forked from M-Labs/it-infra
Compare commits
8 Commits
| Author | SHA1 | Date |
|---|---|---|
 Florian Agbuya
|
d1236d548d | |
 Sebastien Bourdeauducq
|
98c1ecd325 | |
|
Sébastien Bourdeauducq
|
45e718d65a | |
|
Sébastien Bourdeauducq
|
243deb96be | |
 Egor Savkin
|
b1779b57cc | |
|
Sébastien Bourdeauducq
|
4f8d84e3ef | |
|
Egor Savkin
|
eabd92d2e8 | |
|
Sébastien Bourdeauducq
|
04a64c3710 |
|
|
@ -10,16 +10,34 @@ in
|
|||
default = false;
|
||||
description = "Enable AFWS server";
|
||||
};
|
||||
logFile = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/afws/logs/afws.log";
|
||||
description = "Path to the log file";
|
||||
};
|
||||
logBackupCount = mkOption {
|
||||
type = types.int;
|
||||
default = 30;
|
||||
description = "Number of daily log files to keep";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf config.services.afws.enable {
|
||||
systemd.services.afws = {
|
||||
description = "AFWS server";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
preStart = ''
|
||||
mkdir -p "$(dirname ${config.services.afws.logFile})"
|
||||
chown afws:afws "$(dirname ${config.services.afws.logFile})"
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "afws";
|
||||
Group = "afws";
|
||||
ExecStart = "${afws}/bin/afws_server";
|
||||
ExecStart = ''
|
||||
${afws}/bin/afws_server \
|
||||
--log-file ${config.services.afws.logFile} \
|
||||
--log-backup-count ${toString config.services.afws.logBackupCount}
|
||||
'';
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
|
||||
};
|
||||
path = [ pkgs.nix pkgs.git ];
|
||||
|
|
|
|||
|
|
@ -358,6 +358,14 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
# Break cycle dependency making netdev service stop when network-setup is stopped
|
||||
systemd.services."${netifAlt}-netdev" = {
|
||||
partOf = pkgs.lib.mkOverride 1 [ ];
|
||||
};
|
||||
systemd.services."${netifUSA}-netdev" = {
|
||||
partOf = pkgs.lib.mkOverride 1 [ ];
|
||||
};
|
||||
|
||||
# https://kb.isc.org/docs/dnssec-key-and-signing-policy
|
||||
# chown named.named /etc/nixos/named
|
||||
services.bind = {
|
||||
|
|
@ -755,7 +763,7 @@ in
|
|||
</runcommand>
|
||||
<runcommand>
|
||||
job = web:web:web-intl
|
||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@5.78.86.156:/var/www/m-labs-intl.com/html/
|
||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/
|
||||
</runcommand>
|
||||
<runcommand>
|
||||
job = web:web:nmigen-docs
|
||||
|
|
@ -982,7 +990,7 @@ in
|
|||
expires 60d;
|
||||
'';
|
||||
};
|
||||
locations."/nuc-netboot/".alias = "${import ./defenestrate}/";
|
||||
locations."/nuc-netboot/".alias = "${import ./defenestrate { prioNixbld = true; } }/";
|
||||
|
||||
# legacy URLs, redirect to avoid breaking people's bookmarks
|
||||
locations."/gateware.html".extraConfig = ''
|
||||
|
|
@ -1249,7 +1257,18 @@ in
|
|||
Restart = "on-failure";
|
||||
User = "rt";
|
||||
Group = "rt";
|
||||
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
|
||||
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail.pid -f /etc/nixos/secret/rt_fetchmailrc'";
|
||||
};
|
||||
};
|
||||
systemd.services.rt-fetchmail-intl = {
|
||||
description = "Fetchmail for RT (intl)";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "dovecot2.service" ];
|
||||
serviceConfig = {
|
||||
Restart = "on-failure";
|
||||
User = "rt";
|
||||
Group = "rt";
|
||||
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail-intl.pid -f /etc/nixos/secret/rt_fetchmailrc_intl'";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -1,8 +1,8 @@
|
|||
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
|
||||
index 64b55ca6a..9b4e52b8e 100644
|
||||
index 763045a80..d7c5cc82e 100644
|
||||
--- a/src/libstore/build/local-derivation-goal.cc
|
||||
+++ b/src/libstore/build/local-derivation-goal.cc
|
||||
@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild()
|
||||
@@ -190,6 +190,8 @@ void LocalDerivationGoal::tryLocalBuild()
|
||||
|
||||
assert(derivationType);
|
||||
|
||||
|
|
@ -11,7 +11,7 @@ index 64b55ca6a..9b4e52b8e 100644
|
|||
/* Are we doing a chroot build? */
|
||||
{
|
||||
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
|
||||
@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild()
|
||||
@@ -207,7 +209,7 @@ void LocalDerivationGoal::tryLocalBuild()
|
||||
else if (settings.sandboxMode == smDisabled)
|
||||
useChroot = false;
|
||||
else if (settings.sandboxMode == smRelaxed)
|
||||
|
|
@ -20,7 +20,7 @@ index 64b55ca6a..9b4e52b8e 100644
|
|||
}
|
||||
|
||||
auto & localStore = getLocalStore();
|
||||
@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder()
|
||||
@@ -717,7 +719,7 @@ void LocalDerivationGoal::startBuilder()
|
||||
"nogroup:x:65534:\n", sandboxGid()));
|
||||
|
||||
/* Create /etc/hosts with localhost entry. */
|
||||
|
|
@ -29,7 +29,7 @@ index 64b55ca6a..9b4e52b8e 100644
|
|||
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
|
||||
|
||||
/* Make the closure of the inputs available in the chroot,
|
||||
@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder()
|
||||
@@ -921,7 +923,7 @@ void LocalDerivationGoal::startBuilder()
|
||||
us.
|
||||
*/
|
||||
|
||||
|
|
@ -38,7 +38,7 @@ index 64b55ca6a..9b4e52b8e 100644
|
|||
privateNetwork = true;
|
||||
|
||||
userNamespaceSync.create();
|
||||
@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv()
|
||||
@@ -1160,7 +1162,7 @@ void LocalDerivationGoal::initEnv()
|
||||
to the builder is generally impure, but the output of
|
||||
fixed-output derivations is by definition pure (since we
|
||||
already know the cryptographic hash of the output). */
|
||||
|
|
@ -47,7 +47,7 @@ index 64b55ca6a..9b4e52b8e 100644
|
|||
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
|
||||
env[i] = getEnv(i).value_or("");
|
||||
}
|
||||
@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild()
|
||||
@@ -1829,7 +1831,7 @@ void LocalDerivationGoal::runChild()
|
||||
/* Fixed-output derivations typically need to access the
|
||||
network, so give them access to /etc/resolv.conf and so
|
||||
on. */
|
||||
|
|
@ -56,21 +56,21 @@ index 64b55ca6a..9b4e52b8e 100644
|
|||
// Only use nss functions to resolve hosts and
|
||||
// services. Don’t use it for anything else that may
|
||||
// be configured for this system. This limits the
|
||||
@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild()
|
||||
#include "sandbox-defaults.sb"
|
||||
;
|
||||
@@ -2071,7 +2073,7 @@ void LocalDerivationGoal::runChild()
|
||||
#include "sandbox-defaults.sb"
|
||||
;
|
||||
|
||||
- if (!derivationType->isSandboxed())
|
||||
+ if (networked || !derivationType->isSandboxed())
|
||||
sandboxProfile +=
|
||||
#include "sandbox-network.sb"
|
||||
;
|
||||
- if (!derivationType->isSandboxed())
|
||||
+ if (networked || !derivationType->isSandboxed())
|
||||
sandboxProfile +=
|
||||
#include "sandbox-network.sb"
|
||||
;
|
||||
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
|
||||
index 0a05081c7..4c251718c 100644
|
||||
index 86b86c01e..95b03aae8 100644
|
||||
--- a/src/libstore/build/local-derivation-goal.hh
|
||||
+++ b/src/libstore/build/local-derivation-goal.hh
|
||||
@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal
|
||||
|
||||
@@ -82,6 +82,8 @@ struct LocalDerivationGoal : public DerivationGoal
|
||||
*/
|
||||
Path chrootRootDir;
|
||||
|
||||
+ bool networked;
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ let
|
|||
Set($OwnerEmail, '${cfg.ownerEmail}');
|
||||
Set($MaxAttachmentSize, 15360000);
|
||||
Set($CheckMoreMSMailHeaders, 1);
|
||||
Set($RTAddressRegexp, '^(helpdesk|sales)\@(m-labs.hk)$');
|
||||
Set($RTAddressRegexp, '^(helpdesk)\@(m-labs.hk|m-labs-intl.com)$');
|
||||
Set($LoopsToRTOwner, 0);
|
||||
|
||||
# System (Outgoing mail)
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@
|
|||
};
|
||||
esavkin = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout" "libvirtd"];
|
||||
extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
|
||||
];
|
||||
|
|
|
|||
|
|
@ -64,8 +64,8 @@ in
|
|||
xournal
|
||||
xsane
|
||||
gtkwave unzip zip gnupg
|
||||
gnome3.gnome-tweaks
|
||||
gnome3.ghex
|
||||
gnome-tweaks
|
||||
ghex
|
||||
jq sublime3 rink qemu_kvm
|
||||
tmux screen gdb minicom picocom
|
||||
artiq.packages.x86_64-linux.openocd-bscanspi
|
||||
|
|
@ -129,17 +129,9 @@ in
|
|||
nssmdns4 = true;
|
||||
};
|
||||
|
||||
# Enable sound.
|
||||
sound.enable = true;
|
||||
hardware.pulseaudio = {
|
||||
enable = true;
|
||||
package = pkgs.pulseaudioFull;
|
||||
};
|
||||
hardware.graphics.enable32Bit = true;
|
||||
|
||||
hardware.opengl.driSupport32Bit = true;
|
||||
hardware.pulseaudio.support32Bit = true;
|
||||
|
||||
fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
|
||||
fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
|
||||
|
||||
# Enable the X11 windowing system.
|
||||
services.xserver.enable = true;
|
||||
|
|
|
|||
Loading…
Reference in New Issue