diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index 0a0a180..2068e36 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -20,8 +20,8 @@ in
 ./afws-module.nix
 ./rt.nix
 (builtins.fetchTarball {
- url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/4966c0f63f04659015f064f2aa34b1893a16dfde/nixos-mailserver-nixos.tar.gz";
- sha256 = "sha256:0bbv0hcwpm9vhvqnj51k84c3fx6x0vgv68yf0f8kdjvprpzxjdgk";
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/008d78cc21959e33d0d31f375b88353a7d7121ae/nixos-mailserver-nixos.tar.gz";
+ sha256 = "sha256:0pnfyg4icsvrw390a227m8b1j5w8awicx5aza3d0fiyyzpnrpn5a";
 })
 ];
@@ -56,36 +56,36 @@ in
 services.fail2ban.ignoreIP = [ "94.190.212.123" "2001:470:18:390::2" ];
 services.fail2ban.maxretry = 9;
 services.fail2ban.bantime-increment.enable = true;
- services.fail2ban.jails.sshd =
- ''
- enabled = true
- filter = sshd
- action = iptables-allports
- '';
- services.fail2ban.jails.nginx-botsearch =
- ''
- enabled = true
- filter = nginx-botsearch
- action = iptables-allports
- '';
- services.fail2ban.jails.nginx-limit-req =
- ''
- enabled = true
- filter = nginx-limit-req
- action = iptables-allports
- '';
- services.fail2ban.jails.postfix =
- ''
- enabled = true
- filter = postfix
- action = iptables-allports
- '';
- services.fail2ban.jails.dovecot =
- ''
- enabled = true
- filter = dovecot
- action = iptables-allports
- '';
+ services.fail2ban.jails.sshd = {
+ settings = {
+ filter = "sshd";
+ action = "iptables-allports";
+ };
+ };
+ services.fail2ban.jails.nginx-botsearch = {
+ settings = {
+ filter = "nginx-botsearch";
+ action = "iptables-allports";
+ };
+ };
+ services.fail2ban.jails.nginx-limit-req = {
+ settings = {
+ filter = "nginx-limit-req";
+ action = "iptables-allports";
+ };
+ };
+ services.fail2ban.jails.postfix = {
+ settings = {
+ filter = "postfix";
+ action = "iptables-allports";
+ };
+ };
+ services.fail2ban.jails.dovecot = {
+ settings = {
+ filter = "dovecot";
+ action = "iptables-allports";
+ };
+ };
 networking = {
 hostName = "nixbld";
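Review bot: The five converted jails drop the explicit `enabled = true` that the string form carried, so they now depend on the jail submodule's `enabled` option defaulting to true; as far as I recall the rewritten module does default it, but it is worth confirming on the deployed channel, because a jail that ends up disabled fails silently and the host simply stops banning. The five bodies are otherwise identical apart from the filter name, each being `filter = <name>; action = "iptables-allports";`, so generating them from one list keeps them in step and makes adding a jail or changing the action a one-line edit; this assumes `lib` is in scope from the module argument set, which is not visible in the hunk. The enclosing `let ... in` body starts outside the hunk.
```nix
services.fail2ban.jails = lib.genAttrs
  [ "sshd" "nginx-botsearch" "nginx-limit-req" "postfix" "dovecot" ]
  (name: {
    settings = {
      filter = name;
      action = "iptables-allports";
    };
  });
```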
@@ -361,20 +361,17 @@ in
 };
 services.hostapd = {
- enable = true;
- interface = netifWifi;
- hwMode = "g";
- ssid = "M-Labs";
- wpaPassphrase = (import /etc/nixos/secret/wifi_password.nix);
- extraConfig = ''
- ieee80211d=1
- country_code=HK
- ieee80211n=1
- wmm_enabled=1
- auth_algs=1
- wpa_key_mgmt=WPA-PSK
- rsn_pairwise=CCMP
- '';
+ enable = true;
+ radios.${netifWifi} = {
+ band = "2g";
+ countryCode = "HK";
+ networks.${netifWifi} = {
+ ssid = "M-Labs";
+ authentication.saePasswords = [
+ { password = (import /etc/nixos/secret/wifi_password.nix); }
+ ];
+ };
+ };
 };
 services.dnsmasq = {
 enable = true;
@@ -753,7 +750,7 @@ in
 siteUrl = "https://chat.m-labs.hk/";
 mutableConfig = true;
 };
- services.postgresql.package = pkgs.postgresql_11;
+ services.postgresql.package = pkgs.postgresql_12;
 services.matterbridge = {
 enable = true;
 configPath = "/etc/nixos/secret/matterbridge.toml";
@@ -761,7 +758,7 @@ in
 nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
 nix = super.nix.overrideAttrs(oa: {
- patches = oa.patches or [] ++ [ ./nix-28-networked-derivations.patch ];
+ patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
 });
 hydra_unstable = super.hydra_unstable.overrideAttrs(oa: {
 patches = oa.patches or [] ++ [
@@ -1115,12 +1112,12 @@ in
 services.nextcloud = {
 enable = true;
- package = pkgs.nextcloud26;
+ package = pkgs.nextcloud27;
 hostName = "files.m-labs.hk";
 https = true;
- enableBrokenCiphersForSSE = false;
 maxUploadSize = "2G";
 config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
+ config.defaultPhoneRegion = "HK";
 };
 services.hedgedoc = {
diff --git a/nixbld-etc-nixos/nix-28-networked-derivations.patch b/nixbld-etc-nixos/nix-networked-derivations.patch
similarity index 60%
rename from nixbld-etc-nixos/nix-28-networked-derivations.patch
rename to nixbld-etc-nixos/nix-networked-derivations.patch
index 5fb15be..80f3b96 100644
--- a/nixbld-etc-nixos/nix-28-networked-derivations.patch
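Review bot: The Wi-Fi passphrase is still pulled in with `import /etc/nixos/secret/wifi_password.nix` at evaluation time in the new `saePasswords` entry, so the plaintext ends up in the generated hostapd configuration in the world-readable Nix store, exactly as it did with `wpaPassphrase`; the rewritten module can instead read the passwords from a file at service start via `authentication.saePasswordsFile`, pointing at a file outside the store such as the existing `/etc/nixos/secret/` directory, which is the option I would switch to here. Separately, the old block configured WPA2-PSK (`wpa_key_mgmt=WPA-PSK`, `rsn_pairwise=CCMP`) while the new one sets only `saePasswords` and no `authentication.mode`; if I recall the module's default of `"wpa3-sae"` correctly, the network becomes WPA3-only with protected management frames required, so WPA2-only clients stop associating. If that is not the intent, set `authentication.mode = "wpa3-sae-transition";` and supply a WPA2 passphrase alongside (again preferably via the file-based option). Both points depend on the module rather than on lines visible here, so confirm against the deployed nixpkgs revision.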
+++ b/nixbld-etc-nixos/nix-networked-derivations.patch @@ -1,80 +1,80 @@ diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc -index 61ee5d7aa..f38684973 100644 +index 64b55ca6a..9b4e52b8e 100644 --- a/src/libstore/build/local-derivation-goal.cc 
+++ b/src/libstore/build/local-derivation-goal.cc -@@ -176,6 +176,8 @@ void LocalDerivationGoal::tryLocalBuild() { - return; - } +@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild() + + assert(derivationType); + networked = parsedDrv->getBoolAttr("__networked"); + /* Are we doing a chroot build? */ { auto noChroot = parsedDrv->getBoolAttr("__noChroot"); -@@ -193,7 +195,7 @@ void LocalDerivationGoal::tryLocalBuild() { +@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild() else if (settings.sandboxMode == smDisabled) useChroot = false; else if (settings.sandboxMode == smRelaxed) -- useChroot = derivationType.isSandboxed() && !noChroot; -+ useChroot = !networked && derivationType.isSandboxed() && !noChroot; +- useChroot = derivationType->isSandboxed() && !noChroot; ++ useChroot = !networked && derivationType->isSandboxed() && !noChroot; } auto & localStore = getLocalStore(); -@@ -677,7 +679,7 @@ void LocalDerivationGoal::startBuilder() +@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder() "nogroup:x:65534:\n", sandboxGid())); /* Create /etc/hosts with localhost entry. */ -- if (derivationType.isSandboxed()) -+ if (!networked && derivationType.isSandboxed()) +- if (derivationType->isSandboxed()) ++ if (!networked && derivationType->isSandboxed()) writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n"); /* Make the closure of the inputs available in the chroot, -@@ -884,7 +886,7 @@ void LocalDerivationGoal::startBuilder() +@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder() us. 
*/ -- if (derivationType.isSandboxed()) -+ if (!networked && derivationType.isSandboxed()) +- if (derivationType->isSandboxed()) ++ if (!networked && derivationType->isSandboxed()) privateNetwork = true; userNamespaceSync.create(); -@@ -1179,7 +1181,7 @@ void LocalDerivationGoal::initEnv() +@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv() to the builder is generally impure, but the output of fixed-output derivations is by definition pure (since we already know the cryptographic hash of the output). */ -- if (!derivationType.isSandboxed()) { -+ if (networked || !derivationType.isSandboxed()) { +- if (!derivationType->isSandboxed()) { ++ if (networked || !derivationType->isSandboxed()) { for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings())) env[i] = getEnv(i).value_or(""); } -@@ -1811,7 +1813,7 @@ void LocalDerivationGoal::runChild() +@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild() /* Fixed-output derivations typically need to access the network, so give them access to /etc/resolv.conf and so on. */ -- if (!derivationType.isSandboxed()) { -+ if (networked || !derivationType.isSandboxed()) { +- if (!derivationType->isSandboxed()) { ++ if (networked || !derivationType->isSandboxed()) { // Only use nss functions to resolve hosts and // services. Don’t use it for anything else that may // be configured for this system. This limits the -@@ -2059,7 +2061,7 @@ void LocalDerivationGoal::runChild() +@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild() #include "sandbox-defaults.sb" ; -- if (!derivationType.isSandboxed()) -+ if (networked || !derivationType.isSandboxed()) +- if (!derivationType->isSandboxed()) ++ if (networked || !derivationType->isSandboxed()) sandboxProfile += #include "sandbox-network.sb" ; diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh -index 34c4e9187..c4c26fd6f 100644 +index 0a05081c7..4c251718c 100644 
--- a/src/libstore/build/local-derivation-goal.hh +++ b/src/libstore/build/local-derivation-goal.hh -@@ -44,6 +44,8 @@ struct LocalDerivationGoal : public DerivationGoal +@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal Path chrootRootDir; + bool networked; + - /* RAII object to delete the chroot directory. */ - std::shared_ptr autoDelChroot; - + /** + * RAII object to delete the chroot directory. + */