# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
{ config, pkgs, ... }:
let
netifWan = "enp4s0";
netifLan = "enp5s0f1";
netifWifi = "wlp6s0";
netifSit = "henet0";
hydraWwwOutputs = "/var/www/hydra-outputs";
in
{
imports =
[
./hardware-configuration.nix
./backup-module.nix
./github-backup-module.nix
./afws-module.nix
./rt.nix
(builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/008d78cc21959e33d0d31f375b88353a7d7121ae/nixos-mailserver-nixos.tar.gz";
sha256 = "sha256:0pnfyg4icsvrw390a227m8b1j5w8awicx5aza3d0fiyyzpnrpn5a";
})
];
boot.loader.grub.enable = true;
boot.loader.grub.copyKernels = true;
boot.loader.grub.device = "nodev";
boot.loader.grub.efiSupport = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.amd.updateMicrocode = true;
boot.supportedFilesystems = ["zfs"];
boot.kernelParams = ["zfs.l2arc_write_max=536870912"];
boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];
services.zfs.autoScrub.enable = true;
services.zfs.autoScrub.interval = "monthly";
services.zfs.autoSnapshot.enable = true;
systemd.suppressedSystemUnits = [
"hibernate.target"
"suspend.target"
"suspend-then-hibernate.target"
"sleep.target"
"hybrid-sleep.target"
"systemd-hibernate.service"
"systemd-hybrid-sleep.service"
"systemd-suspend.service"
"systemd-suspend-then-hibernate.service"
];
services.fail2ban.enable = true;
services.fail2ban.ignoreIP = [ "94.190.212.123" "2001:470:18:390::2" ];
services.fail2ban.maxretry = 9;
services.fail2ban.bantime-increment.enable = true;
services.fail2ban.jails.sshd = {
settings = {
filter = "sshd";
action = "iptables-allports";
};
};
services.fail2ban.jails.nginx-botsearch = {
settings = {
filter = "nginx-botsearch";
action = "iptables-allports";
};
};
services.fail2ban.jails.nginx-limit-req = {
settings = {
filter = "nginx-limit-req";
action = "iptables-allports";
};
};
services.fail2ban.jails.postfix = {
settings = {
filter = "postfix";
action = "iptables-allports";
};
};
services.fail2ban.jails.dovecot = {
settings = {
filter = "dovecot";
action = "iptables-allports";
};
};
networking = {
hostName = "nixbld";
hostId = "e423f012";
firewall = {
allowedTCPPorts = [ 53 80 443 7402 ];
allowedUDPPorts = [ 53 67 500 4500 ];
trustedInterfaces = [ netifLan ];
};
interfaces."${netifWan}".useDHCP = true;
interfaces."${netifLan}" = {
ipv4.addresses = [{
address = "192.168.1.1";
prefixLength = 24;
}];
ipv6.addresses = [{
address = "2001:470:f891:1::";
prefixLength = 64;
}];
# https://unix.stackexchange.com/questions/423502/iproute2-inherit-or-copy-table
# we just copy what matters here. Ugly but easier.
ipv4.routes = [
{
address = "192.168.1.0";
prefixLength = 24;
options.table = "1";
}
];
};
interfaces."${netifWifi}" = {
ipv4.addresses = [{
address = "192.168.12.1";
prefixLength = 24;
}];
ipv6.addresses = [{
address = "2001:470:f891:2::";
prefixLength = 64;
}];
};
nat = {
enable = true;
externalInterface = netifWan;
internalInterfaces = [ netifLan netifWifi ];
forwardPorts = [
{ sourcePort = 2201; destination = "192.168.1.201:22"; proto = "tcp"; }
{ sourcePort = 2202; destination = "192.168.1.202:22"; proto = "tcp"; }
{ sourcePort = 2203; destination = "192.168.1.203:22"; proto = "tcp"; }
{ sourcePort = 2204; destination = "192.168.1.204:22"; proto = "tcp"; }
];
extraCommands = ''
iptables -w -N block-lan-from-wifi
iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
iptables -w -A FORWARD -j block-lan-from-wifi
iptables -w -N block-insecure-devices
iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope
iptables -w -A block-insecure-devices -m mac --mac-source 00:0a:35:00:01:23 -j DROP # function generator
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:21:f1:ee -j DROP # siglent scope #2
iptables -w -A block-insecure-devices -m mac --mac-source 00:19:af:5b:dd:58 -j DROP # power supply
iptables -w -A block-insecure-devices -m mac --mac-source 28:58:be:dc:66:1f -j DROP # hikvision low-cost 780nm laser viewer
iptables -w -A block-insecure-devices -m mac --mac-source bc:99:11:a4:d2:ac -j DROP # zyxel cloud switch
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
iptables -w -A FORWARD -j block-insecure-devices
'';
extraStopCommands = ''
iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
iptables -w -F block-lan-from-wifi 2>/dev/null|| true
iptables -w -X block-lan-from-wifi 2>/dev/null|| true
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
iptables -w -F block-insecure-devices 2>/dev/null|| true
iptables -w -X block-insecure-devices 2>/dev/null|| true
'';
};
sits."${netifSit}" = {
dev = netifWan;
remote = "216.218.221.6";
local = "94.190.212.123";
ttl = 255;
};
interfaces."${netifSit}".ipv6 = {
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
routes = [{ address = "::"; prefixLength = 0; }];
};
greTunnels.alt0 = {
dev = netifWan;
remote = "103.206.98.1";
local = "94.190.212.123";
ttl = 255;
type = "tun";
};
interfaces.alt0 = {
ipv4.addresses = [
{
address = "103.206.98.227";
prefixLength = 31;
}
];
ipv4.routes = [
{
address = "0.0.0.0";
prefixLength = 0;
via = "103.206.98.226";
options.table = "1";
}
];
};
vlans = {
vlan0 = {
id = 2;
interface = netifLan;
};
};
interfaces.vlan0 = {
ipv4.addresses = [{
address = "103.206.98.200";
prefixLength = 29;
}];
ipv4.routes = [
{
address = "103.206.98.200";
prefixLength = 29;
options.table = "1";
}
];
};
};
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1";
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
services.strongswan-swanctl.enable = true;
services.strongswan-swanctl.swanctl.connections.altnet = {
local_addrs = [ "94.190.212.123" ];
remote_addrs = [ "103.206.98.1" ];
local.main = {
auth = "pubkey";
id = "fqdn:m-labs.hk";
pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
};
remote.main = {
auth = "pubkey";
id = "fqdn:igw0.hkg.as150788.net";
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
};
children.alt0 = {
mode = "transport";
ah_proposals = [ "sha256-curve25519" ];
remote_ts = [ "103.206.98.1[gre]" ];
local_ts = [ "94.190.212.123[gre]" ];
start_action = "start";
};
};
systemd.services.custom-network-setup = {
wantedBy = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.0/24 table 1";
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
};
};
# https://kb.isc.org/docs/dnssec-key-and-signing-policy
# chown named.named /etc/nixos/named
services.bind = {
enable = true;
listenOn = [ "94.190.212.123" ];
listenOnIpv6 = [ "2001:470:18:390::2" ];
forwarders = [];
extraOptions = "listen-on-v6 port 5354 { ::1; };";
cacheNetworks = [ "::1/128" ];
directory = "/etc/nixos/named";
zones = {
"m-labs.hk" = {
name = "m-labs.hk";
master = true;
file = "/etc/nixos/named/m-labs.hk";
extraConfig =
''
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {
213.239.220.50; # ns1.qnetp.net
216.218.130.2; # ns1.he.net
88.198.32.245; # new qnetp
};
'';
slaves = [
"213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
"88.198.32.245" # new qnetp
];
};
"m-labs.ph" = {
name = "m-labs.ph";
master = true;
file = "/etc/nixos/named/m-labs.ph";
extraConfig =
''
notify explicit;
also-notify {
216.218.130.2; # ns1.he.net
};
'';
slaves = [
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
];
};
"193thz.com" = {
name = "193thz.com";
master = true;
file = "/etc/nixos/named/193thz.com";
extraConfig =
''
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {
216.218.130.2; # ns1.he.net
};
'';
slaves = [
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
];
};
"malloctech.fr" = {
name = "malloctech.fr";
master = true;
file = "/etc/nixos/named/malloctech.fr";
extraConfig =
''
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {
216.218.130.2; # ns1.he.net
};
'';
slaves = [
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
];
};
"200-29.98.206.103.in-addr.arpa" = {
name = "200-29.98.206.103.in-addr.arpa";
master = true;
file = "/etc/nixos/named/200-29.98.206.103.in-addr.arpa";
extraConfig =
''
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {
216.218.130.2; # ns1.he.net
};
'';
slaves = [
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
];
};
};
extraConfig = ''
zone "mil." IN {
type forward;
forward only;
forwarders { 74.82.42.42; };
};
'';
};
services.hostapd = {
enable = true;
radios.${netifWifi} = {
band = "2g";
countryCode = "HK";
networks.${netifWifi} = {
ssid = "M-Labs";
authentication.saePasswords = [
{ password = (import /etc/nixos/secret/wifi_password.nix); }
];
};
};
};
services.dnsmasq = {
enable = true;
settings = {
server = ["::1#5354"];
interface = [ netifLan netifWifi ];
bind-interfaces = true;
dhcp-range = [
"interface:${netifLan},192.168.1.81,192.168.1.254,24h"
"interface:${netifWifi},192.168.12.10,192.168.12.254,24h"
"interface:${netifLan},::,constructor:${netifLan},ra-names"
"interface:${netifWifi},::,constructor:${netifWifi},ra-only"
];
enable-ra = true;
no-resolv = true;
dhcp-host = [
# Static IPv4s to make Red Pitayas with factory firmware less annoying
"rp-f05cc9,192.168.1.190"
"rp-f0612e,192.168.1.191"
# Static IPv4s to make port redirections work
"rpi-1,192.168.1.201"
"rpi-2,192.168.1.202"
"rpi-3,192.168.1.203"
"rpi-4,192.168.1.204"
];
address = [
# Static IP addresses for non-DHCP boards
"/thermostat/192.168.1.26"
"/powercycler/192.168.1.31"
"/kc705/192.168.1.50"
"/zynq-experiments/192.168.1.51"
"/zc706/192.168.1.52"
"/zc706-2/192.168.1.53"
"/cora-z7/192.168.1.54"
"/rust-pitaya/192.168.1.55"
"/kasli/192.168.1.70"
"/kasli-customer/192.168.1.75"
"/stabilizer-customer/192.168.1.76"
# Google can't do DNS geolocation correctly and slows down websites of everyone using
# their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
# cannot reach.
"/fonts.googleapis.com/142.250.207.74"
];
dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
dhcp-boot = [
"tag:!ipxe,ipxe.efi"
"tag:ipxe,http://m-labs.hk/nuc-netboot/netboot.ipxe"
];
enable-tftp = netifLan;
tftp-root = "${pkgs.ipxe}";
};
};
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "de";
};
# Set your time zone.
time.timeZone = "Asia/Hong_Kong";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim git file lm_sensors acpi pciutils psmisc nixopsUnstable
irssi tmux usbutils imagemagick jq zip unzip
iw
nvme-cli
borgbackup
bind
waypipe
(callPackage ./afws { inherit pkgs; })
(callPackage ./labelprinter { inherit pkgs; })
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# List services that you want to enable:
services.apcupsd.enable = true;
services.apcupsd.configText = ''
UPSTYPE usb
NISIP 127.0.0.1
BATTERYLEVEL 10
MINUTES 5
'';
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
services.openssh.settings.GatewayPorts = "clientspecified";
programs.mosh.enable = true;
programs.fish.enable = true;
programs.zsh.enable = true;
# Enable CUPS to print documents.
services.avahi.enable = true;
services.avahi.allowInterfaces = [ netifLan ];
services.avahi.publish.enable = true;
services.avahi.publish.userServices = true;
nixpkgs.config.allowUnfree = true;
services.printing.enable = true;
services.printing.drivers = [ pkgs.hplipWithPlugin ];
services.printing.browsing = true;
services.printing.listenAddresses = [ "*:631" ];
services.printing.defaultShared = true;
hardware.sane.enable = true;
hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
services.saned.enable = true;
services.saned.extraConfig = "192.168.1.0/24";
services.udev.extraRules =
''
# label printer
SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
'';
users.extraUsers.root = {
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
];
shell = pkgs.fish;
};
# https://github.com/NixOS/nixpkgs/issues/155357
security.sudo.enable = true;
users.extraUsers.sb = {
isNormalUser = true;
extraGroups = ["lp" "scanner" "afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
];
shell = pkgs.fish;
};
users.extraUsers.rj = {
isNormalUser = true;
extraGroups = ["afws"];
};
users.extraUsers.nkrackow = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
];
};
users.extraUsers.spaqin = {
isNormalUser = true;
extraGroups = ["lp" "afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ=="
];
shell = pkgs.zsh;
};
users.extraUsers.therobs12 = {
isNormalUser = true;
extraGroups = ["lp" "afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
];
};
users.extraUsers.morgan = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
];
};
users.extraUsers.derppening = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
];
};
users.extraUsers.nix = {
isNormalUser = true;
};
boot.kernel.sysctl."kernel.dmesg_restrict" = true;
services.udev.packages = [ pkgs.sane-backends ];
nix.settings.max-jobs = 10;
nix.nrBuildUsers = 64;
services.hydra = {
enable = true;
useSubstitutes = true;
hydraURL = "https://nixbld.m-labs.hk";
notificationSender = "hydra@m-labs.hk";
minimumDiskFree = 15; # in GB
minimumDiskFreeEvaluator = 1;
extraConfig =
''
binary_cache_secret_key_file = /etc/nixos/secret/nixbld.m-labs.hk-1
max_output_size = 10000000000
job = web:web:web
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
job = web:web:nmigen-docs
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
job = artiq:sipyco:sipyco-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/sipyco-manual-html
job = artiq:sipyco:sipyco-manual-pdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/sipyco-manual-pdf
job = artiq:main-beta:artiq-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-beta
job = artiq:main-beta:artiq-manual-pdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf-beta
job = artiq:extra-beta:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-beta
job = artiq:main:artiq-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html
job = artiq:main:artiq-manual-pdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf
job = artiq:extra:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel
job = artiq:full-legacy:artiq-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-legacy
job = artiq:full-legacy:artiq-manual-latexpdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-latexpdf-legacy
job = artiq:full-legacy:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-legacy
job = artiq:*:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-archives/$(jq -r '.build' < $HYDRA_JSON)
job = artiq:extra-beta:msys2-repos
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-beta
job = artiq:main-nac3:msys2-repos
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-nac3
jobs = artiq:fast.*:extended-tests
inputs = artiqSrc
useShortContext = 1
authorization = token ${(import /etc/nixos/secret/github_tokens.nix).artiq}
sb=${(import /etc/nixos/secret/gitea_tokens.nix).artiq-zynq}
'';
};
systemd.services.hydra-www-outputs-init = {
description = "Set up a hydra-owned directory for build outputs";
wantedBy = [ "multi-user.target" ];
requiredBy = [ "hydra-queue-runner.service" ];
before = [ "hydra-queue-runner.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = [
"${pkgs.coreutils}/bin/mkdir -p ${hydraWwwOutputs} ${hydraWwwOutputs}/artiq-conda-channel-archives"
"${pkgs.coreutils}/bin/chown hydra-queue-runner:hydra ${hydraWwwOutputs} ${hydraWwwOutputs}/artiq-conda-channel-archives"
];
};
};
services.afws.enable = true;
nix.extraOptions = ''
secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
experimental-features = nix-command flakes
'';
nix.settings.extra-sandbox-paths = ["/opt"];
services.mlabs-backup.enable = true;
services.ghbackup.enable = true;
services.gitea = {
enable = true;
appName = "M-Labs Git";
mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
settings = {
server = {
ROOT_URL = "https://git.m-labs.hk/";
HTTP_PORT = 3001;
};
indexer = {
REPO_INDEXER_ENABLED = true;
};
mailer = {
ENABLED = true;
HOST = "mail.m-labs.hk:587";
FROM = "sysop@m-labs.hk";
USER = "sysop@m-labs.hk";
};
service = {
ENABLE_NOTIFY_MAIL = true;
DISABLE_REGISTRATION = true;
};
attachment = {
ALLOWED_TYPES = "*/*";
};
log.LEVEL = "Warn";
session.COOKIE_SECURE = true;
};
};
systemd.tmpfiles.rules = [
"L+ '${config.services.gitea.stateDir}/custom/templates/home.tmpl' - - - - ${./gitea-home.tmpl}"
"L+ '${config.services.gitea.stateDir}/custom/templates/user/auth/signin.tmpl' - - - - ${./gitea-signin.tmpl}"
];
services.mattermost = {
enable = true;
siteUrl = "https://chat.m-labs.hk/";
mutableConfig = true;
};
services.postgresql.package = pkgs.postgresql_12;
services.matterbridge = {
enable = true;
configPath = "/etc/nixos/secret/matterbridge.toml";
};
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
nix = super.nix.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
});
hydra_unstable = super.hydra_unstable.overrideAttrs(oa: {
patches = oa.patches or [] ++ [
./hydra-conda.patch
./hydra-msys2.patch
./hydra-restrictdist.patch
./hydra-hack-allowed-uris.patch # work around https://github.com/NixOS/nix/issues/5039
];
hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
});
matterbridge = super.matterbridge.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ];
});
};
security.acme.acceptTerms = true;
security.acme.defaults.email = "sb" + "@m-labs.hk";
# https://github.com/NixOS/nixpkgs/issues/106862
systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
systemd.services."acme-fixperms".after = [ "bind.service" "dnsmasq.service" ];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
virtualHosts = let
mainWebsite = {
addSSL = true;
enableACME = true;
root = "${hydraWwwOutputs}/web";
extraConfig = ''
error_page 404 /404.html;
'';
locations."^~ /fonts/".extraConfig = ''
expires 60d;
'';
locations."^~ /js/".extraConfig = ''
expires 60d;
'';
locations."/MathJax/" = {
alias = "/var/www/MathJax/";
extraConfig = ''
expires 60d;
'';
};
locations."/nuc-netboot/".alias = "${import ./defenestrate}/";
# legacy URLs, redirect to avoid breaking people's bookmarks
locations."/gateware.html".extraConfig = ''
return 301 /gateware/migen/;
'';
locations."/migen".extraConfig = ''
return 301 /gateware/migen/;
'';
locations."/artiq".extraConfig = ''
return 301 /experiment-control/artiq/;
'';
locations."/artiq/resources.html".extraConfig = ''
return 301 /experiment-control/resources/;
'';
# autogenerated manuals
locations."/artiq/sipyco-manual/" = {
alias = "${hydraWwwOutputs}/sipyco-manual-html/";
};
locations."=/artiq/sipyco-manual.pdf" = {
alias = "${hydraWwwOutputs}/sipyco-manual-pdf/SiPyCo.pdf";
};
locations."/artiq/manual-beta/" = {
alias = "${hydraWwwOutputs}/artiq-manual-html-beta/";
};
locations."=/artiq/manual-beta.pdf" = {
alias = "${hydraWwwOutputs}/artiq-manual-pdf-beta/ARTIQ.pdf";
};
locations."/artiq/manual/" = {
alias = "${hydraWwwOutputs}/artiq-manual-html/";
};
locations."=/artiq/manual.pdf" = {
alias = "${hydraWwwOutputs}/artiq-manual-pdf/ARTIQ.pdf";
};
locations."/artiq/manual-legacy/" = {
alias = "${hydraWwwOutputs}/artiq-manual-html-legacy/share/doc/artiq-manual/html/";
};
locations."=/artiq/manual-legacy.pdf" = {
alias = "${hydraWwwOutputs}/artiq-manual-latexpdf-legacy/share/doc/artiq-manual/ARTIQ.pdf";
};
# legacy content
locations."/migen/manual/" = {
alias = "/var/www/m-labs.hk.old/migen/manual/";
};
locations."/artiq/manual-release-4/" = {
alias = "/var/www/m-labs.hk.old/artiq/manual-release-4/";
};
locations."/artiq/manual-release-3/" = {
alias = "/var/www/m-labs.hk.old/artiq/manual-release-3/";
};
locations."/artiq/manual-release-2/" = {
alias = "/var/www/m-labs.hk.old/artiq/manual-release-2/";
};
};
in {
"m-labs.hk" = mainWebsite;
"www.m-labs.hk" = mainWebsite;
"m-labs.ph" = mainWebsite;
"www.m-labs.ph" = mainWebsite;
"nixbld.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:3000";
};
"msys2.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/artiq-beta/" = {
alias = "${hydraWwwOutputs}/artiq-msys2-repos-beta/";
extraConfig = ''
autoindex on;
'';
};
locations."/artiq-nac3/" = {
alias = "${hydraWwwOutputs}/artiq-msys2-repos-nac3/";
extraConfig = ''
autoindex on;
'';
};
};
"conda.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/artiq-beta/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel-beta/";
extraConfig = ''
autoindex on;
index bogus_index_file;
'';
};
locations."/artiq/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel/";
extraConfig = ''
autoindex on;
index bogus_index_file;
'';
};
locations."/artiq-legacy/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel-legacy/";
extraConfig = ''
autoindex on;
index bogus_index_file;
'';
};
locations."/artiq-archives/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel-archives/";
extraConfig = ''
autoindex on;
index bogus_index_file;
'';
};
};
"afws.m-labs.hk" = {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:3771";
proxyWebsockets = true;
extraConfig =
''
proxy_read_timeout 2h;
'';
};
};
"git.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
extraConfig = ''
client_max_body_size 300M;
'';
};
"chat.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:8065";
locations."~ /api/v[0-9]+/(users/)?websocket$".proxyPass = "http://127.0.0.1:8065";
locations."~ /api/v[0-9]+/(users/)?websocket$".proxyWebsockets = true;
};
"hooks.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/mattermost-github".extraConfig = ''
include ${pkgs.nginx}/conf/uwsgi_params;
uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-mgi.sock;
'';
locations."/rfq".extraConfig = ''
include ${pkgs.nginx}/conf/uwsgi_params;
uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-rfq.sock;
'';
};
"forum.m-labs.hk" = {
forceSSL = true;
enableACME = true;
root = "/var/www/flarum/public";
locations."~ \.php$".extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
fastcgi_index index.php;
'';
extraConfig = ''
index index.php;
include /var/www/flarum/.nginx.conf;
'';
};
"perso.m-labs.hk" = {
addSSL = true;
enableACME = true;
root = "/var/www/perso";
};
"rt.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:4201";
extraConfig = ''
client_max_body_size 100M;
'';
};
locations."/REST/1.0/NoAuth" = {
proxyPass = "http://127.0.0.1:4201";
extraConfig = ''
client_max_body_size 100M;
allow 127.0.0.1;
deny all;
'';
};
};
"files.m-labs.hk" = {
forceSSL = true;
enableACME = true;
};
"docs.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:9825";
locations."/socket.io/".proxyPass = "http://localhost:9825";
locations."/socket.io/".proxyWebsockets = true;
};
"193thz.com" = {
addSSL = true;
enableACME = true;
root = "/var/www/193thz";
};
"www.193thz.com" = {
addSSL = true;
enableACME = true;
root = "/var/www/193thz";
};
"nmigen.net" = {
addSSL = true;
enableACME = true;
root = "${hydraWwwOutputs}/nmigen-docs";
};
"www.nmigen.net" = {
addSSL = true;
enableACME = true;
root = "${hydraWwwOutputs}/nmigen-docs";
};
};
};
services.uwsgi = {
enable = true;
plugins = [ "python3" ];
instance = {
type = "emperor";
vassals = {
mattermostgithub = import ./mattermost-github-integration/uwsgi-config.nix { inherit config pkgs; };
rfq = import ./rfq/uwsgi-config.nix { inherit config pkgs; };
};
};
};
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
services.phpfpm.pools.flarum = {
user = "nobody";
settings = {
"listen.owner" = "nginx";
"listen.group" = "nginx";
"listen.mode" = "0600";
"pm" = "dynamic";
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
};
};
services.rt = {
enable = true;
package = pkgs.rt.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./rt-session.patch ];
});
organization = "M-Labs";
domain = "rt.m-labs.hk";
rtName = "Helpdesk";
ownerEmail = "sb" + "@m-labs.hk";
commentAddress = "helpdesk" + "@m-labs.hk";
correspondAddress = "helpdesk" + "@m-labs.hk";
sendmailPath = "${pkgs.msmtp}/bin/msmtp";
sendmailArguments = ["-t" "-C" "/etc/nixos/secret/rt_msmtp.conf"];
};
systemd.services.rt-fetchmail = {
description = "Fetchmail for RT";
wantedBy = [ "multi-user.target" ];
after = [ "dovecot2.service" ];
serviceConfig = {
Restart = "on-failure";
User = "rt";
Group = "rt";
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
};
};
mailserver = {
enable = true;
localDnsResolver = false; # conflicts with dnsmasq
fqdn = "mail.m-labs.hk";
domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ];
enablePop3 = true;
enablePop3Ssl = true;
certificateScheme = "acme-nginx";
} // (import /etc/nixos/secret/email_settings.nix);
services.roundcube = {
enable = true;
hostName = "mail.m-labs.hk";
extraConfig = ''
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud27;
hostName = "files.m-labs.hk";
https = true;
maxUploadSize = "2G";
config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
config.defaultPhoneRegion = "HK";
};
services.hedgedoc = {
enable = true;
settings = {
port = 9825;
domain = "docs.m-labs.hk";
protocolUseSSL = true;
allowEmailRegister = false;
allowAnonymous = false;
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
};
};
system.stateVersion = "21.05";
}