it-infra/nixbld-etc-nixos/configuration.nix

1125 lines
38 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let
netifWan = "enp4s0";
netifLan = "enp5s0f1";
netifWifi = "wlp6s0";
netifSit = "henet0";
hydraWwwOutputs = "/var/www/hydra-outputs";
in
{
imports =
[
./hardware-configuration.nix
./backup-module.nix
./github-backup-module.nix
./afws-module.nix
./rt.nix
(builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/008d78cc21959e33d0d31f375b88353a7d7121ae/nixos-mailserver-nixos.tar.gz";
sha256 = "sha256:0pnfyg4icsvrw390a227m8b1j5w8awicx5aza3d0fiyyzpnrpn5a";
})
];
boot.loader.grub.enable = true;
boot.loader.grub.copyKernels = true;
boot.loader.grub.device = "nodev";
boot.loader.grub.efiSupport = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.amd.updateMicrocode = true;
boot.supportedFilesystems = ["zfs"];
boot.kernelParams = ["zfs.l2arc_write_max=536870912"];
boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];
services.zfs.autoScrub.enable = true;
services.zfs.autoScrub.interval = "monthly";
services.zfs.autoSnapshot.enable = true;
systemd.suppressedSystemUnits = [
"hibernate.target"
"suspend.target"
"suspend-then-hibernate.target"
"sleep.target"
"hybrid-sleep.target"
"systemd-hibernate.service"
"systemd-hybrid-sleep.service"
"systemd-suspend.service"
"systemd-suspend-then-hibernate.service"
];
services.fail2ban.enable = true;
services.fail2ban.ignoreIP = [ "94.190.212.123" "2001:470:18:390::2" ];
services.fail2ban.maxretry = 9;
services.fail2ban.bantime-increment.enable = true;
services.fail2ban.jails.sshd = {
settings = {
filter = "sshd";
action = "iptables-allports";
};
};
services.fail2ban.jails.nginx-botsearch = {
settings = {
filter = "nginx-botsearch";
action = "iptables-allports";
};
};
services.fail2ban.jails.nginx-limit-req = {
settings = {
filter = "nginx-limit-req";
action = "iptables-allports";
};
};
services.fail2ban.jails.postfix = {
settings = {
filter = "postfix";
action = "iptables-allports";
};
};
services.fail2ban.jails.dovecot = {
settings = {
filter = "dovecot";
action = "iptables-allports";
};
};
networking = {
hostName = "nixbld";
hostId = "e423f012";
firewall = {
allowedTCPPorts = [ 53 80 443 7402 ];
allowedUDPPorts = [ 53 67 500 4500 ];
trustedInterfaces = [ netifLan ];
};
interfaces."${netifWan}".useDHCP = true;
interfaces."${netifLan}" = {
ipv4.addresses = [{
address = "192.168.1.1";
prefixLength = 24;
}];
ipv6.addresses = [{
address = "2001:470:f891:1::";
prefixLength = 64;
}];
# https://unix.stackexchange.com/questions/423502/iproute2-inherit-or-copy-table
# we just copy what matters here. Ugly but easier.
ipv4.routes = [
{
address = "192.168.1.0";
prefixLength = 24;
options.table = "1";
}
];
};
interfaces."${netifWifi}" = {
ipv4.addresses = [{
address = "192.168.12.1";
prefixLength = 24;
}];
ipv6.addresses = [{
address = "2001:470:f891:2::";
prefixLength = 64;
}];
};
nat = {
enable = true;
externalInterface = netifWan;
internalInterfaces = [ netifLan netifWifi ];
forwardPorts = [
{ sourcePort = 2201; destination = "192.168.1.201:22"; proto = "tcp"; }
{ sourcePort = 2202; destination = "192.168.1.202:22"; proto = "tcp"; }
{ sourcePort = 2203; destination = "192.168.1.203:22"; proto = "tcp"; }
{ sourcePort = 2204; destination = "192.168.1.204:22"; proto = "tcp"; }
];
extraCommands = ''
iptables -w -N block-lan-from-wifi
iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
iptables -w -A FORWARD -j block-lan-from-wifi
iptables -w -N block-insecure-devices
iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope
iptables -w -A block-insecure-devices -m mac --mac-source 00:0a:35:00:01:23 -j DROP # function generator
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:21:f1:ee -j DROP # siglent scope #2
iptables -w -A block-insecure-devices -m mac --mac-source 00:19:af:5b:dd:58 -j DROP # power supply
iptables -w -A block-insecure-devices -m mac --mac-source 28:58:be:dc:66:1f -j DROP # hikvision low-cost 780nm laser viewer
iptables -w -A block-insecure-devices -m mac --mac-source bc:99:11:a4:d2:ac -j DROP # zyxel cloud switch
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
iptables -w -A FORWARD -j block-insecure-devices
'';
extraStopCommands = ''
iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
iptables -w -F block-lan-from-wifi 2>/dev/null|| true
iptables -w -X block-lan-from-wifi 2>/dev/null|| true
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
iptables -w -F block-insecure-devices 2>/dev/null|| true
iptables -w -X block-insecure-devices 2>/dev/null|| true
'';
};
sits."${netifSit}" = {
dev = netifWan;
remote = "216.218.221.6";
local = "94.190.212.123";
ttl = 255;
};
interfaces."${netifSit}".ipv6 = {
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
routes = [{ address = "::"; prefixLength = 0; }];
};
greTunnels.alt0 = {
dev = netifWan;
remote = "103.206.98.1";
local = "94.190.212.123";
ttl = 255;
type = "tun";
};
interfaces.alt0 = {
ipv4.addresses = [
{
address = "103.206.98.227";
prefixLength = 31;
}
];
ipv4.routes = [
{
address = "0.0.0.0";
prefixLength = 0;
via = "103.206.98.226";
options.table = "1";
}
];
};
vlans = {
vlan0 = {
id = 2;
interface = netifLan;
};
};
interfaces.vlan0 = {
ipv4.addresses = [{
address = "103.206.98.200";
prefixLength = 29;
}];
ipv4.routes = [
{
address = "103.206.98.200";
prefixLength = 29;
options.table = "1";
}
];
};
};
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1";
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
services.strongswan-swanctl.enable = true;
services.strongswan-swanctl.swanctl.connections.altnet = {
local_addrs = [ "94.190.212.123" ];
remote_addrs = [ "103.206.98.1" ];
local.main = {
auth = "pubkey";
id = "fqdn:m-labs.hk";
pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
};
remote.main = {
auth = "pubkey";
id = "fqdn:igw0.hkg.as150788.net";
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
};
children.alt0 = {
mode = "transport";
ah_proposals = [ "sha256-curve25519" ];
remote_ts = [ "103.206.98.1[gre]" ];
local_ts = [ "94.190.212.123[gre]" ];
start_action = "start";
};
};
systemd.services.custom-network-setup = {
wantedBy = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.0/24 table 1";
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
};
};
# https://kb.isc.org/docs/dnssec-key-and-signing-policy
# chown named.named /etc/nixos/named
services.bind = {
enable = true;
listenOn = [ "94.190.212.123" ];
listenOnIpv6 = [ "2001:470:18:390::2" ];
forwarders = [];
extraOptions = "listen-on-v6 port 5354 { ::1; };";
cacheNetworks = [ "::1/128" ];
directory = "/etc/nixos/named";
zones = {
"m-labs.hk" = {
name = "m-labs.hk";
master = true;
file = "/etc/nixos/named/m-labs.hk";
extraConfig =
''
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {
213.239.220.50; # ns1.qnetp.net
216.218.130.2; # ns1.he.net
};
'';
slaves = [
"213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
];
};
"m-labs.ph" = {
name = "m-labs.ph";
master = true;
file = "/etc/nixos/named/m-labs.ph";
extraConfig =
''
notify explicit;
also-notify {
216.218.130.2; # ns1.he.net
};
'';
slaves = [
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
];
};
"193thz.com" = {
name = "193thz.com";
master = true;
file = "/etc/nixos/named/193thz.com";
extraConfig =
''
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {
216.218.130.2; # ns1.he.net
};
'';
slaves = [
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
];
};
"malloctech.fr" = {
name = "malloctech.fr";
master = true;
file = "/etc/nixos/named/malloctech.fr";
extraConfig =
''
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {
216.218.130.2; # ns1.he.net
};
'';
slaves = [
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
];
};
"200-29.98.206.103.in-addr.arpa" = {
name = "200-29.98.206.103.in-addr.arpa";
master = true;
file = "/etc/nixos/named/200-29.98.206.103.in-addr.arpa";
extraConfig =
''
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {
216.218.130.2; # ns1.he.net
};
'';
slaves = [
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
];
};
};
extraConfig = ''
zone "mil." IN {
type forward;
forward only;
forwarders { 74.82.42.42; };
};
'';
};
services.hostapd = {
enable = true;
radios.${netifWifi} = {
band = "2g";
countryCode = "HK";
networks.${netifWifi} = {
ssid = "M-Labs";
authentication.saePasswords = [
{ password = (import /etc/nixos/secret/wifi_password.nix); }
];
};
};
};
services.dnsmasq = {
enable = true;
settings = {
server = ["::1#5354"];
interface = [ netifLan netifWifi ];
bind-interfaces = true;
dhcp-range = [
"interface:${netifLan},192.168.1.81,192.168.1.254,24h"
"interface:${netifWifi},192.168.12.10,192.168.12.254,24h"
"interface:${netifLan},::,constructor:${netifLan},ra-names"
"interface:${netifWifi},::,constructor:${netifWifi},ra-only"
];
enable-ra = true;
no-resolv = true;
dhcp-host = [
# Static IPv4s to make Red Pitayas with factory firmware less annoying
"rp-f05cc9,192.168.1.190"
"rp-f0612e,192.168.1.191"
# Static IPv4s to make port redirections work
"rpi-1,192.168.1.201"
"rpi-2,192.168.1.202"
"rpi-3,192.168.1.203"
"rpi-4,192.168.1.204"
];
address = [
# Static IP addresses for non-DHCP boards
"/thermostat/192.168.1.26"
"/powercycler/192.168.1.31"
"/kc705/192.168.1.50"
"/zynq-experiments/192.168.1.51"
"/zc706/192.168.1.52"
"/zc706-2/192.168.1.53"
"/cora-z7/192.168.1.54"
"/rust-pitaya/192.168.1.55"
"/kasli/192.168.1.70"
"/kasli-customer/192.168.1.75"
"/stabilizer-customer/192.168.1.76"
# Google can't do DNS geolocation correctly and slows down websites of everyone using
# their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
# cannot reach.
"/fonts.googleapis.com/142.250.207.74"
];
dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
dhcp-boot = [
"tag:!ipxe,ipxe.efi"
"tag:ipxe,http://m-labs.hk/nuc-netboot/netboot.ipxe"
];
enable-tftp = netifLan;
tftp-root = "${pkgs.ipxe}";
};
};
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "de";
};
# Set your time zone.
time.timeZone = "Asia/Hong_Kong";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim git file lm_sensors acpi pciutils psmisc nixopsUnstable
irssi tmux usbutils imagemagick jq zip unzip
iw
nvme-cli
borgbackup
bind
waypipe
(callPackage ./afws { inherit pkgs; })
(callPackage ./labelprinter { inherit pkgs; })
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# List services that you want to enable:
services.apcupsd.enable = true;
services.apcupsd.configText = ''
UPSTYPE usb
NISIP 127.0.0.1
BATTERYLEVEL 10
MINUTES 5
'';
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
services.openssh.settings.GatewayPorts = "clientspecified";
programs.mosh.enable = true;
programs.fish.enable = true;
programs.zsh.enable = true;
# Enable CUPS to print documents.
services.avahi.enable = true;
services.avahi.allowInterfaces = [ netifLan ];
services.avahi.publish.enable = true;
services.avahi.publish.userServices = true;
nixpkgs.config.allowUnfree = true;
services.printing.enable = true;
services.printing.drivers = [ pkgs.hplipWithPlugin ];
services.printing.browsing = true;
services.printing.listenAddresses = [ "*:631" ];
services.printing.defaultShared = true;
hardware.sane.enable = true;
hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
services.saned.enable = true;
services.saned.extraConfig = "192.168.1.0/24";
services.udev.extraRules =
''
# label printer
SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
'';
users.extraUsers.root = {
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
];
shell = pkgs.fish;
};
# https://github.com/NixOS/nixpkgs/issues/155357
security.sudo.enable = true;
users.extraUsers.sb = {
isNormalUser = true;
extraGroups = ["lp" "scanner" "afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
];
shell = pkgs.fish;
};
users.extraUsers.rj = {
isNormalUser = true;
extraGroups = ["afws"];
};
users.extraUsers.nkrackow = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
];
};
users.extraUsers.occheung = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPEvmWmxpFpMgp5fpjKud8ev0cyf/+X5fEpQt/YD/+u4mbvZYPE300DLqQ0h/qjgvaGMz1ndf4idYnRdy+plJEC/+hmlRW5NlcpAr3S/LYAisacgKToFVl+MlBo+emS9Ig=="
];
};
users.extraUsers.spaqin = {
isNormalUser = true;
extraGroups = ["lp" "scanner" "afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ=="
];
shell = pkgs.zsh;
};
users.extraUsers.esavkin = {
isNormalUser = true;
extraGroups = ["lp" "afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
];
};
users.extraUsers.morgan = {
isNormalUser = true;
extraGroups = ["lp"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
];
};
users.extraUsers.derppening = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
];
};
users.extraUsers.dpn = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGChLocYJi8XcSJkIjT2Olm3jPGjtRq5aORa5G9F3OqmjCfvav9Q5+2Mc64XqHtNTffnJuDe4gv+lVJatC0URvPs2HyxXmxRK0jgkkLSUsV2SYLlgMqHW3jsrdh6wKBmkg=="
];
};
users.extraUsers.nix = {
isNormalUser = true;
};
boot.kernel.sysctl."kernel.dmesg_restrict" = true;
services.udev.packages = [ pkgs.sane-backends ];
nix.settings.max-jobs = 4;
nix.settings.cores = 8;
nix.nrBuildUsers = 64;
services.hydra = {
enable = true;
hydraURL = "https://nixbld.m-labs.hk";
notificationSender = "hydra@m-labs.hk";
minimumDiskFree = 15; # in GB
minimumDiskFreeEvaluator = 1;
extraConfig =
''
binary_cache_secret_key_file = /etc/nixos/secret/nixbld.m-labs.hk-1
max_output_size = 10000000000
<runcommand>
job = web:web:web
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
</runcommand>
<runcommand>
job = web:web:nmigen-docs
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
</runcommand>
<runcommand>
job = artiq:sipyco:sipyco-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/sipyco-manual-html
</runcommand>
<runcommand>
job = artiq:sipyco:sipyco-manual-pdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/sipyco-manual-pdf
</runcommand>
<runcommand>
job = artiq:main-beta:artiq-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-beta
</runcommand>
<runcommand>
job = artiq:main-beta:artiq-manual-pdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf-beta
</runcommand>
<runcommand>
job = artiq:extra-beta:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-beta
</runcommand>
<runcommand>
job = artiq:main:artiq-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html
</runcommand>
<runcommand>
job = artiq:main:artiq-manual-pdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf
</runcommand>
<runcommand>
job = artiq:extra:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel
</runcommand>
<runcommand>
job = artiq:full-legacy:artiq-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-legacy
</runcommand>
<runcommand>
job = artiq:full-legacy:artiq-manual-latexpdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-latexpdf-legacy
</runcommand>
<runcommand>
job = artiq:full-legacy:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-legacy
</runcommand>
<runcommand>
job = artiq:*:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-archives/$(jq -r '.build' < $HYDRA_JSON)
</runcommand>
<runcommand>
job = artiq:extra-beta:msys2-repos
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-beta
</runcommand>
<runcommand>
job = artiq:main-nac3:msys2-repos
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-nac3
</runcommand>
<githubstatus>
jobs = artiq:fast.*:extended-tests
inputs = artiqSrc
useShortContext = 1
authorization = token ${(import /etc/nixos/secret/github_tokens.nix).artiq}
</githubstatus>
<gitea_authorization>
sb=${(import /etc/nixos/secret/gitea_tokens.nix).artiq-zynq}
</gitea_authorization>
'';
};
systemd.services.hydra-www-outputs-init = {
description = "Set up a hydra-owned directory for build outputs";
wantedBy = [ "multi-user.target" ];
requiredBy = [ "hydra-queue-runner.service" ];
before = [ "hydra-queue-runner.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = [
"${pkgs.coreutils}/bin/mkdir -p ${hydraWwwOutputs} ${hydraWwwOutputs}/artiq-conda-channel-archives"
"${pkgs.coreutils}/bin/chown hydra-queue-runner:hydra ${hydraWwwOutputs} ${hydraWwwOutputs}/artiq-conda-channel-archives"
];
};
};
services.afws.enable = true;
nix.extraOptions = ''
secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
experimental-features = nix-command flakes
'';
nix.settings.extra-sandbox-paths = ["/opt"];
nix.settings.substituters = pkgs.lib.mkForce [];
services.mlabs-backup.enable = true;
services.ghbackup.enable = true;
services.gitea = {
enable = true;
appName = "M-Labs Git";
mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
settings = {
server = {
ROOT_URL = "https://git.m-labs.hk/";
HTTP_PORT = 3001;
};
indexer = {
REPO_INDEXER_ENABLED = true;
};
mailer = {
ENABLED = true;
HOST = "mail.m-labs.hk:587";
FROM = "sysop@m-labs.hk";
USER = "sysop@m-labs.hk";
};
service = {
ENABLE_NOTIFY_MAIL = true;
DISABLE_REGISTRATION = true;
};
attachment = {
ALLOWED_TYPES = "*/*";
};
log.LEVEL = "Warn";
session.COOKIE_SECURE = true;
};
};
systemd.tmpfiles.rules = [
"L+ '${config.services.gitea.stateDir}/custom/templates/home.tmpl' - - - - ${./gitea-home.tmpl}"
"L+ '${config.services.gitea.stateDir}/custom/templates/user/auth/signin.tmpl' - - - - ${./gitea-signin.tmpl}"
];
services.mattermost = {
enable = true;
siteUrl = "https://chat.m-labs.hk/";
mutableConfig = true;
};
services.postgresql.package = pkgs.postgresql_12;
services.matterbridge = {
enable = true;
configPath = "/etc/nixos/secret/matterbridge.toml";
};
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
nix = super.nix.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
});
hydra_unstable = super.hydra_unstable.overrideAttrs(oa: {
patches = oa.patches or [] ++ [
./hydra-conda.patch
./hydra-msys2.patch
./hydra-restrictdist.patch
./hydra-hack-allowed-uris.patch # work around https://github.com/NixOS/nix/issues/5039
];
hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
});
matterbridge = super.matterbridge.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ];
});
};
security.acme.acceptTerms = true;
security.acme.defaults.email = "sb" + "@m-labs.hk";
# https://github.com/NixOS/nixpkgs/issues/106862
systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
systemd.services."acme-fixperms".after = [ "bind.service" "dnsmasq.service" ];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
virtualHosts = let
mainWebsite = {
addSSL = true;
enableACME = true;
root = "${hydraWwwOutputs}/web";
extraConfig = ''
error_page 404 /404.html;
'';
locations."^~ /fonts/".extraConfig = ''
expires 60d;
'';
locations."^~ /js/".extraConfig = ''
expires 60d;
'';
locations."/MathJax/" = {
alias = "/var/www/MathJax/";
extraConfig = ''
expires 60d;
'';
};
locations."/nuc-netboot/".alias = "${import ./defenestrate}/";
# legacy URLs, redirect to avoid breaking people's bookmarks
locations."/gateware.html".extraConfig = ''
return 301 /gateware/migen/;
'';
locations."/migen".extraConfig = ''
return 301 /gateware/migen/;
'';
locations."/artiq".extraConfig = ''
return 301 /experiment-control/artiq/;
'';
locations."/artiq/resources.html".extraConfig = ''
return 301 /experiment-control/resources/;
'';
# autogenerated manuals
locations."/artiq/sipyco-manual/" = {
alias = "${hydraWwwOutputs}/sipyco-manual-html/";
};
locations."=/artiq/sipyco-manual.pdf" = {
alias = "${hydraWwwOutputs}/sipyco-manual-pdf/SiPyCo.pdf";
};
locations."/artiq/manual-beta/" = {
alias = "${hydraWwwOutputs}/artiq-manual-html-beta/";
};
locations."=/artiq/manual-beta.pdf" = {
alias = "${hydraWwwOutputs}/artiq-manual-pdf-beta/ARTIQ.pdf";
};
locations."/artiq/manual/" = {
alias = "${hydraWwwOutputs}/artiq-manual-html/";
};
locations."=/artiq/manual.pdf" = {
alias = "${hydraWwwOutputs}/artiq-manual-pdf/ARTIQ.pdf";
};
locations."/artiq/manual-legacy/" = {
alias = "${hydraWwwOutputs}/artiq-manual-html-legacy/share/doc/artiq-manual/html/";
};
locations."=/artiq/manual-legacy.pdf" = {
alias = "${hydraWwwOutputs}/artiq-manual-latexpdf-legacy/share/doc/artiq-manual/ARTIQ.pdf";
};
# legacy content
locations."/migen/manual/" = {
alias = "/var/www/m-labs.hk.old/migen/manual/";
};
locations."/artiq/manual-release-4/" = {
alias = "/var/www/m-labs.hk.old/artiq/manual-release-4/";
};
locations."/artiq/manual-release-3/" = {
alias = "/var/www/m-labs.hk.old/artiq/manual-release-3/";
};
locations."/artiq/manual-release-2/" = {
alias = "/var/www/m-labs.hk.old/artiq/manual-release-2/";
};
};
in {
"m-labs.hk" = mainWebsite;
"www.m-labs.hk" = mainWebsite;
"m-labs.ph" = mainWebsite;
"www.m-labs.ph" = mainWebsite;
"nixbld.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:3000";
};
"msys2.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/artiq-beta/" = {
alias = "${hydraWwwOutputs}/artiq-msys2-repos-beta/";
extraConfig = ''
autoindex on;
'';
};
locations."/artiq-nac3/" = {
alias = "${hydraWwwOutputs}/artiq-msys2-repos-nac3/";
extraConfig = ''
autoindex on;
'';
};
};
"conda.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/artiq-beta/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel-beta/";
extraConfig = ''
autoindex on;
index bogus_index_file;
'';
};
locations."/artiq/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel/";
extraConfig = ''
autoindex on;
index bogus_index_file;
'';
};
locations."/artiq-legacy/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel-legacy/";
extraConfig = ''
autoindex on;
index bogus_index_file;
'';
};
locations."/artiq-archives/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel-archives/";
extraConfig = ''
autoindex on;
index bogus_index_file;
'';
};
};
"afws.m-labs.hk" = {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:3771";
proxyWebsockets = true;
extraConfig =
''
proxy_read_timeout 2h;
'';
};
};
"git.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:3001";
extraConfig = ''
client_max_body_size 300M;
'';
};
"chat.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:8065";
locations."~ /api/v[0-9]+/(users/)?websocket$".proxyPass = "http://127.0.0.1:8065";
locations."~ /api/v[0-9]+/(users/)?websocket$".proxyWebsockets = true;
};
"hooks.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/mattermost-github".extraConfig = ''
include ${pkgs.nginx}/conf/uwsgi_params;
uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-mgi.sock;
'';
locations."/rfq".extraConfig = ''
include ${pkgs.nginx}/conf/uwsgi_params;
uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-rfq.sock;
'';
};
"forum.m-labs.hk" = {
forceSSL = true;
enableACME = true;
root = "/var/www/flarum/public";
locations."~ \.php$".extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
fastcgi_index index.php;
'';
extraConfig = ''
index index.php;
include /var/www/flarum/.nginx.conf;
'';
};
"perso.m-labs.hk" = {
addSSL = true;
enableACME = true;
root = "/var/www/perso";
};
"rt.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:4201";
extraConfig = ''
client_max_body_size 100M;
'';
};
locations."/REST/1.0/NoAuth" = {
proxyPass = "http://127.0.0.1:4201";
extraConfig = ''
client_max_body_size 100M;
allow 127.0.0.1;
deny all;
'';
};
};
"files.m-labs.hk" = {
forceSSL = true;
enableACME = true;
};
"docs.m-labs.hk" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:9825";
locations."/socket.io/".proxyPass = "http://localhost:9825";
locations."/socket.io/".proxyWebsockets = true;
};
"193thz.com" = {
addSSL = true;
enableACME = true;
root = "/var/www/193thz";
};
"www.193thz.com" = {
addSSL = true;
enableACME = true;
root = "/var/www/193thz";
};
"nmigen.net" = {
addSSL = true;
enableACME = true;
root = "${hydraWwwOutputs}/nmigen-docs";
};
"www.nmigen.net" = {
addSSL = true;
enableACME = true;
root = "${hydraWwwOutputs}/nmigen-docs";
};
};
};
services.uwsgi = {
enable = true;
plugins = [ "python3" ];
instance = {
type = "emperor";
vassals = {
mattermostgithub = import ./mattermost-github-integration/uwsgi-config.nix { inherit config pkgs; };
rfq = import ./rfq/uwsgi-config.nix { inherit config pkgs; };
};
};
};
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
services.phpfpm.pools.flarum = {
user = "nobody";
settings = {
"listen.owner" = "nginx";
"listen.group" = "nginx";
"listen.mode" = "0600";
"pm" = "dynamic";
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
};
};
services.rt = {
enable = true;
package = pkgs.rt.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./rt-session.patch ];
});
organization = "M-Labs";
domain = "rt.m-labs.hk";
rtName = "Helpdesk";
ownerEmail = "sb" + "@m-labs.hk";
commentAddress = "helpdesk" + "@m-labs.hk";
correspondAddress = "helpdesk" + "@m-labs.hk";
sendmailPath = "${pkgs.msmtp}/bin/msmtp";
sendmailArguments = ["-t" "-C" "/etc/nixos/secret/rt_msmtp.conf"];
};
systemd.services.rt-fetchmail = {
description = "Fetchmail for RT";
wantedBy = [ "multi-user.target" ];
after = [ "dovecot2.service" ];
serviceConfig = {
Restart = "on-failure";
User = "rt";
Group = "rt";
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
};
};
mailserver = {
enable = true;
localDnsResolver = false; # conflicts with dnsmasq
fqdn = "mail.m-labs.hk";
domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ];
enablePop3 = true;
enablePop3Ssl = true;
certificateScheme = "acme-nginx";
} // (import /etc/nixos/secret/email_settings.nix);
services.roundcube = {
enable = true;
hostName = "mail.m-labs.hk";
extraConfig = ''
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud27;
hostName = "files.m-labs.hk";
https = true;
maxUploadSize = "2G";
config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
config.defaultPhoneRegion = "HK";
};
services.hedgedoc = {
enable = true;
settings = {
port = 9825;
domain = "docs.m-labs.hk";
protocolUseSSL = true;
allowEmailRegister = false;
allowAnonymous = false;
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
};
};
system.stateVersion = "21.05";
}