forked from M-Labs/it-infra
remove aux config
This commit is contained in:
parent
6d31b77f0e
commit
622cc04c5e
|
@ -1,53 +0,0 @@
|
||||||
{ config, pkgs, lib, ... }:
|
|
||||||
with lib;
|
|
||||||
let
|
|
||||||
makeBackup = pkgs.writeScript "make-backupdl" ''
|
|
||||||
#!${pkgs.bash}/bin/bash
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
export PATH=${pkgs.rsync}/bin:${pkgs.openssh}/bin
|
|
||||||
|
|
||||||
rsync --ignore-existing -av nixbld.m-labs.hk:/home/backupdl /var/lib/backupdl
|
|
||||||
'';
|
|
||||||
|
|
||||||
cfg = config.services.backupdl;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.services.backupdl = {
|
|
||||||
enable = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = "Enable backups";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
systemd.services.backupdl = {
|
|
||||||
description = "Nixbld backups download";
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
User = "backupdl";
|
|
||||||
Group = "backupdl";
|
|
||||||
ExecStart = "${makeBackup}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
users.users.backupdl = {
|
|
||||||
name = "backupdl";
|
|
||||||
group = "backupdl";
|
|
||||||
description = "Nixbld backups download";
|
|
||||||
isSystemUser = true;
|
|
||||||
createHome = true;
|
|
||||||
home = "/var/lib/backupdl";
|
|
||||||
useDefaultShell = true;
|
|
||||||
};
|
|
||||||
users.extraGroups.backupdl = {};
|
|
||||||
|
|
||||||
systemd.timers.backupdl = {
|
|
||||||
description = "Nixbld backups download";
|
|
||||||
wantedBy = [ "timers.target" ];
|
|
||||||
timerConfig.OnCalendar = "*-*-* 18:00:00";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,230 +0,0 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
netifWan = "enp0s25";
|
|
||||||
netifLan = "enp3s0";
|
|
||||||
netifWifi = "wlp1s0";
|
|
||||||
netifSit = "henet0";
|
|
||||||
in
|
|
||||||
{
|
|
||||||
imports =
|
|
||||||
[
|
|
||||||
./hardware-configuration.nix
|
|
||||||
./backupdl-module.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
boot.loader.grub.enable = true;
|
|
||||||
boot.loader.grub.version = 2;
|
|
||||||
boot.loader.grub.device = "/dev/sda";
|
|
||||||
|
|
||||||
boot.blacklistedKernelModules = [ "r8169" ];
|
|
||||||
boot.extraModulePackages = [ (pkgs.callPackage ./r8169 { kernel = config.boot.kernelPackages.kernel; }) ];
|
|
||||||
|
|
||||||
networking.hostName = "aux";
|
|
||||||
|
|
||||||
networking.interfaces."${netifWan}".useDHCP = true;
|
|
||||||
services.hostapd = {
|
|
||||||
enable = true;
|
|
||||||
interface = netifWifi;
|
|
||||||
hwMode = "g";
|
|
||||||
ssid = "M-Labs";
|
|
||||||
wpaPassphrase = (import /etc/nixos/secret/wifi_password.nix);
|
|
||||||
extraConfig = ''
|
|
||||||
ieee80211d=1
|
|
||||||
country_code=HK
|
|
||||||
ieee80211n=1
|
|
||||||
wmm_enabled=1
|
|
||||||
auth_algs=1
|
|
||||||
wpa_key_mgmt=WPA-PSK
|
|
||||||
rsn_pairwise=CCMP
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
networking.interfaces."${netifLan}" = {
|
|
||||||
ipv4.addresses = [{
|
|
||||||
address = "192.168.1.1";
|
|
||||||
prefixLength = 24;
|
|
||||||
}];
|
|
||||||
ipv6.addresses = [{
|
|
||||||
address = "2001:470:f891:1::";
|
|
||||||
prefixLength = 64;
|
|
||||||
}];
|
|
||||||
};
|
|
||||||
networking.interfaces."${netifWifi}" = {
|
|
||||||
ipv4.addresses = [{
|
|
||||||
address = "192.168.15.1";
|
|
||||||
prefixLength = 24;
|
|
||||||
}];
|
|
||||||
ipv6.addresses = [{
|
|
||||||
address = "2001:470:f891:2::";
|
|
||||||
prefixLength = 64;
|
|
||||||
}];
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.sits."${netifSit}" = {
|
|
||||||
dev = netifWan;
|
|
||||||
remote = "216.218.221.6";
|
|
||||||
local = "94.190.212.123";
|
|
||||||
ttl = 255;
|
|
||||||
};
|
|
||||||
networking.interfaces."${netifSit}".ipv6 = {
|
|
||||||
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
|
|
||||||
routes = [{ address = "::"; prefixLength = 0; }];
|
|
||||||
};
|
|
||||||
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
|
|
||||||
boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1";
|
|
||||||
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
|
|
||||||
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
|
|
||||||
|
|
||||||
networking.firewall = {
|
|
||||||
allowedTCPPorts = [ 53 ];
|
|
||||||
allowedUDPPorts = [ 53 67 ];
|
|
||||||
trustedInterfaces = [ netifLan ];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.bind = {
|
|
||||||
enable = true;
|
|
||||||
listenOn = [];
|
|
||||||
listenOnIpv6 = [];
|
|
||||||
forwarders = [];
|
|
||||||
extraOptions = "listen-on-v6 port 5354 { ::1; };";
|
|
||||||
extraConfig = ''
|
|
||||||
zone "mil." IN {
|
|
||||||
type forward;
|
|
||||||
forward only;
|
|
||||||
forwarders { 74.82.42.42; };
|
|
||||||
};
|
|
||||||
'';
|
|
||||||
cacheNetworks = [ "::1/128" ];
|
|
||||||
};
|
|
||||||
services.dnsmasq = {
|
|
||||||
enable = true;
|
|
||||||
servers = ["::1#5354"];
|
|
||||||
extraConfig = ''
|
|
||||||
interface=${netifWifi}
|
|
||||||
interface=${netifLan}
|
|
||||||
bind-interfaces
|
|
||||||
dhcp-range=interface:${netifLan},192.168.1.81,192.168.1.254,24h
|
|
||||||
dhcp-range=interface:${netifWifi},192.168.15.10,192.168.15.254,24h
|
|
||||||
enable-ra
|
|
||||||
dhcp-range=interface:${netifLan},::,constructor:${netifLan},ra-names
|
|
||||||
dhcp-range=interface:${netifWifi},::,constructor:${netifWifi},ra-only
|
|
||||||
|
|
||||||
no-resolv
|
|
||||||
|
|
||||||
# Static IPv4s to make port redirections work
|
|
||||||
dhcp-host=chiron,192.168.1.201
|
|
||||||
dhcp-host=old-nixbld,192.168.1.202
|
|
||||||
|
|
||||||
# Google can't do DNS geolocation correctly and slows down websites of everyone using
|
|
||||||
# their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
|
|
||||||
# cannot reach.
|
|
||||||
address=/fonts.googleapis.com/142.250.207.74
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
networking.nat = {
|
|
||||||
enable = true;
|
|
||||||
externalInterface = netifWan;
|
|
||||||
internalInterfaces = [ netifLan netifWifi ];
|
|
||||||
forwardPorts = [
|
|
||||||
{ sourcePort = 2201; destination = "192.168.1.201:22"; proto = "tcp"; }
|
|
||||||
{ sourcePort = 2202; destination = "192.168.1.202:22"; proto = "tcp"; }
|
|
||||||
];
|
|
||||||
extraCommands = ''
|
|
||||||
iptables -w -N block-lan-from-wifi
|
|
||||||
iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
|
|
||||||
iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
|
|
||||||
iptables -w -A FORWARD -j block-lan-from-wifi
|
|
||||||
|
|
||||||
iptables -w -N block-insecure-devices
|
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA
|
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope
|
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source 00:0a:35:00:01:23 -j DROP # function generator
|
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:21:f1:ee -j DROP # siglent scope #2
|
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source 00:19:af:5b:dd:58 -j DROP # power supply
|
|
||||||
iptables -w -A FORWARD -j block-insecure-devices
|
|
||||||
'';
|
|
||||||
extraStopCommands = ''
|
|
||||||
iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
|
|
||||||
iptables -w -F block-lan-from-wifi 2>/dev/null|| true
|
|
||||||
iptables -w -X block-lan-from-wifi 2>/dev/null|| true
|
|
||||||
|
|
||||||
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
|
|
||||||
iptables -w -F block-insecure-devices 2>/dev/null|| true
|
|
||||||
iptables -w -X block-insecure-devices 2>/dev/null|| true
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
time.timeZone = "Asia/Hong_Kong";
|
|
||||||
|
|
||||||
nixpkgs.config.allowUnfree = true;
|
|
||||||
services.avahi.enable = true;
|
|
||||||
services.avahi.publish.enable = true;
|
|
||||||
services.avahi.publish.userServices = true;
|
|
||||||
services.printing.enable = true;
|
|
||||||
services.printing.drivers = [ pkgs.hplipWithPlugin ];
|
|
||||||
services.printing.browsing = true;
|
|
||||||
services.printing.listenAddresses = [ "*:631" ];
|
|
||||||
services.printing.defaultShared = true;
|
|
||||||
hardware.sane.enable = true;
|
|
||||||
hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
|
|
||||||
systemd.sockets.cups.wants = [ "network-setup.service" ];
|
|
||||||
systemd.sockets.cups.after = [ "network-setup.service" ];
|
|
||||||
systemd.sockets.cups.wantedBy = [ "multi-user.target" ];
|
|
||||||
systemd.services.cups.wantedBy = [ "multi-user.target" ];
|
|
||||||
|
|
||||||
users.extraGroups.plugdev = { };
|
|
||||||
users.extraUsers.root = {
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
|
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
|
||||||
];
|
|
||||||
shell = pkgs.fish;
|
|
||||||
};
|
|
||||||
# https://github.com/NixOS/nixpkgs/issues/155357
|
|
||||||
security.sudo.enable = true;
|
|
||||||
users.users.sb = {
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = ["lp" "scanner" "plugdev"];
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
|
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
|
||||||
];
|
|
||||||
shell = pkgs.fish;
|
|
||||||
};
|
|
||||||
|
|
||||||
documentation.enable = false;
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
wget vim git usbutils pciutils file lm_sensors acpi
|
|
||||||
psmisc
|
|
||||||
iw
|
|
||||||
tmux
|
|
||||||
bind
|
|
||||||
nixopsUnstable
|
|
||||||
imagemagick
|
|
||||||
];
|
|
||||||
|
|
||||||
programs.mosh.enable = true;
|
|
||||||
programs.fish.enable = true;
|
|
||||||
|
|
||||||
services.openssh.enable = true;
|
|
||||||
services.openssh.forwardX11 = true;
|
|
||||||
services.openssh.passwordAuthentication = false;
|
|
||||||
services.openssh.extraConfig =
|
|
||||||
''
|
|
||||||
StreamLocalBindUnlink yes
|
|
||||||
'';
|
|
||||||
|
|
||||||
services.backupdl.enable = true;
|
|
||||||
|
|
||||||
services.udev.extraRules =
|
|
||||||
''
|
|
||||||
# label printer
|
|
||||||
SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="plugdev"
|
|
||||||
'';
|
|
||||||
|
|
||||||
nix.settings.trusted-public-keys = ["nixbld.m-labs.hk-1:5aSRVA5b320xbNvu30tqxVPXpld73bhtOeH6uAjRyHc="];
|
|
||||||
nix.settings.substituters = ["https://nixbld.m-labs.hk" "https://cache.nixos.org"];
|
|
||||||
nix.settings.trusted-users = ["sb"];
|
|
||||||
|
|
||||||
system.stateVersion = "22.05";
|
|
||||||
}
|
|
|
@ -1,42 +0,0 @@
|
||||||
{ stdenv, lib, kernel }:
|
|
||||||
|
|
||||||
|
|
||||||
let modDestDir = "$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/net/wireless/realtek/r8169";
|
|
||||||
|
|
||||||
in stdenv.mkDerivation rec {
|
|
||||||
name = "r8169-${kernel.version}-${version}";
|
|
||||||
version = "6.031.00";
|
|
||||||
|
|
||||||
src = ./r8169-${version}.tar.bz2;
|
|
||||||
|
|
||||||
hardeningDisable = [ "pic" ];
|
|
||||||
|
|
||||||
nativeBuildInputs = kernel.moduleBuildDependencies;
|
|
||||||
|
|
||||||
# rename to avoid conflict with totally broken piece of crap from mainline kernel
|
|
||||||
patchPhase =
|
|
||||||
''
|
|
||||||
substituteInPlace src/Makefile --replace r8169.o r8169-vendor.o
|
|
||||||
substituteInPlace src/Makefile --replace r8169-objs r8169-vendor-objs
|
|
||||||
'';
|
|
||||||
|
|
||||||
# avoid using the Makefile directly -- it doesn't understand
|
|
||||||
# any kernel but the current.
|
|
||||||
# based on the ArchLinux pkgbuild: https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/r8168
|
|
||||||
makeFlags = kernel.makeFlags ++ [
|
|
||||||
"-C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
|
|
||||||
"M=$(PWD)/src"
|
|
||||||
"modules"
|
|
||||||
];
|
|
||||||
preBuild = ''
|
|
||||||
makeFlagsArray+=("EXTRA_CFLAGS=-DCONFIG_R8169_NAPI -DCONFIG_R8169_VLAN -DCONFIG_ASPM -DENABLE_S5WOL -DENABLE_EEE")
|
|
||||||
'';
|
|
||||||
|
|
||||||
enableParallelBuilding = true;
|
|
||||||
|
|
||||||
installPhase = ''
|
|
||||||
mkdir -p ${modDestDir}
|
|
||||||
find . -name '*.ko' -exec cp --parents '{}' ${modDestDir} \;
|
|
||||||
find ${modDestDir} -name '*.ko' -exec xz -f '{}' \;
|
|
||||||
'';
|
|
||||||
}
|
|
Binary file not shown.
Loading…
Reference in New Issue