Remove imap and pop3 ports proxy

Signed-off-by: Egor Savkin <es@m-labs.hk>
Add configuration for the m-labs-intl
2024-06-19 15:46:47 +08:00 · 2024-06-19 15:33:22 +08:00
25 changed files with 285 additions and 10450 deletions
--- a/m-labs-intl/60-tunnels.yaml
+++ b/m-labs-intl/60-tunnels.yaml
@ -1,18 +0,0 @@
-network:
-   version: 2
-   renderer: networkd
-   ethernets:
-     eth0:
-       addresses:
-       - 5.78.86.156/32
-       - 2a01:4ff:1f0:83de::2/64
-       - 2a01:4ff:1f0:83de::3/64
-       - 2a01:4ff:1f0:83de::4/64
-   tunnels:
-     gre1:
-       mode: gre
-       local: 5.78.86.156
-       remote: 94.190.212.123
-       addresses:
-        - 10.47.3.0/31
-
--- a/m-labs-intl/gretun.service
+++ b/m-labs-intl/gretun.service
@ -1,14 +0,0 @@
-[Unit]
-Description=GRE tunnel to the main host
-After=network.target
-
-[Service]
-Type=simple
-User=root
-ExecStart=/root/gretun.sh
-ExecStop=/root/gretun_down.sh
-Restart=on-failure
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target
--- a/m-labs-intl/gretun.sh
+++ b/m-labs-intl/gretun.sh
@ -1,10 +0,0 @@
-#!/bin/bash
-
-/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
-/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
-
-/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
-/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
-
-/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
--- a/m-labs-intl/gretun_down.sh
+++ b/m-labs-intl/gretun_down.sh
@ -1,10 +0,0 @@
-#!/bin/bash
-
-/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
-/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
-
-/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
-/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
-
-/usr/sbin/iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-/usr/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
--- a/m-labs-intl/m-labs-intl.com
+++ b/m-labs-intl/m-labs-intl.com
@ -3,15 +3,13 @@ upstream rfq_server {
 }

 server {
-    limit_conn addr 5;
-
    root /var/www/m-labs-intl.com/html;
    index index.html index.htm index.nginx-debian.html;

-    server_name m-labs-intl.com;
+    server_name m-labs-intl.com www.m-labs-intl.com;

    location / {
-        try_files $uri $uri/ =404;
+            try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
@ -22,21 +20,8 @@ server {
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 }

-server {
-    server_name www.m-labs-intl.com;
-    return 301 https://m-labs-intl.com$request_uri;
-
-    listen [::]:443 ssl; # managed by Certbot
-    listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
-    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-}
-
 server {
    server_name hooks.m-labs-intl.com;
-    limit_conn addr 5;

    location /rfq {
        proxy_pass http://rfq_server/rfq;
@ -50,10 +35,9 @@ server {
    }

    location / {
-        return 418;
+        return 404;
    }

-    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
@ -62,20 +46,15 @@ server {
 }

 server {
-    limit_conn addr 5;
-    if ($host = m-labs-intl.com) {
-        return 301 https://$host$request_uri;
-    } # managed by Certbot
-
-
    if ($host = www.m-labs-intl.com) {
-        return 301 https://m-labs-intl.com$request_uri;
+        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;

-    server_name m-labs-intl.com www.m-labs-intl.com hooks.m-labs-intl.com;
+    server_name m-labs-intl.com www.m-labs-intl.com;
    return 301 https://$host$request_uri;
+    #return 404; # managed by Certbot
 }
--- a/m-labs-intl/m-labs.hk.conf
+++ b/m-labs-intl/m-labs.hk.conf
@ -1,34 +0,0 @@
-
-
-connections {
-  m_labs {
-    version = 2
-    encap = no
-    mobike = no
-    send_certreq = no
-    proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
-    local_addrs = 5.78.86.156
-    remote_addrs = 94.190.212.123
-    local {
-      auth = pubkey
-      id = fqdn:m-labs-intl.com
-      pubkeys = m-labs-intl.com
-    }
-    remote {
-      auth = pubkey
-      id = fqdn:m-labs.hk
-      pubkeys = m-labs.hk
-    }
-    children {
-      con1 {
-        mode = transport
-        ah_proposals = sha256-curve25519,sha256-ecp256
-        esp_proposals =
-        local_ts = 5.78.86.156[gre]
-        remote_ts = 94.190.212.123[gre]
-        start_action = start
-        close_action = none
-      }
-    }
-  } 
-}
--- a/m-labs-intl/nginx.conf
+++ b/m-labs-intl/nginx.conf
@ -33,9 +33,6 @@ http {
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
 	ssl_prefer_server_ciphers on;

-	# Rate limiting
-	limit_conn_zone $binary_remote_addr zone=addr:10m;
-
 	##
 	# Logging Settings
 	##
@ -63,3 +60,28 @@ http {
 	include /etc/nginx/sites-enabled/*;
 }

+
+stream {
+    # Upstream mail servers
+    upstream smtp_backend {
+        server mail.m-labs.hk:25;
+    }
+
+    upstream submission_backend {
+        server mail.m-labs.hk:587;
+    }
+
+    # SMTP
+    server {
+        listen 25;
+        proxy_pass smtp_backend;
+        proxy_protocol on;
+    }
+
+    # Submission (Authenticated SMTP)
+    server {
+        listen 587;
+        proxy_pass submission_backend;
+        proxy_protocol on;
+    }
+}
--- a/m-labs-intl/setup.md
+++ b/m-labs-intl/setup.md
@ -1,99 +0,0 @@
-# Setup m-labs-intl.com server
-
-```shell
-# Install required packages
-apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
-  strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
-snap install --classic certbot
-ln -s /snap/bin/certbot /usr/bin/certbot
-
-# Set up networks (includes GRE)
-cp 60-tunnels.yaml /etc/netplan/
-netplan apply
-
-# set up IPsec-AH connection
-cp m-labs.hk.conf /etc/swanctl/conf.d/
-echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
-sysctl -p
-cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
-pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com
-pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
-cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
-systemctl enable strongswan --now
-systemctl restart strongswan
-
-# Set up website
-cp m-labs-intl.com /etc/nginx/sites-available/
-cp nginx.conf /etc/nginx/
-ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
-systemctl enable nginx --now
-service nginx restart
-
-# Issue SSL certificate - website only, the mail is on the HK side
-certbot --nginx
-service nginx restart
-
-# Create a user for automatic website deployment from nixbld
-useradd -m zolaupd
-mkdir -p /var/www/m-labs-intl.com/html
-chown -R zolaupd /var/www/m-labs-intl.com/
-sudo -u zolaupd sh -c '
-  cd /home/zolaupd;
-  mkdir /home/zolaupd/.ssh;
-  echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
-  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
-  chmod 700 .ssh/
-  chmod 600 .ssh/authorized_keys
-  '
-
-# Create a user for RFQ hooks service
-useradd -m rfqserver
-cp runrfq.sh /home/rfqserver/
-cp mail.secret /home/rfqserver/
-chown rfqserver /home/rfqserver/runrfq.sh
-chmod +x /home/rfqserver/runrfq.sh
-chown rfqserver /home/rfqserver/mail.secret
-
-sudo -u rfqserver sh -c '
-  cd /home/rfqserver;
-  git clone https://git.m-labs.hk/M-Labs/web2019.git;
-  cd web2019;
-  python3 -m venv ./venv;
-  source venv/bin/activate;
-  pip install -r requirements.txt;
-'
-cp rfq.service /etc/systemd/system/
-
-# Automate port forwarding rules creation
-cp gretun.sh /root/gretun.sh
-cp gretun_down.sh /root/gretun_down.sh
-chmod u+x /root/gretun.sh
-chmod u+x /root/gretun_down.sh
-cp gretun.service /etc/systemd/system/
-
-# Enable custom services
-systemctl daemon-reload
-systemctl enable rfq.service --now
-systemctl enable gretun.service --now
-
-# Setup basic firewall rules  
-ufw default deny
-ufw default allow outgoing
-
-ufw allow from 94.190.212.123
-ufw allow from 2001:470:f891:1::/64
-ufw allow from 202.77.7.238
-ufw allow from 2001:470:18:390::2
-ufw allow "Nginx HTTP"
-ufw allow "Nginx HTTPS"
-ufw limit OpenSSH
-ufw allow 25/tcp
-ufw allow 587/tcp
-ufw limit 500,4500/udp
-
-ufw route allow in on gre1 out on eth0
-ufw allow from 10.47.3.0/31
-
-ufw show added
-ufw enable
-```
--- a/m-labs-intl/setup.sh
+++ b/m-labs-intl/setup.sh
@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+apt install git nginx-full python3 python3.12-venv python3-pip
+snap install --classic certbot
+ln -s /snap/bin/certbot /usr/bin/certbot
+useradd -m rfqserver
+useradd -m zolaupd
+
+cp m-labs-intl.com /etc/nginx/sites-available/
+cp nginx.conf /etc/nginx/
+ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
+
+mkdir -p /var/www/m-labs-intl.com/html
+chown -R zolaupd /var/www/m-labs-intl.com/
+
+cp runrfq.sh /home/rfqserver/
+cp mail.secret /home/rfqserver/
+chown rfqserver /home/rfqserver/runrfq.sh
+chmod +x /home/rfqserver/runrfq.sh
+chown rfqserver /home/rfqserver/mail.secret
+
+
+sudo -u zolaupd sh -c '
+  cd /home/zolaupd;
+  mkdir /home/zolaupd/.ssh;
+  echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
+  chmod 700 .ssh/
+  chmod 600 .ssh/authorized_keys
+  '
+
+sudo -u rfqserver sh -c '
+  cd /home/rfqserver;
+  git clone https://git.m-labs.hk/M-Labs/web2019.git;
+  cd web2019;
+  python3 -m venv ./venv;
+  source venv/bin/activate;
+  pip install -r requirements.txt;
+'
+
+cp rfq.service /etc/systemd/system/
+
+systemctl daemon-reload
+systemctl enable rfq.service
+systemctl start rfq.service
+
+service nginx restart
+
+certbot --nginx
+
+service nginx restart
--- a/nixbld-etc-nixos/afws-module.nix
+++ b/nixbld-etc-nixos/afws-module.nix
@ -10,34 +10,16 @@ in
      default = false;
      description = "Enable AFWS server";
    };
-    logFile = mkOption {
-      type = types.str;
-      default = "/var/lib/afws/logs/afws.log";
-      description = "Path to the log file";
-    };
-    logBackupCount = mkOption {
-      type = types.int;
-      default = 30;
-      description = "Number of daily log files to keep";
-    };
  };

  config = mkIf config.services.afws.enable {
    systemd.services.afws = {
      description = "AFWS server";
      wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        mkdir -p "$(dirname ${config.services.afws.logFile})"
-        chown afws:afws "$(dirname ${config.services.afws.logFile})"
-      '';
      serviceConfig = {
        User = "afws";
        Group = "afws";
-        ExecStart = ''
-          ${afws}/bin/afws_server \
-            --log-file ${config.services.afws.logFile} \
-            --log-backup-count ${toString config.services.afws.logBackupCount}
-        '';
+        ExecStart = "${afws}/bin/afws_server";
        ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
      };
      path = [ pkgs.nix pkgs.git ];
--- a/nixbld-etc-nixos/backup-module.nix
+++ b/nixbld-etc-nixos/backup-module.nix
@ -26,10 +26,9 @@ let
    ${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
    ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
    ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
-    ${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql

    exec 6< /etc/nixos/secret/backup-passphrase
-    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \
+    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \
        ${pkgs.bzip2}/bin/bzip2 | \
        ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
  '';
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@ -6,9 +6,6 @@ let
  netifLan = "enp5s0f1";
  netifWifi = "wlp6s0";
  netifSit = "henet0";
-  netifUSA = "trump0";
-  netifAlt = "alt0";
-  netifAltVlan = "vlan0";
  hydraWwwOutputs = "/var/www/hydra-outputs";
 in
 {
@ -20,8 +17,8 @@ in
      ./afws-module.nix
      ./rt.nix
      (builtins.fetchTarball {
-        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/29916981e7b3b5782dc5085ad18490113f8ff63b/nixos-mailserver-nixos.tar.gz";
-        sha256 = "sha256:0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
+        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/41059fc548088e49e3ddb3a2b4faeb5de018e60f/nixos-mailserver-nixos.tar.gz";
+        sha256 = "sha256:0xvch92yi4mc1acj08461wrgrva63770aiis02vpvaa7a1xqaibv";
      })
    ];

@ -93,15 +90,6 @@ in
      allowedTCPPorts = [ 53 80 443 2222 7402 ];
      allowedUDPPorts = [ 53 67 500 4500 ];
      trustedInterfaces = [ netifLan ];
-      logRefusedConnections = false;
-      extraCommands = ''
-        iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
-        iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
-      '';
-      extraStopCommands = ''
-        iptables -D INPUT -s 5.78.86.156 -p gre -j ACCEPT
-        iptables -D INPUT -s 5.78.86.156 -p ah -j ACCEPT
-      '';
    };
    useDHCP = false;
    interfaces."${netifWan}".useDHCP = true;  # PCCW - always wants active DHCP lease or cuts you off
@ -188,21 +176,11 @@ in
        iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP  # HP printer, wifi
        iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP  # HP printer, ethernet
        iptables -w -A FORWARD -j block-insecure-devices
-
-        iptables -w -N pccw-sucks
-        iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
-        iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
-        iptables -A pccw-sucks -o ${netifUSA} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
-        iptables -w -A FORWARD -j pccw-sucks
      '';
      extraStopCommands = ''
        iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
        iptables -w -F block-insecure-devices 2>/dev/null|| true
        iptables -w -X block-insecure-devices 2>/dev/null|| true
-
-        iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
-        iptables -w -F pccw-sucks 2>/dev/null|| true
-        iptables -w -X pccw-sucks 2>/dev/null|| true
      '';
    };
    sits."${netifSit}" = {
@ -215,37 +193,14 @@ in
      addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
      routes = [{ address = "::"; prefixLength = 0; }];
    };
-    greTunnels."${netifUSA}" = {
-      dev = netifWan;
-      remote = "5.78.86.156";
-      local = "94.190.212.123";
-      ttl = 255;
-      type = "tun";
-    };
-    greTunnels."${netifAlt}" = {
+    greTunnels.alt0 = {
      dev = netifWan;
      remote = "103.206.98.1";
      local = "94.190.212.123";
      ttl = 255;
      type = "tun";
    };
-    interfaces."${netifUSA}" = {
-      ipv4.addresses = [
-        {
-          address = "10.47.3.1";
-          prefixLength = 31;
-        }
-      ];
-      ipv4.routes = [
-        {
-          address = "0.0.0.0";
-          prefixLength = 0;
-          via = "10.47.3.0";
-          options.table = "3";
-        }
-      ];
-    };
-    interfaces."${netifAlt}" = {
+    interfaces.alt0 = {
      ipv4.addresses = [
        {
          address = "103.206.98.227";
@ -262,12 +217,12 @@ in
      ];
    };
    vlans = {
-      "${netifAltVlan}" = {
+      vlan0 = {
        id = 2;
        interface = netifLan;
      };
    };
-    interfaces."${netifAltVlan}" = {
+    interfaces.vlan0 = {
      ipv4.addresses = [{
        address = "103.206.98.200";
        prefixLength = 29;
@ -300,7 +255,7 @@ in
      id = "fqdn:igw0.hkg.as150788.net";
      pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
    };
-    children."${netifAlt}" = {
+    children.alt0 = {
      mode = "transport";
      ah_proposals = [ "sha256-curve25519" ];
      remote_ts = [ "103.206.98.1[gre]" ];
@ -308,27 +263,6 @@ in
      start_action = "start";
    };
  };
-  services.strongswan-swanctl.swanctl.connections.usa = {
-    local_addrs = [ "94.190.212.123" ];
-    remote_addrs = [ "5.78.86.156" ];
-    local.main = {
-      auth = "pubkey";
-      id = "fqdn:m-labs.hk";
-      pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
-    };
-    remote.main = {
-      auth = "pubkey";
-      id = "fqdn:m-labs-intl.com";
-      pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
-    };
-    children."${netifUSA}" = {
-      mode = "transport";
-      ah_proposals = [ "sha256-curve25519" ];
-      remote_ts = [ "5.78.86.156[gre]" ];
-      local_ts = [ "94.190.212.123[gre]" ];
-      start_action = "start";
-    };
-  };

  systemd.services.network-custom-route-backup = {
    wantedBy = [ "network.target" ];
@ -339,15 +273,6 @@ in
      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
    };
  };
-  systemd.services.network-custom-route-usa = {
-    wantedBy = [ "network.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
-      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
-    };
-  };
  systemd.services.network-custom-route-alt = {
    wantedBy = [ "network.target" ];
    serviceConfig = {
@ -450,14 +375,10 @@ in
           notify explicit;
           also-notify {
             216.218.130.2;   # ns1.he.net
-             213.239.220.50;  # ns1.qnetp.net
-             88.198.32.245;   # new qnetp
           };
           '';
        slaves = [
          "216.218.133.2" "2001:470:600::2"       # slave.dns.he.net
-          "213.239.220.50" "2a01:4f8:a0:7041::1"  # ns1.qnetp.net
-          "88.198.32.245"                         # new qnetp
        ];
      };
      "200-29.98.206.103.in-addr.arpa" = {
@ -540,6 +461,11 @@ in
        "/kasli/192.168.1.70"
        "/kasli-customer/192.168.1.75"
        "/stabilizer-customer/192.168.1.76"
+
+        # Google can't do DNS geolocation correctly and slows down websites of everyone using
+        # their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
+        # cannot reach.
+        "/fonts.googleapis.com/142.250.207.74"
      ];

      dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
@ -565,23 +491,10 @@ in
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
-    lm_sensors
-    acpi
-    usbutils
-    pciutils
+    wget vim git file lm_sensors acpi pciutils psmisc nixops_unstable_minimal
+    irssi tmux usbutils imagemagick jq zip unzip
    iw
    nvme-cli
-    smartmontools
-    psmisc
-
-    wget
-    vim
-    git
-    file
-    imagemagick
-    jq
-
-    nixops_unstable_minimal
    borgbackup
    bind
    waypipe
@ -611,7 +524,6 @@ in
  services.openssh.settings.X11Forwarding = true;
  services.openssh.authorizedKeysInHomedir = false;
  programs.mosh.enable = true;
-  programs.tmux.enable = true;

  programs.fish.enable = true;
  programs.zsh.enable = true;
@ -655,23 +567,38 @@ in
  users.extraUsers.root = {
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
    ];
    shell = pkgs.fish;
  };
  # https://github.com/NixOS/nixpkgs/issues/155357
  security.sudo.enable = true;

-  # M-Labs HK
  users.extraUsers.sb = {
    isNormalUser = true;
    extraGroups = ["lp" "scanner" "afws" "audio"];
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
    ];
    shell = pkgs.fish;
  };
+  users.extraUsers.rj = {
+    isNormalUser = true;
+    extraGroups = ["afws"];
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
+     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
+     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
+    ];
+  };
+  users.extraUsers.nkrackow = {
+    isNormalUser = true;
+    extraGroups = ["afws"];
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
+    ];
+  };
  users.extraUsers.spaqin = {
    isNormalUser = true;
    extraGroups = ["lp" "afws"];
@ -693,35 +620,6 @@ in
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
    ];
  };
-
-  # M-Labs PH
-  users.extraUsers.flo = {
-    isNormalUser = true;
-    extraGroups = ["afws"];
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
-    ];
-  };
-
-  # QUARTIQ
-  users.extraUsers.rj = {
-    isNormalUser = true;
-    extraGroups = ["afws"];
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
-     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
-     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
-    ];
-  };
-  users.extraUsers.eduardotenholder = {
-    isNormalUser = true;
-    extraGroups = ["afws"];
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu6yhjCoZ62eamYrAXtFefDhplTRUIdD4tncwlkyAEH"
-    ];
-  };
-
-  # HKUST
  users.extraUsers.derppening = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = [
@ -753,10 +651,6 @@ in
        job = web:web:web
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
      </runcommand>
-      <runcommand>
-        job = web:web:web-intl
-        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/
-      </runcommand>
      <runcommand>
        job = web:web:nmigen-docs
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
@ -868,10 +762,6 @@ in
  services.gitea = {
    enable = true;
    appName = "M-Labs Git";
-    database = {
-      type = "postgres";
-      socket = "/run/postgresql";
-    };
    mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
    settings = {
      server = {
@ -919,20 +809,12 @@ in
    siteUrl = "https://chat.m-labs.hk/";
    mutableConfig = true;
  };
+  services.postgresql.package = pkgs.postgresql_12;
  services.matterbridge = {
    enable = true;
    configPath = "/etc/nixos/secret/matterbridge.toml";
  };
-
-  services.postgresql = {
-    package = pkgs.postgresql_15;
-    settings.listen_addresses = pkgs.lib.mkForce "";
-    identMap =
-      ''
-      rt rt rt_user
-      '';
-  };
-
+ 
  nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
    nix = super.nix.overrideAttrs(oa: {
      patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
@ -982,7 +864,7 @@ in
            expires 60d;
          '';
        };
-        locations."/nuc-netboot/".alias = "${import ./defenestrate { prioNixbld = true; } }/";
+        locations."/nuc-netboot/".alias = "${import ./defenestrate}/";

        # legacy URLs, redirect to avoid breaking people's bookmarks
        locations."/gateware.html".extraConfig = ''
@ -1143,6 +1025,15 @@ in
      "forum.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
+        root = "/var/www/flarum/public";
+        locations."~ \.php$".extraConfig = ''
+          fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
+          fastcgi_index index.php;
+        '';
+        extraConfig = ''
+          index index.php;
+          include /var/www/flarum/.nginx.conf;
+        '';
      };
      "perso.m-labs.hk" = {
        addSSL = true;
@ -1214,17 +1105,23 @@ in
      };
    };
  };
-
  services.mysql = {
    enable = true;
-    package = pkgs.lib.mkForce pkgs.mariadb;
-    ensureDatabases = pkgs.lib.mkForce [];
-    ensureUsers = pkgs.lib.mkForce [];
+    package = pkgs.mariadb;
  };
-  services.flarum = {
-    enable = true;
-    package = pkgs.callPackage ./flarum {};
-    domain = "forum.m-labs.hk";
+  services.phpfpm.pools.flarum = {
+    user = "nobody";
+    settings = {
+      "listen.owner" = "nginx";
+      "listen.group" = "nginx";
+      "listen.mode" = "0600";
+      "pm" = "dynamic";
+      "pm.max_children" = 5;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 1;
+      "pm.max_spare_servers" = 3;
+      "pm.max_requests" = 500;
+    };
  };

  services.rt = {
@ -1249,18 +1146,7 @@ in
      Restart = "on-failure";
      User = "rt";
      Group = "rt";
-      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail.pid -f /etc/nixos/secret/rt_fetchmailrc'";
-    };
-  };
-  systemd.services.rt-fetchmail-intl = {
-    description = "Fetchmail for RT (intl)";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "dovecot2.service" ];
-    serviceConfig = {
-      Restart = "on-failure";
-      User = "rt";
-      Group = "rt";
-      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail-intl.pid -f /etc/nixos/secret/rt_fetchmailrc_intl'";
+      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
    };
  };

@ -1268,28 +1154,11 @@ in
    enable = true;
    localDnsResolver = false;  # conflicts with dnsmasq
    fqdn = "mail.m-labs.hk";
-    domains = [ "m-labs.hk" "m-labs.ph" "m-labs-intl.com" "193thz.com" "malloctech.fr" ];
+    domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ];
    enablePop3 = true;
    enablePop3Ssl = true;
    certificateScheme = "acme-nginx";
  } // (import /etc/nixos/secret/email_settings.nix);
-  services.postfix = {
-    mapFiles."sender_transport" = builtins.toFile "sender_transport" ''
-        @m-labs-intl.com intltunnel:
-    '';
-    config = {
-      sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
-    };
-    masterConfig."intltunnel" = {
-      type = "unix";
-      command = "smtp";
-      args = [
-        "-o" "inet_interfaces=10.47.3.1"
-        "-o" "smtp_helo_name=mail.m-labs-intl.com"
-        "-o" "inet_protocols=ipv4"
-       ];
-    };
-  };
  services.roundcube = {
    enable = true;
    hostName = "mail.m-labs.hk";
@ -1302,8 +1171,7 @@ in

  services.nextcloud = {
    enable = true;
-    package = pkgs.nextcloud30;
-    extraApps = { inherit (config.services.nextcloud.package.packages.apps) forms; };
+    package = pkgs.nextcloud29;
    hostName = "files.m-labs.hk";
    https = true;
    maxUploadSize = "2G";
--- a/nixbld-etc-nixos/flarum/composer.lock
+++ b/nixbld-etc-nixos/flarum/composer.lock
--- a/nixbld-etc-nixos/flarum/default.nix
+++ b/nixbld-etc-nixos/flarum/default.nix
@ -1,39 +0,0 @@
-{
-  lib,
-  php,
-  fetchFromGitHub,
-  fetchpatch,
-}:
-
-php.buildComposerProject (finalAttrs: {
-  pname = "flarum";
-  version = "1.8.1";
-
-  src = fetchFromGitHub {
-    owner = "flarum";
-    repo = "flarum";
-    rev = "v${finalAttrs.version}";
-    hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
-  };
-
-  patches = [
-    # Add useful extensions from https://github.com/FriendsOfFlarum
-    # Extensions included: fof/upload, fof/polls, fof/subscribed
-    ./fof-extensions.patch
-  ];
-
-  composerLock = ./composer.lock;
-  composerStrictValidation = false;
-  vendorHash = "sha256-z3KVGmILw8MZ4aaSf6IP/0l16LI/Y2yMzY2KMHf4qSg=";
-
-  meta = with lib; {
-    changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
-    description = "Flarum is a delightfully simple discussion platform for your website";
-    homepage = "https://github.com/flarum/flarum";
-    license = lib.licenses.mit;
-    maintainers = with maintainers; [
-      fsagbuya
-      jasonodoom
-    ];
-  };
-})
--- a/nixbld-etc-nixos/flarum/fof-extensions.patch
+++ b/nixbld-etc-nixos/flarum/fof-extensions.patch
@ -1,16 +0,0 @@
-diff --git a/composer.json b/composer.json
-index c63b5f8..5ad1186 100644
--- a/composer.json
-+++ b/composer.json
-@@ -37,7 +37,10 @@
-         "flarum/sticky": "*",
-         "flarum/subscriptions": "*",
-         "flarum/suspend": "*",
-        "flarum/tags": "*"
-+        "flarum/tags": "*",
-+        "fof/polls": "*",
-+        "fof/subscribed": "*",
-+        "fof/upload": "*"
-     },
-     "config": {
-         "preferred-install": "dist",
--- a/nixbld-etc-nixos/named/m-labs-intl.com
+++ b/nixbld-etc-nixos/named/m-labs-intl.com
@ -1,7 +1,7 @@
 $TTL 7200

@						SOA	ns.m-labs-intl.com. sb.m-labs.hk. (
-							2024101401
+							2024060601
 							7200
 							3600
 							86400
@ -10,21 +10,11 @@ $TTL 7200

 						NS		ns.m-labs-intl.com.
 						NS		ns1.he.net.
-						NS		ns1.qnetp.net.

 						A		5.78.86.156
 						AAAA	2a01:4ff:1f0:83de::1
-						MX		10 mail.m-labs-intl.com.
-						TXT		"v=spf1 mx -all"
-						TXT		"google-site-verification=BlQd5_5wWW7calKC7bZA0GdoxR8-zj4gwJEg9sGJ3l8"
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1768317117"

 ns						A		94.190.212.123
 ns						AAAA	2001:470:18:390::2

-mail					A		5.78.86.156
-mail._domainkey			IN	TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
-_dmarc					TXT		"v=DMARC1; p=none"
-
 www						CNAME	@
-hooks					CNAME	@
--- a/nixbld-etc-nixos/named/m-labs.hk
+++ b/nixbld-etc-nixos/named/m-labs.hk
@ -1,7 +1,7 @@
 $TTL 7200

@						SOA	NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
-							2024080501
+							2024060201
 							7200
 							3600
 							86400
@ -43,7 +43,17 @@ files					CNAME	@
 docs					CNAME	@

 rpi-1					AAAA	2001:470:f891:1:dea6:32ff:fe8a:6a93
+rpi-2					AAAA	2001:470:f891:1:ba27:ebff:fef0:e9e6
 rpi-4					AAAA	2001:470:f891:1:dea6:32ff:fe14:fce9
+chiron					AAAA	2001:470:f891:1:7f02:9ebf:bee9:3dc7
+old-nixbld				AAAA	2001:470:f891:1:a07b:f49a:a4ef:aad9
+zeus					AAAA	2001:470:f891:1:4fd7:e70a:68bf:e9c1
+franz					AAAA	2001:470:f891:1:1b65:a743:2335:f5c6
+hera					AAAA	2001:470:f891:1:8b5e:404d:ef4e:9d92
+hestia					AAAA	2001:470:f891:1:881c:f409:a090:8401
+vulcan					AAAA	2001:470:f891:1:105d:3f15:bd53:c5ac
+
+aux						A		42.200.147.171

 router.alt				A		103.206.98.200
 stewardship1.alt		A		103.206.98.201
--- a/nixbld-etc-nixos/nix-networked-derivations.patch
+++ b/nixbld-etc-nixos/nix-networked-derivations.patch
@ -1,8 +1,8 @@
 diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
-index 763045a80..d7c5cc82e 100644
+index 64b55ca6a..9b4e52b8e 100644
 --- a/src/libstore/build/local-derivation-goal.cc
 +++ b/src/libstore/build/local-derivation-goal.cc
-@@ -190,6 +190,8 @@ void LocalDerivationGoal::tryLocalBuild()
+@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild()
 
     assert(derivationType);
 
@ -11,7 +11,7 @@ index 763045a80..d7c5cc82e 100644
     /* Are we doing a chroot build? */
     {
         auto noChroot = parsedDrv->getBoolAttr("__noChroot");
-@@ -207,7 +209,7 @@ void LocalDerivationGoal::tryLocalBuild()
+@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild()
         else if (settings.sandboxMode == smDisabled)
             useChroot = false;
         else if (settings.sandboxMode == smRelaxed)
@ -20,7 +20,7 @@ index 763045a80..d7c5cc82e 100644
     }
 
     auto & localStore = getLocalStore();
-@@ -717,7 +719,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder()
                 "nogroup:x:65534:\n", sandboxGid()));
 
         /* Create /etc/hosts with localhost entry. */
@ -29,7 +29,7 @@ index 763045a80..d7c5cc82e 100644
             writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
 
         /* Make the closure of the inputs available in the chroot,
-@@ -921,7 +923,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder()
            us.
         */
 
@ -38,7 +38,7 @@ index 763045a80..d7c5cc82e 100644
             privateNetwork = true;
 
         userNamespaceSync.create();
-@@ -1160,7 +1162,7 @@ void LocalDerivationGoal::initEnv()
+@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv()
        to the builder is generally impure, but the output of
        fixed-output derivations is by definition pure (since we
        already know the cryptographic hash of the output). */
@ -47,7 +47,7 @@ index 763045a80..d7c5cc82e 100644
         for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
             env[i] = getEnv(i).value_or("");
     }
-@@ -1829,7 +1831,7 @@ void LocalDerivationGoal::runChild()
+@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild()
             /* Fixed-output derivations typically need to access the
                network, so give them access to /etc/resolv.conf and so
                on. */
@ -56,21 +56,21 @@ index 763045a80..d7c5cc82e 100644
                 // Only use nss functions to resolve hosts and
                 // services. Don’t use it for anything else that may
                 // be configured for this system. This limits the
-@@ -2071,7 +2073,7 @@ void LocalDerivationGoal::runChild()
-                 #include "sandbox-defaults.sb"
-                 ;
- 
-            if (!derivationType->isSandboxed())
-+            if (networked || !derivationType->isSandboxed())
-                 sandboxProfile +=
-                     #include "sandbox-network.sb"
+@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild()
+                     #include "sandbox-defaults.sb"
                     ;
+ 
+-                if (!derivationType->isSandboxed())
+                if (networked || !derivationType->isSandboxed())
+                     sandboxProfile +=
+                         #include "sandbox-network.sb"
+                         ;
 diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
-index 86b86c01e..95b03aae8 100644
+index 0a05081c7..4c251718c 100644
 --- a/src/libstore/build/local-derivation-goal.hh
 +++ b/src/libstore/build/local-derivation-goal.hh
-@@ -82,6 +82,8 @@ struct LocalDerivationGoal : public DerivationGoal
-      */
+@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal
+ 
     Path chrootRootDir;
 
 +    bool networked;
--- a/nixbld-etc-nixos/rt.nix
+++ b/nixbld-etc-nixos/rt.nix
@ -19,9 +19,14 @@ let
      Set($Timezone, '${cfg.timeZone}');

      Set($DatabaseType, 'Pg');
-      Set($DatabaseHost, '/run/postgresql');
-      Set($DatabaseUser, 'rt');
+      Set($DatabaseHost, 'localhost');
+      Set($DatabaseUser, 'rt_user');
      Set($DatabaseName, 'rt5');
+      # Read database password from file
+      open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
+      my $dbpw = do { local $/; <$fh> };
+      $dbpw =~ s/^\s+|\s+$//g;
+      Set($DatabasePassword, $dbpw);

      # System (Logging)
      Set($LogToSTDERR, undef); # Don't log twice
@ -30,7 +35,7 @@ let
      Set($OwnerEmail, '${cfg.ownerEmail}');
      Set($MaxAttachmentSize, 15360000);
      Set($CheckMoreMSMailHeaders, 1);
-      Set($RTAddressRegexp, '^(helpdesk)\@(m-labs.hk|m-labs-intl.com)$');
+      Set($RTAddressRegexp, '^(helpdesk|sales)\@(m-labs.hk)$');
      Set($LoopsToRTOwner, 0);

      # System (Outgoing mail)
@ -149,6 +154,13 @@ in {
      type = str;
    };

+    dbPasswordFile = mkOption {
+      description = "File containing the database password";
+      type = str;
+      default = "/etc/nixos/secret/rtpasswd";
+      internal = true;
+    };
+
    domain = mkOption {
      description = "Which domain RT is running on";
      type = str;
@ -233,6 +245,8 @@ in {

          PrivateNetwork = false;
          MemoryDenyWriteExecute = false;
+
+          ReadOnlyPaths = [ cfg.dbPasswordFile ];
        };

        environment = {
--- a/nixops/common-users.nix
+++ b/nixops/common-users.nix
@ -4,7 +4,7 @@
  root = {
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
    ];
  };
  sb = {
@ -12,7 +12,7 @@
    extraGroups = ["wheel" "plugdev" "dialout" "libvirtd"];
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
    ];
  };
  rj = {
@ -57,7 +57,7 @@
  };
  esavkin = {
    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
+    extraGroups = ["plugdev" "dialout" "libvirtd"];
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
    ];
@ -111,6 +111,35 @@
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
    ];
  };
+  architeuthis = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMhLPEGWDUauFHjiVduBMJrIMKT8SvtTDHXDVudUZrhewQy08h4NEEyWmczP4WMeyugI/L/a+J+Vc8mImgqSoHw52823LVcnR9EKnJoqnwAHU/J+41vIWAN2LAryd4p9yg=="
+    ];
+  };
+  abdul = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
+    ];
+  };
+  lyken = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ88QJlh/+F/xwXQlPEmQVmtycb8FfabxCdeiP3gTHUCV8y4PLh3ubY+EsY+Xhy/GlOAPdX7KSpiII3dndYfwZWzorXVoPBhhPKEIumFBOinWfp5kRVzWOD61gCwsYoVBg=="
+    ];
+  };
+  wanglm = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNhRITe/qj/zvW2dZbXNmyJxLHPgJAynlWh6NCGGarJbkhj8c1UFLUo2Hv7xqGil4PZnPGru4WwHX0RhWS/I39UPzfVvuntRGenNqqpo2T9Ble80QCawpZ2c07w7FkVq7g=="
+    ];
+  };
+

  dpn = {
    isNormalUser = true;
--- a/nixops/desktop.nix
+++ b/nixops/desktop.nix
@ -64,8 +64,8 @@ in
    xournal
    xsane
    gtkwave unzip zip gnupg
-    gnome-tweaks
-    ghex
+    gnome3.gnome-tweaks
+    gnome3.ghex
    jq sublime3 rink qemu_kvm
    tmux screen gdb minicom picocom
    artiq.packages.x86_64-linux.openocd-bscanspi
@ -129,9 +129,17 @@ in
    nssmdns4 = true;
  };

-  hardware.graphics.enable32Bit = true;
+  # Enable sound.
+  sound.enable = true;
+  hardware.pulseaudio = {
+    enable = true;
+    package = pkgs.pulseaudioFull;
+  };

-  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
+  hardware.opengl.driSupport32Bit = true;
+  hardware.pulseaudio.support32Bit = true;
+
+  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];

  # Enable the X11 windowing system.
  services.xserver.enable = true;
--- a/nixops/extra-udev.nix
+++ b/nixops/extra-udev.nix
@ -23,5 +23,4 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="4121", MODE="0660"
 SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
 # DSLogic
 SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
-SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
 ''
--- a/nixops/juno-hardware-configuration.nix
+++ b/nixops/juno-hardware-configuration.nix
@ -0,0 +1,48 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/3dca09c8-f725-416a-9f89-b69297698ca9";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/4E51-B390";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  nixpkgs.config.nvidia.acceptLicense = true;
+  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+  services.xserver.videoDrivers = [ "nvidia" ];
+  services.xserver.displayManager.gdm.wayland = false;
+
+  system.stateVersion = "23.05";
+}
--- a/nixops/nixops.nix
+++ b/nixops/nixops.nix
@ -13,6 +13,7 @@
  chiron = import ./desktop.nix { host = "chiron"; };
  old-nixbld = import ./desktop.nix { host = "old-nixbld"; };
  franz = import ./desktop.nix { host = "franz"; };
+  juno = import ./desktop.nix { host = "juno"; };
  demeter = import ./desktop.nix { host = "demeter"; };
  vulcan = import ./desktop.nix { host = "vulcan"; };
  rc = import ./desktop.nix { host = "rc"; };
--- a/remote-ipsec.txt
+++ b/remote-ipsec.txt
@ -1,49 +0,0 @@
-connections {
-  bypass-ipsec {
-    remote_addrs = 127.0.0.1
-    children {
-      bypass-isakmp-v4 {
-        local_ts = 0.0.0.0/0[udp/isakmp]
-        remote_ts = 0.0.0.0/0[udp/isakmp]
-        mode = pass
-        start_action = trap
-      }
-      bypass-isakmp-v6 {
-        local_ts = ::/0[udp/isakmp]
-        remote_ts = ::/0[udp/isakmp]
-        mode = pass
-        start_action = trap
-      }
-    }
-  }
-  m_labs {
-    version = 2
-    encap = no
-    mobike = no
-    send_certreq = no
-    proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
-    local_addrs = 103.206.98.1
-    remote_addrs = 94.190.212.123
-    local {
-      auth = pubkey
-      id = fqdn:igw0.hkg.as150788.net
-      pubkeys = igw0.hkg.as150788.net
-    }
-    remote {
-      auth = pubkey
-      id = fqdn:m-labs.hk
-      pubkeys = m-labs.hk
-    }
-    children {
-      con1 {
-        mode = transport
-        ah_proposals = sha256-curve25519,sha256-ecp256
-        esp_proposals =
-        local_ts = 103.206.98.1[gre]
-        remote_ts = 94.190.212.123[gre]
-        start_action = none
-        close_action = none
-      }
-    }
-  }
-}
Author	SHA1	Message	Date
Egor Savkin	5054b6618e	Remove imap and pop3 ports proxy Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-06-19 15:46:47 +08:00
Egor Savkin	6955d4317b	Add configuration for the m-labs-intl Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-06-19 15:33:22 +08:00