14 changed files with 597 additions and 484 deletions
--- a/nixbld-etc-nixos/afws-module.nix
+++ b/nixbld-etc-nixos/afws-module.nix
@ -10,34 +10,16 @@ in
      default = false;
      description = "Enable AFWS server";
    };
-    logFile = mkOption {
-      type = types.str;
-      default = "/var/lib/afws/logs/afws.log";
-      description = "Path to the log file";
-    };
-    logBackupCount = mkOption {
-      type = types.int;
-      default = 30;
-      description = "Number of daily log files to keep";
-    };
  };

  config = mkIf config.services.afws.enable {
    systemd.services.afws = {
      description = "AFWS server";
      wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        mkdir -p "$(dirname ${config.services.afws.logFile})"
-        chown afws:afws "$(dirname ${config.services.afws.logFile})"
-      '';
      serviceConfig = {
        User = "afws";
        Group = "afws";
-        ExecStart = ''
-          ${afws}/bin/afws_server \
-            --log-file ${config.services.afws.logFile} \
-            --log-backup-count ${toString config.services.afws.logBackupCount}
-        '';
+        ExecStart = "${afws}/bin/afws_server";
        ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
      };
      path = [ pkgs.nix pkgs.git ];
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@ -20,8 +20,8 @@ in
      ./afws-module.nix
      ./rt.nix
      (builtins.fetchTarball {
-        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/af7d3bf5daeba3fc28089b015c0dd43f06b176f2/nixos-mailserver-nixos.tar.gz";
-        sha256 = "sha256:1j0r52ij5pw8b8wc5xz1bmm5idwkmsnwpla6smz8gypcjls860ma";
+        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/29916981e7b3b5782dc5085ad18490113f8ff63b/nixos-mailserver-nixos.tar.gz";
+        sha256 = "sha256:0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
      })
    ];

@ -491,7 +491,6 @@ in
    enable = true;
    radios.${netifWifi} = {
      band = "2g";
-      channel = 7;
      countryCode = "HK";
      networks.${netifWifi} = {
        ssid = "M-Labs";
@ -639,6 +638,7 @@ in
    SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
    '';

+  sound.enable = true;
  services.mpd.enable = true;
  services.mpd.musicDirectory = "/tank/sb-public/FLAC";
  services.mpd.network.listenAddress = "192.168.1.1";
@ -655,7 +655,7 @@ in
  users.extraUsers.root = {
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
    ];
    shell = pkgs.fish;
  };
@ -668,7 +668,7 @@ in
    extraGroups = ["lp" "scanner" "afws" "audio"];
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
    ];
    shell = pkgs.fish;
  };
@ -732,6 +732,7 @@ in
  users.extraUsers.nix = {
    isNormalUser = true;
  };
+  boot.kernel.sysctl."kernel.dmesg_restrict" = true;
  services.udev.packages = [ pkgs.sane-backends ];

  nix.settings.max-jobs = 10;
@ -754,7 +755,7 @@ in
      </runcommand>
      <runcommand>
        job = web:web:web-intl
-        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/
+        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@5.78.86.156:/var/www/m-labs-intl.com/html/
      </runcommand>
      <runcommand>
        job = web:web:nmigen-docs
@ -936,27 +937,22 @@ in
    nix = super.nix.overrideAttrs(oa: {
      patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
    });
-    hydra = super.hydra.overrideAttrs(oa: {
+    hydra_unstable = super.hydra_unstable.overrideAttrs(oa: {
      patches = oa.patches or [] ++ [
        ./hydra-conda.patch
        ./hydra-msys2.patch
+        ./hydra-restrictdist.patch
      ];
      hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
      doCheck = false;  # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
    });
-    mattermost = super.mattermost.overrideAttrs(oa: {
-      postInstall = oa.postInstall +
-        ''
-        sed -i.bak "s/FREE EDITION//g" $out/client/*.js $out/client/*.js.map
-        '';
-    });
    matterbridge = super.matterbridge.overrideAttrs(oa: {
      patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ];
    });
  };

  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "sb@m-labs.hk";
+  security.acme.defaults.email = "sb" + "@m-labs.hk";

  # https://github.com/NixOS/nixpkgs/issues/106862
  systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
@ -986,7 +982,7 @@ in
            expires 60d;
          '';
        };
-        locations."/nuc-netboot/".alias = "${import ./defenestrate { prioNixbld = true; } }/";
+        locations."/nuc-netboot/".alias = "${import ./defenestrate}/";

        # legacy URLs, redirect to avoid breaking people's bookmarks
        locations."/gateware.html".extraConfig = ''
@ -1044,17 +1040,9 @@ in
      };
    in {
      "m-labs.hk" = mainWebsite;
-      "www.m-labs.hk" = {
-        addSSL = true;
-        enableACME = true;
-        globalRedirect = "m-labs.hk";
-      };
+      "www.m-labs.hk" = mainWebsite;
      "m-labs.ph" = mainWebsite;
-      "www.m-labs.ph" = {
-        addSSL = true;
-        enableACME = true;
-        globalRedirect = "m-labs.ph";
-      };
+      "www.m-labs.ph" = mainWebsite;
      "nixbld.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
@ -1201,7 +1189,7 @@ in
      "www.193thz.com" = {
        addSSL = true;
        enableACME = true;
-        globalRedirect = "193thz.com";
+        root = "/var/www/193thz";
      };
      "nmigen.net" = {
        addSSL = true;
@ -1211,7 +1199,7 @@ in
      "www.nmigen.net" = {
        addSSL = true;
        enableACME = true;
-        globalRedirect = "nmigen.net";
+        root = "${hydraWwwOutputs}/nmigen-docs";
      };
    };
  };
@ -1261,18 +1249,7 @@ in
      Restart = "on-failure";
      User = "rt";
      Group = "rt";
-      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail.pid -f /etc/nixos/secret/rt_fetchmailrc'";
-    };
-  };
-  systemd.services.rt-fetchmail-intl = {
-    description = "Fetchmail for RT (intl)";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "dovecot2.service" ];
-    serviceConfig = {
-      Restart = "on-failure";
-      User = "rt";
-      Group = "rt";
-      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail-intl.pid -f /etc/nixos/secret/rt_fetchmailrc_intl'";
+      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
    };
  };

--- a/nixbld-etc-nixos/flarum/composer.lock
+++ b/nixbld-etc-nixos/flarum/composer.lock
--- a/nixbld-etc-nixos/flarum/default.nix
+++ b/nixbld-etc-nixos/flarum/default.nix
@ -24,7 +24,7 @@ php.buildComposerProject (finalAttrs: {

  composerLock = ./composer.lock;
  composerStrictValidation = false;
-  vendorHash = "sha256-GLE5ZtzZmQ8YbitV6LG744QHoGxlj5TfC5wP2a3eFpU=";
+  vendorHash = "sha256-z3KVGmILw8MZ4aaSf6IP/0l16LI/Y2yMzY2KMHf4qSg=";

  meta = with lib; {
    changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
--- a/nixbld-etc-nixos/gitea-home.tmpl
+++ b/nixbld-etc-nixos/gitea-home.tmpl
@ -15,7 +15,7 @@
 	<div class="ui stackable middle very relaxed page grid">
 		<div class="sixteen wide center column">
 			<p class="large">
-				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-labs.hk stating the username you would like to have.
+				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-***.hk stating the username you would like to have.
 			</p>
 		</div>
 	</div>
--- a/nixbld-etc-nixos/gitea-signin.tmpl
+++ b/nixbld-etc-nixos/gitea-signin.tmpl
@ -4,7 +4,7 @@
 	<div class="ui middle very relaxed page grid">
 		<div class="ui container column fluid">
 			{{template "user/auth/signin_inner" .}}
-			To get an account (also available to external contributors), simply write to sb@m-labs.hk.
+			To get an account (also available to external contributors), simply write to sb@m-***s.hk.
 		</div>
 	</div>
 </div>
--- a/nixbld-etc-nixos/hydra-restrictdist.patch
+++ b/nixbld-etc-nixos/hydra-restrictdist.patch
@ -0,0 +1,32 @@
+diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm
+index a9b0d558..71869ba0 100644
+--- a/src/lib/Hydra/Controller/Root.pm
+++ b/src/lib/Hydra/Controller/Root.pm
+@@ -19,6 +19,11 @@ use Net::Prometheus;
+ # Put this controller at top-level.
+ __PACKAGE__->config->{namespace} = '';
+ 
+sub isRedistRestricted {
+  my ($path) = @_;
+
+  return index($path, "-RESTRICTDIST-") >= 0;
+}
+ 
+ sub noLoginNeeded {
+   my ($c) = @_;
+@@ -319,6 +324,7 @@ sub nar :Local :Args(1) {
+         $path = $Nix::Config::storeDir . "/$path";
+ 
+         gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path);
+        notFound($c, "Redistribution restricted") if isRedistRestricted($path);
+ 
+         $c->stash->{current_view} = 'NixNAR';
+         $c->stash->{storePath} = $path;
+@@ -368,6 +374,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
+             setCacheHeaders($c, 60 * 60);
+             return;
+         }
+        notFound($c, "Redistribution restricted") if isRedistRestricted($path);
+ 
+         $c->stash->{storePath} = $path;
+         $c->forward('Hydra::View::NARInfo');
--- a/nixbld-etc-nixos/nix-networked-derivations.patch
+++ b/nixbld-etc-nixos/nix-networked-derivations.patch
@ -1,8 +1,8 @@
-diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
-index 2a09e3dd4..7dc03855f 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
-+++ b/src/libstore/unix/build/local-derivation-goal.cc
-@@ -197,6 +197,8 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
+diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
+index 64b55ca6a..9b4e52b8e 100644
+--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
+@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild()
 
     assert(derivationType);
 
@ -11,7 +11,7 @@ index 2a09e3dd4..7dc03855f 100644
     /* Are we doing a chroot build? */
     {
         auto noChroot = parsedDrv->getBoolAttr("__noChroot");
-@@ -214,7 +216,7 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
+@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild()
         else if (settings.sandboxMode == smDisabled)
             useChroot = false;
         else if (settings.sandboxMode == smRelaxed)
@ -20,7 +20,7 @@ index 2a09e3dd4..7dc03855f 100644
     }
 
     auto & localStore = getLocalStore();
-@@ -737,7 +739,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder()
                 "nogroup:x:65534:\n", sandboxGid()));
 
         /* Create /etc/hosts with localhost entry. */
@ -29,7 +29,7 @@ index 2a09e3dd4..7dc03855f 100644
             writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
 
         /* Make the closure of the inputs available in the chroot,
-@@ -938,7 +940,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder()
            us.
         */
 
@ -38,16 +38,16 @@ index 2a09e3dd4..7dc03855f 100644
             privateNetwork = true;
 
         userNamespaceSync.create();
-@@ -1177,7 +1179,7 @@ void LocalDerivationGoal::initEnv()
+@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv()
        to the builder is generally impure, but the output of
        fixed-output derivations is by definition pure (since we
        already know the cryptographic hash of the output). */
 -    if (!derivationType->isSandboxed()) {
 +    if (networked || !derivationType->isSandboxed()) {
-         auto & impureEnv = settings.impureEnv.get();
-         if (!impureEnv.empty())
-             experimentalFeatureSettings.require(Xp::ConfigurableImpureEnv);
-@@ -1851,7 +1853,7 @@ void LocalDerivationGoal::runChild()
+         for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
+             env[i] = getEnv(i).value_or("");
+     }
+@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild()
             /* Fixed-output derivations typically need to access the
                network, so give them access to /etc/resolv.conf and so
                on. */
@ -56,21 +56,21 @@ index 2a09e3dd4..7dc03855f 100644
                 // Only use nss functions to resolve hosts and
                 // services. Don’t use it for anything else that may
                 // be configured for this system. This limits the
-@@ -2083,7 +2085,7 @@ void LocalDerivationGoal::runChild()
-                 #include "sandbox-defaults.sb"
-                 ;
- 
-            if (!derivationType->isSandboxed())
-+            if (networked || !derivationType->isSandboxed())
-                 sandboxProfile +=
-                     #include "sandbox-network.sb"
+@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild()
+                     #include "sandbox-defaults.sb"
                     ;
-diff --git a/src/libstore/unix/build/local-derivation-goal.hh b/src/libstore/unix/build/local-derivation-goal.hh
-index bf25cf2a6..28f8c1e95 100644
--- a/src/libstore/unix/build/local-derivation-goal.hh
-+++ b/src/libstore/unix/build/local-derivation-goal.hh
-@@ -83,6 +83,8 @@ struct LocalDerivationGoal : public DerivationGoal
-      */
+ 
+-                if (!derivationType->isSandboxed())
+                if (networked || !derivationType->isSandboxed())
+                     sandboxProfile +=
+                         #include "sandbox-network.sb"
+                         ;
+diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
+index 0a05081c7..4c251718c 100644
+--- a/src/libstore/build/local-derivation-goal.hh
+++ b/src/libstore/build/local-derivation-goal.hh
+@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal
+ 
     Path chrootRootDir;
 
 +    bool networked;
--- a/nixbld-etc-nixos/rt.nix
+++ b/nixbld-etc-nixos/rt.nix
@ -30,7 +30,7 @@ let
      Set($OwnerEmail, '${cfg.ownerEmail}');
      Set($MaxAttachmentSize, 15360000);
      Set($CheckMoreMSMailHeaders, 1);
-      Set($RTAddressRegexp, '^(helpdesk)\@(m-labs.hk|m-labs-intl.com)$');
+      Set($RTAddressRegexp, '^(helpdesk|sales)\@(m-labs.hk)$');
      Set($LoopsToRTOwner, 0);

      # System (Outgoing mail)
--- a/nixops/common-users.nix
+++ b/nixops/common-users.nix
@ -4,7 +4,7 @@
  root = {
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
    ];
  };
  sb = {
@ -12,7 +12,7 @@
    extraGroups = ["wheel" "plugdev" "dialout" "libvirtd"];
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
    ];
  };
  rj = {
@ -57,7 +57,7 @@
  };
  esavkin = {
    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
+    extraGroups = ["plugdev" "dialout" "libvirtd"];
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
    ];
@ -111,13 +111,6 @@
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
    ];
  };
-  abdul = {
-    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
-    ];
-  };

  dpn = {
    isNormalUser = true;
--- a/nixops/desktop.nix
+++ b/nixops/desktop.nix
@ -12,7 +12,6 @@ in

  boot.loader.systemd-boot.memtest86.enable = true;
  boot.loader.grub.memtest86.enable = true;
-  boot.kernel.sysctl."kernel.dmesg_restrict" = false;

  imports =
    [
@ -65,8 +64,8 @@ in
    xournal
    xsane
    gtkwave unzip zip gnupg
-    gnome-tweaks
-    ghex
+    gnome3.gnome-tweaks
+    gnome3.ghex
    jq sublime3 rink qemu_kvm
    tmux screen gdb minicom picocom
    artiq.packages.x86_64-linux.openocd-bscanspi
@ -130,9 +129,17 @@ in
    nssmdns4 = true;
  };

-  hardware.graphics.enable32Bit = true;
+  # Enable sound.
+  sound.enable = true;
+  hardware.pulseaudio = {
+    enable = true;
+    package = pkgs.pulseaudioFull;
+  };

-  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
+  hardware.opengl.driSupport32Bit = true;
+  hardware.pulseaudio.support32Bit = true;
+
+  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];

  # Enable the X11 windowing system.
  services.xserver.enable = true;
--- a/nixops/juno-hardware-configuration.nix
+++ b/nixops/juno-hardware-configuration.nix
@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ata_piix" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/3dca09c8-f725-416a-9f89-b69297698ca9";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  nixpkgs.config.nvidia.acceptLicense = true;
+  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+  services.xserver.videoDrivers = [ "nvidia" ];
+  services.xserver.displayManager.gdm.wayland = false;
+
+  system.stateVersion = "23.05";
+}
--- a/nixops/nixops.nix
+++ b/nixops/nixops.nix
@ -13,6 +13,7 @@
  chiron = import ./desktop.nix { host = "chiron"; };
  old-nixbld = import ./desktop.nix { host = "old-nixbld"; };
  franz = import ./desktop.nix { host = "franz"; };
+  juno = import ./desktop.nix { host = "juno"; };
  demeter = import ./desktop.nix { host = "demeter"; };
  vulcan = import ./desktop.nix { host = "vulcan"; };
  rc = import ./desktop.nix { host = "rc"; };
--- a/nixops/rpi.nix
+++ b/nixops/rpi.nix
@ -15,7 +15,6 @@ in
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208
  boot.initrd.includeDefaultModules = false;
-  boot.kernel.sysctl."kernel.dmesg_restrict" = false;

  fileSystems = {
    "/" = {