Compare commits

562 Commits

Author SHA1 Message Date
e4b6c68ae3 nixops: add back abdul 2024-12-18 18:19:29 +08:00
060c6bfe21 nixbld: unscramble email addresses for gitea 2024-12-04 21:21:36 +08:00
da74156ca8 Reduce websites duplication
Redirect www.* URLs to non-www.* with the default 301 code in order to reduce the number of copies of the websites in search engines

Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-12-04 16:55:36 +08:00
9558882e2b dmesg_restrict is now default on NixOS 24.11 2024-12-04 12:33:07 +08:00
9e74ec65bb nixbld: hydra-restrictdist not needed anymore 2024-12-04 12:25:40 +08:00
1b51f86343 nixbld: patch correct hydra package 2024-12-04 12:25:23 +08:00
b088c11806 nixbld: reduce mattermost spam 2024-12-04 12:06:12 +08:00
6510ba9a2d nixbld: nixpkgs 24.11 2024-12-03 19:27:26 +08:00
81cfe07acd unscramble email 2024-12-03 17:41:25 +08:00
a8593a2e97 flarum: update core and packages 2024-11-29 11:49:31 +08:00
7f10e2b817 nixops: remove juno 2024-11-27 18:52:28 +08:00
2f1235a997 update sb backup key 2024-11-26 21:46:47 +08:00
c7ea537622 Revert "Break cycle dependency of tunnel netdev services on network setup"
Does not solve the problem.

This reverts commit b1779b57cc.
2024-11-25 12:11:36 +08:00
d1236d548d afws: enable file logging with afws group permissions 2024-11-22 15:34:23 +08:00
98c1ecd325 nixops: nixpkgs 24.11 compatibility 2024-11-16 18:49:26 +08:00
45e718d65a nixops: add esavkin to wireshark group 2024-11-06 15:25:21 +08:00
243deb96be nixbld: update Nix patch 2024-11-05 18:45:40 +08:00
b1779b57cc Break cycle dependency of tunnel netdev services on network setup
This changes the following chain after nixos-rebuild switch with modified tunnel interfaces:
stop network-setup -> stop TUN-netdev -> stop network-addresses-TUN -> start network-addresses-TUN (fails since it depends on TUN-netdev which is off).

Chain after this change:
stop TUN-netdev -> stop network-setup -> stop network-addresses-TUN -> start TUN-netdev -> start network-addresses-TUN -> start network-setup

Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-30 17:23:52 +08:00
4f8d84e3ef nixbld: enable prioNixbld for new defenestrate 2024-10-30 14:53:56 +08:00
eabd92d2e8 Use tunnel for uploading web-intl
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-24 17:35:34 +08:00
04a64c3710 nixbld: set up RT for m-labs-intl.com 2024-10-24 15:49:41 +08:00
d27ee750a2 m-labs-intl.com VPS setup information
Co-authored-by: Egor Savkin <es@m-labs.hk>
Co-committed-by: Egor Savkin <es@m-labs.hk>
2024-10-21 15:48:17 +08:00
14e9d63ab7 nixbld: apply TCP MSS clamping to USA tunnel 2024-10-17 15:08:27 +08:00
19aee9b59f nixbld: send mail from m-labs-intl.com through trump0 2024-10-17 15:04:50 +08:00
f8a3d54b54 nixbld: update simple-nixos-mailserver 2024-10-17 15:04:14 +08:00
c499a7ce86 nixbld: keep checking SPF for email from tunnel
GRE preserves source IP information.
2024-10-17 14:48:04 +08:00
476f5d1d6c nixbld: update to nextcloud 30 2024-10-16 11:33:07 +08:00
ecf40fb2db nixbld: fix firewall issue with incoming USA tunnel connections 2024-10-15 21:27:43 +08:00
34102e66ad nixbld: install nextcloud forms app 2024-10-15 16:22:33 +08:00
93ae830468 nixbld: disable IPv6 MX for m-labs-intl.com 2024-10-14 14:23:15 +08:00
8af66556b9 nixbld: remove google fonts workaround 2024-10-11 17:27:10 +08:00
94cff9bb09 nixbld: revert 233998b8 (did not fix the problem) 2024-10-08 16:11:12 +08:00
2bf7bb0638 nixbld: connect to USA VPN 2024-10-08 16:09:56 +08:00
3419fe6013 nixbld: remove nkrackow user 2024-10-05 10:15:13 +08:00
ec53c0cbdd nixbld: add eduardotenholder user 2024-10-02 18:41:45 +08:00
0258f5cff4 nixbld: reorganize users (NFC) 2024-10-02 18:40:48 +08:00
b723b7f8c0 nixbld: clean up/update systemPackages 2024-09-30 15:12:01 +08:00
0c336f3dd7 nixbld: do not log refused connections
These happen all the time and spam the kernel log.
2024-09-30 14:40:09 +08:00
11181f0397 nixbld: flarum createDatabaseLocally no longer needed
https://github.com/NixOS/nixpkgs/pull/341340
2024-09-23 10:52:08 +08:00
aaf70f36df nixops: remove user accounts 2024-09-13 13:23:15 +08:00
4a288abe2b nixbld: keep automatic flarum DB migrations 2024-09-10 17:12:44 +08:00
246a375dfb add remote IPsec settings 2024-09-05 14:36:37 +08:00
635f90f0c7 nixbld/flarum: use nix 2024-08-31 17:27:16 +08:00
8a187ba5b9 nixbld: SIT can take larger packets 2024-08-29 18:55:52 +08:00
9383227c5b nixbld: consistent netif variables 2024-08-29 18:53:33 +08:00
233998b8f3 nixbld: work around tunnel bring-up race condition 2024-08-29 18:40:17 +08:00
90a6b84c09 nixbld: work around tunnel TCPMSS issues 2024-08-29 18:39:52 +08:00
23e1fa029a nixbld: upgrade postgresql 2024-08-25 11:06:19 +08:00
75035b387e Skip SPF for mails originating from intl
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-08-20 10:59:27 +08:00
4f48ea611a nixops: remove wanglm user 2024-08-19 11:18:06 +08:00
6dc8214102 nixbld/backup: include gitea DB dump 2024-08-17 18:26:46 +08:00
a6b216bb87 nixbld/gitea: move to postgresql 2024-08-17 18:18:56 +08:00
6e21a95ba8 nixbld/named: add qnetp slave DNS for m-labs-intl.com 2024-08-15 19:52:42 +08:00
d08186a27a nixbld/named: enable CAA for m-labs-intl.com 2024-08-14 11:52:25 +08:00
5d132565e6 nixbld/named: add hooks.m-labs-intl.com 2024-08-14 11:42:38 +08:00
97ca7ea3ce nixbld: mail setup for m-labs-intl.com WIP 2024-08-14 11:38:19 +08:00
e24c167f8b Revert "nixbld: block SAP spam"
Option seems to have no effect.

This reverts commit b769b47075.
2024-08-14 10:58:49 +08:00
18194be5c3 nixbld: deploy web2019 to the intl domain
Co-authored-by: Egor Savkin <es@m-labs.hk>
Co-committed-by: Egor Savkin <es@m-labs.hk>
2024-08-14 10:54:52 +08:00
7781d6236e nixbld/rt: disable TCP 2024-08-11 12:19:15 +08:00
93e19c74e9 nixbld/rt: use psql peer authentication 2024-08-11 12:12:28 +08:00
4ccab3cf2b nixbld: remove outdated DNS records 2024-08-05 19:13:34 +08:00
69fe8c9866 nixbld: add flo user 2024-08-01 07:32:11 +08:00
b769b47075 nixbld: block SAP spam 2024-07-02 09:56:02 +02:00
f0668fa5b7 juno: mobo swap 2024-06-27 14:20:30 +08:00
8422d16978 nixops: add new DSLogic USB ID 2024-06-26 13:29:20 +08:00
872dcaa6bc nixbld: serve m-labs-intl.com domain 2024-06-06 17:29:07 +08:00
ca895df9f3 nixbld: switch to gitea built-in SSH server 2024-06-06 16:27:39 +08:00
4e6686dbe9 nixbld: fix gitea emails 2024-06-06 13:52:35 +08:00
f973d2969a nixbld: fix gitea emails 2024-06-05 11:23:24 +08:00
18a41e1c88 nixbld: work around for hydra input issues in restricted mode 2024-06-03 22:39:00 +08:00
f49a0f825e nixops: typo 2024-06-02 20:29:37 +08:00
6c3a89df02 nixops: update wanglm key 2024-06-02 20:24:25 +08:00
bbc4d663a9 nixops: add new machines 2024-06-02 17:55:40 +08:00
adad8e9894 nixops: add new users 2024-06-02 17:55:19 +08:00
f07b292d3b nixbld: disallow user SSH keys 2024-06-02 14:10:10 +08:00
d91ff8300d nixops: disallow user SSH keys 2024-06-02 14:04:02 +08:00
bd6c61094f nixbld: update letsencrypt CAA URI
https://github.com/NixOS/nixpkgs/issues/316608
2024-06-02 13:50:48 +08:00
cc0bf224df nixbld: install mpd 2024-06-02 13:50:24 +08:00
41aeae7b2d nixbld: update simple-nixos-mailserver 2024-06-02 12:59:47 +08:00
1eac9d249d nixbld: nixos 24.05 2024-06-02 12:52:17 +08:00
c3d9b9a7a1 nixbld: small cleanup 2024-06-02 12:52:01 +08:00
b6263c7dd9 nixops: fix /boot mount options 2024-05-30 18:43:54 +08:00
2446d0c946 nixops: mount /opt on rc 2024-05-30 18:41:43 +08:00
8879147c8d nixops: add DSLogic to udev 2024-05-30 12:21:04 +08:00
ca37637771 desktop: install memtest86 2024-05-29 17:59:37 +08:00
6e7b4aa4a9 nixops: add athena machine 2024-05-28 15:27:21 +08:00
a22e270ac8 nixbld: replace deprecated gitea mailer setting 2024-05-28 11:44:55 +08:00
bc20cf499b add architeuthis user 2024-05-26 20:24:01 +08:00
9285123f8e desktop: install ghex 2024-05-24 21:46:12 +08:00
9845ea7832 nixops: nixos 24.05 renamed options 2024-05-24 11:09:02 +08:00
a202452e5c nixops: add missing stateVersion 2024-05-24 10:40:37 +08:00
55cfda91e0 nixbld: fix nextcloud logging 2024-05-24 09:58:19 +08:00
543e9468cc nixbld: fix nextcloud opcache warning 2024-05-24 09:49:17 +08:00
6487eab3c7 nixbld: update nextcloud 2024-05-23 22:58:39 +08:00
96f7264258 nixbld: enable audio 2024-05-23 22:21:10 +08:00
6018eca294 nixbld: enable SSH X11 forwarding 2024-05-23 22:20:56 +08:00
584c9e560c nixops: add rc machine 2024-05-23 22:07:42 +08:00
37f24f5898 nixops: update permissions 2024-05-16 13:40:57 +08:00
4c7f35bc75 nixbld: allow routing between wifi and LAN 2024-05-06 10:57:33 +08:00
2cd3ae1337 nixbld: fix routing policy for wifi 2024-05-06 10:57:11 +08:00
7f1972fc9d nixbld: add backup IP to DNS 2024-05-06 10:44:54 +08:00
5729c4998a nixbld: add backup internet connection 2024-05-06 10:32:10 +08:00
60aacb6a1b nixbld: cleanup routing policy 2024-05-06 10:31:45 +08:00
bfd5e0289a nixbld: enable indexing on perso.m-labs.hk 2024-05-06 09:48:16 +08:00
2c9be41ce4 Revert "nixbld: disable substituters"
NixOS bug festival

This reverts commit 5576b82d15.
2024-04-13 16:47:30 +08:00
8ceaad6e16 nixops: franz no longer need special kernel 2024-04-12 10:41:02 +08:00
b1fc3914bf nixbld: update lp group 2024-04-12 09:40:40 +08:00
16fbcef5bf nixbld: add IP for new qnetp DNS slave 2024-04-12 09:40:17 +08:00
0f54fbc893 nixops: add vulcan machine 2024-04-10 12:01:18 +08:00
bae360f4ca nixbld: update users 2024-04-10 11:40:16 +08:00
325fe232b3 nixops: add back therobs12 2024-04-10 11:21:58 +08:00
5576b82d15 nixbld: disable substituters 2024-04-05 12:51:33 +08:00
576087913a nixbld: remove sb from trusted users 2024-04-05 12:51:20 +08:00
38dbad4488 nixops: remove old rpi 2024-02-16 18:10:05 +08:00
219268fcfd desktop: remove fcitx 2024-02-14 16:51:04 +08:00
a2b4e61e1d nixops: add linus to wireshark 2024-02-02 16:32:45 +08:00
22583c7f8e nixbld: enable network scanner 2024-01-23 17:35:29 +08:00
bae181fd7e nixops: install xsane 2024-01-23 17:34:32 +08:00
6a2065399c nixops: remove unused accounts 2024-01-23 13:27:51 +08:00
f372bdb378 nixbld: add morgan account 2024-01-23 13:25:55 +08:00
9389faea2f backup: add dl module 2024-01-17 13:54:42 +08:00
82760bc05d backup: do not store on disk 2024-01-17 13:50:28 +08:00
139f6b3353 backup: skip 2023 mattermost files 2024-01-17 13:50:12 +08:00
c01cea6f7a named: add CAA records everywhere, add IP for zynq board 2024-01-09 08:33:54 +08:00
eddc77e026 nixbld: automatically build and set up netboot nixos installer 2024-01-07 19:13:27 +08:00
b88f91da47 desktop: install kicad 2024-01-02 10:39:06 +08:00
184936f4bc nixbld: remove munin 2023-12-16 13:55:31 +08:00
b5d45edf79 nixbld: remove apparmor
setting up profiles remains a pain
2023-12-16 13:55:11 +08:00
e7c1746832 nixbld: NixOS 23.11 2023-12-16 13:03:19 +08:00
c34d9cc7cf nixbld: host malloctech email 2023-12-13 18:29:51 +08:00
9ca16a2677 nixbld: fix 193thz.com DNS zone 2023-12-13 18:27:46 +08:00
cf893a8a71 desktop: enable armv7l-linux binfmt emulation 2023-12-12 17:26:25 +08:00
e319c2f65c nixbld: enable armv7l-linux binfmt emulation 2023-12-12 17:23:05 +08:00
ec40a17f1c add alternate USB ID for LibreVNA 2023-11-29 14:05:56 +08:00
62897304cc update udev USB devices 2023-11-29 11:09:37 +08:00
68539bcb37 juno: nvidia license 2023-11-28 18:38:59 +08:00
fc3434d3d7 desktop: NixOS 23.11 2023-11-28 14:25:22 +08:00
e9801c8ca3 nixbld: fix hydra job name for msys2 nac3 packages 2023-11-25 17:24:33 +08:00
3cbd3f5bf3 nixbld: try ACME-CAA 2023-11-20 12:01:37 +08:00
b62479ecc1 desktop: 32-bit compat 2023-11-07 20:39:21 +08:00
40b29da7bd desktop: openssl workaround 2023-11-07 20:39:10 +08:00
351229b866 update sb key 2023-11-01 19:22:51 +08:00
b10f158a48 nixbld: update CPU microcode 2023-09-29 11:53:48 +08:00
68333e5616 nixbld: add DNS entries for nasty-gareth.alt 2023-09-28 10:39:08 +08:00
656d4e1901 nixbld: add derppening user 2023-09-20 18:23:27 +08:00
60fe5a91de nixbld: backup 193THz.com 2023-09-06 18:39:17 +08:00
e5257122b1 nixbld: host 193thz.com 2023-09-05 22:04:27 +08:00
a4ebfb23e4 nixops: add derppening user 2023-09-04 10:36:12 +08:00
522accf0a8 nixbld: fix sending email to altnet 2023-09-03 17:23:53 +08:00
6550ad5302 nixbld: debloat backups 2023-08-31 14:15:53 +08:00
ccc08184e4 nixops: update permitted openssl version 2023-08-22 10:34:57 +08:00
4c9d96dae3 nixbld: add HP printer to firewall blocklist 2023-08-08 19:02:59 +08:00
9ebdb06699 nixbld: add dpn user 2023-08-04 19:45:44 +08:00
98072481e7 nixbld: add atse.alt.m-labs.hk 2023-08-04 17:11:36 +08:00
4247301a62 desktop: uninstall xpra 2023-08-02 11:48:50 +08:00
a9ca6a4f7b desktop: uninstall tigervnc 2023-08-02 11:47:37 +08:00
b247c38dc6 desktop: install gqrx 2023-08-02 11:44:05 +08:00
0bd10ba44c avscan: fix OnCalendar string 2023-07-24 14:00:18 +08:00
454130650f add clamav scan 2023-07-21 18:00:01 +08:00
c89551c610 nixbld: open strongswan ports 2023-07-15 14:23:06 +08:00
6ec5e436a2 nixbld: fix altnet routing 2023-07-13 18:25:05 +08:00
4d17e7c293 add VLAN settings 2023-07-13 13:56:19 +08:00
39a6ea69f6 nixbld: altnet setup 2023-07-13 13:56:10 +08:00
c2c7e67549 nixbld: block zyxel cloud switch 2023-07-13 09:35:32 +08:00
4c62ba7f9d nixbld: block hikvision device 2023-07-12 17:41:05 +08:00
257c2dc432 nixbld: fix mysql backup auth 2023-07-07 17:29:24 +08:00
e2c2dbbeeb nixbld: autostart iPXE HTTP boot 2023-07-02 16:31:25 +08:00
a9ee77b9e8 nixbld: serve iPXE on LAN 2023-07-02 16:15:24 +08:00
5034ca20ce nixops: remove den512 user 2023-06-29 18:14:47 +08:00
a6cdeb134c nixops: add atse user 2023-06-20 14:01:32 +08:00
c5cf50be9d nixops: remove twlaw user 2023-06-20 13:58:58 +08:00
dbd20c6418 nixbld: update simple-nixos-mailserver 2023-06-13 10:54:20 +08:00
5b97509351 nixops: add demeter machine 2023-06-07 20:24:20 +08:00
31642415a2 nixops: add morgan user 2023-06-06 16:23:29 +08:00
10405dbcd5 nixops: add juno machine 2023-06-06 16:17:28 +08:00
b810c84f6d nixops: update CPU microcodes 2023-06-06 16:16:35 +08:00
63a01abbc1 add Linus user 2023-06-05 12:04:43 +08:00
2227e816bc nixbld: update dnsmasq settings 2023-06-04 22:40:14 +08:00
6b35c751d8 nixbld: NixOS 23.05 compatibility 2023-06-02 17:36:05 +08:00
7177c0c66a nixops: fix openssl permitted package 2023-06-01 10:08:15 +08:00
5497d5d124 nixops: update users 2023-06-01 10:00:39 +08:00
d21c31aae5 nixbld: add esavkin to lp group 2023-05-31 18:11:18 +08:00
f5837877d2 nixbld: increase nextcloud max upload size 2023-05-30 21:34:36 +08:00
6b36d3280d nixops: nixos 23.05 SSH config 2023-05-24 12:48:41 +08:00
77ba57e8fa disable X11 forwarding (replaced with waypipe) 2023-05-24 12:45:34 +08:00
c4918ac478 nixops: nixos 23.05 compat 2023-05-23 19:53:48 +08:00
ffb286ba05 nixops: work around openssl3 pam_p11 breakage 2023-05-23 17:38:50 +08:00
2f704a7534 desktop: install waypipe 2023-05-03 20:53:49 +08:00
2813d2c8cd desktop: install xournal 2023-04-19 18:15:43 +08:00
5223d9fd89 afws: move more code into module file, use new reload mechanism 2023-04-08 17:49:03 +08:00
0640cfad04 nixbld: increase AFWS WebSocket timeout 2023-04-07 16:02:07 +08:00
6c6f11ed7d nixbld: set up ACME certificate for AFWS 2023-04-07 14:39:05 +08:00
0442916420 nixbld: afws websocket proxy settings 2023-04-05 13:37:35 +08:00
c8c38f79c0 nixbld: set recommendedTlsSettings 2023-04-05 13:37:11 +08:00
b7d9df794e nixbld: close legacy firewall ports 2023-04-05 12:42:42 +08:00
6507e3a679 vscode -> vscodium 2023-04-03 17:49:40 +08:00
933fa8bb84 add flo user 2023-03-27 16:20:11 +08:00
622cc04c5e remove aux config 2023-03-23 15:23:38 +08:00
6d31b77f0e add .ph site 2023-03-23 15:22:25 +08:00
253094dc13 nixops: remove rpi-server 2023-03-14 11:17:52 +08:00
488f5758a3 nixops: prefer LAN cache 2023-03-14 11:17:25 +08:00
66bdf4b939 nixops: remove topquark12 user 2023-03-14 11:16:10 +08:00
ff37c5949e nixbld: add esavkin 2023-03-03 18:29:45 +08:00
22900dc926 nixops: remove creotech user 2023-02-19 17:07:59 +08:00
8ea7b06218 remove therobs12 user 2023-02-16 11:55:29 +08:00
c9f774d011 nixbld: install labelprinter 2023-02-10 18:26:12 +08:00
28902ae068 nixops: fix gnome-keyring/ssh-agent conflict, install geary on desktops 2023-02-02 17:23:08 +08:00
5a6e269605 nixops: add users 2023-02-01 16:57:46 +08:00
1782a41ce6 nixops: remove wlph17 user 2023-02-01 16:43:35 +08:00
9babd68652 nixbld: give backupdl access to nextcloud 2023-01-31 15:41:15 +08:00
b3f5f687aa nixbld: cleanup backupdl keys 2023-01-30 16:14:12 +08:00
af27584100 nixbld: remove topquark12 user 2023-01-30 16:12:13 +08:00
4c7a2dfce3 nixbld: label printer permissions 2023-01-30 16:12:00 +08:00
30fa569bdc nixbld: block more insecure devices 2023-01-30 16:08:27 +08:00
9dee7c1888 nixbld: update backupdl key 2023-01-29 20:19:05 +08:00
0faa05aec3 nixbld: add back qnetp DNS 2023-01-29 18:29:16 +08:00
21a7d1c36e nixbld: update LAN AAAA records 2023-01-29 18:01:31 +08:00
faff3a5eef nixbld: relocation 2023-01-29 12:11:31 +08:00
3210289ebf fix *.mil DNS lookups 2023-01-28 09:54:13 +08:00
dd0ebf1c47 nixbld: move to he.net DNS 2023-01-27 14:48:14 +08:00
2c770e9929 nixbld: better workaround against crappy registrar without glue records
PCCW's static.imsbiz.com is wonky and not always available for all IPs, so stop using it.
2023-01-16 16:07:58 +08:00
06db9dd054 franz: intel_idle is still buggy 2023-01-04 11:54:41 +08:00
fb54880765 nixbld: start rt-fetchmail after dovecot 2023-01-04 11:54:30 +08:00
ea0b7d6dc7 nixbld: enable POP3 2022-12-25 11:07:02 +08:00
3b224c56aa nixbld: ignore local IP for fail2ban 2022-12-24 15:42:35 +08:00
755bfaf593 aux: fix plugdev group 2022-12-20 10:32:32 +08:00
162ad28a52 hydra: allow eval from duke gitlab 2022-12-17 14:58:35 +08:00
141f303a09 desktop: install jinja2 and latex 2022-12-14 23:20:30 +08:00
a0f39a611c aux: add sb to plugdev 2022-12-14 18:28:36 +08:00
0052d22c9e aux: label printer permissions 2022-12-10 19:17:33 +08:00
dbc9f4c68d remote setup 2022-12-10 19:17:22 +08:00
f518eb1470 nixops: remove esavkin temp key 2022-12-06 14:24:43 +08:00
8f138ca016 nixops: add srayman89 user 2022-12-06 14:22:17 +08:00
15d99bc68b nixbld: persist DNSSEC private key
https://github.com/NixOS/nixpkgs/issues/204391
2022-12-05 10:00:35 +08:00
70a7ce5d30 nixbld: remove obsolete ssh key 2022-12-03 17:14:23 +08:00
2af492e37e nixbld: NixOS 22.11 2022-12-03 16:29:32 +08:00
3e0fb18e8c aux: update network driver 2022-11-29 10:35:36 +08:00
9930b9a6df nixops: nixos 22.11 2022-11-29 10:14:26 +08:00
530108554c nixops: remove obsolete config 2022-11-29 10:12:35 +08:00
31a877fdd3 aux: nixos 22.11 2022-11-22 11:55:22 +08:00
bfeea65383 aux: scanning 2022-11-18 15:20:18 +08:00
88dd1a5fc4 nixbld: update therobs shell 2022-11-11 17:58:10 +08:00
cecda7e28b nixbld: update users 2022-11-11 17:46:10 +08:00
2d9b7767a6 nixbld: enable aarch64-linux binfmt emulation 2022-11-09 21:14:11 +08:00
a7450362ce aux: ipv6 2022-11-04 16:45:29 +08:00
fb745a11e3 nixbld: new msys2 repos 2022-11-03 19:09:35 +08:00
150fac48bf nixops: remove yuk user 2022-11-01 08:15:39 +08:00
9624dec47a nixops: use wayland versions of thunderbird and firefox 2022-10-21 11:49:46 +08:00
d061a3386c nixops: add wlph17 user 2022-10-17 21:53:59 +08:00
e31c796266 simplify aarch64 nix remote builds 2022-10-14 19:38:12 +08:00
2448fe7d20 aux: use 192.168.1.x on LAN
match default ARTIQ core device IPs
2022-10-02 14:24:32 +08:00
bc848547fd aux: chiron port redirect 2022-09-30 17:39:07 +08:00
0c8019516d nixbld: fix bind DNSSEC configuration for new version
https://gitlab.isc.org/isc-projects/bind9/-/issues/3554
2022-09-30 16:46:39 +08:00
98f8183f0a aux: block more devices 2022-09-28 19:00:12 +08:00
bace5b59aa nixops: old-nixbld amd gpu 2022-09-28 12:08:31 +08:00
9868d51ec5 nixops: new old-nixbld hardware 2022-09-27 19:53:23 +08:00
b9299a79a1 nixops: temporary ssh key for esavkin 2022-09-27 11:19:09 +08:00
d2bfca1f25 nixbld: serve nmigen docs 2022-09-27 11:07:13 +08:00
74f56f7ccc aux: add backupdl 2022-09-24 09:07:55 +08:00
a3edbfa316 aux: nix settings 2022-09-23 11:39:17 +08:00
50b7482100 aux: install nixops 2022-09-23 11:39:06 +08:00
afcd0f8c0a aux: remove ssh reverse proxy 2022-09-23 11:03:06 +08:00
4ca9ef4e73 aux: block insecure devices 2022-09-23 11:02:56 +08:00
4f78630024 aux: new network card 2022-09-23 11:02:44 +08:00
9bc617a019 nixbld: fix munin auth 2022-09-23 11:00:49 +08:00
4b23f8d66f nixbld: update DNS zone 2022-09-23 10:58:41 +08:00
9216ef519e nixops: remove juno machine 2022-09-23 10:55:44 +08:00
97ba57fbcd aux: replace garbage r8169 driver from mainline kernel 2022-09-23 09:55:32 +08:00
e2e4b0842a nixbld: add yuk account 2022-09-21 10:12:25 +08:00
de8809f52a aux: fix printer sharing 2022-09-20 09:21:16 +08:00
0ce1e64d60 rpi-server: remove cups 2022-09-19 15:57:44 +08:00
47be5dc72e nixops: add esavkin user 2022-09-19 10:43:44 +08:00
a815367e07 nixops: remove cnc machine 2022-09-19 10:35:50 +08:00
dba987be15 aux: ssh reverse proxy
https://spoton.cz/index.php/2017/12/04/reverse-ssh-proxy-with-systemd/
2022-09-17 19:41:19 +08:00
e15b25055b add aux router configuration 2022-09-17 19:22:48 +08:00
382c8bfaab nixbld: add aux key for backupdl 2022-09-17 19:19:00 +08:00
ac022776e7 nixbld: SSH reverse proxy setup 2022-09-17 19:13:54 +08:00
e9b02d0c72 nixbld: disable kk105 account 2022-09-13 08:50:16 +08:00
e75b5959c2 nixops: install inkscape 2022-09-13 08:50:05 +08:00
e29943f3f8 nixops: remove joplin 2022-09-02 18:11:12 +08:00
f8e01cab2b nixops: install vscodevim 2022-09-02 18:11:05 +08:00
8f32828342 nixops: remove user accounts 2022-09-02 18:10:40 +08:00
cd215e9e66 nixbld: backup hedgedoc 2022-09-02 18:10:17 +08:00
663e030aa8 nixbld: update named zone serial 2022-09-01 11:39:56 +08:00
365ec54358 nixbld: install hedgedoc 2022-09-01 11:39:47 +08:00
20175f7bc0 nixbld: rfc2181 forbids mx cname 2022-09-01 10:55:31 +08:00
66a517c64a add yuk user 2022-08-29 14:29:41 +08:00
05cf3524f0 nixops: remove z78078 user 2022-08-17 18:17:23 +08:00
dc8db5fbee rfq: do not write email password to the Nix store 2022-08-13 11:43:01 +08:00
dc08412ba2 update email settings 2022-08-13 11:22:01 +08:00
13bfee7be2 switch email server 2022-08-13 10:25:53 +08:00
a517d429ab work around Google DNS geolocation fuckup 2022-08-12 18:37:42 +08:00
077e963d4a nixops: cnc reinstall 2022-08-10 15:04:00 +08:00
7dc4866314 nixbld: more email setup 2022-08-09 17:45:26 +08:00
5f7cb6113e nixbld: block siglent internet 2022-08-03 12:52:26 +08:00
a147bb3883 nixbld: add topquark12 2022-07-31 19:40:45 +08:00
80ee7911cd nixbld: disable jitsi
Jitsi is bloated and overly complex, and the NixOS package is too limited.
https://discourse.nixos.org/t/setting-up-authentication-on-a-jitsi-server/17549
2022-07-25 18:33:40 +08:00
66d7dd6efe nixbld: enable more fail2ban filters 2022-07-25 18:33:24 +08:00
93a40ea87d nixbld: reduce gitea spamminess 2022-07-25 18:33:08 +08:00
96537e1fb7 rpi-ext: bind cups to localhost 2022-07-20 17:50:01 +08:00
eb42f0718c nixops: wifi on rpi4 needs pkgs.linuxPackages_rpi4 2022-07-12 17:01:38 +08:00
e5250c88fb nixbld: web/hydra setup for flakes in ARTIQ stable 2022-07-08 19:00:38 +08:00
276d651b96 nixops: use correct openocd package for rpi 2022-07-08 11:34:52 +08:00
ef492c5710 rpi: hardware patch for fan 2022-07-07 17:49:15 +08:00
048863593a nixbld: remove obsolete ACME workaround 2022-07-04 16:22:40 +08:00
328a85c504 nixbld: install nextcloud 2022-06-30 17:33:09 +08:00
3ef19cbe93 nixbld: m-labs.hk DNS zone 2022-06-28 14:44:14 +08:00
6333165321 nixbld: setup email server for m-labs.hk 2022-06-27 18:17:30 +08:00
8bc44199fc nixbld: make bind CLI tools available 2022-06-27 18:16:38 +08:00
66a7a29b0a nixbld: do not create backups during ZFS scrubs 2022-06-27 18:15:57 +08:00
cef6b7263a nixbld: backup mail 2022-06-27 18:15:47 +08:00
08ab958a76 nixbld: use semi-automatic DNSSEC 2022-06-27 13:08:16 +08:00
3909d7428d nixbld: DNS server (WIP) 2022-06-26 16:57:17 +08:00
70ad63ca56 nixbld: block internet access on insecure device 2022-06-23 15:33:37 +08:00
836d01b0c0 nixops: add z78078 user 2022-06-19 14:21:14 +08:00
6cb5c84a9b nixbld: enable mail server again 2022-06-18 13:58:51 +08:00
2df3b02f29 xc3sprog fixed 2022-06-17 16:06:16 +08:00
60e00349ee nixops: new disk in juno 2022-06-17 12:48:08 +08:00
7f599bdbc9 nixbld: remove gitea patch (merged upstream) 2022-06-07 10:17:15 +08:00
ae5e85d611 nixbld: re-add networked derivations patch 2022-06-04 13:52:21 +08:00
429cbb0c8d add garywan user 2022-05-31 17:48:16 +08:00
964e7cfe99 nixops: disable ca-derivations
https://github.com/NixOS/nixpkgs/issues/174900
2022-05-27 19:02:23 +08:00
a93565d9cc nixops: add wongwaiki user 2022-05-27 17:49:14 +08:00
f5b533d2d5 nixops: install guake 2022-05-27 17:49:00 +08:00
3003183e25 nixops: use artiq flake for openocd 2022-05-26 19:30:23 +08:00
75987781f5 nixops: nixos 22.05 (WIP) 2022-05-26 13:18:48 +08:00
5f1ff14380 afws_module: fix nix command 2022-05-26 13:05:34 +08:00
5354daf585 nixbld: NixOS 22.05 2022-05-26 12:12:14 +08:00
cb75072f15 nixbld: add kk105 2022-05-26 10:57:19 +08:00
84a22c0232 nixops: create kk105 account 2022-05-14 15:56:36 +08:00
b2a2cdb963 nixops: adjust groups 2022-05-14 15:56:26 +08:00
708582f2f7 hera: remove libvirt bridge 2022-05-07 19:32:27 +08:00
da3a82a52d nixbld: add spaqin 2022-05-06 16:55:00 +08:00
aba22c34ca nixbld: add nkrackow 2022-05-05 19:23:40 +08:00
2f418aa01e remove user accounts 2022-05-01 10:20:00 +08:00
a58a613418 nixbld: add .science tld 2022-04-14 12:17:22 +08:00
61c008ff43 nixbld: publish msys2 repos on web 2022-04-05 11:14:17 +08:00
7a14264be4 hydra: fix msys2 icon 2022-04-04 15:39:28 +08:00
fd09cd0c00 nixops: add wylited account 2022-04-04 15:05:52 +08:00
a8d28d2cbc hydra: add msys2 type 2022-04-04 15:05:39 +08:00
e1e723ece5 nixbld: backup afws 2022-03-20 10:49:59 +08:00
28ca789aae nixbld: use flake output for beta conda channel 2022-02-12 18:50:08 +08:00
0c04f014d7 nixbld: use sipyco flake output for manual 2022-02-12 11:23:19 +08:00
d4c36b8cfd nixbld: use ARTIQ flake output for manual 2022-02-12 10:19:15 +08:00
0b8aa97192 nixbld: run AFWS server 2022-02-07 14:31:37 +08:00
322d267caf hydra: update evalSettings.allowedUris 2022-02-07 14:31:21 +08:00
a270418cfc nixbld: exclude new gitea archive location from backups 2022-02-02 10:53:11 +08:00
c1fc3575b2 welcome back topquark12 2022-01-24 11:18:42 +08:00
38438ef25a add therobs12 to libvirtd 2022-01-19 18:40:23 +08:00
c19dac833d update tom's key 2022-01-19 18:38:18 +08:00
2b1f416d90 nixops: newer kernel for NUC 2022-01-17 18:51:08 +08:00
995f8897a4 nixbld: work around hidden hydra sudo dependency 2022-01-17 18:48:23 +08:00
8e20a3df6e nixbld: update gitea templates 2022-01-04 15:17:17 +08:00
e01a0c6802 nixops: fix spice-client-glib-usb-acl-helper 2022-01-03 17:24:34 +08:00
910506d3e4 nixbld: enable fail2ban 2022-01-03 14:34:57 +08:00
ec7e9209f5 nixbld: improve root account security 2022-01-03 13:46:57 +08:00
f8f816f723 nixops: remove harry account 2021-12-18 13:10:22 +08:00
9984369a50 nixops: upgrade hitl key to ssh-ed25519 (2) 2021-12-03 18:34:09 +08:00
a2b6f63b34 nixops: upgrade hitl key to ssh-ed25519 2021-12-03 18:00:11 +08:00
b70908f864 nixbld: restrict maxJobs again to avoid Vivado OOM 2021-12-03 11:03:36 +08:00
9013af9e92 nixops: use kernel 5.14 for nuc 2021-12-02 11:03:41 +08:00
d46fde5bf2 nixops: nixos 21.11 WIP 2021-12-01 22:09:51 +08:00
5e8606a74e nixops: fix old-nixbld graphics driver 2021-12-01 20:27:54 +08:00
a0cb49b59d nixbld: nixos 21.11 2021-12-01 18:11:06 +08:00
628e5fb9d7 nixbld: cleanup buildMachines 2021-11-25 10:42:01 +08:00
e8527e496b nixbld: include rt in backups 2021-11-25 00:15:09 +08:00
c5c22da2ba nixbld: update nixops 2021-11-24 23:57:18 +08:00
8114dcfb6d nixbld: remove memtest86 2021-11-24 23:57:06 +08:00
29830b0ae9 nixbld: more frequent backups 2021-11-24 23:56:48 +08:00
3e2061c47b nixbld: fix rt group 2021-11-23 13:52:00 +08:00
f5ff63b74b nixbld: remove hkadmin 2021-11-22 12:19:00 +08:00
ae6915ab44 nixbld: fix RT startup 2021-11-22 12:18:06 +08:00
813b4831c6 nixbld: cleanup 2021-11-22 12:17:58 +08:00
c75cf3456b nixbld: improve backup
include Mattermost attachments
stop using expensive and insecure dropbox
2021-11-16 14:21:59 +08:00
f8a30b55a8 nixops: update user shell 2021-11-12 15:26:10 +08:00
7342601788 nixbld: add occheung user 2021-11-11 12:12:46 +08:00
8ff694ca8d nixops: fix system.stateVersion 2021-10-31 16:09:08 +08:00
f56cc392d7 nixops: install joplin 2021-10-30 15:19:11 +08:00
bcc5502ec6 rt: prevent text attachments from appearing inline on web interface 2021-10-27 12:20:08 +08:00
71b49ba6fe nixops: use latest kernel for NUC
fixes video driver bug
2021-10-25 21:37:38 +08:00
0e3b1faed8 nixops: disable iwlwifi garbage
Won't connect to a network for more than 5 minutes and is a constant source of memory corruption.
2021-10-25 21:04:49 +08:00
1ce672bb31 nixops: add franz machine 2021-10-25 19:06:37 +08:00
92e373ac93 update users 2021-10-14 12:46:04 +08:00
00d29eba4d nixbld: install borgbackup 2021-09-18 16:35:25 +08:00
f09ca8b0c1 nixops: give stevefan1999 wireshark permission 2021-09-17 12:22:09 +08:00
427b0def7f nixops: enable libvirt bridge on hera 2021-09-13 12:35:04 +08:00
38b83ee8d9 nixops: add stevefan1999 user 2021-09-13 11:28:39 +08:00
e9f41e2746 nixops: install yubico-piv-tool 2021-09-13 10:06:35 +08:00
3318ea9b38 nixops: add old-nixbld machine 2021-09-03 19:02:07 +08:00
82e161dba3 hydra: hack-patch allowed URIs to work around Nix issue #5039 2021-09-01 19:59:23 +08:00
1093e326e5 nixops: remove starchen user 2021-09-01 10:31:19 +08:00
0d06d7b819 nixops: create new accounts 2021-08-30 16:07:21 +08:00
afa961ddfa remove leo user 2021-08-21 16:34:02 +08:00
593a90184b remove kai user 2021-08-21 16:33:07 +08:00
4ce9c2a718 nixbld: enable flakes 2021-08-18 14:53:01 +08:00
b21d20edb0 nixops: enable nix flakes on desktop machines 2021-08-16 16:39:11 +08:00
48be2c6edc nixops: remove topquark12 user 2021-08-16 16:17:02 +08:00
c96b3793c4 rt: persistent sessions 2021-08-12 13:39:53 +08:00
63250304d2 rt: fix default queue (2) 2021-08-11 16:01:32 +08:00
89dd90075e rt: fix default queue 2021-08-11 15:35:23 +08:00
223ab96b5a nixbld: fix RT SSL 2021-08-11 12:02:33 +08:00
0e548d1eff nixbld: handle incoming RT emails 2021-08-11 11:57:05 +08:00
e3578011a5 rt: email setup WIP 2021-08-11 10:54:24 +08:00
d9536ff5db rt: fix API security problem 2021-08-11 10:54:12 +08:00
a385c2db4b rt: stop using tmpfiles for db password file permissions 2021-08-11 10:53:48 +08:00
a97302a80a nixbld: RT working, no mail 2021-08-10 21:28:14 +08:00
ef3544f8f3 nixbld: publish conda channel archives 2021-08-10 19:08:25 +08:00
b008838cd2 nixops: open UDP port for Stabilizer experiments 2021-08-10 10:43:19 +08:00
977cccc997 nixbld: fix hooks page breaking github backups
https://github.com/josegonzalez/python-github-backup/issues/176
2021-08-09 13:46:46 +08:00
01212b4e51 nixbld: install iw and nvme-cli 2021-08-09 13:32:37 +08:00
adccf47d3c nixbld: wifi problems 2021-08-09 13:32:18 +08:00
7d073e371c nixbld: add github backups 2021-08-07 17:47:16 +08:00
4c394a0976 nixbld: wifi problems 2021-08-07 17:45:53 +08:00
a0f445b0dd nixbld: remove old flarum files 2021-08-07 13:47:26 +08:00
9474dfa3a2 nixbld: fix stateVersion 2021-08-07 13:19:47 +08:00
58252a93a4 nixbld: new server 2021-08-07 12:24:31 +08:00
5f0d45a73a rpi: create nixbld user for HITL CI 2021-08-04 10:24:18 +08:00
b7a49505bc nixbld: end mailserver experiment
This was going well, until some assholes at Gmail decided to block our IP address and as usual PCCW are useless when it
comes to changing to a whitelisted IP.

https://support.google.com/mail/answer/10336?p=NotAuthorizedError

Fuck Google.
Fuck PCCW.
2021-08-02 13:32:29 +08:00
7821200a58 nixops: add spaqin account 2021-07-17 16:42:39 +08:00
4352b447c3 nixops: add sb to trusted nix users 2021-07-13 16:55:51 +08:00
ad0e54c927 add udev rule for logic analyzer 2021-07-07 16:21:07 +08:00
37050259d0 Revert "nixops: add harry to wheel group"
This reverts commit f1adab58ad.
2021-07-07 16:19:31 +08:00
311fc5edf6 common-users: ssh key for root 2021-06-16 11:54:38 +08:00
a13d579c9b rpi-server: fix cups startup 2021-06-15 15:18:14 +08:00
c828cf290d rpi-server: disable audio 2021-06-15 14:32:29 +08:00
d032757901 replace stdenv.lib. Closes #19 2021-06-15 10:12:01 +08:00
b7cef86473 nixbld: nixos 21.05 2021-06-07 09:56:05 +08:00
7621f7d8b7 nixops: create plugdev group on rpi-ext 2021-06-04 16:35:31 +08:00
4704f1257d Revert "nixops: add ychenfo temporary key"
This reverts commit dc1286251b.
2021-06-04 15:51:42 +08:00
8647914897 nixops: install imagemagick on rpi-server 2021-06-04 14:06:05 +08:00
8924e769f0 nixops: work around devicetree breakage in nixpkgs
This reverts the effects of nixpkgs commit 6c9df40a4bc819fcab0836ad28ee944c8ce66db0
and restores the old behavior.
2021-06-03 07:17:55 +08:00
ba53cfcc8c nixops: add common udev rules on rpi-server 2021-06-02 17:25:32 +08:00
d38b89efc2 nixops: nixpkgs 21.05 compatibility 2021-06-02 08:57:07 +08:00
8eded4637b nixops: optimize deployment 2021-06-02 08:56:36 +08:00
dc1286251b nixops: add ychenfo temporary key 2021-06-01 10:11:54 +08:00
4542ea1f45 add geekzjk user 2021-05-31 12:17:55 +08:00
19a69a14d6 nixops: add starchen user 2021-05-28 16:07:18 +08:00
3b4f5d27c8 nixbld: reduce zfs scrub frequency 2021-05-28 16:07:09 +08:00
573ab0102e nixops: disable suspend more aggressively 2021-05-25 17:19:04 +08:00
f4e618ae9b nixops: cleanup 2021-05-25 17:18:49 +08:00
f1adab58ad nixops: add harry to wheel group 2021-05-25 09:26:22 +08:00
82b257d054 Revert "nixops: remove occheung user"
This reverts commit 3a3f14e5c1.
2021-05-25 09:24:07 +08:00
fb691ae3d6 nixops: create ychenfo user 2021-05-21 13:28:28 +08:00
811778fe9e nixops: create kai user 2021-05-17 15:57:02 +08:00
4fc5d2e56a nixbld: fix gitea logo 2021-05-13 15:51:50 +08:00
2f8d46d872 nixbld: update for newer hydra (2021-05-03) 2021-05-13 15:46:52 +08:00
7b6ed95090 nixbld: disable Nix flarum module
hacky and buggy

https://github.com/NixOS/nixpkgs/pull/96869
2021-05-06 10:09:26 +08:00
9185cdcec1 nixbld: update flarum deps 2021-05-06 06:41:32 +08:00
a680baed40 nixbld: fix hydra-send-stats 2021-04-24 18:19:33 +08:00
be8881892f nixbld: upgrade flarum and remove unused extensions 2021-04-24 18:13:44 +08:00
82934c8498 rpi: fix more PCIe/USB breakage 2021-04-24 17:13:05 +08:00
536a134b32 nixbld: Hydra sysbuild patch merged upstream
https://github.com/NixOS/hydra/issues/784
2021-04-24 17:08:04 +08:00
43005f0f65 nixbld: update Nix patches 2021-04-24 17:07:14 +08:00
5e455cf60d rpi-1: broke and replaced with v4 hardware 2021-04-24 17:06:52 +08:00
88c8dafe53 rpi-server: fix USB/PCIe breakage 2021-04-17 16:56:36 +08:00
4d0768364a nixops: install evince on light setup 2021-04-12 21:14:41 +08:00
4d01bfc6e0 update users 2021-04-12 21:13:24 +08:00
86c840d7f0 nixbld: minor flarum updates, install FoF/subscribed 2021-04-05 14:20:26 +08:00
7d04f99e33 nixbld: implement fbda8b064 correctly 2021-04-05 00:08:44 +08:00
81c1dcf138 add vivek to experimental users 2021-03-31 20:14:34 +08:00
b56510dbbf nixops: fix command-not-found 2021-03-29 14:01:46 +08:00
4773c9c387 nixops: cleanup rpi bootloader setup 2021-03-28 20:42:59 +08:00
713e3cb635 nixops: udev rules on light.nix 2021-03-23 16:28:01 +08:00
1900c497f9 Revert "add glados to experimental users"
This reverts commit bb6db330c3.
2021-03-22 12:59:32 +08:00
ce3b5f5bea rpi-ext: allow printing from ext wifi 2021-03-19 15:47:11 +08:00
94aecce3e2 rpi-ext: better security 2021-03-17 20:58:47 +08:00
42e67398bf rpi-ext: audio server 2021-03-17 18:39:46 +08:00
fbda8b0643 nixbld: disable IPv6 DAD
dnsmasq silently stops sending RAs on interfaces where DAD has kicked in, which creates very annoying obscure network
problems for everyone (e.g. IPv6 default route deleted 30min after boot) when an address conflict has occurred,
even after the address conflict is no longer present.
nixbld should have authority on LAN IP addresses anyway.
2021-03-14 17:04:39 +08:00
58f613a2cf nixops: add label printer to plugdev 2021-03-11 12:56:17 +08:00
e99fd13de5 fish-nix-shell -> any-nix-shell 2021-03-10 18:38:59 +08:00
bb6db330c3 add glados to experimental users 2021-03-07 16:51:07 +08:00
dbc288c813 fix IP for rpi-5, rename to rpi-ext 2021-03-05 18:57:20 +08:00
4da3cd5325 nixops: static IP for rpi-5 2021-03-04 17:19:13 +08:00
f42fc3b986 nixops: create ext wifi network 2021-03-04 15:54:55 +08:00
a2a7b7458f nixbld: route ext wifi network 2021-03-04 15:54:41 +08:00
c500ddfca7 nixops: add guest account 2021-02-28 13:48:08 +08:00
688b8f2172 nixops: install libvirtd 2021-02-28 13:31:13 +08:00
14b3060964 nixops: add leo to plugdev/dialout 2021-02-24 11:19:51 +08:00
72645fa687 Revert "add nisrine to experimental users"
This reverts commit 3dbab390ae.
2021-02-19 23:32:58 +08:00
ed9746f3f4 nixbld: set up artiq-legacy 2021-02-17 16:09:20 +08:00
3a3f14e5c1 nixops: remove occheung user 2021-02-01 19:42:38 +08:00
ade7b63e55 nixops: enable rpi fans 2021-02-01 19:33:35 +08:00
3dbab390ae add nisrine to experimental users 2021-01-30 17:26:30 +08:00
374e1fff24 rpi: allow client-specified SSH bind 2021-01-28 16:05:15 +08:00
ed42476712 nixbld: work around Gitea token syntax problem (#14) 2021-01-27 11:59:10 +08:00
6d7235dfc4 nixbld: freeze nixos-mailserver commit 2021-01-26 18:26:17 +08:00
e5b8b37bed nixbld: update secret_permissions 2021-01-26 18:19:06 +08:00
e94fc3ea85 hydra: add patch for, configure giteastatus plugin
Fixes M-Labs/nix-scripts#32
2021-01-25 21:17:54 +01:00
6ef06b5d0b nixops: open port 6000 on rpi2 2021-01-23 18:56:22 +08:00
169876e211 nixbld: add account creation note to gitea signin page 2021-01-23 17:20:05 +08:00
b03087717a nixops: rpi-5 server (WIP) 2021-01-13 17:31:44 +08:00
7cf7847a81 nixops: add creotech to experimental users 2021-01-12 22:16:52 +08:00
6bc5b75ccb nixbld: fix gitea errors 500
https://github.com/go-gitea/gitea/issues/14274
2021-01-11 16:19:30 +08:00
775e4573b7 Revert "nixops: switch to grub"
Tickles UEFI bugs in EFI motherboards

This reverts commit 4a758ec029.
2021-01-03 16:01:15 +08:00
5fcc2a8548 Revert "nixops: install libvirtd, add virtualized-gpu specialisation"
doesn't work on MSI motherboards

This reverts commit b2382ad8b4.
2021-01-03 15:57:23 +08:00
255f8f4d8a nixops: update users 2020-12-21 16:40:27 +08:00
b2382ad8b4 nixops: install libvirtd, add virtualized-gpu specialisation
for running Windoze trashware that non-software engineers love
2020-12-21 16:39:18 +08:00
4a758ec029 nixops: switch to grub
Grub supports selecting specialisations at boot time.
2020-12-21 16:38:09 +08:00
483f49cdcd nixops: cleanup 2020-12-21 16:36:37 +08:00
1fa9caf1b8 nixbld: work around nixos bug with acme and local dns resolver
https://github.com/NixOS/nixpkgs/issues/106862
2020-12-21 13:04:24 +08:00
6379ae6886 nixops: sync nix channel 2020-12-12 15:01:38 +08:00
d963c7936a Revert "nixops: virtualbox"
This reverts commit bcae762e1e.
2020-12-12 14:27:43 +08:00
55b74b62b7 nixops: remove dsleung user 2020-12-01 16:46:41 +08:00
bcae762e1e nixops: virtualbox 2020-11-24 19:33:52 +08:00
c10f5c256d nixops: update experimental users 2020-11-24 19:32:05 +08:00
5ea921f80f nixbld: disable openhardware.hk 2020-11-06 15:05:33 +08:00
5322347cb2 nixbld: fix acme permissions 2020-11-06 14:58:35 +08:00
be704047e7 nixops: nixos 20.09 2020-11-06 14:33:07 +08:00
cffeaeba23 nixbld: nixos 20.09 WIP 2020-11-06 14:33:07 +08:00
b10ee89454 nixbld: update Nix unstable patch for networked derivations
Fixes Gitea issue #7
2020-11-05 17:22:26 +01:00
8f62706b08 nixbld: update users 2020-10-27 14:57:07 +08:00
e9379d3b88 nixops: update experimental users 2020-10-22 20:18:47 +08:00
9cd9eb43f4 nixbld: add static IPs for cora and rust-pitaya 2020-10-14 12:53:51 +08:00
ae27312e53 nixops: update experimental users 2020-10-14 10:14:31 +08:00
dfa0cc7fea nixops: use 20.09 for unstable packages 2020-10-13 16:30:31 +08:00
eb78ee2a7d nixops: install sshfs on rpi 2020-10-13 16:30:14 +08:00
3738849e22 nixops: delete old experimental user accounts 2020-10-13 14:13:26 +08:00
aa8bdf47a0 nixops: add yrw to experimental users 2020-10-13 14:13:11 +08:00
eb83761291 nixops: add fpn to experimental users 2020-10-08 09:00:42 +08:00
444d74a7a5 nixops: temporarily add Tom's old SSH key again 2020-10-07 15:39:31 +08:00
4ec72130b1 nixbld: add Nix unstable patch for networked derivations
Fixes Gitea issue #7
2020-10-06 00:45:56 +02:00
71c611a6ad nixops: remove cw user 2020-09-30 17:48:23 +08:00
b095a9aa50 nixops: add jim to experimental users 2020-09-18 12:44:01 +08:00
9de37e4f53 nixops: install sshfs 2020-09-17 18:14:55 +08:00
91d1e91d4f nixops: add cp to experimental users 2020-09-11 19:39:27 +08:00
f184d1bf9e nixops: add gs to experimental-users 2020-09-11 15:28:41 +08:00
1dc91fc77f nixops: install uhubctl on rpi 2020-09-11 15:27:25 +08:00
9717fb7b59 nixops: share extra udev rules 2020-09-11 15:27:01 +08:00
3c865cca8b nixops: set up uhubctl for power cycling shitty embedded devices 2020-09-10 11:13:32 +08:00
1adcc243f8 nixops: update experimental users 2020-09-09 11:27:15 +08:00
0ce37aa008 nixops: add experimental users 2020-09-08 13:34:36 +08:00
d7e62e48e5 nixops: update permissions and ssh keys 2020-09-04 18:17:08 +08:00
568bbecd90 nixops: allow plugdev access to dfu/booster 2020-09-03 19:36:55 +08:00
988939bffd nixops: open mqtt port on desktop machines 2020-09-03 19:36:37 +08:00
8ad847c7fa hydra: configure githubstatus plugin
Part of M-Labs/nix-scripts#32
2020-09-02 19:55:15 +02:00
e3690e50f0 nixbld: enable gitea code search 2020-08-31 17:39:28 +08:00
24e1201ab1 flarum: init 2020-08-22 02:25:43 +02:00
b8dae38b00 update SSH keys 2020-08-18 14:47:11 +08:00
4d8214d00e nixbld: open firewall for jitsi-videobridge 2020-08-03 15:32:06 +08:00
420796a547 nixbld: install jitsi 2020-08-03 15:19:56 +08:00
5322606804 disable homu
Not used anymore.
2020-08-02 20:44:01 +08:00
c6c392d10f Revert "hydra: move store to zfs"
This is a mess: https://github.com/NixOS/hydra/issues/796

This reverts commit ac2ea5621d.
2020-07-29 19:03:34 +08:00
c49e1fbade nixbld: also store backups on zfs tank 2020-07-27 20:28:34 +08:00
bb1320e576 users: add tom 2020-07-27 17:39:33 +08:00
ac2ea5621d hydra: move store to zfs 2020-07-26 23:53:04 +08:00
2cdff2b132 nixbld: turn on zfs autosnapshot 2020-07-26 22:29:38 +08:00
d2f7181a1f nixbld: continue zfs setup 2020-07-26 22:21:31 +08:00
deaf3e9e75 nixbld: enable ZFS 2020-07-25 19:21:41 +08:00
25c87f2daa add GPG key for pca006132 2020-07-23 14:56:06 +08:00
29984c6af6 nixops: enable wireshark gui on desktop 2020-07-18 10:21:10 +08:00
56b7218bba nixops: enable mosh 2020-07-18 10:16:11 +08:00
a860e94c5f nixops: add dpn to wireshark group 2020-07-18 10:13:23 +08:00
b645a2e965 desktop: install xpra 2020-07-15 18:25:06 +08:00
bebfe728de nixops: set StreamLocalBindUnlink 2020-07-15 12:32:57 +08:00
b29ee1d386 users: add dpn 2020-07-15 01:10:36 +08:00
cface475b0 add astro to wireshark group 2020-07-14 16:51:03 +08:00
8e61a3a80c nixops: add occheung to wireshark group 2020-07-10 18:30:18 +08:00
9ece86e653 nixops: changed pca006132's shell to zsh 2020-07-09 15:55:48 +08:00
dc2cfa2fdb nixops: enable network.enableRollback
This avoids rebuilding everything if GC has been run between deploys.
https://github.com/NixOS/nixops/issues/272
2020-07-06 12:36:56 +08:00
e0e00de13e nixops: add udev rule for stm32 devkit 2020-07-06 11:01:48 +08:00
805a3e33ad nixbld: add Nix 'networked' derivations
This obsoletes the fixed-output derivation hack previously used on Hydra, and the associated retry patch.
2020-07-04 16:02:30 +08:00
5e4582bebe add cw user 2020-07-03 12:51:07 +08:00
75 changed files with 12905 additions and 1864 deletions

56
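--- a/backupdl-module.nix
+++ b/backupdl-module.nix
@@ -0,0 +1,56 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+makeBackup = pkgs.writeScript "make-backupdl" ''
+#!${pkgs.bash}/bin/bash
+set -e
+export PATH=${pkgs.rsync}/bin:${pkgs.openssh}/bin
+FILENAME=backup-`${pkgs.coreutils}/bin/date +%F`.tar.bz2.gpg
+ssh nixbld.m-labs.hk mlabs-backup > /hdd/backupdl/backupdl/$FILENAME
+rsync -az nixbld.m-labs.hk:/var/lib/nextcloud/data /hdd/backupdl/nextcloud
+'';
+cfg = config.services.backupdl;
+in
+{
+options.services.backupdl = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = "Enable backups";
+};
+};
+config = mkIf cfg.enable {
+systemd.services.backupdl = {
+description = "Nixbld backups download";
+serviceConfig = {
+Type = "oneshot";
+User = "backupdl";
+Group = "backupdl";
+ExecStart = "${makeBackup}";
+};
+};
+users.users.backupdl = {
+name = "backupdl";
+group = "backupdl";
+description = "Nixbld backups download";
+isSystemUser = true;
+createHome = true;
+home = "/hdd/backupdl";
+useDefaultShell = true;
+};
+users.extraGroups.backupdl = {};
+systemd.timers.backupdl = {
+description = "Nixbld backups download";
+wantedBy = [ "timers.target" ];
+timerConfig.OnCalendar = "wednesday,sunday *-*-* 08:00:00";
+};
+};
+}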
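Review bot: A failed or interrupted `ssh` in `makeBackup` leaves a truncated file under the final `backup-<date>.tar.bz2.gpg` name, because the shell creates the redirect target before the transfer starts and nothing removes it when `set -e` aborts the script. Writing to a temporary name and renaming only on success keeps a partial download from being mistaken for a good backup: `ssh nixbld.m-labs.hk mlabs-backup > /hdd/backupdl/backupdl/$FILENAME.part` followed by `${pkgs.coreutils}/bin/mv /hdd/backupdl/backupdl/$FILENAME.part /hdd/backupdl/backupdl/$FILENAME`. The script also never checks that the result is non-empty or decryptable, so a comment saying where restore tests are done would help the next maintainer.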


@ -0,0 +1,18 @@
network:
version: 2
renderer: networkd
ethernets:
eth0:
addresses:
- 5.78.86.156/32
- 2a01:4ff:1f0:83de::2/64
- 2a01:4ff:1f0:83de::3/64
- 2a01:4ff:1f0:83de::4/64
tunnels:
gre1:
mode: gre
local: 5.78.86.156
remote: 94.190.212.123
addresses:
- 10.47.3.0/31


@ -0,0 +1,14 @@
[Unit]
Description=GRE tunnel to the main host
After=network.target
[Service]
Type=simple
User=root
ExecStart=/root/gretun.sh
ExecStop=/root/gretun_down.sh
Restart=on-failure
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
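Review bot: `Type=simple` does not match what `ExecStart` does here: the script it points to only adds firewall rules and exits, and `RemainAfterExit=yes` is then used to keep the unit active. With `Type=simple` systemd treats the unit as started as soon as the script is forked, so `systemctl start` and anything ordered after it cannot see a failed rule insertion. `Type=oneshot` is the usual choice for a run-and-exit setup script and makes start-up wait for the exit status; whether `Restart=on-failure` is accepted together with it depends on the systemd version on the host, which this page does not show.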

10
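--- a/m-labs-intl/gretun.sh
+++ b/m-labs-intl/gretun.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
+/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
+/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
+/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
+/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE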
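Review bot: The script has no error handling and appends every rule unconditionally, so a failure part-way through leaves a half-configured forwarder and a second run duplicates all six rules. The exit status is that of the last command only, so an earlier failed insertion goes unreported. Adding `set -e` after the shebang and guarding each rule with a check, e.g. `/usr/sbin/iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE || /usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE`, makes the script idempotent and lets the service see failures. The `MASQUERADE` rule also matches everything leaving `eth0`; restricting it with `-s 10.47.3.0/31` would limit it to tunnel traffic, if that is the intent.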

10
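--- a/m-labs-intl/gretun_down.sh
+++ b/m-labs-intl/gretun_down.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
+/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
+/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
+/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
+/usr/sbin/iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+/usr/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE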


@ -0,0 +1,81 @@
upstream rfq_server {
server 127.0.0.1:5000;
}
server {
limit_conn addr 5;
root /var/www/m-labs-intl.com/html;
index index.html index.htm index.nginx-debian.html;
server_name m-labs-intl.com;
location / {
try_files $uri $uri/ =404;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name www.m-labs-intl.com;
return 301 https://m-labs-intl.com$request_uri;
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name hooks.m-labs-intl.com;
limit_conn addr 5;
location /rfq {
proxy_pass http://rfq_server/rfq;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 30;
proxy_connect_timeout 30;
proxy_send_timeout 30;
}
location / {
return 418;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
limit_conn addr 5;
if ($host = m-labs-intl.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = www.m-labs-intl.com) {
return 301 https://m-labs-intl.com$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name m-labs-intl.com www.m-labs-intl.com hooks.m-labs-intl.com;
return 301 https://$host$request_uri;
}
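Review bot: The `/rfq` location is protected only by `limit_conn addr 5`, which caps concurrent connections per address but not how many requests each one sends. The backend it proxies to appears to send mail for each submission (the service environment elsewhere in this commit range sets a mail server and recipient), so a request-rate limit is the control that matters here. Something like `limit_req zone=rfq burst=5 nodelay;` in this location, with a matching `limit_req_zone $binary_remote_addr zone=rfq:10m rate=6r/m;` in the `http` block of nginx.conf, would do; the zone name and rate are example values to tune.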


@ -0,0 +1,34 @@
connections {
m_labs {
version = 2
encap = no
mobike = no
send_certreq = no
proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
local_addrs = 5.78.86.156
remote_addrs = 94.190.212.123
local {
auth = pubkey
id = fqdn:m-labs-intl.com
pubkeys = m-labs-intl.com
}
remote {
auth = pubkey
id = fqdn:m-labs.hk
pubkeys = m-labs.hk
}
children {
con1 {
mode = transport
ah_proposals = sha256-curve25519,sha256-ecp256
esp_proposals =
local_ts = 5.78.86.156[gre]
remote_ts = 94.190.212.123[gre]
start_action = start
close_action = none
}
}
}
}
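Review bot: `esp_proposals =` is left empty next to `ah_proposals` in `con1`, which appears to make the child SA AH-only: GRE packets between the two hosts are authenticated but not encrypted. Nothing in the file says this is deliberate, and an empty value is easy to read as a mistake later. A comment above the line such as `# AH only on purpose: GRE payload is integrity-protected, not encrypted` would record the decision. It should also say that anything routed through the tunnel has to bring its own encryption.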

0
m-labs-intl/mail.secret Normal file

65
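--- a/m-labs-intl/nginx.conf
+++ b/m-labs-intl/nginx.conf
@@ -0,0 +1,65 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+events {
+worker_connections 768;
+# multi_accept on;
+}
+http {
+##
+# Basic Settings
+##
+sendfile on;
+tcp_nopush on;
+types_hash_max_size 2048;
+# server_tokens off;
+server_names_hash_bucket_size 64;
+# server_name_in_redirect off;
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+##
+# SSL Settings
+##
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+ssl_prefer_server_ciphers on;
+# Rate limiting
+limit_conn_zone $binary_remote_addr zone=addr:10m;
+##
+# Logging Settings
+##
+access_log /var/log/nginx/access.log;
+##
+# Gzip Settings
+##
+gzip on;
+# gzip_vary on;
+# gzip_proxied any;
+# gzip_comp_level 6;
+# gzip_buffers 16 8k;
+# gzip_http_version 1.1;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+##
+# Virtual Host Configs
+##
+include /etc/nginx/conf.d/*.conf;
+include /etc/nginx/sites-enabled/*;
+}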
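Review bot: The `ssl_protocols` line in the `http` block still enables TLSv1 and TLSv1.1, both deprecated by RFC 8996. Any server block that does not set its own protocol list inherits this default. The site config in this commit range includes Certbot's `options-ssl-nginx.conf`, which may override it per server, but that file is not shown here and should not be relied on. I would change the line to `ssl_protocols TLSv1.2 TLSv1.3;` and uncomment `server_tokens off;` while there, so the version string is not advertised in responses.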

12
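--- a/m-labs-intl/rfq.service
+++ b/m-labs-intl/rfq.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=RFQ service
+After=network.target
+[Service]
+Type=simple
+User=rfqserver
+ExecStart=/home/rfqserver/runrfq.sh
+Restart=on-failure
+[Install]
+WantedBy=multi-user.target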
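Review bot: The `[Service]` section runs an internet-reachable web application with nothing but `User=rfqserver` to contain it. A few sandboxing directives would limit what a compromised handler can reach on the host: `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full`. If the application writes anywhere outside its home directory, that path needs to be checked before tightening further. `Restart=on-failure` would also benefit from a `RestartSec=` value so a crash loop does not spin.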

14
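--- a/m-labs-intl/runrfq.sh
+++ b/m-labs-intl/runrfq.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+export FLASK_DEBUG=0
+export FLASK_MAIL_SERVER=mail.m-labs.hk
+export FLASK_MAIL_PORT=465
+export FLASK_MAIL_USE_SSL=True
+export FLASK_MAIL_USERNAME=sysop-intl@m-labs-intl.com
+export FLASK_MAIL_PASSWORD_FILE=/home/rfqserver/mail.secret
+export FLASK_MAIL_RECIPIENT=sales@m-labs.hk
+export FLASK_MAIL_SENDER=sysop-intl@m-labs-intl.com
+cd /home/rfqserver/web2019/server
+source venv/bin/activate
+python3 -m flask --app rfq run --port=5000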
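Review bot: Nothing stops the script when `cd` or `source venv/bin/activate` fails, so the last line would then start Flask from the wrong directory or with the system interpreter and packages. This looks reachable: the setup notes in this commit range create the venv under `web2019/`, while this script activates `web2019/server/venv`, though the repository layout is not visible here. Add `set -e` after the shebang, and start the server with `exec python3 -m flask --app rfq run --port=5000` so systemd supervises the Python process directly. `flask run` is the development server; a comment saying whether that is intended behind nginx would help.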

99
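--- a/m-labs-intl/setup.md
+++ b/m-labs-intl/setup.md
@@ -0,0 +1,99 @@
+# Setup m-labs-intl.com server
+```shell
+# Install required packages
+apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
+strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
+snap install --classic certbot
+ln -s /snap/bin/certbot /usr/bin/certbot
+# Set up networks (includes GRE)
+cp 60-tunnels.yaml /etc/netplan/
+netplan apply
+# set up IPsec-AH connection
+cp m-labs.hk.conf /etc/swanctl/conf.d/
+echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
+sysctl -p
+cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
+pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com
+pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
+cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
+systemctl enable strongswan --now
+systemctl restart strongswan
+# Set up website
+cp m-labs-intl.com /etc/nginx/sites-available/
+cp nginx.conf /etc/nginx/
+ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
+systemctl enable nginx --now
+service nginx restart
+# Issue SSL certificate - website only, the mail is on the HK side
+certbot --nginx
+service nginx restart
+# Create a user for automatic website deployment from nixbld
+useradd -m zolaupd
+mkdir -p /var/www/m-labs-intl.com/html
+chown -R zolaupd /var/www/m-labs-intl.com/
+sudo -u zolaupd sh -c '
+cd /home/zolaupd;
+mkdir /home/zolaupd/.ssh;
+echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
+chmod 700 .ssh/
+chmod 600 .ssh/authorized_keys
+'
+# Create a user for RFQ hooks service
+useradd -m rfqserver
+cp runrfq.sh /home/rfqserver/
+cp mail.secret /home/rfqserver/
+chown rfqserver /home/rfqserver/runrfq.sh
+chmod +x /home/rfqserver/runrfq.sh
+chown rfqserver /home/rfqserver/mail.secret
+sudo -u rfqserver sh -c '
+cd /home/rfqserver;
+git clone https://git.m-labs.hk/M-Labs/web2019.git;
+cd web2019;
+python3 -m venv ./venv;
+source venv/bin/activate;
+pip install -r requirements.txt;
+'
+cp rfq.service /etc/systemd/system/
+# Automate port forwarding rules creation
+cp gretun.sh /root/gretun.sh
+cp gretun_down.sh /root/gretun_down.sh
+chmod u+x /root/gretun.sh
+chmod u+x /root/gretun_down.sh
+cp gretun.service /etc/systemd/system/
+# Enable custom services
+systemctl daemon-reload
+systemctl enable rfq.service --now
+systemctl enable gretun.service --now
+# Setup basic firewall rules
+ufw default deny
+ufw default allow outgoing
+ufw allow from 94.190.212.123
+ufw allow from 2001:470:f891:1::/64
+ufw allow from 202.77.7.238
+ufw allow from 2001:470:18:390::2
+ufw allow "Nginx HTTP"
+ufw allow "Nginx HTTPS"
+ufw limit OpenSSH
+ufw allow 25/tcp
+ufw allow 587/tcp
+ufw limit 500,4500/udp
+ufw route allow in on gre1 out on eth0
+ufw allow from 10.47.3.0/31
+ufw show added
+ufw enable
+```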


@ -0,0 +1,66 @@
{ config, pkgs, lib, ... }:
with lib;
let
afws = pkgs.callPackage ./afws { inherit pkgs; };
in
{
options.services.afws = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable AFWS server";
};
logFile = mkOption {
type = types.str;
default = "/var/lib/afws/logs/afws.log";
description = "Path to the log file";
};
logBackupCount = mkOption {
type = types.int;
default = 30;
description = "Number of daily log files to keep";
};
};
config = mkIf config.services.afws.enable {
systemd.services.afws = {
description = "AFWS server";
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p "$(dirname ${config.services.afws.logFile})"
chown afws:afws "$(dirname ${config.services.afws.logFile})"
'';
serviceConfig = {
User = "afws";
Group = "afws";
ExecStart = ''
${afws}/bin/afws_server \
--log-file ${config.services.afws.logFile} \
--log-backup-count ${toString config.services.afws.logBackupCount}
'';
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
};
path = [ pkgs.nix pkgs.git ];
};
security.acme.certs."afws.m-labs.hk".postRun =
''
mkdir -p /var/lib/afws/cert
cp cert.pem /var/lib/afws/cert
cp key.pem /var/lib/afws/cert
chown -R afws:afws /var/lib/afws/cert
'';
security.acme.certs."afws.m-labs.hk".reloadServices = [ "afws.service" ];
users.users.afws = {
name = "afws";
group = "afws";
description = "AFWS server user";
isSystemUser = true;
createHome = false;
home = "/var/lib/afws";
useDefaultShell = true;
};
users.extraGroups.afws = {};
};
}
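Review bot: The `preStart` script of `systemd.services.afws` runs `chown afws:afws` on the log directory although the unit sets `User = "afws"`. Unless this NixOS version runs `preStart` as root (not visible here), the `chown` is a no-op and `mkdir -p` only succeeds where afws can already write, while the user is declared with `createHome = false`. Letting systemd create the directory with the right owner is more robust, for example `StateDirectory = "afws/logs";` in `serviceConfig`, which covers the default `logFile`; a non-default path would still need its own rule. The `${config.services.afws.logFile}` interpolations in `preStart` and `ExecStart` are also unquoted, so a path with spaces would split; `lib.escapeShellArg` avoids that.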


@ -1,27 +1,37 @@
{ config, pkgs, lib, ... }:
with lib;
let
excludePaths = [
"/var/lib/gitea/repositories/*/*.git/archives"
"/var/lib/gitea/data/repo-archive"
"/var/lib/gitea/data/indexers"
"/var/vmail/m-labs.hk/js"
"/var/lib/afws/.cache"
"/var/lib/mattermost/data/2019*"
"/var/lib/mattermost/data/2020*"
"/var/lib/mattermost/data/2021*"
"/var/lib/mattermost/data/2022*"
"/var/lib/mattermost/data/2023*"
];
makeBackup = pkgs.writeScript "make-backup" ''
#!${pkgs.bash}/bin/bash
#!${pkgs.bash}/bin/bash -p
set -e
umask 0077
DBDUMPDIR=`mktemp -d`
pushd $DBDUMPDIR
trap "rm -rf $DBDUMPDIR" EXIT
cd $DBDUMPDIR
${config.services.mysql.package}/bin/mysqldump --single-transaction flarum > flarum.sql
${pkgs.sudo}/bin/sudo -u mattermost ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql
${pkgs.gnutar}/bin/tar cf - --exclude "/var/lib/gitea/repositories/*/*.git/archives" /etc/nixos /var/lib/gitea flarum.sql mattermost.sql | \
exec 6< /etc/nixos/secret/backup-passphrase
${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \
${pkgs.bzip2}/bin/bzip2 | \
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-file /etc/nixos/secret/backup-passphrase | \
${pkgs.rclone}/bin/rclone rcat --config /etc/nixos/secret/rclone.conf dropbox:backup-`date +%F`.tar.bz2.gpg
popd
rm -rf $DBDUMPDIR
echo Backup done
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
'';
cfg = config.services.mlabs-backup;
in
@ -35,20 +45,20 @@ in
};
config = mkIf cfg.enable {
systemd.services.mlabs-backup = {
description = "M-Labs backup";
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
ExecStart = "${makeBackup}";
users.extraGroups.backupdl = { };
users.extraUsers.backupdl = {
isNormalUser = true;
extraGroups = ["backupdl" "nextcloud"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCbH+l0FIBTPdUKOS9H5OOT5ro/nljKLsiCTzTzublCScdPPmCNy27ORbLgNHX5Ughlug5wr2rAIU9AexV+L71V5MeVHUWDfKgRsNIpUTtY6wpJkAP7r1ipk2kTWc/sxhrxyPea62cohmy1dOeLlwXO6U8FnsiZfYKmgjZ8wuTo6ixDB8krXsAZ8VY/bj5WFcXqeW8GF1Qjpel7HgpCpj3HIUyC63uwIyUoYe+cgnhjzNLbRYdU9Yx2iqcUCwEUX2cMdz5VX+xbLkL8CWcuiMFg6TFo+CUPFtuA/kVzHcZ4Pa3BiilL3rf7oXlIXGN12JVsN+caX7j2weVqm2b5u5eVsyDxiLx1KA37ukq92CYAAdOuKE+saMPsLuOn+Qd9B6D5oYnYgsWg460uEGgwczwOTXLAZTT5wrwRaKIE+ezKqtRP+Tz7l2IEixulyj1MUR+XpSwECZXiFJx5DGofwzxcd2kWnNOPBReDkHv0At5ZLNIrLuxFMz2L6UXbqvHwEu8= backupdl@minipc"
];
};
};
systemd.timers.mlabs-backup = {
description = "M-Labs backup";
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "weekly";
security.wrappers.mlabs-backup = {
source = makeBackup;
setuid = true;
owner = "root";
group = "backupdl";
permissions = "g+x";
};
};
}
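Review bot: The script installed through `security.wrappers.mlabs-backup` with `setuid = true` and `owner = "root"` still calls `mktemp -d` and, in the `trap`, `rm -rf` by bare name. Both would be resolved through the PATH of whoever invokes the wrapper, here any member of group `backupdl`, unless the wrapper resets the environment, which this page does not show. The old/new markers are lost in this rendering, so I am assuming those lines are on the new side. `bash -p` keeps the effective uid and ignores shell start-up files, but it does not sanitise PATH. Pin it right after `set -e` with `export PATH=${pkgs.coreutils}/bin`, or spell the two calls as `${pkgs.coreutils}/bin/mktemp` and `${pkgs.coreutils}/bin/rm`, as the other tools in the script already are.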

File diff suppressed because it is too large Load Diff

9796
nixbld-etc-nixos/flarum/composer.lock generated Normal file

File diff suppressed because it is too large Load Diff


@ -0,0 +1,39 @@
{
lib,
php,
fetchFromGitHub,
fetchpatch,
}:
php.buildComposerProject (finalAttrs: {
pname = "flarum";
version = "1.8.1";
src = fetchFromGitHub {
owner = "flarum";
repo = "flarum";
rev = "v${finalAttrs.version}";
hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
};
patches = [
# Add useful extensions from https://github.com/FriendsOfFlarum
# Extensions included: fof/upload, fof/polls, fof/subscribed
./fof-extensions.patch
];
composerLock = ./composer.lock;
composerStrictValidation = false;
vendorHash = "sha256-GLE5ZtzZmQ8YbitV6LG744QHoGxlj5TfC5wP2a3eFpU=";
meta = with lib; {
changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
description = "Flarum is a delightfully simple discussion platform for your website";
homepage = "https://github.com/flarum/flarum";
license = lib.licenses.mit;
maintainers = with maintainers; [
fsagbuya
jasonodoom
];
};
})


@ -0,0 +1,16 @@
diff --git a/composer.json b/composer.json
index c63b5f8..5ad1186 100644
--- a/composer.json
+++ b/composer.json
@@ -37,7 +37,10 @@
"flarum/sticky": "*",
"flarum/subscriptions": "*",
"flarum/suspend": "*",
- "flarum/tags": "*"
+ "flarum/tags": "*",
+ "fof/polls": "*",
+ "fof/subscribed": "*",
+ "fof/upload": "*"
},
"config": {
"preferred-install": "dist",


@ -0,0 +1,61 @@
diff --git a/github_backup/github_backup.py b/github_backup/github_backup.py
index 4ef8b7e..82cbdca 100644
--- a/github_backup/github_backup.py
+++ b/github_backup/github_backup.py
@@ -425,7 +425,7 @@ def get_github_repo_url(args, repository):
return repo_url
-def retrieve_data_gen(args, template, query_args=None, single_request=False):
+def retrieve_data_gen(args, template, query_args=None, single_request=False, optional=False):
auth = get_auth(args, encode=not args.as_app)
query_args = get_query_args(query_args)
per_page = 100
@@ -452,6 +452,11 @@ def retrieve_data_gen(args, template, query_args=None, single_request=False):
else:
read_error = False
+ # Requested data does not exist for this repository, but that was expected.
+ # Generate an empty list.
+ if status_code == 404 and optional:
+ return
+
# be gentle with API request limit and throttle requests if remaining requests getting low
limit_remaining = int(r.headers.get('x-ratelimit-remaining', 0))
if args.throttle_limit and limit_remaining <= args.throttle_limit:
@@ -509,8 +514,8 @@ def retrieve_data_gen(args, template, query_args=None, single_request=False):
break
-def retrieve_data(args, template, query_args=None, single_request=False):
- return list(retrieve_data_gen(args, template, query_args, single_request))
+def retrieve_data(args, template, query_args=None, single_request=False, optional=False):
+ return list(retrieve_data_gen(args, template, query_args, single_request, optional))
def get_query_args(query_args=None):
@@ -1011,7 +1016,8 @@ def backup_hooks(args, repo_cwd, repository, repos_template):
'hooks',
template,
output_file,
- hook_cwd)
+ hook_cwd,
+ optional=not args.include_hooks)
except SystemExit:
log_info("Unable to read hooks, skipping")
@@ -1158,12 +1164,12 @@ def backup_account(args, output_directory):
account_cwd)
-def _backup_data(args, name, template, output_file, output_directory):
+def _backup_data(args, name, template, output_file, output_directory, optional=False):
skip_existing = args.skip_existing
if not skip_existing or not os.path.exists(output_file):
log_info('Retrieving {0} {1}'.format(args.user, name))
mkdir_p(output_directory)
- data = retrieve_data(args, template)
+ data = retrieve_data(args, template, optional=optional)
log_info('Writing {0} {1} to disk'.format(len(data), name))
with codecs.open(output_file, 'w', encoding='utf-8') as f:


@ -3,7 +3,7 @@
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column">
<div>
<img class="logo" src="{{AppSubUrl}}/img/gitea-lg.png" />
<img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg"/>
</div>
<div class="hero">
<h1 class="ui icon header title">
@ -15,7 +15,7 @@
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column">
<p class="large">
Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-***.hk stating the username you would like to have.
Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-labs.hk stating the username you would like to have.
</p>
</div>
</div>


@ -0,0 +1,11 @@
{{template "base/head" .}}
<div class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
{{template "user/auth/signin_navbar" .}}
<div class="ui middle very relaxed page grid">
<div class="ui container column fluid">
{{template "user/auth/signin_inner" .}}
To get an account (also available to external contributors), simply write to sb@m-labs.hk.
</div>
</div>
</div>
{{template "base/footer" .}}


@ -0,0 +1,67 @@
{ config, pkgs, lib, ... }:
with lib;
let
python-github-backup = pkgs.python3Packages.buildPythonApplication {
name = "python-github-backup";
src = pkgs.fetchFromGitHub {
owner = "josegonzalez";
repo = "python-github-backup";
rev = "18e78a4d66120961590836e63d1fa939e4d036f3";
sha256 = "1c5qxyv322z5zkx8mxdwdqrnjgqhk00aqcgwkn53b4xkfr2idkbn";
};
patches = [ ./ghbackup-179.patch ];
propagatedBuildInputs = [ pkgs.git ];
};
token = (import /etc/nixos/secret/github_tokens.nix).backup;
makeBackup = pkgs.writeScript "make-ghbackup" ''
#!${pkgs.bash}/bin/bash
set -e
${python-github-backup}/bin/github-backup m-labs -t ${token} --all -i -o /var/lib/ghbackup/m-labs
${python-github-backup}/bin/github-backup quartiq -t ${token} --all -i -o /var/lib/ghbackup/quartiq
${python-github-backup}/bin/github-backup sinara-hw -t ${token} --all -i -o /var/lib/ghbackup/sinara-hw
echo GitHub backup done
'';
cfg = config.services.ghbackup;
in
{
options.services.ghbackup = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable backups";
};
};
config = mkIf cfg.enable {
systemd.services.ghbackup = {
description = "GitHub backup";
serviceConfig = {
Type = "oneshot";
User = "ghbackup";
Group = "ghbackup";
ExecStart = "${makeBackup}";
};
};
users.users.ghbackup = {
name = "ghbackup";
group = "ghbackup";
description = "GitHub backups user";
isSystemUser = true;
createHome = true;
home = "/var/lib/ghbackup";
useDefaultShell = true;
};
users.extraGroups.ghbackup = {};
systemd.timers.ghbackup = {
description = "GitHub backup";
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "daily";
};
};
}
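Review bot: The GitHub token is read at evaluation time (`token = (import /etc/nixos/secret/github_tokens.nix).backup`) and interpolated into `makeBackup`, so it ends up in the `make-ghbackup` script in the Nix store, which is normally world-readable, and it is also passed as a `-t` argument that shows up in the process list. That defeats whatever restrictive permissions the secret file itself has. Have the script obtain the token at run time instead, for example from a file owned by `ghbackup` via `-t file://<TOKEN_FILE>` if the pinned github-backup revision supports that form (worth confirming), or through a systemd credential or `EnvironmentFile`. Separately, with `set -e` a failure on the first organisation skips the remaining two backups.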


@ -1,13 +0,0 @@
diff --git a/homu/git_helper.py b/homu/git_helper.py
index 0f70c69..f53fb57 100755
--- a/homu/git_helper.py
+++ b/homu/git_helper.py
@@ -7,7 +7,7 @@ SSH_KEY_FILE = os.path.join(os.path.dirname(__file__), '../cache/key')
def main():
- args = ['ssh', '-i', SSH_KEY_FILE, '-S', 'none'] + sys.argv[1:]
+ args = ['ssh', '-o', 'StrictHostKeyChecking=no', '-i', SSH_KEY_FILE, '-S', 'none'] + sys.argv[1:]
os.execvp('ssh', args)


@ -1,52 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
homu = pkgs.callPackage ./pkg.nix {};
cfg = config.services.homu;
in
{
options.services.homu = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable the bot";
};
dbDir = mkOption {
type = types.str;
default = "/var/db/homu";
description = "Path to the database file (use the same path in config.toml)";
};
config = mkOption {
description = "Location of config.toml";
type = types.str;
};
};
config = mkIf cfg.enable {
users.users.homu = {
group = "homu";
home = cfg.dbDir;
createHome = true;
};
users.groups.homu = {};
systemd.services.homu = {
description = "Homu bot";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${homu}/bin/homu -c ${cfg.config}";
Restart = "always";
RestartSec = "5sec";
User = "homu";
Group = "homu";
};
};
};
}


@ -1,26 +0,0 @@
diff --git a/homu/git_helper.py b/homu/git_helper.py
index 0f70c69..732230c 100755
--- a/homu/git_helper.py
+++ b/homu/git_helper.py
@@ -3,7 +3,7 @@
import sys
import os
-SSH_KEY_FILE = os.path.join(os.path.dirname(__file__), '../cache/key')
+SSH_KEY_FILE = os.path.expanduser("~/cache/key")
def main():
diff --git a/homu/main.py b/homu/main.py
index 16b60a2..a2e109a 100644
--- a/homu/main.py
+++ b/homu/main.py
@@ -649,7 +649,7 @@ def git_push(git_cmd, branch, state):
def init_local_git_cmds(repo_cfg, git_cfg):
- fpath = 'cache/{}/{}'.format(repo_cfg['owner'], repo_cfg['name'])
+ fpath = '{}/cache/{}/{}'.format(os.path.expanduser("~"), repo_cfg['owner'], repo_cfg['name'])
url = 'git@github.com:{}/{}.git'.format(repo_cfg['owner'], repo_cfg['name']) # noqa
if not os.path.exists(SSH_KEY_FILE):


@ -1,34 +0,0 @@
{ python3Packages, python3, fetchFromGitHub, git, openssh }:
let
uritemplate_0_2_0 = python3Packages.github3_py.overrideAttrs(oa: rec {
version = "0.2.0";
src = python3Packages.fetchPypi {
pname = "uritemplate.py";
inherit version;
sha256 = "1pfk04pmnysz0383lwzgig8zqlwiv2n4pmq51f0mc60zz1jimq4g";
};
});
github3_py_0_9_6 = python3Packages.github3_py.overrideAttrs(oa: rec {
version = "0.9.6";
src = python3Packages.fetchPypi {
pname = "github3.py";
inherit version;
sha256 = "1i8xnh586z4kka7pjl7cy08fmzjs14c8jdp8ykb9jjpzsy2xncdq";
};
propagatedBuildInputs = [ python3Packages.requests uritemplate_0_2_0 ];
});
in
python3Packages.buildPythonApplication {
name = "homu";
src = fetchFromGitHub {
owner = "servo";
repo = "homu";
rev = "2ea53e76ebac3e5fa11bc39054b3cd4c42eff607";
sha256 = "1ih7s8zfbpq0qb9vqbxzr0r4s9ff52l4ipr916kwbck3ygliq3r9";
};
patches = [ ./patch-cache-directory.patch ./disable-ssh-host-keycheck.patch ];
postInstall = "chmod 755 $out/${python3.sitePackages}/homu/git_helper.py";
propagatedBuildInputs = [ github3_py_0_9_6 git openssh ] ++ (with python3Packages; [ toml jinja2 requests bottle waitress retrying ]);
checkPhase = "python -m unittest discover tests -v";
}


@ -0,0 +1,122 @@
diff --git a/src/root/product-list.tt b/src/root/product-list.tt
index 4d545b3e..6049c2a6 100644
--- a/src/root/product-list.tt
+++ b/src/root/product-list.tt
@@ -162,6 +162,11 @@
<img src="[% c.uri_for("/static/images/iso.png") %]" alt="ISO" />
</td>
<td>ISO-9660 CD/DVD image</td>
+ [% CASE "msys2" %]
+ <td>
+ <img src="[% c.uri_for("/static/images/msys2.svg") %]" alt="MSYS2" width="32" height="32" />
+ </td>
+ <td>MSYS2 package</td>
[% CASE "binary-dist" %]
<td>
<img src="[% c.uri_for("/static/images/binary-dist.png") %]" alt="Binary distribution" />
diff --git a/src/root/static/images/msys2.svg b/src/root/static/images/msys2.svg
new file mode 100644
index 00000000..46baff50
--- /dev/null
+++ b/src/root/static/images/msys2.svg
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+ width="36.777081mm"
+ height="36.777081mm"
+ viewBox="0 0 36.77708 36.777081"
+ version="1.1"
+ id="svg8"
+ inkscape:version="1.1.1 (3bf5ae0d25, 2021-09-20)"
+ sodipodi:docname="msys2_logo.svg"
+ xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+ xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+ xmlns="http://www.w3.org/2000/svg"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:dc="http://purl.org/dc/elements/1.1/">
+ <defs
+ id="defs2" />
+ <sodipodi:namedview
+ id="base"
+ pagecolor="#ffffff"
+ bordercolor="#666666"
+ borderopacity="1.0"
+ inkscape:pageopacity="0.0"
+ inkscape:pageshadow="2"
+ inkscape:zoom="3.959798"
+ inkscape:cx="121.34457"
+ inkscape:cy="27.274119"
+ inkscape:document-units="mm"
+ inkscape:current-layer="layer1"
+ showgrid="false"
+ fit-margin-top="0"
+ fit-margin-left="0"
+ fit-margin-right="0"
+ fit-margin-bottom="0"
+ inkscape:window-width="2560"
+ inkscape:window-height="1371"
+ inkscape:window-x="0"
+ inkscape:window-y="32"
+ inkscape:window-maximized="1"
+ inkscape:pagecheckerboard="true" />
+ <metadata
+ id="metadata5">
+ <rdf:RDF>
+ <cc:Work
+ rdf:about="">
+ <dc:format>image/svg+xml</dc:format>
+ <dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+ </cc:Work>
+ </rdf:RDF>
+ </metadata>
+ <g
+ inkscape:label="Layer 1"
+ inkscape:groupmode="layer"
+ id="layer1"
+ transform="translate(-122.70998,-169.48973)">
+ <rect
+ style="fill:#894c84;fill-opacity:1;stroke-width:0"
+ id="rect946"
+ width="36.777081"
+ height="36.777081"
+ x="122.70998"
+ y="169.48973" />
+ <path
+ style="fill:#d35e64;fill-opacity:1;stroke-width:0.133635"
+ d="m 142.72948,201.89184 c -0.32408,-0.25492 -0.35455,-0.35395 -0.3187,-1.03567 l 0.0396,-0.75379 h 0.45908 c 0.44506,0 0.45934,0.0163 0.46772,0.53453 l 0.009,0.53454 0.70308,0.0405 c 0.53885,0.031 0.7217,-0.008 0.78281,-0.16735 0.15971,-0.41619 -0.10726,-0.89779 -0.98636,-1.77935 -0.49365,-0.49504 -1.03351,-1.07713 -1.19967,-1.29353 -0.38599,-0.50269 -0.40844,-1.38334 -0.0467,-1.83013 0.23417,-0.28918 0.35554,-0.31548 1.45595,-0.31548 1.36938,0 1.67817,0.15986 1.80376,0.93383 0.11523,0.71006 -0.0673,1.20433 -0.44479,1.20433 -0.26632,0 -0.34178,-0.0979 -0.46372,-0.60136 -0.13305,-0.54937 -0.1843,-0.60509 -0.59283,-0.64461 -0.24596,-0.0238 -0.58921,-0.008 -0.76279,0.036 -0.59536,0.14942 -0.37642,0.57816 0.95393,1.86806 l 1.26953,1.23092 v 0.90178 c 0,1.37811 -0.0436,1.41874 -1.52348,1.41874 -1.06598,0 -1.29877,-0.0409 -1.60514,-0.28187 z"
+ id="path3828"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#d35e64;fill-opacity:1;stroke-width:0.133635"
+ d="m 148.05027,204.08841 c 0.0471,-0.28134 0.11947,-1.05275 0.16076,-1.71424 0.0703,-1.12643 0.0353,-1.35529 -0.55133,-3.60814 -0.34453,-1.32299 -0.6573,-2.54073 -0.69504,-2.70611 -0.0594,-0.26014 -0.0147,-0.30067 0.33149,-0.30067 0.22006,0 0.46737,0.081 0.54957,0.18007 0.0822,0.099 0.30254,0.86578 0.48964,1.70385 0.41743,1.86975 0.45345,1.99148 0.58914,1.99148 0.15912,0 0.35622,-0.563 0.74822,-2.13717 0.38958,-1.56447 0.48518,-1.73823 0.9564,-1.73823 0.39274,0 0.46132,-0.43504 -0.70121,4.4477 -0.46869,1.96849 -0.93011,3.74249 -1.02539,3.94223 -0.11781,0.24694 -0.29559,0.37716 -0.55559,0.40696 -0.37406,0.0429 -0.38048,0.0327 -0.29666,-0.46773 z"
+ id="path3830"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#d35e64;fill-opacity:1;stroke-width:0.133635"
+ d="m 155.37958,199.87478 -0.001,1.04324 c 0,0 0.0415,0.99571 -0.10812,1.13694 -0.15218,0.14363 -0.72994,0.11875 -1.5324,0.11875 -1.39413,0 -1.4684,-0.0143 -1.66996,-0.32193 -0.14282,-0.21797 -0.19775,-0.55241 -0.17012,-1.03567 0.0397,-0.69411 0.0518,-0.71373 0.43989,-0.71373 0.2965,0 0.40947,0.0687 0.43951,0.26726 0.13121,0.86712 0.13264,0.86863 0.81803,0.86863 1.33065,0 1.18669,-0.7429 -0.41998,-2.16732 -0.98712,-0.87515 -1.3045,-1.34704 -1.30163,-1.93531 0.005,-1.02426 0.44219,-1.37639 1.70885,-1.37639 1.4449,0 1.89746,0.36739 1.89746,1.54037 0,0.85 -0.80733,1.01376 -0.94108,0.1909 -0.113,-0.69515 -0.21979,-0.79583 -0.84414,-0.79583 -0.59087,0 -0.88668,0.17572 -0.88861,0.52786 -5.3e-4,0.11392 0.5857,0.76291 1.30294,1.44221"
+ id="path3832"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="ccssccscsccsssscc" />
+ <path
+ inkscape:connector-curvature="0"
+ id="path3826"
+ d="m 125.15872,195.23965 c -0.30592,-0.19939 -0.0836,-0.86189 0.8607,-2.56497 1.58255,-2.85415 5.22198,-10.62008 6.75854,-14.42159 0.91204,-2.25643 0.98557,-2.83541 0.41825,-3.29345 -0.30201,-0.24384 -0.34148,-0.33999 -0.22153,-0.53956 0.44174,-0.73497 2.98816,-1.05046 4.06353,-0.50346 1.1982,0.60947 1.74884,2.08184 2.47139,6.60826 0.57628,3.61017 1.00176,6.0369 1.0809,6.16495 0.21334,0.34519 0.63685,-0.49885 2.24466,-4.47355 2.25297,-5.56961 3.24559,-7.35862 4.41748,-7.9617 0.51912,-0.26714 0.89922,-0.34492 1.8995,-0.38866 1.60332,-0.0701 1.6509,-0.0327 1.64898,1.29653 -0.002,1.7237 -0.0807,1.96599 -0.76359,2.3662 -1.27599,0.74779 -2.16809,2.00702 -2.17,3.06305 -0.003,1.44987 1.07869,1.89961 2.0727,0.86208 0.20781,-0.2169 0.42671,-0.39436 0.48646,-0.39436 0.0597,0 0.10898,0.55626 0.10941,1.23612 5.2e-4,0.67987 0.0579,1.58514 0.12779,2.01171 0.14392,0.87871 0.16421,0.83597 -1.8354,3.86646 -1.11067,1.68327 -1.20806,1.92146 -0.90836,2.22164 0.18169,0.18198 0.60193,0.22609 2.48831,0.26119 l 2.26971,0.0422 0.55893,0.7403 c 0.68294,0.90455 0.72637,1.39945 0.1851,2.10909 -0.49391,0.64756 -1.48498,1.35585 -2.16303,1.54588 -0.98995,0.27744 -2.22523,-0.26803 -3.29926,-1.45686 -1.37797,-1.52525 -1.99486,-3.94203 -2.17991,-8.54021 -0.0642,-1.59436 -0.13883,-2.29481 -0.24099,-2.26075 -0.0814,0.0271 -0.99576,2.00431 -2.03189,4.39371 -3.28691,7.57995 -3.68415,8.28612 -4.54018,8.07127 -0.53578,-0.13448 -1.34919,-1.06203 -1.9102,-2.17825 -1.10951,-2.20757 -1.73511,-5.05031 -2.03723,-9.25721 -0.0871,-1.21273 -0.20858,-2.26094 -0.26996,-2.32935 -0.13588,-0.15144 -0.58442,0.82294 -2.08397,4.52711 -2.01481,4.97699 -2.79643,6.54288 -3.82036,7.65371 -0.87044,0.94432 -3.13721,1.88044 -3.68648,1.52243 z"
+ style="fill:#f9f9f9;stroke-width:0.133635" />
+ <g
+ id="g957"
+ transform="translate(36.843901,36.777081)"
+ style="fill:#999999">
+ <path
+ style="fill:#999999;fill-opacity:1;stroke-width:0.264583"
+ d="m 118.48002,154.38963 c -0.21263,-0.77937 -0.60053,-0.53763 -3.77862,-0.53763 -4.23812,0 -4.51001,0.21718 -2.65413,-2.44723 2.45703,-3.52744 3.4906,-5.92399 2.80851,-6.96499 -0.4719,-0.72022 -1.01247,-0.62449 -1.92709,0.34127 -0.84859,0.89603 -1.86894,0.41779 -1.86894,-0.95587 0,-2.01205 2.80561,-3.99992 5.38938,-3.9922 1.61399,0.005 2.43642,0.4039 3.21581,1.56044 1.12027,1.66236 0.73145,3.8557 -1.134,6.39695 -1.54383,2.10311 -0.73385,3.61259 0.95572,1.78109 1.46292,-1.68793 1.55952,0.86073 1.49098,1.70283 -0.2309,2.69619 -2.07701,4.65709 -2.49762,3.11534 z"
+ id="path961"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="sscccscccccs" />
+ </g>
+ </g>
+</svg>


@ -1,32 +0,0 @@
diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm
index a9b0d558..71869ba0 100644
--- a/src/lib/Hydra/Controller/Root.pm
+++ b/src/lib/Hydra/Controller/Root.pm
@@ -19,6 +19,11 @@ use Net::Prometheus;
# Put this controller at top-level.
__PACKAGE__->config->{namespace} = '';
+sub isRedistRestricted {
+ my ($path) = @_;
+
+ return index($path, "-RESTRICTDIST-") >= 0;
+}
sub noLoginNeeded {
my ($c) = @_;
@@ -319,6 +324,7 @@ sub nar :Local :Args(1) {
$path = $Nix::Config::storeDir . "/$path";
gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path);
+ notFound($c, "Redistribution restricted") if isRedistRestricted($path);
$c->stash->{current_view} = 'NixNAR';
$c->stash->{storePath} = $path;
@@ -368,6 +374,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
setCacheHeaders($c, 60 * 60);
return;
}
+ notFound($c, "Redistribution restricted") if isRedistRestricted($path);
$c->stash->{storePath} = $path;
$c->forward('Hydra::View::NARInfo');


@ -1,19 +0,0 @@
commit 86bf81c0b8a51bffa4b4b566e1caaac6f0e041d3
Author: Sebastien Bourdeauducq <sb@m-labs.hk>
Date: Thu Mar 14 17:45:32 2019 +0800
add option to disable retries on transient failures
diff --git a/src/hydra-queue-runner/build-remote.cc b/src/hydra-queue-runner/build-remote.cc
index 69c430eb..bdbc808d 100644
--- a/src/hydra-queue-runner/build-remote.cc
+++ b/src/hydra-queue-runner/build-remote.cc
@@ -344,7 +344,7 @@ void State::buildRemote(ref<Store> destStore,
break;
case BuildResult::TransientFailure:
result.stepStatus = bsFailed;
- result.canRetry = true;
+ result.canRetry = get(step->drv->env, "__hydraRetry").value_or("1") == "1";
result.errorMsg = "";
break;
case BuildResult::TimedOut:


@ -1,25 +0,0 @@
diff --git a/src/lib/Hydra/Schema/Builds.pm b/src/lib/Hydra/Schema/Builds.pm
index d4334300..014d07ce 100644
--- a/src/lib/Hydra/Schema/Builds.pm
+++ b/src/lib/Hydra/Schema/Builds.pm
@@ -608,6 +608,7 @@ makeQueries('', "");
makeQueries('ForProject', "and project = ?");
makeQueries('ForJobset', "and jobset_id = ?");
makeQueries('ForJob', "and jobset_id = ? and job = ?");
+makeQueries('ForJobName', "and jobset_id = (select id from jobsets j where j.name = ?) and job = ?");
my %hint = (
diff --git a/src/script/hydra-eval-jobset b/src/script/hydra-eval-jobset
index ea336bfc..2f208418 100755
--- a/src/script/hydra-eval-jobset
+++ b/src/script/hydra-eval-jobset
@@ -142,7 +142,7 @@ sub fetchInputSystemBuild {
$projectName ||= $project->name;
$jobsetName ||= $jobset->name;
- my @latestBuilds = $db->resultset('LatestSucceededForJob')
+ my @latestBuilds = $db->resultset('LatestSucceededForJobName')
->search({}, {bind => [$jobsetName, $jobName]});
my @validBuilds = ();


@ -0,0 +1,29 @@
$TTL 7200
@ SOA ns.193thz.com. sb.m-labs.hk. (
2024060201
7200
3600
86400
600)
NS ns.193thz.com.
NS ns1.he.net.
A 94.190.212.123
A 202.77.7.238
AAAA 2001:470:18:390::2
MX 10 mail.m-labs.hk.
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
TXT "google-site-verification=5eIjLyhM_siRg5Fc2Z3AMSbheH0JFOn5iR3TCEXakqU"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
ns A 94.190.212.123
ns AAAA 2001:470:18:390::2
mail._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9T0cONxGXeyETE0bJ6NJVGT58fVFrfb+WxQhMskCN/mJhODyDTkRCjzE8ZnKhZGjkFZNG+PoSZlW+kpSS1LvMwzQpMRaH4zAzIexffR0l7rJR1MuQiVMsfGWpO2SLEuN74L2qH8SUBHZjrRpeSaFxwQm+prIOzZe5wTZStt/6qQIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
www CNAME @
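Review bot: `_dmarc TXT "v=DMARC1; p=none"` publishes a monitoring-only policy with no `rua=` address, so receivers neither act on mail that fails alignment nor send the reports that would show when it is safe to tighten; the same record appears in the other forward zones added in this compare. Adding a report address first, e.g. `_dmarc TXT "v=DMARC1; p=none; rua=mailto:<REPORT_ADDRESS>"`, and moving to `p=quarantine` once the reports are clean would let the strict `-all` SPF record and the DKIM signature actually protect the visible From domain. The `mail._domainkey` keys also look like 1024-bit RSA judging by their encoded length; 2048-bit keys are the current recommendation and could be introduced at the next rotation.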


@ -0,0 +1,20 @@
$TTL 7200
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
2024060201
7200
3600
86400
600)
NS NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
NS ns1.he.net.
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
200 PTR router.alt.m-labs.hk.
201 PTR stewardship1.alt.m-labs.hk.
202 PTR stewardship2.alt.m-labs.hk.
203 PTR atse.alt.m-labs.hk.
204 PTR nasty-gareth.alt.m-labs.hk.
205 PTR zynq.alt.m-labs.hk.


@ -0,0 +1,30 @@
$TTL 7200
@ SOA ns.m-labs-intl.com. sb.m-labs.hk. (
2024101401
7200
3600
86400
600)
NS ns.m-labs-intl.com.
NS ns1.he.net.
NS ns1.qnetp.net.
A 5.78.86.156
AAAA 2a01:4ff:1f0:83de::1
MX 10 mail.m-labs-intl.com.
TXT "v=spf1 mx -all"
TXT "google-site-verification=BlQd5_5wWW7calKC7bZA0GdoxR8-zj4gwJEg9sGJ3l8"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1768317117"
ns A 94.190.212.123
ns AAAA 2001:470:18:390::2
mail A 5.78.86.156
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
www CNAME @
hooks CNAME @


@ -0,0 +1,53 @@
$TTL 7200
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
2024080501
7200
3600
86400
600)
NS NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
NS ns1.qnetp.net.
NS ns1.he.net.
A 94.190.212.123
A 202.77.7.238
AAAA 2001:470:18:390::2
MX 10 mail.m-labs.hk.
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
TXT "google-site-verification=Tf_TEGZLG7-2BE70hMjLnzjDZ1qUeUZ6vxzbl1sagT8"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
mail A 94.190.212.123
mail A 202.77.7.238
mail AAAA 2001:470:18:390::2
mail._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl38A/Z0IInVU157qzrWgMfYm2iDHoWZsTyiiOoZdT7kHMzS/M2OMXMt7r5g1/7pCPClsGUDJvKGqVMmjJuPleMyKHwpGeT92qDNEFpt6ahneap/oYx5eBYM/vGcgmleNxyIoBHsptaZvqD4vCEFaC22f8UL5QAgQD3wCH3FwlpQIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
lab CNAME @
www CNAME @
nixbld CNAME @
msys2 CNAME @
conda CNAME @
afws CNAME @
git CNAME @
chat CNAME @
hooks CNAME @
forum CNAME @
perso CNAME @
rt CNAME @
files CNAME @
docs CNAME @
rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93
rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9
router.alt A 103.206.98.200
stewardship1.alt A 103.206.98.201
stewardship2.alt A 103.206.98.202
atse.alt A 103.206.98.203
nasty-gareth.alt A 103.206.98.204
zynq.alt A 103.206.98.205


@ -0,0 +1,28 @@
$TTL 7200
@ SOA ns1.m-labs.ph. sb.m-labs.hk. (
2024060201
7200
3600
86400
600)
NS ns1.m-labs.ph.
NS ns1.he.net.
A 94.190.212.123
A 202.77.7.238
AAAA 2001:470:18:390::2
MX 10 mail.m-labs.hk.
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
TXT "google-site-verification=g2k8M1fhbYOPs4C37SeGCfNlD6paWcexamji1DXrp0o"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
ns1 A 94.190.212.123
ns1 AAAA 2001:470:18:390::2
mail._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPUlkoA4Gucsin6P5LSohSOpPbpOELkbKDz9MmB4Zzj4QdcQNtMzU3Uis8WZwVXknQ/6URoDdTa4aR8+PwMi5fjKpLM8ZAnnHJHYebZPDRq6lQo3VGdaCu9NhdjYwFhvK9VRyhwI9i7DUptdLsu/OzbgTlCdWQTOr+MFEkYwmxLQIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
www CNAME @


@ -0,0 +1,23 @@
$TTL 7200
@ SOA ns.malloctech.fr. sb.m-labs.hk. (
2024060201
7200
3600
86400
600)
NS ns.malloctech.fr.
NS ns1.he.net.
MX 10 mail.m-labs.hk.
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
TXT "google-site-verification=LALF-fafTnmkL-18m3CzwFjSwEV1C7NeKexiNfMYsOw"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
ns A 94.190.212.123
ns AAAA 2001:470:18:390::2
mail._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+Op2B9cdVxwyweChOBJtk4LGkLUfxunI3a7sSL0aVnntfPWkKgY7zTL8iOJaqdt/DkkvOz++HEsn3AzleXsdibaTC9x6kgrMVgkrsYOKA4bWDLJiUfgq7vvRMdkw6rOqlJp9+faXKIKwtMG9Ckd1+rHBsaFwe7EE0coLbhGZaQQIDAQAB"
_dmarc TXT "v=DMARC1; p=none"


@ -0,0 +1,80 @@
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 2a09e3dd4..7dc03855f 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -197,6 +197,8 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
assert(derivationType);
+ networked = parsedDrv->getBoolAttr("__networked");
+
/* Are we doing a chroot build? */
{
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
@@ -214,7 +216,7 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
else if (settings.sandboxMode == smDisabled)
useChroot = false;
else if (settings.sandboxMode == smRelaxed)
- useChroot = derivationType->isSandboxed() && !noChroot;
+ useChroot = !networked && derivationType->isSandboxed() && !noChroot;
}
auto & localStore = getLocalStore();
@@ -737,7 +739,7 @@ void LocalDerivationGoal::startBuilder()
"nogroup:x:65534:\n", sandboxGid()));
/* Create /etc/hosts with localhost entry. */
- if (derivationType->isSandboxed())
+ if (!networked && derivationType->isSandboxed())
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
/* Make the closure of the inputs available in the chroot,
@@ -938,7 +940,7 @@ void LocalDerivationGoal::startBuilder()
us.
*/
- if (derivationType->isSandboxed())
+ if (!networked && derivationType->isSandboxed())
privateNetwork = true;
userNamespaceSync.create();
@@ -1177,7 +1179,7 @@ void LocalDerivationGoal::initEnv()
to the builder is generally impure, but the output of
fixed-output derivations is by definition pure (since we
already know the cryptographic hash of the output). */
- if (!derivationType->isSandboxed()) {
+ if (networked || !derivationType->isSandboxed()) {
auto & impureEnv = settings.impureEnv.get();
if (!impureEnv.empty())
experimentalFeatureSettings.require(Xp::ConfigurableImpureEnv);
@@ -1851,7 +1853,7 @@ void LocalDerivationGoal::runChild()
/* Fixed-output derivations typically need to access the
network, so give them access to /etc/resolv.conf and so
on. */
- if (!derivationType->isSandboxed()) {
+ if (networked || !derivationType->isSandboxed()) {
// Only use nss functions to resolve hosts and
// services. Dont use it for anything else that may
// be configured for this system. This limits the
@@ -2083,7 +2085,7 @@ void LocalDerivationGoal::runChild()
#include "sandbox-defaults.sb"
;
- if (!derivationType->isSandboxed())
+ if (networked || !derivationType->isSandboxed())
sandboxProfile +=
#include "sandbox-network.sb"
;
diff --git a/src/libstore/unix/build/local-derivation-goal.hh b/src/libstore/unix/build/local-derivation-goal.hh
index bf25cf2a6..28f8c1e95 100644
--- a/src/libstore/unix/build/local-derivation-goal.hh
+++ b/src/libstore/unix/build/local-derivation-goal.hh
@@ -83,6 +83,8 @@ struct LocalDerivationGoal : public DerivationGoal
*/
Path chrootRootDir;
+ bool networked;
+
/**
* RAII object to delete the chroot directory.
*/
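Review bot: `networked` is taken straight from the derivation's `__networked` attribute in `tryLocalBuild()`, and nothing in the visible hunks checks a daemon setting or the requesting user before honouring it. Any derivation that reaches this builder can therefore opt out of the private network namespace and, in relaxed sandbox mode, out of the chroot entirely (`useChroot = !networked && ...`). If expressions from less-trusted sources are ever built on this host, outputs become dependent on live network state and the build script gains outbound connectivity; gating the attribute on an explicit setting or on trusted submitters would contain that. Separately, the new member in `local-derivation-goal.hh` has no initializer; declaring it as `bool networked = false;` avoids reading an indeterminate value on any path that runs before `tryLocalBuild()`. The functions touched all begin and end outside the hunks shown.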


@ -14,6 +14,13 @@ from werkzeug.middleware.proxy_fix import ProxyFix
load_dotenv()
mail_password_file = getenv("FLASK_MAIL_PASSWORD_FILE")
if mail_password_file is not None:
with open(mail_password_file, "r") as f:
mail_password = f.read().strip()
else:
mail_password = None
app = Flask(__name__)
app.config.update(
DEBUG=getenv("FLASK_DEBUG") == "True",
@ -22,7 +29,7 @@ app.config.update(
MAIL_USE_SSL=getenv("FLASK_MAIL_USE_SSL"),
MAIL_DEBUG=False,
MAIL_USERNAME=getenv("FLASK_MAIL_USERNAME"),
MAIL_PASSWORD=getenv("FLASK_MAIL_PASSWORD"),
MAIL_PASSWORD=mail_password,
MAIL_RECIPIENT=getenv("FLASK_MAIL_RECIPIENT"),
MAIL_SENDER=getenv("FLASK_MAIL_SENDER")
)
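Review bot: When `FLASK_MAIL_PASSWORD_FILE` is unset the new block falls through to `mail_password = None` without any message, so a misconfigured deployment starts normally and only fails when the first mail is sent. Consider logging a warning in the `else` branch, or raising if mail is mandatory in production, e.g. `raise RuntimeError("FLASK_MAIL_PASSWORD_FILE is not set")`. The password file also has to be readable by the account the app runs under and by nothing broader; a short comment above the `open()` stating that expectation would help whoever provisions it.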


@ -7,13 +7,13 @@ in {
pythonPackages = self: [ pkg ];
module = "rfq:app";
env = [
"FLASK_MAIL_SERVER=ssl.serverraum.org"
"FLASK_MAIL_SERVER=mail.m-labs.hk"
"FLASK_MAIL_PORT=465"
"FLASK_MAIL_USE_SSL=True"
"FLASK_MAIL_USERNAME=sales@m-labs.hk"
"FLASK_MAIL_PASSWORD=${import /etc/nixos/secret/sales_password.nix}"
"FLASK_MAIL_USERNAME=sysop@m-labs.hk"
"FLASK_MAIL_PASSWORD_FILE=/etc/nixos/secret/rfqpassword"
"FLASK_MAIL_RECIPIENT=sales@m-labs.hk"
"FLASK_MAIL_SENDER=sales@m-labs.hk"
"FLASK_MAIL_SENDER=sysop@m-labs.hk"
];
socket = "${config.services.uwsgi.runDir}/uwsgi-rfq.sock";
# allow access from nginx


@ -0,0 +1,11 @@
diff '--color=auto' -Naur rt-5.0.1/lib/RT/Interface/Web.pm rtpatched/lib/RT/Interface/Web.pm
--- rt-5.0.1/lib/RT/Interface/Web.pm 1970-01-01 08:00:01.000000000 +0800
+++ rtpatched/lib/RT/Interface/Web.pm 2021-08-12 13:34:08.870669968 +0800
@@ -948,6 +948,7 @@
-path => RT->Config->Get('WebPath'),
-secure => ( RT->Config->Get('WebSecureCookies') ? 1 : 0 ),
-httponly => ( RT->Config->Get('WebHttpOnlyCookies') ? 1 : 0 ),
+ -expires => '+6M',
);
$HTML::Mason::Commands::r->err_headers_out->{'Set-Cookie'} = $cookie->as_string;
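Review bot: `-expires => '+6M'` hard-codes the session cookie lifetime in the patch, separately from `$AutoLogoff` (set to 262800 minutes in the RT site config added elsewhere in this compare), so the two can drift apart when one of them is changed. A persistent six-month cookie also survives browser restarts, which lengthens the period in which a copied cookie remains usable; `WebSecureCookies` is set in that site config, but `WebHttpOnlyCookies` is not visibly set there, so it is worth confirming that its default is on. At minimum add a comment beside the new line such as `# keep in sync with $AutoLogoff in RT_SiteConfig.pm`. The cookie constructor call starts outside the hunk.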

298
nixbld-etc-nixos/rt.nix Normal file

@ -0,0 +1,298 @@
# based on https://gist.github.com/ajs124/ff04ab14435908d914cf5cedbc56a52e
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.rt;
configFile = pkgs.writeTextFile {
name = "RT_SiteConfig.pm";
text = ''
use utf8;
# System (Base configuration)
Set($rtname, '${cfg.rtName}'); # Changing this will break responses to existing tickets
Set($Organization, '${cfg.organization}'); # Changing this will break all existing tickets
Set($CorrespondAddress, '${cfg.correspondAddress}');
Set($CommentAddress, '${cfg.commentAddress}');
Set($WebDomain, '${cfg.domain}');
Set($Timezone, '${cfg.timeZone}');
Set($DatabaseType, 'Pg');
Set($DatabaseHost, '/run/postgresql');
Set($DatabaseUser, 'rt');
Set($DatabaseName, 'rt5');
# System (Logging)
Set($LogToSTDERR, undef); # Don't log twice
# System (Incoming mail gateway)
Set($OwnerEmail, '${cfg.ownerEmail}');
Set($MaxAttachmentSize, 15360000);
Set($CheckMoreMSMailHeaders, 1);
Set($RTAddressRegexp, '^(helpdesk)\@(m-labs.hk|m-labs-intl.com)$');
Set($LoopsToRTOwner, 0);
# System (Outgoing mail)
Set($SetOutgoingMailFrom, 'helpdesk@m-labs.hk');
# System (Sendmail configuration)
Set($SendmailPath, '${cfg.sendmailPath}');
Set($SendmailArguments, '${concatStringsSep " " cfg.sendmailArguments}');
# System (Application logic)
Set($ParseNewMessageForTicketCcs, 1);
# System (Extra Security)
Set($RestrictLoginReferrer, 1);
# System (Date and time handling)
Set($DefaultTimeUnitsToHours, 1);
Set($TimeInICal, 1);
Set($DateTimeFormat, 'RFC2822');
# System (Authorization and user configuration)
Set($AutoLogoff, 262800); # 6 months
Set($WebSecureCookies, 1);
# Web Interface (Base configuration)
Set($CanonicalizeRedirectURLs, 1);
Set($CanonicalizeURLsInFeeds, 1);
Set($WebBaseURL, '${cfg.baseUrl}');
Set($LogoLinkURL, '${cfg.baseUrl}');
# Web Interface (Home page)
Set($DefaultSummaryRows, 50);
# Web Interface (Ticket search)
Set($DefaultSearchResultOrder, 'DESC'); # Display newer tickets first
Set($SearchResultsAutoRedirect, 1); # Don't show result list when there is only one match
Set(%FullTextSearch,
Enable => 1,
Indexed => 1,
Column => 'ContentIndex',
Table => 'AttachmentsIndex',
);
# Web Interface (Ticket options)
Set($ShowMoreAboutPrivilegedUsers, 1);
Set($MoreAboutRequestorGroupsLimit, undef);
Set($HideUnsetFieldsOnDisplay, 1);
# Web Interface (Articles)
Set($ArticleOnTicketCreate, 0);
# Web Interface (Message box properties)
Set($MessageBoxRichText, 0);
Set($MessageBoxIncludeSignatureOnComment, 0);
# Web Interface (Transaction display)
Set($MaxInlineBody, 0);
Set($SuppressInlineTextFiles, 1);
# Web Interface (Administrative interface)
Set($ShowRTPortal, 0);
Set($ShowEditSsytemConfig, 0);
# Features (External storage)
Set(%ExternalStorage,
Type => 'Disk',
Path => '/var/lib/rt/attachments',
);
Set($ExternalStorageCutoffSize, 0);
# Features (Cryptography)
Set(%Crypt, RejectOnMissingPrivateKey => 0, RejectOnBadData => 0, AllowEncryptDataInDB => 0);
Set(%SMIME, Enable => 1, Keyring => '${pkgs.cacert}/etc/ssl/certs/');
Set(%GnuPG, Enable => 1);
Set(%GnuPGOptions,
'keyserver' => 'hkp://keys.openpgp.org',
'always-trust' => undef,
'auto-key-locate' => 'keyserver',
'keyserver-options' => 'auto-key-retrieve'
);
${cfg.extraConfig}
1;
'';
checkPhase = ''
${pkgs.perl}/bin/perl -c $out
'';
};
in {
options.services.rt = with types; {
enable = mkEnableOption "rt system";
package = mkOption {
description = "Package to use";
default = pkgs.rt;
defaultText = "pkgs.rt";
type = package;
};
baseUrl = mkOption {
description = "Base URL for web interface";
default = "https://${cfg.domain}";
defaultText = "https://\${cfg.domain}";
type = str;
};
commentAddress = mkOption {
description = "Default address from/to which comments are sent";
type = str;
};
correspondAddress = mkOption {
description = "Default address from/to which correspondences are sent";
type = str;
};
domain = mkOption {
description = "Which domain RT is running on";
type = str;
};
ownerEmail = mkOption {
description = "Address of a human who manages RT. RT will send errors generated by the mail gateway to this address; it will also be displayed as the contact person on the RT's login page.";
type = str;
};
port = mkOption {
description = "Which port rt-server should listen on";
type = port;
default = 4201;
};
sendmailPath = mkOption {
description = "Sendmail binary used to send... mail";
default = "${pkgs.msmtp}/bin/sendmail";
defaultText = "\${pkgs.msmtp}/bin/sendmail";
type = str;
};
sendmailArguments = mkOption {
description = "Arguments to call sendmailPath with";
default = [ ];
type = listOf (oneOf [ str path ]);
};
timeZone = mkOption {
description = "Used to convert times entered by users into GMT, as they are stored in the database, and back again; users can override this";
type = str;
default = config.time.timeZone;
defaultText = "[time.timeZone]";
};
rtName = mkOption {
description = "Name of this RT instance";
type = str;
};
organization = mkOption {
description = "Name of the organization of this instance";
type = str;
};
extraConfig = mkOption {
description = "Verbatim config to append to generated on";
type = lines;
default = "";
};
};
config = let
components = [
"rt-clean-sessions"
"rt-email-dashboards"
"rt-email-digest-daily"
"rt-email-digest-weekly"
"rt-externalize-attachments"
"rt-fulltext-indexer"
"rt-validator"
];
mkTimer = name: {
"${name}" = {
wantedBy = [ "timers.target" ];
timerConfig.Unit = [ "${name}.service" ];
};
};
mkService = name: extraArgs: {
"${name}" = {
stopIfChanged = false;
serviceConfig = {
ExecStart = if extraArgs == ""
then "${cfg.package}/bin/${name}"
else mkForce "${cfg.package}/bin/${name} ${extraArgs}";
User = "rt";
Group = "rt";
PrivateNetwork = false;
MemoryDenyWriteExecute = false;
};
environment = {
RT_SITE_CONFIG = configFile;
};
path = with pkgs; [
w3m
];
};
};
in (mkIf cfg.enable {
systemd.services = mkMerge ((map (c: mkService c "") components) ++ [
(mkService "rt-server" "--port ${toString cfg.port} --server Starman")
(mkService "rt-clean-sessions" "--skip-user")
(mkService "rt-fulltext-indexer" "--limit 500000")
(mkService "rt-validator" "--check")
{
rt-server = {
serviceConfig = {
StateDirectory = [ "rt/" "rt/attachments/" "rt/shredder/" "rt/smime/" ];
RuntimeDirectory = [ "rt/" "rt/mason_data/" ];
LogsDirectory = "rt/";
};
after = [ "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
};
}
{
rt-externalize-attachments = {
serviceConfig.StateDirectory = "rt/attachments/";
};
}
{ rt-email-digest-daily.serviceConfig.ExecStart = mkForce "${cfg.package}/bin/rt-email-digest -m daily"; }
{ rt-email-digest-weekly.serviceConfig.ExecStart = mkForce "${cfg.package}/bin/rt-email-digest -m weekly"; }
]);
systemd.timers = mkMerge ((map mkTimer components) ++ [
{
rt-clean-sessions.timerConfig.OnCalendar = "daily";
rt-email-dashboards.timerConfig.OnCalendar = "hourly";
rt-email-digest-daily.timerConfig.OnCalendar = "daily";
rt-email-digest-weekly.timerConfig.OnCalendar = "weekly";
rt-externalize-attachments.timerConfig.OnCalendar = "01:00";
rt-fulltext-indexer.timerConfig.OnCalendar = "02:00";
rt-validator.timerConfig.OnCalendar = "*-*-01 03:00:00";
}
]);
users.users.rt = {
isSystemUser = true;
group = "rt";
};
users.groups.rt = {};
systemd.tmpfiles.rules = [
"d /var/lib/secrets/rt 0500 rt rt -"
"d /var/lib/rt/gpg 0700 rt rt -"
];
});
}
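Review bot: `Set($ShowEditSsytemConfig, 0);` misspells the option name, so RT presumably never applies the intended `$ShowEditSystemConfig` setting and the web-based system configuration editor stays reachable for super users; the line should read `Set($ShowEditSystemConfig, 0);`. The `perl -c` run in `checkPhase` evidently does not flag this, since the generated file only enables `use utf8;` and an unknown variable name is still syntactically valid. In `%GnuPGOptions`, `'always-trust'` combined with `auto-key-retrieve` from a public keyserver means any retrieved key is treated as valid, so a good-signature indication in RT says little about who sent the mail; a comment recording that this is deliberate would help. The dots in `$RTAddressRegexp` are unescaped and match any character; `m-labs\.hk|m-labs-intl\.com` is tighter.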


@ -1,11 +1,11 @@
-rw------- 1 root root backup-passphrase
-rw------- 1 root root email_accounts.nix
-rw------- 1 homu homu homu.toml
-rw------- 1 root root gitea_tokens.nix
-rw------- 1 root root github_tokens.nix
-rw-rw---- 1 gitea gitea mailerpassword
-rw------- 1 matterbridge matterbridge matterbridge.toml
-rw------- 1 uwsgi uwsgi mattermost-github-integration.py
-rw------- 1 nginx nginx muninpasswd
-rw-rw---- 1 hydra hydra nixbld.m-labs.hk-1
-rw-rw---- 1 hydra hydra nix_id_rsa
-rw------- 1 root root rclone.conf
-rw------- 1 root root wifi_password.nix
-rw------- 1 sb users wifi_ext_password.nix


@ -0,0 +1,45 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/89463254-b38d-45db-92b6-0f7d92a44f47";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/F84B-ACC5";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "23.11";
}

45
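--- a/nixops/avscan-module.nix
+++ b/nixops/avscan-module.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+avscan = pkgs.writeScript "avscan" ''
+#!${pkgs.bash}/bin/bash
+for user in $(cut -d":" -f1 /etc/passwd); do
+if [ -d "/home/$user" ]; then
+nice -15 ${pkgs.sudo}/bin/sudo -u $user ${pkgs.clamav}/bin/clamscan --recursive --quiet --infected /home/$user
+fi
+done
+'';
+cfg = config.services.avscan;
+in
+{
+options.services.avscan = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = "Enable antivirus scan";
+};
+};
+config = mkIf cfg.enable {
+services.clamav.updater.enable = true;
+services.clamav.updater.interval = "daily";
+services.clamav.updater.frequency = 1;
+systemd.services.avscan = {
+description = "Antivirus scan";
+serviceConfig = {
+Type = "oneshot";
+User = "root";
+Group = "root";
+ExecStart = "${avscan}";
+};
+};
+systemd.timers.avscan = {
+description = "Antivirus scan";
+wantedBy = [ "timers.target" ];
+timerConfig.OnCalendar = "Mon *-*-* 13:00:00";
+};
+};
+}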
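Review bot: The avscan script exits with the status of its last loop iteration, so a detection in any home directory other than the one belonging to the last /etc/passwd entry is lost and the oneshot unit will normally finish as successful. clamscan returns 1 when it finds something, and I'd keep that: `status=0` before the loop, `... --infected /home/$user || status=$?` on the clamscan line, and `exit $status` after `done`, so a finding marks the unit failed and can be alerted on. `$user` and `/home/$user` are also unquoted in a script that runs as root and should be written `"$user"` and `"/home/$user"`. The timer has no `Persistent = true`, so a workstation that is powered off on Monday at 13:00 skips that week's scan.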


@ -1,6 +1,3 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
@ -21,13 +18,18 @@
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/060C-8772";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 16;
nix.settings.max-jobs = lib.mkDefault 16;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "19.03";
}


@ -1,29 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "ata_generic" "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "usbhid" "floppy" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/35d9c50c-e479-43a9-8324-b8ded5b71844";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/d8480389-c558-4c46-a58f-00207315dbdd"; }
];
nix.maxJobs = lib.mkDefault 2;
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
services.xserver.videoDrivers = ["intel"];
}


@ -1,12 +1,18 @@
{ pkgs, ... }:
{
root = {
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
];
};
sb = {
isNormalUser = true;
extraGroups = ["wheel" "plugdev" "dialout"];
extraGroups = ["wheel" "plugdev" "dialout" "libvirtd"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
];
};
rj = {
@ -19,26 +25,12 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
];
};
harry = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout" "wireshark"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDcPNCgtdz8erFPRrAwCr4JrkeYXJUUvoRBgP0X2HlzJgDe1Inuo6sC6CGcO3IXbf4MwVA9XEp8BYPHARVeEHhufg/0wnIABLx2GcK99yxOLDUe4h/3YwtqvOcqHEsDx7w=="
];
};
astro = {
guest = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJJTSJdpDh82486uPiMhhyhnci4tScp5uUe7156MBC8 a"
];
shell = pkgs.bashInteractive;
};
pca006132 = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBE/sPOOiw3843+rrcYV2pOVkffNc1xsOgnuCUmy1Fa2VF8x9kqmgQv61sxsuKRkKKoinvqrASxLkWVd6nkiiDuEISibEXs8r1BwuT05cS7RkEhCakSMZ6y/iqOtjt2bx+A=="
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPsv4UMEFV0UHeHdA9R3sC+qoMxrqhcuFqwqWMI4AF/lixwcbRyA8QKiu/7R22m2u6pp+Zk6hYqcxdgClI4uN2oQhVjJX6wEgfT94vC/67OKJI/NNVsR8G0lr0ufCo4Lbw=="
];
};
occheung = {
@ -48,11 +40,90 @@
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPEvmWmxpFpMgp5fpjKud8ev0cyf/+X5fEpQt/YD/+u4mbvZYPE300DLqQ0h/qjgvaGMz1ndf4idYnRdy+plJEC/+hmlRW5NlcpAr3S/LYAisacgKToFVl+MlBo+emS9Ig=="
];
};
dsleung = {
spaqin = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDbE7HzZKSwGbgRnzwrzCzb3gZKLSritwnEpHS4sa9oXJ5oLFkuFZOpPYDeiMlbUJ9jCk5FRmkLYIkrbz06SUr7P/eUjxu79ENi3RhfVu+ZrrPvgkhKvM/CiXvw3xCOu0w=="
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ=="
];
shell = pkgs.zsh;
};
srayman89 = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout" "libvirtd"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMoGOV9HoFkm6S6zMfOc8ivUcGzKFxuqpmOXKQtg2nn5Kh6ByMuuAHFlvKISILBaWgXN8lPQN9VjLuXV93oG4Pe7u8EVw20IGbA6RZ4Pnnr1xQBESPbye+72taLvyQlxGA=="
];
};
esavkin = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
];
};
flo = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
];
};
srenblad = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLoMzO8XIkUTKUC0R05EmXn3V6gm2oMvXhh+j68G9TDBeb8x0WFkz16NPclsXdMcb2dFhtLmxUHwB5L4zWSuyYkqr0YRrtly3uwXe5Wnyz1ZAkxoq7YjQlanWSri11U8xw=="
];
};
linuswck = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout" "wireshark" "libvirtd"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAFYwmik6/xY1vb9aKBOpKklKOwSJJ0PEgNwWNULghZGJ0g4CTk04LXLSMYBm1SW74df8YMgaE/eoidq6smN6hKIgo8s3qPQGZAi4UXffMs2ciqXNa/zZcCu3PyZvyksxA=="
];
};
morgan = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout" "wireshark" "libvirtd"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
];
};
atse = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJHMX1YDnBPQfZyGVtc93u4TIFWqnHEe6WB/eTeiOjFulitXzGfhsODZ08GzTi2+YKk7spRiPKNwRPTKFuW2PPe3Xig8b75qRMIeIVX3b7e0i6xP85eg4jdiz0LD2YGUHQ=="
];
};
derppening = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
];
};
therobs12 = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
];
};
abdul = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
];
};
dpn = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGChLocYJi8XcSJkIjT2Olm3jPGjtRq5aORa5G9F3OqmjCfvav9Q5+2Mc64XqHtNTffnJuDe4gv+lVJatC0URvPs2HyxXmxRK0jgkkLSUsV2SYLlgMqHW3jsrdh6wKBmkg=="
];
};
}
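Review bot: The `libvirtd` group is given to accounts that are not in `wheel` (`srayman89`, `esavkin`, `linuswck`, `morgan`), and libvirt's documentation treats read-write access to the system daemon as equivalent to root, so those `extraGroups` lines are effectively a privilege grant and deserve a comment saying so, e.g. `# libvirtd: full control of qemu:///system, treat as root-equivalent`. The `root` entry carries the same two ecdsa keys that are listed for `sb`; since `sb` is already in `wheel`, logging in as `sb` and elevating keeps per-user attribution in the logs, and the direct root keys would be worth a comment explaining why they are needed. Which of these lines are new in this range cannot be told from the rendered page, so read this as applying to the resulting file.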


@ -0,0 +1,46 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/c7fa9c3e-56ca-4258-a49c-3f064efbd58c";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/76A2-F01F";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "23.05";
}


@ -2,20 +2,48 @@
{ config, pkgs, ... }:
let
m-labs = import (fetchTarball https://nixbld.m-labs.hk/channel/custom/artiq/full/artiq-full/nixexprs.tar.xz) { inherit pkgs; };
pkgs-unstable = import (fetchTarball https://github.com/NixOS/nixpkgs/archive/master.tar.gz) {};
artiq = builtins.getFlake git+https://github.com/m-labs/artiq.git;
in
{
deployment.targetHost = host;
deployment.hasFastConnection = true;
nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
programs.command-not-found.dbPath = "${pkgs.path}/programs.sqlite";
boot.loader.systemd-boot.memtest86.enable = true;
boot.loader.grub.memtest86.enable = true;
boot.kernel.sysctl."kernel.dmesg_restrict" = false;
disabledModules = [ "security/pam.nix" ];
imports =
[
(./. + "/${host}-hardware-configuration.nix")
./pam_p11
./avscan-module.nix
];
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
libp11 = super.libp11.override({ openssl = super.openssl_1_1; });
pam_p11 = super.pam_p11.overrideAttrs(oa: {
patches = [];
postPatch = ''
substituteInPlace src/match_openssh.c --replace \
'"%s/.ssh/authorized_keys", pw->pw_dir)' \
'"/etc/ssh/authorized_keys.d/%s", pw->pw_name)'
'';
});
gnome = super.gnome // {
gnome-keyring = super.gnome.gnome-keyring.overrideAttrs(oa: {
configureFlags = oa.configureFlags ++ ["--disable-ssh-agent"];
});
};
};
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
];
boot.binfmt.emulatedSystems = [ "armv7l-linux" ];
networking.hostName = host;
networking.firewall.allowedTCPPorts = [ 1883 ];
networking.firewall.allowedUDPPorts = [ 1883 ];
time.timeZone = "Asia/Hong_Kong";
@ -23,38 +51,63 @@ in
# $ nix search wget
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
opensc yubikey-manager yubikey-manager-qt
wget vim gitAndTools.gitFull firefox chromium thunderbird hexchat
usbutils pciutils file lm_sensors audacious acpi
opensc yubikey-manager yubikey-manager-qt yubico-piv-tool
wget vim gitAndTools.gitFull sshfs
firefox
thunderbird
chromium
usbutils pciutils uhubctl file lm_sensors audacious acpi
gimp imagemagick
(python3.withPackages(ps: with ps; [ numpy scipy matplotlib qtconsole regex ]))
(python3.withPackages(ps: with ps; [ numpy scipy matplotlib qtconsole regex jinja2 ]))
texlive.combined.scheme-full
mosh psmisc libreoffice-fresh
gtkwave telnet unzip zip gnupg
gnome3.gnome-tweaks
inkscape
xournal
xsane
gtkwave unzip zip gnupg
gnome-tweaks
ghex
jq sublime3 rink qemu_kvm
tmux xc3sprog m-labs.openocd screen gdb minicom picocom tigervnc
tmux screen gdb minicom picocom
artiq.packages.x86_64-linux.openocd-bscanspi
xc3sprog
gqrx
emacs bat ripgrep
pkgs-unstable.rust-analyzer
(pkgs-unstable.vscode-with-extensions.override {
vscodeExtensions = [
pkgs-unstable.vscode-extensions.matklad.rust-analyzer
];
})
(import ./fish-nix-shell)
guake
vscodium
waypipe
virt-manager spice-gtk
kicad
any-nix-shell
];
programs.wireshark.enable = true;
programs.wireshark.package = pkgs.wireshark;
virtualisation.libvirtd.enable = true;
virtualisation.libvirtd.qemu.ovmf.enable = true;
security.wrappers.spice-client-glib-usb-acl-helper = {
source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
owner = "root";
group = "root";
setuid = true;
};
services.avscan.enable = true;
services.openssh.enable = true;
services.openssh.forwardX11 = true;
services.openssh.passwordAuthentication = false;
hardware.u2f.enable = true;
services.openssh.authorizedKeysInHomedir = false;
services.openssh.settings.PasswordAuthentication = false;
services.openssh.extraConfig =
''
StreamLocalBindUnlink yes
'';
programs.mosh.enable = true;
services.pcscd.enable = true;
programs.ssh.extraConfig =
''
PKCS11Provider "${pkgs.opensc}/lib/opensc-pkcs11.so"
'';
programs.ssh.startAgent = true;
services.gnome3.gnome-keyring.enable = pkgs.lib.mkForce false;
programs.ssh.agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
security.pam.p11.enable = true;
@ -74,76 +127,54 @@ in
};
services.avahi = {
enable = true;
nssmdns = true;
nssmdns4 = true;
};
# Enable sound.
sound.enable = true;
hardware.pulseaudio = {
enable = true;
extraModules = [ pkgs.pulseaudio-modules-bt ];
package = pkgs.pulseaudioFull;
};
hardware.graphics.enable32Bit = true;
i18n.inputMethod = {
enabled = "fcitx";
fcitx.engines = with pkgs.fcitx-engines; [ table-extra m17n ];
};
fonts.fonts = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.layout = "us";
services.xserver.xkbOptions = "eurosign:e";
# Enable touchpad support.
services.xserver.libinput.enable = true;
services.xserver.xkb.layout = "us";
services.xserver.xkb.options = "eurosign:e";
services.xserver.displayManager.gdm.enable = true;
services.xserver.displayManager.gdm.autoSuspend = false;
powerManagement.enable = false;
services.xserver.desktopManager.gnome3.enable = true;
environment.gnome3.excludePackages = [ pkgs.epiphany pkgs.gnome3.geary ];
services.xserver.desktopManager.gnome.enable = true;
environment.gnome.excludePackages = [ pkgs.epiphany ];
systemd.suppressedSystemUnits = [
"hibernate.target"
"suspend.target"
"suspend-then-hibernate.target"
"sleep.target"
"hybrid-sleep.target"
"systemd-hibernate.service"
"systemd-hybrid-sleep.service"
"systemd-suspend.service"
"systemd-suspend-then-hibernate.service"
];
hardware.bluetooth.enable = true;
programs.zsh.enable = true;
programs.fish.enable = true;
programs.fish.promptInit = ''
fish-nix-shell --info-right | source
any-nix-shell fish --info-right | source
'';
users.mutableUsers = false;
users.defaultUserShell = pkgs.fish;
users.extraGroups.plugdev = { };
users.extraUsers = import ./common-users.nix { inherit pkgs; };
security.sudo.wheelNeedsPassword = false;
services.udev.packages = [ m-labs.openocd ];
services.udev.extraRules = ''
# leaf maple
SUBSYSTEM=="usb", ATTRS{idVendor}=="1eaf", ATTRS{idProduct}=="0003", MODE="0660", GROUP="plugdev"
SUBSYSTEM=="usb", ATTRS{idVendor}=="1eaf", ATTRS{idProduct}=="0004", MODE="0660", GROUP="plugdev"
# glasgow
SUBSYSTEM=="usb", ATTRS{idVendor}=="20b7", ATTRS{idProduct}=="9db1", MODE="0660", GROUP="plugdev"
# hackrf
SUBSYSTEM=="usb", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="6089", MODE="0660", GROUP="plugdev"
# bladerf
SUBSYSTEM=="usb", ATTRS{idVendor}=="2cf0", ATTRS{idProduct}=="5250", MODE="0660", GROUP="plugdev"
# personal measurement device
SUBSYSTEM=="usb", ATTRS{idVendor}=="09db", ATTRS{idProduct}=="007a", MODE="0660", GROUP="plugdev"
# saleae
SUBSYSTEM=="usb", ATTRS{idVendor}=="0925", ATTRS{idProduct}=="3881", MODE="0660", GROUP="plugdev"
# ocean optics
SUBSYSTEM=="usb", ATTRS{idVendor}=="2457", ATTRS{idProduct}=="1002", MODE="0660", GROUP="plugdev"
# yubikey
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", MODE="0660", GROUP="plugdev"
services.udev.packages = [ artiq.packages.x86_64-linux.openocd-bscanspi ];
services.udev.extraRules = (import ./extra-udev.nix);
nix.settings.trusted-public-keys = ["nixbld.m-labs.hk-1:5aSRVA5b320xbNvu30tqxVPXpld73bhtOeH6uAjRyHc="];
nix.settings.substituters = ["https://nixbld.m-labs.hk?priority=10"];
nix.settings.extra-sandbox-paths = ["/opt"];
nix.extraOptions = ''
experimental-features = nix-command flakes impure-derivations
'';
nix.binaryCachePublicKeys = ["nixbld.m-labs.hk-1:5aSRVA5b320xbNvu30tqxVPXpld73bhtOeH6uAjRyHc="];
nix.binaryCaches = ["https://nixbld.m-labs.hk" "https://cache.nixos.org"];
nix.sandboxPaths = ["/opt"];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "19.03"; # Did you read the comment?
}
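Review bot: `libp11` is rebuilt against `openssl_1_1` and `openssl-1.1.1w` is added to `permittedInsecurePackages`, which puts a release that nixpkgs marks insecure into what looks like the pam_p11 smartcard login path, and nothing in the file says why or when it can go. I'd add a comment above the override, e.g. `# libp11 needs OpenSSL 1.1 because <reason>; drop this and the permittedInsecurePackages entry once <condition>`, so the exception does not outlive its reason. Separately, `artiq = builtins.getFlake git+https://github.com/m-labs/artiq.git;` has no `rev`, so each evaluation takes whatever the default branch holds, and its `openocd-bscanspi` output ends up in both `environment.systemPackages` and `services.udev.packages`; pinning with `?rev=<commit-sha>` or a locked flake input would make the deployed system reproducible. The old and new sides are not distinguishable on this rendered page, so this refers to the lines that appear to be on the new side.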

27
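--- a/nixops/extra-udev.nix
+++ b/nixops/extra-udev.nix
@@ -0,0 +1,27 @@
+''
+# hackrf
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="6089", MODE="0660", GROUP="plugdev"
+# bladerf
+SUBSYSTEM=="usb", ATTRS{idVendor}=="2cf0", ATTRS{idProduct}=="5250", MODE="0660", GROUP="plugdev"
+# personal measurement device
+SUBSYSTEM=="usb", ATTRS{idVendor}=="09db", ATTRS{idProduct}=="007a", MODE="0660", GROUP="plugdev"
+# saleae
+SUBSYSTEM=="usb", ATTRS{idVendor}=="0925", ATTRS{idProduct}=="3881", MODE="0660", GROUP="plugdev"
+# ocean optics
+SUBSYSTEM=="usb", ATTRS{idVendor}=="2457", ATTRS{idProduct}=="1002", MODE="0660", GROUP="plugdev"
+# yubikey
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", MODE="0660", GROUP="plugdev"
+# label printer
+SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="plugdev"
+# dfu/booster
+SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="0660", GROUP="plugdev"
+# Renkforce USB hub with power control
+SUBSYSTEM=="usb", ATTRS{idVendor}=="2109", ATTRS{idProduct}=="0812", MODE="0660", GROUP="plugdev"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="2109", ATTRS{idProduct}=="2812", MODE="0660", GROUP="plugdev"
+# LibreVNA
+SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
+# DSLogic
+SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
+''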


@ -1,21 +0,0 @@
MIT License
Copyright (c) 2018 haslersn
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@ -1,50 +0,0 @@
# fish-nix-shell
fish support for the *nix-shell* environment of the Nix package manager.
## Installation
### Installation in the user environment
Execute
```
nix-env -if https://github.com/haslersn/fish-nix-shell/archive/master.tar.gz
```
and add the following to your *~/.config/fish/config.fish*. Create it if it doesn't exist.
```
fish-nix-shell --info-right | source
```
### System-wide installation
Add the package to your */etc/nixos/configuration.nix*:
```
environment.systemPackages = with pkgs; [
#
# Other packages here ...
#
(import (fetchGit "https://github.com/haslersn/fish-nix-shell"))
];
```
and then execute: `sudo nixos-rebuild switch`
If you want to configure it system-wide, also add:
```
programs.fish.enable = true;
programs.fish.promptInit = ''
fish-nix-shell --info-right | source
'';
```
## Flags
The `fish-nix-shell` command **optionally** takes the following flags:
| Flag | Meaning |
| - | - |
| `--info-right` | While in a *fish-nix-shell*, display information about the loaded packages at the right.


@ -1,34 +0,0 @@
#!/bin/sh
function init_fish () {
cat <<EOF
# Overwrite the nix-shell command
function nix-shell
fish-nix-shell-wrapper \$argv
set -gx FISH_NIX_SHELL_EXIT_STATUS \$status
end
EOF
for arg in "$@"; do
case "$arg" in
--info-right)
cat <<EOF
# Print additional information inside a nix-shell environment
function fish_right_prompt
nix-shell-info
set -e FISH_NIX_SHELL_EXIT_STATUS
end
EOF
;;
*) exit 1;;
esac
done
}
cat <<EOF
# If you see this output, you probably forgot to pipe this output into 'source':
# fish-nix-shell $@ | source
EOF
init_fish "$@"


@ -1,22 +0,0 @@
#!/bin/sh
fns () {
pkgs=$FISH_NIX_SHELL_PKGS
for arg in "$@"; do
if [[ $arg == -* ]]; then
pkg=
if [[ $arg == --pure ]] || [[ $arg == --command ]] || [[ $arg == --run ]]; then
command nix-shell $@
return
elif [[ $arg == -p ]] || [[ $arg == --packages ]]; then
pkg=1
fi
elif [[ $pkg == 1 ]]; then
pkgs+=" "$arg
fi
done
if [[ -n $name ]] && [[ $name != shell ]]; then
pkgs+=" "$name
fi
env FISH_NIX_SHELL_PKGS="$pkgs" nix-shell "$@" --command fish
}
fns "$@"


@ -1,21 +0,0 @@
#!/bin/sh
if [[ $IN_NIX_SHELL != "" ]]; then
printf "\033[1;32m"
output=$(echo $FISH_NIX_SHELL_PKGS | xargs)
if [[ -n $name ]] && [[ $name != shell ]]; then
output+=" "$name
fi
if [[ -n $output ]]; then
output=$(echo $output $additional_pkgs | tr ' ' '\n' | sort -u | tr '\n' ' ' | xargs)
printf "$output "
else
printf "[unknown nix-shell] "
fi
printf "\033[0m"
elif [[ $FISH_NIX_SHELL_EXIT_STATUS ]]; then
if [[ $FISH_NIX_SHELL_EXIT_STATUS == 0 ]]; then
printf "\033[1;36mexited nix-shell \033[0m"
else
printf "\033[1;31mERROR \033[0m"
fi
fi


@ -1,16 +0,0 @@
with import <nixpkgs> {}; stdenv.mkDerivation rec {
name = "fish-nix-shell";
src = fetchGit "https://github.com/haslersn/fish-nix-shell";
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
mkdir -p $out
cp LICENSE $out
cp -r bin $out
wrapProgram $out/bin/fish-nix-shell
wrapProgram $out/bin/fish-nix-shell-wrapper --prefix PATH ":" ${fish}/bin
wrapProgram $out/bin/nix-shell-info
'';
meta.description = "fish support for the nix-shell environment of the Nix package manager.";
meta.license = "MIT";
meta.homepage = https://github.com/haslersn/fish-nix-shell;
}


@ -0,0 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.blacklistedKernelModules = [ "iwlwifi" ];
boot.extraModulePackages = [ ];
boot.kernelParams = ["intel_idle.max_cstate=1"];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/37e69920-a60d-4cb0-ae2f-b812f7a35dc8";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A33B-F001";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "21.05";
}


@ -1,6 +1,3 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
@ -21,13 +18,18 @@
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/8C30-F6DC";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 16;
nix.settings.max-jobs = lib.mkDefault 16;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "19.03";
}


@ -1,6 +1,3 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
@ -21,13 +18,18 @@
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/E085-5F21";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 16;
nix.settings.max-jobs = lib.mkDefault 16;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "19.03";
}


@ -1,30 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/62a38d9c-452c-4648-be12-6131e95b8276";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/88F6-46F2";
fsType = "vfat";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 8;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
}


@ -0,0 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/315af039-6799-43ac-8999-7da69a6fbd1e";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/45B7-790E";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
system.stateVersion = "24.05";
}


@ -1,112 +0,0 @@
{ host }:
{ config, pkgs, ... }:
{
deployment.targetHost = host;
disabledModules = [ "security/pam.nix" ];
imports =
[
(./. + "/${host}-hardware-configuration.nix")
./pam_p11
];
networking.hostName = host;
time.timeZone = "Asia/Hong_Kong";
# List packages installed in system profile. To search, run:
# $ nix search wget
documentation.enable = false;
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
opensc
wget vim git firefox usbutils pciutils file lm_sensors acpi
gimp imagemagick
(python3.withPackages(ps: with ps; [ numpy scipy ]))
psmisc
telnet unzip zip gnupg
sublime3 rink
tmux screen tigervnc
(import ./fish-nix-shell)
];
programs.wireshark.enable = true;
services.openssh.enable = true;
services.openssh.forwardX11 = true;
services.openssh.passwordAuthentication = false;
hardware.u2f.enable = true;
services.pcscd.enable = true;
programs.ssh.extraConfig =
''
PKCS11Provider "${pkgs.opensc}/lib/opensc-pkcs11.so"
'';
programs.ssh.startAgent = true;
programs.ssh.agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
security.pam.p11.enable = true;
# Enable CUPS to print documents.
services.printing = {
enable = true;
extraConf =
''
Browsing Off
BrowseLocalProtocols none
'';
browsedConf =
''
BrowseRemoteProtocols none
BrowseProtocols none
'';
};
services.avahi = {
enable = true;
nssmdns = true;
};
# Enable sound.
sound.enable = true;
hardware.pulseaudio = {
enable = true;
extraModules = [ pkgs.pulseaudio-modules-bt ];
package = pkgs.pulseaudioFull;
};
i18n.inputMethod = {
enabled = "fcitx";
fcitx.engines = with pkgs.fcitx-engines; [ table-extra m17n ];
};
fonts.fonts = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra ];
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.layout = "us";
services.xserver.xkbOptions = "eurosign:e";
# Enable touchpad support.
services.xserver.libinput.enable = true;
services.xserver.displayManager.lightdm.enable = true;
services.xserver.desktopManager.xfce.enable = true;
programs.fish.enable = true;
programs.fish.promptInit = ''
fish-nix-shell --info-right | source
'';
users.mutableUsers = false;
users.defaultUserShell = pkgs.fish;
users.extraGroups.plugdev = { };
users.extraUsers = import ./common-users.nix { inherit pkgs; };
security.sudo.wheelNeedsPassword = false;
nix.binaryCachePublicKeys = ["nixbld.m-labs.hk-1:5aSRVA5b320xbNvu30tqxVPXpld73bhtOeH6uAjRyHc="];
nix.binaryCaches = ["https://nixbld.m-labs.hk" "https://cache.nixos.org"];
nix.sandboxPaths = ["/opt"];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "19.03"; # Did you read the comment?
}


@ -1,13 +1,22 @@
{
rpi-1 = import ./rpi.nix { host = "rpi-1"; rpi4 = false; };
rpi-2 = import ./rpi.nix { host = "rpi-2"; rpi4 = false; };
rpi-3 = import ./rpi.nix { host = "rpi-3"; rpi4 = true; };
network.storage.legacy = {
databasefile = "~/.nixops/deployments.nixops";
};
network.enableRollback = true;
rpi-1 = import ./rpi.nix { host = "rpi-1"; rpi4 = true; };
rpi-4 = import ./rpi.nix { host = "rpi-4"; rpi4 = true; };
rpi-5 = import ./rpi.nix { host = "rpi-5"; rpi4 = true; };
juno = import ./desktop.nix { host = "juno"; };
zeus = import ./desktop.nix { host = "zeus"; };
hera = import ./desktop.nix { host = "hera"; };
hestia = import ./desktop.nix { host = "hestia"; };
chiron = import ./desktop.nix { host = "chiron"; };
cnc = import ./light.nix { host = "cnc"; };
old-nixbld = import ./desktop.nix { host = "old-nixbld"; };
franz = import ./desktop.nix { host = "franz"; };
demeter = import ./desktop.nix { host = "demeter"; };
vulcan = import ./desktop.nix { host = "vulcan"; };
rc = import ./desktop.nix { host = "rc"; };
athena = import ./desktop.nix { host = "athena"; };
jupiter = import ./desktop.nix { host = "jupiter"; };
saturn = import ./desktop.nix { host = "saturn"; };
}
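Review bot: `network.storage.legacy.databasefile` points at `~/.nixops/deployments.nixops` with no comment on what that file holds or who owns it, and it looks like one of the lines added here. The NixOps state database can contain per-machine SSH private keys, so I would add a comment above it such as `# NixOps state (may hold deployment SSH keys): keep per-operator, mode 0600, never commit or share unencrypted`. Which host lines are new is not marked on this rendered page, so this note is limited to the storage setting.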


@ -0,0 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/69b15848-1cfc-4e3e-91de-1df0d2fc7a80";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/D0A3-DDAE";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.amd.updateMicrocode = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
system.stateVersion = "22.05";
}


@ -1,843 +0,0 @@
# This module provides configuration for the PAM (Pluggable
# Authentication Modules) system.
{ config, lib, pkgs, ... }:
with lib;
let
pam_p11 = pkgs.callPackage ./pam_p11.nix {};
parentConfig = config;
pamOpts = { config, name, ... }: let cfg = config; in let config = parentConfig; in {
options = {
name = mkOption {
example = "sshd";
type = types.str;
description = "Name of the PAM service.";
};
unixAuth = mkOption {
default = true;
type = types.bool;
description = ''
Whether users can log in with passwords defined in
<filename>/etc/shadow</filename>.
'';
};
rootOK = mkOption {
default = false;
type = types.bool;
description = ''
If set, root doesn't need to authenticate (e.g. for the
<command>useradd</command> service).
'';
};
p11Auth = mkOption {
default = config.security.pam.p11.enable;
type = types.bool;
description = ''
If set, keys listed in
<filename>~/.ssh/authorized_keys</filename> and
<filename>~/.eid/authorized_certificates</filename>
can be used to log in with the associated PKCS#11 tokens.
'';
};
u2fAuth = mkOption {
default = config.security.pam.u2f.enable;
type = types.bool;
description = ''
If set, users listed in
<filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or
<filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is
not set) are able to log in with the associated U2F key. Path can be
changed using <option>security.pam.u2f.authFile</option> option.
'';
};
yubicoAuth = mkOption {
default = config.security.pam.yubico.enable;
type = types.bool;
description = ''
If set, users listed in
<filename>~/.yubico/authorized_yubikeys</filename>
are able to log in with the associated Yubikey tokens.
'';
};
googleAuthenticator = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
If set, users with enabled Google Authenticator (created
<filename>~/.google_authenticator</filename>) will be required
to provide Google Authenticator token to log in.
'';
};
};
usbAuth = mkOption {
default = config.security.pam.usb.enable;
type = types.bool;
description = ''
If set, users listed in
<filename>/etc/pamusb.conf</filename> are able to log in
with the associated USB key.
'';
};
otpwAuth = mkOption {
default = config.security.pam.enableOTPW;
type = types.bool;
description = ''
If set, the OTPW system will be used (if
<filename>~/.otpw</filename> exists).
'';
};
googleOsLoginAccountVerification = mkOption {
default = false;
type = types.bool;
description = ''
If set, will use the Google OS Login PAM modules
(<literal>pam_oslogin_login</literal>,
<literal>pam_oslogin_admin</literal>) to verify possible OS Login
users and set sudoers configuration accordingly.
This only makes sense to enable for the <literal>sshd</literal> PAM
service.
'';
};
googleOsLoginAuthentication = mkOption {
default = false;
type = types.bool;
description = ''
If set, will use the <literal>pam_oslogin_login</literal>'s user
authentication methods to authenticate users using 2FA.
This only makes sense to enable for the <literal>sshd</literal> PAM
service.
'';
};
fprintAuth = mkOption {
default = config.services.fprintd.enable;
type = types.bool;
description = ''
If set, fingerprint reader will be used (if exists and
your fingerprints are enrolled).
'';
};
oathAuth = mkOption {
default = config.security.pam.oath.enable;
type = types.bool;
description = ''
If set, the OATH Toolkit will be used.
'';
};
sshAgentAuth = mkOption {
default = false;
type = types.bool;
description = ''
If set, the calling user's SSH agent is used to authenticate
against the keys in the calling user's
<filename>~/.ssh/authorized_keys</filename>. This is useful
for <command>sudo</command> on password-less remote systems.
'';
};
duoSecurity = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
If set, use the Duo Security pam module
<literal>pam_duo</literal> for authentication. Requires
configuration of <option>security.duosec</option> options.
'';
};
};
startSession = mkOption {
default = false;
type = types.bool;
description = ''
If set, the service will register a new session with
systemd's login manager. For local sessions, this will give
the user access to audio devices, CD-ROM drives. In the
default PolicyKit configuration, it also allows the user to
reboot the system.
'';
};
setEnvironment = mkOption {
type = types.bool;
default = true;
description = ''
Whether the service should set the environment variables
listed in <option>environment.sessionVariables</option>
using <literal>pam_env.so</literal>.
'';
};
setLoginUid = mkOption {
type = types.bool;
description = ''
Set the login uid of the process
(<filename>/proc/self/loginuid</filename>) for auditing
purposes. The login uid is only set by entry points like
<command>login</command> and <command>sshd</command>, not by
commands like <command>sudo</command>.
'';
};
forwardXAuth = mkOption {
default = false;
type = types.bool;
description = ''
Whether X authentication keys should be passed from the
calling user to the target user (e.g. for
<command>su</command>)
'';
};
pamMount = mkOption {
default = config.security.pam.mount.enable;
type = types.bool;
description = ''
Enable PAM mount (pam_mount) system to mount fileystems on user login.
'';
};
allowNullPassword = mkOption {
default = false;
type = types.bool;
description = ''
Whether to allow logging into accounts that have no password
set (i.e., have an empty password field in
<filename>/etc/passwd</filename> or
<filename>/etc/group</filename>). This does not enable
logging into disabled accounts (i.e., that have the password
field set to <literal>!</literal>). Note that regardless of
what the pam_unix documentation says, accounts with hashed
empty passwords are always allowed to log in.
'';
};
nodelay = mkOption {
default = false;
type = types.bool;
description = ''
Wheather the delay after typing a wrong password should be disabled.
'';
};
requireWheel = mkOption {
default = false;
type = types.bool;
description = ''
Whether to permit root access only to members of group wheel.
'';
};
limits = mkOption {
description = ''
Attribute set describing resource limits. Defaults to the
value of <option>security.pam.loginLimits</option>.
'';
};
showMotd = mkOption {
default = false;
type = types.bool;
description = "Whether to show the message of the day.";
};
makeHomeDir = mkOption {
default = false;
type = types.bool;
description = ''
Whether to try to create home directories for users
with <literal>$HOME</literal>s pointing to nonexistent
locations on session login.
'';
};
updateWtmp = mkOption {
default = false;
type = types.bool;
description = "Whether to update <filename>/var/log/wtmp</filename>.";
};
logFailures = mkOption {
default = false;
type = types.bool;
description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>.";
};
enableAppArmor = mkOption {
default = false;
type = types.bool;
description = ''
Enable support for attaching AppArmor profiles at the
user/group level, e.g., as part of a role based access
control scheme.
'';
};
enableKwallet = mkOption {
default = false;
type = types.bool;
description = ''
If enabled, pam_wallet will attempt to automatically unlock the
user's default KDE wallet upon login. If the user has no wallet named
"kdewallet", or the login password does not match their wallet
password, KDE will prompt separately after login.
'';
};
sssdStrictAccess = mkOption {
default = false;
type = types.bool;
description = "enforce sssd access control";
};
enableGnomeKeyring = mkOption {
default = false;
type = types.bool;
description = ''
If enabled, pam_gnome_keyring will attempt to automatically unlock the
user's default Gnome keyring upon login. If the user login password does
not match their keyring password, Gnome Keyring will prompt separately
after login.
'';
};
text = mkOption {
type = types.nullOr types.lines;
description = "Contents of the PAM service file.";
};
};
config = {
name = mkDefault name;
setLoginUid = mkDefault cfg.startSession;
limits = mkDefault config.security.pam.loginLimits;
# !!! TODO: move the LDAP stuff to the LDAP module, and the
# Samba stuff to the Samba module. This requires that the PAM
# module provides the right hooks.
text = mkDefault
(''
# Account management.
account required pam_unix.so
${optionalString use_ldap
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
"account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess)
"account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
${optionalString config.krb5.enable
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
${optionalString cfg.googleOsLoginAccountVerification ''
account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so
''}
# Authentication management.
${optionalString cfg.googleOsLoginAuthentication
"auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"}
${optionalString cfg.rootOK
"auth sufficient pam_rootok.so"}
${optionalString cfg.requireWheel
"auth required pam_wheel.so use_uid"}
${optionalString cfg.logFailures
"auth required pam_tally.so"}
${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
${optionalString cfg.fprintAuth
"auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth
"auth ${p11.control} ${pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"}
${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth
"auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"}"}
${optionalString cfg.usbAuth
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
"auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth
"auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"}
'' +
# Modules in this block require having the password set in PAM_AUTHTOK.
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
# after it succeeds. Certain modules need to run after pam_unix
# prompts the user for password so we run it once with 'required' at an
# earlier point and it will run again with 'sufficient' further down.
# We use try_first_pass the second time to avoid prompting password twice
(optionalString (cfg.unixAuth &&
(config.security.pam.enableEcryptfs
|| cfg.pamMount
|| cfg.enableKwallet
|| cfg.enableGnomeKeyring
|| cfg.googleAuthenticator.enable
|| cfg.duoSecurity.enable)) ''
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
${optionalString config.security.pam.enableEcryptfs
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
${optionalString cfg.pamMount
"auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
${optionalString cfg.enableKwallet
("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
" kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
${optionalString cfg.enableGnomeKeyring
"auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
${optionalString cfg.googleAuthenticator.enable
"auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
${optionalString cfg.duoSecurity.enable
"auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"}
'') + ''
${optionalString cfg.unixAuth
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass"}
${optionalString cfg.otpwAuth
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
${optionalString use_ldap
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
${optionalString config.services.sssd.enable
"auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass"}
${optionalString config.krb5.enable ''
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
''}
auth required pam_deny.so
# Password management.
password sufficient pam_unix.so nullok sha512
${optionalString config.security.pam.enableEcryptfs
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
${optionalString cfg.pamMount
"password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
${optionalString use_ldap
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.services.sssd.enable
"password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok"}
${optionalString config.krb5.enable
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
${optionalString config.services.samba.syncPasswordsByPam
"password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
${optionalString cfg.enableGnomeKeyring
"password optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"}
# Session management.
${optionalString cfg.setEnvironment ''
session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
''}
session required pam_unix.so
${optionalString cfg.setLoginUid
"session ${
if config.boot.isContainer then "optional" else "required"
} pam_loginuid.so"}
${optionalString cfg.makeHomeDir
"session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"}
${optionalString cfg.updateWtmp
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
${optionalString config.security.pam.enableEcryptfs
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
${optionalString use_ldap
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.services.sssd.enable
"session optional ${pkgs.sssd}/lib/security/pam_sss.so"}
${optionalString config.krb5.enable
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
${optionalString cfg.otpwAuth
"session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
${optionalString cfg.startSession
"session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
${optionalString cfg.forwardXAuth
"session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
${optionalString (cfg.limits != [])
"session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"}
${optionalString (cfg.showMotd && config.users.motd != null)
"session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
${optionalString cfg.pamMount
"session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
"session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
${optionalString (cfg.enableKwallet)
("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
" kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
${optionalString (cfg.enableGnomeKeyring)
"session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
${optionalString (config.virtualisation.lxc.lxcfs.enable)
"session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"}
'');
};
};
inherit (pkgs) pam_krb5 pam_ccreds;
use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
# Create a limits.conf(5) file.
makeLimitsConf = limits:
pkgs.writeText "limits.conf"
(concatMapStrings ({ domain, type, item, value }:
"${domain} ${type} ${item} ${toString value}\n")
limits);
motd = pkgs.writeText "motd" config.users.motd;
makePAMService = name: service:
{ name = "pam.d/${name}";
value.source = pkgs.writeText "${name}.pam" service.text;
};
in
{
imports = [
(mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])
];
###### interface
options = {
security.pam.loginLimits = mkOption {
default = [];
example =
[ { domain = "ftp";
type = "hard";
item = "nproc";
value = "0";
}
{ domain = "@student";
type = "-";
item = "maxlogins";
value = "4";
}
];
description =
'' Define resource limits that should apply to users or groups.
Each item in the list should be an attribute set with a
<varname>domain</varname>, <varname>type</varname>,
<varname>item</varname>, and <varname>value</varname>
attribute. The syntax and semantics of these attributes
must be that described in the limits.conf(5) man page.
Note that these limits do not apply to systemd services,
whose limits can be changed via <option>systemd.extraConfig</option>
instead.
'';
};
security.pam.services = mkOption {
default = [];
type = with types; loaOf (submodule pamOpts);
description =
''
This option defines the PAM services. A service typically
corresponds to a program that uses PAM,
e.g. <command>login</command> or <command>passwd</command>.
Each attribute of this set defines a PAM service, with the attribute name
defining the name of the service.
'';
};
security.pam.makeHomeDir.skelDirectory = mkOption {
type = types.str;
default = "/var/empty";
example = "/etc/skel";
description = ''
Path to skeleton directory whose contents are copied to home
directories newly created by <literal>pam_mkhomedir</literal>.
'';
};
security.pam.enableSSHAgentAuth = mkOption {
type = types.bool;
default = false;
description =
''
Enable sudo logins if the user's SSH agent provides a key
present in <filename>~/.ssh/authorized_keys</filename>.
This allows machines to exclusively use SSH keys instead of
passwords.
'';
};
security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
security.pam.p11 = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enables P11 PAM (<literal>pam_p11</literal>) module.
If set, users can log in with SSH keys and PKCS#11 tokens.
More information can be found <link
xlink:href="https://github.com/OpenSC/pam_p11">here</link>.
'';
};
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use the PKCS#11 device instead of the regular password,
use "sufficient".
Read
<citerefentry>
<refentrytitle>pam.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>
for better understanding of this option.
'';
};
};
security.pam.u2f = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enables U2F PAM (<literal>pam-u2f</literal>) module.
If set, users listed in
<filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or
<filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is
not set) are able to log in with the associated U2F key. The path can
be changed using <option>security.pam.u2f.authFile</option> option.
File format is:
<literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal>
This file can be generated using <command>pamu2fcfg</command> command.
More information can be found <link
xlink:href="https://developers.yubico.com/pam-u2f/">here</link>.
'';
};
authFile = mkOption {
default = null;
type = with types; nullOr path;
description = ''
By default <literal>pam-u2f</literal> module reads the keys from
<filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or
<filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is
not set).
If you want to change auth file locations or centralize database (for
example use <filename>/etc/u2f-mappings</filename>) you can set this
option.
File format is:
<literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal>
This file can be generated using <command>pamu2fcfg</command> command.
More information can be found <link
xlink:href="https://developers.yubico.com/pam-u2f/">here</link>.
'';
};
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use U2F device instead of regular password, use "sufficient".
Read
<citerefentry>
<refentrytitle>pam.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>
for better understanding of this option.
'';
};
debug = mkOption {
default = false;
type = types.bool;
description = ''
Debug output to stderr.
'';
};
interactive = mkOption {
default = false;
type = types.bool;
description = ''
Set to prompt a message and wait before testing the presence of a U2F device.
Recommended if your device doesnt have a tactile trigger.
'';
};
cue = mkOption {
default = false;
type = types.bool;
description = ''
By default <literal>pam-u2f</literal> module does not inform user
that he needs to use the u2f device, it just waits without a prompt.
If you set this option to <literal>true</literal>,
<literal>cue</literal> option is added to <literal>pam-u2f</literal>
module and reminder message will be displayed.
'';
};
};
security.pam.yubico = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
Enables Yubico PAM (<literal>yubico-pam</literal>) module.
If set, users listed in
<filename>~/.yubico/authorized_yubikeys</filename>
are able to log in with the associated Yubikey tokens.
The file must have only one line:
<literal>username:yubikey_token_id1:yubikey_token_id2</literal>
More information can be found <link
xlink:href="https://developers.yubico.com/yubico-pam/">here</link>.
'';
};
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use Yubikey instead of regular password, use "sufficient".
Read
<citerefentry>
<refentrytitle>pam.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>
for better understanding of this option.
'';
};
id = mkOption {
example = "42";
type = types.str;
description = "client id";
};
debug = mkOption {
default = false;
type = types.bool;
description = ''
Debug output to stderr.
'';
};
mode = mkOption {
default = "client";
type = types.enum [ "client" "challenge-response" ];
description = ''
Mode of operation.
Use "client" for online validation with a YubiKey validation service such as
the YubiCloud.
Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1
Challenge-Response configurations. See the man-page ykpamcfg(1) for further
details on how to configure offline Challenge-Response validation.
More information can be found <link
xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>.
'';
};
};
security.pam.enableEcryptfs = mkEnableOption "eCryptfs PAM module (mounting ecryptfs home directory on login)";
users.motd = mkOption {
default = null;
example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178.";
type = types.nullOr types.lines;
description = "Message of the day shown to users when they log in.";
};
};
###### implementation
config = {
environment.systemPackages =
# Include the PAM modules in the system path mostly for the manpages.
[ pkgs.pam ]
++ optional config.users.ldap.enable pam_ldap
++ optional config.services.sssd.enable pkgs.sssd
++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
++ optionals config.security.pam.p11.enable [ pam_p11 ]
++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ];
boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ];
security.wrappers = {
unix_chkpwd = {
source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
owner = "root";
setuid = true;
};
};
environment.etc = mapAttrs' makePAMService config.security.pam.services;
security.pam.services =
{ other.text =
''
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so
'';
# Most of these should be moved to specific modules.
i3lock = {};
i3lock-color = {};
vlock = {};
xlock = {};
xscreensaver = {};
runuser = { rootOK = true; unixAuth = false; setEnvironment = false; };
/* FIXME: should runuser -l start a systemd session? Currently
it complains "Cannot create session: Already running in a
session". */
runuser-l = { rootOK = true; unixAuth = false; };
};
};
}


@ -1,23 +0,0 @@
{ stdenv, fetchFromGitHub, autoreconfHook, pkg-config, openssl, libp11, pam }:
stdenv.mkDerivation rec {
pname = "pam_p11";
version = "0.3.1";
src = fetchFromGitHub {
owner = "OpenSC";
repo = "pam_p11";
rev = "pam_p11-${version}";
sha256 = "1caidy18rq5zk82d51x8vwidmkhwmanf3qm25x1yrdlbhxv6m7lk";
};
patchPhase =
''
substituteInPlace src/match_openssh.c --replace \
'"%s/.ssh/authorized_keys", pw->pw_dir)' \
'"/etc/ssh/authorized_keys.d/%s", pw->pw_name)'
'';
nativeBuildInputs = [ autoreconfHook pkg-config ];
buildInputs = [ pam openssl libp11 ];
}


@ -0,0 +1,50 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/348c924c-1d86-44ff-84af-2594f414e7d0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/1BDC-44BB";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/opt" =
{ device = "/dev/disk/by-uuid/cf0f51b6-7b95-4c74-9390-37dc4c86f32b";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "23.11";
}


@ -1,32 +1,23 @@
{ host, rpi4 }:
{ host, rpi4, experimental-users ? false }:
{ config, pkgs, ... }:
let
m-labs = import (fetchTarball https://nixbld.m-labs.hk/channel/custom/artiq/full/artiq-full/nixexprs.tar.xz) { inherit pkgs; };
artiq = builtins.getFlake git+https://github.com/m-labs/artiq.git;
in
{
deployment.targetHost = host;
deployment.hasFastConnection = true;
nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
programs.command-not-found.dbPath = "${pkgs.path}/programs.sqlite";
nixpkgs.system = "aarch64-linux";
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208
boot.initrd.includeDefaultModules = false;
boot.kernel.sysctl."kernel.dmesg_restrict" = false;
boot.loader.generic-extlinux-compatible.enable = !rpi4;
boot.loader.raspberryPi = pkgs.lib.mkIf rpi4 {
enable = true;
version = 4;
};
boot.kernelPackages = pkgs.lib.mkIf rpi4 pkgs.linuxPackages_latest;
fileSystems = if rpi4 then {
"/boot" = {
device = "/dev/disk/by-label/FIRMWARE";
fsType = "vfat";
};
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
} else {
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
@ -34,30 +25,51 @@ in
};
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
services.openssh.authorizedKeysInHomedir = false;
services.openssh.settings.PasswordAuthentication = false;
services.openssh.settings.GatewayPorts = "clientspecified";
services.openssh.extraConfig =
''
StreamLocalBindUnlink yes
'';
programs.mosh.enable = true;
networking.hostName = host;
time.timeZone = "Asia/Hong_Kong";
users.extraGroups.plugdev = { };
users.mutableUsers = false;
users.defaultUserShell = pkgs.fish;
users.extraUsers = (import ./common-users.nix { inherit pkgs; }) // {
nix = {
nixbld = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJGICdNM9mHHAa1Cxk9Wz3YLkIEeqrIQGxM0aoy1g5O"
];
};
};
security.sudo.wheelNeedsPassword = false;
services.udev.packages = [ m-labs.openocd ];
services.udev.packages = [ artiq.packages.aarch64-linux.openocd-bscanspi ];
services.udev.extraRules = (import ./extra-udev.nix);
documentation.enable = false;
environment.systemPackages = with pkgs; [
psmisc wget vim git usbutils lm_sensors file telnet mosh tmux xc3sprog m-labs.openocd screen gdb minicom picocom
psmisc wget vim git sshfs usbutils uhubctl lm_sensors file mosh tmux
artiq.packages.aarch64-linux.openocd-bscanspi
xc3sprog
screen gdb minicom picocom
];
programs.zsh.enable = true;
programs.fish.enable = true;
programs.wireshark.enable = true;
nix.binaryCachePublicKeys = ["nixbld.m-labs.hk-1:5aSRVA5b320xbNvu30tqxVPXpld73bhtOeH6uAjRyHc="];
nix.binaryCaches = ["https://cache.nixos.org" "https://nixbld.m-labs.hk"];
nix.trustedUsers = ["root" "nix"];
nix.settings.trusted-public-keys = ["nixbld.m-labs.hk-1:5aSRVA5b320xbNvu30tqxVPXpld73bhtOeH6uAjRyHc="];
nix.settings.substituters = ["https://nixbld.m-labs.hk?priority=10"];
nix.settings.trusted-users = ["root" "sb"];
nix.extraOptions = ''
experimental-features = nix-command flakes impure-derivations
'';
}
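Review bot: `artiq = builtins.getFlake git+https://github.com/m-labs/artiq.git;` in the `let` block carries no `rev`, so each evaluation takes whatever the repository's default branch holds at that moment. That flake then supplies both `services.udev.packages` and an entry in `environment.systemPackages` on this host. Pinning the reference, for example `artiq = builtins.getFlake "git+https://github.com/m-labs/artiq.git?rev=<REVIEWED_COMMIT_SHA>";` (placeholder value), keeps deployments reproducible and means an upstream push reaches these machines only through a reviewed change here. The rendered page has lost its +/- markers, so I am assuming the `artiq` line is on the new side because the later `artiq.packages.aarch64-linux.openocd-bscanspi` references depend on it.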


@ -0,0 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/51d521ec-4807-4b71-8a89-116b89f72d2e";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/877D-AF6A";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
system.stateVersion = "24.05";
}


@ -0,0 +1,41 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/67168ae0-6448-4b40-b278-406290224b4f";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/8F4B-AD84";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "23.05";
}


@ -1,6 +1,3 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, ... }:
{
@ -21,13 +18,18 @@
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/91B4-E546";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 16;
nix.settings.max-jobs = lib.mkDefault 16;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.intel.updateMicrocode = true;
system.stateVersion = "19.03";
}
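Review bot: `options = [ "fmask=0022" "dmask=0022" ];` on `fileSystems."/boot"` leaves every file on the ESP world-readable, and this host boots with systemd-boot, which keeps its random seed under that mount; bootctl reports a world-accessible seed file as a security hole. If nothing needs unprivileged reads of /boot, `options = [ "fmask=0077" "dmask=0077" ];` is the tighter setting. The generated-file banner no longer heads this file, so a short comment on the chosen masks would record that the value is deliberate. The hunk starts inside the module body, and since the rendered page has lost its +/- markers I am assuming the `options` line is on the new side.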

49
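--- a/remote-ipsec.txt
+++ b/remote-ipsec.txt
@@ -0,0 +1,49 @@
+connections {
+bypass-ipsec {
+remote_addrs = 127.0.0.1
+children {
+bypass-isakmp-v4 {
+local_ts = 0.0.0.0/0[udp/isakmp]
+remote_ts = 0.0.0.0/0[udp/isakmp]
+mode = pass
+start_action = trap
+}
+bypass-isakmp-v6 {
+local_ts = ::/0[udp/isakmp]
+remote_ts = ::/0[udp/isakmp]
+mode = pass
+start_action = trap
+}
+}
+}
+m_labs {
+version = 2
+encap = no
+mobike = no
+send_certreq = no
+proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
+local_addrs = 103.206.98.1
+remote_addrs = 94.190.212.123
+local {
+auth = pubkey
+id = fqdn:igw0.hkg.as150788.net
+pubkeys = igw0.hkg.as150788.net
+}
+remote {
+auth = pubkey
+id = fqdn:m-labs.hk
+pubkeys = m-labs.hk
+}
+children {
+con1 {
+mode = transport
+ah_proposals = sha256-curve25519,sha256-ecp256
+esp_proposals =
+local_ts = 103.206.98.1[gre]
+remote_ts = 94.190.212.123[gre]
+start_action = none
+close_action = none
+}
+}
+}
+}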
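Review bot: `con1` sets `ah_proposals` and leaves `esp_proposals =` empty, so the child SA covers the GRE traffic between 103.206.98.1 and 94.190.212.123 with AH only: the packets are authenticated but not encrypted. If that is intended, for instance because everything carried inside the tunnel is already public or brings its own encryption, record it next to the setting with a comment such as `# AH only by design: GRE payload is integrity-protected but sent in clear`. Otherwise, replacing the AH proposal with an AEAD ESP proposal in line with the IKE `proposals` would add confidentiality to the tunnel.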

BIN
vlan-settings-1.png Normal file

Binary file not shown.


Width:  |  Height:  |  Size: 142 KiB

BIN
vlan-settings-2.png Normal file

Binary file not shown.


Width:  |  Height:  |  Size: 143 KiB

BIN
vlan-settings-3.png Normal file

Binary file not shown.


Width:  |  Height:  |  Size: 56 KiB