Compare commits

...

65 Commits

Author SHA1 Message Date
e4b6c68ae3 nixops: add back abdul 2024-12-18 18:19:29 +08:00
060c6bfe21 nixbld: unscramble email addresses for gitea 2024-12-04 21:21:36 +08:00
da74156ca8 Reduce websites duplication
Redirect www.* URLs to non-www.* with default 301 code in order to reduce number of copies of the websites in search engines

Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-12-04 16:55:36 +08:00
9558882e2b dmesg_restrict is now default on NixOS 24.11 2024-12-04 12:33:07 +08:00
9e74ec65bb nixbld: hydra-restrictdist not needed anymore 2024-12-04 12:25:40 +08:00
1b51f86343 nixbld: patch correct hydra package 2024-12-04 12:25:23 +08:00
b088c11806 nixbld: reduce mattermost spam 2024-12-04 12:06:12 +08:00
6510ba9a2d nixbld: nixpkgs 24.11 2024-12-03 19:27:26 +08:00
81cfe07acd unscramble email 2024-12-03 17:41:25 +08:00
a8593a2e97 flarum: update core and packages 2024-11-29 11:49:31 +08:00
7f10e2b817 nixops: remove juno 2024-11-27 18:52:28 +08:00
2f1235a997 update sb backup key 2024-11-26 21:46:47 +08:00
c7ea537622 Revert "Break cycle dependency of tunnel netdev services on network setup"
Does not solve the problem.

This reverts commit b1779b57cc.
2024-11-25 12:11:36 +08:00
d1236d548d afws: enable file logging with afws group permissions 2024-11-22 15:34:23 +08:00
98c1ecd325 nixops: nixpkgs 24.11 compatibility 2024-11-16 18:49:26 +08:00
45e718d65a nixops: add esavkin to wireshark group 2024-11-06 15:25:21 +08:00
243deb96be nixbld: update Nix patch 2024-11-05 18:45:40 +08:00
b1779b57cc Break cycle dependency of tunnel netdev services on network setup
This changes the following chain after nixos-rebuild switch with modified tunnel interfaces:
stop network-setup -> stop TUN-netdev -> stop network-addresses-TUN -> start network-addresses-TUN (fails since it depends on TUN-netdev which is off).

Chain after this change:
stop TUN-netdev -> stop network-setup -> stop network-addresses-TUN -> start TUN-netdev -> start network-addresses-TUN -> start network-setup

Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-30 17:23:52 +08:00
4f8d84e3ef nixbld: enable prioNixbld for new defenestrate 2024-10-30 14:53:56 +08:00
eabd92d2e8 Use tunnel for uploading web-intl
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-24 17:35:34 +08:00
04a64c3710 nixbld: set up RT for m-labs-intl.com 2024-10-24 15:49:41 +08:00
d27ee750a2 m-labs-intl.com VPS setup information
Co-authored-by: Egor Savkin <es@m-labs.hk>
Co-committed-by: Egor Savkin <es@m-labs.hk>
2024-10-21 15:48:17 +08:00
14e9d63ab7 nixbld: apply TCP MSS clamping to USA tunnel 2024-10-17 15:08:27 +08:00
19aee9b59f nixbld: send mail from m-labs-intl.com through trump0 2024-10-17 15:04:50 +08:00
f8a3d54b54 nixbld: update simple-nixos-mailserver 2024-10-17 15:04:14 +08:00
c499a7ce86 nixbld: keep checking SPF for email from tunnel
GRE preserves source IP information.
2024-10-17 14:48:04 +08:00
476f5d1d6c nixbld: update to nextcloud 30 2024-10-16 11:33:07 +08:00
ecf40fb2db nixbld: fix firewall issue with incoming USA tunnel connections 2024-10-15 21:27:43 +08:00
34102e66ad nixbld: install nextcloud forms app 2024-10-15 16:22:33 +08:00
93ae830468 nixbld: disable IPv6 MX for m-labs-intl.com 2024-10-14 14:23:15 +08:00
8af66556b9 nixbld: remove google fonts workaround 2024-10-11 17:27:10 +08:00
94cff9bb09 nixbld: revert 233998b8 (did not fix the problem) 2024-10-08 16:11:12 +08:00
2bf7bb0638 nixbld: connect to USA VPN 2024-10-08 16:09:56 +08:00
3419fe6013 nixbld: remove nkrackow user 2024-10-05 10:15:13 +08:00
ec53c0cbdd nixbld: add eduardotenholder user 2024-10-02 18:41:45 +08:00
0258f5cff4 nixbld: reorganize users (NFC) 2024-10-02 18:40:48 +08:00
b723b7f8c0 nixbld: clean up/update systemPackages 2024-09-30 15:12:01 +08:00
0c336f3dd7 nixbld: do not log refused connections
Happen all the time and spam the kernel log.
2024-09-30 14:40:09 +08:00
11181f0397 nixbld: flarum createDatabaseLocally no longer needed
https://github.com/NixOS/nixpkgs/pull/341340
2024-09-23 10:52:08 +08:00
aaf70f36df nixops: remove user accounts 2024-09-13 13:23:15 +08:00
4a288abe2b nixbld: keep automatic flarum DB migrations 2024-09-10 17:12:44 +08:00
246a375dfb add remote IPsec settings 2024-09-05 14:36:37 +08:00
635f90f0c7 nixbld/flarum: use nix 2024-08-31 17:27:16 +08:00
8a187ba5b9 nixbld: SIT can take larger packets 2024-08-29 18:55:52 +08:00
9383227c5b nixbld: consistent netif variables 2024-08-29 18:53:33 +08:00
233998b8f3 nixbld: work around tunnel bring-up race condition 2024-08-29 18:40:17 +08:00
90a6b84c09 nixbld: work around tunnel TCPMSS issues 2024-08-29 18:39:52 +08:00
23e1fa029a nixbld: upgrade postgresql 2024-08-25 11:06:19 +08:00
75035b387e Skip SPF for mails originating from intl
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-08-20 10:59:27 +08:00
4f48ea611a nixops: remove wanglm user 2024-08-19 11:18:06 +08:00
6dc8214102 nixbld/backup: include gitea DB dump 2024-08-17 18:26:46 +08:00
a6b216bb87 nixbld/gitea: move to postgresql 2024-08-17 18:18:56 +08:00
6e21a95ba8 nixbld/named: add qnetp slave DNS for m-labs-intl.com 2024-08-15 19:52:42 +08:00
d08186a27a nixbld/named: enable CAA for m-labs-intl.com 2024-08-14 11:52:25 +08:00
5d132565e6 nixbld/named: add hooks.m-labs-intl.com 2024-08-14 11:42:38 +08:00
97ca7ea3ce nixbld: mail setup for m-labs-intl.com WIP 2024-08-14 11:38:19 +08:00
e24c167f8b Revert "nixbld: block SAP spam"
Option seems to have no effect.

This reverts commit b769b47075.
2024-08-14 10:58:49 +08:00
18194be5c3 nixbld: deploy web2019 to the intl domain
Co-authored-by: Egor Savkin <es@m-labs.hk>
Co-committed-by: Egor Savkin <es@m-labs.hk>
2024-08-14 10:54:52 +08:00
7781d6236e nixbld/rt: disable TCP 2024-08-11 12:19:15 +08:00
93e19c74e9 nixbld/rt: use psql peer authentication 2024-08-11 12:12:28 +08:00
4ccab3cf2b nixbld: remove outdated DNS records 2024-08-05 19:13:34 +08:00
69fe8c9866 nixbld: add flo user 2024-08-01 07:32:11 +08:00
b769b47075 nixbld: block SAP spam 2024-07-02 09:56:02 +02:00
f0668fa5b7 juno: mobo swap 2024-06-27 14:20:30 +08:00
8422d16978 nixops: add new DSLogic USB ID 2024-06-26 13:29:20 +08:00
31 changed files with 10546 additions and 248 deletions

View File

@ -0,0 +1,18 @@
network:
version: 2
renderer: networkd
ethernets:
eth0:
addresses:
- 5.78.86.156/32
- 2a01:4ff:1f0:83de::2/64
- 2a01:4ff:1f0:83de::3/64
- 2a01:4ff:1f0:83de::4/64
tunnels:
gre1:
mode: gre
local: 5.78.86.156
remote: 94.190.212.123
addresses:
- 10.47.3.0/31

View File

@ -0,0 +1,14 @@
[Unit]
Description=GRE tunnel to the main host
After=network.target
[Service]
Type=simple
User=root
ExecStart=/root/gretun.sh
ExecStop=/root/gretun_down.sh
Restart=on-failure
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

10
m-labs-intl/gretun.sh Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

10
m-labs-intl/gretun_down.sh Executable file
View File

@ -0,0 +1,10 @@
#!/bin/bash
/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
/usr/sbin/iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

View File

@ -0,0 +1,81 @@
upstream rfq_server {
server 127.0.0.1:5000;
}
server {
limit_conn addr 5;
root /var/www/m-labs-intl.com/html;
index index.html index.htm index.nginx-debian.html;
server_name m-labs-intl.com;
location / {
try_files $uri $uri/ =404;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name www.m-labs-intl.com;
return 301 https://m-labs-intl.com$request_uri;
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name hooks.m-labs-intl.com;
limit_conn addr 5;
location /rfq {
proxy_pass http://rfq_server/rfq;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 30;
proxy_connect_timeout 30;
proxy_send_timeout 30;
}
location / {
return 418;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
limit_conn addr 5;
if ($host = m-labs-intl.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = www.m-labs-intl.com) {
return 301 https://m-labs-intl.com$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name m-labs-intl.com www.m-labs-intl.com hooks.m-labs-intl.com;
return 301 https://$host$request_uri;
}

View File

@ -0,0 +1,34 @@
connections {
m_labs {
version = 2
encap = no
mobike = no
send_certreq = no
proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
local_addrs = 5.78.86.156
remote_addrs = 94.190.212.123
local {
auth = pubkey
id = fqdn:m-labs-intl.com
pubkeys = m-labs-intl.com
}
remote {
auth = pubkey
id = fqdn:m-labs.hk
pubkeys = m-labs.hk
}
children {
con1 {
mode = transport
ah_proposals = sha256-curve25519,sha256-ecp256
esp_proposals =
local_ts = 5.78.86.156[gre]
remote_ts = 94.190.212.123[gre]
start_action = start
close_action = none
}
}
}
}

0
m-labs-intl/mail.secret Normal file
View File

65
m-labs-intl/nginx.conf Normal file
View File

@ -0,0 +1,65 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
# Rate limiting
limit_conn_zone $binary_remote_addr zone=addr:10m;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

12
m-labs-intl/rfq.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=RFQ service
After=network.target
[Service]
Type=simple
User=rfqserver
ExecStart=/home/rfqserver/runrfq.sh
Restart=on-failure
[Install]
WantedBy=multi-user.target

14
m-labs-intl/runrfq.sh Normal file
View File

@ -0,0 +1,14 @@
#!/usr/bin/env bash
export FLASK_DEBUG=0
export FLASK_MAIL_SERVER=mail.m-labs.hk
export FLASK_MAIL_PORT=465
export FLASK_MAIL_USE_SSL=True
export FLASK_MAIL_USERNAME=sysop-intl@m-labs-intl.com
export FLASK_MAIL_PASSWORD_FILE=/home/rfqserver/mail.secret
export FLASK_MAIL_RECIPIENT=sales@m-labs.hk
export FLASK_MAIL_SENDER=sysop-intl@m-labs-intl.com
cd /home/rfqserver/web2019/server
source venv/bin/activate
python3 -m flask --app rfq run --port=5000

99
m-labs-intl/setup.md Normal file
View File

@ -0,0 +1,99 @@
# Setup m-labs-intl.com server
```shell
# Install required packages
apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
# Set up networks (includes GRE)
cp 60-tunnels.yaml /etc/netplan/
netplan apply
# set up IPsec-AH connection
cp m-labs.hk.conf /etc/swanctl/conf.d/
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com
pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
systemctl enable strongswan --now
systemctl restart strongswan
# Set up website
cp m-labs-intl.com /etc/nginx/sites-available/
cp nginx.conf /etc/nginx/
ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
systemctl enable nginx --now
service nginx restart
# Issue SSL certificate - website only, the mail is on the HK side
certbot --nginx
service nginx restart
# Create a user for automatic website deployment from nixbld
useradd -m zolaupd
mkdir -p /var/www/m-labs-intl.com/html
chown -R zolaupd /var/www/m-labs-intl.com/
sudo -u zolaupd sh -c '
cd /home/zolaupd;
mkdir /home/zolaupd/.ssh;
echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
chmod 700 .ssh/
chmod 600 .ssh/authorized_keys
'
# Create a user for RFQ hooks service
useradd -m rfqserver
cp runrfq.sh /home/rfqserver/
cp mail.secret /home/rfqserver/
chown rfqserver /home/rfqserver/runrfq.sh
chmod +x /home/rfqserver/runrfq.sh
chown rfqserver /home/rfqserver/mail.secret
sudo -u rfqserver sh -c '
cd /home/rfqserver;
git clone https://git.m-labs.hk/M-Labs/web2019.git;
cd web2019;
python3 -m venv ./venv;
source venv/bin/activate;
pip install -r requirements.txt;
'
cp rfq.service /etc/systemd/system/
# Automate port forwarding rules creation
cp gretun.sh /root/gretun.sh
cp gretun_down.sh /root/gretun_down.sh
chmod u+x /root/gretun.sh
chmod u+x /root/gretun_down.sh
cp gretun.service /etc/systemd/system/
# Enable custom services
systemctl daemon-reload
systemctl enable rfq.service --now
systemctl enable gretun.service --now
# Setup basic firewall rules
ufw default deny
ufw default allow outgoing
ufw allow from 94.190.212.123
ufw allow from 2001:470:f891:1::/64
ufw allow from 202.77.7.238
ufw allow from 2001:470:18:390::2
ufw allow "Nginx HTTP"
ufw allow "Nginx HTTPS"
ufw limit OpenSSH
ufw allow 25/tcp
ufw allow 587/tcp
ufw limit 500,4500/udp
ufw route allow in on gre1 out on eth0
ufw allow from 10.47.3.0/31
ufw show added
ufw enable
```

View File

@ -10,16 +10,34 @@ in
default = false; default = false;
description = "Enable AFWS server"; description = "Enable AFWS server";
}; };
logFile = mkOption {
type = types.str;
default = "/var/lib/afws/logs/afws.log";
description = "Path to the log file";
};
logBackupCount = mkOption {
type = types.int;
default = 30;
description = "Number of daily log files to keep";
};
}; };
config = mkIf config.services.afws.enable { config = mkIf config.services.afws.enable {
systemd.services.afws = { systemd.services.afws = {
description = "AFWS server"; description = "AFWS server";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p "$(dirname ${config.services.afws.logFile})"
chown afws:afws "$(dirname ${config.services.afws.logFile})"
'';
serviceConfig = { serviceConfig = {
User = "afws"; User = "afws";
Group = "afws"; Group = "afws";
ExecStart = "${afws}/bin/afws_server"; ExecStart = ''
${afws}/bin/afws_server \
--log-file ${config.services.afws.logFile} \
--log-backup-count ${toString config.services.afws.logBackupCount}
'';
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
}; };
path = [ pkgs.nix pkgs.git ]; path = [ pkgs.nix pkgs.git ];

View File

@ -26,9 +26,10 @@ let
${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql ${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql
exec 6< /etc/nixos/secret/backup-passphrase exec 6< /etc/nixos/secret/backup-passphrase
${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \ ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \
${pkgs.bzip2}/bin/bzip2 | \ ${pkgs.bzip2}/bin/bzip2 | \
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6 ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
''; '';

View File

@ -6,6 +6,9 @@ let
netifLan = "enp5s0f1"; netifLan = "enp5s0f1";
netifWifi = "wlp6s0"; netifWifi = "wlp6s0";
netifSit = "henet0"; netifSit = "henet0";
netifUSA = "trump0";
netifAlt = "alt0";
netifAltVlan = "vlan0";
hydraWwwOutputs = "/var/www/hydra-outputs"; hydraWwwOutputs = "/var/www/hydra-outputs";
in in
{ {
@ -17,8 +20,8 @@ in
./afws-module.nix ./afws-module.nix
./rt.nix ./rt.nix
(builtins.fetchTarball { (builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/41059fc548088e49e3ddb3a2b4faeb5de018e60f/nixos-mailserver-nixos.tar.gz"; url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/af7d3bf5daeba3fc28089b015c0dd43f06b176f2/nixos-mailserver-nixos.tar.gz";
sha256 = "sha256:0xvch92yi4mc1acj08461wrgrva63770aiis02vpvaa7a1xqaibv"; sha256 = "sha256:1j0r52ij5pw8b8wc5xz1bmm5idwkmsnwpla6smz8gypcjls860ma";
}) })
]; ];
@ -90,6 +93,15 @@ in
allowedTCPPorts = [ 53 80 443 2222 7402 ]; allowedTCPPorts = [ 53 80 443 2222 7402 ];
allowedUDPPorts = [ 53 67 500 4500 ]; allowedUDPPorts = [ 53 67 500 4500 ];
trustedInterfaces = [ netifLan ]; trustedInterfaces = [ netifLan ];
logRefusedConnections = false;
extraCommands = ''
iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
'';
extraStopCommands = ''
iptables -D INPUT -s 5.78.86.156 -p gre -j ACCEPT
iptables -D INPUT -s 5.78.86.156 -p ah -j ACCEPT
'';
}; };
useDHCP = false; useDHCP = false;
interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
@ -176,11 +188,21 @@ in
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
iptables -w -A FORWARD -j block-insecure-devices iptables -w -A FORWARD -j block-insecure-devices
iptables -w -N pccw-sucks
iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
iptables -A pccw-sucks -o ${netifUSA} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
iptables -w -A FORWARD -j pccw-sucks
''; '';
extraStopCommands = '' extraStopCommands = ''
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
iptables -w -F block-insecure-devices 2>/dev/null|| true iptables -w -F block-insecure-devices 2>/dev/null|| true
iptables -w -X block-insecure-devices 2>/dev/null|| true iptables -w -X block-insecure-devices 2>/dev/null|| true
iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
iptables -w -F pccw-sucks 2>/dev/null|| true
iptables -w -X pccw-sucks 2>/dev/null|| true
''; '';
}; };
sits."${netifSit}" = { sits."${netifSit}" = {
@ -193,14 +215,37 @@ in
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }]; addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
routes = [{ address = "::"; prefixLength = 0; }]; routes = [{ address = "::"; prefixLength = 0; }];
}; };
greTunnels.alt0 = { greTunnels."${netifUSA}" = {
dev = netifWan;
remote = "5.78.86.156";
local = "94.190.212.123";
ttl = 255;
type = "tun";
};
greTunnels."${netifAlt}" = {
dev = netifWan; dev = netifWan;
remote = "103.206.98.1"; remote = "103.206.98.1";
local = "94.190.212.123"; local = "94.190.212.123";
ttl = 255; ttl = 255;
type = "tun"; type = "tun";
}; };
interfaces.alt0 = { interfaces."${netifUSA}" = {
ipv4.addresses = [
{
address = "10.47.3.1";
prefixLength = 31;
}
];
ipv4.routes = [
{
address = "0.0.0.0";
prefixLength = 0;
via = "10.47.3.0";
options.table = "3";
}
];
};
interfaces."${netifAlt}" = {
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "103.206.98.227"; address = "103.206.98.227";
@ -217,12 +262,12 @@ in
]; ];
}; };
vlans = { vlans = {
vlan0 = { "${netifAltVlan}" = {
id = 2; id = 2;
interface = netifLan; interface = netifLan;
}; };
}; };
interfaces.vlan0 = { interfaces."${netifAltVlan}" = {
ipv4.addresses = [{ ipv4.addresses = [{
address = "103.206.98.200"; address = "103.206.98.200";
prefixLength = 29; prefixLength = 29;
@ -255,7 +300,7 @@ in
id = "fqdn:igw0.hkg.as150788.net"; id = "fqdn:igw0.hkg.as150788.net";
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ]; pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
}; };
children.alt0 = { children."${netifAlt}" = {
mode = "transport"; mode = "transport";
ah_proposals = [ "sha256-curve25519" ]; ah_proposals = [ "sha256-curve25519" ];
remote_ts = [ "103.206.98.1[gre]" ]; remote_ts = [ "103.206.98.1[gre]" ];
@ -263,6 +308,27 @@ in
start_action = "start"; start_action = "start";
}; };
}; };
services.strongswan-swanctl.swanctl.connections.usa = {
local_addrs = [ "94.190.212.123" ];
remote_addrs = [ "5.78.86.156" ];
local.main = {
auth = "pubkey";
id = "fqdn:m-labs.hk";
pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
};
remote.main = {
auth = "pubkey";
id = "fqdn:m-labs-intl.com";
pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
};
children."${netifUSA}" = {
mode = "transport";
ah_proposals = [ "sha256-curve25519" ];
remote_ts = [ "5.78.86.156[gre]" ];
local_ts = [ "94.190.212.123[gre]" ];
start_action = "start";
};
};
systemd.services.network-custom-route-backup = { systemd.services.network-custom-route-backup = {
wantedBy = [ "network.target" ]; wantedBy = [ "network.target" ];
@ -273,6 +339,15 @@ in
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2"; ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
}; };
}; };
systemd.services.network-custom-route-usa = {
wantedBy = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
};
};
systemd.services.network-custom-route-alt = { systemd.services.network-custom-route-alt = {
wantedBy = [ "network.target" ]; wantedBy = [ "network.target" ];
serviceConfig = { serviceConfig = {
@ -375,10 +450,14 @@ in
notify explicit; notify explicit;
also-notify { also-notify {
216.218.130.2; # ns1.he.net 216.218.130.2; # ns1.he.net
213.239.220.50; # ns1.qnetp.net
88.198.32.245; # new qnetp
}; };
''; '';
slaves = [ slaves = [
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net "216.218.133.2" "2001:470:600::2" # slave.dns.he.net
"213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net
"88.198.32.245" # new qnetp
]; ];
}; };
"200-29.98.206.103.in-addr.arpa" = { "200-29.98.206.103.in-addr.arpa" = {
@ -412,6 +491,7 @@ in
enable = true; enable = true;
radios.${netifWifi} = { radios.${netifWifi} = {
band = "2g"; band = "2g";
channel = 7;
countryCode = "HK"; countryCode = "HK";
networks.${netifWifi} = { networks.${netifWifi} = {
ssid = "M-Labs"; ssid = "M-Labs";
@ -461,11 +541,6 @@ in
"/kasli/192.168.1.70" "/kasli/192.168.1.70"
"/kasli-customer/192.168.1.75" "/kasli-customer/192.168.1.75"
"/stabilizer-customer/192.168.1.76" "/stabilizer-customer/192.168.1.76"
# Google can't do DNS geolocation correctly and slows down websites of everyone using
# their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
# cannot reach.
"/fonts.googleapis.com/142.250.207.74"
]; ];
dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077 dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
@ -491,10 +566,23 @@ in
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget vim git file lm_sensors acpi pciutils psmisc nixops_unstable_minimal lm_sensors
irssi tmux usbutils imagemagick jq zip unzip acpi
usbutils
pciutils
iw iw
nvme-cli nvme-cli
smartmontools
psmisc
wget
vim
git
file
imagemagick
jq
nixops_unstable_minimal
borgbackup borgbackup
bind bind
waypipe waypipe
@ -524,6 +612,7 @@ in
services.openssh.settings.X11Forwarding = true; services.openssh.settings.X11Forwarding = true;
services.openssh.authorizedKeysInHomedir = false; services.openssh.authorizedKeysInHomedir = false;
programs.mosh.enable = true; programs.mosh.enable = true;
programs.tmux.enable = true;
programs.fish.enable = true; programs.fish.enable = true;
programs.zsh.enable = true; programs.zsh.enable = true;
@ -550,7 +639,6 @@ in
SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp" SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
''; '';
sound.enable = true;
services.mpd.enable = true; services.mpd.enable = true;
services.mpd.musicDirectory = "/tank/sb-public/FLAC"; services.mpd.musicDirectory = "/tank/sb-public/FLAC";
services.mpd.network.listenAddress = "192.168.1.1"; services.mpd.network.listenAddress = "192.168.1.1";
@ -567,38 +655,23 @@ in
users.extraUsers.root = { users.extraUsers.root = {
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
]; ];
shell = pkgs.fish; shell = pkgs.fish;
}; };
# https://github.com/NixOS/nixpkgs/issues/155357 # https://github.com/NixOS/nixpkgs/issues/155357
security.sudo.enable = true; security.sudo.enable = true;
# M-Labs HK
users.extraUsers.sb = { users.extraUsers.sb = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["lp" "scanner" "afws" "audio"]; extraGroups = ["lp" "scanner" "afws" "audio"];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
]; ];
shell = pkgs.fish; shell = pkgs.fish;
}; };
users.extraUsers.rj = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
];
};
users.extraUsers.nkrackow = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
];
};
users.extraUsers.spaqin = { users.extraUsers.spaqin = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["lp" "afws"]; extraGroups = ["lp" "afws"];
@ -620,6 +693,35 @@ in
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
]; ];
}; };
# M-Labs PH
users.extraUsers.flo = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
];
};
# QUARTIQ
users.extraUsers.rj = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
];
};
users.extraUsers.eduardotenholder = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu6yhjCoZ62eamYrAXtFefDhplTRUIdD4tncwlkyAEH"
];
};
# HKUST
users.extraUsers.derppening = { users.extraUsers.derppening = {
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
@ -630,7 +732,6 @@ in
users.extraUsers.nix = { users.extraUsers.nix = {
isNormalUser = true; isNormalUser = true;
}; };
boot.kernel.sysctl."kernel.dmesg_restrict" = true;
services.udev.packages = [ pkgs.sane-backends ]; services.udev.packages = [ pkgs.sane-backends ];
nix.settings.max-jobs = 10; nix.settings.max-jobs = 10;
@ -651,6 +752,10 @@ in
job = web:web:web job = web:web:web
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
</runcommand> </runcommand>
<runcommand>
job = web:web:web-intl
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/
</runcommand>
<runcommand> <runcommand>
job = web:web:nmigen-docs job = web:web:nmigen-docs
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
@ -762,6 +867,10 @@ in
services.gitea = { services.gitea = {
enable = true; enable = true;
appName = "M-Labs Git"; appName = "M-Labs Git";
database = {
type = "postgres";
socket = "/run/postgresql";
};
mailerPasswordFile = "/etc/nixos/secret/mailerpassword"; mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
settings = { settings = {
server = { server = {
@ -809,32 +918,45 @@ in
siteUrl = "https://chat.m-labs.hk/"; siteUrl = "https://chat.m-labs.hk/";
mutableConfig = true; mutableConfig = true;
}; };
services.postgresql.package = pkgs.postgresql_12;
services.matterbridge = { services.matterbridge = {
enable = true; enable = true;
configPath = "/etc/nixos/secret/matterbridge.toml"; configPath = "/etc/nixos/secret/matterbridge.toml";
}; };
services.postgresql = {
package = pkgs.postgresql_15;
settings.listen_addresses = pkgs.lib.mkForce "";
identMap =
''
rt rt rt_user
'';
};
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in { nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
nix = super.nix.overrideAttrs(oa: { nix = super.nix.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ]; patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
}); });
hydra_unstable = super.hydra_unstable.overrideAttrs(oa: { hydra = super.hydra.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ patches = oa.patches or [] ++ [
./hydra-conda.patch ./hydra-conda.patch
./hydra-msys2.patch ./hydra-msys2.patch
./hydra-restrictdist.patch
]; ];
hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ]; hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above. doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
}); });
mattermost = super.mattermost.overrideAttrs(oa: {
postInstall = oa.postInstall +
''
sed -i.bak "s/FREE EDITION//g" $out/client/*.js $out/client/*.js.map
'';
});
matterbridge = super.matterbridge.overrideAttrs(oa: { matterbridge = super.matterbridge.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ]; patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ];
}); });
}; };
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "sb" + "@m-labs.hk"; security.acme.defaults.email = "sb@m-labs.hk";
# https://github.com/NixOS/nixpkgs/issues/106862 # https://github.com/NixOS/nixpkgs/issues/106862
systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ]; systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
@ -864,7 +986,7 @@ in
expires 60d; expires 60d;
''; '';
}; };
locations."/nuc-netboot/".alias = "${import ./defenestrate}/"; locations."/nuc-netboot/".alias = "${import ./defenestrate { prioNixbld = true; } }/";
# legacy URLs, redirect to avoid breaking people's bookmarks # legacy URLs, redirect to avoid breaking people's bookmarks
locations."/gateware.html".extraConfig = '' locations."/gateware.html".extraConfig = ''
@ -922,9 +1044,17 @@ in
}; };
in { in {
"m-labs.hk" = mainWebsite; "m-labs.hk" = mainWebsite;
"www.m-labs.hk" = mainWebsite; "www.m-labs.hk" = {
addSSL = true;
enableACME = true;
globalRedirect = "m-labs.hk";
};
"m-labs.ph" = mainWebsite; "m-labs.ph" = mainWebsite;
"www.m-labs.ph" = mainWebsite; "www.m-labs.ph" = {
addSSL = true;
enableACME = true;
globalRedirect = "m-labs.ph";
};
"nixbld.m-labs.hk" = { "nixbld.m-labs.hk" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@ -1025,15 +1155,6 @@ in
"forum.m-labs.hk" = { "forum.m-labs.hk" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
root = "/var/www/flarum/public";
locations."~ \.php$".extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
fastcgi_index index.php;
'';
extraConfig = ''
index index.php;
include /var/www/flarum/.nginx.conf;
'';
}; };
"perso.m-labs.hk" = { "perso.m-labs.hk" = {
addSSL = true; addSSL = true;
@ -1080,7 +1201,7 @@ in
"www.193thz.com" = { "www.193thz.com" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
root = "/var/www/193thz"; globalRedirect = "193thz.com";
}; };
"nmigen.net" = { "nmigen.net" = {
addSSL = true; addSSL = true;
@ -1090,7 +1211,7 @@ in
"www.nmigen.net" = { "www.nmigen.net" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
root = "${hydraWwwOutputs}/nmigen-docs"; globalRedirect = "nmigen.net";
}; };
}; };
}; };
@ -1105,23 +1226,17 @@ in
}; };
}; };
}; };
services.mysql = { services.mysql = {
enable = true; enable = true;
package = pkgs.mariadb; package = pkgs.lib.mkForce pkgs.mariadb;
}; ensureDatabases = pkgs.lib.mkForce [];
services.phpfpm.pools.flarum = { ensureUsers = pkgs.lib.mkForce [];
user = "nobody";
settings = {
"listen.owner" = "nginx";
"listen.group" = "nginx";
"listen.mode" = "0600";
"pm" = "dynamic";
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
}; };
services.flarum = {
enable = true;
package = pkgs.callPackage ./flarum {};
domain = "forum.m-labs.hk";
}; };
services.rt = { services.rt = {
@ -1146,7 +1261,18 @@ in
Restart = "on-failure"; Restart = "on-failure";
User = "rt"; User = "rt";
Group = "rt"; Group = "rt";
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'"; ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail.pid -f /etc/nixos/secret/rt_fetchmailrc'";
};
};
systemd.services.rt-fetchmail-intl = {
description = "Fetchmail for RT (intl)";
wantedBy = [ "multi-user.target" ];
after = [ "dovecot2.service" ];
serviceConfig = {
Restart = "on-failure";
User = "rt";
Group = "rt";
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail-intl.pid -f /etc/nixos/secret/rt_fetchmailrc_intl'";
}; };
}; };
@ -1154,11 +1280,28 @@ in
enable = true; enable = true;
localDnsResolver = false; # conflicts with dnsmasq localDnsResolver = false; # conflicts with dnsmasq
fqdn = "mail.m-labs.hk"; fqdn = "mail.m-labs.hk";
domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ]; domains = [ "m-labs.hk" "m-labs.ph" "m-labs-intl.com" "193thz.com" "malloctech.fr" ];
enablePop3 = true; enablePop3 = true;
enablePop3Ssl = true; enablePop3Ssl = true;
certificateScheme = "acme-nginx"; certificateScheme = "acme-nginx";
} // (import /etc/nixos/secret/email_settings.nix); } // (import /etc/nixos/secret/email_settings.nix);
services.postfix = {
mapFiles."sender_transport" = builtins.toFile "sender_transport" ''
@m-labs-intl.com intltunnel:
'';
config = {
sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
};
masterConfig."intltunnel" = {
type = "unix";
command = "smtp";
args = [
"-o" "inet_interfaces=10.47.3.1"
"-o" "smtp_helo_name=mail.m-labs-intl.com"
"-o" "inet_protocols=ipv4"
];
};
};
services.roundcube = { services.roundcube = {
enable = true; enable = true;
hostName = "mail.m-labs.hk"; hostName = "mail.m-labs.hk";
@ -1171,7 +1314,8 @@ in
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud29; package = pkgs.nextcloud30;
extraApps = { inherit (config.services.nextcloud.package.packages.apps) forms; };
hostName = "files.m-labs.hk"; hostName = "files.m-labs.hk";
https = true; https = true;
maxUploadSize = "2G"; maxUploadSize = "2G";

9796
nixbld-etc-nixos/flarum/composer.lock generated Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,39 @@
{
lib,
php,
fetchFromGitHub,
fetchpatch,
}:
php.buildComposerProject (finalAttrs: {
pname = "flarum";
version = "1.8.1";
src = fetchFromGitHub {
owner = "flarum";
repo = "flarum";
rev = "v${finalAttrs.version}";
hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
};
patches = [
# Add useful extensions from https://github.com/FriendsOfFlarum
# Extensions included: fof/upload, fof/polls, fof/subscribed
./fof-extensions.patch
];
composerLock = ./composer.lock;
composerStrictValidation = false;
vendorHash = "sha256-GLE5ZtzZmQ8YbitV6LG744QHoGxlj5TfC5wP2a3eFpU=";
meta = with lib; {
changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
description = "Flarum is a delightfully simple discussion platform for your website";
homepage = "https://github.com/flarum/flarum";
license = lib.licenses.mit;
maintainers = with maintainers; [
fsagbuya
jasonodoom
];
};
})

View File

@ -0,0 +1,16 @@
diff --git a/composer.json b/composer.json
index c63b5f8..5ad1186 100644
--- a/composer.json
+++ b/composer.json
@@ -37,7 +37,10 @@
"flarum/sticky": "*",
"flarum/subscriptions": "*",
"flarum/suspend": "*",
- "flarum/tags": "*"
+ "flarum/tags": "*",
+ "fof/polls": "*",
+ "fof/subscribed": "*",
+ "fof/upload": "*"
},
"config": {
"preferred-install": "dist",

View File

@ -15,7 +15,7 @@
<div class="ui stackable middle very relaxed page grid"> <div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column"> <div class="sixteen wide center column">
<p class="large"> <p class="large">
Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-***.hk stating the username you would like to have. Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-labs.hk stating the username you would like to have.
</p> </p>
</div> </div>
</div> </div>

View File

@ -4,7 +4,7 @@
<div class="ui middle very relaxed page grid"> <div class="ui middle very relaxed page grid">
<div class="ui container column fluid"> <div class="ui container column fluid">
{{template "user/auth/signin_inner" .}} {{template "user/auth/signin_inner" .}}
To get an account (also available to external contributors), simply write to sb@m-***s.hk. To get an account (also available to external contributors), simply write to sb@m-labs.hk.
</div> </div>
</div> </div>
</div> </div>

View File

@ -1,32 +0,0 @@
diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm
index a9b0d558..71869ba0 100644
--- a/src/lib/Hydra/Controller/Root.pm
+++ b/src/lib/Hydra/Controller/Root.pm
@@ -19,6 +19,11 @@ use Net::Prometheus;
# Put this controller at top-level.
__PACKAGE__->config->{namespace} = '';
+sub isRedistRestricted {
+ my ($path) = @_;
+
+ return index($path, "-RESTRICTDIST-") >= 0;
+}
sub noLoginNeeded {
my ($c) = @_;
@@ -319,6 +324,7 @@ sub nar :Local :Args(1) {
$path = $Nix::Config::storeDir . "/$path";
gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path);
+ notFound($c, "Redistribution restricted") if isRedistRestricted($path);
$c->stash->{current_view} = 'NixNAR';
$c->stash->{storePath} = $path;
@@ -368,6 +374,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
setCacheHeaders($c, 60 * 60);
return;
}
+ notFound($c, "Redistribution restricted") if isRedistRestricted($path);
$c->stash->{storePath} = $path;
$c->forward('Hydra::View::NARInfo');

View File

@ -1,7 +1,7 @@
$TTL 7200 $TTL 7200
@ SOA ns.m-labs-intl.com. sb.m-labs.hk. ( @ SOA ns.m-labs-intl.com. sb.m-labs.hk. (
2024060601 2024101401
7200 7200
3600 3600
86400 86400
@ -10,11 +10,21 @@ $TTL 7200
NS ns.m-labs-intl.com. NS ns.m-labs-intl.com.
NS ns1.he.net. NS ns1.he.net.
NS ns1.qnetp.net.
A 5.78.86.156 A 5.78.86.156
AAAA 2a01:4ff:1f0:83de::1 AAAA 2a01:4ff:1f0:83de::1
MX 10 mail.m-labs-intl.com.
TXT "v=spf1 mx -all"
TXT "google-site-verification=BlQd5_5wWW7calKC7bZA0GdoxR8-zj4gwJEg9sGJ3l8"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1768317117"
ns A 94.190.212.123 ns A 94.190.212.123
ns AAAA 2001:470:18:390::2 ns AAAA 2001:470:18:390::2
mail A 5.78.86.156
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
www CNAME @ www CNAME @
hooks CNAME @

View File

@ -1,7 +1,7 @@
$TTL 7200 $TTL 7200
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. ( @ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
2024060201 2024080501
7200 7200
3600 3600
86400 86400
@ -43,17 +43,7 @@ files CNAME @
docs CNAME @ docs CNAME @
rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93 rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93
rpi-2 AAAA 2001:470:f891:1:ba27:ebff:fef0:e9e6
rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9 rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9
chiron AAAA 2001:470:f891:1:7f02:9ebf:bee9:3dc7
old-nixbld AAAA 2001:470:f891:1:a07b:f49a:a4ef:aad9
zeus AAAA 2001:470:f891:1:4fd7:e70a:68bf:e9c1
franz AAAA 2001:470:f891:1:1b65:a743:2335:f5c6
hera AAAA 2001:470:f891:1:8b5e:404d:ef4e:9d92
hestia AAAA 2001:470:f891:1:881c:f409:a090:8401
vulcan AAAA 2001:470:f891:1:105d:3f15:bd53:c5ac
aux A 42.200.147.171
router.alt A 103.206.98.200 router.alt A 103.206.98.200
stewardship1.alt A 103.206.98.201 stewardship1.alt A 103.206.98.201

View File

@ -1,8 +1,8 @@
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 64b55ca6a..9b4e52b8e 100644 index 2a09e3dd4..7dc03855f 100644
--- a/src/libstore/build/local-derivation-goal.cc --- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc +++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild() @@ -197,6 +197,8 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
assert(derivationType); assert(derivationType);
@ -11,7 +11,7 @@ index 64b55ca6a..9b4e52b8e 100644
/* Are we doing a chroot build? */ /* Are we doing a chroot build? */
{ {
auto noChroot = parsedDrv->getBoolAttr("__noChroot"); auto noChroot = parsedDrv->getBoolAttr("__noChroot");
@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild() @@ -214,7 +216,7 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
else if (settings.sandboxMode == smDisabled) else if (settings.sandboxMode == smDisabled)
useChroot = false; useChroot = false;
else if (settings.sandboxMode == smRelaxed) else if (settings.sandboxMode == smRelaxed)
@ -20,7 +20,7 @@ index 64b55ca6a..9b4e52b8e 100644
} }
auto & localStore = getLocalStore(); auto & localStore = getLocalStore();
@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder() @@ -737,7 +739,7 @@ void LocalDerivationGoal::startBuilder()
"nogroup:x:65534:\n", sandboxGid())); "nogroup:x:65534:\n", sandboxGid()));
/* Create /etc/hosts with localhost entry. */ /* Create /etc/hosts with localhost entry. */
@ -29,7 +29,7 @@ index 64b55ca6a..9b4e52b8e 100644
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n"); writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
/* Make the closure of the inputs available in the chroot, /* Make the closure of the inputs available in the chroot,
@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder() @@ -938,7 +940,7 @@ void LocalDerivationGoal::startBuilder()
us. us.
*/ */
@ -38,16 +38,16 @@ index 64b55ca6a..9b4e52b8e 100644
privateNetwork = true; privateNetwork = true;
userNamespaceSync.create(); userNamespaceSync.create();
@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv() @@ -1177,7 +1179,7 @@ void LocalDerivationGoal::initEnv()
to the builder is generally impure, but the output of to the builder is generally impure, but the output of
fixed-output derivations is by definition pure (since we fixed-output derivations is by definition pure (since we
already know the cryptographic hash of the output). */ already know the cryptographic hash of the output). */
- if (!derivationType->isSandboxed()) { - if (!derivationType->isSandboxed()) {
+ if (networked || !derivationType->isSandboxed()) { + if (networked || !derivationType->isSandboxed()) {
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings())) auto & impureEnv = settings.impureEnv.get();
env[i] = getEnv(i).value_or(""); if (!impureEnv.empty())
} experimentalFeatureSettings.require(Xp::ConfigurableImpureEnv);
@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild() @@ -1851,7 +1853,7 @@ void LocalDerivationGoal::runChild()
/* Fixed-output derivations typically need to access the /* Fixed-output derivations typically need to access the
network, so give them access to /etc/resolv.conf and so network, so give them access to /etc/resolv.conf and so
on. */ on. */
@ -56,7 +56,7 @@ index 64b55ca6a..9b4e52b8e 100644
// Only use nss functions to resolve hosts and // Only use nss functions to resolve hosts and
// services. Dont use it for anything else that may // services. Dont use it for anything else that may
// be configured for this system. This limits the // be configured for this system. This limits the
@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild() @@ -2083,7 +2085,7 @@ void LocalDerivationGoal::runChild()
#include "sandbox-defaults.sb" #include "sandbox-defaults.sb"
; ;
@ -65,12 +65,12 @@ index 64b55ca6a..9b4e52b8e 100644
sandboxProfile += sandboxProfile +=
#include "sandbox-network.sb" #include "sandbox-network.sb"
; ;
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh diff --git a/src/libstore/unix/build/local-derivation-goal.hh b/src/libstore/unix/build/local-derivation-goal.hh
index 0a05081c7..4c251718c 100644 index bf25cf2a6..28f8c1e95 100644
--- a/src/libstore/build/local-derivation-goal.hh --- a/src/libstore/unix/build/local-derivation-goal.hh
+++ b/src/libstore/build/local-derivation-goal.hh +++ b/src/libstore/unix/build/local-derivation-goal.hh
@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal @@ -83,6 +83,8 @@ struct LocalDerivationGoal : public DerivationGoal
*/
Path chrootRootDir; Path chrootRootDir;
+ bool networked; + bool networked;

View File

@ -19,14 +19,9 @@ let
Set($Timezone, '${cfg.timeZone}'); Set($Timezone, '${cfg.timeZone}');
Set($DatabaseType, 'Pg'); Set($DatabaseType, 'Pg');
Set($DatabaseHost, 'localhost'); Set($DatabaseHost, '/run/postgresql');
Set($DatabaseUser, 'rt_user'); Set($DatabaseUser, 'rt');
Set($DatabaseName, 'rt5'); Set($DatabaseName, 'rt5');
# Read database password from file
open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
my $dbpw = do { local $/; <$fh> };
$dbpw =~ s/^\s+|\s+$//g;
Set($DatabasePassword, $dbpw);
# System (Logging) # System (Logging)
Set($LogToSTDERR, undef); # Don't log twice Set($LogToSTDERR, undef); # Don't log twice
@ -35,7 +30,7 @@ let
Set($OwnerEmail, '${cfg.ownerEmail}'); Set($OwnerEmail, '${cfg.ownerEmail}');
Set($MaxAttachmentSize, 15360000); Set($MaxAttachmentSize, 15360000);
Set($CheckMoreMSMailHeaders, 1); Set($CheckMoreMSMailHeaders, 1);
Set($RTAddressRegexp, '^(helpdesk|sales)\@(m-labs.hk)$'); Set($RTAddressRegexp, '^(helpdesk)\@(m-labs.hk|m-labs-intl.com)$');
Set($LoopsToRTOwner, 0); Set($LoopsToRTOwner, 0);
# System (Outgoing mail) # System (Outgoing mail)
@ -154,13 +149,6 @@ in {
type = str; type = str;
}; };
dbPasswordFile = mkOption {
description = "File containing the database password";
type = str;
default = "/etc/nixos/secret/rtpasswd";
internal = true;
};
domain = mkOption { domain = mkOption {
description = "Which domain RT is running on"; description = "Which domain RT is running on";
type = str; type = str;
@ -245,8 +233,6 @@ in {
PrivateNetwork = false; PrivateNetwork = false;
MemoryDenyWriteExecute = false; MemoryDenyWriteExecute = false;
ReadOnlyPaths = [ cfg.dbPasswordFile ];
}; };
environment = { environment = {

View File

@ -4,7 +4,7 @@
root = { root = {
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
]; ];
}; };
sb = { sb = {
@ -12,7 +12,7 @@
extraGroups = ["wheel" "plugdev" "dialout" "libvirtd"]; extraGroups = ["wheel" "plugdev" "dialout" "libvirtd"];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
]; ];
}; };
rj = { rj = {
@ -57,7 +57,7 @@
}; };
esavkin = { esavkin = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["plugdev" "dialout" "libvirtd"]; extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
]; ];
@ -111,13 +111,6 @@
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
]; ];
}; };
architeuthis = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMhLPEGWDUauFHjiVduBMJrIMKT8SvtTDHXDVudUZrhewQy08h4NEEyWmczP4WMeyugI/L/a+J+Vc8mImgqSoHw52823LVcnR9EKnJoqnwAHU/J+41vIWAN2LAryd4p9yg=="
];
};
abdul = { abdul = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["plugdev" "dialout"]; extraGroups = ["plugdev" "dialout"];
@ -125,21 +118,6 @@
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
]; ];
}; };
lyken = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ88QJlh/+F/xwXQlPEmQVmtycb8FfabxCdeiP3gTHUCV8y4PLh3ubY+EsY+Xhy/GlOAPdX7KSpiII3dndYfwZWzorXVoPBhhPKEIumFBOinWfp5kRVzWOD61gCwsYoVBg=="
];
};
wanglm = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNhRITe/qj/zvW2dZbXNmyJxLHPgJAynlWh6NCGGarJbkhj8c1UFLUo2Hv7xqGil4PZnPGru4WwHX0RhWS/I39UPzfVvuntRGenNqqpo2T9Ble80QCawpZ2c07w7FkVq7g=="
];
};
dpn = { dpn = {
isNormalUser = true; isNormalUser = true;

View File

@ -12,6 +12,7 @@ in
boot.loader.systemd-boot.memtest86.enable = true; boot.loader.systemd-boot.memtest86.enable = true;
boot.loader.grub.memtest86.enable = true; boot.loader.grub.memtest86.enable = true;
boot.kernel.sysctl."kernel.dmesg_restrict" = false;
imports = imports =
[ [
@ -64,8 +65,8 @@ in
xournal xournal
xsane xsane
gtkwave unzip zip gnupg gtkwave unzip zip gnupg
gnome3.gnome-tweaks gnome-tweaks
gnome3.ghex ghex
jq sublime3 rink qemu_kvm jq sublime3 rink qemu_kvm
tmux screen gdb minicom picocom tmux screen gdb minicom picocom
artiq.packages.x86_64-linux.openocd-bscanspi artiq.packages.x86_64-linux.openocd-bscanspi
@ -129,17 +130,9 @@ in
nssmdns4 = true; nssmdns4 = true;
}; };
# Enable sound. hardware.graphics.enable32Bit = true;
sound.enable = true;
hardware.pulseaudio = {
enable = true;
package = pkgs.pulseaudioFull;
};
hardware.opengl.driSupport32Bit = true; fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
hardware.pulseaudio.support32Bit = true;
fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
# Enable the X11 windowing system. # Enable the X11 windowing system.
services.xserver.enable = true; services.xserver.enable = true;

View File

@ -23,4 +23,5 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="4121", MODE="0660"
SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev" SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
# DSLogic # DSLogic
SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev" SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
'' ''

View File

@ -1,48 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/3dca09c8-f725-416a-9f89-b69297698ca9";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/4E51-B390";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
nixpkgs.config.nvidia.acceptLicense = true;
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
services.xserver.videoDrivers = [ "nvidia" ];
services.xserver.displayManager.gdm.wayland = false;
system.stateVersion = "23.05";
}

View File

@ -13,7 +13,6 @@
chiron = import ./desktop.nix { host = "chiron"; }; chiron = import ./desktop.nix { host = "chiron"; };
old-nixbld = import ./desktop.nix { host = "old-nixbld"; }; old-nixbld = import ./desktop.nix { host = "old-nixbld"; };
franz = import ./desktop.nix { host = "franz"; }; franz = import ./desktop.nix { host = "franz"; };
juno = import ./desktop.nix { host = "juno"; };
demeter = import ./desktop.nix { host = "demeter"; }; demeter = import ./desktop.nix { host = "demeter"; };
vulcan = import ./desktop.nix { host = "vulcan"; }; vulcan = import ./desktop.nix { host = "vulcan"; };
rc = import ./desktop.nix { host = "rc"; }; rc = import ./desktop.nix { host = "rc"; };

View File

@ -15,6 +15,7 @@ in
boot.loader.generic-extlinux-compatible.enable = true; boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208 boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208
boot.initrd.includeDefaultModules = false; boot.initrd.includeDefaultModules = false;
boot.kernel.sysctl."kernel.dmesg_restrict" = false;
fileSystems = { fileSystems = {
"/" = { "/" = {

49
remote-ipsec.txt Normal file
View File

@ -0,0 +1,49 @@
connections {
bypass-ipsec {
remote_addrs = 127.0.0.1
children {
bypass-isakmp-v4 {
local_ts = 0.0.0.0/0[udp/isakmp]
remote_ts = 0.0.0.0/0[udp/isakmp]
mode = pass
start_action = trap
}
bypass-isakmp-v6 {
local_ts = ::/0[udp/isakmp]
remote_ts = ::/0[udp/isakmp]
mode = pass
start_action = trap
}
}
}
m_labs {
version = 2
encap = no
mobike = no
send_certreq = no
proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
local_addrs = 103.206.98.1
remote_addrs = 94.190.212.123
local {
auth = pubkey
id = fqdn:igw0.hkg.as150788.net
pubkeys = igw0.hkg.as150788.net
}
remote {
auth = pubkey
id = fqdn:m-labs.hk
pubkeys = m-labs.hk
}
children {
con1 {
mode = transport
ah_proposals = sha256-curve25519,sha256-ecp256
esp_proposals =
local_ts = 103.206.98.1[gre]
remote_ts = 94.190.212.123[gre]
start_action = none
close_action = none
}
}
}
}