forked from M-Labs/it-infra
Compare commits
9 Commits
flarum_upd
...
master
Author | SHA1 | Date | |
---|---|---|---|
e4b6c68ae3 | |||
060c6bfe21 | |||
da74156ca8 | |||
9558882e2b | |||
9e74ec65bb | |||
1b51f86343 | |||
b088c11806 | |||
6510ba9a2d | |||
81cfe07acd |
@ -20,8 +20,8 @@ in
|
||||
./afws-module.nix
|
||||
./rt.nix
|
||||
(builtins.fetchTarball {
|
||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/29916981e7b3b5782dc5085ad18490113f8ff63b/nixos-mailserver-nixos.tar.gz";
|
||||
sha256 = "sha256:0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
|
||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/af7d3bf5daeba3fc28089b015c0dd43f06b176f2/nixos-mailserver-nixos.tar.gz";
|
||||
sha256 = "sha256:1j0r52ij5pw8b8wc5xz1bmm5idwkmsnwpla6smz8gypcjls860ma";
|
||||
})
|
||||
];
|
||||
|
||||
@ -491,6 +491,7 @@ in
|
||||
enable = true;
|
||||
radios.${netifWifi} = {
|
||||
band = "2g";
|
||||
channel = 7;
|
||||
countryCode = "HK";
|
||||
networks.${netifWifi} = {
|
||||
ssid = "M-Labs";
|
||||
@ -638,7 +639,6 @@ in
|
||||
SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
|
||||
'';
|
||||
|
||||
sound.enable = true;
|
||||
services.mpd.enable = true;
|
||||
services.mpd.musicDirectory = "/tank/sb-public/FLAC";
|
||||
services.mpd.network.listenAddress = "192.168.1.1";
|
||||
@ -732,7 +732,6 @@ in
|
||||
users.extraUsers.nix = {
|
||||
isNormalUser = true;
|
||||
};
|
||||
boot.kernel.sysctl."kernel.dmesg_restrict" = true;
|
||||
services.udev.packages = [ pkgs.sane-backends ];
|
||||
|
||||
nix.settings.max-jobs = 10;
|
||||
@ -937,22 +936,27 @@ in
|
||||
nix = super.nix.overrideAttrs(oa: {
|
||||
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
|
||||
});
|
||||
hydra_unstable = super.hydra_unstable.overrideAttrs(oa: {
|
||||
hydra = super.hydra.overrideAttrs(oa: {
|
||||
patches = oa.patches or [] ++ [
|
||||
./hydra-conda.patch
|
||||
./hydra-msys2.patch
|
||||
./hydra-restrictdist.patch
|
||||
];
|
||||
hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
|
||||
doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
|
||||
});
|
||||
mattermost = super.mattermost.overrideAttrs(oa: {
|
||||
postInstall = oa.postInstall +
|
||||
''
|
||||
sed -i.bak "s/FREE EDITION//g" $out/client/*.js $out/client/*.js.map
|
||||
'';
|
||||
});
|
||||
matterbridge = super.matterbridge.overrideAttrs(oa: {
|
||||
patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ];
|
||||
});
|
||||
};
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "sb" + "@m-labs.hk";
|
||||
security.acme.defaults.email = "sb@m-labs.hk";
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/issues/106862
|
||||
systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
|
||||
@ -1040,9 +1044,17 @@ in
|
||||
};
|
||||
in {
|
||||
"m-labs.hk" = mainWebsite;
|
||||
"www.m-labs.hk" = mainWebsite;
|
||||
"www.m-labs.hk" = {
|
||||
addSSL = true;
|
||||
enableACME = true;
|
||||
globalRedirect = "m-labs.hk";
|
||||
};
|
||||
"m-labs.ph" = mainWebsite;
|
||||
"www.m-labs.ph" = mainWebsite;
|
||||
"www.m-labs.ph" = {
|
||||
addSSL = true;
|
||||
enableACME = true;
|
||||
globalRedirect = "m-labs.ph";
|
||||
};
|
||||
"nixbld.m-labs.hk" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
@ -1189,7 +1201,7 @@ in
|
||||
"www.193thz.com" = {
|
||||
addSSL = true;
|
||||
enableACME = true;
|
||||
root = "/var/www/193thz";
|
||||
globalRedirect = "193thz.com";
|
||||
};
|
||||
"nmigen.net" = {
|
||||
addSSL = true;
|
||||
@ -1199,7 +1211,7 @@ in
|
||||
"www.nmigen.net" = {
|
||||
addSSL = true;
|
||||
enableACME = true;
|
||||
root = "${hydraWwwOutputs}/nmigen-docs";
|
||||
globalRedirect = "nmigen.net";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -15,7 +15,7 @@
|
||||
<div class="ui stackable middle very relaxed page grid">
|
||||
<div class="sixteen wide center column">
|
||||
<p class="large">
|
||||
Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-***.hk stating the username you would like to have.
|
||||
Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-labs.hk stating the username you would like to have.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
@ -4,7 +4,7 @@
|
||||
<div class="ui middle very relaxed page grid">
|
||||
<div class="ui container column fluid">
|
||||
{{template "user/auth/signin_inner" .}}
|
||||
To get an account (also available to external contributors), simply write to sb@m-***s.hk.
|
||||
To get an account (also available to external contributors), simply write to sb@m-labs.hk.
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
@ -1,32 +0,0 @@
|
||||
diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm
|
||||
index a9b0d558..71869ba0 100644
|
||||
--- a/src/lib/Hydra/Controller/Root.pm
|
||||
+++ b/src/lib/Hydra/Controller/Root.pm
|
||||
@@ -19,6 +19,11 @@ use Net::Prometheus;
|
||||
# Put this controller at top-level.
|
||||
__PACKAGE__->config->{namespace} = '';
|
||||
|
||||
+sub isRedistRestricted {
|
||||
+ my ($path) = @_;
|
||||
+
|
||||
+ return index($path, "-RESTRICTDIST-") >= 0;
|
||||
+}
|
||||
|
||||
sub noLoginNeeded {
|
||||
my ($c) = @_;
|
||||
@@ -319,6 +324,7 @@ sub nar :Local :Args(1) {
|
||||
$path = $Nix::Config::storeDir . "/$path";
|
||||
|
||||
gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path);
|
||||
+ notFound($c, "Redistribution restricted") if isRedistRestricted($path);
|
||||
|
||||
$c->stash->{current_view} = 'NixNAR';
|
||||
$c->stash->{storePath} = $path;
|
||||
@@ -368,6 +374,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
|
||||
setCacheHeaders($c, 60 * 60);
|
||||
return;
|
||||
}
|
||||
+ notFound($c, "Redistribution restricted") if isRedistRestricted($path);
|
||||
|
||||
$c->stash->{storePath} = $path;
|
||||
$c->forward('Hydra::View::NARInfo');
|
@ -1,8 +1,8 @@
|
||||
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
|
||||
index 763045a80..d7c5cc82e 100644
|
||||
--- a/src/libstore/build/local-derivation-goal.cc
|
||||
+++ b/src/libstore/build/local-derivation-goal.cc
|
||||
@@ -190,6 +190,8 @@ void LocalDerivationGoal::tryLocalBuild()
|
||||
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
|
||||
index 2a09e3dd4..7dc03855f 100644
|
||||
--- a/src/libstore/unix/build/local-derivation-goal.cc
|
||||
+++ b/src/libstore/unix/build/local-derivation-goal.cc
|
||||
@@ -197,6 +197,8 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
|
||||
|
||||
assert(derivationType);
|
||||
|
||||
@ -11,7 +11,7 @@ index 763045a80..d7c5cc82e 100644
|
||||
/* Are we doing a chroot build? */
|
||||
{
|
||||
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
|
||||
@@ -207,7 +209,7 @@ void LocalDerivationGoal::tryLocalBuild()
|
||||
@@ -214,7 +216,7 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
|
||||
else if (settings.sandboxMode == smDisabled)
|
||||
useChroot = false;
|
||||
else if (settings.sandboxMode == smRelaxed)
|
||||
@ -20,7 +20,7 @@ index 763045a80..d7c5cc82e 100644
|
||||
}
|
||||
|
||||
auto & localStore = getLocalStore();
|
||||
@@ -717,7 +719,7 @@ void LocalDerivationGoal::startBuilder()
|
||||
@@ -737,7 +739,7 @@ void LocalDerivationGoal::startBuilder()
|
||||
"nogroup:x:65534:\n", sandboxGid()));
|
||||
|
||||
/* Create /etc/hosts with localhost entry. */
|
||||
@ -29,7 +29,7 @@ index 763045a80..d7c5cc82e 100644
|
||||
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
|
||||
|
||||
/* Make the closure of the inputs available in the chroot,
|
||||
@@ -921,7 +923,7 @@ void LocalDerivationGoal::startBuilder()
|
||||
@@ -938,7 +940,7 @@ void LocalDerivationGoal::startBuilder()
|
||||
us.
|
||||
*/
|
||||
|
||||
@ -38,16 +38,16 @@ index 763045a80..d7c5cc82e 100644
|
||||
privateNetwork = true;
|
||||
|
||||
userNamespaceSync.create();
|
||||
@@ -1160,7 +1162,7 @@ void LocalDerivationGoal::initEnv()
|
||||
@@ -1177,7 +1179,7 @@ void LocalDerivationGoal::initEnv()
|
||||
to the builder is generally impure, but the output of
|
||||
fixed-output derivations is by definition pure (since we
|
||||
already know the cryptographic hash of the output). */
|
||||
- if (!derivationType->isSandboxed()) {
|
||||
+ if (networked || !derivationType->isSandboxed()) {
|
||||
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
|
||||
env[i] = getEnv(i).value_or("");
|
||||
}
|
||||
@@ -1829,7 +1831,7 @@ void LocalDerivationGoal::runChild()
|
||||
auto & impureEnv = settings.impureEnv.get();
|
||||
if (!impureEnv.empty())
|
||||
experimentalFeatureSettings.require(Xp::ConfigurableImpureEnv);
|
||||
@@ -1851,7 +1853,7 @@ void LocalDerivationGoal::runChild()
|
||||
/* Fixed-output derivations typically need to access the
|
||||
network, so give them access to /etc/resolv.conf and so
|
||||
on. */
|
||||
@ -56,7 +56,7 @@ index 763045a80..d7c5cc82e 100644
|
||||
// Only use nss functions to resolve hosts and
|
||||
// services. Don’t use it for anything else that may
|
||||
// be configured for this system. This limits the
|
||||
@@ -2071,7 +2073,7 @@ void LocalDerivationGoal::runChild()
|
||||
@@ -2083,7 +2085,7 @@ void LocalDerivationGoal::runChild()
|
||||
#include "sandbox-defaults.sb"
|
||||
;
|
||||
|
||||
@ -65,11 +65,11 @@ index 763045a80..d7c5cc82e 100644
|
||||
sandboxProfile +=
|
||||
#include "sandbox-network.sb"
|
||||
;
|
||||
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
|
||||
index 86b86c01e..95b03aae8 100644
|
||||
--- a/src/libstore/build/local-derivation-goal.hh
|
||||
+++ b/src/libstore/build/local-derivation-goal.hh
|
||||
@@ -82,6 +82,8 @@ struct LocalDerivationGoal : public DerivationGoal
|
||||
diff --git a/src/libstore/unix/build/local-derivation-goal.hh b/src/libstore/unix/build/local-derivation-goal.hh
|
||||
index bf25cf2a6..28f8c1e95 100644
|
||||
--- a/src/libstore/unix/build/local-derivation-goal.hh
|
||||
+++ b/src/libstore/unix/build/local-derivation-goal.hh
|
||||
@@ -83,6 +83,8 @@ struct LocalDerivationGoal : public DerivationGoal
|
||||
*/
|
||||
Path chrootRootDir;
|
||||
|
||||
|
@ -111,6 +111,13 @@
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
|
||||
];
|
||||
};
|
||||
abdul = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
|
||||
];
|
||||
};
|
||||
|
||||
dpn = {
|
||||
isNormalUser = true;
|
||||
|
@ -12,6 +12,7 @@ in
|
||||
|
||||
boot.loader.systemd-boot.memtest86.enable = true;
|
||||
boot.loader.grub.memtest86.enable = true;
|
||||
boot.kernel.sysctl."kernel.dmesg_restrict" = false;
|
||||
|
||||
imports =
|
||||
[
|
||||
|
@ -15,6 +15,7 @@ in
|
||||
boot.loader.generic-extlinux-compatible.enable = true;
|
||||
boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208
|
||||
boot.initrd.includeDefaultModules = false;
|
||||
boot.kernel.sysctl."kernel.dmesg_restrict" = false;
|
||||
|
||||
fileSystems = {
|
||||
"/" = {
|
||||
|
Loading…
Reference in New Issue
Block a user