forked from M-Labs/it-infra
Compare commits
26 Commits
134-intl-c
...
master
|
@ -26,9 +26,10 @@ let
|
|||
${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
|
||||
${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
|
||||
${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
|
||||
${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql
|
||||
|
||||
exec 6< /etc/nixos/secret/backup-passphrase
|
||||
${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \
|
||||
${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \
|
||||
${pkgs.bzip2}/bin/bzip2 | \
|
||||
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
|
||||
'';
|
||||
|
|
|
@ -6,6 +6,8 @@ let
|
|||
netifLan = "enp5s0f1";
|
||||
netifWifi = "wlp6s0";
|
||||
netifSit = "henet0";
|
||||
netifAlt = "alt0";
|
||||
netifAltVlan = "vlan0";
|
||||
hydraWwwOutputs = "/var/www/hydra-outputs";
|
||||
in
|
||||
{
|
||||
|
@ -176,11 +178,20 @@ in
|
|||
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
|
||||
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
|
||||
iptables -w -A FORWARD -j block-insecure-devices
|
||||
|
||||
iptables -w -N pccw-sucks
|
||||
iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
|
||||
iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
||||
iptables -w -A FORWARD -j pccw-sucks
|
||||
'';
|
||||
extraStopCommands = ''
|
||||
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
|
||||
iptables -w -F block-insecure-devices 2>/dev/null|| true
|
||||
iptables -w -X block-insecure-devices 2>/dev/null|| true
|
||||
|
||||
iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
|
||||
iptables -w -F pccw-sucks 2>/dev/null|| true
|
||||
iptables -w -X pccw-sucks 2>/dev/null|| true
|
||||
'';
|
||||
};
|
||||
sits."${netifSit}" = {
|
||||
|
@ -193,14 +204,14 @@ in
|
|||
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
|
||||
routes = [{ address = "::"; prefixLength = 0; }];
|
||||
};
|
||||
greTunnels.alt0 = {
|
||||
greTunnels."${netifAlt}" = {
|
||||
dev = netifWan;
|
||||
remote = "103.206.98.1";
|
||||
local = "94.190.212.123";
|
||||
ttl = 255;
|
||||
type = "tun";
|
||||
};
|
||||
interfaces.alt0 = {
|
||||
interfaces."${netifAlt}" = {
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "103.206.98.227";
|
||||
|
@ -217,12 +228,12 @@ in
|
|||
];
|
||||
};
|
||||
vlans = {
|
||||
vlan0 = {
|
||||
"${netifAltVlan}" = {
|
||||
id = 2;
|
||||
interface = netifLan;
|
||||
};
|
||||
};
|
||||
interfaces.vlan0 = {
|
||||
interfaces."${netifAltVlan}" = {
|
||||
ipv4.addresses = [{
|
||||
address = "103.206.98.200";
|
||||
prefixLength = 29;
|
||||
|
@ -255,7 +266,7 @@ in
|
|||
id = "fqdn:igw0.hkg.as150788.net";
|
||||
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
|
||||
};
|
||||
children.alt0 = {
|
||||
children."${netifAlt}" = {
|
||||
mode = "transport";
|
||||
ah_proposals = [ "sha256-curve25519" ];
|
||||
remote_ts = [ "103.206.98.1[gre]" ];
|
||||
|
@ -263,6 +274,11 @@ in
|
|||
start_action = "start";
|
||||
};
|
||||
};
|
||||
# prevent race condition similar to https://github.com/NixOS/nixpkgs/issues/27070
|
||||
systemd.services.strongswan-swanctl = {
|
||||
after = [ "network-addresses-${netifAlt}.service" ];
|
||||
requires = [ "network-addresses-${netifAlt}.service" ];
|
||||
};
|
||||
|
||||
systemd.services.network-custom-route-backup = {
|
||||
wantedBy = [ "network.target" ];
|
||||
|
@ -375,10 +391,14 @@ in
|
|||
notify explicit;
|
||||
also-notify {
|
||||
216.218.130.2; # ns1.he.net
|
||||
213.239.220.50; # ns1.qnetp.net
|
||||
88.198.32.245; # new qnetp
|
||||
};
|
||||
'';
|
||||
slaves = [
|
||||
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
|
||||
"213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net
|
||||
"88.198.32.245" # new qnetp
|
||||
];
|
||||
};
|
||||
"200-29.98.206.103.in-addr.arpa" = {
|
||||
|
@ -620,6 +640,13 @@ in
|
|||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
|
||||
];
|
||||
};
|
||||
users.extraUsers.flo = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["afws"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
|
||||
];
|
||||
};
|
||||
users.extraUsers.derppening = {
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
|
@ -651,6 +678,10 @@ in
|
|||
job = web:web:web
|
||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
|
||||
</runcommand>
|
||||
<runcommand>
|
||||
job = web:web:web-intl
|
||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@5.78.86.156:/var/www/m-labs-intl.com/html/
|
||||
</runcommand>
|
||||
<runcommand>
|
||||
job = web:web:nmigen-docs
|
||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
|
||||
|
@ -762,6 +793,10 @@ in
|
|||
services.gitea = {
|
||||
enable = true;
|
||||
appName = "M-Labs Git";
|
||||
database = {
|
||||
type = "postgres";
|
||||
socket = "/run/postgresql";
|
||||
};
|
||||
mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
|
||||
settings = {
|
||||
server = {
|
||||
|
@ -809,12 +844,20 @@ in
|
|||
siteUrl = "https://chat.m-labs.hk/";
|
||||
mutableConfig = true;
|
||||
};
|
||||
services.postgresql.package = pkgs.postgresql_12;
|
||||
services.matterbridge = {
|
||||
enable = true;
|
||||
configPath = "/etc/nixos/secret/matterbridge.toml";
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
package = pkgs.postgresql_15;
|
||||
settings.listen_addresses = pkgs.lib.mkForce "";
|
||||
identMap =
|
||||
''
|
||||
rt rt rt_user
|
||||
'';
|
||||
};
|
||||
|
||||
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
|
||||
nix = super.nix.overrideAttrs(oa: {
|
||||
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
|
||||
|
@ -1025,15 +1068,6 @@ in
|
|||
"forum.m-labs.hk" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
root = "/var/www/flarum/public";
|
||||
locations."~ \.php$".extraConfig = ''
|
||||
fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
|
||||
fastcgi_index index.php;
|
||||
'';
|
||||
extraConfig = ''
|
||||
index index.php;
|
||||
include /var/www/flarum/.nginx.conf;
|
||||
'';
|
||||
};
|
||||
"perso.m-labs.hk" = {
|
||||
addSSL = true;
|
||||
|
@ -1105,23 +1139,18 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.mysql = {
|
||||
enable = true;
|
||||
package = pkgs.mariadb;
|
||||
};
|
||||
services.phpfpm.pools.flarum = {
|
||||
user = "nobody";
|
||||
settings = {
|
||||
"listen.owner" = "nginx";
|
||||
"listen.group" = "nginx";
|
||||
"listen.mode" = "0600";
|
||||
"pm" = "dynamic";
|
||||
"pm.max_children" = 5;
|
||||
"pm.start_servers" = 2;
|
||||
"pm.min_spare_servers" = 1;
|
||||
"pm.max_spare_servers" = 3;
|
||||
"pm.max_requests" = 500;
|
||||
package = pkgs.lib.mkForce pkgs.mariadb;
|
||||
ensureDatabases = pkgs.lib.mkForce [];
|
||||
ensureUsers = pkgs.lib.mkForce [];
|
||||
};
|
||||
services.flarum = {
|
||||
enable = true;
|
||||
package = pkgs.callPackage ./flarum {};
|
||||
domain = "forum.m-labs.hk";
|
||||
createDatabaseLocally = true;
|
||||
};
|
||||
|
||||
services.rt = {
|
||||
|
@ -1154,10 +1183,11 @@ in
|
|||
enable = true;
|
||||
localDnsResolver = false; # conflicts with dnsmasq
|
||||
fqdn = "mail.m-labs.hk";
|
||||
domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ];
|
||||
domains = [ "m-labs.hk" "m-labs.ph" "m-labs-intl.com" "193thz.com" "malloctech.fr" ];
|
||||
enablePop3 = true;
|
||||
enablePop3Ssl = true;
|
||||
certificateScheme = "acme-nginx";
|
||||
policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
|
||||
} // (import /etc/nixos/secret/email_settings.nix);
|
||||
services.roundcube = {
|
||||
enable = true;
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
lib,
|
||||
php,
|
||||
fetchFromGitHub,
|
||||
fetchpatch,
|
||||
}:
|
||||
|
||||
php.buildComposerProject (finalAttrs: {
|
||||
pname = "flarum";
|
||||
version = "1.8.1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "flarum";
|
||||
repo = "flarum";
|
||||
rev = "v${finalAttrs.version}";
|
||||
hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
|
||||
};
|
||||
|
||||
patches = [
|
||||
# Add useful extensions from https://github.com/FriendsOfFlarum
|
||||
# Extensions included: fof/upload, fof/polls, fof/subscribed
|
||||
./fof-extensions.patch
|
||||
];
|
||||
|
||||
composerLock = ./composer.lock;
|
||||
composerStrictValidation = false;
|
||||
vendorHash = "sha256-z3KVGmILw8MZ4aaSf6IP/0l16LI/Y2yMzY2KMHf4qSg=";
|
||||
|
||||
meta = with lib; {
|
||||
changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
|
||||
description = "Flarum is a delightfully simple discussion platform for your website";
|
||||
homepage = "https://github.com/flarum/flarum";
|
||||
license = lib.licenses.mit;
|
||||
maintainers = with maintainers; [
|
||||
fsagbuya
|
||||
jasonodoom
|
||||
];
|
||||
};
|
||||
})
|
|
@ -0,0 +1,16 @@
|
|||
diff --git a/composer.json b/composer.json
|
||||
index c63b5f8..5ad1186 100644
|
||||
--- a/composer.json
|
||||
+++ b/composer.json
|
||||
@@ -37,7 +37,10 @@
|
||||
"flarum/sticky": "*",
|
||||
"flarum/subscriptions": "*",
|
||||
"flarum/suspend": "*",
|
||||
- "flarum/tags": "*"
|
||||
+ "flarum/tags": "*",
|
||||
+ "fof/polls": "*",
|
||||
+ "fof/subscribed": "*",
|
||||
+ "fof/upload": "*"
|
||||
},
|
||||
"config": {
|
||||
"preferred-install": "dist",
|
|
@ -1,7 +1,7 @@
|
|||
$TTL 7200
|
||||
|
||||
@ SOA ns.m-labs-intl.com. sb.m-labs.hk. (
|
||||
2024060601
|
||||
2024081503
|
||||
7200
|
||||
3600
|
||||
86400
|
||||
|
@ -10,11 +10,22 @@ $TTL 7200
|
|||
|
||||
NS ns.m-labs-intl.com.
|
||||
NS ns1.he.net.
|
||||
NS ns1.qnetp.net.
|
||||
|
||||
A 5.78.86.156
|
||||
AAAA 2a01:4ff:1f0:83de::1
|
||||
MX 10 mail.m-labs-intl.com.
|
||||
TXT "v=spf1 mx -all"
|
||||
TXT "google-site-verification=BlQd5_5wWW7calKC7bZA0GdoxR8-zj4gwJEg9sGJ3l8"
|
||||
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1768317117"
|
||||
|
||||
ns A 94.190.212.123
|
||||
ns AAAA 2001:470:18:390::2
|
||||
|
||||
mail A 5.78.86.156
|
||||
mail AAAA 2a01:4ff:1f0:83de::1
|
||||
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
|
||||
_dmarc TXT "v=DMARC1; p=none"
|
||||
|
||||
www CNAME @
|
||||
hooks CNAME @
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
$TTL 7200
|
||||
|
||||
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
|
||||
2024060201
|
||||
2024080501
|
||||
7200
|
||||
3600
|
||||
86400
|
||||
|
@ -43,17 +43,7 @@ files CNAME @
|
|||
docs CNAME @
|
||||
|
||||
rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93
|
||||
rpi-2 AAAA 2001:470:f891:1:ba27:ebff:fef0:e9e6
|
||||
rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9
|
||||
chiron AAAA 2001:470:f891:1:7f02:9ebf:bee9:3dc7
|
||||
old-nixbld AAAA 2001:470:f891:1:a07b:f49a:a4ef:aad9
|
||||
zeus AAAA 2001:470:f891:1:4fd7:e70a:68bf:e9c1
|
||||
franz AAAA 2001:470:f891:1:1b65:a743:2335:f5c6
|
||||
hera AAAA 2001:470:f891:1:8b5e:404d:ef4e:9d92
|
||||
hestia AAAA 2001:470:f891:1:881c:f409:a090:8401
|
||||
vulcan AAAA 2001:470:f891:1:105d:3f15:bd53:c5ac
|
||||
|
||||
aux A 42.200.147.171
|
||||
|
||||
router.alt A 103.206.98.200
|
||||
stewardship1.alt A 103.206.98.201
|
||||
|
|
|
@ -19,14 +19,9 @@ let
|
|||
Set($Timezone, '${cfg.timeZone}');
|
||||
|
||||
Set($DatabaseType, 'Pg');
|
||||
Set($DatabaseHost, 'localhost');
|
||||
Set($DatabaseUser, 'rt_user');
|
||||
Set($DatabaseHost, '/run/postgresql');
|
||||
Set($DatabaseUser, 'rt');
|
||||
Set($DatabaseName, 'rt5');
|
||||
# Read database password from file
|
||||
open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
|
||||
my $dbpw = do { local $/; <$fh> };
|
||||
$dbpw =~ s/^\s+|\s+$//g;
|
||||
Set($DatabasePassword, $dbpw);
|
||||
|
||||
# System (Logging)
|
||||
Set($LogToSTDERR, undef); # Don't log twice
|
||||
|
@ -154,13 +149,6 @@ in {
|
|||
type = str;
|
||||
};
|
||||
|
||||
dbPasswordFile = mkOption {
|
||||
description = "File containing the database password";
|
||||
type = str;
|
||||
default = "/etc/nixos/secret/rtpasswd";
|
||||
internal = true;
|
||||
};
|
||||
|
||||
domain = mkOption {
|
||||
description = "Which domain RT is running on";
|
||||
type = str;
|
||||
|
@ -245,8 +233,6 @@ in {
|
|||
|
||||
PrivateNetwork = false;
|
||||
MemoryDenyWriteExecute = false;
|
||||
|
||||
ReadOnlyPaths = [ cfg.dbPasswordFile ];
|
||||
};
|
||||
|
||||
environment = {
|
||||
|
|
|
@ -111,35 +111,6 @@
|
|||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
|
||||
];
|
||||
};
|
||||
architeuthis = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMhLPEGWDUauFHjiVduBMJrIMKT8SvtTDHXDVudUZrhewQy08h4NEEyWmczP4WMeyugI/L/a+J+Vc8mImgqSoHw52823LVcnR9EKnJoqnwAHU/J+41vIWAN2LAryd4p9yg=="
|
||||
];
|
||||
};
|
||||
abdul = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
|
||||
];
|
||||
};
|
||||
lyken = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ88QJlh/+F/xwXQlPEmQVmtycb8FfabxCdeiP3gTHUCV8y4PLh3ubY+EsY+Xhy/GlOAPdX7KSpiII3dndYfwZWzorXVoPBhhPKEIumFBOinWfp5kRVzWOD61gCwsYoVBg=="
|
||||
];
|
||||
};
|
||||
wanglm = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNhRITe/qj/zvW2dZbXNmyJxLHPgJAynlWh6NCGGarJbkhj8c1UFLUo2Hv7xqGil4PZnPGru4WwHX0RhWS/I39UPzfVvuntRGenNqqpo2T9Ble80QCawpZ2c07w7FkVq7g=="
|
||||
];
|
||||
};
|
||||
|
||||
|
||||
dpn = {
|
||||
isNormalUser = true;
|
||||
|
|
|
@ -23,4 +23,5 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="4121", MODE="0660"
|
|||
SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
|
||||
# DSLogic
|
||||
SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
|
||||
SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
|
||||
''
|
||||
|
|
|
@ -8,9 +8,9 @@
|
|||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.availableKernelModules = [ "ehci_pci" "ata_piix" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-intel" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
|
@ -18,12 +18,6 @@
|
|||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/4E51-B390";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0022" "dmask=0022" ];
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
|
@ -31,13 +25,13 @@
|
|||
# still possible to use this option, but it's recommended to use it in conjunction
|
||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
|
||||
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
hardware.cpu.intel.updateMicrocode = true;
|
||||
|
||||
boot.loader.systemd-boot.enable = true;
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
|
||||
nixpkgs.config.nvidia.acceptLicense = true;
|
||||
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
connections {
|
||||
bypass-ipsec {
|
||||
remote_addrs = 127.0.0.1
|
||||
children {
|
||||
bypass-isakmp-v4 {
|
||||
local_ts = 0.0.0.0/0[udp/isakmp]
|
||||
remote_ts = 0.0.0.0/0[udp/isakmp]
|
||||
mode = pass
|
||||
start_action = trap
|
||||
}
|
||||
bypass-isakmp-v6 {
|
||||
local_ts = ::/0[udp/isakmp]
|
||||
remote_ts = ::/0[udp/isakmp]
|
||||
mode = pass
|
||||
start_action = trap
|
||||
}
|
||||
}
|
||||
}
|
||||
m_labs {
|
||||
version = 2
|
||||
encap = no
|
||||
mobike = no
|
||||
send_certreq = no
|
||||
proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
|
||||
local_addrs = 103.206.98.1
|
||||
remote_addrs = 94.190.212.123
|
||||
local {
|
||||
auth = pubkey
|
||||
id = fqdn:igw0.hkg.as150788.net
|
||||
pubkeys = igw0.hkg.as150788.net
|
||||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = fqdn:m-labs.hk
|
||||
pubkeys = m-labs.hk
|
||||
}
|
||||
children {
|
||||
con1 {
|
||||
mode = transport
|
||||
ah_proposals = sha256-curve25519,sha256-ecp256
|
||||
esp_proposals =
|
||||
local_ts = 103.206.98.1[gre]
|
||||
remote_ts = 94.190.212.123[gre]
|
||||
start_action = none
|
||||
close_action = none
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue