Compare commits

...

246 Commits

Author SHA1 Message Date
Sebastien Bourdeauducq ec40a17f1c add alternate USB ID for LibreVNA 1 week ago
Sebastien Bourdeauducq 62897304cc update udev USB devices 1 week ago
Sebastien Bourdeauducq 68539bcb37 juno: nvidia license 2 weeks ago
Sebastien Bourdeauducq fc3434d3d7 desktop: NixOS 23.11 2 weeks ago
Sebastien Bourdeauducq e9801c8ca3 nixbld: fix hydra job name for msys2 nac3 packages 2 weeks ago
Sebastien Bourdeauducq 3cbd3f5bf3 nixbld: try ACME-CAA 3 weeks ago
Sebastien Bourdeauducq b62479ecc1 desktop: 32-bit compat 1 month ago
Sebastien Bourdeauducq 40b29da7bd desktop: openssl workaround 1 month ago
Sebastien Bourdeauducq 351229b866 update sb key 1 month ago
Sebastien Bourdeauducq b10f158a48 nixbld: update CPU microcode 2 months ago
Sebastien Bourdeauducq 68333e5616 nixbld: add DNS entries for nasty-gareth.alt 2 months ago
Sebastien Bourdeauducq 656d4e1901 nixbld: add derppening user 3 months ago
Sebastien Bourdeauducq 60fe5a91de nixbld: backup 193THz.com 3 months ago
Sebastien Bourdeauducq e5257122b1 nixbld: host 193thz.com 3 months ago
Sebastien Bourdeauducq a4ebfb23e4 nixops: add derppening user 3 months ago
Sebastien Bourdeauducq 522accf0a8 nixbld: fix sending email to altnet 3 months ago
Sebastien Bourdeauducq 6550ad5302 nixbld: debloat backups 3 months ago
Sebastien Bourdeauducq ccc08184e4 nixops: update permitted openssl version 4 months ago
Sebastien Bourdeauducq 4c9d96dae3 nixbld: add HP printer to firewall blocklist 4 months ago
Sebastien Bourdeauducq 9ebdb06699 nixbld: add dpn user 4 months ago
Sebastien Bourdeauducq 98072481e7 nixbld: add atse.alt.m-labs.hk 4 months ago
Sebastien Bourdeauducq 4247301a62 desktop: uninstall xpra 4 months ago
Sebastien Bourdeauducq a9ca6a4f7b desktop: uninstall tigervnc 4 months ago
Sebastien Bourdeauducq b247c38dc6 desktop: install gqrx 4 months ago
Sebastien Bourdeauducq 0bd10ba44c avscan: fix OnCalendar string 5 months ago
Sebastien Bourdeauducq 454130650f add clamav scan 5 months ago
Sebastien Bourdeauducq c89551c610 nixbld: open strongswan ports 5 months ago
Sebastien Bourdeauducq 6ec5e436a2 nixbld: fix altnet routing 5 months ago
Sebastien Bourdeauducq 4d17e7c293 add VLAN settings 5 months ago
Sebastien Bourdeauducq 39a6ea69f6 nixbld: altnet setup 5 months ago
Sebastien Bourdeauducq c2c7e67549 nixbld: block zyxel cloud switch 5 months ago
Sebastien Bourdeauducq 4c62ba7f9d nixbld: block hikvision device 5 months ago
Sebastien Bourdeauducq 257c2dc432 nixbld: fix mysql backup auth 5 months ago
Sebastien Bourdeauducq e2c2dbbeeb nixbld: autostart iPXE HTTP boot 5 months ago
Sebastien Bourdeauducq a9ee77b9e8 nixbld: serve iPXE on LAN 5 months ago
Sebastien Bourdeauducq 5034ca20ce nixops: remove den512 user 5 months ago
Sebastien Bourdeauducq a6cdeb134c nixops: add atse user 6 months ago
Sebastien Bourdeauducq c5cf50be9d nixops: remove twlaw user 6 months ago
Sebastien Bourdeauducq dbd20c6418 nixbld: update simple-nixos-mailserver 6 months ago
Sebastien Bourdeauducq 5b97509351 nixops: add demeter machine 6 months ago
Sebastien Bourdeauducq 31642415a2 nixops: add morgan user 6 months ago
Sebastien Bourdeauducq 10405dbcd5 nixops: add juno machine 6 months ago
Sebastien Bourdeauducq b810c84f6d nixops: update CPU microcodes 6 months ago
Sebastien Bourdeauducq 63a01abbc1 add Linus user 6 months ago
Sebastien Bourdeauducq 2227e816bc nixbld: update dnsmasq settings 6 months ago
Sebastien Bourdeauducq 6b35c751d8 nixbld: NixOS 23.05 compatibility 6 months ago
Sebastien Bourdeauducq 7177c0c66a nixops: fix openssl permitted package 6 months ago
Sebastien Bourdeauducq 5497d5d124 nixops: update users 6 months ago
Sebastien Bourdeauducq d21c31aae5 nixbld: add esavkin to lp group 6 months ago
Sebastien Bourdeauducq f5837877d2 nixbld: increase nextcloud max upload size 6 months ago
Sebastien Bourdeauducq 6b36d3280d nixops: nixos 23.05 SSH config 7 months ago
Sebastien Bourdeauducq 77ba57e8fa disable X11 forwarding (replaced with waypipe) 7 months ago
Sebastien Bourdeauducq c4918ac478 nixops: nixos 23.05 compat 7 months ago
Sebastien Bourdeauducq ffb286ba05 nixops: work around openssl3 pam_p11 breakage 7 months ago
Sebastien Bourdeauducq 2f704a7534 desktop: install waypipe 7 months ago
Sebastien Bourdeauducq 2813d2c8cd desktop: install xournal 8 months ago
Sebastien Bourdeauducq 5223d9fd89 afws: move more code into module file, use new reload mechanism 8 months ago
Sebastien Bourdeauducq 0640cfad04 nixbld: increase AFWS WebSocket timeout 8 months ago
Sebastien Bourdeauducq 6c6f11ed7d nixbld: set up ACME certificate for AFWS 8 months ago
Sebastien Bourdeauducq 0442916420 nixbld: afws websocket proxy settings 8 months ago
Sebastien Bourdeauducq c8c38f79c0 nixbld: set recommendedTlsSettings 8 months ago
Sebastien Bourdeauducq b7d9df794e nixbld: close legacy firewall ports 8 months ago
Sebastien Bourdeauducq 6507e3a679 vscode -> vscodium 8 months ago
Sebastien Bourdeauducq 933fa8bb84 add flo user 9 months ago
Sebastien Bourdeauducq 622cc04c5e remove aux config 9 months ago
Sebastien Bourdeauducq 6d31b77f0e add .ph site 9 months ago
Sebastien Bourdeauducq 253094dc13 nixops: remove rpi-server 9 months ago
Sebastien Bourdeauducq 488f5758a3 nixops: prefer LAN cache 9 months ago
Sebastien Bourdeauducq 66bdf4b939 nixops: remove topquark12 user 9 months ago
Sebastien Bourdeauducq ff37c5949e nixbld: add esavkin 9 months ago
Sebastien Bourdeauducq 22900dc926 nixops: remove creotech user 10 months ago
Sebastien Bourdeauducq 8ea7b06218 remove therobs12 user 10 months ago
Sebastien Bourdeauducq c9f774d011 nixbld: install labelprinter 10 months ago
Sebastien Bourdeauducq 28902ae068 nixops: fix gnome-keyring/ssh-agent conflict, install geary on desktops 10 months ago
Sebastien Bourdeauducq 5a6e269605 nixops: add users 10 months ago
Sebastien Bourdeauducq 1782a41ce6 nixops: remove wlph17 user 10 months ago
Sebastien Bourdeauducq 9babd68652 nixbld: give backupdl access to nextcloud 10 months ago
Sebastien Bourdeauducq b3f5f687aa nixbld: cleanup backupdl keys 10 months ago
Sebastien Bourdeauducq af27584100 nixbld: remove topquark12 user 10 months ago
Sebastien Bourdeauducq 4c7a2dfce3 nixbld: label printer permissions 10 months ago
Sebastien Bourdeauducq 30fa569bdc nixbld: block more insecure devices 10 months ago
Sebastien Bourdeauducq 9dee7c1888 nixbld: update backupdl key 10 months ago
Sebastien Bourdeauducq 0faa05aec3 nixbld: add back qnetp DNS 10 months ago
Sebastien Bourdeauducq 21a7d1c36e nixbld: update LAN AAAA records 10 months ago
Sebastien Bourdeauducq faff3a5eef nixbld: relocation 10 months ago
Sebastien Bourdeauducq 3210289ebf fix *.mil DNS lookups 10 months ago
Sebastien Bourdeauducq dd0ebf1c47 nixbld: move to he.net DNS 11 months ago
Sebastien Bourdeauducq 2c770e9929 nixbld: better workaround against crappy registrar without glue records
PCCW's static.imsbiz.com is wonky and not always available for all IPs, so stop using it.
11 months ago
Sebastien Bourdeauducq 06db9dd054 franz: intel_idle is still buggy 11 months ago
Sebastien Bourdeauducq fb54880765 nixbld: start rt-fetchmail after dovecot 11 months ago
Sebastien Bourdeauducq ea0b7d6dc7 nixbld: enable POP3 12 months ago
Sebastien Bourdeauducq 3b224c56aa nixbld: ignore local IP for fail2ban 12 months ago
Sebastien Bourdeauducq 755bfaf593 aux: fix plugdev group 12 months ago
Sebastien Bourdeauducq 162ad28a52 hydra: allow eval from duke gitlab 12 months ago
Sebastien Bourdeauducq 141f303a09 desktop: install jinja2 and latex 12 months ago
Sebastien Bourdeauducq a0f39a611c aux: add sb to plugdev 12 months ago
Sebastien Bourdeauducq 0052d22c9e aux: label printer permissions 1 year ago
Sebastien Bourdeauducq dbc9f4c68d remote setup 1 year ago
Sebastien Bourdeauducq f518eb1470 nixops: remove esavkin temp key 1 year ago
Sebastien Bourdeauducq 8f138ca016 nixops: add srayman89 user 1 year ago
Sebastien Bourdeauducq 15d99bc68b nixbld: persist DNSSEC private key
https://github.com/NixOS/nixpkgs/issues/204391
1 year ago
Sebastien Bourdeauducq 70a7ce5d30 nixbld: remove obsolete ssh key 1 year ago
Sebastien Bourdeauducq 2af492e37e nixbld: NixOS 22.11 1 year ago
Sebastien Bourdeauducq 3e0fb18e8c aux: update network driver 1 year ago
Sebastien Bourdeauducq 9930b9a6df nixops: nixos 22.11 1 year ago
Sebastien Bourdeauducq 530108554c nixops: remove obsolete config 1 year ago
Sebastien Bourdeauducq 31a877fdd3 aux: nixos 22.11 1 year ago
Sebastien Bourdeauducq bfeea65383 aux: scanning 1 year ago
Sebastien Bourdeauducq 88dd1a5fc4 nixbld: update therobs shell 1 year ago
Sebastien Bourdeauducq cecda7e28b nixbld: update users 1 year ago
Sebastien Bourdeauducq 2d9b7767a6 nixbld: enable aarch64-linux binfmt emulation 1 year ago
Sebastien Bourdeauducq a7450362ce aux: ipv6 1 year ago
Sebastien Bourdeauducq fb745a11e3 nixbld: new msys2 repos 1 year ago
Sebastien Bourdeauducq 150fac48bf nixops: remove yuk user 1 year ago
Sebastien Bourdeauducq 9624dec47a nixops: use wayland versions of thunderbird and firefox 1 year ago
Sebastien Bourdeauducq d061a3386c nixops: add wlph17 user 1 year ago
Sebastien Bourdeauducq e31c796266 simplify aarch64 nix remote builds 1 year ago
Sebastien Bourdeauducq 2448fe7d20 aux: use 192.168.1.x on LAN
match default ARTIQ core device IPs
1 year ago
Sebastien Bourdeauducq bc848547fd aux: chiron port redirect 1 year ago
Sebastien Bourdeauducq 0c8019516d nixbld: fix bind DNSSEC configuration for new version
https://gitlab.isc.org/isc-projects/bind9/-/issues/3554
1 year ago
Sebastien Bourdeauducq 98f8183f0a aux: block more devices 1 year ago
Sebastien Bourdeauducq bace5b59aa nixops: old-nixbld amd gpu 1 year ago
Sebastien Bourdeauducq 9868d51ec5 nixops: new old-nixbld hardware 1 year ago
Sebastien Bourdeauducq b9299a79a1 nixops: temporary ssh key for esavkin 1 year ago
Sebastien Bourdeauducq d2bfca1f25 nixbld: serve nmigen docs 1 year ago
Sebastien Bourdeauducq 74f56f7ccc aux: add backupdl 1 year ago
Sebastien Bourdeauducq a3edbfa316 aux: nix settings 1 year ago
Sebastien Bourdeauducq 50b7482100 aux: install nixops 1 year ago
Sebastien Bourdeauducq afcd0f8c0a aux: remove ssh reverse proxy 1 year ago
Sebastien Bourdeauducq 4ca9ef4e73 aux: block insecure devices 1 year ago
Sebastien Bourdeauducq 4f78630024 aux: new network card 1 year ago
Sebastien Bourdeauducq 9bc617a019 nixbld: fix munin auth 1 year ago
Sebastien Bourdeauducq 4b23f8d66f nixbld: update DNS zone 1 year ago
Sebastien Bourdeauducq 9216ef519e nixops: remove juno machine 1 year ago
Sebastien Bourdeauducq 97ba57fbcd aux: replace garbage r8169 driver from mainline kernel 1 year ago
Sebastien Bourdeauducq e2e4b0842a nixbld: add yuk account 1 year ago
Sebastien Bourdeauducq de8809f52a aux: fix printer sharing 1 year ago
Sebastien Bourdeauducq 0ce1e64d60 rpi-server: remove cups 1 year ago
Sebastien Bourdeauducq 47be5dc72e nixops: add esavkin user 1 year ago
Sebastien Bourdeauducq a815367e07 nixops: remove cnc machine 1 year ago
Sebastien Bourdeauducq dba987be15 aux: ssh reverse proxy
https://spoton.cz/index.php/2017/12/04/reverse-ssh-proxy-with-systemd/
1 year ago
Sebastien Bourdeauducq e15b25055b add aux router configuration 1 year ago
Sebastien Bourdeauducq 382c8bfaab nixbld: add aux key for backupdl 1 year ago
Sebastien Bourdeauducq ac022776e7 nixbld: SSH reverse proxy setup 1 year ago
Sebastien Bourdeauducq e9b02d0c72 nixbld: disable kk105 account 1 year ago
Sebastien Bourdeauducq e75b5959c2 nixops: install inkscape 1 year ago
Sebastien Bourdeauducq e29943f3f8 nixops: remove joplin 1 year ago
Sebastien Bourdeauducq f8e01cab2b nixops: install vscodevim 1 year ago
Sebastien Bourdeauducq 8f32828342 nixops: remove user accounts 1 year ago
Sebastien Bourdeauducq cd215e9e66 nixbld: backup hedgedoc 1 year ago
Sebastien Bourdeauducq 663e030aa8 nixbld: update named zone serial 1 year ago
Sebastien Bourdeauducq 365ec54358 nixbld: install hedgedoc 1 year ago
Sebastien Bourdeauducq 20175f7bc0 nixbld: rfc2181 forbids mx cname 1 year ago
Sebastien Bourdeauducq 66a517c64a add yuk user 1 year ago
Sebastien Bourdeauducq 05cf3524f0 nixops: remove z78078 user 1 year ago
Sebastien Bourdeauducq dc8db5fbee rfq: do not write email password to the Nix store 1 year ago
Sebastien Bourdeauducq dc08412ba2 update email settings 1 year ago
Sebastien Bourdeauducq 13bfee7be2 switch email server 1 year ago
Sebastien Bourdeauducq a517d429ab work around Google DNS geolocation fuckup 1 year ago
Sebastien Bourdeauducq 077e963d4a nixops: cnc reinstall 1 year ago
Sebastien Bourdeauducq 7dc4866314 nixbld: more email setup 1 year ago
Sebastien Bourdeauducq 5f7cb6113e nixbld: block siglent internet 1 year ago
Sebastien Bourdeauducq a147bb3883 nixbld: add topquark12 1 year ago
Sebastien Bourdeauducq 80ee7911cd nixbld: disable jitsi
Jitsi is bloated and overly complex, and the NixOS package is too limited.
https://discourse.nixos.org/t/setting-up-authentication-on-a-jitsi-server/17549
1 year ago
Sebastien Bourdeauducq 66d7dd6efe nixbld: enable more fail2ban filters 1 year ago
Sebastien Bourdeauducq 93a40ea87d nixbld: reduce gitea spamminess 1 year ago
Sebastien Bourdeauducq 96537e1fb7 rpi-ext: bind cups to localhost 1 year ago
Sebastien Bourdeauducq eb42f0718c nixops: wifi on rpi4 needs pkgs.linuxPackages_rpi4 1 year ago
Sebastien Bourdeauducq e5250c88fb nixbld: web/hydra setup for flakes in ARTIQ stable 1 year ago
Sebastien Bourdeauducq 276d651b96 nixops: use correct openocd package for rpi 1 year ago
Sebastien Bourdeauducq ef492c5710 rpi: hardware patch for fan 1 year ago
Sebastien Bourdeauducq 048863593a nixbld: remove obsolete ACME workaround 1 year ago
Sebastien Bourdeauducq 328a85c504 nixbld: install nextcloud 1 year ago
Sebastien Bourdeauducq 3ef19cbe93 nixbld: m-labs.hk DNS zone 1 year ago
Sebastien Bourdeauducq 6333165321 nixbld: setup email server for m-labs.hk 1 year ago
Sebastien Bourdeauducq 8bc44199fc nixbld: make bind CLI tools available 1 year ago
Sebastien Bourdeauducq 66a7a29b0a nixbld: do not create backups during ZFS scrubs 1 year ago
Sebastien Bourdeauducq cef6b7263a nixbld: backup mail 1 year ago
Sebastien Bourdeauducq 08ab958a76 nixbld: use semi-automatic DNSSEC 1 year ago
Sebastien Bourdeauducq 3909d7428d nixbld: DNS server (WIP) 1 year ago
Sebastien Bourdeauducq 70ad63ca56 nixbld: block internet access on insecure device 1 year ago
Sebastien Bourdeauducq 836d01b0c0 nixops: add z78078 user 1 year ago
Sebastien Bourdeauducq 6cb5c84a9b nixbld: enable mail server again 1 year ago
Sebastien Bourdeauducq 2df3b02f29 xc3sprog fixed 1 year ago
Sebastien Bourdeauducq 60e00349ee nixops: new disk in juno 1 year ago
Sebastien Bourdeauducq 7f599bdbc9 nixbld: remove gitea patch (merged upstream) 2 years ago
Sebastien Bourdeauducq ae5e85d611 nixbld: re-add networked derivations patch 2 years ago
Sebastien Bourdeauducq 429cbb0c8d add garywan user 2 years ago
Sebastien Bourdeauducq 964e7cfe99 nixops: disable ca-derivations
https://github.com/NixOS/nixpkgs/issues/174900
2 years ago
Sebastien Bourdeauducq a93565d9cc nixops: add wongwaiki user 2 years ago
Sebastien Bourdeauducq f5b533d2d5 nixops: install guake 2 years ago
Sebastien Bourdeauducq 3003183e25 nixops: use artiq flake for openocd 2 years ago
Sebastien Bourdeauducq 75987781f5 nixops: nixos 22.05 (WIP) 2 years ago
Sebastien Bourdeauducq 5f1ff14380 afws_module: fix nix command 2 years ago
Sebastien Bourdeauducq 5354daf585 nixbld: NixOS 22.05 2 years ago
Sebastien Bourdeauducq cb75072f15 nixbld: add kk105 2 years ago
Sebastien Bourdeauducq 84a22c0232 nixops: create kk105 account 2 years ago
Sebastien Bourdeauducq b2a2cdb963 nixops: adjust groups 2 years ago
Sebastien Bourdeauducq 708582f2f7 hera: remove libvirt bridge 2 years ago
Sebastien Bourdeauducq da3a82a52d nixbld: add spaqin 2 years ago
Sebastien Bourdeauducq aba22c34ca nixbld: add nkrackow 2 years ago
Sebastien Bourdeauducq 2f418aa01e remove user accounts 2 years ago
Sebastien Bourdeauducq a58a613418 nixbld: add .science tld 2 years ago
Sebastien Bourdeauducq 61c008ff43 nixbld: publish msys2 repos on web 2 years ago
Sebastien Bourdeauducq 7a14264be4 hydra: fix msys2 icon 2 years ago
Sebastien Bourdeauducq fd09cd0c00 nixops: add wylited account 2 years ago
Sebastien Bourdeauducq a8d28d2cbc hydra: add msys2 type 2 years ago
Sebastien Bourdeauducq e1e723ece5 nixbld: backup afws 2 years ago
Sebastien Bourdeauducq 28ca789aae nixbld: use flake output for beta conda channel 2 years ago
Sebastien Bourdeauducq 0c04f014d7 nixbld: use sipyco flake output for manual 2 years ago
Sebastien Bourdeauducq d4c36b8cfd nixbld: use ARTIQ flake output for manual 2 years ago
Sebastien Bourdeauducq 0b8aa97192 nixbld: run AFWS server 2 years ago
Sebastien Bourdeauducq 322d267caf hydra: update evalSettings.allowedUris 2 years ago
Sebastien Bourdeauducq a270418cfc nixbld: exclude new gitea archive location from backups 2 years ago
Sebastien Bourdeauducq c1fc3575b2 welcome back topquark12 2 years ago
Sebastien Bourdeauducq 38438ef25a add therobs12 to libvirtd 2 years ago
Sebastien Bourdeauducq c19dac833d update tom's key 2 years ago
Sebastien Bourdeauducq 2b1f416d90 nixops: newer kernel for NUC 2 years ago
Sebastien Bourdeauducq 995f8897a4 nixbld: work around hidden hydra sudo dependency 2 years ago
Sebastien Bourdeauducq 8e20a3df6e nixbld: update gitea templates 2 years ago
Sebastien Bourdeauducq e01a0c6802 nixops: fix spice-client-glib-usb-acl-helper 2 years ago
Sebastien Bourdeauducq 910506d3e4 nixbld: enable fail2ban 2 years ago
Sebastien Bourdeauducq ec7e9209f5 nixbld: improve root account security 2 years ago
Sebastien Bourdeauducq f8f816f723 nixops: remove harry account 2 years ago
Sebastien Bourdeauducq 9984369a50 nixops: upgrade hitl key to ssh-ed25519 (2) 2 years ago
Sebastien Bourdeauducq a2b6f63b34 nixops: upgrade hitl key to ssh-ed25519 2 years ago
Sebastien Bourdeauducq b70908f864 nixbld: restrict maxJobs again to avoid Vivado OOM 2 years ago
Sebastien Bourdeauducq 9013af9e92 nixops: use kernel 5.14 for nuc 2 years ago
Sebastien Bourdeauducq d46fde5bf2 nixops: nixos 21.11 WIP 2 years ago
Sebastien Bourdeauducq 5e8606a74e nixops: fix old-nixbld graphics driver 2 years ago
Sebastien Bourdeauducq a0cb49b59d nixbld: nixos 21.11 2 years ago
Sebastien Bourdeauducq 628e5fb9d7 nixbld: cleanup buildMachines 2 years ago
Sebastien Bourdeauducq e8527e496b nixbld: include rt in backups 2 years ago
Sebastien Bourdeauducq c5c22da2ba nixbld: update nixops 2 years ago
Sebastien Bourdeauducq 8114dcfb6d nixbld: remove memtest86 2 years ago
Sebastien Bourdeauducq 29830b0ae9 nixbld: more frequent backups 2 years ago
Sebastien Bourdeauducq 3e2061c47b nixbld: fix rt group 2 years ago
Sebastien Bourdeauducq f5ff63b74b nixbld: remove hkadmin 2 years ago
Sebastien Bourdeauducq ae6915ab44 nixbld: fix RT startup 2 years ago
Sebastien Bourdeauducq 813b4831c6 nixbld: cleanup 2 years ago
Sebastien Bourdeauducq c75cf3456b nixbld: improve backup
include Mattermost attachments
stop using expensive and insecure dropbox
2 years ago
Sebastien Bourdeauducq f8a30b55a8 nixops: update user shell 2 years ago
Sebastien Bourdeauducq 7342601788 nixbld: add occheung user 2 years ago
Sebastien Bourdeauducq 8ff694ca8d nixops: fix system.stateVersion 2 years ago
Sebastien Bourdeauducq f56cc392d7 nixops: install joplin 2 years ago
Harry Ho bcc5502ec6 rt: prevent text attachments from appearing inline on web interface 2 years ago

@ -0,0 +1,48 @@
{ config, pkgs, lib, ... }:
with lib;
let
afws = pkgs.callPackage ./afws { inherit pkgs; };
in
{
options.services.afws = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable AFWS server";
};
};
config = mkIf config.services.afws.enable {
systemd.services.afws = {
description = "AFWS server";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "afws";
Group = "afws";
ExecStart = "${afws}/bin/afws_server";
ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
};
path = [ pkgs.nix pkgs.git ];
};
security.acme.certs."afws.m-labs.hk".postRun =
''
mkdir -p /var/lib/afws/cert
cp cert.pem /var/lib/afws/cert
cp key.pem /var/lib/afws/cert
chown -R afws:afws /var/lib/afws/cert
'';
security.acme.certs."afws.m-labs.hk".reloadServices = [ "afws.service" ];
users.users.afws = {
name = "afws";
group = "afws";
description = "AFWS server user";
isSystemUser = true;
createHome = false;
home = "/var/lib/afws";
useDefaultShell = true;
};
users.extraGroups.afws = {};
};
}

@ -1,6 +1,17 @@
{ config, pkgs, lib, ... }:
with lib;
let
excludePaths = [
"/var/lib/gitea/repositories/*/*.git/archives"
"/var/lib/gitea/data/repo-archive"
"/var/lib/gitea/data/indexers"
"/var/vmail/m-labs.hk/js"
"/var/lib/afws/.cache"
"/var/lib/mattermost/data/2019*"
"/var/lib/mattermost/data/2020*"
"/var/lib/mattermost/data/2021*"
"/var/lib/mattermost/data/2022*"
];
makeBackup = pkgs.writeScript "make-backup" ''
#!${pkgs.bash}/bin/bash
@ -12,17 +23,19 @@ let
DBDUMPDIR=`mktemp -d`
pushd $DBDUMPDIR
${config.services.mysql.package}/bin/mysqldump --single-transaction flarum > flarum.sql
${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
${pkgs.sudo}/bin/sudo -u mattermost ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
${pkgs.sudo}/bin/sudo -u rt ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
${pkgs.gnutar}/bin/tar cf - --exclude "/var/lib/gitea/repositories/*/*.git/archives" /etc/nixos /var/lib/gitea flarum.sql mattermost.sql | \
${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \
${pkgs.bzip2}/bin/bzip2 | \
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-file /etc/nixos/secret/backup-passphrase | \
${pkgs.rclone}/bin/rclone rcat --config /etc/nixos/secret/rclone.conf dropbox:$FILENAME
${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-file /etc/nixos/secret/backup-passphrase > /home/backupdl/$FILENAME
popd
rm -rf $DBDUMPDIR
chown backupdl.users /home/backupdl/$FILENAME
echo Backup done
'';
cfg = config.services.mlabs-backup;
@ -50,7 +63,7 @@ in
systemd.timers.mlabs-backup = {
description = "M-Labs backup";
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "weekly";
timerConfig.OnCalendar = "tuesday,friday *-*-* 08:00:00";
};
};
}

File diff suppressed because it is too large Load Diff

@ -3,7 +3,7 @@
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column">
<div>
<img class="logo" width="220" height="220" src="{{StaticUrlPrefix}}/img/logo.svg"/>
<img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg"/>
</div>
<div class="hero">
<h1 class="ui icon header title">

@ -2,9 +2,9 @@
<div class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
{{template "user/auth/signin_navbar" .}}
<div class="ui middle very relaxed page grid">
<div class="ui container column">
<div class="ui container column fluid">
{{template "user/auth/signin_inner" .}}
To get an account (also available to external contributors), simply write to sb@m-***s.hk.
To get an account (also available to external contributors), simply write to sb@m-***s.hk.
</div>
</div>
</div>

@ -6,7 +6,7 @@ index 934bf42e..48f2d248 100644
to the environment. */
evalSettings.restrictEval = true;
+ evalSettings.allowedUris = {"https://github.com/m-labs/misoc.git"};
+ evalSettings.allowedUris = {"https://github.com/m-labs/", "https://git.m-labs.hk/m-labs/", "https://gitlab.com/duke-artiq/"};
+
/* When building a flake, use pure evaluation (no access to
'getEnv', 'currentSystem' etc. */

@ -0,0 +1,122 @@
diff --git a/src/root/product-list.tt b/src/root/product-list.tt
index 4d545b3e..6049c2a6 100644
--- a/src/root/product-list.tt
+++ b/src/root/product-list.tt
@@ -162,6 +162,11 @@
<img src="[% c.uri_for("/static/images/iso.png") %]" alt="ISO" />
</td>
<td>ISO-9660 CD/DVD image</td>
+ [% CASE "msys2" %]
+ <td>
+ <img src="[% c.uri_for("/static/images/msys2.svg") %]" alt="MSYS2" width="32" height="32" />
+ </td>
+ <td>MSYS2 package</td>
[% CASE "binary-dist" %]
<td>
<img src="[% c.uri_for("/static/images/binary-dist.png") %]" alt="Binary distribution" />
diff --git a/src/root/static/images/msys2.svg b/src/root/static/images/msys2.svg
new file mode 100644
index 00000000..46baff50
--- /dev/null
+++ b/src/root/static/images/msys2.svg
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+ width="36.777081mm"
+ height="36.777081mm"
+ viewBox="0 0 36.77708 36.777081"
+ version="1.1"
+ id="svg8"
+ inkscape:version="1.1.1 (3bf5ae0d25, 2021-09-20)"
+ sodipodi:docname="msys2_logo.svg"
+ xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+ xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+ xmlns="http://www.w3.org/2000/svg"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:dc="http://purl.org/dc/elements/1.1/">
+ <defs
+ id="defs2" />
+ <sodipodi:namedview
+ id="base"
+ pagecolor="#ffffff"
+ bordercolor="#666666"
+ borderopacity="1.0"
+ inkscape:pageopacity="0.0"
+ inkscape:pageshadow="2"
+ inkscape:zoom="3.959798"
+ inkscape:cx="121.34457"
+ inkscape:cy="27.274119"
+ inkscape:document-units="mm"
+ inkscape:current-layer="layer1"
+ showgrid="false"
+ fit-margin-top="0"
+ fit-margin-left="0"
+ fit-margin-right="0"
+ fit-margin-bottom="0"
+ inkscape:window-width="2560"
+ inkscape:window-height="1371"
+ inkscape:window-x="0"
+ inkscape:window-y="32"
+ inkscape:window-maximized="1"
+ inkscape:pagecheckerboard="true" />
+ <metadata
+ id="metadata5">
+ <rdf:RDF>
+ <cc:Work
+ rdf:about="">
+ <dc:format>image/svg+xml</dc:format>
+ <dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+ </cc:Work>
+ </rdf:RDF>
+ </metadata>
+ <g
+ inkscape:label="Layer 1"
+ inkscape:groupmode="layer"
+ id="layer1"
+ transform="translate(-122.70998,-169.48973)">
+ <rect
+ style="fill:#894c84;fill-opacity:1;stroke-width:0"
+ id="rect946"
+ width="36.777081"
+ height="36.777081"
+ x="122.70998"
+ y="169.48973" />
+ <path
+ style="fill:#d35e64;fill-opacity:1;stroke-width:0.133635"
+ d="m 142.72948,201.89184 c -0.32408,-0.25492 -0.35455,-0.35395 -0.3187,-1.03567 l 0.0396,-0.75379 h 0.45908 c 0.44506,0 0.45934,0.0163 0.46772,0.53453 l 0.009,0.53454 0.70308,0.0405 c 0.53885,0.031 0.7217,-0.008 0.78281,-0.16735 0.15971,-0.41619 -0.10726,-0.89779 -0.98636,-1.77935 -0.49365,-0.49504 -1.03351,-1.07713 -1.19967,-1.29353 -0.38599,-0.50269 -0.40844,-1.38334 -0.0467,-1.83013 0.23417,-0.28918 0.35554,-0.31548 1.45595,-0.31548 1.36938,0 1.67817,0.15986 1.80376,0.93383 0.11523,0.71006 -0.0673,1.20433 -0.44479,1.20433 -0.26632,0 -0.34178,-0.0979 -0.46372,-0.60136 -0.13305,-0.54937 -0.1843,-0.60509 -0.59283,-0.64461 -0.24596,-0.0238 -0.58921,-0.008 -0.76279,0.036 -0.59536,0.14942 -0.37642,0.57816 0.95393,1.86806 l 1.26953,1.23092 v 0.90178 c 0,1.37811 -0.0436,1.41874 -1.52348,1.41874 -1.06598,0 -1.29877,-0.0409 -1.60514,-0.28187 z"
+ id="path3828"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#d35e64;fill-opacity:1;stroke-width:0.133635"
+ d="m 148.05027,204.08841 c 0.0471,-0.28134 0.11947,-1.05275 0.16076,-1.71424 0.0703,-1.12643 0.0353,-1.35529 -0.55133,-3.60814 -0.34453,-1.32299 -0.6573,-2.54073 -0.69504,-2.70611 -0.0594,-0.26014 -0.0147,-0.30067 0.33149,-0.30067 0.22006,0 0.46737,0.081 0.54957,0.18007 0.0822,0.099 0.30254,0.86578 0.48964,1.70385 0.41743,1.86975 0.45345,1.99148 0.58914,1.99148 0.15912,0 0.35622,-0.563 0.74822,-2.13717 0.38958,-1.56447 0.48518,-1.73823 0.9564,-1.73823 0.39274,0 0.46132,-0.43504 -0.70121,4.4477 -0.46869,1.96849 -0.93011,3.74249 -1.02539,3.94223 -0.11781,0.24694 -0.29559,0.37716 -0.55559,0.40696 -0.37406,0.0429 -0.38048,0.0327 -0.29666,-0.46773 z"
+ id="path3830"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#d35e64;fill-opacity:1;stroke-width:0.133635"
+ d="m 155.37958,199.87478 -0.001,1.04324 c 0,0 0.0415,0.99571 -0.10812,1.13694 -0.15218,0.14363 -0.72994,0.11875 -1.5324,0.11875 -1.39413,0 -1.4684,-0.0143 -1.66996,-0.32193 -0.14282,-0.21797 -0.19775,-0.55241 -0.17012,-1.03567 0.0397,-0.69411 0.0518,-0.71373 0.43989,-0.71373 0.2965,0 0.40947,0.0687 0.43951,0.26726 0.13121,0.86712 0.13264,0.86863 0.81803,0.86863 1.33065,0 1.18669,-0.7429 -0.41998,-2.16732 -0.98712,-0.87515 -1.3045,-1.34704 -1.30163,-1.93531 0.005,-1.02426 0.44219,-1.37639 1.70885,-1.37639 1.4449,0 1.89746,0.36739 1.89746,1.54037 0,0.85 -0.80733,1.01376 -0.94108,0.1909 -0.113,-0.69515 -0.21979,-0.79583 -0.84414,-0.79583 -0.59087,0 -0.88668,0.17572 -0.88861,0.52786 -5.3e-4,0.11392 0.5857,0.76291 1.30294,1.44221"
+ id="path3832"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="ccssccscsccsssscc" />
+ <path
+ inkscape:connector-curvature="0"
+ id="path3826"
+ d="m 125.15872,195.23965 c -0.30592,-0.19939 -0.0836,-0.86189 0.8607,-2.56497 1.58255,-2.85415 5.22198,-10.62008 6.75854,-14.42159 0.91204,-2.25643 0.98557,-2.83541 0.41825,-3.29345 -0.30201,-0.24384 -0.34148,-0.33999 -0.22153,-0.53956 0.44174,-0.73497 2.98816,-1.05046 4.06353,-0.50346 1.1982,0.60947 1.74884,2.08184 2.47139,6.60826 0.57628,3.61017 1.00176,6.0369 1.0809,6.16495 0.21334,0.34519 0.63685,-0.49885 2.24466,-4.47355 2.25297,-5.56961 3.24559,-7.35862 4.41748,-7.9617 0.51912,-0.26714 0.89922,-0.34492 1.8995,-0.38866 1.60332,-0.0701 1.6509,-0.0327 1.64898,1.29653 -0.002,1.7237 -0.0807,1.96599 -0.76359,2.3662 -1.27599,0.74779 -2.16809,2.00702 -2.17,3.06305 -0.003,1.44987 1.07869,1.89961 2.0727,0.86208 0.20781,-0.2169 0.42671,-0.39436 0.48646,-0.39436 0.0597,0 0.10898,0.55626 0.10941,1.23612 5.2e-4,0.67987 0.0579,1.58514 0.12779,2.01171 0.14392,0.87871 0.16421,0.83597 -1.8354,3.86646 -1.11067,1.68327 -1.20806,1.92146 -0.90836,2.22164 0.18169,0.18198 0.60193,0.22609 2.48831,0.26119 l 2.26971,0.0422 0.55893,0.7403 c 0.68294,0.90455 0.72637,1.39945 0.1851,2.10909 -0.49391,0.64756 -1.48498,1.35585 -2.16303,1.54588 -0.98995,0.27744 -2.22523,-0.26803 -3.29926,-1.45686 -1.37797,-1.52525 -1.99486,-3.94203 -2.17991,-8.54021 -0.0642,-1.59436 -0.13883,-2.29481 -0.24099,-2.26075 -0.0814,0.0271 -0.99576,2.00431 -2.03189,4.39371 -3.28691,7.57995 -3.68415,8.28612 -4.54018,8.07127 -0.53578,-0.13448 -1.34919,-1.06203 -1.9102,-2.17825 -1.10951,-2.20757 -1.73511,-5.05031 -2.03723,-9.25721 -0.0871,-1.21273 -0.20858,-2.26094 -0.26996,-2.32935 -0.13588,-0.15144 -0.58442,0.82294 -2.08397,4.52711 -2.01481,4.97699 -2.79643,6.54288 -3.82036,7.65371 -0.87044,0.94432 -3.13721,1.88044 -3.68648,1.52243 z"
+ style="fill:#f9f9f9;stroke-width:0.133635" />
+ <g
+ id="g957"
+ transform="translate(36.843901,36.777081)"
+ style="fill:#999999">
+ <path
+ style="fill:#999999;fill-opacity:1;stroke-width:0.264583"
+ d="m 118.48002,154.38963 c -0.21263,-0.77937 -0.60053,-0.53763 -3.77862,-0.53763 -4.23812,0 -4.51001,0.21718 -2.65413,-2.44723 2.45703,-3.52744 3.4906,-5.92399 2.80851,-6.96499 -0.4719,-0.72022 -1.01247,-0.62449 -1.92709,0.34127 -0.84859,0.89603 -1.86894,0.41779 -1.86894,-0.95587 0,-2.01205 2.80561,-3.99992 5.38938,-3.9922 1.61399,0.005 2.43642,0.4039 3.21581,1.56044 1.12027,1.66236 0.73145,3.8557 -1.134,6.39695 -1.54383,2.10311 -0.73385,3.61259 0.95572,1.78109 1.46292,-1.68793 1.55952,0.86073 1.49098,1.70283 -0.2309,2.69619 -2.07701,4.65709 -2.49762,3.11534 z"
+ id="path961"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="sscccscccccs" />
+ </g>
+ </g>
+</svg>

@ -0,0 +1,27 @@
$TTL 7200
@ SOA ns1.193thz.com. sb.m-labs.hk. (
2023110901
7200
3600
86400
600)
NS ns.193thz.com.
NS ns1.he.net.
A 94.190.212.123
AAAA 2001:470:18:390::2
MX 10 mail.m-labs.hk.
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
TXT "google-site-verification=5eIjLyhM_siRg5Fc2Z3AMSbheH0JFOn5iR3TCEXakqU"
CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
ns A 94.190.212.123
mail._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9T0cONxGXeyETE0bJ6NJVGT58fVFrfb+WxQhMskCN/mJhODyDTkRCjzE8ZnKhZGjkFZNG+PoSZlW+kpSS1LvMwzQpMRaH4zAzIexffR0l7rJR1MuQiVMsfGWpO2SLEuN74L2qH8SUBHZjrRpeSaFxwQm+prIOzZe5wTZStt/6qQIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
www CNAME @

@ -0,0 +1,18 @@
$TTL 7200
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
2023092801
7200
3600
86400
600)
NS NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
NS ns1.he.net.
200 PTR router.alt.m-labs.hk.
201 PTR stewardship1.alt.m-labs.hk.
202 PTR stewardship2.alt.m-labs.hk.
203 PTR atse.alt.m-labs.hk.
204 PTR nasty-gareth.alt.m-labs.hk.

@ -0,0 +1,59 @@
$TTL 7200
@ SOA NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
2023092801
7200
3600
86400
600)
NS NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
NS ns1.qnetp.net.
NS ns1.he.net.
A 94.190.212.123
AAAA 2001:470:18:390::2
MX 10 mail.m-labs.hk.
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
TXT "google-site-verification=Tf_TEGZLG7-2BE70hMjLnzjDZ1qUeUZ6vxzbl1sagT8"
mail A 94.190.212.123
mail AAAA 2001:470:18:390::2
mail._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl38A/Z0IInVU157qzrWgMfYm2iDHoWZsTyiiOoZdT7kHMzS/M2OMXMt7r5g1/7pCPClsGUDJvKGqVMmjJuPleMyKHwpGeT92qDNEFpt6ahneap/oYx5eBYM/vGcgmleNxyIoBHsptaZvqD4vCEFaC22f8UL5QAgQD3wCH3FwlpQIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
lab CNAME @
www CNAME @
nixbld CNAME @
msys2 CNAME @
conda CNAME @
afws CNAME @
git CNAME @
chat CNAME @
hooks CNAME @
forum CNAME @
perso CNAME @
rt CNAME @
files CNAME @
docs CNAME @
rpi-1 AAAA 2001:470:f891:1:dea6:32ff:fe8a:6a93
rpi-2 AAAA 2001:470:f891:1:ba27:ebff:fef0:e9e6
rpi-4 AAAA 2001:470:f891:1:dea6:32ff:fe14:fce9
chiron AAAA 2001:470:f891:1:7f02:9ebf:bee9:3dc7
old-nixbld AAAA 2001:470:f891:1:a07b:f49a:a4ef:aad9
zeus AAAA 2001:470:f891:1:4fd7:e70a:68bf:e9c1
franz AAAA 2001:470:f891:1:1b65:a743:2335:f5c6
hera AAAA 2001:470:f891:1:8b5e:404d:ef4e:9d92
hestia AAAA 2001:470:f891:1:881c:f409:a090:8401
vulcan AAAA 2001:470:f891:1:105d:3f15:bd53:c5ac
aux A 42.200.147.171
router.alt A 103.206.98.200
stewardship1.alt A 103.206.98.201
stewardship2.alt A 103.206.98.202
atse.alt A 103.206.98.203
nasty-gareth.alt A 103.206.98.204

@ -0,0 +1,26 @@
$TTL 7200
@ SOA ns1.m-labs.ph. sb.m-labs.hk. (
2023090301
7200
3600
86400
600)
NS ns1.m-labs.ph.
NS ns1.he.net.
A 94.190.212.123
AAAA 2001:470:18:390::2
MX 10 mail.m-labs.hk.
TXT "v=spf1 mx a:router.alt.m-labs.hk -all"
TXT "google-site-verification=g2k8M1fhbYOPs4C37SeGCfNlD6paWcexamji1DXrp0o"
ns1 A 94.190.212.123
ns1 AAAA 2001:470:18:390::2
mail._domainkey TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPUlkoA4Gucsin6P5LSohSOpPbpOELkbKDz9MmB4Zzj4QdcQNtMzU3Uis8WZwVXknQ/6URoDdTa4aR8+PwMi5fjKpLM8ZAnnHJHYebZPDRq6lQo3VGdaCu9NhdjYwFhvK9VRyhwI9i7DUptdLsu/OzbgTlCdWQTOr+MFEkYwmxLQIDAQAB"
_dmarc TXT "v=DMARC1; p=none"
www CNAME @

@ -0,0 +1,80 @@
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 61ee5d7aa..f38684973 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -176,6 +176,8 @@ void LocalDerivationGoal::tryLocalBuild() {
return;
}
+ networked = parsedDrv->getBoolAttr("__networked");
+
/* Are we doing a chroot build? */
{
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
@@ -193,7 +195,7 @@ void LocalDerivationGoal::tryLocalBuild() {
else if (settings.sandboxMode == smDisabled)
useChroot = false;
else if (settings.sandboxMode == smRelaxed)
- useChroot = derivationType.isSandboxed() && !noChroot;
+ useChroot = !networked && derivationType.isSandboxed() && !noChroot;
}
auto & localStore = getLocalStore();
@@ -677,7 +679,7 @@ void LocalDerivationGoal::startBuilder()
"nogroup:x:65534:\n", sandboxGid()));
/* Create /etc/hosts with localhost entry. */
- if (derivationType.isSandboxed())
+ if (!networked && derivationType.isSandboxed())
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
/* Make the closure of the inputs available in the chroot,
@@ -884,7 +886,7 @@ void LocalDerivationGoal::startBuilder()
us.
*/
- if (derivationType.isSandboxed())
+ if (!networked && derivationType.isSandboxed())
privateNetwork = true;
userNamespaceSync.create();
@@ -1179,7 +1181,7 @@ void LocalDerivationGoal::initEnv()
to the builder is generally impure, but the output of
fixed-output derivations is by definition pure (since we
already know the cryptographic hash of the output). */
- if (!derivationType.isSandboxed()) {
+ if (networked || !derivationType.isSandboxed()) {
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
env[i] = getEnv(i).value_or("");
}
@@ -1811,7 +1813,7 @@ void LocalDerivationGoal::runChild()
/* Fixed-output derivations typically need to access the
network, so give them access to /etc/resolv.conf and so
on. */
- if (!derivationType.isSandboxed()) {
+ if (networked || !derivationType.isSandboxed()) {
// Only use nss functions to resolve hosts and
// services. Dont use it for anything else that may
// be configured for this system. This limits the
@@ -2059,7 +2061,7 @@ void LocalDerivationGoal::runChild()
#include "sandbox-defaults.sb"
;
- if (!derivationType.isSandboxed())
+ if (networked || !derivationType.isSandboxed())
sandboxProfile +=
#include "sandbox-network.sb"
;
diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
index 34c4e9187..c4c26fd6f 100644
--- a/src/libstore/build/local-derivation-goal.hh
+++ b/src/libstore/build/local-derivation-goal.hh
@@ -44,6 +44,8 @@ struct LocalDerivationGoal : public DerivationGoal
Path chrootRootDir;
+ bool networked;
+
/* RAII object to delete the chroot directory. */
std::shared_ptr<AutoDelete> autoDelChroot;

@ -1,82 +0,0 @@
diff -Naur /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.cc nix3/src/libstore/build/local-derivation-goal.cc
--- /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.cc 1970-01-01 08:00:01.000000000 +0800
+++ nix3/src/libstore/build/local-derivation-goal.cc 2021-04-24 16:29:52.493166702 +0800
@@ -395,6 +395,8 @@
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
#endif
+ networked = parsedDrv->getBoolAttr("__networked");
+
/* Are we doing a chroot build? */
{
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
@@ -412,7 +414,7 @@
else if (settings.sandboxMode == smDisabled)
useChroot = false;
else if (settings.sandboxMode == smRelaxed)
- useChroot = !(derivationIsImpure(derivationType)) && !noChroot;
+ useChroot = !allowNetwork() && !(derivationIsImpure(derivationType)) && !noChroot;
}
auto & localStore = getLocalStore();
@@ -623,7 +625,7 @@
"nogroup:x:65534:\n", sandboxGid()));
/* Create /etc/hosts with localhost entry. */
- if (!(derivationIsImpure(derivationType)))
+ if (!allowNetwork() && !(derivationIsImpure(derivationType)))
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
/* Make the closure of the inputs available in the chroot,
@@ -810,7 +812,7 @@
us.
*/
- if (!(derivationIsImpure(derivationType)))
+ if (!allowNetwork() && !(derivationIsImpure(derivationType)))
privateNetwork = true;
userNamespaceSync.create();
@@ -1066,7 +1068,7 @@
to the builder is generally impure, but the output of
fixed-output derivations is by definition pure (since we
already know the cryptographic hash of the output). */
- if (derivationIsImpure(derivationType)) {
+ if (allowNetwork() || derivationIsImpure(derivationType)) {
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
env[i] = getEnv(i).value_or("");
}
@@ -1702,7 +1704,7 @@
/* Fixed-output derivations typically need to access the
network, so give them access to /etc/resolv.conf and so
on. */
- if (derivationIsImpure(derivationType)) {
+ if (allowNetwork() || derivationIsImpure(derivationType)) {
// Only use nss functions to resolve hosts and
// services. Dont use it for anything else that may
// be configured for this system. This limits the
@@ -1943,7 +1945,7 @@
sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
- if (derivationIsImpure(derivationType))
+ if (allowNetwork() || derivationIsImpure(derivationType))
sandboxProfile += "(import \"sandbox-network.sb\")\n";
/* Add the output paths we'll use at build-time to the chroot */
diff -Naur /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.hh nix3/src/libstore/build/local-derivation-goal.hh
--- /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.hh 1970-01-01 08:00:01.000000000 +0800
+++ nix3/src/libstore/build/local-derivation-goal.hh 2021-04-24 16:35:23.060968488 +0800
@@ -40,6 +40,12 @@
Path chrootRootDir;
+ bool networked;
+ bool allowNetwork()
+ {
+ return derivationIsFixed(drv->type()) || networked;
+ }
+
/* RAII object to delete the chroot directory. */
std::shared_ptr<AutoDelete> autoDelChroot;

@ -1,83 +0,0 @@
diff -Naur nix-2.3.10.orig/src/libstore/build.cc nix-2.3.10/src/libstore/build.cc
--- nix-2.3.10.orig/src/libstore/build.cc 1970-01-01 08:00:01.000000000 +0800
+++ nix-2.3.10/src/libstore/build.cc 2021-04-24 16:17:08.778875340 +0800
@@ -840,9 +840,16 @@
/* Whether this is a fixed-output derivation. */
bool fixedOutput;
+ bool networked;
+
/* Whether to run the build in a private network namespace. */
bool privateNetwork = false;
+ bool allowNetwork()
+ {
+ return fixedOutput || networked;
+ }
+
typedef void (DerivationGoal::*GoalState)();
GoalState state;
@@ -1181,6 +1188,8 @@
{
trace("have derivation");
+ fixedOutput = drv->isFixedOutput();
+
retrySubstitution = false;
for (auto & i : drv->outputs)
@@ -1197,6 +1206,8 @@
parsedDrv = std::make_unique<ParsedDerivation>(drvPath, *drv);
+ networked = parsedDrv->getBoolAttr("__networked");
+
/* We are first going to try to create the invalid output paths
through substitutes. If that doesn't work, we'll build
them. */
@@ -1932,7 +1943,7 @@
else if (settings.sandboxMode == smDisabled)
useChroot = false;
else if (settings.sandboxMode == smRelaxed)
- useChroot = !fixedOutput && !noChroot;
+ useChroot = !allowNetwork() && !noChroot;
}
if (worker.store.storeDir != worker.store.realStoreDir) {
@@ -2109,7 +2120,7 @@
"nogroup:x:65534:\n") % sandboxGid).str());
/* Create /etc/hosts with localhost entry. */
- if (!fixedOutput)
+ if (!allowNetwork())
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
/* Make the closure of the inputs available in the chroot,
@@ -2323,7 +2334,7 @@
us.
*/
- if (!fixedOutput)
+ if (!allowNetwork())
privateNetwork = true;
userNamespaceSync.create();
@@ -2534,7 +2545,7 @@
to the builder is generally impure, but the output of
fixed-output derivations is by definition pure (since we
already know the cryptographic hash of the output). */
- if (fixedOutput) {
+ if (allowNetwork()) {
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
env[i] = getEnv(i);
}
@@ -2823,7 +2834,7 @@
/* Fixed-output derivations typically need to access the
network, so give them access to /etc/resolv.conf and so
on. */
- if (fixedOutput) {
+ if (allowNetwork()) {
ss.push_back("/etc/resolv.conf");
// Only use nss functions to resolve hosts and

@ -14,6 +14,13 @@ from werkzeug.middleware.proxy_fix import ProxyFix
load_dotenv()
mail_password_file = getenv("FLASK_MAIL_PASSWORD_FILE")
if mail_password_file is not None:
with open(mail_password_file, "r") as f:
mail_password = f.read().strip()
else:
mail_password = None
app = Flask(__name__)
app.config.update(
DEBUG=getenv("FLASK_DEBUG") == "True",
@ -22,7 +29,7 @@ app.config.update(
MAIL_USE_SSL=getenv("FLASK_MAIL_USE_SSL"),
MAIL_DEBUG=False,
MAIL_USERNAME=getenv("FLASK_MAIL_USERNAME"),
MAIL_PASSWORD=getenv("FLASK_MAIL_PASSWORD"),
MAIL_PASSWORD=mail_password,
MAIL_RECIPIENT=getenv("FLASK_MAIL_RECIPIENT"),
MAIL_SENDER=getenv("FLASK_MAIL_SENDER")
)

@ -7,13 +7,13 @@ in {
pythonPackages = self: [ pkg ];
module = "rfq:app";
env = [
"FLASK_MAIL_SERVER=ssl.serverraum.org"
"FLASK_MAIL_SERVER=mail.m-labs.hk"
"FLASK_MAIL_PORT=465"
"FLASK_MAIL_USE_SSL=True"
"FLASK_MAIL_USERNAME=sales@m-labs.hk"
"FLASK_MAIL_PASSWORD=${import /etc/nixos/secret/sales_password.nix}"
"FLASK_MAIL_USERNAME=sysop@m-labs.hk"
"FLASK_MAIL_PASSWORD_FILE=/etc/nixos/secret/rfqpassword"
"FLASK_MAIL_RECIPIENT=sales@m-labs.hk"
"FLASK_MAIL_SENDER=sales@m-labs.hk"
"FLASK_MAIL_SENDER=sysop@m-labs.hk"
];
socket = "${config.services.uwsgi.runDir}/uwsgi-rfq.sock";
# allow access from nginx

@ -93,6 +93,7 @@ let
# Web Interface (Transaction display)
Set($MaxInlineBody, 0);
Set($SuppressInlineTextFiles, 1);
# Web Interface (Administrative interface)
Set($ShowRTPortal, 0);
@ -271,6 +272,7 @@ in {
LogsDirectory = "rt/";
};
after = [ "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
};
}
@ -298,6 +300,7 @@ in {
users.users.rt = {
isSystemUser = true;
group = "rt";
};
users.groups.rt = {};

@ -7,7 +7,5 @@
-rw------- 1 uwsgi uwsgi mattermost-github-integration.py
-rw------- 1 nginx nginx muninpasswd
-rw-rw---- 1 hydra hydra nixbld.m-labs.hk-1
-rw-rw---- 1 hydra hydra nix_id_rsa
-rw------- 1 root root rclone.conf
-rw------- 1 root root wifi_password.nix
-rw------- 1 sb users wifi_ext_password.nix

@ -1,27 +0,0 @@
{ lib, stdenv, fetchFromGitHub, makeWrapper }:
stdenv.mkDerivation rec {
pname = "any-nix-shell";
version = "1.2.1";
src = fetchFromGitHub {
owner = "haslersn";
repo = "any-nix-shell";
rev = "v${version}";
sha256 = "0q27rhjhh7k0qgcdcfm8ly5za6wm4rckh633d0sjz87faffkp90k";
};
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
mkdir -p $out/bin
cp -r bin $out
wrapProgram $out/bin/any-nix-shell --prefix PATH ":" $out/bin
'';
meta = with lib; {
description = "fish and zsh support for nix-shell";
license = licenses.mit;
homepage = "https://github.com/haslersn/any-nix-shell";
maintainers = with maintainers; [ haslersn ];
};
}

@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
with lib;
let
avscan = pkgs.writeScript "avscan" ''
#!${pkgs.bash}/bin/bash
for user in $(cut -d":" -f1 /etc/passwd); do
if [ -d "/home/$user" ]; then
nice -15 ${pkgs.sudo}/bin/sudo -u $user ${pkgs.clamav}/bin/clamscan --recursive --quiet --infected /home/$user
fi
done
'';
cfg = config.services.avscan;
in
{
options.services.avscan = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable antivirus scan";
};
};
config = mkIf cfg.enable {
services.clamav.updater.enable = true;
services.clamav.updater.interval = "daily";
services.clamav.updater.frequency = 1;
systemd.services.avscan = {
description = "Antivirus scan";
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
ExecStart = "${avscan}";
};
};
systemd.timers.avscan = {
description = "Antivirus scan";
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "Mon *-*-* 13:00:00";
};
};
}