forked from M-Labs/it-infra
Compare commits
10 Commits
19aee9b59f
...
d1236d548d
Author | SHA1 | Date |
---|---|---|
Florian Agbuya | d1236d548d | |
Sebastien Bourdeauducq | 98c1ecd325 | |
Sébastien Bourdeauducq | 45e718d65a | |
Sébastien Bourdeauducq | 243deb96be | |
Egor Savkin | b1779b57cc | |
Sébastien Bourdeauducq | 4f8d84e3ef | |
Egor Savkin | eabd92d2e8 | |
Sébastien Bourdeauducq | 04a64c3710 | |
Egor Savkin | d27ee750a2 | |
Sébastien Bourdeauducq | 14e9d63ab7 |
|
@ -0,0 +1,18 @@
|
||||||
|
network:
|
||||||
|
version: 2
|
||||||
|
renderer: networkd
|
||||||
|
ethernets:
|
||||||
|
eth0:
|
||||||
|
addresses:
|
||||||
|
- 5.78.86.156/32
|
||||||
|
- 2a01:4ff:1f0:83de::2/64
|
||||||
|
- 2a01:4ff:1f0:83de::3/64
|
||||||
|
- 2a01:4ff:1f0:83de::4/64
|
||||||
|
tunnels:
|
||||||
|
gre1:
|
||||||
|
mode: gre
|
||||||
|
local: 5.78.86.156
|
||||||
|
remote: 94.190.212.123
|
||||||
|
addresses:
|
||||||
|
- 10.47.3.0/31
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
[Unit]
|
||||||
|
Description=GRE tunnel to the main host
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
User=root
|
||||||
|
ExecStart=/root/gretun.sh
|
||||||
|
ExecStop=/root/gretun_down.sh
|
||||||
|
Restart=on-failure
|
||||||
|
RemainAfterExit=yes
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
|
@ -0,0 +1,10 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
|
||||||
|
/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
|
||||||
|
|
||||||
|
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
|
||||||
|
/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
|
||||||
|
|
||||||
|
/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
|
|
@ -0,0 +1,10 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
|
||||||
|
/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
|
||||||
|
|
||||||
|
/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
|
||||||
|
/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
|
||||||
|
|
||||||
|
/usr/sbin/iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
/usr/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
|
|
@ -0,0 +1,81 @@
|
||||||
|
upstream rfq_server {
|
||||||
|
server 127.0.0.1:5000;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
limit_conn addr 5;
|
||||||
|
|
||||||
|
root /var/www/m-labs-intl.com/html;
|
||||||
|
index index.html index.htm index.nginx-debian.html;
|
||||||
|
|
||||||
|
server_name m-labs-intl.com;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
listen [::]:443 ssl ipv6only=on; # managed by Certbot
|
||||||
|
listen 443 ssl; # managed by Certbot
|
||||||
|
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
|
||||||
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||||
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name www.m-labs-intl.com;
|
||||||
|
return 301 https://m-labs-intl.com$request_uri;
|
||||||
|
|
||||||
|
listen [::]:443 ssl; # managed by Certbot
|
||||||
|
listen 443 ssl; # managed by Certbot
|
||||||
|
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
|
||||||
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||||
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name hooks.m-labs-intl.com;
|
||||||
|
limit_conn addr 5;
|
||||||
|
|
||||||
|
location /rfq {
|
||||||
|
proxy_pass http://rfq_server/rfq;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_read_timeout 30;
|
||||||
|
proxy_connect_timeout 30;
|
||||||
|
proxy_send_timeout 30;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 418;
|
||||||
|
}
|
||||||
|
|
||||||
|
listen [::]:443 ssl; # managed by Certbot
|
||||||
|
listen 443 ssl; # managed by Certbot
|
||||||
|
ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
|
||||||
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||||||
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
limit_conn addr 5;
|
||||||
|
if ($host = m-labs-intl.com) {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
} # managed by Certbot
|
||||||
|
|
||||||
|
|
||||||
|
if ($host = www.m-labs-intl.com) {
|
||||||
|
return 301 https://m-labs-intl.com$request_uri;
|
||||||
|
} # managed by Certbot
|
||||||
|
|
||||||
|
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
|
||||||
|
server_name m-labs-intl.com www.m-labs-intl.com hooks.m-labs-intl.com;
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
|
@ -0,0 +1,34 @@
|
||||||
|
|
||||||
|
|
||||||
|
connections {
|
||||||
|
m_labs {
|
||||||
|
version = 2
|
||||||
|
encap = no
|
||||||
|
mobike = no
|
||||||
|
send_certreq = no
|
||||||
|
proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
|
||||||
|
local_addrs = 5.78.86.156
|
||||||
|
remote_addrs = 94.190.212.123
|
||||||
|
local {
|
||||||
|
auth = pubkey
|
||||||
|
id = fqdn:m-labs-intl.com
|
||||||
|
pubkeys = m-labs-intl.com
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = pubkey
|
||||||
|
id = fqdn:m-labs.hk
|
||||||
|
pubkeys = m-labs.hk
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
con1 {
|
||||||
|
mode = transport
|
||||||
|
ah_proposals = sha256-curve25519,sha256-ecp256
|
||||||
|
esp_proposals =
|
||||||
|
local_ts = 5.78.86.156[gre]
|
||||||
|
remote_ts = 94.190.212.123[gre]
|
||||||
|
start_action = start
|
||||||
|
close_action = none
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,65 @@
|
||||||
|
user www-data;
|
||||||
|
worker_processes auto;
|
||||||
|
pid /run/nginx.pid;
|
||||||
|
error_log /var/log/nginx/error.log;
|
||||||
|
include /etc/nginx/modules-enabled/*.conf;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 768;
|
||||||
|
# multi_accept on;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
|
||||||
|
##
|
||||||
|
# Basic Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
tcp_nopush on;
|
||||||
|
types_hash_max_size 2048;
|
||||||
|
# server_tokens off;
|
||||||
|
|
||||||
|
server_names_hash_bucket_size 64;
|
||||||
|
# server_name_in_redirect off;
|
||||||
|
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
##
|
||||||
|
# SSL Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
# Rate limiting
|
||||||
|
limit_conn_zone $binary_remote_addr zone=addr:10m;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Logging Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
access_log /var/log/nginx/access.log;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Gzip Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
gzip on;
|
||||||
|
|
||||||
|
# gzip_vary on;
|
||||||
|
# gzip_proxied any;
|
||||||
|
# gzip_comp_level 6;
|
||||||
|
# gzip_buffers 16 8k;
|
||||||
|
# gzip_http_version 1.1;
|
||||||
|
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Virtual Host Configs
|
||||||
|
##
|
||||||
|
|
||||||
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
include /etc/nginx/sites-enabled/*;
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
[Unit]
|
||||||
|
Description=RFQ service
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=simple
|
||||||
|
User=rfqserver
|
||||||
|
ExecStart=/home/rfqserver/runrfq.sh
|
||||||
|
Restart=on-failure
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
|
@ -0,0 +1,14 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
export FLASK_DEBUG=0
|
||||||
|
export FLASK_MAIL_SERVER=mail.m-labs.hk
|
||||||
|
export FLASK_MAIL_PORT=465
|
||||||
|
export FLASK_MAIL_USE_SSL=True
|
||||||
|
export FLASK_MAIL_USERNAME=sysop-intl@m-labs-intl.com
|
||||||
|
export FLASK_MAIL_PASSWORD_FILE=/home/rfqserver/mail.secret
|
||||||
|
export FLASK_MAIL_RECIPIENT=sales@m-labs.hk
|
||||||
|
export FLASK_MAIL_SENDER=sysop-intl@m-labs-intl.com
|
||||||
|
|
||||||
|
cd /home/rfqserver/web2019/server
|
||||||
|
source venv/bin/activate
|
||||||
|
python3 -m flask --app rfq run --port=5000
|
|
@ -0,0 +1,99 @@
|
||||||
|
# Setup m-labs-intl.com server
|
||||||
|
|
||||||
|
```shell
|
||||||
|
# Install required packages
|
||||||
|
apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
|
||||||
|
strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
|
||||||
|
snap install --classic certbot
|
||||||
|
ln -s /snap/bin/certbot /usr/bin/certbot
|
||||||
|
|
||||||
|
# Set up networks (includes GRE)
|
||||||
|
cp 60-tunnels.yaml /etc/netplan/
|
||||||
|
netplan apply
|
||||||
|
|
||||||
|
# set up IPsec-AH connection
|
||||||
|
cp m-labs.hk.conf /etc/swanctl/conf.d/
|
||||||
|
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
|
||||||
|
sysctl -p
|
||||||
|
cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
|
||||||
|
pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com
|
||||||
|
pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
|
||||||
|
cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
|
||||||
|
systemctl enable strongswan --now
|
||||||
|
systemctl restart strongswan
|
||||||
|
|
||||||
|
# Set up website
|
||||||
|
cp m-labs-intl.com /etc/nginx/sites-available/
|
||||||
|
cp nginx.conf /etc/nginx/
|
||||||
|
ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
|
||||||
|
systemctl enable nginx --now
|
||||||
|
service nginx restart
|
||||||
|
|
||||||
|
# Issue SSL certificate - website only, the mail is on the HK side
|
||||||
|
certbot --nginx
|
||||||
|
service nginx restart
|
||||||
|
|
||||||
|
# Create a user for automatic website deployment from nixbld
|
||||||
|
useradd -m zolaupd
|
||||||
|
mkdir -p /var/www/m-labs-intl.com/html
|
||||||
|
chown -R zolaupd /var/www/m-labs-intl.com/
|
||||||
|
sudo -u zolaupd sh -c '
|
||||||
|
cd /home/zolaupd;
|
||||||
|
mkdir /home/zolaupd/.ssh;
|
||||||
|
echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
|
||||||
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
|
||||||
|
chmod 700 .ssh/
|
||||||
|
chmod 600 .ssh/authorized_keys
|
||||||
|
'
|
||||||
|
|
||||||
|
# Create a user for RFQ hooks service
|
||||||
|
useradd -m rfqserver
|
||||||
|
cp runrfq.sh /home/rfqserver/
|
||||||
|
cp mail.secret /home/rfqserver/
|
||||||
|
chown rfqserver /home/rfqserver/runrfq.sh
|
||||||
|
chmod +x /home/rfqserver/runrfq.sh
|
||||||
|
chown rfqserver /home/rfqserver/mail.secret
|
||||||
|
|
||||||
|
sudo -u rfqserver sh -c '
|
||||||
|
cd /home/rfqserver;
|
||||||
|
git clone https://git.m-labs.hk/M-Labs/web2019.git;
|
||||||
|
cd web2019;
|
||||||
|
python3 -m venv ./venv;
|
||||||
|
source venv/bin/activate;
|
||||||
|
pip install -r requirements.txt;
|
||||||
|
'
|
||||||
|
cp rfq.service /etc/systemd/system/
|
||||||
|
|
||||||
|
# Automate port forwarding rules creation
|
||||||
|
cp gretun.sh /root/gretun.sh
|
||||||
|
cp gretun_down.sh /root/gretun_down.sh
|
||||||
|
chmod u+x /root/gretun.sh
|
||||||
|
chmod u+x /root/gretun_down.sh
|
||||||
|
cp gretun.service /etc/systemd/system/
|
||||||
|
|
||||||
|
# Enable custom services
|
||||||
|
systemctl daemon-reload
|
||||||
|
systemctl enable rfq.service --now
|
||||||
|
systemctl enable gretun.service --now
|
||||||
|
|
||||||
|
# Setup basic firewall rules
|
||||||
|
ufw default deny
|
||||||
|
ufw default allow outgoing
|
||||||
|
|
||||||
|
ufw allow from 94.190.212.123
|
||||||
|
ufw allow from 2001:470:f891:1::/64
|
||||||
|
ufw allow from 202.77.7.238
|
||||||
|
ufw allow from 2001:470:18:390::2
|
||||||
|
ufw allow "Nginx HTTP"
|
||||||
|
ufw allow "Nginx HTTPS"
|
||||||
|
ufw limit OpenSSH
|
||||||
|
ufw allow 25/tcp
|
||||||
|
ufw allow 587/tcp
|
||||||
|
ufw limit 500,4500/udp
|
||||||
|
|
||||||
|
ufw route allow in on gre1 out on eth0
|
||||||
|
ufw allow from 10.47.3.0/31
|
||||||
|
|
||||||
|
ufw show added
|
||||||
|
ufw enable
|
||||||
|
```
|
|
@ -10,16 +10,34 @@ in
|
||||||
default = false;
|
default = false;
|
||||||
description = "Enable AFWS server";
|
description = "Enable AFWS server";
|
||||||
};
|
};
|
||||||
|
logFile = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "/var/lib/afws/logs/afws.log";
|
||||||
|
description = "Path to the log file";
|
||||||
|
};
|
||||||
|
logBackupCount = mkOption {
|
||||||
|
type = types.int;
|
||||||
|
default = 30;
|
||||||
|
description = "Number of daily log files to keep";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf config.services.afws.enable {
|
config = mkIf config.services.afws.enable {
|
||||||
systemd.services.afws = {
|
systemd.services.afws = {
|
||||||
description = "AFWS server";
|
description = "AFWS server";
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
preStart = ''
|
||||||
|
mkdir -p "$(dirname ${config.services.afws.logFile})"
|
||||||
|
chown afws:afws "$(dirname ${config.services.afws.logFile})"
|
||||||
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "afws";
|
User = "afws";
|
||||||
Group = "afws";
|
Group = "afws";
|
||||||
ExecStart = "${afws}/bin/afws_server";
|
ExecStart = ''
|
||||||
|
${afws}/bin/afws_server \
|
||||||
|
--log-file ${config.services.afws.logFile} \
|
||||||
|
--log-backup-count ${toString config.services.afws.logBackupCount}
|
||||||
|
'';
|
||||||
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
|
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
|
||||||
};
|
};
|
||||||
path = [ pkgs.nix pkgs.git ];
|
path = [ pkgs.nix pkgs.git ];
|
||||||
|
|
|
@ -192,6 +192,7 @@ in
|
||||||
iptables -w -N pccw-sucks
|
iptables -w -N pccw-sucks
|
||||||
iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
|
iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
|
||||||
iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
||||||
|
iptables -A pccw-sucks -o ${netifUSA} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
||||||
iptables -w -A FORWARD -j pccw-sucks
|
iptables -w -A FORWARD -j pccw-sucks
|
||||||
'';
|
'';
|
||||||
extraStopCommands = ''
|
extraStopCommands = ''
|
||||||
|
@ -357,6 +358,14 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Break cycle dependency making netdev service stop when network-setup is stopped
|
||||||
|
systemd.services."${netifAlt}-netdev" = {
|
||||||
|
partOf = pkgs.lib.mkOverride 1 [ ];
|
||||||
|
};
|
||||||
|
systemd.services."${netifUSA}-netdev" = {
|
||||||
|
partOf = pkgs.lib.mkOverride 1 [ ];
|
||||||
|
};
|
||||||
|
|
||||||
# https://kb.isc.org/docs/dnssec-key-and-signing-policy
|
# https://kb.isc.org/docs/dnssec-key-and-signing-policy
|
||||||
# chown named.named /etc/nixos/named
|
# chown named.named /etc/nixos/named
|
||||||
services.bind = {
|
services.bind = {
|
||||||
|
@ -754,7 +763,7 @@ in
|
||||||
</runcommand>
|
</runcommand>
|
||||||
<runcommand>
|
<runcommand>
|
||||||
job = web:web:web-intl
|
job = web:web:web-intl
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@5.78.86.156:/var/www/m-labs-intl.com/html/
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/
|
||||||
</runcommand>
|
</runcommand>
|
||||||
<runcommand>
|
<runcommand>
|
||||||
job = web:web:nmigen-docs
|
job = web:web:nmigen-docs
|
||||||
|
@ -981,7 +990,7 @@ in
|
||||||
expires 60d;
|
expires 60d;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
locations."/nuc-netboot/".alias = "${import ./defenestrate}/";
|
locations."/nuc-netboot/".alias = "${import ./defenestrate { prioNixbld = true; } }/";
|
||||||
|
|
||||||
# legacy URLs, redirect to avoid breaking people's bookmarks
|
# legacy URLs, redirect to avoid breaking people's bookmarks
|
||||||
locations."/gateware.html".extraConfig = ''
|
locations."/gateware.html".extraConfig = ''
|
||||||
|
@ -1248,7 +1257,18 @@ in
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
User = "rt";
|
User = "rt";
|
||||||
Group = "rt";
|
Group = "rt";
|
||||||
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
|
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail.pid -f /etc/nixos/secret/rt_fetchmailrc'";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.services.rt-fetchmail-intl = {
|
||||||
|
description = "Fetchmail for RT (intl)";
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "dovecot2.service" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Restart = "on-failure";
|
||||||
|
User = "rt";
|
||||||
|
Group = "rt";
|
||||||
|
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail-intl.pid -f /etc/nixos/secret/rt_fetchmailrc_intl'";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
|
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
|
||||||
index 64b55ca6a..9b4e52b8e 100644
|
index 763045a80..d7c5cc82e 100644
|
||||||
--- a/src/libstore/build/local-derivation-goal.cc
|
--- a/src/libstore/build/local-derivation-goal.cc
|
||||||
+++ b/src/libstore/build/local-derivation-goal.cc
|
+++ b/src/libstore/build/local-derivation-goal.cc
|
||||||
@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild()
|
@@ -190,6 +190,8 @@ void LocalDerivationGoal::tryLocalBuild()
|
||||||
|
|
||||||
assert(derivationType);
|
assert(derivationType);
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ index 64b55ca6a..9b4e52b8e 100644
|
||||||
/* Are we doing a chroot build? */
|
/* Are we doing a chroot build? */
|
||||||
{
|
{
|
||||||
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
|
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
|
||||||
@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild()
|
@@ -207,7 +209,7 @@ void LocalDerivationGoal::tryLocalBuild()
|
||||||
else if (settings.sandboxMode == smDisabled)
|
else if (settings.sandboxMode == smDisabled)
|
||||||
useChroot = false;
|
useChroot = false;
|
||||||
else if (settings.sandboxMode == smRelaxed)
|
else if (settings.sandboxMode == smRelaxed)
|
||||||
|
@ -20,7 +20,7 @@ index 64b55ca6a..9b4e52b8e 100644
|
||||||
}
|
}
|
||||||
|
|
||||||
auto & localStore = getLocalStore();
|
auto & localStore = getLocalStore();
|
||||||
@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder()
|
@@ -717,7 +719,7 @@ void LocalDerivationGoal::startBuilder()
|
||||||
"nogroup:x:65534:\n", sandboxGid()));
|
"nogroup:x:65534:\n", sandboxGid()));
|
||||||
|
|
||||||
/* Create /etc/hosts with localhost entry. */
|
/* Create /etc/hosts with localhost entry. */
|
||||||
|
@ -29,7 +29,7 @@ index 64b55ca6a..9b4e52b8e 100644
|
||||||
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
|
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
|
||||||
|
|
||||||
/* Make the closure of the inputs available in the chroot,
|
/* Make the closure of the inputs available in the chroot,
|
||||||
@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder()
|
@@ -921,7 +923,7 @@ void LocalDerivationGoal::startBuilder()
|
||||||
us.
|
us.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
@ -38,7 +38,7 @@ index 64b55ca6a..9b4e52b8e 100644
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
|
|
||||||
userNamespaceSync.create();
|
userNamespaceSync.create();
|
||||||
@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv()
|
@@ -1160,7 +1162,7 @@ void LocalDerivationGoal::initEnv()
|
||||||
to the builder is generally impure, but the output of
|
to the builder is generally impure, but the output of
|
||||||
fixed-output derivations is by definition pure (since we
|
fixed-output derivations is by definition pure (since we
|
||||||
already know the cryptographic hash of the output). */
|
already know the cryptographic hash of the output). */
|
||||||
|
@ -47,7 +47,7 @@ index 64b55ca6a..9b4e52b8e 100644
|
||||||
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
|
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
|
||||||
env[i] = getEnv(i).value_or("");
|
env[i] = getEnv(i).value_or("");
|
||||||
}
|
}
|
||||||
@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild()
|
@@ -1829,7 +1831,7 @@ void LocalDerivationGoal::runChild()
|
||||||
/* Fixed-output derivations typically need to access the
|
/* Fixed-output derivations typically need to access the
|
||||||
network, so give them access to /etc/resolv.conf and so
|
network, so give them access to /etc/resolv.conf and so
|
||||||
on. */
|
on. */
|
||||||
|
@ -56,7 +56,7 @@ index 64b55ca6a..9b4e52b8e 100644
|
||||||
// Only use nss functions to resolve hosts and
|
// Only use nss functions to resolve hosts and
|
||||||
// services. Don’t use it for anything else that may
|
// services. Don’t use it for anything else that may
|
||||||
// be configured for this system. This limits the
|
// be configured for this system. This limits the
|
||||||
@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild()
|
@@ -2071,7 +2073,7 @@ void LocalDerivationGoal::runChild()
|
||||||
#include "sandbox-defaults.sb"
|
#include "sandbox-defaults.sb"
|
||||||
;
|
;
|
||||||
|
|
||||||
|
@ -66,11 +66,11 @@ index 64b55ca6a..9b4e52b8e 100644
|
||||||
#include "sandbox-network.sb"
|
#include "sandbox-network.sb"
|
||||||
;
|
;
|
||||||
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
|
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
|
||||||
index 0a05081c7..4c251718c 100644
|
index 86b86c01e..95b03aae8 100644
|
||||||
--- a/src/libstore/build/local-derivation-goal.hh
|
--- a/src/libstore/build/local-derivation-goal.hh
|
||||||
+++ b/src/libstore/build/local-derivation-goal.hh
|
+++ b/src/libstore/build/local-derivation-goal.hh
|
||||||
@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal
|
@@ -82,6 +82,8 @@ struct LocalDerivationGoal : public DerivationGoal
|
||||||
|
*/
|
||||||
Path chrootRootDir;
|
Path chrootRootDir;
|
||||||
|
|
||||||
+ bool networked;
|
+ bool networked;
|
||||||
|
|
|
@ -30,7 +30,7 @@ let
|
||||||
Set($OwnerEmail, '${cfg.ownerEmail}');
|
Set($OwnerEmail, '${cfg.ownerEmail}');
|
||||||
Set($MaxAttachmentSize, 15360000);
|
Set($MaxAttachmentSize, 15360000);
|
||||||
Set($CheckMoreMSMailHeaders, 1);
|
Set($CheckMoreMSMailHeaders, 1);
|
||||||
Set($RTAddressRegexp, '^(helpdesk|sales)\@(m-labs.hk)$');
|
Set($RTAddressRegexp, '^(helpdesk)\@(m-labs.hk|m-labs-intl.com)$');
|
||||||
Set($LoopsToRTOwner, 0);
|
Set($LoopsToRTOwner, 0);
|
||||||
|
|
||||||
# System (Outgoing mail)
|
# System (Outgoing mail)
|
||||||
|
|
|
@ -57,7 +57,7 @@
|
||||||
};
|
};
|
||||||
esavkin = {
|
esavkin = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["plugdev" "dialout" "libvirtd"];
|
extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
|
||||||
];
|
];
|
||||||
|
|
|
@ -64,8 +64,8 @@ in
|
||||||
xournal
|
xournal
|
||||||
xsane
|
xsane
|
||||||
gtkwave unzip zip gnupg
|
gtkwave unzip zip gnupg
|
||||||
gnome3.gnome-tweaks
|
gnome-tweaks
|
||||||
gnome3.ghex
|
ghex
|
||||||
jq sublime3 rink qemu_kvm
|
jq sublime3 rink qemu_kvm
|
||||||
tmux screen gdb minicom picocom
|
tmux screen gdb minicom picocom
|
||||||
artiq.packages.x86_64-linux.openocd-bscanspi
|
artiq.packages.x86_64-linux.openocd-bscanspi
|
||||||
|
@ -129,17 +129,9 @@ in
|
||||||
nssmdns4 = true;
|
nssmdns4 = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Enable sound.
|
hardware.graphics.enable32Bit = true;
|
||||||
sound.enable = true;
|
|
||||||
hardware.pulseaudio = {
|
|
||||||
enable = true;
|
|
||||||
package = pkgs.pulseaudioFull;
|
|
||||||
};
|
|
||||||
|
|
||||||
hardware.opengl.driSupport32Bit = true;
|
fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
|
||||||
hardware.pulseaudio.support32Bit = true;
|
|
||||||
|
|
||||||
fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
|
|
||||||
|
|
||||||
# Enable the X11 windowing system.
|
# Enable the X11 windowing system.
|
||||||
services.xserver.enable = true;
|
services.xserver.enable = true;
|
||||||
|
|
Loading…
Reference in New Issue