diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b2be92b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+result
diff --git a/README b/README
index 24d732a..5165501 100644
--- a/README
+++ b/README
@@ -1,10 +1,16 @@
+On build device:
+* nix-build
+* (for LAN builds) nix-build --arg mlabs true
+
+On target device:
 * Enter BIOS, disable secure boot, enable UEFI PXE network boot
 * sudo auto-install
 * sudo reboot
 * Run memtest86
 * Copy device database to ~/artiq
-* Set timezone
+* Set timezone and kb layout
 * Comment out openssh.authorizedKeys.keys
-* sudo nixos-rebuild boot
-* sudo nix-collect-garbage -d
 * history clear
+
+On build device:
+* cat sealoff.sh | ssh rabi@artiq "sudo sh"
diff --git a/default.nix b/default.nix
index 4ce3499..094fb85 100644
--- a/default.nix
+++ b/default.nix
@@ -33,7 +33,7 @@ let
 parted /dev/nvme0n1 -- mkpart primary 512MiB 100%
 parted /dev/nvme0n1 -- mkpart ESP fat32 1MiB 512MiB
 parted /dev/nvme0n1 -- set 2 esp on
- mkfs.ext4 -L nixos /dev/nvme0n1p1
+ mkfs.btrfs -f -L nixos /dev/nvme0n1p1
 mkfs.fat -F 32 -n boot /dev/nvme0n1p2
 mount /dev/disk/by-label/nixos /mnt
 mkdir -p /mnt/boot
@@ -43,17 +43,26 @@ let nixos-install --no-root-password --flake /mnt/etc/nixos#artiq ''; - customModule = { - environment.systemPackages = [ autoInstall pkgs.git ]; - nix.settings.trusted-public-keys = ["nixbld.m-labs.hk-1:5aSRVA5b320xbNvu30tqxVPXpld73bhtOeH6uAjRyHc="]; - nix.settings.substituters = ["https://nixbld.m-labs.hk?priority=10"]; - }; + customModule = mlabs: + let storeUrl = "https://nixbld.m-labs.hk" + (if mlabs then "?priority=10" else ""); + in + { + system.stateVersion = "24.05"; + environment.systemPackages = [ autoInstall pkgs.git ]; + documentation.info.enable = false; # https://github.com/NixOS/nixpkgs/issues/124215 + documentation.man.enable = false; + nix.settings.trusted-public-keys = ["nixbld.m-labs.hk-1:5aSRVA5b320xbNvu30tqxVPXpld73bhtOeH6uAjRyHc="]; + nix.settings.substituters = [ storeUrl ]; + }; in - makeNetboot { - modules = [ - - customModule - ]; - system = "x86_64-linux"; - } + { mlabs ? false }: + let module = customModule mlabs; + in + makeNetboot { + modules = [ + + module + ]; + system = "x86_64-linux"; + } diff --git a/final/configuration.nix b/final/configuration.nix index c522199..fe5e163 100644 --- a/final/configuration.nix +++ b/final/configuration.nix @@ -32,7 +32,7 @@ console.keyMap = "us"; i18n.defaultLocale = "en_US.UTF-8"; - time.timeZone = "Asia/Hong_Kong"; + time.timeZone = "UTC"; nixpkgs.config.allowUnfree = true; environment.systemPackages = with pkgs; [ 
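Review bot: The `mlabs` argument of `customModule` in default.nix is an undocumented bare boolean whose only visible effect is appending `?priority=10` to `storeUrl`. With the default `{ mlabs ? false }` the netboot image therefore still uses https://nixbld.m-labs.hk as a substituter and still trusts its signing key; only the ordering relative to the other caches changes. A reader of `nix-build --arg mlabs true` could easily assume the flag switches the M-Labs cache on or off, so I would add a comment above `storeUrl`, for example `# mlabs = true (LAN build): give nixbld.m-labs.hk priority 10 so it is tried first; false: still a trusted substituter, at its default priority`.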
@@ -84,11 +84,11 @@ hardware.pulseaudio.package = pkgs.pulseaudioFull; services.xserver.enable = true; - services.xserver.layout = "us"; + services.xserver.xkb.layout = "us"; services.xserver.displayManager.gdm.enable = true; - services.xserver.displayManager.autoLogin.enable = true; - services.xserver.displayManager.autoLogin.user = "rabi"; + services.displayManager.autoLogin.enable = true; + services.displayManager.autoLogin.user = "rabi"; # https://github.com/NixOS/nixpkgs/issues/103746 systemd.services."getty@tty1".enable = false; systemd.services."autovt@tty1".enable = false; @@ -106,8 +106,16 @@ extraGroups = ["networkmanager" "wheel" "plugdev" "dialout" "wireshark"]; initialPassword = "rabi"; openssh.authorizedKeys.keys = [ + # m-labs "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN" + # m-labs "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1" + # quartiq rj + "ssh-rsa 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" + # quartiq rj + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY" + # quartiq pk + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu6yhjCoZ62eamYrAXtFefDhplTRUIdD4tncwlkyAEH" ]; }; security.sudo.wheelNeedsPassword = false; diff --git a/sealoff.sh b/sealoff.sh new file mode 100644 index 0000000..48ae35b --- /dev/null +++ b/sealoff.sh 
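Review bot: The three `quartiq` keys added to `openssh.authorizedKeys.keys` are root-equivalent, because the context lines of the same hunk put this user in `wheel` and set `security.sudo.wheelNeedsPassword = false`, yet nothing in the list marks them as provisioning-only. Their removal rests on the manual README step "Comment out openssh.authorizedKeys.keys", which the new sealoff.sh does not check. I would add a comment above the list such as `# provisioning-only keys, root-equivalent via passwordless sudo; must be disabled before sealoff`, and give the two `# m-labs` and the two `# quartiq rj` entries distinct labels so that a single key can be identified and revoked. The enclosing user block starts above the hunk.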
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+nixos-rebuild boot
+nix-collect-garbage -d
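Review bot: `nix-collect-garbage -d` on the last line runs while the pre-sealoff generation is still the booted system, so that generation (built, per the README, with the provisioning `authorizedKeys` enabled) is most likely kept alive as a GC root and survives this script; its boot-menu entry probably remains selectable after the reboot as well. The script also does not verify that the keys were actually commented out before `nixos-rebuild boot` bakes the configuration into the new generation. I would state both at the top of the file, e.g. `# precondition: openssh.authorizedKeys.keys is commented out in the target configuration (not checked here)` and `# after rebooting into the new generation, run nix-collect-garbage -d and nixos-rebuild boot once more to drop the old generation and its boot entry`.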