# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let
  # Physical interface names of this box. They are referenced by the
  # firewall, NAT, hostapd and dnsmasq sections below, so changing one
  # here changes them everywhere.
  netifWan = "enp0s31f6";  # upstream side: NAT external interface, not a trusted interface
  netifLan = "enp3s0";     # wired lab LAN, listed in networking.firewall.trustedInterfaces
  netifWifi = "wlp1s0";    # hostapd access point; NAT'd internal interface, not trusted
  # Name of the sit (6in4) tunnel interface created under networking.sits.
  netifSit = "henet0";
  # Directory where the Hydra <runcommand> hooks publish build outputs as
  # symlinks; nginx serves the website and manuals from there.
  hydraWwwOutputs = "/var/www/hydra-outputs";
in
{
imports =
  [
    ./hardware-configuration.nix
    # Local modules kept next to this file: the Homu merge queue
    # (services.homu) and the backup service (services.mlabs-backup).
    ./homu/nixos-module.nix
    ./backup-module.nix
    # simple-nixos-mailserver, fetched at evaluation time. The sha256 pins
    # the tarball contents, so a changed upstream archive fails the
    # evaluation instead of being picked up silently; bump url and hash
    # together when upgrading.
    (builtins.fetchTarball {
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.3.0/nixos-mailserver-v2.3.0.tar.gz";
      sha256 = "0lpz08qviccvpfws2nm83n7m2r8add2wvfg9bljx9yxx8107r919";
    })
  ];
# Use the systemd-boot EFI boot loader.
boot = {
  loader = {
    systemd-boot.enable = true;
    # Allow the activation script to write EFI boot entries.
    efi.canTouchEfiVariables = true;
  };
  # Keep the Intel wireless driver out of the running kernel; the blame
  # history of this line records iwlwifi crashing the machine. The hostapd
  # AP on wlp1s0 therefore presumably uses a different driver.
  blacklistedKernelModules = [ "iwlwifi" ];
};
# AppArmor LSM. No profiles are declared in this file, so only profiles
# contributed by other enabled modules (if any) get loaded.
security.apparmor.enable = true;
networking = {
  hostName = "nixbld";
  firewall = {
    # These apply on every interface that is not trusted: the WAN side,
    # the Wi-Fi AP and the sit tunnel. 80/443 are the nginx vhosts below.
    allowedTCPPorts = [ 80 443 ];
    # DNS and DHCP for the Wi-Fi clients (dnsmasq binds to the LAN and
    # Wi-Fi interfaces only, see bind-interfaces in services.dnsmasq).
    # NOTE(review): this also opens 53/67 on the WAN interface; the
    # per-interface form networking.firewall.interfaces."${netifWifi}".allowedUDPPorts
    # would limit it to the AP — confirm nothing on the WAN side needs them.
    allowedUDPPorts = [ 53 67 ];
    # Everything arriving on the wired LAN bypasses the filter, so any
    # listener bound to all addresses (CUPS on *:631 below; check the bind
    # addresses of Hydra/Gitea/Mattermost too) is reachable from the LAN
    # directly, not only through the nginx vhosts.
    trustedInterfaces = [ netifLan ];
  };
  # This host's own addresses on the two internal segments; dnsmasq hands
  # out the matching ranges.
  interfaces."${netifLan}" = {
    ipv4.addresses = [{
      address = "192.168.1.1";
      prefixLength = 24;
    }];
    ipv6.addresses = [{
      address = "2001:470:f821:1::";
      prefixLength = 64;
    }];
  };
  interfaces."${netifWifi}" = {
    ipv4.addresses = [{
      address = "192.168.12.1";
      prefixLength = 24;
    }];
    ipv6.addresses = [{
      address = "2001:470:f821:2::";
      prefixLength = 64;
    }];
  };
  nat = {
    enable = true;
    externalInterface = netifWan;
    internalInterfaces = [ netifLan netifWifi ];
    # SSH on the five build Raspberry Pis is reachable from the WAN on
    # 2201-2205; their addresses are pinned by the dhcp-host entries in
    # services.dnsmasq. A key for any of them is a foothold on the trusted
    # LAN segment.
    forwardPorts = [
      { sourcePort = 2201; destination = "192.168.1.201:22"; proto = "tcp"; }
      { sourcePort = 2202; destination = "192.168.1.202:22"; proto = "tcp"; }
      { sourcePort = 2203; destination = "192.168.1.203:22"; proto = "tcp"; }
      { sourcePort = 2204; destination = "192.168.1.204:22"; proto = "tcp"; }
      { sourcePort = 2205; destination = "192.168.1.205:22"; proto = "tcp"; }
    ];
    # Isolate the Wi-Fi segment from the wired LAN in both directions.
    # Only FORWARD is affected: Wi-Fi clients can still reach this host
    # itself, subject to the firewall rules above.
    extraCommands = ''
      iptables -w -N block-lan-from-wifi
      iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
      iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
      iptables -w -A FORWARD -j block-lan-from-wifi
    '';
    # Tear-down counterpart; `|| true` keeps the first run, when the chain
    # does not exist yet, from failing.
    extraStopCommands = ''
      iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
      iptables -w -F block-lan-from-wifi 2>/dev/null|| true
      iptables -w -X block-lan-from-wifi 2>/dev/null|| true
    '';
  };
  # 6in4 tunnel over the WAN interface; `local` is this host's public IPv4
  # (the same digits as the mailserver fqdn further down).
  sits."${netifSit}" = {
    dev = netifWan;
    remote = "216.218.221.6";
    local = "42.200.147.171";
    ttl = 255;
  };
  # Tunnel endpoint address and the IPv6 default route through it.
  interfaces."${netifSit}".ipv6 = {
    addresses = [{ address = "2001:470:18:629::2"; prefixLength = 64; }];
    routes = [{ address = "::"; prefixLength = 0; }];
  };
};
# Route IPv6 between the internal segments and the sit tunnel (the NAT
# module takes care of IPv4 forwarding).
boot.kernel.sysctl = {
  "net.ipv6.conf.all.forwarding" = "1";
  "net.ipv6.conf.default.forwarding" = "1";
};
# Recursive resolver on a non-standard port. Clients do not talk to it
# directly: dnsmasq (services.dnsmasq) forwards to ::1#5353.
services.unbound = {
  enable = true;
  extraConfig = ''
    server:
    port: 5353
  '';
};
services.hostapd = {
  enable = true;
  interface = netifWifi;
  # 2.4 GHz (802.11g); 802.11n is switched on in extraConfig.
  hwMode = "g";
  ssid = "M-Labs";
  # Evaluated from a file outside the repository. NOTE(review): because
  # the value is `import`ed at evaluation time it ends up in the generated
  # hostapd.conf under /nix/store, which is world-readable on this host —
  # confirm that is acceptable for this network.
  wpaPassphrase = (import /etc/nixos/secret/wifi_password.nix);
  # Passed through to hostapd.conf (the module presumably adds the base
  # wpa= settings itself):
  #  - ieee80211d / country_code: regulatory domain HK
  #  - ieee80211n / wmm_enabled: 802.11n, which needs WMM
  #  - auth_algs=1: open-system authentication only (no WEP shared key)
  #  - wpa_key_mgmt / rsn_pairwise: WPA-PSK with CCMP (AES) only, no TKIP
  extraConfig = ''
    ieee80211d=1
    country_code=HK
    ieee80211n=1
    wmm_enabled=1
    auth_algs=1
    wpa_key_mgmt=WPA-PSK
    rsn_pairwise=CCMP
  '';
};
services.dnsmasq = {
  enable = true;
  # Upstream is the local unbound instance on port 5353 (services.unbound);
  # with no-resolv below, /etc/resolv.conf is never consulted.
  servers = ["::1#5353"];
  # Written verbatim into dnsmasq.conf; see dnsmasq.conf(5):
  #  - interface / bind-interfaces: listen on the two internal segments
  #    only, never on the WAN interface.
  #  - dhcp-range (IPv4): pools for wired and Wi-Fi clients, 24h leases.
  #  - enable-ra and the '::' ranges: router advertisements on both
  #    segments; the wired one also gives SLAAC hosts DNS names (ra-names),
  #    the Wi-Fi one sends RAs only (ra-only).
  #  - dhcp-host: fixed IPv4 leases by hostname. rpi-1..rpi-5 must stay at
  #    .201-.205 because networking.nat.forwardPorts targets those addresses.
  #  - address=/name/ip: static DNS answers for the lab boards listed.
  extraConfig = ''
    interface=${netifLan}
    interface=${netifWifi}
    bind-interfaces
    dhcp-range=interface:${netifLan},192.168.1.81,192.168.1.254,24h
    dhcp-range=interface:${netifWifi},192.168.12.10,192.168.12.254,24h
    enable-ra
    dhcp-range=interface:${netifLan},::,constructor:${netifLan},ra-names
    dhcp-range=interface:${netifWifi},::,constructor:${netifWifi},ra-only
    no-resolv
    # Static IPv4s to make Red Pitayas less annoying
    dhcp-host=rp-f05cc9,192.168.1.190
    dhcp-host=rp-f0612e,192.168.1.191
    # Static IPv4s to make port redirections work
    dhcp-host=rpi-1,192.168.1.201
    dhcp-host=rpi-2,192.168.1.202
    dhcp-host=rpi-3,192.168.1.203
    dhcp-host=rpi-4,192.168.1.204
    dhcp-host=rpi-5,192.168.1.205
    # Default IP addresses for ARTIQ boards
    address=/thermostat/192.168.1.26
    address=/kc705/192.168.1.50
    address=/zc706/192.168.1.51
    address=/zc706-2/192.168.1.52
    address=/sayma/192.168.1.60
    address=/metlino/192.168.1.65
    address=/kasli/192.168.1.70
    address=/kasli-customer/192.168.1.75
    address=/stabilizer-customer/192.168.1.76
    # uTCA MCH from NAT
    address=/tschernobyl/192.168.1.80
  '';
};
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console.font = "Lat2-Terminus16";
# German console layout; independent of the locale above.
console.keyMap = "de";
# Set your time zone.
time.timeZone = "Asia/Hong_Kong";
# List packages installed in system profile. To search, run:
# $ nix search wget
# (Order is kept as before; it only matters for collision priority.)
environment.systemPackages = with pkgs; [
  # editors, VCS and hardware inspection
  wget vim git file
  lm_sensors acpi pciutils psmisc
  # remote access and deployment
  telnet nixops
  # interactive tooling
  irssi tmux usbutils imagemagick
  # JSON and archive helpers
  jq zip unzip
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# List services that you want to enable:
# UPS monitoring over USB. NISIP keeps apcupsd's network information
# server on loopback only; BATTERYLEVEL/MINUTES are the shutdown
# thresholds (percent remaining / estimated minutes).
services.apcupsd = {
  enable = true;
  configText = ''
    UPSTYPE usb
    NISIP 127.0.0.1
    BATTERYLEVEL 10
    MINUTES 5
  '';
};
# Enable the OpenSSH daemon.
services.openssh = {
  enable = true;
  # Password logins are refused; remote access is by authorized key only
  # (see users.extraUsers.sb). PermitRootLogin is left at the module default.
  passwordAuthentication = false;
  # X11 forwarding exposes the connecting client's X display to processes
  # on this server; only needed for GUI tools run remotely.
  forwardX11 = true;
};
programs = {
  # NOTE(review): if I recall the module correctly, enabling mosh also
  # opens its UDP port range (60000-61000) in the firewall on every
  # non-trusted interface — worth knowing alongside allowedUDPPorts above.
  mosh.enable = true;
  fish.enable = true;
};
# mDNS/DNS-SD responder, restricted to the wired LAN; presumably announces
# the shared CUPS printers (services.printing) besides user services.
services.avahi = {
  enable = true;
  interfaces = [ netifLan ];
  publish = {
    enable = true;
    userServices = true;
  };
};
# Needed for hplipWithPlugin, which ships HP's proprietary plugin.
nixpkgs.config.allowUnfree = true;
# Enable CUPS to print documents.
services.printing = {
  enable = true;
  drivers = [ pkgs.hplipWithPlugin ];
  # Listens on every address; reachable from the trusted LAN, while 631 is
  # not in networking.firewall.allowedTCPPorts for the other interfaces.
  listenAddresses = [ "*:631" ];
  browsing = true;
  defaultShared = true;
};
hardware.sane = {
  enable = true;
  extraBackends = [ pkgs.hplipWithPlugin ];
};
# `users.extraUsers` / `users.extraGroups` are the legacy aliases of
# users.users / users.groups; both spellings are still accepted.
users.extraGroups.plugdev = { };
users.extraUsers.sb = {
  isNormalUser = true;
  # wheel together with security.sudo.wheelNeedsPassword = false (below)
  # makes each of the two keys here root-equivalent on this host.
  # dialout/lp/scanner are presumably for the lab hardware and the HP
  # printer/scanner.
  extraGroups = ["wheel" "plugdev" "dialout" "lp" "scanner"];
  shell = pkgs.fish;
  openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
  ];
};
# Also in wheel (passwordless sudo), but no key or password is declared in
# this file, so how this account logs in is not visible here.
users.extraUsers.rj = {
  isNormalUser = true;
  extraGroups = ["wheel" "plugdev" "dialout"];
};
# No wheel: hardware access only.
users.extraUsers.astro = {
  isNormalUser = true;
  extraGroups = ["plugdev" "dialout"];
  shell = pkgs.bashInteractive;
};
# Plain account with no groups or keys declared here. The sshUser = "nix"
# in nix.buildMachines refers to the account on rpi-3, not to this one.
users.extraUsers.nix = {
  isNormalUser = true;
};
# Members of wheel (sb, rj above) get sudo without re-authenticating, so a
# compromised SSH key for either of them is immediately root.
security.sudo.wheelNeedsPassword = false;
# /proc is mounted so users only see their own processes.
security.hideProcessInformation = true;
# Only root may read the kernel log (hides addresses, oops output and
# hardware details from unprivileged users).
boot.kernel.sysctl."kernel.dmesg_restrict" = true;
# udev rules from sane-backends, presumably so scanner devices get the
# right group/permissions for the scanner group above.
services.udev.packages = [ pkgs.sane-backends ];
nix.distributedBuilds = true;
# Build slots. The first entry is this machine (advertising big-parallel so
# derivations requiring that feature can run here); the second is an
# aarch64 Raspberry Pi reached over SSH as user "nix" with the key below.
# sshKey is a plain string, so the key is read at runtime and not copied
# into the store. rpi-3 resolves through the dnsmasq dhcp-host entry to
# 192.168.1.203 on the trusted LAN. NOTE(review): the Pi's SSH host key is
# not pinned in this file — presumably it lives in root's known_hosts.
nix.buildMachines = [
  {
    hostName = "localhost";
    maxJobs = 4;
    system = "x86_64-linux";
    supportedFeatures = ["big-parallel"];
  }
  {
    hostName = "rpi-3";
    sshUser = "nix";
    sshKey = "/etc/nixos/secret/nix_id_rsa";
    maxJobs = 1;
    system = "aarch64-linux";
  }
];
services.hydra = {
  enable = true;
  # Locally patched build, see nixpkgs.config.packageOverrides below.
  package = pkgs.hydra-unstable;
  # Fetch from configured binary caches instead of rebuilding.
  useSubstitutes = true;
  # Public URL; nginx terminates TLS for it and proxies to 127.0.0.1:3000.
  hydraURL = "https://nixbld.m-labs.hk";
  notificationSender = "hydra@m-labs.hk";
  minimumDiskFree = 15; # in GB
  minimumDiskFreeEvaluator = 1;
  # binary_cache_secret_key_file: key Hydra signs its binary cache with;
  # the same file is registered with the Nix daemon in nix.extraOptions.
  # It is text inside the string, not a path literal, so the key itself is
  # read at runtime and never copied into the world-readable store.
  # Each <runcommand> runs after a build of the named job; when the build
  # succeeded (buildStatus 0 in $HYDRA_JSON) it repoints a symlink under
  # ${hydraWwwOutputs} at the first output path, which nginx then serves.
  # jq is on Hydra's PATH through the hydraPath override below.
  extraConfig =
  ''
    binary_cache_secret_key_file = /etc/nixos/secret/nixbld.m-labs.hk-1
    max_output_size = 10000000000
    <runcommand>
    job = web:web:web
    command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
    </runcommand>
    <runcommand>
    job = artiq:full:sipyco-manual-html
    command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/sipyco-manual-html
    </runcommand>
    <runcommand>
    job = artiq:full:sipyco-manual-latexpdf
    command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/sipyco-manual-latexpdf
    </runcommand>
    <runcommand>
    job = artiq:full-beta:artiq-manual-html
    command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-beta
    </runcommand>
    <runcommand>
    job = artiq:full-beta:artiq-manual-latexpdf
    command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-latexpdf-beta
    </runcommand>
    <runcommand>
    job = artiq:full-beta:conda-channel
    command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYD RA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-beta
    </runcommand>
    <runcommand>
    job = artiq:full:artiq-manual-html
    command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html
    </runcommand>
    <runcommand>
    job = artiq:full:artiq-manual-latexpdf
    command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-latexpdf
    </runcommand>
    <runcommand>
    job = artiq:full:conda-channel
    command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel
    </runcommand>
  '';
};
systemd.services.hydra-www-outputs-init = {
  description = "Set up a hydra-owned directory for build outputs";
  # One-shot unit ordered before the queue runner, so the <runcommand>
  # hooks in services.hydra.extraConfig can symlink into the directory.
  wantedBy = [ "multi-user.target" ];
  requiredBy = [ "hydra-queue-runner.service" ];
  before = [ "hydra-queue-runner.service" ];
  serviceConfig = {
    Type = "oneshot";
    ExecStart = [
      "${pkgs.coreutils}/bin/mkdir -p ${hydraWwwOutputs}"
      # Owned by the queue runner; nginx only reads from it (vhost aliases).
      "${pkgs.coreutils}/bin/chown hydra-queue-runner:hydra ${hydraWwwOutputs}"
    ];
  };
};
# Lets the Nix daemon sign locally built paths with the Hydra cache key
# (same file as binary_cache_secret_key_file in services.hydra.extraConfig).
# The path is text here, so the key is never copied into the store.
nix.extraOptions = ''
  secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
'';
# NOTE(review): /opt from the host is made visible inside every build
# sandbox. Anything a build finds there is an undeclared input, so such
# builds are not reproducible elsewhere, and the build users can read
# whatever is in /opt. Worth keeping to the minimum that needs it.
nix.sandboxPaths = ["/opt"];
services.munin-node = {
  enable = true;
};
services.munin-cron = {
  enable = true;
  # Only this host is graphed; nginx aliases /var/www/munin/ for the
  # generated pages under lab.m-labs.hk/munin/ (see that vhost for the
  # authentication set-up).
  hosts = ''
    [${config.networking.hostName}]
    address localhost
  '';
};
# Local module imported above (./backup-module.nix).
services.mlabs-backup.enable = true;
services.gitea = {
  enable = true;
  # httpAddress is left at the module default; nginx (git.m-labs.hk)
  # proxies to 127.0.0.1:3001.
  httpPort = 3001;
  rootUrl = "https://git.m-labs.hk/";
  appName = "M-Labs Git";
  # Session cookie carries the Secure flag — consistent with the vhost
  # being forceSSL.
  cookieSecure = true;
  # Accounts are created by an admin only.
  disableRegistration = true;
  # Plain string path: read at runtime, not copied into the store.
  mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
  # Appended to app.ini.
  # NOTE(review): ALLOWED_TYPES = */* lets any logged-in user attach files
  # of any type to issues and releases. With registration disabled the
  # audience is the existing accounts, but confirm this is intended and
  # check how Gitea serves such attachments.
  extraConfig =
  ''
    [mailer]
    ENABLED = true
    HOST = ssl.serverraum.org:587
    FROM = sysop@m-labs.hk
    USER = sysop@m-labs.hk
    [service]
    ENABLE_NOTIFY_MAIL = true
    [attachment]
    ALLOWED_TYPES = */*
  '';
};
# Replace (L+) Gitea's landing-page template with the one kept next to
# this file. ${./gitea-home.tmpl} is a path literal, so the template is
# copied into the store and the symlink points there.
systemd.tmpfiles.rules = [
  "L+ '${config.services.gitea.stateDir}/custom/templates/home.tmpl' - - - - ${./gitea-home.tmpl}"
];
# Team chat behind the chat.m-labs.hk vhost (proxied to 127.0.0.1:8065).
services.mattermost = {
  siteUrl = "https://chat.m-labs.hk/";
  # Module option: config.json stays writable, so System Console changes
  # presumably persist next to this declarative config.
  mutableConfig = true;
  enable = true;
};
services.matterbridge = {
  # Plain string path outside the repository; presumably holds the bridge
  # credentials. Read at runtime, not copied into the store.
  configPath = "/etc/nixos/secret/matterbridge.toml";
  enable = true;
};
nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
  # Hydra with local patches (per the patch file names: conda channel
  # support, retries, a sysbuild fix) and jq on its PATH for the
  # <runcommand> hooks in services.hydra.extraConfig.
  hydra-unstable = super.hydra-unstable.overrideAttrs (prev: {
    patches = (prev.patches or []) ++ [
      ./hydra-conda.patch
      ./hydra-retry.patch
      ./hydra-unbreak-sysbuild.patch
    ];
    hydraPath = prev.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
  });
  # matterbridge with the GitHub bridge patched out.
  matterbridge = super.matterbridge.overrideAttrs (prev: {
    patches = (prev.patches or []) ++ [ ./matterbridge-disable-github.patch ];
  });
};
security.acme = {
  acceptTerms = true;
  # Split to keep the address out of naive scrapers of this file.
  email = "sb" + "@m-labs.hk";
  # One certificate for nixbld.m-labs.hk with every other vhost as a SAN;
  # the vhosts reference it via useACMEHost.
  certs."nixbld.m-labs.hk" = {
    user = "nginx";
    group = "nginx";
    # http-01 challenge directory, presumably served by nginx for the
    # vhosts that reference this certificate.
    webroot = "/var/lib/acme/acme-challenge";
    extraDomains = {
      "m-labs.hk" = null;
      "www.m-labs.hk" = null;
      "conda.m-labs.hk" = null;
      "lab.m-labs.hk" = null;
      "git.m-labs.hk" = null;
      "chat.m-labs.hk" = null;
      "hooks.m-labs.hk" = null;
      "forum.m-labs.hk" = null;
      "perso.m-labs.hk" = null;
      "nmigen.org" = null;
      "www.nmigen.org" = null;
      "openhardware.hk" = null;
      "git.openhardware.hk" = null;
    };
  };
};
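services.nginx = {
  enable = true;
  # Module defaults for proxying (forwarded headers etc.) and gzip on
  # every vhost below.
  recommendedProxySettings = true;
  recommendedGzipSettings = true;
  virtualHosts = let
    # Shared definition for m-labs.hk and www.m-labs.hk. The document root
    # is the `web` symlink maintained by Hydra's <runcommand> hook (see
    # services.hydra.extraConfig), so a successful build goes live by
    # itself. addSSL keeps plain HTTP reachable next to HTTPS.
    mainWebsite = {
      addSSL = true;
      useACMEHost = "nixbld.m-labs.hk";
      root = "${hydraWwwOutputs}/web";
      extraConfig = ''
        error_page 404 /404.html;
      '';
      # Long cache lifetime for static assets.
      locations."^~ /fonts/".extraConfig = ''
        expires 60d;
      '';
      locations."^~ /js/".extraConfig = ''
        expires 60d;
      '';
      locations."/MathJax/" = {
        alias = "/var/www/MathJax/";
        extraConfig = ''
          expires 60d;
        '';
      };
      # legacy URLs, redirect to avoid breaking people's bookmarks
      locations."/gateware.html".extraConfig = ''
        return 301 /gateware/migen/;
      '';
      locations."/migen".extraConfig = ''
        return 301 /gateware/migen/;
      '';
      locations."/artiq".extraConfig = ''
        return 301 /experiment-control/artiq/;
      '';
      locations."/artiq/resources.html".extraConfig = ''
        return 301 /experiment-control/resources/;
      '';
      # autogenerated manuals: each alias points into the matching Hydra
      # output symlink, so these always show the latest successful build.
      locations."/artiq/sipyco-manual/" = {
        alias = "${hydraWwwOutputs}/sipyco-manual-html/share/doc/sipyco-manual/html/";
      };
      locations."=/artiq/sipyco-manual.pdf" = {
        alias = "${hydraWwwOutputs}/sipyco-manual-latexpdf/share/doc/sipyco-manual/SiPyCo.pdf";
      };
      locations."/artiq/manual-beta/" = {
        alias = "${hydraWwwOutputs}/artiq-manual-html-beta/share/doc/artiq-manual/html/";
      };
      locations."=/artiq/manual-beta.pdf" = {
        alias = "${hydraWwwOutputs}/artiq-manual-latexpdf-beta/share/doc/artiq-manual/ARTIQ.pdf";
      };
      locations."/artiq/manual/" = {
        alias = "${hydraWwwOutputs}/artiq-manual-html/share/doc/artiq-manual/html/";
      };
      locations."=/artiq/manual.pdf" = {
        alias = "${hydraWwwOutputs}/artiq-manual-latexpdf/share/doc/artiq-manual/ARTIQ.pdf";
      };
      # legacy content
      locations."/migen/manual/" = {
        alias = "/var/www/m-labs.hk.old/migen/manual/";
      };
      locations."/artiq/manual-release-4/" = {
        alias = "/var/www/m-labs.hk.old/artiq/manual-release-4/";
      };
      locations."/artiq/manual-release-3/" = {
        alias = "/var/www/m-labs.hk.old/artiq/manual-release-3/";
      };
      locations."/artiq/manual-release-2/" = {
        alias = "/var/www/m-labs.hk.old/artiq/manual-release-2/";
      };
    };
  in {
    "m-labs.hk" = mainWebsite;
    "www.m-labs.hk" = mainWebsite;
    "lab.m-labs.hk" = {
      # NOTE(review): addSSL leaves plain HTTP open, so the basic-auth
      # credentials for /munin/ can be sent in clear. forceSSL would close
      # that, provided whatever calls /homu/ (webhooks?) follows redirects
      # or already uses https.
      addSSL = true;
      useACMEHost = "nixbld.m-labs.hk";
      # The auth directives must live in the same location block that
      # serves the files: nginx picks the longest matching prefix, so a
      # separate "/munin" block does not apply to requests under "/munin/".
      locations."/munin/" = {
        alias = "/var/www/munin/";
        extraConfig = ''
          auth_basic "Munin";
          auth_basic_user_file /etc/nixos/secret/muninpasswd;
        '';
      };
      # Bare /munin: redirect into the protected tree instead of serving
      # anything from the default root.
      locations."=/munin".extraConfig = ''
        return 301 /munin/;
      '';
      locations."/homu/".proxyPass = "http://127.0.0.1:54856/";
    };
    "nixbld.m-labs.hk" = {
      forceSSL = true;
      useACMEHost = "nixbld.m-labs.hk";
      # Hydra web UI.
      locations."/".proxyPass = "http://127.0.0.1:3000";
    };
    "conda.m-labs.hk" = {
      forceSSL = true;
      useACMEHost = "nixbld.m-labs.hk";
      # Directory listings of the Hydra-built conda channels; the bogus
      # index name makes nginx fall through to autoindex.
      locations."/artiq-beta/" = {
        alias = "${hydraWwwOutputs}/artiq-conda-channel-beta/";
        extraConfig = ''
          autoindex on;
          index bogus_index_file;
        '';
      };
      locations."/artiq/" = {
        alias = "${hydraWwwOutputs}/artiq-conda-channel/";
        extraConfig = ''
          autoindex on;
          index bogus_index_file;
        '';
      };
    };
    "git.m-labs.hk" = {
      forceSSL = true;
      useACMEHost = "nixbld.m-labs.hk";
      locations."/".proxyPass = "http://127.0.0.1:3001";
      # Large pushes and attachments.
      extraConfig = ''
        client_max_body_size 300M;
      '';
    };
    "chat.m-labs.hk" = {
      forceSSL = true;
      useACMEHost = "nixbld.m-labs.hk";
      locations."/".proxyPass = "http://127.0.0.1:8065";
      # Mattermost's websocket endpoints need the Upgrade headers.
      locations."~ /api/v[0-9]+/(users/)?websocket$".proxyPass = "http://127.0.0.1:8065";
      locations."~ /api/v[0-9]+/(users/)?websocket$".proxyWebsockets = true;
    };
    "hooks.m-labs.hk" = {
      forceSSL = true;
      useACMEHost = "nixbld.m-labs.hk";
      # Webhook receivers, handed to the uwsgi vassals from services.uwsgi
      # through their sockets under runDir.
      locations."/mattermost-github".extraConfig = ''
        include ${pkgs.nginx}/conf/uwsgi_params;
        uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-mgi.sock;
      '';
      locations."/rfq".extraConfig = ''
        include ${pkgs.nginx}/conf/uwsgi_params;
        uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-rfq.sock;
      '';
    };
    "forum.m-labs.hk" = {
      forceSSL = true;
      useACMEHost = "nixbld.m-labs.hk";
      root = "/var/www/flarum/public";
      # In a Nix double-quoted string "\." collapses to ".", which turned
      # the intended regex into `~ .php$`; "\\." yields the literal `\.`.
      locations."~ \\.php$".extraConfig = ''
        fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
        fastcgi_index index.php;
      '';
      extraConfig = ''
        index index.php;
        include /var/www/flarum/.nginx.conf;
      '';
    };
    "perso.m-labs.hk" = {
      addSSL = true;
      useACMEHost = "nixbld.m-labs.hk";
      root = "/var/www/perso";
    };
    "nmigen.org" = {
      addSSL = true;
      useACMEHost = "nixbld.m-labs.hk";
      locations."/".extraConfig = ''
        return 307 https://m-labs.hk/gateware/nmigen/;
      '';
    };
    "www.nmigen.org" = {
      addSSL = true;
      useACMEHost = "nixbld.m-labs.hk";
      locations."/".extraConfig = ''
        return 307 https://m-labs.hk/gateware/nmigen/;
      '';
    };
    "git.openhardware.hk" = {
      forceSSL = true;
      useACMEHost = "nixbld.m-labs.hk";
      # Gitea inside containers.openhardwarehk.
      locations."/".proxyPass = "http://127.0.0.1:3002";
      extraConfig = ''
        client_max_body_size 300M;
      '';
    };
  };
};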
# Two Python web apps behind the hooks.m-labs.hk vhost: the
# GitHub-to-Mattermost integration and the rfq app. Emperor mode runs each
# vassal from its own config in the subdirectories; their sockets under
# runDir are what the uwsgi_pass lines in that vhost reference.
services.uwsgi = {
  enable = true;
  plugins = [ "python3" ];
  instance = {
    type = "emperor";
    vassals = {
      mattermostgithub = import ./mattermost-github-integration/uwsgi-config.nix { inherit config pkgs; };
      rfq = import ./rfq/uwsgi-config.nix { inherit config pkgs; };
    };
  };
};
# MariaDB; presumably the database for the Flarum forum served below.
services.mysql = {
  package = pkgs.mariadb;
  enable = true;
};
services.phpfpm.pools.flarum = {
  # NOTE(review): runs under the shared `nobody` account; a dedicated user
  # would keep the forum's files and processes apart from anything else
  # that also runs as nobody.
  user = "nobody";
  settings = {
    # Unix socket owned by nginx with mode 0600, so only the nginx workers
    # can reach the pool (fastcgi_pass in the forum.m-labs.hk vhost).
    "listen.owner" = "nginx";
    "listen.group" = "nginx";
    "listen.mode" = "0600";
    # Process-manager sizing.
    "pm" = "dynamic";
    "pm.max_children" = 5;
    "pm.start_servers" = 2;
    "pm.min_spare_servers" = 1;
    "pm.max_spare_servers" = 3;
    # Recycle workers periodically.
    "pm.max_requests" = 500;
  };
};
# Merge queue from the local module imported above. Its TOML lives outside
# the repository (plain string path, read at runtime) and presumably holds
# the GitHub credentials; the lab.m-labs.hk vhost proxies /homu/ to
# 127.0.0.1:54856, presumably this service.
services.homu = {
  config = "/etc/nixos/secret/homu.toml";
  enable = true;
};
mailserver = {
  enable = true;
  localDnsResolver = false; # conflicts with dnsmasq
  # Some mail servers do reverse DNS lookups to filter spam.
  # Getting a proper reverse DNS record from ISP is difficult, so use whatever already exists.
  fqdn = "42-200-147-171.static.imsbiz.com";
  domains = [ "nmigen.org" ];
  # Account list evaluated from a file outside the repository.
  # NOTE(review): `import` of a path literal puts the evaluated values into
  # the generated config under /nix/store — confirm that file holds only
  # password hashes, never plaintext passwords.
  loginAccounts = (import /etc/nixos/secret/email_accounts.nix);
  # Certificate mode of the nixos-mailserver release imported above;
  # 3 = obtain via ACME, if I recall the scheme numbering correctly.
  certificateScheme = 3;
};
# Extra SAN on the certificate the mailserver module requests for its fqdn.
security.acme.certs."${config.mailserver.fqdn}".extraDomains = {
  "mail.nmigen.org" = null;
};
# Second Gitea instance in a NixOS container. privateNetwork is not set,
# so the container shares the host's network namespace: its :3002 is what
# the git.openhardware.hk vhost proxies to, and (if it binds to all
# addresses) it is reachable directly from the trusted LAN like the host's
# own listeners.
containers.openhardwarehk = {
  autoStart = true;
  config =
  { config, pkgs, ... }:
  {
    services.gitea = {
      enable = true;
      httpPort = 3002;
      rootUrl = "https://git.openhardware.hk/";
      appName = "Open Hardware HK";
      cookieSecure = true;
      disableRegistration = true;
      # No mailer is configured for this instance. Same any-type attachment
      # policy as the host's Gitea.
      extraConfig =
      ''
        [attachment]
        ALLOWED_TYPES = */*
      '';
    };
  };
};
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
# (The nixpkgs channel actually deployed is not pinned anywhere in this file.)
system.stateVersion = "18.09"; # Did you read the comment?
}