|
2024060201
|
||||||
7200
|
7200
|
||||||
3600
|
3600
|
||||||
86400
|
86400
|
||||||
|
@ -43,7 +43,17 @@ files CNAME @
|
||||||
docs CNAME @
|
docs CNAME @
|
||||||
|
|
||||||
rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93
|
rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93
|
||||||
|
rpi-2 AAAA 2001:470:f891:1:ba27:ebff:fef0:e9e6
|
||||||
rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9
|
rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9
|
||||||
|
chiron AAAA 2001:470:f891:1:7f02:9ebf:bee9:3dc7
|
||||||
|
old-nixbld AAAA 2001:470:f891:1:a07b:f49a:a4ef:aad9
|
||||||
|
zeus AAAA 2001:470:f891:1:4fd7:e70a:68bf:e9c1
|
||||||
|
franz AAAA 2001:470:f891:1:1b65:a743:2335:f5c6
|
||||||
|
hera AAAA 2001:470:f891:1:8b5e:404d:ef4e:9d92
|
||||||
|
hestia AAAA 2001:470:f891:1:881c:f409:a090:8401
|
||||||
|
vulcan AAAA 2001:470:f891:1:105d:3f15:bd53:c5ac
|
||||||
|
|
||||||
|
aux A 42.200.147.171
|
||||||
|
|
||||||
router.alt A 103.206.98.200
|
router.alt A 103.206.98.200
|
||||||
stewardship1.alt A 103.206.98.201
|
stewardship1.alt A 103.206.98.201
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
|
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
|
||||||
index 763045a80..d7c5cc82e 100644
|
index 64b55ca6a..9b4e52b8e 100644
|
||||||
--- a/src/libstore/build/local-derivation-goal.cc
|
--- a/src/libstore/build/local-derivation-goal.cc
|
||||||
+++ b/src/libstore/build/local-derivation-goal.cc
|
+++ b/src/libstore/build/local-derivation-goal.cc
|
||||||
@@ -190,6 +190,8 @@ void LocalDerivationGoal::tryLocalBuild()
|
@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild()
|
||||||
|
|
||||||
assert(derivationType);
|
assert(derivationType);
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ index 763045a80..d7c5cc82e 100644
|
||||||
/* Are we doing a chroot build? */
|
/* Are we doing a chroot build? */
|
||||||
{
|
{
|
||||||
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
|
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
|
||||||
@@ -207,7 +209,7 @@ void LocalDerivationGoal::tryLocalBuild()
|
@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild()
|
||||||
else if (settings.sandboxMode == smDisabled)
|
else if (settings.sandboxMode == smDisabled)
|
||||||
useChroot = false;
|
useChroot = false;
|
||||||
else if (settings.sandboxMode == smRelaxed)
|
else if (settings.sandboxMode == smRelaxed)
|
||||||
|
@ -20,7 +20,7 @@ index 763045a80..d7c5cc82e 100644
|
||||||
}
|
}
|
||||||
|
|
||||||
auto & localStore = getLocalStore();
|
auto & localStore = getLocalStore();
|
||||||
@@ -717,7 +719,7 @@ void LocalDerivationGoal::startBuilder()
|
@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder()
|
||||||
"nogroup:x:65534:\n", sandboxGid()));
|
"nogroup:x:65534:\n", sandboxGid()));
|
||||||
|
|
||||||
/* Create /etc/hosts with localhost entry. */
|
/* Create /etc/hosts with localhost entry. */
|
||||||
|
@ -29,7 +29,7 @@ index 763045a80..d7c5cc82e 100644
|
||||||
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
|
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
|
||||||
|
|
||||||
/* Make the closure of the inputs available in the chroot,
|
/* Make the closure of the inputs available in the chroot,
|
||||||
@@ -921,7 +923,7 @@ void LocalDerivationGoal::startBuilder()
|
@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder()
|
||||||
us.
|
us.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
@ -38,7 +38,7 @@ index 763045a80..d7c5cc82e 100644
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
|
|
||||||
userNamespaceSync.create();
|
userNamespaceSync.create();
|
||||||
@@ -1160,7 +1162,7 @@ void LocalDerivationGoal::initEnv()
|
@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv()
|
||||||
to the builder is generally impure, but the output of
|
to the builder is generally impure, but the output of
|
||||||
fixed-output derivations is by definition pure (since we
|
fixed-output derivations is by definition pure (since we
|
||||||
already know the cryptographic hash of the output). */
|
already know the cryptographic hash of the output). */
|
||||||
|
@ -47,7 +47,7 @@ index 763045a80..d7c5cc82e 100644
|
||||||
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
|
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
|
||||||
env[i] = getEnv(i).value_or("");
|
env[i] = getEnv(i).value_or("");
|
||||||
}
|
}
|
||||||
@@ -1829,7 +1831,7 @@ void LocalDerivationGoal::runChild()
|
@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild()
|
||||||
/* Fixed-output derivations typically need to access the
|
/* Fixed-output derivations typically need to access the
|
||||||
network, so give them access to /etc/resolv.conf and so
|
network, so give them access to /etc/resolv.conf and so
|
||||||
on. */
|
on. */
|
||||||
|
@ -56,21 +56,21 @@ index 763045a80..d7c5cc82e 100644
|
||||||
// Only use nss functions to resolve hosts and
|
// Only use nss functions to resolve hosts and
|
||||||
// services. Don’t use it for anything else that may
|
// services. Don’t use it for anything else that may
|
||||||
// be configured for this system. This limits the
|
// be configured for this system. This limits the
|
||||||
@@ -2071,7 +2073,7 @@ void LocalDerivationGoal::runChild()
|
@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild()
|
||||||
#include "sandbox-defaults.sb"
|
#include "sandbox-defaults.sb"
|
||||||
;
|
|
||||||
|
|
||||||
- if (!derivationType->isSandboxed())
|
|
||||||
+ if (networked || !derivationType->isSandboxed())
|
|
||||||
sandboxProfile +=
|
|
||||||
#include "sandbox-network.sb"
|
|
||||||
;
|
;
|
||||||
|
|
||||||
|
- if (!derivationType->isSandboxed())
|
||||||
|
+ if (networked || !derivationType->isSandboxed())
|
||||||
|
sandboxProfile +=
|
||||||
|
#include "sandbox-network.sb"
|
||||||
|
;
|
||||||
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
|
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
|
||||||
index 86b86c01e..95b03aae8 100644
|
index 0a05081c7..4c251718c 100644
|
||||||
--- a/src/libstore/build/local-derivation-goal.hh
|
--- a/src/libstore/build/local-derivation-goal.hh
|
||||||
+++ b/src/libstore/build/local-derivation-goal.hh
|
+++ b/src/libstore/build/local-derivation-goal.hh
|
||||||
@@ -82,6 +82,8 @@ struct LocalDerivationGoal : public DerivationGoal
|
@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal
|
||||||
*/
|
|
||||||
Path chrootRootDir;
|
Path chrootRootDir;
|
||||||
|
|
||||||
+ bool networked;
|
+ bool networked;
|
||||||
|
|
|
@ -19,9 +19,14 @@ let
|
||||||
Set($Timezone, '${cfg.timeZone}');
|
Set($Timezone, '${cfg.timeZone}');
|
||||||
|
|
||||||
Set($DatabaseType, 'Pg');
|
Set($DatabaseType, 'Pg');
|
||||||
Set($DatabaseHost, '/run/postgresql');
|
Set($DatabaseHost, 'localhost');
|
||||||
Set($DatabaseUser, 'rt');
|
Set($DatabaseUser, 'rt_user');
|
||||||
Set($DatabaseName, 'rt5');
|
Set($DatabaseName, 'rt5');
|
||||||
|
# Read database password from file
|
||||||
|
open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
|
||||||
|
my $dbpw = do { local $/; <$fh> };
|
||||||
|
$dbpw =~ s/^\s+|\s+$//g;
|
||||||
|
Set($DatabasePassword, $dbpw);
|
||||||
|
|
||||||
# System (Logging)
|
# System (Logging)
|
||||||
Set($LogToSTDERR, undef); # Don't log twice
|
Set($LogToSTDERR, undef); # Don't log twice
|
||||||
|
@ -30,7 +35,7 @@ let
|
||||||
Set($OwnerEmail, '${cfg.ownerEmail}');
|
Set($OwnerEmail, '${cfg.ownerEmail}');
|
||||||
Set($MaxAttachmentSize, 15360000);
|
Set($MaxAttachmentSize, 15360000);
|
||||||
Set($CheckMoreMSMailHeaders, 1);
|
Set($CheckMoreMSMailHeaders, 1);
|
||||||
Set($RTAddressRegexp, '^(helpdesk)\@(m-labs.hk|m-labs-intl.com)$');
|
Set($RTAddressRegexp, '^(helpdesk|sales)\@(m-labs.hk)$');
|
||||||
Set($LoopsToRTOwner, 0);
|
Set($LoopsToRTOwner, 0);
|
||||||
|
|
||||||
# System (Outgoing mail)
|
# System (Outgoing mail)
|
||||||
|
@ -149,6 +154,13 @@ in {
|
||||||
type = str;
|
type = str;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
dbPasswordFile = mkOption {
|
||||||
|
description = "File containing the database password";
|
||||||
|
type = str;
|
||||||
|
default = "/etc/nixos/secret/rtpasswd";
|
||||||
|
internal = true;
|
||||||
|
};
|
||||||
|
|
||||||
domain = mkOption {
|
domain = mkOption {
|
||||||
description = "Which domain RT is running on";
|
description = "Which domain RT is running on";
|
||||||
type = str;
|
type = str;
|
||||||
|
@ -233,6 +245,8 @@ in {
|
||||||
|
|
||||||
PrivateNetwork = false;
|
PrivateNetwork = false;
|
||||||
MemoryDenyWriteExecute = false;
|
MemoryDenyWriteExecute = false;
|
||||||
|
|
||||||
|
ReadOnlyPaths = [ cfg.dbPasswordFile ];
|
||||||
};
|
};
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
root = {
|
root = {
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
sb = {
|
sb = {
|
||||||
|
@ -12,7 +12,7 @@
|
||||||
extraGroups = ["wheel" "plugdev" "dialout" "libvirtd"];
|
extraGroups = ["wheel" "plugdev" "dialout" "libvirtd"];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
rj = {
|
rj = {
|
||||||
|
@ -57,7 +57,7 @@
|
||||||
};
|
};
|
||||||
esavkin = {
|
esavkin = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
|
extraGroups = ["plugdev" "dialout" "libvirtd"];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
|
||||||
];
|
];
|
||||||
|
@ -111,6 +111,35 @@
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
architeuthis = {
|
||||||
|
isNormalUser = true;
|
||||||
|
extraGroups = ["plugdev" "dialout"];
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMhLPEGWDUauFHjiVduBMJrIMKT8SvtTDHXDVudUZrhewQy08h4NEEyWmczP4WMeyugI/L/a+J+Vc8mImgqSoHw52823LVcnR9EKnJoqnwAHU/J+41vIWAN2LAryd4p9yg=="
|
||||||
|
];
|
||||||
|
};
|
||||||
|
abdul = {
|
||||||
|
isNormalUser = true;
|
||||||
|
extraGroups = ["plugdev" "dialout"];
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
|
||||||
|
];
|
||||||
|
};
|
||||||
|
lyken = {
|
||||||
|
isNormalUser = true;
|
||||||
|
extraGroups = ["plugdev" "dialout"];
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ88QJlh/+F/xwXQlPEmQVmtycb8FfabxCdeiP3gTHUCV8y4PLh3ubY+EsY+Xhy/GlOAPdX7KSpiII3dndYfwZWzorXVoPBhhPKEIumFBOinWfp5kRVzWOD61gCwsYoVBg=="
|
||||||
|
];
|
||||||
|
};
|
||||||
|
wanglm = {
|
||||||
|
isNormalUser = true;
|
||||||
|
extraGroups = ["plugdev" "dialout"];
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNhRITe/qj/zvW2dZbXNmyJxLHPgJAynlWh6NCGGarJbkhj8c1UFLUo2Hv7xqGil4PZnPGru4WwHX0RhWS/I39UPzfVvuntRGenNqqpo2T9Ble80QCawpZ2c07w7FkVq7g=="
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
dpn = {
|
dpn = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
|
|
|
@ -64,8 +64,8 @@ in
|
||||||
xournal
|
xournal
|
||||||
xsane
|
xsane
|
||||||
gtkwave unzip zip gnupg
|
gtkwave unzip zip gnupg
|
||||||
gnome-tweaks
|
gnome3.gnome-tweaks
|
||||||
ghex
|
gnome3.ghex
|
||||||
jq sublime3 rink qemu_kvm
|
jq sublime3 rink qemu_kvm
|
||||||
tmux screen gdb minicom picocom
|
tmux screen gdb minicom picocom
|
||||||
artiq.packages.x86_64-linux.openocd-bscanspi
|
artiq.packages.x86_64-linux.openocd-bscanspi
|
||||||
|
@ -129,9 +129,17 @@ in
|
||||||
nssmdns4 = true;
|
nssmdns4 = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
hardware.graphics.enable32Bit = true;
|
# Enable sound.
|
||||||
|
sound.enable = true;
|
||||||
|
hardware.pulseaudio = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.pulseaudioFull;
|
||||||
|
};
|
||||||
|
|
||||||
fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
|
hardware.opengl.driSupport32Bit = true;
|
||||||
|
hardware.pulseaudio.support32Bit = true;
|
||||||
|
|
||||||
|
fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
|
||||||
|
|
||||||
# Enable the X11 windowing system.
|
# Enable the X11 windowing system.
|
||||||
services.xserver.enable = true;
|
services.xserver.enable = true;
|
||||||
|
|
|
@ -23,5 +23,4 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="4121", MODE="0660"
|
||||||
SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
|
SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
|
||||||
# DSLogic
|
# DSLogic
|
||||||
SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
|
SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
|
||||||
SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
|
|
||||||
''
|
''
|
||||||
|
|
|
@ -0,0 +1,48 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/3dca09c8-f725-416a-9f89-b69297698ca9";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/4E51-B390";
|
||||||
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.intel.updateMicrocode = true;
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
nixpkgs.config.nvidia.acceptLicense = true;
|
||||||
|
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
|
||||||
|
services.xserver.videoDrivers = [ "nvidia" ];
|
||||||
|
services.xserver.displayManager.gdm.wayland = false;
|
||||||
|
|
||||||
|
system.stateVersion = "23.05";
|
||||||
|
}
|
|
@ -13,6 +13,7 @@
|
||||||
chiron = import ./desktop.nix { host = "chiron"; };
|
chiron = import ./desktop.nix { host = "chiron"; };
|
||||||
old-nixbld = import ./desktop.nix { host = "old-nixbld"; };
|
old-nixbld = import ./desktop.nix { host = "old-nixbld"; };
|
||||||
franz = import ./desktop.nix { host = "franz"; };
|
franz = import ./desktop.nix { host = "franz"; };
|
||||||
|
juno = import ./desktop.nix { host = "juno"; };
|
||||||
demeter = import ./desktop.nix { host = "demeter"; };
|
demeter = import ./desktop.nix { host = "demeter"; };
|
||||||
vulcan = import ./desktop.nix { host = "vulcan"; };
|
vulcan = import ./desktop.nix { host = "vulcan"; };
|
||||||
rc = import ./desktop.nix { host = "rc"; };
|
rc = import ./desktop.nix { host = "rc"; };
|
||||||
|
|
|
@ -1,49 +0,0 @@
|
||||||
connections {
|
|
||||||
bypass-ipsec {
|
|
||||||
remote_addrs = 127.0.0.1
|
|
||||||
children {
|
|
||||||
bypass-isakmp-v4 {
|
|
||||||
local_ts = 0.0.0.0/0[udp/isakmp]
|
|
||||||
remote_ts = 0.0.0.0/0[udp/isakmp]
|
|
||||||
mode = pass
|
|
||||||
start_action = trap
|
|
||||||
}
|
|
||||||
bypass-isakmp-v6 {
|
|
||||||
local_ts = ::/0[udp/isakmp]
|
|
||||||
remote_ts = ::/0[udp/isakmp]
|
|
||||||
mode = pass
|
|
||||||
start_action = trap
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
m_labs {
|
|
||||||
version = 2
|
|
||||||
encap = no
|
|
||||||
mobike = no
|
|
||||||
send_certreq = no
|
|
||||||
proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
|
|
||||||
local_addrs = 103.206.98.1
|
|
||||||
remote_addrs = 94.190.212.123
|
|
||||||
local {
|
|
||||||
auth = pubkey
|
|
||||||
id = fqdn:igw0.hkg.as150788.net
|
|
||||||
pubkeys = igw0.hkg.as150788.net
|
|
||||||
}
|
|
||||||
remote {
|
|
||||||
auth = pubkey
|
|
||||||
id = fqdn:m-labs.hk
|
|
||||||
pubkeys = m-labs.hk
|
|
||||||
}
|
|
||||||
children {
|
|
||||||
con1 {
|
|
||||||
mode = transport
|
|
||||||
ah_proposals = sha256-curve25519,sha256-ecp256
|
|
||||||
esp_proposals =
|
|
||||||
local_ts = 103.206.98.1[gre]
|
|
||||||
remote_ts = 94.190.212.123[gre]
|
|
||||||
start_action = none
|
|
||||||
close_action = none
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
Loading…
Reference in New Issue