add alternate USB ID for LibreVNA

PCCW's static.imsbiz.com is wonky and not always available for all IPs, so stop using it.

nixbld-etc-nixos/afws-module.nix

@@ -0,0 +1,48 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  afws = pkgs.callPackage ./afws { inherit pkgs; };
+in
+{
+  options.services.afws = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable AFWS server";
+    };
+  };
+
+  config = mkIf config.services.afws.enable {
+    systemd.services.afws = {
+      description = "AFWS server";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        User = "afws";
+        Group = "afws";
+        ExecStart = "${afws}/bin/afws_server";
+        ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
+      };
+      path = [ pkgs.nix pkgs.git ];
+    };
+
+    security.acme.certs."afws.m-labs.hk".postRun =
+      ''
+      mkdir -p /var/lib/afws/cert
+      cp cert.pem /var/lib/afws/cert
+      cp key.pem /var/lib/afws/cert
+      chown -R afws:afws /var/lib/afws/cert
+      '';
+    security.acme.certs."afws.m-labs.hk".reloadServices = [ "afws.service" ];
+
+    users.users.afws = {
+      name = "afws";
+      group = "afws";
+      description = "AFWS server user";
+      isSystemUser = true;
+      createHome = false;
+      home = "/var/lib/afws";
+      useDefaultShell = true;
+    };
+    users.extraGroups.afws = {};
+  };
+}

nixbld-etc-nixos/backup-module.nix

@@ -1,6 +1,17 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
+  excludePaths = [
+    "/var/lib/gitea/repositories/*/*.git/archives"
+    "/var/lib/gitea/data/repo-archive"
+    "/var/lib/gitea/data/indexers"
+    "/var/vmail/m-labs.hk/js"
+    "/var/lib/afws/.cache"
+    "/var/lib/mattermost/data/2019*"
+    "/var/lib/mattermost/data/2020*"
+    "/var/lib/mattermost/data/2021*"
+    "/var/lib/mattermost/data/2022*"
+  ];
   makeBackup = pkgs.writeScript "make-backup" ''
     #!${pkgs.bash}/bin/bash
 
@@ -12,17 +23,19 @@ let
     DBDUMPDIR=`mktemp -d`
     pushd $DBDUMPDIR
 
-    ${config.services.mysql.package}/bin/mysqldump --single-transaction flarum > flarum.sql
+    ${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
     ${pkgs.sudo}/bin/sudo -u mattermost ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
+    ${pkgs.sudo}/bin/sudo -u rt ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
 
-    ${pkgs.gnutar}/bin/tar cf - --exclude "/var/lib/gitea/repositories/*/*.git/archives" /etc/nixos /var/lib/gitea flarum.sql mattermost.sql | \
+    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \
         ${pkgs.bzip2}/bin/bzip2 | \
-        ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-file /etc/nixos/secret/backup-passphrase | \
-        ${pkgs.rclone}/bin/rclone rcat --config /etc/nixos/secret/rclone.conf dropbox:$FILENAME
+        ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-file /etc/nixos/secret/backup-passphrase > /home/backupdl/$FILENAME
 
     popd
     rm -rf $DBDUMPDIR
 
+    chown backupdl.users /home/backupdl/$FILENAME
+
     echo Backup done
   '';
   cfg = config.services.mlabs-backup;
@@ -50,7 +63,7 @@ in
     systemd.timers.mlabs-backup = {
       description = "M-Labs backup";
       wantedBy = [ "timers.target" ];
-      timerConfig.OnCalendar = "weekly";
+      timerConfig.OnCalendar = "tuesday,friday *-*-* 08:00:00";
     };
   };
 }

nixbld-etc-nixos/gitea-home.tmpl

@@ -3,7 +3,7 @@
 	<div class="ui stackable middle very relaxed page grid">
 		<div class="sixteen wide center aligned centered column">
 			<div>
-				<img class="logo" width="220" height="220" src="{{StaticUrlPrefix}}/img/logo.svg"/>
+				<img class="logo" width="220" height="220" src="{{AssetUrlPrefix}}/img/logo.svg"/>
 			</div>
 			<div class="hero">
 				<h1 class="ui icon header title">

nixbld-etc-nixos/gitea-signin.tmpl

@@ -2,9 +2,9 @@
 <div class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
 	{{template "user/auth/signin_navbar" .}}
 	<div class="ui middle very relaxed page grid">
-		<div class="ui container column">
+		<div class="ui container column fluid">
 			{{template "user/auth/signin_inner" .}}
-	        To get an account (also available to external contributors), simply write to sb@m-***s.hk.
+			To get an account (also available to external contributors), simply write to sb@m-***s.hk.
 		</div>
 	</div>
 </div>

nixbld-etc-nixos/hydra-hack-allowed-uris.patch

@@ -6,7 +6,7 @@ index 934bf42e..48f2d248 100644
             to the environment. */
          evalSettings.restrictEval = true;
  
-+        evalSettings.allowedUris = {"https://github.com/m-labs/misoc.git"};
++        evalSettings.allowedUris = {"https://github.com/m-labs/", "https://git.m-labs.hk/m-labs/", "https://gitlab.com/duke-artiq/"};
 +
          /* When building a flake, use pure evaluation (no access to
             'getEnv', 'currentSystem' etc. */

nixbld-etc-nixos/hydra-msys2.patch

@@ -0,0 +1,122 @@
+diff --git a/src/root/product-list.tt b/src/root/product-list.tt
+index 4d545b3e..6049c2a6 100644
+--- a/src/root/product-list.tt
++++ b/src/root/product-list.tt
+@@ -162,6 +162,11 @@
+             <img src="[% c.uri_for("/static/images/iso.png") %]" alt="ISO" />
+           </td>
+           <td>ISO-9660 CD/DVD image</td>
++        [% CASE "msys2" %]
++          <td>
++            <img src="[% c.uri_for("/static/images/msys2.svg") %]" alt="MSYS2" width="32" height="32" />
++          </td>
++          <td>MSYS2 package</td>
+         [% CASE "binary-dist" %]
+           <td>
+             <img src="[% c.uri_for("/static/images/binary-dist.png") %]" alt="Binary distribution" />
+diff --git a/src/root/static/images/msys2.svg b/src/root/static/images/msys2.svg
+new file mode 100644
+index 00000000..46baff50
+--- /dev/null
++++ b/src/root/static/images/msys2.svg
+@@ -0,0 +1,100 @@
++<?xml version="1.0" encoding="UTF-8" standalone="no"?>
++<!-- Created with Inkscape (http://www.inkscape.org/) -->
++
++<svg
++   width="36.777081mm"
++   height="36.777081mm"
++   viewBox="0 0 36.77708 36.777081"
++   version="1.1"
++   id="svg8"
++   inkscape:version="1.1.1 (3bf5ae0d25, 2021-09-20)"
++   sodipodi:docname="msys2_logo.svg"
++   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
++   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
++   xmlns="http://www.w3.org/2000/svg"
++   xmlns:svg="http://www.w3.org/2000/svg"
++   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
++   xmlns:cc="http://creativecommons.org/ns#"
++   xmlns:dc="http://purl.org/dc/elements/1.1/">
++  <defs
++     id="defs2" />
++  <sodipodi:namedview
++     id="base"
++     pagecolor="#ffffff"
++     bordercolor="#666666"
++     borderopacity="1.0"
++     inkscape:pageopacity="0.0"
++     inkscape:pageshadow="2"
++     inkscape:zoom="3.959798"
++     inkscape:cx="121.34457"
++     inkscape:cy="27.274119"
++     inkscape:document-units="mm"
++     inkscape:current-layer="layer1"
++     showgrid="false"
++     fit-margin-top="0"
++     fit-margin-left="0"
++     fit-margin-right="0"
++     fit-margin-bottom="0"
++     inkscape:window-width="2560"
++     inkscape:window-height="1371"
++     inkscape:window-x="0"
++     inkscape:window-y="32"
++     inkscape:window-maximized="1"
++     inkscape:pagecheckerboard="true" />
++  <metadata
++     id="metadata5">
++    <rdf:RDF>
++      <cc:Work
++         rdf:about="">
++        <dc:format>image/svg+xml</dc:format>
++        <dc:type
++           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
++      </cc:Work>
++    </rdf:RDF>
++  </metadata>
++  <g
++     inkscape:label="Layer 1"
++     inkscape:groupmode="layer"
++     id="layer1"
++     transform="translate(-122.70998,-169.48973)">
++    <rect
++       style="fill:#894c84;fill-opacity:1;stroke-width:0"
++       id="rect946"
++       width="36.777081"
++       height="36.777081"
++       x="122.70998"
++       y="169.48973" />
++    <path
++       style="fill:#d35e64;fill-opacity:1;stroke-width:0.133635"
++       d="m 142.72948,201.89184 c -0.32408,-0.25492 -0.35455,-0.35395 -0.3187,-1.03567 l 0.0396,-0.75379 h 0.45908 c 0.44506,0 0.45934,0.0163 0.46772,0.53453 l 0.009,0.53454 0.70308,0.0405 c 0.53885,0.031 0.7217,-0.008 0.78281,-0.16735 0.15971,-0.41619 -0.10726,-0.89779 -0.98636,-1.77935 -0.49365,-0.49504 -1.03351,-1.07713 -1.19967,-1.29353 -0.38599,-0.50269 -0.40844,-1.38334 -0.0467,-1.83013 0.23417,-0.28918 0.35554,-0.31548 1.45595,-0.31548 1.36938,0 1.67817,0.15986 1.80376,0.93383 0.11523,0.71006 -0.0673,1.20433 -0.44479,1.20433 -0.26632,0 -0.34178,-0.0979 -0.46372,-0.60136 -0.13305,-0.54937 -0.1843,-0.60509 -0.59283,-0.64461 -0.24596,-0.0238 -0.58921,-0.008 -0.76279,0.036 -0.59536,0.14942 -0.37642,0.57816 0.95393,1.86806 l 1.26953,1.23092 v 0.90178 c 0,1.37811 -0.0436,1.41874 -1.52348,1.41874 -1.06598,0 -1.29877,-0.0409 -1.60514,-0.28187 z"
++       id="path3828"
++       inkscape:connector-curvature="0" />
++    <path
++       style="fill:#d35e64;fill-opacity:1;stroke-width:0.133635"
++       d="m 148.05027,204.08841 c 0.0471,-0.28134 0.11947,-1.05275 0.16076,-1.71424 0.0703,-1.12643 0.0353,-1.35529 -0.55133,-3.60814 -0.34453,-1.32299 -0.6573,-2.54073 -0.69504,-2.70611 -0.0594,-0.26014 -0.0147,-0.30067 0.33149,-0.30067 0.22006,0 0.46737,0.081 0.54957,0.18007 0.0822,0.099 0.30254,0.86578 0.48964,1.70385 0.41743,1.86975 0.45345,1.99148 0.58914,1.99148 0.15912,0 0.35622,-0.563 0.74822,-2.13717 0.38958,-1.56447 0.48518,-1.73823 0.9564,-1.73823 0.39274,0 0.46132,-0.43504 -0.70121,4.4477 -0.46869,1.96849 -0.93011,3.74249 -1.02539,3.94223 -0.11781,0.24694 -0.29559,0.37716 -0.55559,0.40696 -0.37406,0.0429 -0.38048,0.0327 -0.29666,-0.46773 z"
++       id="path3830"
++       inkscape:connector-curvature="0" />
++    <path
++       style="fill:#d35e64;fill-opacity:1;stroke-width:0.133635"
++       d="m 155.37958,199.87478 -0.001,1.04324 c 0,0 0.0415,0.99571 -0.10812,1.13694 -0.15218,0.14363 -0.72994,0.11875 -1.5324,0.11875 -1.39413,0 -1.4684,-0.0143 -1.66996,-0.32193 -0.14282,-0.21797 -0.19775,-0.55241 -0.17012,-1.03567 0.0397,-0.69411 0.0518,-0.71373 0.43989,-0.71373 0.2965,0 0.40947,0.0687 0.43951,0.26726 0.13121,0.86712 0.13264,0.86863 0.81803,0.86863 1.33065,0 1.18669,-0.7429 -0.41998,-2.16732 -0.98712,-0.87515 -1.3045,-1.34704 -1.30163,-1.93531 0.005,-1.02426 0.44219,-1.37639 1.70885,-1.37639 1.4449,0 1.89746,0.36739 1.89746,1.54037 0,0.85 -0.80733,1.01376 -0.94108,0.1909 -0.113,-0.69515 -0.21979,-0.79583 -0.84414,-0.79583 -0.59087,0 -0.88668,0.17572 -0.88861,0.52786 -5.3e-4,0.11392 0.5857,0.76291 1.30294,1.44221"
++       id="path3832"
++       inkscape:connector-curvature="0"
++       sodipodi:nodetypes="ccssccscsccsssscc" />
++    <path
++       inkscape:connector-curvature="0"
++       id="path3826"
++       d="m 125.15872,195.23965 c -0.30592,-0.19939 -0.0836,-0.86189 0.8607,-2.56497 1.58255,-2.85415 5.22198,-10.62008 6.75854,-14.42159 0.91204,-2.25643 0.98557,-2.83541 0.41825,-3.29345 -0.30201,-0.24384 -0.34148,-0.33999 -0.22153,-0.53956 0.44174,-0.73497 2.98816,-1.05046 4.06353,-0.50346 1.1982,0.60947 1.74884,2.08184 2.47139,6.60826 0.57628,3.61017 1.00176,6.0369 1.0809,6.16495 0.21334,0.34519 0.63685,-0.49885 2.24466,-4.47355 2.25297,-5.56961 3.24559,-7.35862 4.41748,-7.9617 0.51912,-0.26714 0.89922,-0.34492 1.8995,-0.38866 1.60332,-0.0701 1.6509,-0.0327 1.64898,1.29653 -0.002,1.7237 -0.0807,1.96599 -0.76359,2.3662 -1.27599,0.74779 -2.16809,2.00702 -2.17,3.06305 -0.003,1.44987 1.07869,1.89961 2.0727,0.86208 0.20781,-0.2169 0.42671,-0.39436 0.48646,-0.39436 0.0597,0 0.10898,0.55626 0.10941,1.23612 5.2e-4,0.67987 0.0579,1.58514 0.12779,2.01171 0.14392,0.87871 0.16421,0.83597 -1.8354,3.86646 -1.11067,1.68327 -1.20806,1.92146 -0.90836,2.22164 0.18169,0.18198 0.60193,0.22609 2.48831,0.26119 l 2.26971,0.0422 0.55893,0.7403 c 0.68294,0.90455 0.72637,1.39945 0.1851,2.10909 -0.49391,0.64756 -1.48498,1.35585 -2.16303,1.54588 -0.98995,0.27744 -2.22523,-0.26803 -3.29926,-1.45686 -1.37797,-1.52525 -1.99486,-3.94203 -2.17991,-8.54021 -0.0642,-1.59436 -0.13883,-2.29481 -0.24099,-2.26075 -0.0814,0.0271 -0.99576,2.00431 -2.03189,4.39371 -3.28691,7.57995 -3.68415,8.28612 -4.54018,8.07127 -0.53578,-0.13448 -1.34919,-1.06203 -1.9102,-2.17825 -1.10951,-2.20757 -1.73511,-5.05031 -2.03723,-9.25721 -0.0871,-1.21273 -0.20858,-2.26094 -0.26996,-2.32935 -0.13588,-0.15144 -0.58442,0.82294 -2.08397,4.52711 -2.01481,4.97699 -2.79643,6.54288 -3.82036,7.65371 -0.87044,0.94432 -3.13721,1.88044 -3.68648,1.52243 z"
++       style="fill:#f9f9f9;stroke-width:0.133635" />
++    <g
++       id="g957"
++       transform="translate(36.843901,36.777081)"
++       style="fill:#999999">
++      <path
++         style="fill:#999999;fill-opacity:1;stroke-width:0.264583"
++         d="m 118.48002,154.38963 c -0.21263,-0.77937 -0.60053,-0.53763 -3.77862,-0.53763 -4.23812,0 -4.51001,0.21718 -2.65413,-2.44723 2.45703,-3.52744 3.4906,-5.92399 2.80851,-6.96499 -0.4719,-0.72022 -1.01247,-0.62449 -1.92709,0.34127 -0.84859,0.89603 -1.86894,0.41779 -1.86894,-0.95587 0,-2.01205 2.80561,-3.99992 5.38938,-3.9922 1.61399,0.005 2.43642,0.4039 3.21581,1.56044 1.12027,1.66236 0.73145,3.8557 -1.134,6.39695 -1.54383,2.10311 -0.73385,3.61259 0.95572,1.78109 1.46292,-1.68793 1.55952,0.86073 1.49098,1.70283 -0.2309,2.69619 -2.07701,4.65709 -2.49762,3.11534 z"
++         id="path961"
++         inkscape:connector-curvature="0"
++         sodipodi:nodetypes="sscccscccccs" />
++    </g>
++  </g>
++</svg>

nixbld-etc-nixos/named/193thz.com

@@ -0,0 +1,27 @@
+$TTL 7200
+
+@						SOA	ns1.193thz.com. sb.m-labs.hk. (
+							2023110901
+							7200
+							3600
+							86400
+							600)
+
+
+						NS		ns.193thz.com.
+						NS		ns1.he.net.
+
+						A		94.190.212.123
+						AAAA	2001:470:18:390::2
+						MX		10 mail.m-labs.hk.
+						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
+						TXT		"google-site-verification=5eIjLyhM_siRg5Fc2Z3AMSbheH0JFOn5iR3TCEXakqU"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
+
+
+ns						A		94.190.212.123
+
+mail._domainkey			TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9T0cONxGXeyETE0bJ6NJVGT58fVFrfb+WxQhMskCN/mJhODyDTkRCjzE8ZnKhZGjkFZNG+PoSZlW+kpSS1LvMwzQpMRaH4zAzIexffR0l7rJR1MuQiVMsfGWpO2SLEuN74L2qH8SUBHZjrRpeSaFxwQm+prIOzZe5wTZStt/6qQIDAQAB"
+_dmarc					TXT	"v=DMARC1; p=none"
+
+www						CNAME	@

nixbld-etc-nixos/named/200-29.98.206.103.in-addr.arpa

@@ -0,0 +1,18 @@
+$TTL 7200
+
+@						SOA	NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
+							2023092801
+							7200
+							3600
+							86400
+							600)
+
+
+						NS		NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
+						NS		ns1.he.net.
+
+200	PTR	router.alt.m-labs.hk.
+201	PTR	stewardship1.alt.m-labs.hk.
+202	PTR	stewardship2.alt.m-labs.hk.
+203	PTR	atse.alt.m-labs.hk.
+204	PTR	nasty-gareth.alt.m-labs.hk.

nixbld-etc-nixos/named/m-labs.hk

@@ -0,0 +1,59 @@
+$TTL 7200
+
+@						SOA	NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
+							2023092801
+							7200
+							3600
+							86400
+							600)
+
+
+						NS		NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
+						NS		ns1.qnetp.net.
+						NS		ns1.he.net.
+
+						A		94.190.212.123
+						AAAA	2001:470:18:390::2
+						MX		10 mail.m-labs.hk.
+						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
+						TXT		"google-site-verification=Tf_TEGZLG7-2BE70hMjLnzjDZ1qUeUZ6vxzbl1sagT8"
+
+
+mail					A		94.190.212.123
+mail					AAAA	2001:470:18:390::2
+mail._domainkey			TXT		"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl38A/Z0IInVU157qzrWgMfYm2iDHoWZsTyiiOoZdT7kHMzS/M2OMXMt7r5g1/7pCPClsGUDJvKGqVMmjJuPleMyKHwpGeT92qDNEFpt6ahneap/oYx5eBYM/vGcgmleNxyIoBHsptaZvqD4vCEFaC22f8UL5QAgQD3wCH3FwlpQIDAQAB"
+_dmarc					TXT		"v=DMARC1; p=none"
+
+lab						CNAME	@
+www						CNAME	@
+nixbld					CNAME	@
+msys2					CNAME	@
+conda					CNAME	@
+afws					CNAME	@
+git						CNAME	@
+chat					CNAME	@
+hooks					CNAME	@
+forum					CNAME	@
+perso					CNAME	@
+rt						CNAME	@
+files					CNAME	@
+docs					CNAME	@
+
+rpi-1					AAAA	2001:470:f891:1:dea6:32ff:fe8a:6a93
+rpi-2					AAAA	2001:470:f891:1:ba27:ebff:fef0:e9e6
+rpi-4					AAAA	2001:470:f891:1:dea6:32ff:fe14:fce9
+chiron					AAAA	2001:470:f891:1:7f02:9ebf:bee9:3dc7
+old-nixbld				AAAA	2001:470:f891:1:a07b:f49a:a4ef:aad9
+zeus					AAAA	2001:470:f891:1:4fd7:e70a:68bf:e9c1
+franz					AAAA	2001:470:f891:1:1b65:a743:2335:f5c6
+hera					AAAA	2001:470:f891:1:8b5e:404d:ef4e:9d92
+hestia					AAAA	2001:470:f891:1:881c:f409:a090:8401
+vulcan					AAAA	2001:470:f891:1:105d:3f15:bd53:c5ac
+
+aux						A		42.200.147.171
+
+router.alt				A		103.206.98.200
+stewardship1.alt		A		103.206.98.201
+stewardship2.alt		A		103.206.98.202
+atse.alt				A		103.206.98.203
+nasty-gareth.alt		A		103.206.98.204

nixbld-etc-nixos/named/m-labs.ph

@@ -0,0 +1,26 @@
+$TTL 7200
+
+@						SOA	ns1.m-labs.ph. sb.m-labs.hk. (
+							2023090301
+							7200
+							3600
+							86400
+							600)
+
+
+						NS		ns1.m-labs.ph.
+						NS		ns1.he.net.
+
+						A		94.190.212.123
+						AAAA	2001:470:18:390::2
+						MX		10 mail.m-labs.hk.
+						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
+						TXT		"google-site-verification=g2k8M1fhbYOPs4C37SeGCfNlD6paWcexamji1DXrp0o"
+
+ns1						A		94.190.212.123
+ns1						AAAA	2001:470:18:390::2
+
+mail._domainkey			TXT		"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPUlkoA4Gucsin6P5LSohSOpPbpOELkbKDz9MmB4Zzj4QdcQNtMzU3Uis8WZwVXknQ/6URoDdTa4aR8+PwMi5fjKpLM8ZAnnHJHYebZPDRq6lQo3VGdaCu9NhdjYwFhvK9VRyhwI9i7DUptdLsu/OzbgTlCdWQTOr+MFEkYwmxLQIDAQAB"
+_dmarc					TXT		"v=DMARC1; p=none"
+
+www						CNAME	@

nixbld-etc-nixos/nix-28-networked-derivations.patch

@@ -0,0 +1,80 @@
+diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
+index 61ee5d7aa..f38684973 100644
+--- a/src/libstore/build/local-derivation-goal.cc
++++ b/src/libstore/build/local-derivation-goal.cc
+@@ -176,6 +176,8 @@ void LocalDerivationGoal::tryLocalBuild() {
+         return;
+     }
+ 
++    networked = parsedDrv->getBoolAttr("__networked");
++
+     /* Are we doing a chroot build? */
+     {
+         auto noChroot = parsedDrv->getBoolAttr("__noChroot");
+@@ -193,7 +195,7 @@ void LocalDerivationGoal::tryLocalBuild() {
+         else if (settings.sandboxMode == smDisabled)
+             useChroot = false;
+         else if (settings.sandboxMode == smRelaxed)
+-            useChroot = derivationType.isSandboxed() && !noChroot;
++            useChroot = !networked && derivationType.isSandboxed() && !noChroot;
+     }
+ 
+     auto & localStore = getLocalStore();
+@@ -677,7 +679,7 @@ void LocalDerivationGoal::startBuilder()
+                 "nogroup:x:65534:\n", sandboxGid()));
+ 
+         /* Create /etc/hosts with localhost entry. */
+-        if (derivationType.isSandboxed())
++        if (!networked && derivationType.isSandboxed())
+             writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
+ 
+         /* Make the closure of the inputs available in the chroot,
+@@ -884,7 +886,7 @@ void LocalDerivationGoal::startBuilder()
+            us.
+         */
+ 
+-        if (derivationType.isSandboxed())
++        if (!networked && derivationType.isSandboxed())
+             privateNetwork = true;
+ 
+         userNamespaceSync.create();
+@@ -1179,7 +1181,7 @@ void LocalDerivationGoal::initEnv()
+        to the builder is generally impure, but the output of
+        fixed-output derivations is by definition pure (since we
+        already know the cryptographic hash of the output). */
+-    if (!derivationType.isSandboxed()) {
++    if (networked || !derivationType.isSandboxed()) {
+         for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
+             env[i] = getEnv(i).value_or("");
+     }
+@@ -1811,7 +1813,7 @@ void LocalDerivationGoal::runChild()
+             /* Fixed-output derivations typically need to access the
+                network, so give them access to /etc/resolv.conf and so
+                on. */
+-            if (!derivationType.isSandboxed()) {
++            if (networked || !derivationType.isSandboxed()) {
+                 // Only use nss functions to resolve hosts and
+                 // services. Don’t use it for anything else that may
+                 // be configured for this system. This limits the
+@@ -2059,7 +2061,7 @@ void LocalDerivationGoal::runChild()
+                     #include "sandbox-defaults.sb"
+                     ;
+ 
+-                if (!derivationType.isSandboxed())
++                if (networked || !derivationType.isSandboxed())
+                     sandboxProfile +=
+                         #include "sandbox-network.sb"
+                         ;
+diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
+index 34c4e9187..c4c26fd6f 100644
+--- a/src/libstore/build/local-derivation-goal.hh
++++ b/src/libstore/build/local-derivation-goal.hh
+@@ -44,6 +44,8 @@ struct LocalDerivationGoal : public DerivationGoal
+ 
+     Path chrootRootDir;
+ 
++    bool networked;
++
+     /* RAII object to delete the chroot directory. */
+     std::shared_ptr<AutoDelete> autoDelChroot;
+ 

nixbld-etc-nixos/nix-3-networked-derivations.patch

@@ -1,82 +0,0 @@
-diff -Naur /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.cc nix3/src/libstore/build/local-derivation-goal.cc
---- /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.cc	1970-01-01 08:00:01.000000000 +0800
-+++ nix3/src/libstore/build/local-derivation-goal.cc	2021-04-24 16:29:52.493166702 +0800
-@@ -395,6 +395,8 @@
-     additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
- #endif
- 
-+    networked = parsedDrv->getBoolAttr("__networked");
-+
-     /* Are we doing a chroot build? */
-     {
-         auto noChroot = parsedDrv->getBoolAttr("__noChroot");
-@@ -412,7 +414,7 @@
-         else if (settings.sandboxMode == smDisabled)
-             useChroot = false;
-         else if (settings.sandboxMode == smRelaxed)
--            useChroot = !(derivationIsImpure(derivationType)) && !noChroot;
-+            useChroot = !allowNetwork() && !(derivationIsImpure(derivationType)) && !noChroot;
-     }
- 
-     auto & localStore = getLocalStore();
-@@ -623,7 +625,7 @@
-                 "nogroup:x:65534:\n", sandboxGid()));
- 
-         /* Create /etc/hosts with localhost entry. */
--        if (!(derivationIsImpure(derivationType)))
-+        if (!allowNetwork() && !(derivationIsImpure(derivationType)))
-             writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
- 
-         /* Make the closure of the inputs available in the chroot,
-@@ -810,7 +812,7 @@
-            us.
-         */
- 
--        if (!(derivationIsImpure(derivationType)))
-+        if (!allowNetwork() && !(derivationIsImpure(derivationType)))
-             privateNetwork = true;
- 
-         userNamespaceSync.create();
-@@ -1066,7 +1068,7 @@
-        to the builder is generally impure, but the output of
-        fixed-output derivations is by definition pure (since we
-        already know the cryptographic hash of the output). */
--    if (derivationIsImpure(derivationType)) {
-+    if (allowNetwork() || derivationIsImpure(derivationType)) {
-         for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
-             env[i] = getEnv(i).value_or("");
-     }
-@@ -1702,7 +1704,7 @@
-             /* Fixed-output derivations typically need to access the
-                network, so give them access to /etc/resolv.conf and so
-                on. */
--            if (derivationIsImpure(derivationType)) {
-+            if (allowNetwork() || derivationIsImpure(derivationType)) {
-                 // Only use nss functions to resolve hosts and
-                 // services. Don’t use it for anything else that may
-                 // be configured for this system. This limits the
-@@ -1943,7 +1945,7 @@
- 
-                 sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
- 
--                if (derivationIsImpure(derivationType))
-+                if (allowNetwork() || derivationIsImpure(derivationType))
-                     sandboxProfile += "(import \"sandbox-network.sb\")\n";
- 
-                 /* Add the output paths we'll use at build-time to the chroot */
-diff -Naur /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.hh nix3/src/libstore/build/local-derivation-goal.hh
---- /nix/store/32wd1lrf55ymaz1aysrqffpxfgkwl6m4-source/src/libstore/build/local-derivation-goal.hh	1970-01-01 08:00:01.000000000 +0800
-+++ nix3/src/libstore/build/local-derivation-goal.hh	2021-04-24 16:35:23.060968488 +0800
-@@ -40,6 +40,12 @@
- 
-     Path chrootRootDir;
- 
-+    bool networked;
-+    bool allowNetwork()
-+    {
-+        return derivationIsFixed(drv->type()) || networked;
-+    }
-+
-     /* RAII object to delete the chroot directory. */
-     std::shared_ptr<AutoDelete> autoDelChroot;
- 

nixbld-etc-nixos/nix-networked-derivations.diff

@@ -1,83 +0,0 @@
-diff -Naur nix-2.3.10.orig/src/libstore/build.cc nix-2.3.10/src/libstore/build.cc
---- nix-2.3.10.orig/src/libstore/build.cc	1970-01-01 08:00:01.000000000 +0800
-+++ nix-2.3.10/src/libstore/build.cc	2021-04-24 16:17:08.778875340 +0800
-@@ -840,9 +840,16 @@
-     /* Whether this is a fixed-output derivation. */
-     bool fixedOutput;
- 
-+    bool networked;
-+
-     /* Whether to run the build in a private network namespace. */
-     bool privateNetwork = false;
- 
-+    bool allowNetwork()
-+    {
-+        return fixedOutput || networked;
-+    }
-+
-     typedef void (DerivationGoal::*GoalState)();
-     GoalState state;
- 
-@@ -1181,6 +1188,8 @@
- {
-     trace("have derivation");
- 
-+    fixedOutput = drv->isFixedOutput();
-+
-     retrySubstitution = false;
- 
-     for (auto & i : drv->outputs)
-@@ -1197,6 +1206,8 @@
- 
-     parsedDrv = std::make_unique<ParsedDerivation>(drvPath, *drv);
- 
-+    networked = parsedDrv->getBoolAttr("__networked");
-+
-     /* We are first going to try to create the invalid output paths
-        through substitutes.  If that doesn't work, we'll build
-        them. */
-@@ -1932,7 +1943,7 @@
-         else if (settings.sandboxMode == smDisabled)
-             useChroot = false;
-         else if (settings.sandboxMode == smRelaxed)
--            useChroot = !fixedOutput && !noChroot;
-+            useChroot = !allowNetwork() && !noChroot;
-     }
- 
-     if (worker.store.storeDir != worker.store.realStoreDir) {
-@@ -2109,7 +2120,7 @@
-                 "nogroup:x:65534:\n") % sandboxGid).str());
- 
-         /* Create /etc/hosts with localhost entry. */
--        if (!fixedOutput)
-+        if (!allowNetwork())
-             writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
- 
-         /* Make the closure of the inputs available in the chroot,
-@@ -2323,7 +2334,7 @@
-            us.
-         */
- 
--        if (!fixedOutput)
-+        if (!allowNetwork())
-             privateNetwork = true;
- 
-         userNamespaceSync.create();
-@@ -2534,7 +2545,7 @@
-        to the builder is generally impure, but the output of
-        fixed-output derivations is by definition pure (since we
-        already know the cryptographic hash of the output). */
--    if (fixedOutput) {
-+    if (allowNetwork()) {
-         for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
-             env[i] = getEnv(i);
-     }
-@@ -2823,7 +2834,7 @@
-             /* Fixed-output derivations typically need to access the
-                network, so give them access to /etc/resolv.conf and so
-                on. */
--            if (fixedOutput) {
-+            if (allowNetwork()) {
-                 ss.push_back("/etc/resolv.conf");
- 
-                 // Only use nss functions to resolve hosts and

nixbld-etc-nixos/rfq/src/rfq/__init__.py

@@ -14,6 +14,13 @@ from werkzeug.middleware.proxy_fix import ProxyFix
 
 load_dotenv()
 
+mail_password_file = getenv("FLASK_MAIL_PASSWORD_FILE")
+if mail_password_file is not None:
+    with open(mail_password_file, "r") as f:
+        mail_password = f.read().strip()
+else:
+    mail_password = None
+
 app = Flask(__name__)
 app.config.update(
     DEBUG=getenv("FLASK_DEBUG") == "True",
@@ -22,7 +29,7 @@ app.config.update(
     MAIL_USE_SSL=getenv("FLASK_MAIL_USE_SSL"),
     MAIL_DEBUG=False,
     MAIL_USERNAME=getenv("FLASK_MAIL_USERNAME"),
-    MAIL_PASSWORD=getenv("FLASK_MAIL_PASSWORD"),
+    MAIL_PASSWORD=mail_password,
     MAIL_RECIPIENT=getenv("FLASK_MAIL_RECIPIENT"),
     MAIL_SENDER=getenv("FLASK_MAIL_SENDER")
 )

nixbld-etc-nixos/rfq/uwsgi-config.nix

@@ -7,13 +7,13 @@ in {
   pythonPackages = self: [ pkg ];
   module = "rfq:app";
   env = [
-    "FLASK_MAIL_SERVER=ssl.serverraum.org"
+    "FLASK_MAIL_SERVER=mail.m-labs.hk"
     "FLASK_MAIL_PORT=465"
     "FLASK_MAIL_USE_SSL=True"
-    "FLASK_MAIL_USERNAME=sales@m-labs.hk"
-    "FLASK_MAIL_PASSWORD=${import /etc/nixos/secret/sales_password.nix}"
+    "FLASK_MAIL_USERNAME=sysop@m-labs.hk"
+    "FLASK_MAIL_PASSWORD_FILE=/etc/nixos/secret/rfqpassword"
     "FLASK_MAIL_RECIPIENT=sales@m-labs.hk"
-    "FLASK_MAIL_SENDER=sales@m-labs.hk"
+    "FLASK_MAIL_SENDER=sysop@m-labs.hk"
   ];
   socket = "${config.services.uwsgi.runDir}/uwsgi-rfq.sock";
   # allow access from nginx

nixbld-etc-nixos/rt.nix

@@ -93,6 +93,7 @@ let
 
       # Web Interface (Transaction display)
       Set($MaxInlineBody, 0);
+      Set($SuppressInlineTextFiles, 1);
 
       # Web Interface (Administrative interface)
       Set($ShowRTPortal, 0);
@@ -271,6 +272,7 @@ in {
             LogsDirectory = "rt/";
           };
 
+          after = [ "postgresql.service" ];
           wantedBy = [ "multi-user.target" ];
         };
       }
@@ -298,6 +300,7 @@ in {
 
     users.users.rt = {
       isSystemUser = true;
+      group = "rt";
     };
     users.groups.rt = {};
 

nixbld-etc-nixos/secret_permissions.txt

@@ -7,7 +7,5 @@
 -rw------- 1 uwsgi        uwsgi          mattermost-github-integration.py
 -rw------- 1 nginx        nginx          muninpasswd
 -rw-rw---- 1 hydra        hydra          nixbld.m-labs.hk-1
--rw-rw---- 1 hydra        hydra          nix_id_rsa
--rw------- 1 root         root           rclone.conf
 -rw------- 1 root         root           wifi_password.nix
 -rw------- 1 sb           users          wifi_ext_password.nix

nixops/any-nix-shell.nix

@@ -1,27 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, makeWrapper }:
-
-stdenv.mkDerivation rec {
-  pname = "any-nix-shell";
-  version = "1.2.1";
-
-  src = fetchFromGitHub {
-    owner = "haslersn";
-    repo = "any-nix-shell";
-    rev = "v${version}";
-    sha256 = "0q27rhjhh7k0qgcdcfm8ly5za6wm4rckh633d0sjz87faffkp90k";
-  };
-
-  nativeBuildInputs = [ makeWrapper ];
-  installPhase = ''
-    mkdir -p $out/bin
-    cp -r bin $out
-    wrapProgram $out/bin/any-nix-shell --prefix PATH ":" $out/bin
-  '';
-
-  meta = with lib; {
-    description = "fish and zsh support for nix-shell";
-    license = licenses.mit;
-    homepage = "https://github.com/haslersn/any-nix-shell";
-    maintainers = with maintainers; [ haslersn ];
-  };
-}

nixops/avscan-module.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  avscan = pkgs.writeScript "avscan" ''
+    #!${pkgs.bash}/bin/bash
+
+    for user in $(cut -d":" -f1 /etc/passwd); do
+      if [ -d "/home/$user" ]; then
+          nice -15 ${pkgs.sudo}/bin/sudo -u $user ${pkgs.clamav}/bin/clamscan --recursive --quiet --infected /home/$user
+      fi
+    done
+  '';
+  cfg = config.services.avscan;
+in
+{
+  options.services.avscan = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable antivirus scan";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.clamav.updater.enable = true;
+    services.clamav.updater.interval = "daily";
+    services.clamav.updater.frequency = 1;
+
+    systemd.services.avscan = {
+      description = "Antivirus scan";
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+        ExecStart = "${avscan}";
+      };
+    };
+
+    systemd.timers.avscan = {
+      description = "Antivirus scan";
+      wantedBy = [ "timers.target" ];
+      timerConfig.OnCalendar = "Mon *-*-* 13:00:00";
+    };
+  };
+}

nixops/chiron-hardware-configuration.nix

@@ -22,9 +22,13 @@
 
</