forked from M-Labs/it-infra
Compare commits
77 Commits
force-ssl-
...
master
|
@ -26,9 +26,10 @@ let
|
||||||
${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
|
${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
|
||||||
${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
|
${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
|
||||||
${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
|
${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
|
||||||
|
${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql
|
||||||
|
|
||||||
exec 6< /etc/nixos/secret/backup-passphrase
|
exec 6< /etc/nixos/secret/backup-passphrase
|
||||||
${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \
|
${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \
|
||||||
${pkgs.bzip2}/bin/bzip2 | \
|
${pkgs.bzip2}/bin/bzip2 | \
|
||||||
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
|
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
|
||||||
'';
|
'';
|
||||||
|
|
|
@ -1,14 +1,13 @@
|
||||||
# Edit this configuration file to define what should be installed on
|
|
||||||
# your system. Help is available in the configuration.nix(5) man page
|
|
||||||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
|
||||||
|
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
netifWan = "enp4s0";
|
netifWan = "enp4s0";
|
||||||
|
netifWanBackup = "enp11s0";
|
||||||
netifLan = "enp5s0f1";
|
netifLan = "enp5s0f1";
|
||||||
netifWifi = "wlp6s0";
|
netifWifi = "wlp6s0";
|
||||||
netifSit = "henet0";
|
netifSit = "henet0";
|
||||||
|
netifAlt = "alt0";
|
||||||
|
netifAltVlan = "vlan0";
|
||||||
hydraWwwOutputs = "/var/www/hydra-outputs";
|
hydraWwwOutputs = "/var/www/hydra-outputs";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -20,8 +19,8 @@ in
|
||||||
./afws-module.nix
|
./afws-module.nix
|
||||||
./rt.nix
|
./rt.nix
|
||||||
(builtins.fetchTarball {
|
(builtins.fetchTarball {
|
||||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/008d78cc21959e33d0d31f375b88353a7d7121ae/nixos-mailserver-nixos.tar.gz";
|
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/41059fc548088e49e3ddb3a2b4faeb5de018e60f/nixos-mailserver-nixos.tar.gz";
|
||||||
sha256 = "sha256:0pnfyg4icsvrw390a227m8b1j5w8awicx5aza3d0fiyyzpnrpn5a";
|
sha256 = "sha256:0xvch92yi4mc1acj08461wrgrva63770aiis02vpvaa7a1xqaibv";
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -31,7 +30,7 @@ in
|
||||||
boot.loader.grub.efiSupport = true;
|
boot.loader.grub.efiSupport = true;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
hardware.cpu.amd.updateMicrocode = true;
|
hardware.cpu.amd.updateMicrocode = true;
|
||||||
boot.supportedFilesystems = ["zfs"];
|
boot.supportedFilesystems.zfs = true;
|
||||||
boot.kernelParams = ["zfs.l2arc_write_max=536870912"];
|
boot.kernelParams = ["zfs.l2arc_write_max=536870912"];
|
||||||
boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];
|
boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];
|
||||||
|
|
||||||
|
@ -90,11 +89,26 @@ in
|
||||||
hostName = "nixbld";
|
hostName = "nixbld";
|
||||||
hostId = "e423f012";
|
hostId = "e423f012";
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = [ 53 80 443 7402 ];
|
allowedTCPPorts = [ 53 80 443 2222 7402 ];
|
||||||
allowedUDPPorts = [ 53 67 500 4500 ];
|
allowedUDPPorts = [ 53 67 500 4500 ];
|
||||||
trustedInterfaces = [ netifLan ];
|
trustedInterfaces = [ netifLan ];
|
||||||
};
|
};
|
||||||
interfaces."${netifWan}".useDHCP = true;
|
useDHCP = false;
|
||||||
|
interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
|
||||||
|
interfaces."${netifWanBackup}" = { # HKBN - no DHCP with static IP service
|
||||||
|
ipv4.addresses = [{
|
||||||
|
address = "202.77.7.238";
|
||||||
|
prefixLength = 30;
|
||||||
|
}];
|
||||||
|
ipv4.routes = [
|
||||||
|
{
|
||||||
|
address = "0.0.0.0";
|
||||||
|
prefixLength = 0;
|
||||||
|
via = "202.77.7.237";
|
||||||
|
options.table = "2";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
interfaces."${netifLan}" = {
|
interfaces."${netifLan}" = {
|
||||||
ipv4.addresses = [{
|
ipv4.addresses = [{
|
||||||
address = "192.168.1.1";
|
address = "192.168.1.1";
|
||||||
|
@ -112,6 +126,11 @@ in
|
||||||
prefixLength = 24;
|
prefixLength = 24;
|
||||||
options.table = "1";
|
options.table = "1";
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
address = "192.168.1.0";
|
||||||
|
prefixLength = 24;
|
||||||
|
options.table = "2";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
interfaces."${netifWifi}" = {
|
interfaces."${netifWifi}" = {
|
||||||
|
@ -123,6 +142,19 @@ in
|
||||||
address = "2001:470:f891:2::";
|
address = "2001:470:f891:2::";
|
||||||
prefixLength = 64;
|
prefixLength = 64;
|
||||||
}];
|
}];
|
||||||
|
# same hack as above
|
||||||
|
ipv4.routes = [
|
||||||
|
{
|
||||||
|
address = "192.168.12.0";
|
||||||
|
prefixLength = 24;
|
||||||
|
options.table = "1";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
address = "192.168.12.0";
|
||||||
|
prefixLength = 24;
|
||||||
|
options.table = "2";
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
nat = {
|
nat = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -135,11 +167,6 @@ in
|
||||||
{ sourcePort = 2204; destination = "192.168.1.204:22"; proto = "tcp"; }
|
{ sourcePort = 2204; destination = "192.168.1.204:22"; proto = "tcp"; }
|
||||||
];
|
];
|
||||||
extraCommands = ''
|
extraCommands = ''
|
||||||
iptables -w -N block-lan-from-wifi
|
|
||||||
iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
|
|
||||||
iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
|
|
||||||
iptables -w -A FORWARD -j block-lan-from-wifi
|
|
||||||
|
|
||||||
iptables -w -N block-insecure-devices
|
iptables -w -N block-insecure-devices
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA
|
iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope
|
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope
|
||||||
|
@ -151,15 +178,20 @@ in
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
|
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
|
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
|
||||||
iptables -w -A FORWARD -j block-insecure-devices
|
iptables -w -A FORWARD -j block-insecure-devices
|
||||||
|
|
||||||
|
iptables -w -N pccw-sucks
|
||||||
|
iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
|
||||||
|
iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
||||||
|
iptables -w -A FORWARD -j pccw-sucks
|
||||||
'';
|
'';
|
||||||
extraStopCommands = ''
|
extraStopCommands = ''
|
||||||
iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
|
|
||||||
iptables -w -F block-lan-from-wifi 2>/dev/null|| true
|
|
||||||
iptables -w -X block-lan-from-wifi 2>/dev/null|| true
|
|
||||||
|
|
||||||
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
|
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
|
||||||
iptables -w -F block-insecure-devices 2>/dev/null|| true
|
iptables -w -F block-insecure-devices 2>/dev/null|| true
|
||||||
iptables -w -X block-insecure-devices 2>/dev/null|| true
|
iptables -w -X block-insecure-devices 2>/dev/null|| true
|
||||||
|
|
||||||
|
iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
|
||||||
|
iptables -w -F pccw-sucks 2>/dev/null|| true
|
||||||
|
iptables -w -X pccw-sucks 2>/dev/null|| true
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
sits."${netifSit}" = {
|
sits."${netifSit}" = {
|
||||||
|
@ -172,14 +204,14 @@ in
|
||||||
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
|
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
|
||||||
routes = [{ address = "::"; prefixLength = 0; }];
|
routes = [{ address = "::"; prefixLength = 0; }];
|
||||||
};
|
};
|
||||||
greTunnels.alt0 = {
|
greTunnels."${netifAlt}" = {
|
||||||
dev = netifWan;
|
dev = netifWan;
|
||||||
remote = "103.206.98.1";
|
remote = "103.206.98.1";
|
||||||
local = "94.190.212.123";
|
local = "94.190.212.123";
|
||||||
ttl = 255;
|
ttl = 255;
|
||||||
type = "tun";
|
type = "tun";
|
||||||
};
|
};
|
||||||
interfaces.alt0 = {
|
interfaces."${netifAlt}" = {
|
||||||
ipv4.addresses = [
|
ipv4.addresses = [
|
||||||
{
|
{
|
||||||
address = "103.206.98.227";
|
address = "103.206.98.227";
|
||||||
|
@ -196,12 +228,12 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
vlans = {
|
vlans = {
|
||||||
vlan0 = {
|
"${netifAltVlan}" = {
|
||||||
id = 2;
|
id = 2;
|
||||||
interface = netifLan;
|
interface = netifLan;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
interfaces.vlan0 = {
|
interfaces."${netifAltVlan}" = {
|
||||||
ipv4.addresses = [{
|
ipv4.addresses = [{
|
||||||
address = "103.206.98.200";
|
address = "103.206.98.200";
|
||||||
prefixLength = 29;
|
prefixLength = 29;
|
||||||
|
@ -234,7 +266,7 @@ in
|
||||||
id = "fqdn:igw0.hkg.as150788.net";
|
id = "fqdn:igw0.hkg.as150788.net";
|
||||||
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
|
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
|
||||||
};
|
};
|
||||||
children.alt0 = {
|
children."${netifAlt}" = {
|
||||||
mode = "transport";
|
mode = "transport";
|
||||||
ah_proposals = [ "sha256-curve25519" ];
|
ah_proposals = [ "sha256-curve25519" ];
|
||||||
remote_ts = [ "103.206.98.1[gre]" ];
|
remote_ts = [ "103.206.98.1[gre]" ];
|
||||||
|
@ -242,13 +274,27 @@ in
|
||||||
start_action = "start";
|
start_action = "start";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
# prevent race condition similar to https://github.com/NixOS/nixpkgs/issues/27070
|
||||||
|
systemd.services.strongswan-swanctl = {
|
||||||
|
after = [ "network-addresses-${netifAlt}.service" ];
|
||||||
|
requires = [ "network-addresses-${netifAlt}.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.custom-network-setup = {
|
systemd.services.network-custom-route-backup = {
|
||||||
wantedBy = [ "network.target" ];
|
wantedBy = [ "network.target" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.0/24 table 1";
|
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 202.77.7.238/30 table 2";
|
||||||
|
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.services.network-custom-route-alt = {
|
||||||
|
wantedBy = [ "network.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.200/29 table 1";
|
||||||
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
|
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -276,11 +322,13 @@ in
|
||||||
also-notify {
|
also-notify {
|
||||||
213.239.220.50; # ns1.qnetp.net
|
213.239.220.50; # ns1.qnetp.net
|
||||||
216.218.130.2; # ns1.he.net
|
216.218.130.2; # ns1.he.net
|
||||||
|
88.198.32.245; # new qnetp
|
||||||
};
|
};
|
||||||
'';
|
'';
|
||||||
slaves = [
|
slaves = [
|
||||||
"213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net
|
"213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net
|
||||||
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
|
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
|
||||||
|
"88.198.32.245" # new qnetp
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"m-labs.ph" = {
|
"m-labs.ph" = {
|
||||||
|
@ -332,6 +380,27 @@ in
|
||||||
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
|
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
"m-labs-intl.com" = {
|
||||||
|
name = "m-labs-intl.com";
|
||||||
|
master = true;
|
||||||
|
file = "/etc/nixos/named/m-labs-intl.com";
|
||||||
|
extraConfig =
|
||||||
|
''
|
||||||
|
dnssec-policy "default";
|
||||||
|
inline-signing yes;
|
||||||
|
notify explicit;
|
||||||
|
also-notify {
|
||||||
|
216.218.130.2; # ns1.he.net
|
||||||
|
213.239.220.50; # ns1.qnetp.net
|
||||||
|
88.198.32.245; # new qnetp
|
||||||
|
};
|
||||||
|
'';
|
||||||
|
slaves = [
|
||||||
|
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net
|
||||||
|
"213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net
|
||||||
|
"88.198.32.245" # new qnetp
|
||||||
|
];
|
||||||
|
};
|
||||||
"200-29.98.206.103.in-addr.arpa" = {
|
"200-29.98.206.103.in-addr.arpa" = {
|
||||||
name = "200-29.98.206.103.in-addr.arpa";
|
name = "200-29.98.206.103.in-addr.arpa";
|
||||||
master = true;
|
master = true;
|
||||||
|
@ -442,7 +511,7 @@ in
|
||||||
# List packages installed in system profile. To search, run:
|
# List packages installed in system profile. To search, run:
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
wget vim git file lm_sensors acpi pciutils psmisc nixopsUnstable
|
wget vim git file lm_sensors acpi pciutils psmisc nixops_unstable_minimal
|
||||||
irssi tmux usbutils imagemagick jq zip unzip
|
irssi tmux usbutils imagemagick jq zip unzip
|
||||||
iw
|
iw
|
||||||
nvme-cli
|
nvme-cli
|
||||||
|
@ -472,6 +541,8 @@ in
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
services.openssh.settings.PasswordAuthentication = false;
|
services.openssh.settings.PasswordAuthentication = false;
|
||||||
services.openssh.settings.GatewayPorts = "clientspecified";
|
services.openssh.settings.GatewayPorts = "clientspecified";
|
||||||
|
services.openssh.settings.X11Forwarding = true;
|
||||||
|
services.openssh.authorizedKeysInHomedir = false;
|
||||||
programs.mosh.enable = true;
|
programs.mosh.enable = true;
|
||||||
|
|
||||||
programs.fish.enable = true;
|
programs.fish.enable = true;
|
||||||
|
@ -499,6 +570,20 @@ in
|
||||||
SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
|
SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
sound.enable = true;
|
||||||
|
services.mpd.enable = true;
|
||||||
|
services.mpd.musicDirectory = "/tank/sb-public/FLAC";
|
||||||
|
services.mpd.network.listenAddress = "192.168.1.1";
|
||||||
|
services.mpd.extraConfig =
|
||||||
|
''
|
||||||
|
audio_output_format "192000:24:2"
|
||||||
|
audio_output {
|
||||||
|
type "alsa"
|
||||||
|
name "alsa"
|
||||||
|
device "hw:1,1"
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
users.extraUsers.root = {
|
users.extraUsers.root = {
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
|
||||||
|
@ -511,7 +596,7 @@ in
|
||||||
|
|
||||||
users.extraUsers.sb = {
|
users.extraUsers.sb = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["lp" "scanner" "afws"];
|
extraGroups = ["lp" "scanner" "afws" "audio"];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
||||||
|
@ -521,6 +606,11 @@ in
|
||||||
users.extraUsers.rj = {
|
users.extraUsers.rj = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["afws"];
|
extraGroups = ["afws"];
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
|
||||||
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
users.extraUsers.nkrackow = {
|
users.extraUsers.nkrackow = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
|
@ -529,46 +619,41 @@ in
|
||||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
|
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
users.extraUsers.occheung = {
|
|
||||||
isNormalUser = true;
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPEvmWmxpFpMgp5fpjKud8ev0cyf/+X5fEpQt/YD/+u4mbvZYPE300DLqQ0h/qjgvaGMz1ndf4idYnRdy+plJEC/+hmlRW5NlcpAr3S/LYAisacgKToFVl+MlBo+emS9Ig=="
|
|
||||||
];
|
|
||||||
};
|
|
||||||
users.extraUsers.spaqin = {
|
users.extraUsers.spaqin = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["lp" "scanner" "afws"];
|
extraGroups = ["lp" "afws"];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ=="
|
||||||
];
|
];
|
||||||
shell = pkgs.zsh;
|
shell = pkgs.zsh;
|
||||||
};
|
};
|
||||||
users.extraUsers.esavkin = {
|
users.extraUsers.therobs12 = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["lp" "afws"];
|
extraGroups = ["lp" "afws"];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
users.extraUsers.morgan = {
|
users.extraUsers.morgan = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["lp"];
|
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
users.extraUsers.flo = {
|
||||||
|
isNormalUser = true;
|
||||||
|
extraGroups = ["afws"];
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
|
||||||
|
];
|
||||||
|
};
|
||||||
users.extraUsers.derppening = {
|
users.extraUsers.derppening = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
users.extraUsers.dpn = {
|
|
||||||
isNormalUser = true;
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGChLocYJi8XcSJkIjT2Olm3jPGjtRq5aORa5G9F3OqmjCfvav9Q5+2Mc64XqHtNTffnJuDe4gv+lVJatC0URvPs2HyxXmxRK0jgkkLSUsV2SYLlgMqHW3jsrdh6wKBmkg=="
|
|
||||||
];
|
|
||||||
};
|
|
||||||
users.extraUsers.nix = {
|
users.extraUsers.nix = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
};
|
};
|
||||||
|
@ -577,7 +662,6 @@ in
|
||||||
|
|
||||||
nix.settings.max-jobs = 10;
|
nix.settings.max-jobs = 10;
|
||||||
nix.nrBuildUsers = 64;
|
nix.nrBuildUsers = 64;
|
||||||
nix.settings.trusted-users = ["sb"];
|
|
||||||
services.hydra = {
|
services.hydra = {
|
||||||
enable = true;
|
enable = true;
|
||||||
useSubstitutes = true;
|
useSubstitutes = true;
|
||||||
|
@ -594,6 +678,10 @@ in
|
||||||
job = web:web:web
|
job = web:web:web
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
|
||||||
</runcommand>
|
</runcommand>
|
||||||
|
<runcommand>
|
||||||
|
job = web:web:web-intl
|
||||||
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@5.78.86.156:/var/www/m-labs-intl.com/html/
|
||||||
|
</runcommand>
|
||||||
<runcommand>
|
<runcommand>
|
||||||
job = web:web:nmigen-docs
|
job = web:web:nmigen-docs
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
|
||||||
|
@ -620,6 +708,10 @@ in
|
||||||
job = artiq:extra-beta:conda-channel
|
job = artiq:extra-beta:conda-channel
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-beta
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-beta
|
||||||
</runcommand>
|
</runcommand>
|
||||||
|
<runcommand>
|
||||||
|
job = artiq:extra-beta:msys2-repos
|
||||||
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-beta
|
||||||
|
</runcommand>
|
||||||
|
|
||||||
<runcommand>
|
<runcommand>
|
||||||
job = artiq:main:artiq-manual-html
|
job = artiq:main:artiq-manual-html
|
||||||
|
@ -633,17 +725,21 @@ in
|
||||||
job = artiq:extra:conda-channel
|
job = artiq:extra:conda-channel
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel
|
||||||
</runcommand>
|
</runcommand>
|
||||||
|
<runcommand>
|
||||||
|
job = artiq:extra:msys2-repos
|
||||||
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos
|
||||||
|
</runcommand>
|
||||||
|
|
||||||
<runcommand>
|
<runcommand>
|
||||||
job = artiq:full-legacy:artiq-manual-html
|
job = artiq:main-legacy:artiq-manual-html
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-legacy
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-legacy
|
||||||
</runcommand>
|
</runcommand>
|
||||||
<runcommand>
|
<runcommand>
|
||||||
job = artiq:full-legacy:artiq-manual-latexpdf
|
job = artiq:main-legacy:artiq-manual-pdf
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-latexpdf-legacy
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf-legacy
|
||||||
</runcommand>
|
</runcommand>
|
||||||
<runcommand>
|
<runcommand>
|
||||||
job = artiq:full-legacy:conda-channel
|
job = artiq:extra-legacy:conda-channel
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-legacy
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-legacy
|
||||||
</runcommand>
|
</runcommand>
|
||||||
|
|
||||||
|
@ -652,11 +748,6 @@ in
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-archives/$(jq -r '.build' < $HYDRA_JSON)
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-archives/$(jq -r '.build' < $HYDRA_JSON)
|
||||||
</runcommand>
|
</runcommand>
|
||||||
|
|
||||||
<runcommand>
|
|
||||||
job = artiq:extra-beta:msys2-repos
|
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-beta
|
|
||||||
</runcommand>
|
|
||||||
|
|
||||||
<runcommand>
|
<runcommand>
|
||||||
job = artiq:main-nac3:msys2-repos
|
job = artiq:main-nac3:msys2-repos
|
||||||
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-nac3
|
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-nac3
|
||||||
|
@ -693,6 +784,7 @@ in
|
||||||
secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
|
secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
|
||||||
experimental-features = nix-command flakes
|
experimental-features = nix-command flakes
|
||||||
'';
|
'';
|
||||||
|
nix.settings.allowed-uris = "github: gitlab: git+https://"; # https://github.com/NixOS/nix/issues/5039
|
||||||
nix.settings.extra-sandbox-paths = ["/opt"];
|
nix.settings.extra-sandbox-paths = ["/opt"];
|
||||||
|
|
||||||
services.mlabs-backup.enable = true;
|
services.mlabs-backup.enable = true;
|
||||||
|
@ -701,11 +793,19 @@ in
|
||||||
services.gitea = {
|
services.gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
appName = "M-Labs Git";
|
appName = "M-Labs Git";
|
||||||
|
database = {
|
||||||
|
type = "postgres";
|
||||||
|
socket = "/run/postgresql";
|
||||||
|
};
|
||||||
mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
|
mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
|
||||||
settings = {
|
settings = {
|
||||||
server = {
|
server = {
|
||||||
ROOT_URL = "https://git.m-labs.hk/";
|
ROOT_URL = "https://git.m-labs.hk/";
|
||||||
HTTP_PORT = 3001;
|
HTTP_PORT = 3001;
|
||||||
|
DISABLE_SSH = false;
|
||||||
|
SSH_CREATE_AUTHORIZED_KEYS_FILE = false;
|
||||||
|
START_SSH_SERVER = true;
|
||||||
|
SSH_PORT = 2222;
|
||||||
};
|
};
|
||||||
|
|
||||||
indexer = {
|
indexer = {
|
||||||
|
@ -714,7 +814,8 @@ in
|
||||||
|
|
||||||
mailer = {
|
mailer = {
|
||||||
ENABLED = true;
|
ENABLED = true;
|
||||||
HOST = "mail.m-labs.hk:587";
|
SMTP_ADDR = "mail.m-labs.hk";
|
||||||
|
SMTP_PORT = "587";
|
||||||
FROM = "sysop@m-labs.hk";
|
FROM = "sysop@m-labs.hk";
|
||||||
USER = "sysop@m-labs.hk";
|
USER = "sysop@m-labs.hk";
|
||||||
};
|
};
|
||||||
|
@ -743,12 +844,20 @@ in
|
||||||
siteUrl = "https://chat.m-labs.hk/";
|
siteUrl = "https://chat.m-labs.hk/";
|
||||||
mutableConfig = true;
|
mutableConfig = true;
|
||||||
};
|
};
|
||||||
services.postgresql.package = pkgs.postgresql_12;
|
|
||||||
services.matterbridge = {
|
services.matterbridge = {
|
||||||
enable = true;
|
enable = true;
|
||||||
configPath = "/etc/nixos/secret/matterbridge.toml";
|
configPath = "/etc/nixos/secret/matterbridge.toml";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.postgresql = {
|
||||||
|
package = pkgs.postgresql_15;
|
||||||
|
settings.listen_addresses = pkgs.lib.mkForce "";
|
||||||
|
identMap =
|
||||||
|
''
|
||||||
|
rt rt rt_user
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
|
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
|
||||||
nix = super.nix.overrideAttrs(oa: {
|
nix = super.nix.overrideAttrs(oa: {
|
||||||
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
|
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
|
||||||
|
@ -758,7 +867,6 @@ in
|
||||||
./hydra-conda.patch
|
./hydra-conda.patch
|
||||||
./hydra-msys2.patch
|
./hydra-msys2.patch
|
||||||
./hydra-restrictdist.patch
|
./hydra-restrictdist.patch
|
||||||
./hydra-hack-allowed-uris.patch # work around https://github.com/NixOS/nix/issues/5039
|
|
||||||
];
|
];
|
||||||
hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
|
hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
|
||||||
doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
|
doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
|
||||||
|
@ -781,7 +889,7 @@ in
|
||||||
recommendedTlsSettings = true;
|
recommendedTlsSettings = true;
|
||||||
virtualHosts = let
|
virtualHosts = let
|
||||||
mainWebsite = {
|
mainWebsite = {
|
||||||
forceSSL = true;
|
addSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
root = "${hydraWwwOutputs}/web";
|
root = "${hydraWwwOutputs}/web";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -835,10 +943,10 @@ in
|
||||||
alias = "${hydraWwwOutputs}/artiq-manual-pdf/ARTIQ.pdf";
|
alias = "${hydraWwwOutputs}/artiq-manual-pdf/ARTIQ.pdf";
|
||||||
};
|
};
|
||||||
locations."/artiq/manual-legacy/" = {
|
locations."/artiq/manual-legacy/" = {
|
||||||
alias = "${hydraWwwOutputs}/artiq-manual-html-legacy/share/doc/artiq-manual/html/";
|
alias = "${hydraWwwOutputs}/artiq-manual-html-legacy/";
|
||||||
};
|
};
|
||||||
locations."=/artiq/manual-legacy.pdf" = {
|
locations."=/artiq/manual-legacy.pdf" = {
|
||||||
alias = "${hydraWwwOutputs}/artiq-manual-latexpdf-legacy/share/doc/artiq-manual/ARTIQ.pdf";
|
alias = "${hydraWwwOutputs}/artiq-manual-pdf-legacy/ARTIQ.pdf";
|
||||||
};
|
};
|
||||||
|
|
||||||
# legacy content
|
# legacy content
|
||||||
|
@ -874,6 +982,12 @@ in
|
||||||
autoindex on;
|
autoindex on;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
locations."/artiq/" = {
|
||||||
|
alias = "${hydraWwwOutputs}/artiq-msys2-repos/";
|
||||||
|
extraConfig = ''
|
||||||
|
autoindex on;
|
||||||
|
'';
|
||||||
|
};
|
||||||
locations."/artiq-nac3/" = {
|
locations."/artiq-nac3/" = {
|
||||||
alias = "${hydraWwwOutputs}/artiq-msys2-repos-nac3/";
|
alias = "${hydraWwwOutputs}/artiq-msys2-repos-nac3/";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -954,20 +1068,14 @@ in
|
||||||
"forum.m-labs.hk" = {
|
"forum.m-labs.hk" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
root = "/var/www/flarum/public";
|
|
||||||
locations."~ \.php$".extraConfig = ''
|
|
||||||
fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
|
|
||||||
fastcgi_index index.php;
|
|
||||||
'';
|
|
||||||
extraConfig = ''
|
|
||||||
index index.php;
|
|
||||||
include /var/www/flarum/.nginx.conf;
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
"perso.m-labs.hk" = {
|
"perso.m-labs.hk" = {
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
root = "/var/www/perso";
|
root = "/var/www/perso";
|
||||||
|
extraConfig = ''
|
||||||
|
autoindex on;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
"rt.m-labs.hk" = {
|
"rt.m-labs.hk" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
@ -1031,23 +1139,18 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.mysql = {
|
services.mysql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.mariadb;
|
package = pkgs.lib.mkForce pkgs.mariadb;
|
||||||
};
|
ensureDatabases = pkgs.lib.mkForce [];
|
||||||
services.phpfpm.pools.flarum = {
|
ensureUsers = pkgs.lib.mkForce [];
|
||||||
user = "nobody";
|
|
||||||
settings = {
|
|
||||||
"listen.owner" = "nginx";
|
|
||||||
"listen.group" = "nginx";
|
|
||||||
"listen.mode" = "0600";
|
|
||||||
"pm" = "dynamic";
|
|
||||||
"pm.max_children" = 5;
|
|
||||||
"pm.start_servers" = 2;
|
|
||||||
"pm.min_spare_servers" = 1;
|
|
||||||
"pm.max_spare_servers" = 3;
|
|
||||||
"pm.max_requests" = 500;
|
|
||||||
};
|
};
|
||||||
|
services.flarum = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.callPackage ./flarum {};
|
||||||
|
domain = "forum.m-labs.hk";
|
||||||
|
createDatabaseLocally = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.rt = {
|
services.rt = {
|
||||||
|
@ -1080,10 +1183,11 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
localDnsResolver = false; # conflicts with dnsmasq
|
localDnsResolver = false; # conflicts with dnsmasq
|
||||||
fqdn = "mail.m-labs.hk";
|
fqdn = "mail.m-labs.hk";
|
||||||
domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ];
|
domains = [ "m-labs.hk" "m-labs.ph" "m-labs-intl.com" "193thz.com" "malloctech.fr" ];
|
||||||
enablePop3 = true;
|
enablePop3 = true;
|
||||||
enablePop3Ssl = true;
|
enablePop3Ssl = true;
|
||||||
certificateScheme = "acme-nginx";
|
certificateScheme = "acme-nginx";
|
||||||
|
policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
|
||||||
} // (import /etc/nixos/secret/email_settings.nix);
|
} // (import /etc/nixos/secret/email_settings.nix);
|
||||||
services.roundcube = {
|
services.roundcube = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -1097,12 +1201,14 @@ in
|
||||||
|
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.nextcloud27;
|
package = pkgs.nextcloud29;
|
||||||
hostName = "files.m-labs.hk";
|
hostName = "files.m-labs.hk";
|
||||||
https = true;
|
https = true;
|
||||||
maxUploadSize = "2G";
|
maxUploadSize = "2G";
|
||||||
config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
|
config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
|
||||||
config.defaultPhoneRegion = "HK";
|
settings.default_phone_region = "HK";
|
||||||
|
settings.log_type = "file";
|
||||||
|
phpOptions."opcache.interned_strings_buffer" = "12";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.hedgedoc = {
|
services.hedgedoc = {
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,39 @@
|
||||||
|
{
|
||||||
|
lib,
|
||||||
|
php,
|
||||||
|
fetchFromGitHub,
|
||||||
|
fetchpatch,
|
||||||
|
}:
|
||||||
|
|
||||||
|
php.buildComposerProject (finalAttrs: {
|
||||||
|
pname = "flarum";
|
||||||
|
version = "1.8.1";
|
||||||
|
|
||||||
|
src = fetchFromGitHub {
|
||||||
|
owner = "flarum";
|
||||||
|
repo = "flarum";
|
||||||
|
rev = "v${finalAttrs.version}";
|
||||||
|
hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
|
||||||
|
};
|
||||||
|
|
||||||
|
patches = [
|
||||||
|
# Add useful extensions from https://github.com/FriendsOfFlarum
|
||||||
|
# Extensions included: fof/upload, fof/polls, fof/subscribed
|
||||||
|
./fof-extensions.patch
|
||||||
|
];
|
||||||
|
|
||||||
|
composerLock = ./composer.lock;
|
||||||
|
composerStrictValidation = false;
|
||||||
|
vendorHash = "sha256-z3KVGmILw8MZ4aaSf6IP/0l16LI/Y2yMzY2KMHf4qSg=";
|
||||||
|
|
||||||
|
meta = with lib; {
|
||||||
|
changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
|
||||||
|
description = "Flarum is a delightfully simple discussion platform for your website";
|
||||||
|
homepage = "https://github.com/flarum/flarum";
|
||||||
|
license = lib.licenses.mit;
|
||||||
|
maintainers = with maintainers; [
|
||||||
|
fsagbuya
|
||||||
|
jasonodoom
|
||||||
|
];
|
||||||
|
};
|
||||||
|
})
|
|
@ -0,0 +1,16 @@
|
||||||
|
diff --git a/composer.json b/composer.json
|
||||||
|
index c63b5f8..5ad1186 100644
|
||||||
|
--- a/composer.json
|
||||||
|
+++ b/composer.json
|
||||||
|
@@ -37,7 +37,10 @@
|
||||||
|
"flarum/sticky": "*",
|
||||||
|
"flarum/subscriptions": "*",
|
||||||
|
"flarum/suspend": "*",
|
||||||
|
- "flarum/tags": "*"
|
||||||
|
+ "flarum/tags": "*",
|
||||||
|
+ "fof/polls": "*",
|
||||||
|
+ "fof/subscribed": "*",
|
||||||
|
+ "fof/upload": "*"
|
||||||
|
},
|
||||||
|
"config": {
|
||||||
|
"preferred-install": "dist",
|
|
@ -1,13 +0,0 @@
|
||||||
diff --git a/src/hydra-eval-jobs/hydra-eval-jobs.cc b/src/hydra-eval-jobs/hydra-eval-jobs.cc
|
|
||||||
index 934bf42e..48f2d248 100644
|
|
||||||
--- a/src/hydra-eval-jobs/hydra-eval-jobs.cc
|
|
||||||
+++ b/src/hydra-eval-jobs/hydra-eval-jobs.cc
|
|
||||||
@@ -281,6 +281,8 @@ int main(int argc, char * * argv)
|
|
||||||
to the environment. */
|
|
||||||
evalSettings.restrictEval = true;
|
|
||||||
|
|
||||||
+ evalSettings.allowedUris = {"https://github.com/m-labs/", "https://git.m-labs.hk/m-labs/", "https://gitlab.com/duke-artiq/"};
|
|
||||||
+
|
|
||||||
/* When building a flake, use pure evaluation (no access to
|
|
||||||
'getEnv', 'currentSystem' etc. */
|
|
||||||
evalSettings.pureEval = myArgs.flake;
|
|
|
@ -1,7 +1,7 @@
|
||||||
$TTL 7200
|
$TTL 7200
|
||||||
|
|
||||||
@ SOA ns.193thz.com. sb.m-labs.hk. (
|
@ SOA ns.193thz.com. sb.m-labs.hk. (
|
||||||
2023121301
|
2024060201
|
||||||
7200
|
7200
|
||||||
3600
|
3600
|
||||||
86400
|
86400
|
||||||
|
@ -12,11 +12,12 @@ $TTL 7200
|
||||||
NS ns1.he.net.
|
NS ns1.he.net.
|
||||||
|
|
||||||
A 94.190.212.123
|
A 94.190.212.123
|
||||||
|
A 202.77.7.238
|
||||||
AAAA 2001:470:18:390::2
|
AAAA 2001:470:18:390::2
|
||||||
MX 10 mail.m-labs.hk.
|
MX 10 mail.m-labs.hk.
|
||||||
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
|
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
|
||||||
TXT "google-site-verification=5eIjLyhM_siRg5Fc2Z3AMSbheH0JFOn5iR3TCEXakqU"
|
TXT "google-site-verification=5eIjLyhM_siRg5Fc2Z3AMSbheH0JFOn5iR3TCEXakqU"
|
||||||
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
|
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
|
||||||
|
|
||||||
|
|
||||||
ns A 94.190.212.123
|
ns A 94.190.212.123
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
$TTL 7200
|
$TTL 7200
|
||||||
|
|
||||||
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
|
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
|
||||||
2024010901
|
2024060201
|
||||||
7200
|
7200
|
||||||
3600
|
3600
|
||||||
86400
|
86400
|
||||||
|
@ -10,7 +10,7 @@ $TTL 7200
|
||||||
|
|
||||||
NS NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
|
NS NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
|
||||||
NS ns1.he.net.
|
NS ns1.he.net.
|
||||||
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
|
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
|
||||||
|
|
||||||
200 PTR router.alt.m-labs.hk.
|
200 PTR router.alt.m-labs.hk.
|
||||||
201 PTR stewardship1.alt.m-labs.hk.
|
201 PTR stewardship1.alt.m-labs.hk.
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
$TTL 7200
|
||||||
|
|
||||||
|
@ SOA ns.m-labs-intl.com. sb.m-labs.hk. (
|
||||||
|
2024081503
|
||||||
|
7200
|
||||||
|
3600
|
||||||
|
86400
|
||||||
|
600)
|
||||||
|
|
||||||
|
|
||||||
|
NS ns.m-labs-intl.com.
|
||||||
|
NS ns1.he.net.
|
||||||
|
NS ns1.qnetp.net.
|
||||||
|
|
||||||
|
A 5.78.86.156
|
||||||
|
AAAA 2a01:4ff:1f0:83de::1
|
||||||
|
MX 10 mail.m-labs-intl.com.
|
||||||
|
TXT "v=spf1 mx -all"
|
||||||
|
TXT "google-site-verification=BlQd5_5wWW7calKC7bZA0GdoxR8-zj4gwJEg9sGJ3l8"
|
||||||
|
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1768317117"
|
||||||
|
|
||||||
|
ns A 94.190.212.123
|
||||||
|
ns AAAA 2001:470:18:390::2
|
||||||
|
|
||||||
|
mail A 5.78.86.156
|
||||||
|
mail AAAA 2a01:4ff:1f0:83de::1
|
||||||
|
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
|
||||||
|
_dmarc TXT "v=DMARC1; p=none"
|
||||||
|
|
||||||
|
www CNAME @
|
||||||
|
hooks CNAME @
|
|
@ -1,7 +1,7 @@
|
||||||
$TTL 7200
|
$TTL 7200
|
||||||
|
|
||||||
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
|
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
|
||||||
2024010901
|
2024080501
|
||||||
7200
|
7200
|
||||||
3600
|
3600
|
||||||
86400
|
86400
|
||||||
|
@ -13,14 +13,16 @@ $TTL 7200
|
||||||
NS ns1.he.net.
|
NS ns1.he.net.
|
||||||
|
|
||||||
A 94.190.212.123
|
A 94.190.212.123
|
||||||
|
A 202.77.7.238
|
||||||
AAAA 2001:470:18:390::2
|
AAAA 2001:470:18:390::2
|
||||||
MX 10 mail.m-labs.hk.
|
MX 10 mail.m-labs.hk.
|
||||||
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
|
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
|
||||||
TXT "google-site-verification=Tf_TEGZLG7-2BE70hMjLnzjDZ1qUeUZ6vxzbl1sagT8"
|
TXT "google-site-verification=Tf_TEGZLG7-2BE70hMjLnzjDZ1qUeUZ6vxzbl1sagT8"
|
||||||
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
|
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
|
||||||
|
|
||||||
|
|
||||||
mail A 94.190.212.123
|
mail A 94.190.212.123
|
||||||
|
mail A 202.77.7.238
|
||||||
mail AAAA 2001:470:18:390::2
|
mail AAAA 2001:470:18:390::2
|
||||||
mail._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl38A/Z0IInVU157qzrWgMfYm2iDHoWZsTyiiOoZdT7kHMzS/M2OMXMt7r5g1/7pCPClsGUDJvKGqVMmjJuPleMyKHwpGeT92qDNEFpt6ahneap/oYx5eBYM/vGcgmleNxyIoBHsptaZvqD4vCEFaC22f8UL5QAgQD3wCH3FwlpQIDAQAB"
|
mail._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl38A/Z0IInVU157qzrWgMfYm2iDHoWZsTyiiOoZdT7kHMzS/M2OMXMt7r5g1/7pCPClsGUDJvKGqVMmjJuPleMyKHwpGeT92qDNEFpt6ahneap/oYx5eBYM/vGcgmleNxyIoBHsptaZvqD4vCEFaC22f8UL5QAgQD3wCH3FwlpQIDAQAB"
|
||||||
_dmarc TXT "v=DMARC1; p=none"
|
_dmarc TXT "v=DMARC1; p=none"
|
||||||
|
@ -41,17 +43,7 @@ files CNAME @
|
||||||
docs CNAME @
|
docs CNAME @
|
||||||
|
|
||||||
rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93
|
rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93
|
||||||
rpi-2 AAAA 2001:470:f891:1:ba27:ebff:fef0:e9e6
|
|
||||||
rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9
|
rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9
|
||||||
chiron AAAA 2001:470:f891:1:7f02:9ebf:bee9:3dc7
|
|
||||||
old-nixbld AAAA 2001:470:f891:1:a07b:f49a:a4ef:aad9
|
|
||||||
zeus AAAA 2001:470:f891:1:4fd7:e70a:68bf:e9c1
|
|
||||||
franz AAAA 2001:470:f891:1:1b65:a743:2335:f5c6
|
|
||||||
hera AAAA 2001:470:f891:1:8b5e:404d:ef4e:9d92
|
|
||||||
hestia AAAA 2001:470:f891:1:881c:f409:a090:8401
|
|
||||||
vulcan AAAA 2001:470:f891:1:105d:3f15:bd53:c5ac
|
|
||||||
|
|
||||||
aux A 42.200.147.171
|
|
||||||
|
|
||||||
router.alt A 103.206.98.200
|
router.alt A 103.206.98.200
|
||||||
stewardship1.alt A 103.206.98.201
|
stewardship1.alt A 103.206.98.201
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
$TTL 7200
|
$TTL 7200
|
||||||
|
|
||||||
@ SOA ns1.m-labs.ph. sb.m-labs.hk. (
|
@ SOA ns1.m-labs.ph. sb.m-labs.hk. (
|
||||||
2024010901
|
2024060201
|
||||||
7200
|
7200
|
||||||
3600
|
3600
|
||||||
86400
|
86400
|
||||||
|
@ -12,11 +12,12 @@ $TTL 7200
|
||||||
NS ns1.he.net.
|
NS ns1.he.net.
|
||||||
|
|
||||||
A 94.190.212.123
|
A 94.190.212.123
|
||||||
|
A 202.77.7.238
|
||||||
AAAA 2001:470:18:390::2
|
AAAA 2001:470:18:390::2
|
||||||
MX 10 mail.m-labs.hk.
|
MX 10 mail.m-labs.hk.
|
||||||
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
|
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
|
||||||
TXT "google-site-verification=g2k8M1fhbYOPs4C37SeGCfNlD6paWcexamji1DXrp0o"
|
TXT "google-site-verification=g2k8M1fhbYOPs4C37SeGCfNlD6paWcexamji1DXrp0o"
|
||||||
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
|
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
|
||||||
|
|
||||||
ns1 A 94.190.212.123
|
ns1 A 94.190.212.123
|
||||||
ns1 AAAA 2001:470:18:390::2
|
ns1 AAAA 2001:470:18:390::2
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
$TTL 7200
|
$TTL 7200
|
||||||
|
|
||||||
@ SOA ns.malloctech.fr. sb.m-labs.hk. (
|
@ SOA ns.malloctech.fr. sb.m-labs.hk. (
|
||||||
2024010901
|
2024060201
|
||||||
7200
|
7200
|
||||||
3600
|
3600
|
||||||
86400
|
86400
|
||||||
|
@ -14,7 +14,7 @@ $TTL 7200
|
||||||
MX 10 mail.m-labs.hk.
|
MX 10 mail.m-labs.hk.
|
||||||
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
|
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
|
||||||
TXT "google-site-verification=LALF-fafTnmkL-18m3CzwFjSwEV1C7NeKexiNfMYsOw"
|
TXT "google-site-verification=LALF-fafTnmkL-18m3CzwFjSwEV1C7NeKexiNfMYsOw"
|
||||||
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
|
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
|
||||||
|
|
||||||
ns A 94.190.212.123
|
ns A 94.190.212.123
|
||||||
ns AAAA 2001:470:18:390::2
|
ns AAAA 2001:470:18:390::2
|
||||||
|
|
|
@ -19,14 +19,9 @@ let
|
||||||
Set($Timezone, '${cfg.timeZone}');
|
Set($Timezone, '${cfg.timeZone}');
|
||||||
|
|
||||||
Set($DatabaseType, 'Pg');
|
Set($DatabaseType, 'Pg');
|
||||||
Set($DatabaseHost, 'localhost');
|
Set($DatabaseHost, '/run/postgresql');
|
||||||
Set($DatabaseUser, 'rt_user');
|
Set($DatabaseUser, 'rt');
|
||||||
Set($DatabaseName, 'rt5');
|
Set($DatabaseName, 'rt5');
|
||||||
# Read database password from file
|
|
||||||
open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
|
|
||||||
my $dbpw = do { local $/; <$fh> };
|
|
||||||
$dbpw =~ s/^\s+|\s+$//g;
|
|
||||||
Set($DatabasePassword, $dbpw);
|
|
||||||
|
|
||||||
# System (Logging)
|
# System (Logging)
|
||||||
Set($LogToSTDERR, undef); # Don't log twice
|
Set($LogToSTDERR, undef); # Don't log twice
|
||||||
|
@ -154,13 +149,6 @@ in {
|
||||||
type = str;
|
type = str;
|
||||||
};
|
};
|
||||||
|
|
||||||
dbPasswordFile = mkOption {
|
|
||||||
description = "File containing the database password";
|
|
||||||
type = str;
|
|
||||||
default = "/etc/nixos/secret/rtpasswd";
|
|
||||||
internal = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
domain = mkOption {
|
domain = mkOption {
|
||||||
description = "Which domain RT is running on";
|
description = "Which domain RT is running on";
|
||||||
type = str;
|
type = str;
|
||||||
|
@ -245,8 +233,6 @@ in {
|
||||||
|
|
||||||
PrivateNetwork = false;
|
PrivateNetwork = false;
|
||||||
MemoryDenyWriteExecute = false;
|
MemoryDenyWriteExecute = false;
|
||||||
|
|
||||||
ReadOnlyPaths = [ cfg.dbPasswordFile ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
|
|
|
@ -0,0 +1,45 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/89463254-b38d-45db-92b6-0f7d92a44f47";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/F84B-ACC5";
|
||||||
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
hardware.cpu.intel.updateMicrocode = true;
|
||||||
|
|
||||||
|
system.stateVersion = "23.11";
|
||||||
|
}
|
|
@ -18,6 +18,7 @@
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/060C-8772";
|
{ device = "/dev/disk/by-uuid/060C-8772";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
|
@ -78,14 +78,14 @@
|
||||||
};
|
};
|
||||||
linuswck = {
|
linuswck = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["plugdev" "dialout"];
|
extraGroups = ["plugdev" "dialout" "wireshark" "libvirtd"];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAFYwmik6/xY1vb9aKBOpKklKOwSJJ0PEgNwWNULghZGJ0g4CTk04LXLSMYBm1SW74df8YMgaE/eoidq6smN6hKIgo8s3qPQGZAi4UXffMs2ciqXNa/zZcCu3PyZvyksxA=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAFYwmik6/xY1vb9aKBOpKklKOwSJJ0PEgNwWNULghZGJ0g4CTk04LXLSMYBm1SW74df8YMgaE/eoidq6smN6hKIgo8s3qPQGZAi4UXffMs2ciqXNa/zZcCu3PyZvyksxA=="
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
morgan = {
|
morgan = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["plugdev" "dialout"];
|
extraGroups = ["plugdev" "dialout" "wireshark" "libvirtd"];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
|
||||||
];
|
];
|
||||||
|
@ -104,6 +104,13 @@
|
||||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
therobs12 = {
|
||||||
|
isNormalUser = true;
|
||||||
|
extraGroups = ["plugdev" "dialout"];
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
dpn = {
|
dpn = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
|
|
|
@ -21,6 +21,7 @@
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/76A2-F01F";
|
{ device = "/dev/disk/by-uuid/76A2-F01F";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
|
@ -10,6 +10,9 @@ in
|
||||||
nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
|
nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
|
||||||
programs.command-not-found.dbPath = "${pkgs.path}/programs.sqlite";
|
programs.command-not-found.dbPath = "${pkgs.path}/programs.sqlite";
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.memtest86.enable = true;
|
||||||
|
boot.loader.grub.memtest86.enable = true;
|
||||||
|
|
||||||
imports =
|
imports =
|
||||||
[
|
[
|
||||||
(./. + "/${host}-hardware-configuration.nix")
|
(./. + "/${host}-hardware-configuration.nix")
|
||||||
|
@ -62,6 +65,7 @@ in
|
||||||
xsane
|
xsane
|
||||||
gtkwave unzip zip gnupg
|
gtkwave unzip zip gnupg
|
||||||
gnome3.gnome-tweaks
|
gnome3.gnome-tweaks
|
||||||
|
gnome3.ghex
|
||||||
jq sublime3 rink qemu_kvm
|
jq sublime3 rink qemu_kvm
|
||||||
tmux screen gdb minicom picocom
|
tmux screen gdb minicom picocom
|
||||||
artiq.packages.x86_64-linux.openocd-bscanspi
|
artiq.packages.x86_64-linux.openocd-bscanspi
|
||||||
|
@ -89,6 +93,7 @@ in
|
||||||
services.avscan.enable = true;
|
services.avscan.enable = true;
|
||||||
|
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
services.openssh.authorizedKeysInHomedir = false;
|
||||||
services.openssh.settings.PasswordAuthentication = false;
|
services.openssh.settings.PasswordAuthentication = false;
|
||||||
services.openssh.extraConfig =
|
services.openssh.extraConfig =
|
||||||
''
|
''
|
||||||
|
@ -121,7 +126,7 @@ in
|
||||||
};
|
};
|
||||||
services.avahi = {
|
services.avahi = {
|
||||||
enable = true;
|
enable = true;
|
||||||
nssmdns = true;
|
nssmdns4 = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Enable sound.
|
# Enable sound.
|
||||||
|
@ -134,16 +139,12 @@ in
|
||||||
hardware.opengl.driSupport32Bit = true;
|
hardware.opengl.driSupport32Bit = true;
|
||||||
hardware.pulseaudio.support32Bit = true;
|
hardware.pulseaudio.support32Bit = true;
|
||||||
|
|
||||||
i18n.inputMethod = {
|
|
||||||
enabled = "fcitx5";
|
|
||||||
fcitx5.addons = [ pkgs.fcitx5-table-extra pkgs.fcitx5-m17n ];
|
|
||||||
};
|
|
||||||
fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
|
fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
|
||||||
|
|
||||||
# Enable the X11 windowing system.
|
# Enable the X11 windowing system.
|
||||||
services.xserver.enable = true;
|
services.xserver.enable = true;
|
||||||
services.xserver.layout = "us";
|
services.xserver.xkb.layout = "us";
|
||||||
services.xserver.xkbOptions = "eurosign:e";
|
services.xserver.xkb.options = "eurosign:e";
|
||||||
|
|
||||||
services.xserver.displayManager.gdm.enable = true;
|
services.xserver.displayManager.gdm.enable = true;
|
||||||
services.xserver.desktopManager.gnome.enable = true;
|
services.xserver.desktopManager.gnome.enable = true;
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
{ pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
}
|
|
|
@ -21,4 +21,7 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="2109", ATTRS{idProduct}=="2812", MODE="0660"
|
||||||
# LibreVNA
|
# LibreVNA
|
||||||
SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
|
SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
|
||||||
SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
|
SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
|
||||||
|
# DSLogic
|
||||||
|
SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
|
||||||
|
SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
|
||||||
''
|
''
|
||||||
|
|
|
@ -10,7 +10,6 @@
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
|
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
|
||||||
boot.initrd.kernelModules = [ ];
|
boot.initrd.kernelModules = [ ];
|
||||||
boot.kernelPackages = pkgs.linuxPackages_5_15;
|
|
||||||
boot.kernelModules = [ "kvm-intel" ];
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
boot.blacklistedKernelModules = [ "iwlwifi" ];
|
boot.blacklistedKernelModules = [ "iwlwifi" ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
@ -24,6 +23,7 @@
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/A33B-F001";
|
{ device = "/dev/disk/by-uuid/A33B-F001";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
|
@ -18,6 +18,7 @@
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/8C30-F6DC";
|
{ device = "/dev/disk/by-uuid/8C30-F6DC";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
|
@ -18,6 +18,7 @@
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/E085-5F21";
|
{ device = "/dev/disk/by-uuid/E085-5F21";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
|
@ -8,9 +8,9 @@
|
||||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
|
boot.initrd.availableKernelModules = [ "ehci_pci" "ata_piix" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||||
boot.initrd.kernelModules = [ ];
|
boot.initrd.kernelModules = [ ];
|
||||||
boot.kernelModules = [ ];
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
|
@ -18,11 +18,6 @@
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
|
||||||
{ device = "/dev/disk/by-uuid/4E51-B390";
|
|
||||||
fsType = "vfat";
|
|
||||||
};
|
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
@ -30,13 +25,13 @@
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
networking.useDHCP = lib.mkDefault true;
|
networking.useDHCP = lib.mkDefault true;
|
||||||
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
|
# networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
hardware.cpu.intel.updateMicrocode = true;
|
hardware.cpu.intel.updateMicrocode = true;
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.grub.enable = true;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.grub.device = "/dev/sda";
|
||||||
|
|
||||||
nixpkgs.config.nvidia.acceptLicense = true;
|
nixpkgs.config.nvidia.acceptLicense = true;
|
||||||
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
|
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/315af039-6799-43ac-8999-7da69a6fbd1e";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/45B7-790E";
|
||||||
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.intel.updateMicrocode = true;
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
}
|
|
@ -6,8 +6,6 @@
|
||||||
network.enableRollback = true;
|
network.enableRollback = true;
|
||||||
|
|
||||||
rpi-1 = import ./rpi.nix { host = "rpi-1"; rpi4 = true; };
|
rpi-1 = import ./rpi.nix { host = "rpi-1"; rpi4 = true; };
|
||||||
rpi-2 = import ./rpi.nix { host = "rpi-2"; rpi4 = false; experimental-users = true; };
|
|
||||||
rpi-3 = import ./rpi.nix { host = "rpi-3"; rpi4 = true; };
|
|
||||||
rpi-4 = import ./rpi.nix { host = "rpi-4"; rpi4 = true; };
|
rpi-4 = import ./rpi.nix { host = "rpi-4"; rpi4 = true; };
|
||||||
zeus = import ./desktop.nix { host = "zeus"; };
|
zeus = import ./desktop.nix { host = "zeus"; };
|
||||||
hera = import ./desktop.nix { host = "hera"; };
|
hera = import ./desktop.nix { host = "hera"; };
|
||||||
|
@ -17,4 +15,9 @@
|
||||||
franz = import ./desktop.nix { host = "franz"; };
|
franz = import ./desktop.nix { host = "franz"; };
|
||||||
juno = import ./desktop.nix { host = "juno"; };
|
juno = import ./desktop.nix { host = "juno"; };
|
||||||
demeter = import ./desktop.nix { host = "demeter"; };
|
demeter = import ./desktop.nix { host = "demeter"; };
|
||||||
|
vulcan = import ./desktop.nix { host = "vulcan"; };
|
||||||
|
rc = import ./desktop.nix { host = "rc"; };
|
||||||
|
athena = import ./desktop.nix { host = "athena"; };
|
||||||
|
jupiter = import ./desktop.nix { host = "jupiter"; };
|
||||||
|
saturn = import ./desktop.nix { host = "saturn"; };
|
||||||
}
|
}
|
||||||
|
|
|
@ -21,6 +21,7 @@
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/D0A3-DDAE";
|
{ device = "/dev/disk/by-uuid/D0A3-DDAE";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||||
|
|
|
@ -0,0 +1,50 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/348c924c-1d86-44ff-84af-2594f414e7d0";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/1BDC-44BB";
|
||||||
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/opt" =
|
||||||
|
{ device = "/dev/disk/by-uuid/cf0f51b6-7b95-4c74-9390-37dc4c86f32b";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
hardware.cpu.intel.updateMicrocode = true;
|
||||||
|
|
||||||
|
system.stateVersion = "23.11";
|
||||||
|
}
|
|
@ -24,6 +24,7 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
|
services.openssh.authorizedKeysInHomedir = false;
|
||||||
services.openssh.settings.PasswordAuthentication = false;
|
services.openssh.settings.PasswordAuthentication = false;
|
||||||
services.openssh.settings.GatewayPorts = "clientspecified";
|
services.openssh.settings.GatewayPorts = "clientspecified";
|
||||||
services.openssh.extraConfig =
|
services.openssh.extraConfig =
|
||||||
|
@ -34,15 +35,12 @@ in
|
||||||
|
|
||||||
networking.hostName = host;
|
networking.hostName = host;
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = if host == "rpi-2" then [ 6000 ] else [];
|
|
||||||
|
|
||||||
time.timeZone = "Asia/Hong_Kong";
|
time.timeZone = "Asia/Hong_Kong";
|
||||||
|
|
||||||
users.extraGroups.plugdev = { };
|
users.extraGroups.plugdev = { };
|
||||||
users.mutableUsers = false;
|
users.mutableUsers = false;
|
||||||
users.defaultUserShell = pkgs.fish;
|
users.defaultUserShell = pkgs.fish;
|
||||||
users.extraUsers = (import ./common-users.nix { inherit pkgs; }) //
|
users.extraUsers = (import ./common-users.nix { inherit pkgs; }) // {
|
||||||
(pkgs.lib.optionalAttrs experimental-users (import ./experimental-users.nix { inherit pkgs; })) // {
|
|
||||||
nixbld = {
|
nixbld = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["plugdev" "dialout"];
|
extraGroups = ["plugdev" "dialout"];
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/51d521ec-4807-4b71-8a89-116b89f72d2e";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/877D-AF6A";
|
||||||
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
hardware.cpu.intel.updateMicrocode = true;
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
system.stateVersion = "24.05";
|
||||||
|
}
|
|
@ -0,0 +1,41 @@
|
||||||
|
{ config, lib, pkgs, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/disk/by-uuid/67168ae0-6448-4b40-b278-406290224b4f";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{ device = "/dev/disk/by-uuid/8F4B-AD84";
|
||||||
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [ ];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
hardware.cpu.intel.updateMicrocode = true;
|
||||||
|
|
||||||
|
system.stateVersion = "23.05";
|
||||||
|
}
|
|
@ -18,6 +18,7 @@
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/91B4-E546";
|
{ device = "/dev/disk/by-uuid/91B4-E546";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
|
@ -0,0 +1,49 @@
|
||||||
|
connections {
|
||||||
|
bypass-ipsec {
|
||||||
|
remote_addrs = 127.0.0.1
|
||||||
|
children {
|
||||||
|
bypass-isakmp-v4 {
|
||||||
|
local_ts = 0.0.0.0/0[udp/isakmp]
|
||||||
|
remote_ts = 0.0.0.0/0[udp/isakmp]
|
||||||
|
mode = pass
|
||||||
|
start_action = trap
|
||||||
|
}
|
||||||
|
bypass-isakmp-v6 {
|
||||||
|
local_ts = ::/0[udp/isakmp]
|
||||||
|
remote_ts = ::/0[udp/isakmp]
|
||||||
|
mode = pass
|
||||||
|
start_action = trap
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
m_labs {
|
||||||
|
version = 2
|
||||||
|
encap = no
|
||||||
|
mobike = no
|
||||||
|
send_certreq = no
|
||||||
|
proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
|
||||||
|
local_addrs = 103.206.98.1
|
||||||
|
remote_addrs = 94.190.212.123
|
||||||
|
local {
|
||||||
|
auth = pubkey
|
||||||
|
id = fqdn:igw0.hkg.as150788.net
|
||||||
|
pubkeys = igw0.hkg.as150788.net
|
||||||
|
}
|
||||||
|
remote {
|
||||||
|
auth = pubkey
|
||||||
|
id = fqdn:m-labs.hk
|
||||||
|
pubkeys = m-labs.hk
|
||||||
|
}
|
||||||
|
children {
|
||||||
|
con1 {
|
||||||
|
mode = transport
|
||||||
|
ah_proposals = sha256-curve25519,sha256-ecp256
|
||||||
|
esp_proposals =
|
||||||
|
local_ts = 103.206.98.1[gre]
|
||||||
|
remote_ts = 94.190.212.123[gre]
|
||||||
|
start_action = none
|
||||||
|
close_action = none
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue