# Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, ... }: let netifWan = "enp4s0"; netifLan = "enp5s0f1"; netifWifi = "wlp6s0"; netifSit = "henet0"; hydraWwwOutputs = "/var/www/hydra-outputs"; in { imports = [ ./hardware-configuration.nix ./backup-module.nix ./github-backup-module.nix ./afws-module.nix ./rt.nix (builtins.fetchTarball { url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/4966c0f63f04659015f064f2aa34b1893a16dfde/nixos-mailserver-nixos.tar.gz"; sha256 = "sha256:0bbv0hcwpm9vhvqnj51k84c3fx6x0vgv68yf0f8kdjvprpzxjdgk"; }) ]; boot.loader.grub.enable = true; boot.loader.grub.copyKernels = true; boot.loader.grub.device = "nodev"; boot.loader.grub.efiSupport = true; boot.loader.efi.canTouchEfiVariables = true; hardware.cpu.amd.updateMicrocode = true; boot.supportedFilesystems = ["zfs"]; boot.kernelParams = ["zfs.l2arc_write_max=536870912"]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; services.zfs.autoScrub.enable = true; services.zfs.autoScrub.interval = "monthly"; services.zfs.autoSnapshot.enable = true; systemd.suppressedSystemUnits = [ "hibernate.target" "suspend.target" "suspend-then-hibernate.target" "sleep.target" "hybrid-sleep.target" "systemd-hibernate.service" "systemd-hybrid-sleep.service" "systemd-suspend.service" "systemd-suspend-then-hibernate.service" ]; security.apparmor.enable = true; services.fail2ban.enable = true; services.fail2ban.ignoreIP = [ "94.190.212.123" "2001:470:18:390::2" ]; services.fail2ban.maxretry = 9; services.fail2ban.bantime-increment.enable = true; services.fail2ban.jails.sshd = '' enabled = true filter = sshd action = iptables-allports ''; services.fail2ban.jails.nginx-botsearch = '' enabled = true filter = nginx-botsearch action = iptables-allports ''; services.fail2ban.jails.nginx-limit-req = '' enabled = true filter = nginx-limit-req action = iptables-allports ''; services.fail2ban.jails.postfix = '' enabled = true filter = postfix action = iptables-allports ''; services.fail2ban.jails.dovecot = '' enabled = true filter = dovecot action = iptables-allports ''; networking = { hostName = "nixbld"; hostId = "e423f012"; firewall = { allowedTCPPorts = [ 53 80 443 7402 ]; allowedUDPPorts = [ 53 67 500 4500 ]; trustedInterfaces = [ netifLan ]; }; interfaces."${netifWan}".useDHCP = true; interfaces."${netifLan}" = { ipv4.addresses = [{ address = "192.168.1.1"; prefixLength = 24; }]; ipv6.addresses = [{ address = "2001:470:f891:1::"; prefixLength = 64; }]; # https://unix.stackexchange.com/questions/423502/iproute2-inherit-or-copy-table # we just copy what matters here. Ugly but easier. ipv4.routes = [ { address = "192.168.1.0"; prefixLength = 24; options.table = "1"; } ]; }; interfaces."${netifWifi}" = { ipv4.addresses = [{ address = "192.168.12.1"; prefixLength = 24; }]; ipv6.addresses = [{ address = "2001:470:f891:2::"; prefixLength = 64; }]; }; nat = { enable = true; externalInterface = netifWan; internalInterfaces = [ netifLan netifWifi ]; forwardPorts = [ { sourcePort = 2201; destination = "192.168.1.201:22"; proto = "tcp"; } { sourcePort = 2202; destination = "192.168.1.202:22"; proto = "tcp"; } { sourcePort = 2203; destination = "192.168.1.203:22"; proto = "tcp"; } { sourcePort = 2204; destination = "192.168.1.204:22"; proto = "tcp"; } ]; extraCommands = '' iptables -w -N block-lan-from-wifi iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP iptables -w -A FORWARD -j block-lan-from-wifi iptables -w -N block-insecure-devices iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope iptables -w -A block-insecure-devices -m mac --mac-source 00:0a:35:00:01:23 -j DROP # function generator iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:21:f1:ee -j DROP # siglent scope #2 iptables -w -A block-insecure-devices -m mac --mac-source 00:19:af:5b:dd:58 -j DROP # power supply iptables -w -A block-insecure-devices -m mac --mac-source 28:58:be:dc:66:1f -j DROP # hikvision low-cost 780nm laser viewer iptables -w -A block-insecure-devices -m mac --mac-source bc:99:11:a4:d2:ac -j DROP # zyxel cloud switch iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet iptables -w -A FORWARD -j block-insecure-devices ''; extraStopCommands = '' iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true iptables -w -F block-lan-from-wifi 2>/dev/null|| true iptables -w -X block-lan-from-wifi 2>/dev/null|| true iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true iptables -w -F block-insecure-devices 2>/dev/null|| true iptables -w -X block-insecure-devices 2>/dev/null|| true ''; }; sits."${netifSit}" = { dev = netifWan; remote = "216.218.221.6"; local = "94.190.212.123"; ttl = 255; }; interfaces."${netifSit}".ipv6 = { addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }]; routes = [{ address = "::"; prefixLength = 0; }]; }; greTunnels.alt0 = { dev = netifWan; remote = "103.206.98.1"; local = "94.190.212.123"; ttl = 255; type = "tun"; }; interfaces.alt0 = { ipv4.addresses = [ { address = "103.206.98.227"; prefixLength = 31; } ]; ipv4.routes = [ { address = "0.0.0.0"; prefixLength = 0; via = "103.206.98.226"; options.table = "1"; } ]; }; vlans = { vlan0 = { id = 2; interface = netifLan; }; }; interfaces.vlan0 = { ipv4.addresses = [{ address = "103.206.98.200"; prefixLength = 29; }]; ipv4.routes = [ { address = "103.206.98.200"; prefixLength = 29; options.table = "1"; } ]; }; }; boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1"; boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1"; boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0"; boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0"; services.strongswan-swanctl.enable = true; services.strongswan-swanctl.swanctl.connections.altnet = { local_addrs = [ "94.190.212.123" ]; remote_addrs = [ "103.206.98.1" ]; local.main = { auth = "pubkey"; id = "fqdn:m-labs.hk"; pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ]; }; remote.main = { auth = "pubkey"; id = "fqdn:igw0.hkg.as150788.net"; pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ]; }; children.alt0 = { mode = "transport"; ah_proposals = [ "sha256-curve25519" ]; remote_ts = [ "103.206.98.1[gre]" ]; local_ts = [ "94.190.212.123[gre]" ]; start_action = "start"; }; }; systemd.services.custom-network-setup = { wantedBy = [ "network.target" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.0/24 table 1"; ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1"; }; }; # https://kb.isc.org/docs/dnssec-key-and-signing-policy # chown named.named /etc/nixos/named services.bind = { enable = true; listenOn = [ "94.190.212.123" ]; listenOnIpv6 = [ "2001:470:18:390::2" ]; forwarders = []; extraOptions = "listen-on-v6 port 5354 { ::1; };"; cacheNetworks = [ "::1/128" ]; directory = "/etc/nixos/named"; zones = { "m-labs.hk" = { name = "m-labs.hk"; master = true; file = "/etc/nixos/named/m-labs.hk"; extraConfig = '' dnssec-policy "default"; inline-signing yes; notify explicit; also-notify { 213.239.220.50; # ns1.qnetp.net 216.218.130.2; # ns1.he.net }; ''; slaves = [ "213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net "216.218.133.2" "2001:470:600::2" # slave.dns.he.net ]; }; "m-labs.ph" = { name = "m-labs.ph"; master = true; file = "/etc/nixos/named/m-labs.ph"; extraConfig = '' notify explicit; also-notify { 216.218.130.2; # ns1.he.net }; ''; slaves = [ "216.218.133.2" "2001:470:600::2" # slave.dns.he.net ]; }; "193thz.com" = { name = "193thz.com"; master = true; file = "/etc/nixos/named/193thz.com"; extraConfig = '' dnssec-policy "default"; inline-signing yes; notify explicit; also-notify { 216.218.130.2; # ns1.he.net }; ''; slaves = [ "216.218.133.2" "2001:470:600::2" # slave.dns.he.net ]; }; "200-29.98.206.103.in-addr.arpa" = { name = "200-29.98.206.103.in-addr.arpa"; master = true; file = "/etc/nixos/named/200-29.98.206.103.in-addr.arpa"; extraConfig = '' dnssec-policy "default"; inline-signing yes; notify explicit; also-notify { 216.218.130.2; # ns1.he.net }; ''; slaves = [ "216.218.133.2" "2001:470:600::2" # slave.dns.he.net ]; }; }; extraConfig = '' zone "mil." IN { type forward; forward only; forwarders { 74.82.42.42; }; }; ''; }; services.hostapd = { enable = true; interface = netifWifi; hwMode = "g"; ssid = "M-Labs"; wpaPassphrase = (import /etc/nixos/secret/wifi_password.nix); extraConfig = '' ieee80211d=1 country_code=HK ieee80211n=1 wmm_enabled=1 auth_algs=1 wpa_key_mgmt=WPA-PSK rsn_pairwise=CCMP ''; }; services.dnsmasq = { enable = true; settings = { server = ["::1#5354"]; interface = [ netifLan netifWifi ]; bind-interfaces = true; dhcp-range = [ "interface:${netifLan},192.168.1.81,192.168.1.254,24h" "interface:${netifWifi},192.168.12.10,192.168.12.254,24h" "interface:${netifLan},::,constructor:${netifLan},ra-names" "interface:${netifWifi},::,constructor:${netifWifi},ra-only" ]; enable-ra = true; no-resolv = true; dhcp-host = [ # Static IPv4s to make Red Pitayas with factory firmware less annoying "rp-f05cc9,192.168.1.190" "rp-f0612e,192.168.1.191" # Static IPv4s to make port redirections work "rpi-1,192.168.1.201" "rpi-2,192.168.1.202" "rpi-3,192.168.1.203" "rpi-4,192.168.1.204" ]; address = [ # Static IP addresses for non-DHCP boards "/thermostat/192.168.1.26" "/powercycler/192.168.1.31" "/kc705/192.168.1.50" "/zynq-experiments/192.168.1.51" "/zc706/192.168.1.52" "/zc706-2/192.168.1.53" "/cora-z7/192.168.1.54" "/rust-pitaya/192.168.1.55" "/kasli/192.168.1.70" "/kasli-customer/192.168.1.75" "/stabilizer-customer/192.168.1.76" # Google can't do DNS geolocation correctly and slows down websites of everyone using # their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you # cannot reach. "/fonts.googleapis.com/142.250.207.74" ]; dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077 dhcp-boot = [ "tag:!ipxe,ipxe.efi" "tag:ipxe,http://perso.m-labs.hk/sb/netboot/netboot.ipxe" ]; enable-tftp = netifLan; tftp-root = "${pkgs.ipxe}"; }; }; # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; console = { font = "Lat2-Terminus16"; keyMap = "de"; }; # Set your time zone. time.timeZone = "Asia/Hong_Kong"; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ wget vim git file lm_sensors acpi pciutils psmisc nixopsUnstable irssi tmux usbutils imagemagick jq zip unzip iw nvme-cli borgbackup bind waypipe (callPackage ./afws { inherit pkgs; }) (callPackage ./labelprinter { inherit pkgs; }) ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; # programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; # List services that you want to enable: services.apcupsd.enable = true; services.apcupsd.configText = '' UPSTYPE usb NISIP 127.0.0.1 BATTERYLEVEL 10 MINUTES 5 ''; # Enable the OpenSSH daemon. services.openssh.enable = true; services.openssh.settings.PasswordAuthentication = false; services.openssh.settings.GatewayPorts = "clientspecified"; programs.mosh.enable = true; programs.fish.enable = true; programs.zsh.enable = true; # Enable CUPS to print documents. services.avahi.enable = true; services.avahi.allowInterfaces = [ netifLan ]; services.avahi.publish.enable = true; services.avahi.publish.userServices = true; nixpkgs.config.allowUnfree = true; services.printing.enable = true; services.printing.drivers = [ pkgs.hplipWithPlugin ]; services.printing.browsing = true; services.printing.listenAddresses = [ "*:631" ]; services.printing.defaultShared = true; hardware.sane.enable = true; hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ]; services.udev.extraRules = '' # label printer SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp" ''; users.extraUsers.root = { openssh.authorizedKeys.keys = [ "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg==" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1" ]; shell = pkgs.fish; }; # https://github.com/NixOS/nixpkgs/issues/155357 security.sudo.enable = true; users.extraUsers.sb = { isNormalUser = true; extraGroups = ["lp" "scanner" "afws"]; openssh.authorizedKeys.keys = [ "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ==" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1" ]; shell = pkgs.fish; }; users.extraUsers.rj = { isNormalUser = true; extraGroups = ["afws"]; }; users.extraUsers.nkrackow = { isNormalUser = true; extraGroups = ["afws"]; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ==" ]; }; users.extraUsers.backupdl = { isNormalUser = true; extraGroups = ["nextcloud"]; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCbH+l0FIBTPdUKOS9H5OOT5ro/nljKLsiCTzTzublCScdPPmCNy27ORbLgNHX5Ughlug5wr2rAIU9AexV+L71V5MeVHUWDfKgRsNIpUTtY6wpJkAP7r1ipk2kTWc/sxhrxyPea62cohmy1dOeLlwXO6U8FnsiZfYKmgjZ8wuTo6ixDB8krXsAZ8VY/bj5WFcXqeW8GF1Qjpel7HgpCpj3HIUyC63uwIyUoYe+cgnhjzNLbRYdU9Yx2iqcUCwEUX2cMdz5VX+xbLkL8CWcuiMFg6TFo+CUPFtuA/kVzHcZ4Pa3BiilL3rf7oXlIXGN12JVsN+caX7j2weVqm2b5u5eVsyDxiLx1KA37ukq92CYAAdOuKE+saMPsLuOn+Qd9B6D5oYnYgsWg460uEGgwczwOTXLAZTT5wrwRaKIE+ezKqtRP+Tz7l2IEixulyj1MUR+XpSwECZXiFJx5DGofwzxcd2kWnNOPBReDkHv0At5ZLNIrLuxFMz2L6UXbqvHwEu8= backupdl@minipc" ]; }; users.extraUsers.occheung = { isNormalUser = true; openssh.authorizedKeys.keys = [ "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPEvmWmxpFpMgp5fpjKud8ev0cyf/+X5fEpQt/YD/+u4mbvZYPE300DLqQ0h/qjgvaGMz1ndf4idYnRdy+plJEC/+hmlRW5NlcpAr3S/LYAisacgKToFVl+MlBo+emS9Ig==" ]; }; users.extraUsers.spaqin = { isNormalUser = true; extraGroups = ["lp" "scanner" "afws"]; openssh.authorizedKeys.keys = [ "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ==" ]; shell = pkgs.zsh; }; users.extraUsers.esavkin = { isNormalUser = true; extraGroups = ["lp" "afws"]; openssh.authorizedKeys.keys = [ "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA==" ]; }; users.extraUsers.derppening = { isNormalUser = true; openssh.authorizedKeys.keys = [ "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ==" ]; }; users.extraUsers.dpn = { isNormalUser = true; openssh.authorizedKeys.keys = [ "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGChLocYJi8XcSJkIjT2Olm3jPGjtRq5aORa5G9F3OqmjCfvav9Q5+2Mc64XqHtNTffnJuDe4gv+lVJatC0URvPs2HyxXmxRK0jgkkLSUsV2SYLlgMqHW3jsrdh6wKBmkg==" ]; }; users.extraUsers.nix = { isNormalUser = true; }; boot.kernel.sysctl."kernel.dmesg_restrict" = true; services.udev.packages = [ pkgs.sane-backends ]; nix.settings.max-jobs = 10; nix.nrBuildUsers = 64; nix.settings.trusted-users = ["sb"]; services.hydra = { enable = true; useSubstitutes = true; hydraURL = "https://nixbld.m-labs.hk"; notificationSender = "hydra@m-labs.hk"; minimumDiskFree = 15; # in GB minimumDiskFreeEvaluator = 1; extraConfig = '' binary_cache_secret_key_file = /etc/nixos/secret/nixbld.m-labs.hk-1 max_output_size = 10000000000 job = web:web:web command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web job = web:web:nmigen-docs command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs job = artiq:sipyco:sipyco-manual-html command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/sipyco-manual-html job = artiq:sipyco:sipyco-manual-pdf command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/sipyco-manual-pdf job = artiq:main-beta:artiq-manual-html command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-beta job = artiq:main-beta:artiq-manual-pdf command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf-beta job = artiq:extra-beta:conda-channel command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-beta job = artiq:main:artiq-manual-html command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html job = artiq:main:artiq-manual-pdf command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf job = artiq:extra:conda-channel command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel job = artiq:full-legacy:artiq-manual-html command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-legacy job = artiq:full-legacy:artiq-manual-latexpdf command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-latexpdf-legacy job = artiq:full-legacy:conda-channel command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-legacy job = artiq:*:conda-channel command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-archives/$(jq -r '.build' < $HYDRA_JSON) job = artiq:extra-beta:msys2-repos command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-beta job = artiq:artiq-nac3:msys2-repos command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-nac3 jobs = artiq:fast.*:extended-tests inputs = artiqSrc useShortContext = 1 authorization = token ${(import /etc/nixos/secret/github_tokens.nix).artiq} sb=${(import /etc/nixos/secret/gitea_tokens.nix).artiq-zynq} ''; }; systemd.services.hydra-www-outputs-init = { description = "Set up a hydra-owned directory for build outputs"; wantedBy = [ "multi-user.target" ]; requiredBy = [ "hydra-queue-runner.service" ]; before = [ "hydra-queue-runner.service" ]; serviceConfig = { Type = "oneshot"; ExecStart = [ "${pkgs.coreutils}/bin/mkdir -p ${hydraWwwOutputs} ${hydraWwwOutputs}/artiq-conda-channel-archives" "${pkgs.coreutils}/bin/chown hydra-queue-runner:hydra ${hydraWwwOutputs} ${hydraWwwOutputs}/artiq-conda-channel-archives" ]; }; }; services.afws.enable = true; nix.extraOptions = '' secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1 experimental-features = nix-command flakes ''; nix.settings.extra-sandbox-paths = ["/opt"]; services.munin-node.enable = true; services.munin-cron = { enable = true; hosts = '' [${config.networking.hostName}] address localhost ''; }; services.mlabs-backup.enable = true; services.ghbackup.enable = true; services.gitea = { enable = true; appName = "M-Labs Git"; mailerPasswordFile = "/etc/nixos/secret/mailerpassword"; settings = { server = { ROOT_URL = "https://git.m-labs.hk/"; HTTP_PORT = 3001; }; indexer = { REPO_INDEXER_ENABLED = true; }; mailer = { ENABLED = true; HOST = "mail.m-labs.hk:587"; FROM = "sysop@m-labs.hk"; USER = "sysop@m-labs.hk"; }; service = { ENABLE_NOTIFY_MAIL = true; DISABLE_REGISTRATION = true; }; attachment = { ALLOWED_TYPES = "*/*"; }; log.LEVEL = "Warn"; session.COOKIE_SECURE = true; }; }; systemd.tmpfiles.rules = [ "L+ '${config.services.gitea.stateDir}/custom/templates/home.tmpl' - - - - ${./gitea-home.tmpl}" "L+ '${config.services.gitea.stateDir}/custom/templates/user/auth/signin.tmpl' - - - - ${./gitea-signin.tmpl}" ]; services.mattermost = { enable = true; siteUrl = "https://chat.m-labs.hk/"; mutableConfig = true; }; services.postgresql.package = pkgs.postgresql_11; services.matterbridge = { enable = true; configPath = "/etc/nixos/secret/matterbridge.toml"; }; nixpkgs.config.packageOverrides = super: let self = super.pkgs; in { nix = super.nix.overrideAttrs(oa: { patches = oa.patches or [] ++ [ ./nix-28-networked-derivations.patch ]; }); hydra_unstable = super.hydra_unstable.overrideAttrs(oa: { patches = oa.patches or [] ++ [ ./hydra-conda.patch ./hydra-msys2.patch ./hydra-restrictdist.patch ./hydra-hack-allowed-uris.patch # work around https://github.com/NixOS/nix/issues/5039 ]; hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ]; doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above. }); matterbridge = super.matterbridge.overrideAttrs(oa: { patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ]; }); }; security.acme.acceptTerms = true; security.acme.defaults.email = "sb" + "@m-labs.hk"; # https://github.com/NixOS/nixpkgs/issues/106862 systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ]; systemd.services."acme-fixperms".after = [ "bind.service" "dnsmasq.service" ]; services.nginx = { enable = true; recommendedProxySettings = true; recommendedGzipSettings = true; recommendedTlsSettings = true; virtualHosts = let mainWebsite = { addSSL = true; enableACME = true; root = "${hydraWwwOutputs}/web"; extraConfig = '' error_page 404 /404.html; ''; locations."^~ /fonts/".extraConfig = '' expires 60d; ''; locations."^~ /js/".extraConfig = '' expires 60d; ''; locations."/MathJax/" = { alias = "/var/www/MathJax/"; extraConfig = '' expires 60d; ''; }; # legacy URLs, redirect to avoid breaking people's bookmarks locations."/gateware.html".extraConfig = '' return 301 /gateware/migen/; ''; locations."/migen".extraConfig = '' return 301 /gateware/migen/; ''; locations."/artiq".extraConfig = '' return 301 /experiment-control/artiq/; ''; locations."/artiq/resources.html".extraConfig = '' return 301 /experiment-control/resources/; ''; # autogenerated manuals locations."/artiq/sipyco-manual/" = { alias = "${hydraWwwOutputs}/sipyco-manual-html/"; }; locations."=/artiq/sipyco-manual.pdf" = { alias = "${hydraWwwOutputs}/sipyco-manual-pdf/SiPyCo.pdf"; }; locations."/artiq/manual-beta/" = { alias = "${hydraWwwOutputs}/artiq-manual-html-beta/"; }; locations."=/artiq/manual-beta.pdf" = { alias = "${hydraWwwOutputs}/artiq-manual-pdf-beta/ARTIQ.pdf"; }; locations."/artiq/manual/" = { alias = "${hydraWwwOutputs}/artiq-manual-html/"; }; locations."=/artiq/manual.pdf" = { alias = "${hydraWwwOutputs}/artiq-manual-pdf/ARTIQ.pdf"; }; locations."/artiq/manual-legacy/" = { alias = "${hydraWwwOutputs}/artiq-manual-html-legacy/share/doc/artiq-manual/html/"; }; locations."=/artiq/manual-legacy.pdf" = { alias = "${hydraWwwOutputs}/artiq-manual-latexpdf-legacy/share/doc/artiq-manual/ARTIQ.pdf"; }; # legacy content locations."/migen/manual/" = { alias = "/var/www/m-labs.hk.old/migen/manual/"; }; locations."/artiq/manual-release-4/" = { alias = "/var/www/m-labs.hk.old/artiq/manual-release-4/"; }; locations."/artiq/manual-release-3/" = { alias = "/var/www/m-labs.hk.old/artiq/manual-release-3/"; }; locations."/artiq/manual-release-2/" = { alias = "/var/www/m-labs.hk.old/artiq/manual-release-2/"; }; }; in { "m-labs.hk" = mainWebsite; "www.m-labs.hk" = mainWebsite; "m-labs.ph" = mainWebsite; "www.m-labs.ph" = mainWebsite; "lab.m-labs.hk" = { forceSSL = true; enableACME = true; locations."/munin/".alias = "/var/www/munin/"; locations."/munin/".extraConfig = '' auth_basic "Munin"; auth_basic_user_file /etc/nixos/secret/muninpasswd; ''; }; "nixbld.m-labs.hk" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:3000"; }; "msys2.m-labs.hk" = { forceSSL = true; enableACME = true; locations."/artiq-beta/" = { alias = "${hydraWwwOutputs}/artiq-msys2-repos-beta/"; extraConfig = '' autoindex on; ''; }; locations."/artiq-nac3/" = { alias = "${hydraWwwOutputs}/artiq-msys2-repos-nac3/"; extraConfig = '' autoindex on; ''; }; }; "conda.m-labs.hk" = { forceSSL = true; enableACME = true; locations."/artiq-beta/" = { alias = "${hydraWwwOutputs}/artiq-conda-channel-beta/"; extraConfig = '' autoindex on; index bogus_index_file; ''; }; locations."/artiq/" = { alias = "${hydraWwwOutputs}/artiq-conda-channel/"; extraConfig = '' autoindex on; index bogus_index_file; ''; }; locations."/artiq-legacy/" = { alias = "${hydraWwwOutputs}/artiq-conda-channel-legacy/"; extraConfig = '' autoindex on; index bogus_index_file; ''; }; locations."/artiq-archives/" = { alias = "${hydraWwwOutputs}/artiq-conda-channel-archives/"; extraConfig = '' autoindex on; index bogus_index_file; ''; }; }; "afws.m-labs.hk" = { enableACME = true; locations."/" = { proxyPass = "http://localhost:3771"; proxyWebsockets = true; extraConfig = '' proxy_read_timeout 2h; ''; }; }; "git.m-labs.hk" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:3001"; extraConfig = '' client_max_body_size 300M; ''; }; "chat.m-labs.hk" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:8065"; locations."~ /api/v[0-9]+/(users/)?websocket$".proxyPass = "http://127.0.0.1:8065"; locations."~ /api/v[0-9]+/(users/)?websocket$".proxyWebsockets = true; }; "hooks.m-labs.hk" = { forceSSL = true; enableACME = true; locations."/mattermost-github".extraConfig = '' include ${pkgs.nginx}/conf/uwsgi_params; uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-mgi.sock; ''; locations."/rfq".extraConfig = '' include ${pkgs.nginx}/conf/uwsgi_params; uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-rfq.sock; ''; }; "forum.m-labs.hk" = { forceSSL = true; enableACME = true; root = "/var/www/flarum/public"; locations."~ \.php$".extraConfig = '' fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket}; fastcgi_index index.php; ''; extraConfig = '' index index.php; include /var/www/flarum/.nginx.conf; ''; }; "perso.m-labs.hk" = { addSSL = true; enableACME = true; root = "/var/www/perso"; }; "rt.m-labs.hk" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:4201"; extraConfig = '' client_max_body_size 100M; ''; }; locations."/REST/1.0/NoAuth" = { proxyPass = "http://127.0.0.1:4201"; extraConfig = '' client_max_body_size 100M; allow 127.0.0.1; deny all; ''; }; }; "files.m-labs.hk" = { forceSSL = true; enableACME = true; }; "docs.m-labs.hk" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://localhost:9825"; locations."/socket.io/".proxyPass = "http://localhost:9825"; locations."/socket.io/".proxyWebsockets = true; }; "193thz.com" = { addSSL = true; enableACME = true; root = "/var/www/193thz"; }; "www.193thz.com" = { addSSL = true; enableACME = true; root = "/var/www/193thz"; }; "nmigen.net" = { addSSL = true; enableACME = true; root = "${hydraWwwOutputs}/nmigen-docs"; }; "www.nmigen.net" = { addSSL = true; enableACME = true; root = "${hydraWwwOutputs}/nmigen-docs"; }; }; }; services.uwsgi = { enable = true; plugins = [ "python3" ]; instance = { type = "emperor"; vassals = { mattermostgithub = import ./mattermost-github-integration/uwsgi-config.nix { inherit config pkgs; }; rfq = import ./rfq/uwsgi-config.nix { inherit config pkgs; }; }; }; }; services.mysql = { enable = true; package = pkgs.mariadb; }; services.phpfpm.pools.flarum = { user = "nobody"; settings = { "listen.owner" = "nginx"; "listen.group" = "nginx"; "listen.mode" = "0600"; "pm" = "dynamic"; "pm.max_children" = 5; "pm.start_servers" = 2; "pm.min_spare_servers" = 1; "pm.max_spare_servers" = 3; "pm.max_requests" = 500; }; }; services.rt = { enable = true; package = pkgs.rt.overrideAttrs(oa: { patches = oa.patches or [] ++ [ ./rt-session.patch ]; }); organization = "M-Labs"; domain = "rt.m-labs.hk"; rtName = "Helpdesk"; ownerEmail = "sb" + "@m-labs.hk"; commentAddress = "helpdesk" + "@m-labs.hk"; correspondAddress = "helpdesk" + "@m-labs.hk"; sendmailPath = "${pkgs.msmtp}/bin/msmtp"; sendmailArguments = ["-t" "-C" "/etc/nixos/secret/rt_msmtp.conf"]; }; systemd.services.rt-fetchmail = { description = "Fetchmail for RT"; wantedBy = [ "multi-user.target" ]; after = [ "dovecot2.service" ]; serviceConfig = { Restart = "on-failure"; User = "rt"; Group = "rt"; ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'"; }; }; mailserver = { enable = true; localDnsResolver = false; # conflicts with dnsmasq fqdn = "mail.m-labs.hk"; domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" ]; enablePop3 = true; enablePop3Ssl = true; certificateScheme = "acme-nginx"; } // (import /etc/nixos/secret/email_settings.nix); services.roundcube = { enable = true; hostName = "mail.m-labs.hk"; extraConfig = '' $config['smtp_server'] = "tls://${config.mailserver.fqdn}"; $config['smtp_user'] = "%u"; $config['smtp_pass'] = "%p"; ''; }; services.nextcloud = { enable = true; package = pkgs.nextcloud26; hostName = "files.m-labs.hk"; https = true; enableBrokenCiphersForSSE = false; maxUploadSize = "2G"; config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt"; }; services.hedgedoc = { enable = true; settings = { port = 9825; domain = "docs.m-labs.hk"; protocolUseSSL = true; allowEmailRegister = false; allowAnonymous = false; db = { dialect = "sqlite"; storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; }; }; }; system.stateVersion = "21.05"; }