
1113 lines
37 KiB
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
netifWan = "enp4s0";
netifLan = "enp5s0f1";
netifWifi = "wlp6s0";
netifSit = "henet0";
hydraWwwOutputs = "/var/www/hydra-outputs";
imports =
(builtins.fetchTarball {
url = "";
sha256 = "sha256:0pnfyg4icsvrw390a227m8b1j5w8awicx5aza3d0fiyyzpnrpn5a";
boot.loader.grub.enable = true;
boot.loader.grub.copyKernels = true;
boot.loader.grub.device = "nodev";
boot.loader.grub.efiSupport = true;
boot.loader.efi.canTouchEfiVariables = true;
hardware.cpu.amd.updateMicrocode = true;
boot.supportedFilesystems = ["zfs"];
boot.kernelParams = ["zfs.l2arc_write_max=536870912"];
boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];
services.zfs.autoScrub.enable = true;
services.zfs.autoScrub.interval = "monthly";
services.zfs.autoSnapshot.enable = true;
systemd.suppressedSystemUnits = [
services.fail2ban.enable = true;
services.fail2ban.ignoreIP = [ "" "2001:470:18:390::2" ];
services.fail2ban.maxretry = 9;
services.fail2ban.bantime-increment.enable = true;
services.fail2ban.jails.sshd = {
settings = {
filter = "sshd";
action = "iptables-allports";
services.fail2ban.jails.nginx-botsearch = {
settings = {
filter = "nginx-botsearch";
action = "iptables-allports";
services.fail2ban.jails.nginx-limit-req = {
settings = {
filter = "nginx-limit-req";
action = "iptables-allports";
services.fail2ban.jails.postfix = {
settings = {
filter = "postfix";
action = "iptables-allports";
services.fail2ban.jails.dovecot = {
settings = {
filter = "dovecot";
action = "iptables-allports";
networking = {
hostName = "nixbld";
hostId = "e423f012";
firewall = {
allowedTCPPorts = [ 53 80 443 7402 ];
allowedUDPPorts = [ 53 67 500 4500 ];
trustedInterfaces = [ netifLan ];
interfaces."${netifWan}".useDHCP = true;
interfaces."${netifLan}" = {
ipv4.addresses = [{
address = "";
prefixLength = 24;
ipv6.addresses = [{
address = "2001:470:f891:1::";
prefixLength = 64;
# we just copy what matters here. Ugly but easier.
ipv4.routes = [
address = "";
prefixLength = 24;
options.table = "1";
interfaces."${netifWifi}" = {
ipv4.addresses = [{
address = "";
prefixLength = 24;
ipv6.addresses = [{
address = "2001:470:f891:2::";
prefixLength = 64;
nat = {
enable = true;
externalInterface = netifWan;
internalInterfaces = [ netifLan netifWifi ];
forwardPorts = [
{ sourcePort = 2201; destination = ""; proto = "tcp"; }
{ sourcePort = 2202; destination = ""; proto = "tcp"; }
{ sourcePort = 2203; destination = ""; proto = "tcp"; }
{ sourcePort = 2204; destination = ""; proto = "tcp"; }
extraCommands = ''
iptables -w -N block-lan-from-wifi
iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
iptables -w -A FORWARD -j block-lan-from-wifi
iptables -w -N block-insecure-devices
iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP # keysight SA
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP # siglent scope
iptables -w -A block-insecure-devices -m mac --mac-source 00:0a:35:00:01:23 -j DROP # function generator
iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:21:f1:ee -j DROP # siglent scope #2
iptables -w -A block-insecure-devices -m mac --mac-source 00:19:af:5b:dd:58 -j DROP # power supply
iptables -w -A block-insecure-devices -m mac --mac-source 28:58:be:dc:66:1f -j DROP # hikvision low-cost 780nm laser viewer
iptables -w -A block-insecure-devices -m mac --mac-source bc:99:11:a4:d2:ac -j DROP # zyxel cloud switch
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
iptables -w -A FORWARD -j block-insecure-devices
extraStopCommands = ''
iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
iptables -w -F block-lan-from-wifi 2>/dev/null|| true
iptables -w -X block-lan-from-wifi 2>/dev/null|| true
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
iptables -w -F block-insecure-devices 2>/dev/null|| true
iptables -w -X block-insecure-devices 2>/dev/null|| true
sits."${netifSit}" = {
dev = netifWan;
remote = "";
local = "";
ttl = 255;
interfaces."${netifSit}".ipv6 = {
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
routes = [{ address = "::"; prefixLength = 0; }];
greTunnels.alt0 = {
dev = netifWan;
remote = "";
local = "";
ttl = 255;
type = "tun";
interfaces.alt0 = {
ipv4.addresses = [
address = "";
prefixLength = 31;
ipv4.routes = [
address = "";
prefixLength = 0;
via = "";
options.table = "1";
vlans = {
vlan0 = {
id = 2;
interface = netifLan;
interfaces.vlan0 = {
ipv4.addresses = [{
address = "";
prefixLength = 29;
ipv4.routes = [
address = "";
prefixLength = 29;
options.table = "1";
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1";
boot.kernel.sysctl."net.ipv6.conf.${netifLan}.accept_dad" = "0";
boot.kernel.sysctl."net.ipv6.conf.${netifWifi}.accept_dad" = "0";
services.strongswan-swanctl.enable = true;
services.strongswan-swanctl.swanctl.connections.altnet = {
local_addrs = [ "" ];
remote_addrs = [ "" ];
local.main = {
auth = "pubkey";
id = "";
pubkeys = [ "/etc/swanctl/pubkey/" ];
remote.main = {
auth = "pubkey";
id = "";
pubkeys = [ "/etc/swanctl/pubkey/" ];
children.alt0 = {
mode = "transport";
ah_proposals = [ "sha256-curve25519" ];
remote_ts = [ "[gre]" ];
local_ts = [ "[gre]" ];
start_action = "start";
}; = {
wantedBy = [ "" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip rule add from table 1";
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
# chown named.named /etc/nixos/named
services.bind = {
enable = true;
listenOn = [ "" ];
listenOnIpv6 = [ "2001:470:18:390::2" ];
forwarders = [];
extraOptions = "listen-on-v6 port 5354 { ::1; };";
cacheNetworks = [ "::1/128" ];
directory = "/etc/nixos/named";
zones = {
"" = {
name = "";
master = true;
file = "/etc/nixos/named/";
extraConfig =
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {; #; #
slaves = [
"" "2a01:4f8:a0:7041::1" #
"" "2001:470:600::2" #
"" = {
name = "";
master = true;
file = "/etc/nixos/named/";
extraConfig =
notify explicit;
also-notify {; #
slaves = [
"" "2001:470:600::2" #
"" = {
name = "";
master = true;
file = "/etc/nixos/named/";
extraConfig =
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {; #
slaves = [
"" "2001:470:600::2" #
"" = {
name = "";
master = true;
file = "/etc/nixos/named/";
extraConfig =
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {; #
slaves = [
"" "2001:470:600::2" #
"" = {
name = "";
master = true;
file = "/etc/nixos/named/";
extraConfig =
dnssec-policy "default";
inline-signing yes;
notify explicit;
also-notify {; #
slaves = [
"" "2001:470:600::2" #
extraConfig = ''
zone "mil." IN {
type forward;
forward only;
forwarders {; };
services.hostapd = {
enable = true;
radios.${netifWifi} = {
band = "2g";
countryCode = "HK";
networks.${netifWifi} = {
ssid = "M-Labs";
authentication.saePasswords = [
{ password = (import /etc/nixos/secret/wifi_password.nix); }
services.dnsmasq = {
enable = true;
settings = {
server = ["::1#5354"];
interface = [ netifLan netifWifi ];
bind-interfaces = true;
dhcp-range = [
enable-ra = true;
no-resolv = true;
dhcp-host = [
# Static IPv4s to make Red Pitayas with factory firmware less annoying
# Static IPv4s to make port redirections work
address = [
# Static IP addresses for non-DHCP boards
# Google can't do DNS geolocation correctly and slows down websites of everyone using
# their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
# cannot reach.
dhcp-match = "set:ipxe,175"; #
dhcp-boot = [
enable-tftp = netifLan;
tftp-root = "${pkgs.ipxe}";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "de";
# Set your time zone.
time.timeZone = "Asia/Hong_Kong";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim git file lm_sensors acpi pciutils psmisc nixopsUnstable
irssi tmux usbutils imagemagick jq zip unzip
(callPackage ./afws { inherit pkgs; })
(callPackage ./labelprinter { inherit pkgs; })
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# List services that you want to enable:
services.apcupsd.enable = true;
services.apcupsd.configText = ''
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
services.openssh.settings.GatewayPorts = "clientspecified";
programs.mosh.enable = true; = true;
programs.zsh.enable = true;
# Enable CUPS to print documents.
services.avahi.enable = true;
services.avahi.allowInterfaces = [ netifLan ];
services.avahi.publish.enable = true;
services.avahi.publish.userServices = true;
nixpkgs.config.allowUnfree = true;
services.printing.enable = true;
services.printing.drivers = [ pkgs.hplipWithPlugin ];
services.printing.browsing = true;
services.printing.listenAddresses = [ "*:631" ];
services.printing.defaultShared = true;
hardware.sane.enable = true;
hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
services.saned.enable = true;
services.saned.extraConfig = "";
services.udev.extraRules =
# label printer
SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
users.extraUsers.root = {
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
shell =;
security.sudo.enable = true; = {
isNormalUser = true;
extraGroups = ["lp" "scanner" "afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
shell =;
users.extraUsers.rj = {
isNormalUser = true;
extraGroups = ["afws"];
users.extraUsers.nkrackow = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
users.extraUsers.spaqin = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ=="
shell = pkgs.zsh;
users.extraUsers.therobs12 = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
users.extraUsers.morgan = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
users.extraUsers.derppening = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
users.extraUsers.nix = {
isNormalUser = true;
boot.kernel.sysctl."kernel.dmesg_restrict" = true;
services.udev.packages = [ pkgs.sane-backends ];
nix.settings.max-jobs = 4;
nix.settings.cores = 8;
nix.nrBuildUsers = 64;
services.hydra = {
enable = true;
hydraURL = "";
notificationSender = "";
minimumDiskFree = 15; # in GB
minimumDiskFreeEvaluator = 1;
extraConfig =
binary_cache_secret_key_file = /etc/nixos/secret/
max_output_size = 10000000000
job = web:web:web
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
job = web:web:nmigen-docs
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
job = artiq:sipyco:sipyco-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/sipyco-manual-html
job = artiq:sipyco:sipyco-manual-pdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/sipyco-manual-pdf
job = artiq:main-beta:artiq-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-beta
job = artiq:main-beta:artiq-manual-pdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf-beta
job = artiq:extra-beta:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-beta
job = artiq:main:artiq-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html
job = artiq:main:artiq-manual-pdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf
job = artiq:extra:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel
job = artiq:full-legacy:artiq-manual-html
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-legacy
job = artiq:full-legacy:artiq-manual-latexpdf
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-latexpdf-legacy
job = artiq:full-legacy:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-legacy
job = artiq:*:conda-channel
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-archives/$(jq -r '.build' < $HYDRA_JSON)
job = artiq:extra-beta:msys2-repos
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-beta
job = artiq:main-nac3:msys2-repos
command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-nac3
jobs = artiq:fast.*:extended-tests
inputs = artiqSrc
useShortContext = 1
authorization = token ${(import /etc/nixos/secret/github_tokens.nix).artiq}
sb=${(import /etc/nixos/secret/gitea_tokens.nix).artiq-zynq}
}; = {
description = "Set up a hydra-owned directory for build outputs";
wantedBy = [ "" ];
requiredBy = [ "hydra-queue-runner.service" ];
before = [ "hydra-queue-runner.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = [
"${pkgs.coreutils}/bin/mkdir -p ${hydraWwwOutputs} ${hydraWwwOutputs}/artiq-conda-channel-archives"
"${pkgs.coreutils}/bin/chown hydra-queue-runner:hydra ${hydraWwwOutputs} ${hydraWwwOutputs}/artiq-conda-channel-archives"
services.afws.enable = true;
nix.extraOptions = ''
secret-key-files = /etc/nixos/secret/
experimental-features = nix-command flakes
nix.settings.extra-sandbox-paths = ["/opt"];
nix.settings.substituters = pkgs.lib.mkForce [];
services.mlabs-backup.enable = true;
services.ghbackup.enable = true;
services.gitea = {
enable = true;
appName = "M-Labs Git";
mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
settings = {
server = {
ROOT_URL = "";
HTTP_PORT = 3001;
indexer = {
mailer = {
ENABLED = true;
HOST = "";
FROM = "";
USER = "";
service = {
attachment = {
log.LEVEL = "Warn";
session.COOKIE_SECURE = true;
systemd.tmpfiles.rules = [
"L+ '${}/custom/templates/home.tmpl' - - - - ${./gitea-home.tmpl}"
"L+ '${}/custom/templates/user/auth/signin.tmpl' - - - - ${./gitea-signin.tmpl}"
services.mattermost = {
enable = true;
siteUrl = "";
mutableConfig = true;
services.postgresql.package = pkgs.postgresql_12;
services.matterbridge = {
enable = true;
configPath = "/etc/nixos/secret/matterbridge.toml";
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
nix = super.nix.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
hydra_unstable = super.hydra_unstable.overrideAttrs(oa: {
patches = oa.patches or [] ++ [
./hydra-hack-allowed-uris.patch # work around
hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
doCheck = false; # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
matterbridge = super.matterbridge.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ];
security.acme.acceptTerms = true; = "sb" + "";
#"acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];"acme-fixperms".after = [ "bind.service" "dnsmasq.service" ];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
virtualHosts = let
mainWebsite = {
addSSL = true;
enableACME = true;
root = "${hydraWwwOutputs}/web";
extraConfig = ''
error_page 404 /404.html;
locations."^~ /fonts/".extraConfig = ''
expires 60d;
locations."^~ /js/".extraConfig = ''
expires 60d;
locations."/MathJax/" = {
alias = "/var/www/MathJax/";
extraConfig = ''
expires 60d;
locations."/nuc-netboot/".alias = "${import ./defenestrate}/";
# legacy URLs, redirect to avoid breaking people's bookmarks
locations."/gateware.html".extraConfig = ''
return 301 /gateware/migen/;
locations."/migen".extraConfig = ''
return 301 /gateware/migen/;
locations."/artiq".extraConfig = ''
return 301 /experiment-control/artiq/;
locations."/artiq/resources.html".extraConfig = ''
return 301 /experiment-control/resources/;
# autogenerated manuals
locations."/artiq/sipyco-manual/" = {
alias = "${hydraWwwOutputs}/sipyco-manual-html/";
locations."=/artiq/sipyco-manual.pdf" = {
alias = "${hydraWwwOutputs}/sipyco-manual-pdf/SiPyCo.pdf";
locations."/artiq/manual-beta/" = {
alias = "${hydraWwwOutputs}/artiq-manual-html-beta/";
locations."=/artiq/manual-beta.pdf" = {
alias = "${hydraWwwOutputs}/artiq-manual-pdf-beta/ARTIQ.pdf";
locations."/artiq/manual/" = {
alias = "${hydraWwwOutputs}/artiq-manual-html/";
locations."=/artiq/manual.pdf" = {
alias = "${hydraWwwOutputs}/artiq-manual-pdf/ARTIQ.pdf";
locations."/artiq/manual-legacy/" = {
alias = "${hydraWwwOutputs}/artiq-manual-html-legacy/share/doc/artiq-manual/html/";
locations."=/artiq/manual-legacy.pdf" = {
alias = "${hydraWwwOutputs}/artiq-manual-latexpdf-legacy/share/doc/artiq-manual/ARTIQ.pdf";
# legacy content
locations."/migen/manual/" = {
alias = "/var/www/";
locations."/artiq/manual-release-4/" = {
alias = "/var/www/";
locations."/artiq/manual-release-3/" = {
alias = "/var/www/";
locations."/artiq/manual-release-2/" = {
alias = "/var/www/";
in {
"" = mainWebsite;
"" = mainWebsite;
"" = mainWebsite;
"" = mainWebsite;
"" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "";
"" = {
forceSSL = true;
enableACME = true;
locations."/artiq-beta/" = {
alias = "${hydraWwwOutputs}/artiq-msys2-repos-beta/";
extraConfig = ''
autoindex on;
locations."/artiq-nac3/" = {
alias = "${hydraWwwOutputs}/artiq-msys2-repos-nac3/";
extraConfig = ''
autoindex on;
"" = {
forceSSL = true;
enableACME = true;
locations."/artiq-beta/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel-beta/";
extraConfig = ''
autoindex on;
index bogus_index_file;
locations."/artiq/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel/";
extraConfig = ''
autoindex on;
index bogus_index_file;
locations."/artiq-legacy/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel-legacy/";
extraConfig = ''
autoindex on;
index bogus_index_file;
locations."/artiq-archives/" = {
alias = "${hydraWwwOutputs}/artiq-conda-channel-archives/";
extraConfig = ''
autoindex on;
index bogus_index_file;
"" = {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:3771";
proxyWebsockets = true;
extraConfig =
proxy_read_timeout 2h;
"" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "";
extraConfig = ''
client_max_body_size 300M;
"" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "";
locations."~ /api/v[0-9]+/(users/)?websocket$".proxyPass = "";
locations."~ /api/v[0-9]+/(users/)?websocket$".proxyWebsockets = true;
"" = {
forceSSL = true;
enableACME = true;
locations."/mattermost-github".extraConfig = ''
include ${pkgs.nginx}/conf/uwsgi_params;
uwsgi_pass unix:${}/uwsgi-mgi.sock;
locations."/rfq".extraConfig = ''
include ${pkgs.nginx}/conf/uwsgi_params;
uwsgi_pass unix:${}/uwsgi-rfq.sock;
"" = {
forceSSL = true;
enableACME = true;
root = "/var/www/flarum/public";
locations."~ \.php$".extraConfig = ''
fastcgi_pass unix:${};
fastcgi_index index.php;
extraConfig = ''
index index.php;
include /var/www/flarum/.nginx.conf;
"" = {
addSSL = true;
enableACME = true;
root = "/var/www/perso";
"" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "";
extraConfig = ''
client_max_body_size 100M;
locations."/REST/1.0/NoAuth" = {
proxyPass = "";
extraConfig = ''
client_max_body_size 100M;
deny all;
"" = {
forceSSL = true;
enableACME = true;
"" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:9825";
locations."/".proxyPass = "http://localhost:9825";
locations."/".proxyWebsockets = true;
"" = {
addSSL = true;
enableACME = true;
root = "/var/www/193thz";
"" = {
addSSL = true;
enableACME = true;
root = "/var/www/193thz";
"" = {
addSSL = true;
enableACME = true;
root = "${hydraWwwOutputs}/nmigen-docs";
"" = {
addSSL = true;
enableACME = true;
root = "${hydraWwwOutputs}/nmigen-docs";
services.uwsgi = {
enable = true;
plugins = [ "python3" ];
instance = {
type = "emperor";
vassals = {
mattermostgithub = import ./mattermost-github-integration/uwsgi-config.nix { inherit config pkgs; };
rfq = import ./rfq/uwsgi-config.nix { inherit config pkgs; };
services.mysql = {
enable = true;
package = pkgs.mariadb;
services.phpfpm.pools.flarum = {
user = "nobody";
settings = {
"listen.owner" = "nginx";
"" = "nginx";
"listen.mode" = "0600";
"pm" = "dynamic";
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
"pm.max_requests" = 500;
services.rt = {
enable = true;
package = pkgs.rt.overrideAttrs(oa: {
patches = oa.patches or [] ++ [ ./rt-session.patch ];
organization = "M-Labs";
domain = "";
rtName = "Helpdesk";
ownerEmail = "sb" + "";
commentAddress = "helpdesk" + "";
correspondAddress = "helpdesk" + "";
sendmailPath = "${pkgs.msmtp}/bin/msmtp";
sendmailArguments = ["-t" "-C" "/etc/nixos/secret/rt_msmtp.conf"];
}; = {
description = "Fetchmail for RT";
wantedBy = [ "" ];
after = [ "dovecot2.service" ];
serviceConfig = {
Restart = "on-failure";
User = "rt";
Group = "rt";
ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
mailserver = {
enable = true;
localDnsResolver = false; # conflicts with dnsmasq
fqdn = "";
domains = [ "" "" "" "" ];
enablePop3 = true;
enablePop3Ssl = true;
certificateScheme = "acme-nginx";
} // (import /etc/nixos/secret/email_settings.nix);
services.roundcube = {
enable = true;
hostName = "";
extraConfig = ''
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
services.nextcloud = {
enable = true;
package = pkgs.nextcloud27;
hostName = "";
https = true;
maxUploadSize = "2G";
config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
config.defaultPhoneRegion = "HK";
services.hedgedoc = {
enable = true;
settings = {
port = 9825;
domain = "";
protocolUseSSL = true;
allowEmailRegister = false;
allowAnonymous = false;
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
system.stateVersion = "21.05";