
13 Commits

Author SHA1 Message Date
1b0cc6544e Do not merge PH with main website
Signed-off-by: Egor Savkin <es@m-labs.hk>

# Conflicts:
#	nixbld-etc-nixos/configuration.nix
2025-01-09 11:00:08 +08:00
18bc04b419 nixbld: attempt to work around 'PHP Error: Invalid compose ID' roundcube bug 2025-01-08 22:11:32 +08:00
3f33c1c980 Revert "Use dedicated website folder for PH region"
This reverts commit 0b3fe57a93.
2025-01-08 10:32:29 +08:00
0b3fe57a93 Use dedicated website folder for PH region
Signed-off-by: Egor Savkin <es@m-labs.hk>
2025-01-07 12:34:26 +08:00
e4b6c68ae3 nixops: add back abdul 2024-12-18 18:19:29 +08:00
060c6bfe21 nixbld: unscramble email addresses for gitea 2024-12-04 21:21:36 +08:00
da74156ca8 Reduce websites duplication
Redirect www.* URLs to non-www.* with default 301 code in order to reduce number of copies of the websites in search engines

Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-12-04 16:55:36 +08:00
9558882e2b dmesg_restrict is now default on NixOS 24.11 2024-12-04 12:33:07 +08:00
9e74ec65bb nixbld: hydra-restrictdist not needed anymore 2024-12-04 12:25:40 +08:00
1b51f86343 nixbld: patch correct hydra package 2024-12-04 12:25:23 +08:00
b088c11806 nixbld: reduce mattermost spam 2024-12-04 12:06:12 +08:00
6510ba9a2d nixbld: nixpkgs 24.11 2024-12-03 19:27:26 +08:00
81cfe07acd unscramble email 2024-12-03 17:41:25 +08:00
8 changed files with 67 additions and 65 deletions


@ -20,8 +20,8 @@ in
./afws-module.nix ./afws-module.nix
./rt.nix ./rt.nix
(builtins.fetchTarball { (builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/29916981e7b3b5782dc5085ad18490113f8ff63b/nixos-mailserver-nixos.tar.gz"; url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/af7d3bf5daeba3fc28089b015c0dd43f06b176f2/nixos-mailserver-nixos.tar.gz";
sha256 = "sha256:0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b"; sha256 = "sha256:1j0r52ij5pw8b8wc5xz1bmm5idwkmsnwpla6smz8gypcjls860ma";
}) })
]; ];
@ -491,6 +491,7 @@ in
enable = true; enable = true;
radios.${netifWifi} = { radios.${netifWifi} = {
band = "2g"; band = "2g";
channel = 7;
countryCode = "HK"; countryCode = "HK";
networks.${netifWifi} = { networks.${netifWifi} = {
ssid = "M-Labs"; ssid = "M-Labs";
@ -638,7 +639,6 @@ in
SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp" SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
''; '';
sound.enable = true;
services.mpd.enable = true; services.mpd.enable = true;
services.mpd.musicDirectory = "/tank/sb-public/FLAC"; services.mpd.musicDirectory = "/tank/sb-public/FLAC";
services.mpd.network.listenAddress = "192.168.1.1"; services.mpd.network.listenAddress = "192.168.1.1";
@ -732,7 +732,6 @@ in
users.extraUsers.nix = { users.extraUsers.nix = {
isNormalUser = true; isNormalUser = true;
}; };
boot.kernel.sysctl."kernel.dmesg_restrict" = true;
services.udev.packages = [ pkgs.sane-backends ]; services.udev.packages = [ pkgs.sane-backends ];
nix.settings.max-jobs = 10; nix.settings.max-jobs = 10;
@ -753,6 +752,10 @@ in
job = web:web:web job = web:web:web
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
</runcommand> </runcommand>
<runcommand>
job = web:web:web-ph
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web-ph
</runcommand>
<runcommand> <runcommand>
job = web:web:web-intl job = web:web:web-intl
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/ command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/
@ -937,22 +940,27 @@ in
nix = super.nix.overrideAttrs(oa: { nix = super.nix.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ]; patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
}); });
hydra_unstable = super.hydra_unstable.overrideAttrs(oa: { hydra = super.hydra.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ patches = oa.patches or [] ++ [
./hydra-conda.patch ./hydra-conda.patch
./hydra-msys2.patch ./hydra-msys2.patch
./hydra-restrictdist.patch
]; ];
hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ]; hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above. doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
}); });
mattermost = super.mattermost.overrideAttrs(oa: {
postInstall = oa.postInstall +
''
sed -i.bak "s/FREE EDITION//g" $out/client/*.js $out/client/*.js.map
'';
});
matterbridge = super.matterbridge.overrideAttrs(oa: { matterbridge = super.matterbridge.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ]; patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ];
}); });
}; };
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "sb" + "@m-labs.hk"; security.acme.defaults.email = "sb@m-labs.hk";
# https://github.com/NixOS/nixpkgs/issues/106862 # https://github.com/NixOS/nixpkgs/issues/106862
systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ]; systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
@ -1040,9 +1048,24 @@ in
}; };
in { in {
"m-labs.hk" = mainWebsite; "m-labs.hk" = mainWebsite;
"www.m-labs.hk" = mainWebsite; "www.m-labs.hk" = {
"m-labs.ph" = mainWebsite; addSSL = true;
"www.m-labs.ph" = mainWebsite; enableACME = true;
globalRedirect = "m-labs.hk";
};
"m-labs.ph" = {
root = "${hydraWwwOutputs}/web-ph";
forceSSL = true;
enableACME = true;
extraConfig = ''
error_page 404 /404.html;
'';
};
"www.m-labs.ph" = {
addSSL = true;
enableACME = true;
globalRedirect = "m-labs.ph";
};
"nixbld.m-labs.hk" = { "nixbld.m-labs.hk" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@ -1189,7 +1212,7 @@ in
"www.193thz.com" = { "www.193thz.com" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
root = "/var/www/193thz"; globalRedirect = "193thz.com";
}; };
"nmigen.net" = { "nmigen.net" = {
addSSL = true; addSSL = true;
@ -1199,7 +1222,7 @@ in
"www.nmigen.net" = { "www.nmigen.net" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
root = "${hydraWwwOutputs}/nmigen-docs"; globalRedirect = "nmigen.net";
}; };
}; };
}; };
@ -1293,10 +1316,12 @@ in
services.roundcube = { services.roundcube = {
enable = true; enable = true;
hostName = "mail.m-labs.hk"; hostName = "mail.m-labs.hk";
# https://github.com/roundcube/roundcubemail/issues/5869
extraConfig = '' extraConfig = ''
$config['smtp_server'] = "tls://${config.mailserver.fqdn}"; $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u"; $config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p"; $config['smtp_pass'] = "%p";
$config['session_storage'] = "php";
''; '';
}; };
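Review bot: Dropping `./hydra-restrictdist.patch` from the `hydra` override removes the check that kept store paths containing `-RESTRICTDIST-` out of the `nar` and `narinfo` endpoints, and nothing in the new code records why that is safe. The deleted patch shown further down the page has both handlers return `notFound` for such paths, so after this change Hydra serves them like any other store path. If no job produces `-RESTRICTDIST-` outputs any more, say so next to the patch list, for example `# hydra-restrictdist.patch dropped: no -RESTRICTDIST- outputs are built any more`; if some are still present in the store, they need another access control before this is deployed. The enclosing override set starts outside the hunk.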


@ -15,7 +15,7 @@
<div class="ui stackable middle very relaxed page grid"> <div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column"> <div class="sixteen wide center column">
<p class="large"> <p class="large">
Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-***.hk stating the username you would like to have. Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-labs.hk stating the username you would like to have.
</p> </p>
</div> </div>
</div> </div>


@ -4,7 +4,7 @@
<div class="ui middle very relaxed page grid"> <div class="ui middle very relaxed page grid">
<div class="ui container column fluid"> <div class="ui container column fluid">
{{template "user/auth/signin_inner" .}} {{template "user/auth/signin_inner" .}}
To get an account (also available to external contributors), simply write to sb@m-***s.hk. To get an account (also available to external contributors), simply write to sb@m-labs.hk.
</div> </div>
</div> </div>
</div> </div>


@ -1,32 +0,0 @@
diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm
index a9b0d558..71869ba0 100644
--- a/src/lib/Hydra/Controller/Root.pm
+++ b/src/lib/Hydra/Controller/Root.pm
@@ -19,6 +19,11 @@ use Net::Prometheus;
# Put this controller at top-level.
__PACKAGE__->config->{namespace} = '';
+sub isRedistRestricted {
+ my ($path) = @_;
+
+ return index($path, "-RESTRICTDIST-") >= 0;
+}
sub noLoginNeeded {
my ($c) = @_;
@@ -319,6 +324,7 @@ sub nar :Local :Args(1) {
$path = $Nix::Config::storeDir . "/$path";
gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path);
+ notFound($c, "Redistribution restricted") if isRedistRestricted($path);
$c->stash->{current_view} = 'NixNAR';
$c->stash->{storePath} = $path;
@@ -368,6 +374,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
setCacheHeaders($c, 60 * 60);
return;
}
+ notFound($c, "Redistribution restricted") if isRedistRestricted($path);
$c->stash->{storePath} = $path;
$c->forward('Hydra::View::NARInfo');


@ -1,8 +1,8 @@
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 763045a80..d7c5cc82e 100644 index 2a09e3dd4..7dc03855f 100644
--- a/src/libstore/build/local-derivation-goal.cc --- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc +++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -190,6 +190,8 @@ void LocalDerivationGoal::tryLocalBuild() @@ -197,6 +197,8 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
assert(derivationType); assert(derivationType);
@ -11,7 +11,7 @@ index 763045a80..d7c5cc82e 100644
/* Are we doing a chroot build? */ /* Are we doing a chroot build? */
{ {
auto noChroot = parsedDrv->getBoolAttr("__noChroot"); auto noChroot = parsedDrv->getBoolAttr("__noChroot");
@@ -207,7 +209,7 @@ void LocalDerivationGoal::tryLocalBuild() @@ -214,7 +216,7 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
else if (settings.sandboxMode == smDisabled) else if (settings.sandboxMode == smDisabled)
useChroot = false; useChroot = false;
else if (settings.sandboxMode == smRelaxed) else if (settings.sandboxMode == smRelaxed)
@ -20,7 +20,7 @@ index 763045a80..d7c5cc82e 100644
} }
auto & localStore = getLocalStore(); auto & localStore = getLocalStore();
@@ -717,7 +719,7 @@ void LocalDerivationGoal::startBuilder() @@ -737,7 +739,7 @@ void LocalDerivationGoal::startBuilder()
"nogroup:x:65534:\n", sandboxGid())); "nogroup:x:65534:\n", sandboxGid()));
/* Create /etc/hosts with localhost entry. */ /* Create /etc/hosts with localhost entry. */
@ -29,7 +29,7 @@ index 763045a80..d7c5cc82e 100644
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n"); writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
/* Make the closure of the inputs available in the chroot, /* Make the closure of the inputs available in the chroot,
@@ -921,7 +923,7 @@ void LocalDerivationGoal::startBuilder() @@ -938,7 +940,7 @@ void LocalDerivationGoal::startBuilder()
us. us.
*/ */
@ -38,16 +38,16 @@ index 763045a80..d7c5cc82e 100644
privateNetwork = true; privateNetwork = true;
userNamespaceSync.create(); userNamespaceSync.create();
@@ -1160,7 +1162,7 @@ void LocalDerivationGoal::initEnv() @@ -1177,7 +1179,7 @@ void LocalDerivationGoal::initEnv()
to the builder is generally impure, but the output of to the builder is generally impure, but the output of
fixed-output derivations is by definition pure (since we fixed-output derivations is by definition pure (since we
already know the cryptographic hash of the output). */ already know the cryptographic hash of the output). */
- if (!derivationType->isSandboxed()) { - if (!derivationType->isSandboxed()) {
+ if (networked || !derivationType->isSandboxed()) { + if (networked || !derivationType->isSandboxed()) {
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings())) auto & impureEnv = settings.impureEnv.get();
env[i] = getEnv(i).value_or(""); if (!impureEnv.empty())
} experimentalFeatureSettings.require(Xp::ConfigurableImpureEnv);
@@ -1829,7 +1831,7 @@ void LocalDerivationGoal::runChild() @@ -1851,7 +1853,7 @@ void LocalDerivationGoal::runChild()
/* Fixed-output derivations typically need to access the /* Fixed-output derivations typically need to access the
network, so give them access to /etc/resolv.conf and so network, so give them access to /etc/resolv.conf and so
on. */ on. */
@ -56,7 +56,7 @@ index 763045a80..d7c5cc82e 100644
// Only use nss functions to resolve hosts and // Only use nss functions to resolve hosts and
// services. Dont use it for anything else that may // services. Dont use it for anything else that may
// be configured for this system. This limits the // be configured for this system. This limits the
@@ -2071,7 +2073,7 @@ void LocalDerivationGoal::runChild() @@ -2083,7 +2085,7 @@ void LocalDerivationGoal::runChild()
#include "sandbox-defaults.sb" #include "sandbox-defaults.sb"
; ;
@ -65,11 +65,11 @@ index 763045a80..d7c5cc82e 100644
sandboxProfile += sandboxProfile +=
#include "sandbox-network.sb" #include "sandbox-network.sb"
; ;
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh diff --git a/src/libstore/unix/build/local-derivation-goal.hh b/src/libstore/unix/build/local-derivation-goal.hh
index 86b86c01e..95b03aae8 100644 index bf25cf2a6..28f8c1e95 100644
--- a/src/libstore/build/local-derivation-goal.hh --- a/src/libstore/unix/build/local-derivation-goal.hh
+++ b/src/libstore/build/local-derivation-goal.hh +++ b/src/libstore/unix/build/local-derivation-goal.hh
@@ -82,6 +82,8 @@ struct LocalDerivationGoal : public DerivationGoal @@ -83,6 +83,8 @@ struct LocalDerivationGoal : public DerivationGoal
*/ */
Path chrootRootDir; Path chrootRootDir;


@ -111,6 +111,13 @@
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
]; ];
}; };
abdul = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
];
};
dpn = { dpn = {
isNormalUser = true; isNormalUser = true;


@ -12,6 +12,7 @@ in
boot.loader.systemd-boot.memtest86.enable = true; boot.loader.systemd-boot.memtest86.enable = true;
boot.loader.grub.memtest86.enable = true; boot.loader.grub.memtest86.enable = true;
boot.kernel.sysctl."kernel.dmesg_restrict" = false;
imports = imports =
[ [
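Review bot: The added `boot.kernel.sysctl."kernel.dmesg_restrict" = false;` lets unprivileged users read the kernel log on this machine, and the line gives no reason for opting out of the NixOS 24.11 default that the commit list refers to. A short comment would keep the exception deliberate and reviewable, for example `# dmesg readable by all local users on this host: <reason>`. The same line is added in the last file section, the configuration that sets the `rpi4` kernel parameters, and needs the same comment. Whether a plain assignment overrides the new default without a priority conflict is not visible here and is worth confirming with a test evaluation.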


@ -15,6 +15,7 @@ in
boot.loader.generic-extlinux-compatible.enable = true; boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208 boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208
boot.initrd.includeDefaultModules = false; boot.initrd.includeDefaultModules = false;
boot.kernel.sysctl."kernel.dmesg_restrict" = false;
fileSystems = { fileSystems = {
"/" = { "/" = {