nixbld: add explanation about sigin requirements on gitea

* The puny little battery that the UPS came with has been replaced with a 200Ah one, so the reported estimates are pessimistic.
* Disable self-test which kills the mechanical relays inside the UPS after a few years.

nixbld-etc-nixos/backup-module.nix

@@ -28,9 +28,10 @@ let
     ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
     ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
     ${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql
+    ${config.services.postgresql.package}/bin/pg_dump nextcloud > nextcloud.sql
 
     exec 6< /etc/nixos/secret/backup-passphrase
-    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \
+    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /home/sb/backed /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql nextcloud.sql | \
         ${pkgs.bzip2}/bin/bzip2 | \
         ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
   '';

nixbld-etc-nixos/configuration.nix

@@ -20,8 +20,8 @@ in
       ./afws-module.nix
       ./rt.nix
       (builtins.fetchTarball {
-        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/af7d3bf5daeba3fc28089b015c0dd43f06b176f2/nixos-mailserver-nixos.tar.gz";
-        sha256 = "sha256:1j0r52ij5pw8b8wc5xz1bmm5idwkmsnwpla6smz8gypcjls860ma";
+        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/63209b1def2c9fc891ad271f474a3464a5833294/nixos-mailserver-nixos.tar.gz";
+        sha256 = "sha256:05k4nj2cqz1c5zgqa0c6b8sp3807ps385qca74fgs6cdc415y3qw";
       })
     ];
 
@@ -53,7 +53,7 @@ in
 
   services.fail2ban.enable = true;
   services.fail2ban.ignoreIP = [ "94.190.212.123" "2001:470:18:390::2" ];
-  services.fail2ban.maxretry = 9;
+  services.fail2ban.maxretry = 7;
   services.fail2ban.bantime-increment.enable = true;
   services.fail2ban.jails.sshd = {
     settings = {
@@ -61,18 +61,6 @@ in
       action = "iptables-allports";
     };
   };
-  services.fail2ban.jails.nginx-botsearch = {
-    settings = {
-      filter = "nginx-botsearch";
-      action = "iptables-allports";
-    };
-  };
-  services.fail2ban.jails.nginx-limit-req = {
-    settings = {
-      filter = "nginx-limit-req";
-      action = "iptables-allports";
-    };
-  };
   services.fail2ban.jails.postfix = {
     settings = {
       filter = "postfix";
@@ -598,6 +586,9 @@ in
     psmisc
 
     wget
+    bind
+    whois
+
     vim
     git
     file
@@ -606,8 +597,8 @@ in
 
     nixops_unstable_minimal
     borgbackup
-    bind
     waypipe
+
     (callPackage ./afws { inherit pkgs; })
     (callPackage ./labelprinter { inherit pkgs; })
   ];
@@ -623,8 +614,9 @@ in
   services.apcupsd.configText = ''
     UPSTYPE usb
     NISIP 127.0.0.1
-    BATTERYLEVEL 10
-    MINUTES 5
+    BATTERYLEVEL 1
+    MINUTES 1
+    SELFTEST OFF
   '';
 
   # Enable the OpenSSH daemon.
@@ -923,6 +915,7 @@ in
       service = {
         ENABLE_NOTIFY_MAIL = true;
         DISABLE_REGISTRATION = true;
+        REQUIRE_SIGNIN_VIEW = "expensive";
       };
 
       attachment = {
@@ -936,7 +929,6 @@ in
   };
   systemd.tmpfiles.rules = [
     "L+ '${config.services.gitea.stateDir}/custom/templates/home.tmpl' - - - - ${./gitea-home.tmpl}"
-    "L+ '${config.services.gitea.stateDir}/custom/templates/user/auth/signin.tmpl' - - - - ${./gitea-signin.tmpl}"
   ];
 
   services.mattermost = {
@@ -970,6 +962,7 @@ in
       hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
       doCheck = false;  # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
     });
+    gitea = super.callPackage ./gitea/package.nix {};
     mattermost = super.mattermost.overrideAttrs(oldAttrs: {
       webapp = oldAttrs.webapp.overrideAttrs (webappAttrs: {
         patches = webappAttrs.patches or [ ] ++ [ ./mattermost-remove-free-banner.patch ];
@@ -1161,7 +1154,6 @@ in
         forceSSL = true;
         enableACME = true;
         locations."/".proxyPass = "http://127.0.0.1:3001";
-        locations."/".extraConfig = "if ($http_user_agent ~* (ClaudeBot|GPTBot|AwarioBot|meta-externalagent|Amazonbot|DataForSeoBot|bingbot|Bytespider|AhrefsBot|SemrushBot)) { return 403; }";
         extraConfig = ''
           client_max_body_size 300M;
         '';
@@ -1349,12 +1341,16 @@ in
 
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud30;
-    extraApps = { inherit (config.services.nextcloud.package.packages.apps) forms; };
+    package = pkgs.nextcloud31;
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps) forms deck groupfolders tasks;
+    };
     hostName = "files.m-labs.hk";
     https = true;
     maxUploadSize = "2G";
     config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
+    config.dbtype = "pgsql";
+    config.dbhost = "/run/postgresql";
     settings.default_phone_region = "HK";
     settings.log_type = "file";
     phpOptions."opcache.interned_strings_buffer" = "12";

nixbld-etc-nixos/flarum/default.nix

@@ -23,7 +23,7 @@ php.buildComposerProject (finalAttrs: {
 
   composerLock = ./composer.lock;
   composerStrictValidation = false;
-  vendorHash = "sha256-rWvIKiQVyfvUprYfm/+Jdq+DO5qymyWp+Xh0c0nY2Cw=";
+  vendorHash = "sha256-S79nFpbLA1vJp8mKRVmQbdvO1LcUZThmgzQjVQDzmRM=";
 
   meta = with lib; {
     changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";

nixbld-etc-nixos/gitea-home.tmpl

@@ -17,6 +17,9 @@
 			<p class="large">
 				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-labs.hk stating the username you would like to have.
 			</p>
+			<p class="large">
+			  Due to excessive amounts of server resources being wasted by AI bots, <a href="https://github.com/go-gitea/gitea/pull/34024">many functionalities currently require sign-in</a>. You can always clone git repositories anonymously and access most of that functionality on your local machine. We apologize for the inconvenience and look forward to rolling out a less obtrusive solution when one becomes available.
+			</p>
 		</div>
 	</div>
 </div>

nixbld-etc-nixos/gitea-signin.tmpl

@@ -1,11 +0,0 @@
-{{template "base/head" .}}
-<div class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
-	{{template "user/auth/signin_navbar" .}}
-	<div class="ui middle very relaxed page grid">
-		<div class="ui container column fluid">
-			{{template "user/auth/signin_inner" .}}
-			To get an account (also available to external contributors), simply write to sb@m-labs.hk.
-		</div>
-	</div>
-</div>
-{{template "base/footer" .}}

nixbld-etc-nixos/gitea/allow-src.patch

@@ -0,0 +1,13 @@
+diff '--color=auto' -Naur gitea-1.23.7.orig/routers/common/blockexpensive.go gitea-1.23.7/routers/common/blockexpensive.go
+--- gitea-1.23.7.orig/routers/common/blockexpensive.go	2025-04-20 21:42:28.210137661 +0100
++++ gitea-1.23.7/routers/common/blockexpensive.go	2025-04-20 21:48:47.743843506 +0100
+@@ -45,9 +45,6 @@
+ 		"/{username}/{reponame}/commit/",
+ 		"/{username}/{reponame}/commits/",
+ 		"/{username}/{reponame}/graph",
+-		"/{username}/{reponame}/media/",
+-		"/{username}/{reponame}/raw/",
+-		"/{username}/{reponame}/src/",
+ 
+ 		// issue & PR related (no trailing slash)
+ 		"/{username}/{reponame}/issues",

nixbld-etc-nixos/gitea/package.nix

@@ -0,0 +1,120 @@
+{
+  lib,
+  buildGoModule,
+  fetchFromGitHub,
+  makeWrapper,
+  git,
+  bash,
+  coreutils,
+  compressDrvWeb,
+  gitea,
+  gzip,
+  openssh,
+  sqliteSupport ? true,
+  nixosTests,
+  buildNpmPackage,
+}:
+
+let
+  frontend = buildNpmPackage {
+    pname = "gitea-frontend";
+    inherit (gitea) src version;
+
+    npmDepsHash = "sha256-5i3aB1QgH5NK5yDZySFlraVGU+Kh6J4Y2zvFqJX5kJs=";
+
+    # use webpack directly instead of 'make frontend' as the packages are already installed
+    buildPhase = ''
+      BROWSERSLIST_IGNORE_OLD_DATA=true npx webpack
+    '';
+
+    installPhase = ''
+      mkdir -p $out
+      cp -R public $out/
+    '';
+  };
+in
+buildGoModule rec {
+  pname = "gitea";
+  version = "1.23.7";
+
+  src = fetchFromGitHub {
+    owner = "go-gitea";
+    repo = "gitea";
+    tag = "v${gitea.version}";
+    hash = "sha256-pdmRujcLnQBIQXc26MPpoLbbV00KMaVHPY4xTsitaCA=";
+  };
+
+  proxyVendor = true;
+
+  vendorHash = "sha256-h9RnHv4weGfHwpmuEhQbsYDd5fKc439m0gF/BgDVIdA=";
+
+  outputs = [
+    "out"
+    "data"
+  ];
+
+  patches = [ ./static-root-path.patch ./allow-src.patch ];
+
+  # go-modules derivation doesn't provide $data
+  # so we need to wait until it is built, and then
+  # at that time we can then apply the substituteInPlace
+  overrideModAttrs = _: { postPatch = null; };
+
+  postPatch = ''
+    substituteInPlace modules/setting/server.go --subst-var data
+  '';
+
+  subPackages = [ "." ];
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  tags = lib.optionals sqliteSupport [
+    "sqlite"
+    "sqlite_unlock_notify"
+  ];
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X main.Version=${version}"
+    "-X 'main.Tags=${lib.concatStringsSep " " tags}'"
+  ];
+
+  postInstall = ''
+    mkdir $data
+    ln -s ${frontend}/public $data/public
+    cp -R ./{templates,options} $data
+    mkdir -p $out
+    cp -R ./options/locale $out/locale
+
+    wrapProgram $out/bin/gitea \
+      --prefix PATH : ${
+        lib.makeBinPath [
+          bash
+          coreutils
+          git
+          gzip
+          openssh
+        ]
+      }
+  '';
+
+  passthru = {
+    data-compressed =
+      lib.warn "gitea.passthru.data-compressed is deprecated. Use \"compressDrvWeb gitea.data\"."
+        (compressDrvWeb gitea.data { });
+
+    tests = nixosTests.gitea;
+  };
+
+  meta = with lib; {
+    description = "Git with a cup of tea";
+    homepage = "https://about.gitea.com";
+    license = licenses.mit;
+    maintainers = with maintainers; [
+      techknowlogick
+      SuperSandro2000
+    ];
+    mainProgram = "gitea";
+  };
+}

nixbld-etc-nixos/gitea/static-root-path.patch

@@ -0,0 +1,13 @@
+diff --git a/modules/setting/server.go b/modules/setting/server.go
+index 183906268..fa02e8915 100644
+--- a/modules/setting/server.go
++++ b/modules/setting/server.go
+@@ -319,7 +319,7 @@ func loadServerFrom(rootCfg ConfigProvider) {
+ 	OfflineMode = sec.Key("OFFLINE_MODE").MustBool()
+ 	Log.DisableRouterLog = sec.Key("DISABLE_ROUTER_LOG").MustBool()
+ 	if len(StaticRootPath) == 0 {
+-		StaticRootPath = AppWorkPath
++		StaticRootPath = "@data@"
+ 	}
+ 	StaticRootPath = sec.Key("STATIC_ROOT_PATH").MustString(StaticRootPath)
+ 	StaticCacheTime = sec.Key("STATIC_CACHE_TIME").MustDuration(6 * time.Hour)

nixops/avscan-module.nix

@@ -1,45 +0,0 @@
-{ config, pkgs, lib, ... }:
-with lib;
-let
-  avscan = pkgs.writeScript "avscan" ''
-    #!${pkgs.bash}/bin/bash
-
-    for user in $(cut -d":" -f1 /etc/passwd); do
-      if [ -d "/home/$user" ]; then
-          nice -15 ${pkgs.sudo}/bin/sudo -u $user ${pkgs.clamav}/bin/clamscan --recursive --quiet --infected /home/$user
-      fi
-    done
-  '';
-  cfg = config.services.avscan;
-in
-{
-  options.services.avscan = {
-    enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = "Enable antivirus scan";
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.clamav.updater.enable = true;
-    services.clamav.updater.interval = "daily";
-    services.clamav.updater.frequency = 1;
-
-    systemd.services.avscan = {
-      description = "Antivirus scan";
-      serviceConfig = {
-        Type = "oneshot";
-        User = "root";
-        Group = "root";
-        ExecStart = "${avscan}";
-      };
-    };
-
-    systemd.timers.avscan = {
-      description = "Antivirus scan";
-      wantedBy = [ "timers.target" ];
-      timerConfig.OnCalendar = "Mon *-*-* 13:00:00";
-    };
-  };
-}

nixops/common-users.nix

@@ -55,13 +55,6 @@
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMoGOV9HoFkm6S6zMfOc8ivUcGzKFxuqpmOXKQtg2nn5Kh6ByMuuAHFlvKISILBaWgXN8lPQN9VjLuXV93oG4Pe7u8EVw20IGbA6RZ4Pnnr1xQBESPbye+72taLvyQlxGA=="
     ];
   };
-  esavkin = {
-    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
-    ];
-  };
   flo = {
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];

nixops/desktop.nix

@@ -17,7 +17,6 @@ in
   imports =
     [
       (./. + "/${host}-hardware-configuration.nix")
-      ./avscan-module.nix
     ];
   nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
     libp11 = super.libp11.override({ openssl = super.openssl_1_1; });
@@ -91,8 +90,6 @@ in
     setuid = true;
   };
 
-  services.avscan.enable = true;
-
   services.openssh.enable = true;
   services.openssh.authorizedKeysInHomedir = false;
   services.openssh.settings.PasswordAuthentication = false;

nixops/extra-udev.nix

@@ -24,4 +24,6 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660"
 # DSLogic
 SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
 SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
+# chinese Lattice USB-2B
+SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6010", MODE="0660", GROUP="plugdev"
 ''

nixops/vulcan-hardware-configuration.nix

@@ -38,4 +38,15 @@
   hardware.cpu.intel.updateMicrocode = true;
   
   system.stateVersion = "23.05";
+
+  specialisation.virtualgpu = {
+    configuration = {
+      boot.kernelModules = [ "vfio_pci" "vfio" ];
+      boot.kernelParams = [ "intel_iommu=on" ];
+      boot.extraModprobeConfig =
+        ''
+        options vfio-pci ids=1002:67df,1002:aaf0
+        '';
+    };
+  };
 }