diff --git a/aux-etc-nixos/backupdl-module.nix b/aux-etc-nixos/backupdl-module.nix
deleted file mode 100644
index ad8917bd..00000000
--- a/aux-etc-nixos/backupdl-module.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{ config, pkgs, lib, ... }:
-with lib;
-let
- makeBackup = pkgs.writeScript "make-backupdl" ''
- #!${pkgs.bash}/bin/bash
-
- set -e
-
- export PATH=${pkgs.rsync}/bin:${pkgs.openssh}/bin
-
- rsync --ignore-existing -av nixbld.m-labs.hk:/home/backupdl /var/lib/backupdl
- '';
-
- cfg = config.services.backupdl;
-in
-{
- options.services.backupdl = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Enable backups";
- };
- };
-
- config = mkIf cfg.enable {
- systemd.services.backupdl = {
- description = "Nixbld backups download";
- serviceConfig = {
- Type = "oneshot";
- User = "backupdl";
- Group = "backupdl";
- ExecStart = "${makeBackup}";
- };
- };
-
- users.users.backupdl = {
- name = "backupdl";
- group = "backupdl";
- description = "Nixbld backups download";
- isSystemUser = true;
- createHome = true;
- home = "/var/lib/backupdl";
- useDefaultShell = true;
- };
- users.extraGroups.backupdl = {};
-
- systemd.timers.backupdl = {
- description = "Nixbld backups download";
- wantedBy = [ "timers.target" ];
- timerConfig.OnCalendar = "*-*-* 18:00:00";
- };
- };
-}
diff --git a/aux-etc-nixos/configuration.nix b/aux-etc-nixos/configuration.nix
deleted file mode 100644
index e86d0086..00000000
--- a/aux-etc-nixos/configuration.nix
+++ /dev/null
@@ -1,230 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- netifWan = "enp0s25";
- netifLan = "enp3s0";
- netifWifi = "wlp1s0";
- netifSit = "henet0";
-in
-{
- imports =
- [
- ./hardware-configuration.nix
- ./backupdl-module.nix
- ];
-
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- boot.loader.grub.device = "/dev/sda";
-
- boot.blacklistedKernelModules = [ "r8169" ];
- boot.extraModulePackages = [ (pkgs.callPackage ./r8169 { kernel = config.boot.kernelPackages.kernel; }) ];
-
- networking.hostName = "aux";
-
- networking.interfaces."${netifWan}".useDHCP = true;
- services.hostapd = {
- enable = true;
- interface = netifWifi;
- hwMode = "g";
- ssid = "M-Labs";
- wpaPassphrase = (import /etc/nixos/secret/wifi_password.nix);
- extraConfig = ''
- ieee80211d=1
- country_code=HK
- ieee80211n=1
- wmm_enabled=1
- auth_algs=1
- wpa_key_mgmt=WPA-PSK
- rsn_pairwise=CCMP
- '';
- };
- networking.interfaces."${netifLan}" = {
- ipv4.addresses = [{
- address = "192.168.1.1";
- prefixLength = 24;
- }];
- ipv6.addresses = [{
- address = "2001:470:f891:1::";
- prefixLength = 64;
- }];
- };
- networking.interfaces."${netifWifi}" = {
- ipv4.addresses = [{
- address = "192.168.15.1";
- prefixLength = 24;
- }];
- ipv6.addresses = [{
- address = "2001:470:f891:2::";
- prefixLength = 64;
- }];
- };
-
- networking.sits."${netifSit}" = {
- dev = netifWan;
- remote = "216.218.221.6";
- local = "94.190.212.123";
- ttl = 255;
- };
- networking.interfaces."${netifSit}".ipv6 = {
- addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
- routes = [{ address = "::"; prefixLength = 0; }];
- };
- boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
- boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1";
- boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
- boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
-
- networking.firewall = {
- allowedTCPPorts = [ 53 ];
- allowedUDPPorts = [ 53 67 ];
- trustedInterfaces = [ netifLan ];
- };
-
- services.bind = {
- enable = true;
- listenOn = [];
- listenOnIpv6 = [];
- forwarders = [];
- extraOptions = "listen-on-v6 port 5354 { ::1; };";
- extraConfig = ''
- zone "mil." IN {
- type forward;
- forward only;
- forwarders { 74.82.42.42; };
- };
- '';
- cacheNetworks = [ "::1/128" ];
- };
- services.dnsmasq = {
- enable = true;
- servers = ["::1#5354"];
- extraConfig = ''
- interface=${netifWifi}
- interface=${netifLan}
- bind-interfaces
- dhcp-range=interface:${netifLan},192.168.1.81,192.168.1.254,24h
- dhcp-range=interface:${netifWifi},192.168.15.10,192.168.15.254,24h
- enable-ra
- dhcp-range=interface:${netifLan},::,constructor:${netifLan},ra-names
- dhcp-range=interface:${netifWifi},::,constructor:${netifWifi},ra-only
-
- no-resolv
-
- # Static IPv4s to make port redirections work
- dhcp-host=chiron,192.168.1.201
- dhcp-host=old-nixbld,192.168.1.202
-
- # Google can't do DNS geolocation correctly and slows down websites of everyone using
- # their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
- # cannot reach.
- address=/fonts.googleapis.com/142.250.207.74
- '';
- };
- networking.nat = {
- enable = true;
- externalInterface = netifWan;
- internalInterfaces = [ netifLan netifWifi ];
- forwardPorts = [
- { sourcePort = 2201; destination = "192.168.1.201:22"; proto = "tcp"; }
- { sourcePort = 2202; destination = "192.168.1.202:22"; proto = "tcp"; }
- ];
- extraCommands = ''
- iptables -w -N block-lan-from-wifi
- iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
- iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
- iptables -w -A FORWARD -j block-lan-from-wifi
-
- iptables -w -N block-insecure-devices
- iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA
- iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope
- iptables -w -A block-insecure-devices -m mac --mac-source 00:0a:35:00:01:23 -j DROP # function generator
- iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:21:f1:ee -j DROP # siglent scope #2
- iptables -w -A block-insecure-devices -m mac --mac-source 00:19:af:5b:dd:58 -j DROP # power supply
- iptables -w -A FORWARD -j block-insecure-devices
- '';
- extraStopCommands = ''
- iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
- iptables -w -F block-lan-from-wifi 2>/dev/null|| true
- iptables -w -X block-lan-from-wifi 2>/dev/null|| true
-
- iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
- iptables -w -F block-insecure-devices 2>/dev/null|| true
- iptables -w -X block-insecure-devices 2>/dev/null|| true
- '';
- };
-
- time.timeZone = "Asia/Hong_Kong";
-
- nixpkgs.config.allowUnfree = true;
- services.avahi.enable = true;
- services.avahi.publish.enable = true;
- services.avahi.publish.userServices = true;
- services.printing.enable = true;
- services.printing.drivers = [ pkgs.hplipWithPlugin ];
- services.printing.browsing = true;
- services.printing.listenAddresses = [ "*:631" ];
- services.printing.defaultShared = true;
- hardware.sane.enable = true;
- hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
- systemd.sockets.cups.wants = [ "network-setup.service" ];
- systemd.sockets.cups.after = [ "network-setup.service" ];
- systemd.sockets.cups.wantedBy = [ "multi-user.target" ];
- systemd.services.cups.wantedBy = [ "multi-user.target" ];
-
- users.extraGroups.plugdev = { };
- users.extraUsers.root = {
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
- ];
- shell = pkgs.fish;
- };
- # https://github.com/NixOS/nixpkgs/issues/155357
- security.sudo.enable = true;
- users.users.sb = {
- isNormalUser = true;
- extraGroups = ["lp" "scanner" "plugdev"];
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
- ];
- shell = pkgs.fish;
- };
-
- documentation.enable = false;
- environment.systemPackages = with pkgs; [
- wget vim git usbutils pciutils file lm_sensors acpi
- psmisc
- iw
- tmux
- bind
- nixopsUnstable
- imagemagick
- ];
-
- programs.mosh.enable = true;
- programs.fish.enable = true;
-
- services.openssh.enable = true;
- services.openssh.forwardX11 = true;
- services.openssh.passwordAuthentication = false;
- services.openssh.extraConfig =
- ''
- StreamLocalBindUnlink yes
- '';
-
- services.backupdl.enable = true;
-
- services.udev.extraRules =
- ''
- # label printer
- SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="plugdev"
- '';
-
- nix.settings.trusted-public-keys = ["nixbld.m-labs.hk-1:5aSRVA5b320xbNvu30tqxVPXpld73bhtOeH6uAjRyHc="];
- nix.settings.substituters = ["https://nixbld.m-labs.hk" "https://cache.nixos.org"];
- nix.settings.trusted-users = ["sb"];
-
- system.stateVersion = "22.05";
-}
diff --git a/aux-etc-nixos/r8169/default.nix b/aux-etc-nixos/r8169/default.nix
deleted file mode 100644
index 0545b41c..00000000
--- a/aux-etc-nixos/r8169/default.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{ stdenv, lib, kernel }:
-
-
-let modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/r8169";
-
-in stdenv.mkDerivation rec {
- name = "r8169-${kernel.version}-${version}";
- version = "6.031.00";
-
- src = ./r8169-${version}.tar.bz2;
-
- hardeningDisable = [ "pic" ];
-
- nativeBuildInputs = kernel.moduleBuildDependencies;
-
- # rename to avoid conflict with totally broken piece of crap from mainline kernel
- patchPhase =
- ''
- substituteInPlace src/Makefile --replace r8169.o r8169-vendor.o
- substituteInPlace src/Makefile --replace r8169-objs r8169-vendor-objs
- '';
-
- # avoid using the Makefile directly -- it doesn't understand
- # any kernel but the current.
- # based on the ArchLinux pkgbuild: https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/r8168
- makeFlags = kernel.makeFlags ++ [
- "-C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
- "M=$(PWD)/src"
- "modules"
- ];
- preBuild = ''
- makeFlagsArray+=("EXTRA_CFLAGS=-DCONFIG_R8169_NAPI -DCONFIG_R8169_VLAN -DCONFIG_ASPM -DENABLE_S5WOL -DENABLE_EEE")
- '';
-
- enableParallelBuilding = true;
-
- installPhase = ''
- mkdir -p ${modDestDir}
- find . -name '*.ko' -exec cp --parents '{}' ${modDestDir} \;
- find ${modDestDir} -name '*.ko' -exec xz -f '{}' \;
- '';
-}
diff --git a/aux-etc-nixos/r8169/r8169-6.031.00.tar.bz2 b/aux-etc-nixos/r8169/r8169-6.031.00.tar.bz2
deleted file mode 100644
index 6048caec..00000000
Binary files a/aux-etc-nixos/r8169/r8169-6.031.00.tar.bz2 and /dev/null differ