M-Labs/it-infra
M-Labs
/
it-infra
8
0
Fork 5
Code Issues 10 Pull Requests 2 Releases Wiki Activity

Compare commits

base: M-Labs:master
Branches Tags
M-Labs:master
M-Labs:enable-mail-proxy-and-tunnel
M-Labs:134-intl-configuration
M-Labs:disable-spf-from-vps
fsagbuya:134-intl-com
fsagbuya:master
fsagbuya:134-deploy
fsagbuya:134-intl-configuration
fsagbuya:force-ssl-main-website
..
compare: fsagbuya:force-ssl-main-website
Branches Tags
fsagbuya:134-intl-com
fsagbuya:master
fsagbuya:134-deploy
fsagbuya:134-intl-configuration
fsagbuya:force-ssl-main-website
M-Labs:master
M-Labs:enable-mail-proxy-and-tunnel
M-Labs:134-intl-configuration
M-Labs:disable-spf-from-vps

1 Commits
master ... force-ssl-

Author SHA1 Message Date
Egor Savkin 10da6a0cbb Force SSL for main website instead of optional SSL 
https://nixos.wiki/wiki/Nginx
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-01-25 15:51:33 +08:00
33 changed files with 166 additions and 10482 deletions
Show Stats Expand all files Collapse all files

3
nixbld-etc-nixos/backup-module.nix
View File

@ -26,10 +26,9 @@ let
${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql ${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql
exec 6< /etc/nixos/secret/backup-passphrase exec 6< /etc/nixos/secret/backup-passphrase
${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \ ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \
${pkgs.bzip2}/bin/bzip2 | \ ${pkgs.bzip2}/bin/bzip2 | \
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6 ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
''; '';

278
nixbld-etc-nixos/configuration.nix
View File

@ -1,13 +1,14 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
netifWan = "enp4s0"; netifWan = "enp4s0";
netifWanBackup = "enp11s0";
netifLan = "enp5s0f1"; netifLan = "enp5s0f1";
netifWifi = "wlp6s0"; netifWifi = "wlp6s0";
netifSit = "henet0"; netifSit = "henet0";
netifAlt = "alt0";
netifAltVlan = "vlan0";
hydraWwwOutputs = "/var/www/hydra-outputs"; hydraWwwOutputs = "/var/www/hydra-outputs";
in in
{ {
@ -19,8 +20,8 @@ in
./afws-module.nix ./afws-module.nix
./rt.nix ./rt.nix
(builtins.fetchTarball { (builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/41059fc548088e49e3ddb3a2b4faeb5de018e60f/nixos-mailserver-nixos.tar.gz"; url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/008d78cc21959e33d0d31f375b88353a7d7121ae/nixos-mailserver-nixos.tar.gz";
sha256 = "sha256:0xvch92yi4mc1acj08461wrgrva63770aiis02vpvaa7a1xqaibv"; sha256 = "sha256:0pnfyg4icsvrw390a227m8b1j5w8awicx5aza3d0fiyyzpnrpn5a";
}) })
]; ];
@ -30,7 +31,7 @@ in
boot.loader.grub.efiSupport = true; boot.loader.grub.efiSupport = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.amd.updateMicrocode = true; hardware.cpu.amd.updateMicrocode = true;
boot.supportedFilesystems.zfs = true; boot.supportedFilesystems = ["zfs"];
boot.kernelParams = ["zfs.l2arc_write_max=536870912"]; boot.kernelParams = ["zfs.l2arc_write_max=536870912"];
boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];
@ -89,26 +90,11 @@ in
hostName = "nixbld"; hostName = "nixbld";
hostId = "e423f012"; hostId = "e423f012";
firewall = { firewall = {
allowedTCPPorts = [ 53 80 443 2222 7402 ]; allowedTCPPorts = [ 53 80 443 7402 ];
allowedUDPPorts = [ 53 67 500 4500 ]; allowedUDPPorts = [ 53 67 500 4500 ];
trustedInterfaces = [ netifLan ]; trustedInterfaces = [ netifLan ];
}; };
useDHCP = false; interfaces."${netifWan}".useDHCP = true;
interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
interfaces."${netifWanBackup}" = { # HKBN - no DHCP with static IP service
ipv4.addresses = [{
address = "202.77.7.238";
prefixLength = 30;
}];
ipv4.routes = [
{
address = "0.0.0.0";
prefixLength = 0;
via = "202.77.7.237";
options.table = "2";
}
];
};
interfaces."${netifLan}" = { interfaces."${netifLan}" = {
ipv4.addresses = [{ ipv4.addresses = [{
address = "192.168.1.1"; address = "192.168.1.1";
@ -126,11 +112,6 @@ in
prefixLength = 24; prefixLength = 24;
options.table = "1"; options.table = "1";
} }
{
address = "192.168.1.0";
prefixLength = 24;
options.table = "2";
}
]; ];
}; };
interfaces."${netifWifi}" = { interfaces."${netifWifi}" = {
@ -142,19 +123,6 @@ in
address = "2001:470:f891:2::"; address = "2001:470:f891:2::";
prefixLength = 64; prefixLength = 64;
}]; }];
# same hack as above
ipv4.routes = [
{
address = "192.168.12.0";
prefixLength = 24;
options.table = "1";
}
{
address = "192.168.12.0";
prefixLength = 24;
options.table = "2";
}
];
}; };
nat = { nat = {
enable = true; enable = true;
@ -167,6 +135,11 @@ in
{ sourcePort = 2204; destination = "192.168.1.204:22"; proto = "tcp"; } { sourcePort = 2204; destination = "192.168.1.204:22"; proto = "tcp"; }
]; ];
extraCommands = '' extraCommands = ''
iptables -w -N block-lan-from-wifi
iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
iptables -w -A FORWARD -j block-lan-from-wifi
iptables -w -N block-insecure-devices iptables -w -N block-insecure-devices
iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope
@ -178,20 +151,15 @@ in
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
iptables -w -A FORWARD -j block-insecure-devices iptables -w -A FORWARD -j block-insecure-devices
iptables -w -N pccw-sucks
iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
iptables -w -A FORWARD -j pccw-sucks
''; '';
extraStopCommands = '' extraStopCommands = ''
iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
iptables -w -F block-lan-from-wifi 2>/dev/null|| true
iptables -w -X block-lan-from-wifi 2>/dev/null|| true
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
iptables -w -F block-insecure-devices 2>/dev/null|| true iptables -w -F block-insecure-devices 2>/dev/null|| true
iptables -w -X block-insecure-devices 2>/dev/null|| true iptables -w -X block-insecure-devices 2>/dev/null|| true
iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
iptables -w -F pccw-sucks 2>/dev/null|| true
iptables -w -X pccw-sucks 2>/dev/null|| true
''; '';
}; };
sits."${netifSit}" = { sits."${netifSit}" = {
@ -204,14 +172,14 @@ in
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }]; addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
routes = [{ address = "::"; prefixLength = 0; }]; routes = [{ address = "::"; prefixLength = 0; }];
}; };
greTunnels."${netifAlt}" = { greTunnels.alt0 = {
dev = netifWan; dev = netifWan;
remote = "103.206.98.1"; remote = "103.206.98.1";
local = "94.190.212.123"; local = "94.190.212.123";
ttl = 255; ttl = 255;
type = "tun"; type = "tun";
}; };
interfaces."${netifAlt}" = { interfaces.alt0 = {
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "103.206.98.227"; address = "103.206.98.227";
@ -228,12 +196,12 @@ in
]; ];
}; };
vlans = { vlans = {
"${netifAltVlan}" = { vlan0 = {
id = 2; id = 2;
interface = netifLan; interface = netifLan;
}; };
}; };
interfaces."${netifAltVlan}" = { interfaces.vlan0 = {
ipv4.addresses = [{ ipv4.addresses = [{
address = "103.206.98.200"; address = "103.206.98.200";
prefixLength = 29; prefixLength = 29;
@ -266,7 +234,7 @@ in
id = "fqdn:igw0.hkg.as150788.net"; id = "fqdn:igw0.hkg.as150788.net";
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ]; pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
}; };
children."${netifAlt}" = { children.alt0 = {
mode = "transport"; mode = "transport";
ah_proposals = [ "sha256-curve25519" ]; ah_proposals = [ "sha256-curve25519" ];
remote_ts = [ "103.206.98.1[gre]" ]; remote_ts = [ "103.206.98.1[gre]" ];
@ -274,27 +242,13 @@ in
start_action = "start"; start_action = "start";
}; };
}; };
# prevent race condition similar to https://github.com/NixOS/nixpkgs/issues/27070
systemd.services.strongswan-swanctl = {
after = [ "network-addresses-${netifAlt}.service" ];
requires = [ "network-addresses-${netifAlt}.service" ];
};
systemd.services.network-custom-route-backup = { systemd.services.custom-network-setup = {
wantedBy = [ "network.target" ]; wantedBy = [ "network.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 202.77.7.238/30 table 2"; ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.0/24 table 1";
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
};
};
systemd.services.network-custom-route-alt = {
wantedBy = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.200/29 table 1";
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1"; ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
}; };
}; };
@ -322,13 +276,11 @@ in
also-notify { also-notify {
213.239.220.50; # ns1.qnetp.net 213.239.220.50; # ns1.qnetp.net
216.218.130.2; # ns1.he.net 216.218.130.2; # ns1.he.net
88.198.32.245; # new qnetp
}; };
''; '';
slaves = [ slaves = [
"213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net "213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net "216.218.133.2" "2001:470:600::2" # slave.dns.he.net
"88.198.32.245" # new qnetp
]; ];
}; };
"m-labs.ph" = { "m-labs.ph" = {
@ -380,27 +332,6 @@ in
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net "216.218.133.2" "2001:470:600::2" # slave.dns.he.net
]; ];
}; };
"m-labs-intl.com" = {
name = "m-labs-intl.com";
master = true;
file = "/etc/nixos/named/m-labs-intl.com";
extraConfig =
''
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {
216.218.130.2; # ns1.he.net
213.239.220.50; # ns1.qnetp.net
88.198.32.245; # new qnetp
};
'';
slaves = [
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
"213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net
"88.198.32.245" # new qnetp
];
};
"200-29.98.206.103.in-addr.arpa" = { "200-29.98.206.103.in-addr.arpa" = {
name = "200-29.98.206.103.in-addr.arpa"; name = "200-29.98.206.103.in-addr.arpa";
master = true; master = true;
@ -511,7 +442,7 @@ in
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget vim git file lm_sensors acpi pciutils psmisc nixops_unstable_minimal wget vim git file lm_sensors acpi pciutils psmisc nixopsUnstable
irssi tmux usbutils imagemagick jq zip unzip irssi tmux usbutils imagemagick jq zip unzip
iw iw
nvme-cli nvme-cli
@ -541,8 +472,6 @@ in
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false; services.openssh.settings.PasswordAuthentication = false;
services.openssh.settings.GatewayPorts = "clientspecified"; services.openssh.settings.GatewayPorts = "clientspecified";
services.openssh.settings.X11Forwarding = true;
services.openssh.authorizedKeysInHomedir = false;
programs.mosh.enable = true; programs.mosh.enable = true;
programs.fish.enable = true; programs.fish.enable = true;
@ -570,20 +499,6 @@ in
SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp" SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
''; '';
sound.enable = true;
services.mpd.enable = true;
services.mpd.musicDirectory = "/tank/sb-public/FLAC";
services.mpd.network.listenAddress = "192.168.1.1";
services.mpd.extraConfig =
''
audio_output_format "192000:24:2"
audio_output {
type "alsa"
name "alsa"
device "hw:1,1"
}
'';
users.extraUsers.root = { users.extraUsers.root = {
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
@ -596,7 +511,7 @@ in
users.extraUsers.sb = { users.extraUsers.sb = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["lp" "scanner" "afws" "audio"]; extraGroups = ["lp" "scanner" "afws"];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
@ -606,11 +521,6 @@ in
users.extraUsers.rj = { users.extraUsers.rj = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["afws"]; extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
];
}; };
users.extraUsers.nkrackow = { users.extraUsers.nkrackow = {
isNormalUser = true; isNormalUser = true;
@ -619,41 +529,46 @@ in
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ==" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
]; ];
}; };
users.extraUsers.occheung = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPEvmWmxpFpMgp5fpjKud8ev0cyf/+X5fEpQt/YD/+u4mbvZYPE300DLqQ0h/qjgvaGMz1ndf4idYnRdy+plJEC/+hmlRW5NlcpAr3S/LYAisacgKToFVl+MlBo+emS9Ig=="
];
};
users.extraUsers.spaqin = { users.extraUsers.spaqin = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["lp" "afws"]; extraGroups = ["lp" "scanner" "afws"];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ=="
]; ];
shell = pkgs.zsh; shell = pkgs.zsh;
}; };
users.extraUsers.therobs12 = { users.extraUsers.esavkin = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["lp" "afws"]; extraGroups = ["lp" "afws"];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
]; ];
}; };
users.extraUsers.morgan = { users.extraUsers.morgan = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["lp"];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
]; ];
}; };
users.extraUsers.flo = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
];
};
users.extraUsers.derppening = { users.extraUsers.derppening = {
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
]; ];
}; };
users.extraUsers.dpn = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGChLocYJi8XcSJkIjT2Olm3jPGjtRq5aORa5G9F3OqmjCfvav9Q5+2Mc64XqHtNTffnJuDe4gv+lVJatC0URvPs2HyxXmxRK0jgkkLSUsV2SYLlgMqHW3jsrdh6wKBmkg=="
];
};
users.extraUsers.nix = { users.extraUsers.nix = {
isNormalUser = true; isNormalUser = true;
}; };
@ -662,6 +577,7 @@ in
nix.settings.max-jobs = 10; nix.settings.max-jobs = 10;
nix.nrBuildUsers = 64; nix.nrBuildUsers = 64;
nix.settings.trusted-users = ["sb"];
services.hydra = { services.hydra = {
enable = true; enable = true;
useSubstitutes = true; useSubstitutes = true;
@ -678,10 +594,6 @@ in
job = web:web:web job = web:web:web
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
</runcommand> </runcommand>
<runcommand>
job = web:web:web-intl
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@5.78.86.156:/var/www/m-labs-intl.com/html/
</runcommand>
<runcommand> <runcommand>
job = web:web:nmigen-docs job = web:web:nmigen-docs
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
@ -708,10 +620,6 @@ in
job = artiq:extra-beta:conda-channel job = artiq:extra-beta:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-beta command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-beta
</runcommand> </runcommand>
<runcommand>
job = artiq:extra-beta:msys2-repos
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-beta
</runcommand>
<runcommand> <runcommand>
job = artiq:main:artiq-manual-html job = artiq:main:artiq-manual-html
@ -725,21 +633,17 @@ in
job = artiq:extra:conda-channel job = artiq:extra:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel
</runcommand> </runcommand>
<runcommand>
job = artiq:extra:msys2-repos
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos
</runcommand>
<runcommand> <runcommand>
job = artiq:main-legacy:artiq-manual-html job = artiq:full-legacy:artiq-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-legacy command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-legacy
</runcommand> </runcommand>
<runcommand> <runcommand>
job = artiq:main-legacy:artiq-manual-pdf job = artiq:full-legacy:artiq-manual-latexpdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf-legacy command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-latexpdf-legacy
</runcommand> </runcommand>
<runcommand> <runcommand>
job = artiq:extra-legacy:conda-channel job = artiq:full-legacy:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-legacy command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-legacy
</runcommand> </runcommand>
@ -748,6 +652,11 @@ in
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-archives/$(jq -r '.build' < $HYDRA_JSON) command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-archives/$(jq -r '.build' < $HYDRA_JSON)
</runcommand> </runcommand>
<runcommand>
job = artiq:extra-beta:msys2-repos
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-beta
</runcommand>
<runcommand> <runcommand>
job = artiq:main-nac3:msys2-repos job = artiq:main-nac3:msys2-repos
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-nac3 command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-nac3
@ -784,7 +693,6 @@ in
secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1 secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
experimental-features = nix-command flakes experimental-features = nix-command flakes
''; '';
nix.settings.allowed-uris = "github: gitlab: git+https://"; # https://github.com/NixOS/nix/issues/5039
nix.settings.extra-sandbox-paths = ["/opt"]; nix.settings.extra-sandbox-paths = ["/opt"];
services.mlabs-backup.enable = true; services.mlabs-backup.enable = true;
@ -793,19 +701,11 @@ in
services.gitea = { services.gitea = {
enable = true; enable = true;
appName = "M-Labs Git"; appName = "M-Labs Git";
database = {
type = "postgres";
socket = "/run/postgresql";
};
mailerPasswordFile = "/etc/nixos/secret/mailerpassword"; mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
settings = { settings = {
server = { server = {
ROOT_URL = "https://git.m-labs.hk/"; ROOT_URL = "https://git.m-labs.hk/";
HTTP_PORT = 3001; HTTP_PORT = 3001;
DISABLE_SSH = false;
SSH_CREATE_AUTHORIZED_KEYS_FILE = false;
START_SSH_SERVER = true;
SSH_PORT = 2222;
}; };
indexer = { indexer = {
@ -814,8 +714,7 @@ in
mailer = { mailer = {
ENABLED = true; ENABLED = true;
SMTP_ADDR = "mail.m-labs.hk"; HOST = "mail.m-labs.hk:587";
SMTP_PORT = "587";
FROM = "sysop@m-labs.hk"; FROM = "sysop@m-labs.hk";
USER = "sysop@m-labs.hk"; USER = "sysop@m-labs.hk";
}; };
@ -844,20 +743,12 @@ in
siteUrl = "https://chat.m-labs.hk/"; siteUrl = "https://chat.m-labs.hk/";
mutableConfig = true; mutableConfig = true;
}; };
services.postgresql.package = pkgs.postgresql_12;
services.matterbridge = { services.matterbridge = {
enable = true; enable = true;
configPath = "/etc/nixos/secret/matterbridge.toml"; configPath = "/etc/nixos/secret/matterbridge.toml";
}; };
services.postgresql = {
package = pkgs.postgresql_15;
settings.listen_addresses = pkgs.lib.mkForce "";
identMap =
''
rt rt rt_user
'';
};
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in { nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
nix = super.nix.overrideAttrs(oa: { nix = super.nix.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ]; patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
@ -867,6 +758,7 @@ in
./hydra-conda.patch ./hydra-conda.patch
./hydra-msys2.patch ./hydra-msys2.patch
./hydra-restrictdist.patch ./hydra-restrictdist.patch
./hydra-hack-allowed-uris.patch # work around https://github.com/NixOS/nix/issues/5039
]; ];
hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ]; hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above. doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
@ -889,7 +781,7 @@ in
recommendedTlsSettings = true; recommendedTlsSettings = true;
virtualHosts = let virtualHosts = let
mainWebsite = { mainWebsite = {
addSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
root = "${hydraWwwOutputs}/web"; root = "${hydraWwwOutputs}/web";
extraConfig = '' extraConfig = ''
@ -943,10 +835,10 @@ in
alias = "${hydraWwwOutputs}/artiq-manual-pdf/ARTIQ.pdf"; alias = "${hydraWwwOutputs}/artiq-manual-pdf/ARTIQ.pdf";
}; };
locations."/artiq/manual-legacy/" = { locations."/artiq/manual-legacy/" = {
alias = "${hydraWwwOutputs}/artiq-manual-html-legacy/"; alias = "${hydraWwwOutputs}/artiq-manual-html-legacy/share/doc/artiq-manual/html/";
}; };
locations."=/artiq/manual-legacy.pdf" = { locations."=/artiq/manual-legacy.pdf" = {
alias = "${hydraWwwOutputs}/artiq-manual-pdf-legacy/ARTIQ.pdf"; alias = "${hydraWwwOutputs}/artiq-manual-latexpdf-legacy/share/doc/artiq-manual/ARTIQ.pdf";
}; };
# legacy content # legacy content
@ -982,12 +874,6 @@ in
autoindex on; autoindex on;
''; '';
}; };
locations."/artiq/" = {
alias = "${hydraWwwOutputs}/artiq-msys2-repos/";
extraConfig = ''
autoindex on;
'';
};
locations."/artiq-nac3/" = { locations."/artiq-nac3/" = {
alias = "${hydraWwwOutputs}/artiq-msys2-repos-nac3/"; alias = "${hydraWwwOutputs}/artiq-msys2-repos-nac3/";
extraConfig = '' extraConfig = ''
@ -1068,14 +954,20 @@ in
"forum.m-labs.hk" = { "forum.m-labs.hk" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
root = "/var/www/flarum/public";
locations."~ \.php$".extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
fastcgi_index index.php;
'';
extraConfig = ''
index index.php;
include /var/www/flarum/.nginx.conf;
'';
}; };
"perso.m-labs.hk" = { "perso.m-labs.hk" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
root = "/var/www/perso"; root = "/var/www/perso";
extraConfig = ''
autoindex on;
'';
}; };
"rt.m-labs.hk" = { "rt.m-labs.hk" = {
forceSSL = true; forceSSL = true;
@ -1139,18 +1031,23 @@ in
}; };
}; };
}; };
services.mysql = { services.mysql = {
enable = true; enable = true;
package = pkgs.lib.mkForce pkgs.mariadb; package = pkgs.mariadb;
ensureDatabases = pkgs.lib.mkForce [];
ensureUsers = pkgs.lib.mkForce [];
}; };
services.flarum = { services.phpfpm.pools.flarum = {
enable = true; user = "nobody";
package = pkgs.callPackage ./flarum {}; settings = {
domain = "forum.m-labs.hk"; "listen.owner" = "nginx";
createDatabaseLocally = true; "listen.group" = "nginx";
"listen.mode" = "0600";
"pm" = "dynamic";
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
};
}; };
services.rt = { services.rt = {
@ -1183,11 +1080,10 @@ in
enable = true; enable = true;
localDnsResolver = false; # conflicts with dnsmasq localDnsResolver = false; # conflicts with dnsmasq
fqdn = "mail.m-labs.hk"; fqdn = "mail.m-labs.hk";
domains = [ "m-labs.hk" "m-labs.ph" "m-labs-intl.com" "193thz.com" "malloctech.fr" ]; domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ];
enablePop3 = true; enablePop3 = true;
enablePop3Ssl = true; enablePop3Ssl = true;
certificateScheme = "acme-nginx"; certificateScheme = "acme-nginx";
policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
} // (import /etc/nixos/secret/email_settings.nix); } // (import /etc/nixos/secret/email_settings.nix);
services.roundcube = { services.roundcube = {
enable = true; enable = true;
@ -1201,14 +1097,12 @@ in
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud29; package = pkgs.nextcloud27;
hostName = "files.m-labs.hk"; hostName = "files.m-labs.hk";
https = true; https = true;
maxUploadSize = "2G"; maxUploadSize = "2G";
config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt"; config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
settings.default_phone_region = "HK"; config.defaultPhoneRegion = "HK";
settings.log_type = "file";
phpOptions."opcache.interned_strings_buffer" = "12";
}; };
services.hedgedoc = { services.hedgedoc = {

9876
nixbld-etc-nixos/flarum/composer.lock generated
View File

File diff suppressed because it is too large Load Diff

39
nixbld-etc-nixos/flarum/default.nix
View File

@ -1,39 +0,0 @@
{
lib,
php,
fetchFromGitHub,
fetchpatch,
}:
php.buildComposerProject (finalAttrs: {
pname = "flarum";
version = "1.8.1";
src = fetchFromGitHub {
owner = "flarum";
repo = "flarum";
rev = "v${finalAttrs.version}";
hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
};
patches = [
# Add useful extensions from https://github.com/FriendsOfFlarum
# Extensions included: fof/upload, fof/polls, fof/subscribed
./fof-extensions.patch
];
composerLock = ./composer.lock;
composerStrictValidation = false;
vendorHash = "sha256-z3KVGmILw8MZ4aaSf6IP/0l16LI/Y2yMzY2KMHf4qSg=";
meta = with lib; {
changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
description = "Flarum is a delightfully simple discussion platform for your website";
homepage = "https://github.com/flarum/flarum";
license = lib.licenses.mit;
maintainers = with maintainers; [
fsagbuya
jasonodoom
];
};
})

16
nixbld-etc-nixos/flarum/fof-extensions.patch
View File

@ -1,16 +0,0 @@
diff --git a/composer.json b/composer.json
index c63b5f8..5ad1186 100644
--- a/composer.json
+++ b/composer.json
@@ -37,7 +37,10 @@
"flarum/sticky": "*",
"flarum/subscriptions": "*",
"flarum/suspend": "*",
- "flarum/tags": "*"
+ "flarum/tags": "*",
+ "fof/polls": "*",
+ "fof/subscribed": "*",
+ "fof/upload": "*"
},
"config": {
"preferred-install": "dist",

13
nixbld-etc-nixos/hydra-hack-allowed-uris.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/src/hydra-eval-jobs/hydra-eval-jobs.cc b/src/hydra-eval-jobs/hydra-eval-jobs.cc
index 934bf42e..48f2d248 100644
--- a/src/hydra-eval-jobs/hydra-eval-jobs.cc
+++ b/src/hydra-eval-jobs/hydra-eval-jobs.cc
@@ -281,6 +281,8 @@ int main(int argc, char * * argv)
to the environment. */
evalSettings.restrictEval = true;
+ evalSettings.allowedUris = {"https://github.com/m-labs/", "https://git.m-labs.hk/m-labs/", "https://gitlab.com/duke-artiq/"};
+
/* When building a flake, use pure evaluation (no access to
'getEnv', 'currentSystem' etc. */
evalSettings.pureEval = myArgs.flake;

5
nixbld-etc-nixos/named/193thz.com
View File

@ -1,7 +1,7 @@
$TTL 7200 $TTL 7200
@ SOA ns.193thz.com. sb.m-labs.hk. ( @ SOA ns.193thz.com. sb.m-labs.hk. (
2024060201 2023121301
7200 7200
3600 3600
86400 86400
@ -12,12 +12,11 @@ $TTL 7200
NS ns1.he.net. NS ns1.he.net.
A 94.190.212.123 A 94.190.212.123
A 202.77.7.238
AAAA 2001:470:18:390::2 AAAA 2001:470:18:390::2
MX 10 mail.m-labs.hk. MX 10 mail.m-labs.hk.
TXT "v=spf1 mx a:router.alt.m-labs.hk -all" TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
TXT "google-site-verification=5eIjLyhM_siRg5Fc2Z3AMSbheH0JFOn5iR3TCEXakqU" TXT "google-site-verification=5eIjLyhM_siRg5Fc2Z3AMSbheH0JFOn5iR3TCEXakqU"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512" CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
ns A 94.190.212.123 ns A 94.190.212.123

4
nixbld-etc-nixos/named/200-29.98.206.103.in-addr.arpa
View File

@ -1,7 +1,7 @@
$TTL 7200 $TTL 7200
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. ( @ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
2024060201 2024010901
7200 7200
3600 3600
86400 86400
@ -10,7 +10,7 @@ $TTL 7200
NS NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. NS NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
NS ns1.he.net. NS ns1.he.net.
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512" CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
200 PTR router.alt.m-labs.hk. 200 PTR router.alt.m-labs.hk.
201 PTR stewardship1.alt.m-labs.hk. 201 PTR stewardship1.alt.m-labs.hk.

31
nixbld-etc-nixos/named/m-labs-intl.com
View File

@ -1,31 +0,0 @@
$TTL 7200
@ SOA ns.m-labs-intl.com. sb.m-labs.hk. (
2024081503
7200
3600
86400
600)
NS ns.m-labs-intl.com.
NS ns1.he.net.
NS ns1.qnetp.net.
A 5.78.86.156
AAAA 2a01:4ff:1f0:83de::1
MX 10 mail.m-labs-intl.com.
TXT "v=spf1 mx -all"
TXT "google-site-verification=BlQd5_5wWW7calKC7bZA0GdoxR8-zj4gwJEg9sGJ3l8"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1768317117"
ns A 94.190.212.123
ns AAAA 2001:470:18:390::2
mail A 5.78.86.156
mail AAAA 2a01:4ff:1f0:83de::1
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
www CNAME @
hooks CNAME @

16
nixbld-etc-nixos/named/m-labs.hk
View File

@ -1,7 +1,7 @@
$TTL 7200 $TTL 7200
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. ( @ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
2024080501 2024010901
7200 7200
3600 3600
86400 86400
@ -13,16 +13,14 @@ $TTL 7200
NS ns1.he.net. NS ns1.he.net.
A 94.190.212.123 A 94.190.212.123
A 202.77.7.238
AAAA 2001:470:18:390::2 AAAA 2001:470:18:390::2
MX 10 mail.m-labs.hk. MX 10 mail.m-labs.hk.
TXT "v=spf1 mx a:router.alt.m-labs.hk -all" TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
TXT "google-site-verification=Tf_TEGZLG7-2BE70hMjLnzjDZ1qUeUZ6vxzbl1sagT8" TXT "google-site-verification=Tf_TEGZLG7-2BE70hMjLnzjDZ1qUeUZ6vxzbl1sagT8"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512" CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
mail A 94.190.212.123 mail A 94.190.212.123
mail A 202.77.7.238
mail AAAA 2001:470:18:390::2 mail AAAA 2001:470:18:390::2
mail._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl38A/Z0IInVU157qzrWgMfYm2iDHoWZsTyiiOoZdT7kHMzS/M2OMXMt7r5g1/7pCPClsGUDJvKGqVMmjJuPleMyKHwpGeT92qDNEFpt6ahneap/oYx5eBYM/vGcgmleNxyIoBHsptaZvqD4vCEFaC22f8UL5QAgQD3wCH3FwlpQIDAQAB" mail._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl38A/Z0IInVU157qzrWgMfYm2iDHoWZsTyiiOoZdT7kHMzS/M2OMXMt7r5g1/7pCPClsGUDJvKGqVMmjJuPleMyKHwpGeT92qDNEFpt6ahneap/oYx5eBYM/vGcgmleNxyIoBHsptaZvqD4vCEFaC22f8UL5QAgQD3wCH3FwlpQIDAQAB"
_dmarc TXT "v=DMARC1; p=none" _dmarc TXT "v=DMARC1; p=none"
@ -43,7 +41,17 @@ files CNAME @
docs CNAME @ docs CNAME @
rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93 rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93
rpi-2 AAAA 2001:470:f891:1:ba27:ebff:fef0:e9e6
rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9 rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9
chiron AAAA 2001:470:f891:1:7f02:9ebf:bee9:3dc7
old-nixbld AAAA 2001:470:f891:1:a07b:f49a:a4ef:aad9
zeus AAAA 2001:470:f891:1:4fd7:e70a:68bf:e9c1
franz AAAA 2001:470:f891:1:1b65:a743:2335:f5c6
hera AAAA 2001:470:f891:1:8b5e:404d:ef4e:9d92
hestia AAAA 2001:470:f891:1:881c:f409:a090:8401
vulcan AAAA 2001:470:f891:1:105d:3f15:bd53:c5ac
aux A 42.200.147.171
router.alt A 103.206.98.200 router.alt A 103.206.98.200
stewardship1.alt A 103.206.98.201 stewardship1.alt A 103.206.98.201

5
nixbld-etc-nixos/named/m-labs.ph
View File

@ -1,7 +1,7 @@
$TTL 7200 $TTL 7200
@ SOA ns1.m-labs.ph. sb.m-labs.hk. ( @ SOA ns1.m-labs.ph. sb.m-labs.hk. (
2024060201 2024010901
7200 7200
3600 3600
86400 86400
@ -12,12 +12,11 @@ $TTL 7200
NS ns1.he.net. NS ns1.he.net.
A 94.190.212.123 A 94.190.212.123
A 202.77.7.238
AAAA 2001:470:18:390::2 AAAA 2001:470:18:390::2
MX 10 mail.m-labs.hk. MX 10 mail.m-labs.hk.
TXT "v=spf1 mx a:router.alt.m-labs.hk -all" TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
TXT "google-site-verification=g2k8M1fhbYOPs4C37SeGCfNlD6paWcexamji1DXrp0o" TXT "google-site-verification=g2k8M1fhbYOPs4C37SeGCfNlD6paWcexamji1DXrp0o"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512" CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
ns1 A 94.190.212.123 ns1 A 94.190.212.123
ns1 AAAA 2001:470:18:390::2 ns1 AAAA 2001:470:18:390::2

4
nixbld-etc-nixos/named/malloctech.fr
View File

@ -1,7 +1,7 @@
$TTL 7200 $TTL 7200
@ SOA ns.malloctech.fr. sb.m-labs.hk. ( @ SOA ns.malloctech.fr. sb.m-labs.hk. (
2024060201 2024010901
7200 7200
3600 3600
86400 86400
@ -14,7 +14,7 @@ $TTL 7200
MX 10 mail.m-labs.hk. MX 10 mail.m-labs.hk.
TXT "v=spf1 mx a:router.alt.m-labs.hk -all" TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
TXT "google-site-verification=LALF-fafTnmkL-18m3CzwFjSwEV1C7NeKexiNfMYsOw" TXT "google-site-verification=LALF-fafTnmkL-18m3CzwFjSwEV1C7NeKexiNfMYsOw"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512" CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
ns A 94.190.212.123 ns A 94.190.212.123
ns AAAA 2001:470:18:390::2 ns AAAA 2001:470:18:390::2

18
nixbld-etc-nixos/rt.nix
View File

@ -19,9 +19,14 @@ let
Set($Timezone, '${cfg.timeZone}'); Set($Timezone, '${cfg.timeZone}');
Set($DatabaseType, 'Pg'); Set($DatabaseType, 'Pg');
Set($DatabaseHost, '/run/postgresql'); Set($DatabaseHost, 'localhost');
Set($DatabaseUser, 'rt'); Set($DatabaseUser, 'rt_user');
Set($DatabaseName, 'rt5'); Set($DatabaseName, 'rt5');
# Read database password from file
open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
my $dbpw = do { local $/; <$fh> };
$dbpw =~ s/^\s+|\s+$//g;
Set($DatabasePassword, $dbpw);
# System (Logging) # System (Logging)
Set($LogToSTDERR, undef); # Don't log twice Set($LogToSTDERR, undef); # Don't log twice
@ -149,6 +154,13 @@ in {
type = str; type = str;
}; };
dbPasswordFile = mkOption {
description = "File containing the database password";
type = str;
default = "/etc/nixos/secret/rtpasswd";
internal = true;
};
domain = mkOption { domain = mkOption {
description = "Which domain RT is running on"; description = "Which domain RT is running on";
type = str; type = str;
@ -233,6 +245,8 @@ in {
PrivateNetwork = false; PrivateNetwork = false;
MemoryDenyWriteExecute = false; MemoryDenyWriteExecute = false;
ReadOnlyPaths = [ cfg.dbPasswordFile ];
}; };
environment = { environment = {

45
nixops/athena-hardware-configuration.nix
View File

@ -1,45 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/89463254-b38d-45db-92b6-0f7d92a44f47";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/F84B-ACC5";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "23.11";
}

1
nixops/chiron-hardware-configuration.nix
View File

@ -18,7 +18,6 @@
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/060C-8772"; { device = "/dev/disk/by-uuid/060C-8772";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
}; };
swapDevices = [ ]; swapDevices = [ ];

11
nixops/common-users.nix
View File

@ -78,14 +78,14 @@
}; };
linuswck = { linuswck = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["plugdev" "dialout" "wireshark" "libvirtd"]; extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAFYwmik6/xY1vb9aKBOpKklKOwSJJ0PEgNwWNULghZGJ0g4CTk04LXLSMYBm1SW74df8YMgaE/eoidq6smN6hKIgo8s3qPQGZAi4UXffMs2ciqXNa/zZcCu3PyZvyksxA==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAFYwmik6/xY1vb9aKBOpKklKOwSJJ0PEgNwWNULghZGJ0g4CTk04LXLSMYBm1SW74df8YMgaE/eoidq6smN6hKIgo8s3qPQGZAi4UXffMs2ciqXNa/zZcCu3PyZvyksxA=="
]; ];
}; };
morgan = { morgan = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["plugdev" "dialout" "wireshark" "libvirtd"]; extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
]; ];
@ -104,13 +104,6 @@
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
]; ];
}; };
therobs12 = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
];
};
dpn = { dpn = {
isNormalUser = true; isNormalUser = true;

1
nixops/demeter-hardware-configuration.nix
View File

@ -21,7 +21,6 @@
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/76A2-F01F"; { device = "/dev/disk/by-uuid/76A2-F01F";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
}; };
swapDevices = [ ]; swapDevices = [ ];

15
nixops/desktop.nix
View File

@ -10,9 +10,6 @@ in
nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
programs.command-not-found.dbPath = "${pkgs.path}/programs.sqlite"; programs.command-not-found.dbPath = "${pkgs.path}/programs.sqlite";
boot.loader.systemd-boot.memtest86.enable = true;
boot.loader.grub.memtest86.enable = true;
imports = imports =
[ [
(./. + "/${host}-hardware-configuration.nix") (./. + "/${host}-hardware-configuration.nix")
@ -65,7 +62,6 @@ in
xsane xsane
gtkwave unzip zip gnupg gtkwave unzip zip gnupg
gnome3.gnome-tweaks gnome3.gnome-tweaks
gnome3.ghex
jq sublime3 rink qemu_kvm jq sublime3 rink qemu_kvm
tmux screen gdb minicom picocom tmux screen gdb minicom picocom
artiq.packages.x86_64-linux.openocd-bscanspi artiq.packages.x86_64-linux.openocd-bscanspi
@ -93,7 +89,6 @@ in
services.avscan.enable = true; services.avscan.enable = true;
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.authorizedKeysInHomedir = false;
services.openssh.settings.PasswordAuthentication = false; services.openssh.settings.PasswordAuthentication = false;
services.openssh.extraConfig = services.openssh.extraConfig =
'' ''
@ -126,7 +121,7 @@ in
}; };
services.avahi = { services.avahi = {
enable = true; enable = true;
nssmdns4 = true; nssmdns = true;
}; };
# Enable sound. # Enable sound.
@ -139,12 +134,16 @@ in
hardware.opengl.driSupport32Bit = true; hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.support32Bit = true; hardware.pulseaudio.support32Bit = true;
i18n.inputMethod = {
enabled = "fcitx5";
fcitx5.addons = [ pkgs.fcitx5-table-extra pkgs.fcitx5-m17n ];
};
fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ]; fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
# Enable the X11 windowing system. # Enable the X11 windowing system.
services.xserver.enable = true; services.xserver.enable = true;
services.xserver.xkb.layout = "us"; services.xserver.layout = "us";
services.xserver.xkb.options = "eurosign:e"; services.xserver.xkbOptions = "eurosign:e";
services.xserver.displayManager.gdm.enable = true; services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true; services.xserver.desktopManager.gnome.enable = true;

4
nixops/experimental-users.nix Normal file
View File

@ -0,0 +1,4 @@
{ pkgs, ... }:
{
}

3
nixops/extra-udev.nix
View File

@ -21,7 +21,4 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="2109", ATTRS{idProduct}=="2812", MODE="0660"
# LibreVNA # LibreVNA
SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev" SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev" SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
# DSLogic
SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
'' ''

2
nixops/franz-hardware-configuration.nix
View File

@ -10,6 +10,7 @@
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelPackages = pkgs.linuxPackages_5_15;
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.blacklistedKernelModules = [ "iwlwifi" ]; boot.blacklistedKernelModules = [ "iwlwifi" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
@ -23,7 +24,6 @@
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A33B-F001"; { device = "/dev/disk/by-uuid/A33B-F001";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
}; };
swapDevices = [ ]; swapDevices = [ ];

1
nixops/hera-hardware-configuration.nix
View File

@ -18,7 +18,6 @@
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/8C30-F6DC"; { device = "/dev/disk/by-uuid/8C30-F6DC";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
}; };
swapDevices = [ ]; swapDevices = [ ];

1
nixops/hestia-hardware-configuration.nix
View File

@ -18,7 +18,6 @@
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/E085-5F21"; { device = "/dev/disk/by-uuid/E085-5F21";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
}; };
swapDevices = [ ]; swapDevices = [ ];

15
nixops/juno-hardware-configuration.nix
View File

@ -8,9 +8,9 @@
[ (modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "ehci_pci" "ata_piix" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
@ -18,6 +18,11 @@
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/4E51-B390";
fsType = "vfat";
};
swapDevices = [ ]; swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@ -25,13 +30,13 @@
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true; # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true; hardware.cpu.intel.updateMicrocode = true;
boot.loader.grub.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.grub.device = "/dev/sda"; boot.loader.efi.canTouchEfiVariables = true;
nixpkgs.config.nvidia.acceptLicense = true; nixpkgs.config.nvidia.acceptLicense = true;
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470; hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;

43
nixops/jupiter-hardware-configuration.nix
View File

@ -1,43 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/315af039-6799-43ac-8999-7da69a6fbd1e";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/45B7-790E";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
system.stateVersion = "24.05";
}

7
nixops/nixops.nix
View File

@ -6,6 +6,8 @@
network.enableRollback = true; network.enableRollback = true;
rpi-1 = import ./rpi.nix { host = "rpi-1"; rpi4 = true; }; rpi-1 = import ./rpi.nix { host = "rpi-1"; rpi4 = true; };
rpi-2 = import ./rpi.nix { host = "rpi-2"; rpi4 = false; experimental-users = true; };
rpi-3 = import ./rpi.nix { host = "rpi-3"; rpi4 = true; };
rpi-4 = import ./rpi.nix { host = "rpi-4"; rpi4 = true; }; rpi-4 = import ./rpi.nix { host = "rpi-4"; rpi4 = true; };
zeus = import ./desktop.nix { host = "zeus"; }; zeus = import ./desktop.nix { host = "zeus"; };
hera = import ./desktop.nix { host = "hera"; }; hera = import ./desktop.nix { host = "hera"; };
@ -15,9 +17,4 @@
franz = import ./desktop.nix { host = "franz"; }; franz = import ./desktop.nix { host = "franz"; };
juno = import ./desktop.nix { host = "juno"; }; juno = import ./desktop.nix { host = "juno"; };
demeter = import ./desktop.nix { host = "demeter"; }; demeter = import ./desktop.nix { host = "demeter"; };
vulcan = import ./desktop.nix { host = "vulcan"; };
rc = import ./desktop.nix { host = "rc"; };
athena = import ./desktop.nix { host = "athena"; };
jupiter = import ./desktop.nix { host = "jupiter"; };
saturn = import ./desktop.nix { host = "saturn"; };
} }

1
nixops/old-nixbld-hardware-configuration.nix
View File

@ -21,7 +21,6 @@
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/D0A3-DDAE"; { device = "/dev/disk/by-uuid/D0A3-DDAE";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
}; };
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

50
nixops/rc-hardware-configuration.nix
View File

@ -1,50 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/348c924c-1d86-44ff-84af-2594f414e7d0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/1BDC-44BB";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/opt" =
{ device = "/dev/disk/by-uuid/cf0f51b6-7b95-4c74-9390-37dc4c86f32b";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "23.11";
}

6
nixops/rpi.nix
View File

@ -24,7 +24,6 @@ in
}; };
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.authorizedKeysInHomedir = false;
services.openssh.settings.PasswordAuthentication = false; services.openssh.settings.PasswordAuthentication = false;
services.openssh.settings.GatewayPorts = "clientspecified"; services.openssh.settings.GatewayPorts = "clientspecified";
services.openssh.extraConfig = services.openssh.extraConfig =
@ -35,12 +34,15 @@ in
networking.hostName = host; networking.hostName = host;
networking.firewall.allowedTCPPorts = if host == "rpi-2" then [ 6000 ] else [];
time.timeZone = "Asia/Hong_Kong"; time.timeZone = "Asia/Hong_Kong";
users.extraGroups.plugdev = { }; users.extraGroups.plugdev = { };
users.mutableUsers = false; users.mutableUsers = false;
users.defaultUserShell = pkgs.fish; users.defaultUserShell = pkgs.fish;
users.extraUsers = (import ./common-users.nix { inherit pkgs; }) // { users.extraUsers = (import ./common-users.nix { inherit pkgs; }) //
(pkgs.lib.optionalAttrs experimental-users (import ./experimental-users.nix { inherit pkgs; })) // {
nixbld = { nixbld = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["plugdev" "dialout"]; extraGroups = ["plugdev" "dialout"];

43
nixops/saturn-hardware-configuration.nix
View File

@ -1,43 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/51d521ec-4807-4b71-8a89-116b89f72d2e";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/877D-AF6A";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
system.stateVersion = "24.05";
}

41
nixops/vulcan-hardware-configuration.nix
View File

@ -1,41 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/67168ae0-6448-4b40-b278-406290224b4f";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/8F4B-AD84";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "23.05";
}

1
nixops/zeus-hardware-configuration.nix
View File

@ -18,7 +18,6 @@
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/91B4-E546"; { device = "/dev/disk/by-uuid/91B4-E546";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
}; };
swapDevices = [ ]; swapDevices = [ ];

49
remote-ipsec.txt
View File

@ -1,49 +0,0 @@
connections {
bypass-ipsec {
remote_addrs = 127.0.0.1
children {
bypass-isakmp-v4 {
local_ts = 0.0.0.0/0[udp/isakmp]
remote_ts = 0.0.0.0/0[udp/isakmp]
mode = pass
start_action = trap
}
bypass-isakmp-v6 {
local_ts = ::/0[udp/isakmp]
remote_ts = ::/0[udp/isakmp]
mode = pass
start_action = trap
}
}
}
m_labs {
version = 2
encap = no
mobike = no
send_certreq = no
proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
local_addrs = 103.206.98.1
remote_addrs = 94.190.212.123
local {
auth = pubkey
id = fqdn:igw0.hkg.as150788.net
pubkeys = igw0.hkg.as150788.net
}
remote {
auth = pubkey
id = fqdn:m-labs.hk
pubkeys = m-labs.hk
}
children {
con1 {
mode = transport
ah_proposals = sha256-curve25519,sha256-ecp256
esp_proposals =
local_ts = 103.206.98.1[gre]
remote_ts = 94.190.212.123[gre]
start_action = none
close_action = none
}
}
}
}