nixops: typo

https://github.com/NixOS/nixpkgs/issues/316608

nixbld-etc-nixos/configuration.nix

@@ -1,11 +1,8 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, pkgs, ... }:
 
 let
   netifWan = "enp4s0";
+  netifWanBackup = "enp11s0";
   netifLan = "enp5s0f1";
   netifWifi = "wlp6s0";
   netifSit = "henet0";
@@ -20,8 +17,8 @@ in
       ./afws-module.nix
       ./rt.nix
       (builtins.fetchTarball {
-        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/008d78cc21959e33d0d31f375b88353a7d7121ae/nixos-mailserver-nixos.tar.gz";
+        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/41059fc548088e49e3ddb3a2b4faeb5de018e60f/nixos-mailserver-nixos.tar.gz";
-        sha256 = "sha256:0pnfyg4icsvrw390a227m8b1j5w8awicx5aza3d0fiyyzpnrpn5a";
+        sha256 = "sha256:0xvch92yi4mc1acj08461wrgrva63770aiis02vpvaa7a1xqaibv";
       })
     ];
 
@@ -31,7 +28,7 @@ in
   boot.loader.grub.efiSupport = true;
   boot.loader.efi.canTouchEfiVariables = true;
   hardware.cpu.amd.updateMicrocode = true;
-  boot.supportedFilesystems = ["zfs"];
+  boot.supportedFilesystems.zfs = true;
   boot.kernelParams = ["zfs.l2arc_write_max=536870912"];
   boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];
 
@@ -94,7 +91,22 @@ in
       allowedUDPPorts = [ 53 67 500 4500 ];
       trustedInterfaces = [ netifLan ];
     };
-    interfaces."${netifWan}".useDHCP = true;
+    useDHCP = false;
+    interfaces."${netifWan}".useDHCP = true;  # PCCW - always wants active DHCP lease or cuts you off
+    interfaces."${netifWanBackup}" = {        # HKBN - no DHCP with static IP service
+      ipv4.addresses = [{
+        address = "202.77.7.238";
+        prefixLength = 30;
+      }];
+      ipv4.routes = [
+        {
+          address = "0.0.0.0";
+          prefixLength = 0;
+          via = "202.77.7.237";
+          options.table = "2";
+        }
+      ];
+    };
     interfaces."${netifLan}" = {
       ipv4.addresses = [{
         address = "192.168.1.1";
@@ -112,6 +124,11 @@ in
           prefixLength = 24;
           options.table = "1";
         }
+        {
+          address = "192.168.1.0";
+          prefixLength = 24;
+          options.table = "2";
+        }
       ];
     };
     interfaces."${netifWifi}" = {
@@ -123,6 +140,19 @@ in
         address = "2001:470:f891:2::";
         prefixLength = 64;
       }];
+      # same hack as above
+      ipv4.routes = [
+        {
+          address = "192.168.12.0";
+          prefixLength = 24;
+          options.table = "1";
+        }
+        {
+          address = "192.168.12.0";
+          prefixLength = 24;
+          options.table = "2";
+        }
+      ];
     };
     nat = {
       enable = true;
@@ -135,11 +165,6 @@ in
         { sourcePort = 2204; destination = "192.168.1.204:22"; proto = "tcp"; }
       ];
       extraCommands = ''
-        iptables -w -N block-lan-from-wifi
-        iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
-        iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
-        iptables -w -A FORWARD -j block-lan-from-wifi
-
         iptables -w -N block-insecure-devices
         iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP  # keysight SA
         iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP  # siglent scope
@@ -153,10 +178,6 @@ in
         iptables -w -A FORWARD -j block-insecure-devices
       '';
       extraStopCommands = ''
-        iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
-        iptables -w -F block-lan-from-wifi 2>/dev/null|| true
-        iptables -w -X block-lan-from-wifi 2>/dev/null|| true
-
         iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
         iptables -w -F block-insecure-devices 2>/dev/null|| true
         iptables -w -X block-insecure-devices 2>/dev/null|| true
@@ -243,12 +264,21 @@ in
     };
   };
 
-  systemd.services.custom-network-setup = {
+  systemd.services.network-custom-route-backup = {
     wantedBy = [ "network.target" ];
     serviceConfig = {
       Type = "oneshot";
       RemainAfterExit = true;
-      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.0/24 table 1";
+      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 202.77.7.238/30 table 2";
+      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
+    };
+  };
+  systemd.services.network-custom-route-alt = {
+    wantedBy = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.200/29 table 1";
       ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
     };
   };
@@ -276,11 +306,13 @@ in
            also-notify {
              213.239.220.50;  # ns1.qnetp.net
              216.218.130.2;   # ns1.he.net
+             88.198.32.245;   # new qnetp
            };
            '';
         slaves = [
           "213.239.220.50" "2a01:4f8:a0:7041::1"  # ns1.qnetp.net
           "216.218.133.2" "2001:470:600::2"       # slave.dns.he.net
+          "88.198.32.245"                         # new qnetp
         ];
       };
       "m-labs.ph" = {
@@ -442,7 +474,7 @@ in
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
-    wget vim git file lm_sensors acpi pciutils psmisc nixopsUnstable
+    wget vim git file lm_sensors acpi pciutils psmisc nixops_unstable_minimal
     irssi tmux usbutils imagemagick jq zip unzip
     iw
     nvme-cli
@@ -472,6 +504,8 @@ in
   services.openssh.enable = true;
   services.openssh.settings.PasswordAuthentication = false;
   services.openssh.settings.GatewayPorts = "clientspecified";
+  services.openssh.settings.X11Forwarding = true;
+  services.openssh.authorizedKeysInHomedir = false;
   programs.mosh.enable = true;
 
   programs.fish.enable = true;
@@ -499,6 +533,20 @@ in
     SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
     '';
 
+  sound.enable = true;
+  services.mpd.enable = true;
+  services.mpd.musicDirectory = "/tank/sb-public/FLAC";
+  services.mpd.network.listenAddress = "192.168.1.1";
+  services.mpd.extraConfig =
+    ''
+    audio_output_format "192000:24:2"
+    audio_output {
+      type "alsa"
+      name "alsa"
+      device "hw:1,1"
+    }
+    '';
+
   users.extraUsers.root = {
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
@@ -511,7 +559,7 @@ in
 
   users.extraUsers.sb = {
     isNormalUser = true;
-    extraGroups = ["lp" "scanner" "afws"];
+    extraGroups = ["lp" "scanner" "afws" "audio"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
@@ -521,6 +569,11 @@ in
   users.extraUsers.rj = {
     isNormalUser = true;
     extraGroups = ["afws"];
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
+     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
+     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
+    ];
   };
   users.extraUsers.nkrackow = {
     isNormalUser = true;
@@ -529,30 +582,23 @@ in
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
     ];
   };
-  users.extraUsers.occheung = {
-    isNormalUser = true;
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPEvmWmxpFpMgp5fpjKud8ev0cyf/+X5fEpQt/YD/+u4mbvZYPE300DLqQ0h/qjgvaGMz1ndf4idYnRdy+plJEC/+hmlRW5NlcpAr3S/LYAisacgKToFVl+MlBo+emS9Ig=="
-    ];
-  };
   users.extraUsers.spaqin = {
     isNormalUser = true;
-    extraGroups = ["lp" "scanner" "afws"];
+    extraGroups = ["lp" "afws"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ=="
     ];
     shell = pkgs.zsh;
   };
-  users.extraUsers.esavkin = {
+  users.extraUsers.therobs12 = {
     isNormalUser = true;
     extraGroups = ["lp" "afws"];
     openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
     ];
   };
   users.extraUsers.morgan = {
     isNormalUser = true;
-    extraGroups = ["lp"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
     ];
@@ -563,12 +609,7 @@ in
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
     ];
   };
-  users.extraUsers.dpn = {
+
-    isNormalUser = true;
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGChLocYJi8XcSJkIjT2Olm3jPGjtRq5aORa5G9F3OqmjCfvav9Q5+2Mc64XqHtNTffnJuDe4gv+lVJatC0URvPs2HyxXmxRK0jgkkLSUsV2SYLlgMqHW3jsrdh6wKBmkg=="
-    ];
-  };
   users.extraUsers.nix = {
     isNormalUser = true;
   };
@@ -577,7 +618,6 @@ in
 
   nix.settings.max-jobs = 10;
   nix.nrBuildUsers = 64;
-  nix.settings.trusted-users = ["sb"];
   services.hydra = {
     enable = true;
     useSubstitutes = true;
@@ -714,7 +754,7 @@ in
 
       mailer = {
         ENABLED = true;
-        HOST = "mail.m-labs.hk:587";
+        SMTP_ADDR = "mail.m-labs.hk:587";
         FROM = "sysop@m-labs.hk";
         USER = "sysop@m-labs.hk";
       };
@@ -968,6 +1008,9 @@ in
         addSSL = true;
         enableACME = true;
         root = "/var/www/perso";
+        extraConfig = ''
+          autoindex on;
+        '';
       };
       "rt.m-labs.hk" = {
         forceSSL = true;
@@ -1097,12 +1140,14 @@ in
 
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud27;
+    package = pkgs.nextcloud29;
     hostName = "files.m-labs.hk";
     https = true;
     maxUploadSize = "2G";
     config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
-    config.defaultPhoneRegion = "HK";
+    settings.default_phone_region = "HK";
+    settings.log_type = "file";
+    phpOptions."opcache.interned_strings_buffer" = "12";
   };
 
   services.hedgedoc = {

nixbld-etc-nixos/named/193thz.com

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	ns.193thz.com. sb.m-labs.hk. (
-							2023121301
+							2024060201
 							7200
 							3600
 							86400
@@ -12,11 +12,12 @@ $TTL 7200
 						NS		ns1.he.net.
 
 						A		94.190.212.123
+						A		202.77.7.238
 						AAAA	2001:470:18:390::2
 						MX		10 mail.m-labs.hk.
 						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
 						TXT		"google-site-verification=5eIjLyhM_siRg5Fc2Z3AMSbheH0JFOn5iR3TCEXakqU"
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
 
 
 ns						A		94.190.212.123

nixbld-etc-nixos/named/200-29.98.206.103.in-addr.arpa

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
-							2024010901
+							2024060201
 							7200
 							3600
 							86400
@@ -10,7 +10,7 @@ $TTL 7200
 
 						NS		NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
 						NS		ns1.he.net.
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
 
 200	PTR	router.alt.m-labs.hk.
 201	PTR	stewardship1.alt.m-labs.hk.

nixbld-etc-nixos/named/m-labs.hk

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
-							2024010901
+							2024060201
 							7200
 							3600
 							86400
@@ -13,14 +13,16 @@ $TTL 7200
 						NS		ns1.he.net.
 
 						A		94.190.212.123
+						A		202.77.7.238
 						AAAA	2001:470:18:390::2
 						MX		10 mail.m-labs.hk.
 						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
 						TXT		"google-site-verification=Tf_TEGZLG7-2BE70hMjLnzjDZ1qUeUZ6vxzbl1sagT8"
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
 
 
 mail					A		94.190.212.123
+mail					A		202.77.7.238
 mail					AAAA	2001:470:18:390::2
 mail._domainkey			TXT		"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl38A/Z0IInVU157qzrWgMfYm2iDHoWZsTyiiOoZdT7kHMzS/M2OMXMt7r5g1/7pCPClsGUDJvKGqVMmjJuPleMyKHwpGeT92qDNEFpt6ahneap/oYx5eBYM/vGcgmleNxyIoBHsptaZvqD4vCEFaC22f8UL5QAgQD3wCH3FwlpQIDAQAB"
 _dmarc					TXT		"v=DMARC1; p=none"

nixbld-etc-nixos/named/m-labs.ph

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	ns1.m-labs.ph. sb.m-labs.hk. (
-							2024010901
+							2024060201
 							7200
 							3600
 							86400
@@ -12,11 +12,12 @@ $TTL 7200
 						NS		ns1.he.net.
 
 						A		94.190.212.123
+						A		202.77.7.238
 						AAAA	2001:470:18:390::2
 						MX		10 mail.m-labs.hk.
 						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
 						TXT		"google-site-verification=g2k8M1fhbYOPs4C37SeGCfNlD6paWcexamji1DXrp0o"
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
 
 ns1						A		94.190.212.123
 ns1						AAAA	2001:470:18:390::2

nixbld-etc-nixos/named/malloctech.fr

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	ns.malloctech.fr. sb.m-labs.hk. (
-							2024010901
+							2024060201
 							7200
 							3600
 							86400
@@ -14,7 +14,7 @@ $TTL 7200
 						MX		10 mail.m-labs.hk.
 						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
 						TXT		"google-site-verification=LALF-fafTnmkL-18m3CzwFjSwEV1C7NeKexiNfMYsOw"
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
 
 ns						A		94.190.212.123
 ns						AAAA	2001:470:18:390::2

nixops/athena-hardware-configuration.nix

@@ -0,0 +1,45 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/89463254-b38d-45db-92b6-0f7d92a44f47";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/F84B-ACC5";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  hardware.cpu.intel.updateMicrocode = true;
+
+  system.stateVersion = "23.11";
+}

nixops/chiron-hardware-configuration.nix

@@ -18,6 +18,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/060C-8772";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];

nixops/common-users.nix

@@ -78,14 +78,14 @@
   };
   linuswck = {
     isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
+    extraGroups = ["plugdev" "dialout" "wireshark" "libvirtd"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAFYwmik6/xY1vb9aKBOpKklKOwSJJ0PEgNwWNULghZGJ0g4CTk04LXLSMYBm1SW74df8YMgaE/eoidq6smN6hKIgo8s3qPQGZAi4UXffMs2ciqXNa/zZcCu3PyZvyksxA=="
     ];
   };
   morgan = {
     isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
+    extraGroups = ["plugdev" "dialout" "wireshark" "libvirtd"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
     ];
@@ -104,6 +104,42 @@
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
     ];
   };
+  therobs12 = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
+    ];
+  };
+  architeuthis = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMhLPEGWDUauFHjiVduBMJrIMKT8SvtTDHXDVudUZrhewQy08h4NEEyWmczP4WMeyugI/L/a+J+Vc8mImgqSoHw52823LVcnR9EKnJoqnwAHU/J+41vIWAN2LAryd4p9yg=="
+    ];
+  };
+  abdul = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
+    ];
+  };
+  lyken = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ88QJlh/+F/xwXQlPEmQVmtycb8FfabxCdeiP3gTHUCV8y4PLh3ubY+EsY+Xhy/GlOAPdX7KSpiII3dndYfwZWzorXVoPBhhPKEIumFBOinWfp5kRVzWOD61gCwsYoVBg=="
+    ];
+  };
+  wanglm = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNhRITe/qj/zvW2dZbXNmyJxLHPgJAynlWh6NCGGarJbkhj8c1UFLUo2Hv7xqGil4PZnPGru4WwHX0RhWS/I39UPzfVvuntRGenNqqpo2T9Ble80QCawpZ2c07w7FkVq7g=="
+    ];
+  };
+
 
   dpn = {
     isNormalUser = true;

nixops/demeter-hardware-configuration.nix

@@ -21,6 +21,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/76A2-F01F";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];

nixops/desktop.nix

@@ -10,6 +10,9 @@ in
   nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
   programs.command-not-found.dbPath = "${pkgs.path}/programs.sqlite";
 
+  boot.loader.systemd-boot.memtest86.enable = true;
+  boot.loader.grub.memtest86.enable = true;
+
   imports =
     [
       (./. + "/${host}-hardware-configuration.nix")
@@ -62,6 +65,7 @@ in
     xsane
     gtkwave unzip zip gnupg
     gnome3.gnome-tweaks
+    gnome3.ghex
     jq sublime3 rink qemu_kvm
     tmux screen gdb minicom picocom
     artiq.packages.x86_64-linux.openocd-bscanspi
@@ -89,6 +93,7 @@ in
   services.avscan.enable = true;
 
   services.openssh.enable = true;
+  services.openssh.authorizedKeysInHomedir = false;
   services.openssh.settings.PasswordAuthentication = false;
   services.openssh.extraConfig =
     ''
@@ -121,7 +126,7 @@ in
   };
   services.avahi = {
     enable = true;
-    nssmdns = true;
+    nssmdns4 = true;
   };
 
   # Enable sound.
@@ -134,16 +139,12 @@ in
   hardware.opengl.driSupport32Bit = true;
   hardware.pulseaudio.support32Bit = true;
 
-  i18n.inputMethod = {
-    enabled = "fcitx5";
-    fcitx5.addons = [ pkgs.fcitx5-table-extra pkgs.fcitx5-m17n ];
-  };
   fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
 
   # Enable the X11 windowing system.
   services.xserver.enable = true;
-  services.xserver.layout = "us";
+  services.xserver.xkb.layout = "us";
-  services.xserver.xkbOptions = "eurosign:e";
+  services.xserver.xkb.options = "eurosign:e";
 
   services.xserver.displayManager.gdm.enable = true;
   services.xserver.desktopManager.gnome.enable = true;

nixops/experimental-users.nix

@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-
-{
-}

nixops/extra-udev.nix

@@ -21,4 +21,6 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="2109", ATTRS{idProduct}=="2812", MODE="0660"
 # LibreVNA
 SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
 SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
+# DSLogic
+SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
 ''

nixops/franz-hardware-configuration.nix

@@ -10,7 +10,6 @@
 
   boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelPackages = pkgs.linuxPackages_5_15;
   boot.kernelModules = [ "kvm-intel" ];
   boot.blacklistedKernelModules = [ "iwlwifi" ];
   boot.extraModulePackages = [ ];
@@ -24,6 +23,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/A33B-F001";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];

nixops/hera-hardware-configuration.nix

@@ -18,6 +18,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/8C30-F6DC";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];

nixops/hestia-hardware-configuration.nix

@@ -18,6 +18,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/E085-5F21";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];

nixops/juno-hardware-configuration.nix

@@ -21,6 +21,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/4E51-B390";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];

nixops/jupiter-hardware-configuration.nix

@@ -0,0 +1,43 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/315af039-6799-43ac-8999-7da69a6fbd1e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/45B7-790E";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+  
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  
+  system.stateVersion = "24.05";
+}

nixops/nixops.nix

@@ -6,8 +6,6 @@
   network.enableRollback = true;
 
   rpi-1 = import ./rpi.nix { host = "rpi-1"; rpi4 = true; };
-  rpi-2 = import ./rpi.nix { host = "rpi-2"; rpi4 = false; experimental-users = true; };
-  rpi-3 = import ./rpi.nix { host = "rpi-3"; rpi4 = true; };
   rpi-4 = import ./rpi.nix { host = "rpi-4"; rpi4 = true; };
   zeus = import ./desktop.nix { host = "zeus"; };
   hera = import ./desktop.nix { host = "hera"; };
@@ -17,4 +15,9 @@
   franz = import ./desktop.nix { host = "franz"; };
   juno = import ./desktop.nix { host = "juno"; };
   demeter = import ./desktop.nix { host = "demeter"; };
+  vulcan = import ./desktop.nix { host = "vulcan"; };
+  rc = import ./desktop.nix { host = "rc"; };
+  athena = import ./desktop.nix { host = "athena"; };
+  jupiter = import ./desktop.nix { host = "jupiter"; };
+  saturn = import ./desktop.nix { host = "saturn"; };
 }

nixops/old-nixbld-hardware-configuration.nix

@@ -21,6 +21,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/D0A3-DDAE";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

nixops/rc-hardware-configuration.nix

@@ -0,0 +1,50 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/348c924c-1d86-44ff-84af-2594f414e7d0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/1BDC-44BB";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/opt" =
+    { device = "/dev/disk/by-uuid/cf0f51b6-7b95-4c74-9390-37dc4c86f32b";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  hardware.cpu.intel.updateMicrocode = true;
+
+  system.stateVersion = "23.11";
+}

nixops/rpi.nix

@@ -24,6 +24,7 @@ in
   };
 
   services.openssh.enable = true;
+  services.openssh.authorizedKeysInHomedir = false;
   services.openssh.settings.PasswordAuthentication = false;
   services.openssh.settings.GatewayPorts = "clientspecified";
   services.openssh.extraConfig =
@@ -34,15 +35,12 @@ in
 
   networking.hostName = host;
 
-  networking.firewall.allowedTCPPorts = if host == "rpi-2" then [ 6000 ] else [];
-
   time.timeZone = "Asia/Hong_Kong";
 
   users.extraGroups.plugdev = { };
   users.mutableUsers = false;
   users.defaultUserShell = pkgs.fish;
-  users.extraUsers = (import ./common-users.nix { inherit pkgs; }) //
+  users.extraUsers = (import ./common-users.nix { inherit pkgs; }) // {
-    (pkgs.lib.optionalAttrs experimental-users (import ./experimental-users.nix { inherit pkgs; })) // {
     nixbld = {
       isNormalUser = true;
       extraGroups = ["plugdev" "dialout"];

nixops/saturn-hardware-configuration.nix

@@ -0,0 +1,43 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/51d521ec-4807-4b71-8a89-116b89f72d2e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/877D-AF6A";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+  
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  
+  system.stateVersion = "24.05";
+}

nixops/vulcan-hardware-configuration.nix

@@ -0,0 +1,41 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/67168ae0-6448-4b40-b278-406290224b4f";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/8F4B-AD84";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  hardware.cpu.intel.updateMicrocode = true;
+  
+  system.stateVersion = "23.05";
+}

nixops/zeus-hardware-configuration.nix

@@ -18,6 +18,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/91B4-E546";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];