fsagbuya
/
it-infra
forked from M-Labs/it-infra
1
0
Fork 0
Code Pull Requests Activity

Compare commits

merge into: fsagbuya:master
Branches Tags
fsagbuya:master
fsagbuya:134-intl-com
fsagbuya:134-deploy
fsagbuya:134-intl-configuration
fsagbuya:force-ssl-main-website
M-Labs:enable-mail-proxy-and-tunnel
M-Labs:master
M-Labs:134-intl-configuration
M-Labs:disable-spf-from-vps
...
pull from: M-Labs:master
Branches Tags
M-Labs:enable-mail-proxy-and-tunnel
M-Labs:master
M-Labs:134-intl-configuration
M-Labs:disable-spf-from-vps
fsagbuya:master
fsagbuya:134-intl-com
fsagbuya:134-deploy
fsagbuya:134-intl-configuration
fsagbuya:force-ssl-main-website

23 Commits
master ... master

Author SHA1 Message Date
Sebastien Bourdeauducq aaf70f36df nixops: remove user accounts 2024-09-13 13:23:15 +08:00
Sébastien Bourdeauducq 4a288abe2b nixbld: keep automatic flarum DB migrations 2024-09-10 17:12:44 +08:00
Sébastien Bourdeauducq 246a375dfb add remote IPsec settings 2024-09-05 14:36:37 +08:00
Sébastien Bourdeauducq 635f90f0c7 nixbld/flarum: use nix 2024-08-31 17:27:16 +08:00
Sébastien Bourdeauducq 8a187ba5b9 nixbld: SIT can take larger packets 2024-08-29 18:55:52 +08:00
Sébastien Bourdeauducq 9383227c5b nixbld: consistent netif variables 2024-08-29 18:53:33 +08:00
Sébastien Bourdeauducq 233998b8f3 nixbld: work around tunnel bring-up race condition 2024-08-29 18:40:17 +08:00
Sébastien Bourdeauducq 90a6b84c09 nixbld: work around tunnel TCPMSS issues 2024-08-29 18:39:52 +08:00
Sébastien Bourdeauducq 23e1fa029a nixbld: upgrade postgresql 2024-08-25 11:06:19 +08:00
Egor Savkin 75035b387e Skip SPF for mails originating from intl 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-08-20 10:59:27 +08:00
Sébastien Bourdeauducq 4f48ea611a nixops: remove wanglm user 2024-08-19 11:18:06 +08:00
Sébastien Bourdeauducq 6dc8214102 nixbld/backup: include gitea DB dump 2024-08-17 18:26:46 +08:00
Sébastien Bourdeauducq a6b216bb87 nixbld/gitea: move to postgresql 2024-08-17 18:18:56 +08:00
Sébastien Bourdeauducq 6e21a95ba8 nixbld/named: add qnetp slave DNS for m-labs-intl.com 2024-08-15 19:52:42 +08:00
Sébastien Bourdeauducq d08186a27a nixbld/named: enable CAA for m-labs-intl.com 2024-08-14 11:52:25 +08:00
Sébastien Bourdeauducq 5d132565e6 nixbld/named: add hooks.m-labs-intl.com 2024-08-14 11:42:38 +08:00
Sébastien Bourdeauducq 97ca7ea3ce nixbld: mail setup for m-labs-intl.com WIP 2024-08-14 11:38:19 +08:00
Sébastien Bourdeauducq e24c167f8b Revert "nixbld: block SAP spam" 
Option seems to have no effect.

This reverts commit b769b47075.
 2024-08-14 10:58:49 +08:00
Egor Savkin 18194be5c3 nixbld: deploy web2019 to the intl domain 
Co-authored-by: Egor Savkin <es@m-labs.hk>
Co-committed-by: Egor Savkin <es@m-labs.hk>
 2024-08-14 10:54:52 +08:00
Sébastien Bourdeauducq 7781d6236e nixbld/rt: disable TCP 2024-08-11 12:19:15 +08:00
Sébastien Bourdeauducq 93e19c74e9 nixbld/rt: use psql peer authentication 2024-08-11 12:12:28 +08:00
Sébastien Bourdeauducq 4ccab3cf2b nixbld: remove outdated DNS records 2024-08-05 19:13:34 +08:00
Sebastien Bourdeauducq 69fe8c9866 nixbld: add flo user 2024-08-01 07:32:11 +08:00
10 changed files with 10058 additions and 90 deletions
Show Stats Expand all files Collapse all files

3
nixbld-etc-nixos/backup-module.nix
View File

@ -26,9 +26,10 @@ let
${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql ${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql
exec 6< /etc/nixos/secret/backup-passphrase exec 6< /etc/nixos/secret/backup-passphrase
${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \ ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \
${pkgs.bzip2}/bin/bzip2 | \ ${pkgs.bzip2}/bin/bzip2 | \
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6 ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
''; '';

93
nixbld-etc-nixos/configuration.nix
View File

@ -6,6 +6,8 @@ let
netifLan = "enp5s0f1"; netifLan = "enp5s0f1";
netifWifi = "wlp6s0"; netifWifi = "wlp6s0";
netifSit = "henet0"; netifSit = "henet0";
netifAlt = "alt0";
netifAltVlan = "vlan0";
hydraWwwOutputs = "/var/www/hydra-outputs"; hydraWwwOutputs = "/var/www/hydra-outputs";
in in
{ {
@ -176,11 +178,20 @@ in
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
iptables -w -A FORWARD -j block-insecure-devices iptables -w -A FORWARD -j block-insecure-devices
iptables -w -N pccw-sucks
iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
iptables -w -A FORWARD -j pccw-sucks
''; '';
extraStopCommands = '' extraStopCommands = ''
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
iptables -w -F block-insecure-devices 2>/dev/null|| true iptables -w -F block-insecure-devices 2>/dev/null|| true
iptables -w -X block-insecure-devices 2>/dev/null|| true iptables -w -X block-insecure-devices 2>/dev/null|| true
iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
iptables -w -F pccw-sucks 2>/dev/null|| true
iptables -w -X pccw-sucks 2>/dev/null|| true
''; '';
}; };
sits."${netifSit}" = { sits."${netifSit}" = {
@ -193,14 +204,14 @@ in
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }]; addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
routes = [{ address = "::"; prefixLength = 0; }]; routes = [{ address = "::"; prefixLength = 0; }];
}; };
greTunnels.alt0 = { greTunnels."${netifAlt}" = {
dev = netifWan; dev = netifWan;
remote = "103.206.98.1"; remote = "103.206.98.1";
local = "94.190.212.123"; local = "94.190.212.123";
ttl = 255; ttl = 255;
type = "tun"; type = "tun";
}; };
interfaces.alt0 = { interfaces."${netifAlt}" = {
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "103.206.98.227"; address = "103.206.98.227";
@ -217,12 +228,12 @@ in
]; ];
}; };
vlans = { vlans = {
vlan0 = { "${netifAltVlan}" = {
id = 2; id = 2;
interface = netifLan; interface = netifLan;
}; };
}; };
interfaces.vlan0 = { interfaces."${netifAltVlan}" = {
ipv4.addresses = [{ ipv4.addresses = [{
address = "103.206.98.200"; address = "103.206.98.200";
prefixLength = 29; prefixLength = 29;
@ -255,7 +266,7 @@ in
id = "fqdn:igw0.hkg.as150788.net"; id = "fqdn:igw0.hkg.as150788.net";
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ]; pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
}; };
children.alt0 = { children."${netifAlt}" = {
mode = "transport"; mode = "transport";
ah_proposals = [ "sha256-curve25519" ]; ah_proposals = [ "sha256-curve25519" ];
remote_ts = [ "103.206.98.1[gre]" ]; remote_ts = [ "103.206.98.1[gre]" ];
@ -263,6 +274,11 @@ in
start_action = "start"; start_action = "start";
}; };
}; };
# prevent race condition similar to https://github.com/NixOS/nixpkgs/issues/27070
systemd.services.strongswan-swanctl = {
after = [ "network-addresses-${netifAlt}.service" ];
requires = [ "network-addresses-${netifAlt}.service" ];
};
systemd.services.network-custom-route-backup = { systemd.services.network-custom-route-backup = {
wantedBy = [ "network.target" ]; wantedBy = [ "network.target" ];
@ -375,10 +391,14 @@ in
notify explicit; notify explicit;
also-notify { also-notify {
216.218.130.2; # ns1.he.net 216.218.130.2; # ns1.he.net
213.239.220.50; # ns1.qnetp.net
88.198.32.245; # new qnetp
}; };
''; '';
slaves = [ slaves = [
"216.218.133.2" "2001:470:600::2" # slave.dns.he.net "216.218.133.2" "2001:470:600::2" # slave.dns.he.net
"213.239.220.50" "2a01:4f8:a0:7041::1" # ns1.qnetp.net
"88.198.32.245" # new qnetp
]; ];
}; };
"200-29.98.206.103.in-addr.arpa" = { "200-29.98.206.103.in-addr.arpa" = {
@ -620,6 +640,13 @@ in
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
]; ];
}; };
users.extraUsers.flo = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
];
};
users.extraUsers.derppening = { users.extraUsers.derppening = {
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
@ -651,6 +678,10 @@ in
job = web:web:web job = web:web:web
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
</runcommand> </runcommand>
<runcommand>
job = web:web:web-intl
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@5.78.86.156:/var/www/m-labs-intl.com/html/
</runcommand>
<runcommand> <runcommand>
job = web:web:nmigen-docs job = web:web:nmigen-docs
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
@ -762,6 +793,10 @@ in
services.gitea = { services.gitea = {
enable = true; enable = true;
appName = "M-Labs Git"; appName = "M-Labs Git";
database = {
type = "postgres";
socket = "/run/postgresql";
};
mailerPasswordFile = "/etc/nixos/secret/mailerpassword"; mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
settings = { settings = {
server = { server = {
@ -809,12 +844,20 @@ in
siteUrl = "https://chat.m-labs.hk/"; siteUrl = "https://chat.m-labs.hk/";
mutableConfig = true; mutableConfig = true;
}; };
services.postgresql.package = pkgs.postgresql_12;
services.matterbridge = { services.matterbridge = {
enable = true; enable = true;
configPath = "/etc/nixos/secret/matterbridge.toml"; configPath = "/etc/nixos/secret/matterbridge.toml";
}; };
services.postgresql = {
package = pkgs.postgresql_15;
settings.listen_addresses = pkgs.lib.mkForce "";
identMap =
''
rt rt rt_user
'';
};
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in { nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
nix = super.nix.overrideAttrs(oa: { nix = super.nix.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ]; patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
@ -1025,15 +1068,6 @@ in
"forum.m-labs.hk" = { "forum.m-labs.hk" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
root = "/var/www/flarum/public";
locations."~ \.php$".extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
fastcgi_index index.php;
'';
extraConfig = ''
index index.php;
include /var/www/flarum/.nginx.conf;
'';
}; };
"perso.m-labs.hk" = { "perso.m-labs.hk" = {
addSSL = true; addSSL = true;
@ -1105,23 +1139,18 @@ in
}; };
}; };
}; };
services.mysql = { services.mysql = {
enable = true; enable = true;
package = pkgs.mariadb; package = pkgs.lib.mkForce pkgs.mariadb;
ensureDatabases = pkgs.lib.mkForce [];
ensureUsers = pkgs.lib.mkForce [];
}; };
services.phpfpm.pools.flarum = { services.flarum = {
user = "nobody"; enable = true;
settings = { package = pkgs.callPackage ./flarum {};
"listen.owner" = "nginx"; domain = "forum.m-labs.hk";
"listen.group" = "nginx"; createDatabaseLocally = true;
"listen.mode" = "0600";
"pm" = "dynamic";
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
};
}; };
services.rt = { services.rt = {
@ -1154,11 +1183,11 @@ in
enable = true; enable = true;
localDnsResolver = false; # conflicts with dnsmasq localDnsResolver = false; # conflicts with dnsmasq
fqdn = "mail.m-labs.hk"; fqdn = "mail.m-labs.hk";
domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ]; domains = [ "m-labs.hk" "m-labs.ph" "m-labs-intl.com" "193thz.com" "malloctech.fr" ];
enablePop3 = true; enablePop3 = true;
enablePop3Ssl = true; enablePop3Ssl = true;
certificateScheme = "acme-nginx"; certificateScheme = "acme-nginx";
rejectSender = [ "sapcloudsupport@alerts.ondemand.com" ]; policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
} // (import /etc/nixos/secret/email_settings.nix); } // (import /etc/nixos/secret/email_settings.nix);
services.roundcube = { services.roundcube = {
enable = true; enable = true;

9876
nixbld-etc-nixos/flarum/composer.lock generated Normal file
View File

File diff suppressed because it is too large Load Diff

39
nixbld-etc-nixos/flarum/default.nix Normal file
View File

@ -0,0 +1,39 @@
{
lib,
php,
fetchFromGitHub,
fetchpatch,
}:
php.buildComposerProject (finalAttrs: {
pname = "flarum";
version = "1.8.1";
src = fetchFromGitHub {
owner = "flarum";
repo = "flarum";
rev = "v${finalAttrs.version}";
hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
};
patches = [
# Add useful extensions from https://github.com/FriendsOfFlarum
# Extensions included: fof/upload, fof/polls, fof/subscribed
./fof-extensions.patch
];
composerLock = ./composer.lock;
composerStrictValidation = false;
vendorHash = "sha256-z3KVGmILw8MZ4aaSf6IP/0l16LI/Y2yMzY2KMHf4qSg=";
meta = with lib; {
changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
description = "Flarum is a delightfully simple discussion platform for your website";
homepage = "https://github.com/flarum/flarum";
license = lib.licenses.mit;
maintainers = with maintainers; [
fsagbuya
jasonodoom
];
};
})

16
nixbld-etc-nixos/flarum/fof-extensions.patch Normal file
View File

@ -0,0 +1,16 @@
diff --git a/composer.json b/composer.json
index c63b5f8..5ad1186 100644
--- a/composer.json
+++ b/composer.json
@@ -37,7 +37,10 @@
"flarum/sticky": "*",
"flarum/subscriptions": "*",
"flarum/suspend": "*",
- "flarum/tags": "*"
+ "flarum/tags": "*",
+ "fof/polls": "*",
+ "fof/subscribed": "*",
+ "fof/upload": "*"
},
"config": {
"preferred-install": "dist",

13
nixbld-etc-nixos/named/m-labs-intl.com
View File

@ -1,7 +1,7 @@
$TTL 7200 $TTL 7200
@ SOA ns.m-labs-intl.com. sb.m-labs.hk. ( @ SOA ns.m-labs-intl.com. sb.m-labs.hk. (
2024060601 2024081503
7200 7200
3600 3600
86400 86400
@ -10,11 +10,22 @@ $TTL 7200
NS ns.m-labs-intl.com. NS ns.m-labs-intl.com.
NS ns1.he.net. NS ns1.he.net.
NS ns1.qnetp.net.
A 5.78.86.156 A 5.78.86.156
AAAA 2a01:4ff:1f0:83de::1 AAAA 2a01:4ff:1f0:83de::1
MX 10 mail.m-labs-intl.com.
TXT "v=spf1 mx -all"
TXT "google-site-verification=BlQd5_5wWW7calKC7bZA0GdoxR8-zj4gwJEg9sGJ3l8"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1768317117"
ns A 94.190.212.123 ns A 94.190.212.123
ns AAAA 2001:470:18:390::2 ns AAAA 2001:470:18:390::2
mail A 5.78.86.156
mail AAAA 2a01:4ff:1f0:83de::1
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
www CNAME @ www CNAME @
hooks CNAME @

12
nixbld-etc-nixos/named/m-labs.hk
View File

@ -1,7 +1,7 @@
$TTL 7200 $TTL 7200
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. ( @ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
2024060201 2024080501
7200 7200
3600 3600
86400 86400
@ -43,17 +43,7 @@ files CNAME @
docs CNAME @ docs CNAME @
rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93 rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93
rpi-2 AAAA 2001:470:f891:1:ba27:ebff:fef0:e9e6
rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9 rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9
chiron AAAA 2001:470:f891:1:7f02:9ebf:bee9:3dc7
old-nixbld AAAA 2001:470:f891:1:a07b:f49a:a4ef:aad9
zeus AAAA 2001:470:f891:1:4fd7:e70a:68bf:e9c1
franz AAAA 2001:470:f891:1:1b65:a743:2335:f5c6
hera AAAA 2001:470:f891:1:8b5e:404d:ef4e:9d92
hestia AAAA 2001:470:f891:1:881c:f409:a090:8401
vulcan AAAA 2001:470:f891:1:105d:3f15:bd53:c5ac
aux A 42.200.147.171
router.alt A 103.206.98.200 router.alt A 103.206.98.200
stewardship1.alt A 103.206.98.201 stewardship1.alt A 103.206.98.201

18
nixbld-etc-nixos/rt.nix
View File

@ -19,14 +19,9 @@ let
Set($Timezone, '${cfg.timeZone}'); Set($Timezone, '${cfg.timeZone}');
Set($DatabaseType, 'Pg'); Set($DatabaseType, 'Pg');
Set($DatabaseHost, 'localhost'); Set($DatabaseHost, '/run/postgresql');
Set($DatabaseUser, 'rt_user'); Set($DatabaseUser, 'rt');
Set($DatabaseName, 'rt5'); Set($DatabaseName, 'rt5');
# Read database password from file
open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
my $dbpw = do { local $/; <$fh> };
$dbpw =~ s/^\s+|\s+$//g;
Set($DatabasePassword, $dbpw);
# System (Logging) # System (Logging)
Set($LogToSTDERR, undef); # Don't log twice Set($LogToSTDERR, undef); # Don't log twice
@ -154,13 +149,6 @@ in {
type = str; type = str;
}; };
dbPasswordFile = mkOption {
description = "File containing the database password";
type = str;
default = "/etc/nixos/secret/rtpasswd";
internal = true;
};
domain = mkOption { domain = mkOption {
description = "Which domain RT is running on"; description = "Which domain RT is running on";
type = str; type = str;
@ -245,8 +233,6 @@ in {
PrivateNetwork = false; PrivateNetwork = false;
MemoryDenyWriteExecute = false; MemoryDenyWriteExecute = false;
ReadOnlyPaths = [ cfg.dbPasswordFile ];
}; };
environment = { environment = {

29
nixops/common-users.nix
View File

@ -111,35 +111,6 @@
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg==" "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
]; ];
}; };
architeuthis = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMhLPEGWDUauFHjiVduBMJrIMKT8SvtTDHXDVudUZrhewQy08h4NEEyWmczP4WMeyugI/L/a+J+Vc8mImgqSoHw52823LVcnR9EKnJoqnwAHU/J+41vIWAN2LAryd4p9yg=="
];
};
abdul = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
];
};
lyken = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ88QJlh/+F/xwXQlPEmQVmtycb8FfabxCdeiP3gTHUCV8y4PLh3ubY+EsY+Xhy/GlOAPdX7KSpiII3dndYfwZWzorXVoPBhhPKEIumFBOinWfp5kRVzWOD61gCwsYoVBg=="
];
};
wanglm = {
isNormalUser = true;
extraGroups = ["plugdev" "dialout"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNhRITe/qj/zvW2dZbXNmyJxLHPgJAynlWh6NCGGarJbkhj8c1UFLUo2Hv7xqGil4PZnPGru4WwHX0RhWS/I39UPzfVvuntRGenNqqpo2T9Ble80QCawpZ2c07w7FkVq7g=="
];
};
dpn = { dpn = {
isNormalUser = true; isNormalUser = true;

49
remote-ipsec.txt Normal file
View File

@ -0,0 +1,49 @@
connections {
bypass-ipsec {
remote_addrs = 127.0.0.1
children {
bypass-isakmp-v4 {
local_ts = 0.0.0.0/0[udp/isakmp]
remote_ts = 0.0.0.0/0[udp/isakmp]
mode = pass
start_action = trap
}
bypass-isakmp-v6 {
local_ts = ::/0[udp/isakmp]
remote_ts = ::/0[udp/isakmp]
mode = pass
start_action = trap
}
}
}
m_labs {
version = 2
encap = no
mobike = no
send_certreq = no
proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
local_addrs = 103.206.98.1
remote_addrs = 94.190.212.123
local {
auth = pubkey
id = fqdn:igw0.hkg.as150788.net
pubkeys = igw0.hkg.as150788.net
}
remote {
auth = pubkey
id = fqdn:m-labs.hk
pubkeys = m-labs.hk
}
children {
con1 {
mode = transport
ah_proposals = sha256-curve25519,sha256-ecp256
esp_proposals =
local_ts = 103.206.98.1[gre]
remote_ts = 94.190.212.123[gre]
start_action = none
close_action = none
}
}
}
}