m-labs-intl/60-tunnels.yaml

@@ -1,18 +0,0 @@
-network:
-   version: 2
-   renderer: networkd
-   ethernets:
-     eth0:
-       addresses:
-       - 5.78.86.156/32
-       - 2a01:4ff:1f0:83de::2/64
-       - 2a01:4ff:1f0:83de::3/64
-       - 2a01:4ff:1f0:83de::4/64
-   tunnels:
-     gre1:
-       mode: gre
-       local: 5.78.86.156
-       remote: 94.190.212.123
-       addresses:
-        - 10.47.3.0/31
-

m-labs-intl/gretun.service

@@ -1,14 +0,0 @@
-[Unit]
-Description=GRE tunnel to the main host
-After=network.target
-
-[Service]
-Type=simple
-User=root
-ExecStart=/root/gretun.sh
-ExecStop=/root/gretun_down.sh
-Restart=on-failure
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target

m-labs-intl/gretun.sh

@@ -1,10 +0,0 @@
-#!/bin/bash
-
-/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
-/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
-
-/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
-/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
-
-/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

m-labs-intl/gretun_down.sh

@@ -1,10 +0,0 @@
-#!/bin/bash
-
-/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
-/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
-
-/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
-/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
-
-/usr/sbin/iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-/usr/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

m-labs-intl/m-labs-intl.com

@@ -1,81 +0,0 @@
-upstream rfq_server {
-    server 127.0.0.1:5000;
-}
-
-server {
-    limit_conn addr 5;
-
-    root /var/www/m-labs-intl.com/html;
-    index index.html index.htm index.nginx-debian.html;
-
-    server_name m-labs-intl.com;
-
-    location / {
-        try_files $uri $uri/ =404;
-    }
-
-    listen [::]:443 ssl ipv6only=on; # managed by Certbot
-    listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
-    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-}
-
-server {
-    server_name www.m-labs-intl.com;
-    return 301 https://m-labs-intl.com$request_uri;
-
-    listen [::]:443 ssl; # managed by Certbot
-    listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
-    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-}
-
-server {
-    server_name hooks.m-labs-intl.com;
-    limit_conn addr 5;
-
-    location /rfq {
-        proxy_pass http://rfq_server/rfq;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_read_timeout 30;
-        proxy_connect_timeout 30;
-        proxy_send_timeout 30;
-    }
-
-    location / {
-        return 418;
-    }
-
-    listen [::]:443 ssl; # managed by Certbot
-    listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
-    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-}
-
-server {
-    limit_conn addr 5;
-    if ($host = m-labs-intl.com) {
-        return 301 https://$host$request_uri;
-    } # managed by Certbot
-
-
-    if ($host = www.m-labs-intl.com) {
-        return 301 https://m-labs-intl.com$request_uri;
-    } # managed by Certbot
-
-
-    listen 80;
-    listen [::]:80;
-
-    server_name m-labs-intl.com www.m-labs-intl.com hooks.m-labs-intl.com;
-    return 301 https://$host$request_uri;
-}

m-labs-intl/m-labs.hk.conf

@@ -1,34 +0,0 @@
-
-
-connections {
-  m_labs {
-    version = 2
-    encap = no
-    mobike = no
-    send_certreq = no
-    proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
-    local_addrs = 5.78.86.156
-    remote_addrs = 94.190.212.123
-    local {
-      auth = pubkey
-      id = fqdn:m-labs-intl.com
-      pubkeys = m-labs-intl.com
-    }
-    remote {
-      auth = pubkey
-      id = fqdn:m-labs.hk
-      pubkeys = m-labs.hk
-    }
-    children {
-      con1 {
-        mode = transport
-        ah_proposals = sha256-curve25519,sha256-ecp256
-        esp_proposals =
-        local_ts = 5.78.86.156[gre]
-        remote_ts = 94.190.212.123[gre]
-        start_action = start
-        close_action = none
-      }
-    }
-  } 
-}

m-labs-intl/nginx.conf

@@ -1,65 +0,0 @@
-user www-data;
-worker_processes auto;
-pid /run/nginx.pid;
-error_log /var/log/nginx/error.log;
-include /etc/nginx/modules-enabled/*.conf;
-
-events {
-	worker_connections 768;
-	# multi_accept on;
-}
-
-http {
-
-	##
-	# Basic Settings
-	##
-
-	sendfile on;
-	tcp_nopush on;
-	types_hash_max_size 2048;
-	# server_tokens off;
-
-	server_names_hash_bucket_size 64;
-	# server_name_in_redirect off;
-
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
-
-	##
-	# SSL Settings
-	##
-
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
-	ssl_prefer_server_ciphers on;
-
-	# Rate limiting
-	limit_conn_zone $binary_remote_addr zone=addr:10m;
-
-	##
-	# Logging Settings
-	##
-
-	access_log /var/log/nginx/access.log;
-
-	##
-	# Gzip Settings
-	##
-
-	gzip on;
-
-	# gzip_vary on;
-	# gzip_proxied any;
-	# gzip_comp_level 6;
-	# gzip_buffers 16 8k;
-	# gzip_http_version 1.1;
-	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
-	##
-	# Virtual Host Configs
-	##
-
-	include /etc/nginx/conf.d/*.conf;
-	include /etc/nginx/sites-enabled/*;
-}
-

m-labs-intl/rfq.service

@@ -1,12 +0,0 @@
-[Unit]
-Description=RFQ service
-After=network.target
-
-[Service]
-Type=simple
-User=rfqserver
-ExecStart=/home/rfqserver/runrfq.sh
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target

m-labs-intl/runrfq.sh

@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-
-export FLASK_DEBUG=0
-export FLASK_MAIL_SERVER=mail.m-labs.hk
-export FLASK_MAIL_PORT=465
-export FLASK_MAIL_USE_SSL=True
-export FLASK_MAIL_USERNAME=sysop-intl@m-labs-intl.com
-export FLASK_MAIL_PASSWORD_FILE=/home/rfqserver/mail.secret
-export FLASK_MAIL_RECIPIENT=sales@m-labs.hk
-export FLASK_MAIL_SENDER=sysop-intl@m-labs-intl.com
-
-cd /home/rfqserver/web2019/server
-source venv/bin/activate
-python3 -m flask --app rfq run --port=5000

m-labs-intl/setup.md

@@ -1,99 +0,0 @@
-# Setup m-labs-intl.com server
-
-```shell
-# Install required packages
-apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
-  strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
-snap install --classic certbot
-ln -s /snap/bin/certbot /usr/bin/certbot
-
-# Set up networks (includes GRE)
-cp 60-tunnels.yaml /etc/netplan/
-netplan apply
-
-# set up IPsec-AH connection
-cp m-labs.hk.conf /etc/swanctl/conf.d/
-echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
-sysctl -p
-cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
-pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com
-pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
-cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
-systemctl enable strongswan --now
-systemctl restart strongswan
-
-# Set up website
-cp m-labs-intl.com /etc/nginx/sites-available/
-cp nginx.conf /etc/nginx/
-ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
-systemctl enable nginx --now
-service nginx restart
-
-# Issue SSL certificate - website only, the mail is on the HK side
-certbot --nginx
-service nginx restart
-
-# Create a user for automatic website deployment from nixbld
-useradd -m zolaupd
-mkdir -p /var/www/m-labs-intl.com/html
-chown -R zolaupd /var/www/m-labs-intl.com/
-sudo -u zolaupd sh -c '
-  cd /home/zolaupd;
-  mkdir /home/zolaupd/.ssh;
-  echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
-  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
-  chmod 700 .ssh/
-  chmod 600 .ssh/authorized_keys
-  '
-
-# Create a user for RFQ hooks service
-useradd -m rfqserver
-cp runrfq.sh /home/rfqserver/
-cp mail.secret /home/rfqserver/
-chown rfqserver /home/rfqserver/runrfq.sh
-chmod +x /home/rfqserver/runrfq.sh
-chown rfqserver /home/rfqserver/mail.secret
-
-sudo -u rfqserver sh -c '
-  cd /home/rfqserver;
-  git clone https://git.m-labs.hk/M-Labs/web2019.git;
-  cd web2019;
-  python3 -m venv ./venv;
-  source venv/bin/activate;
-  pip install -r requirements.txt;
-'
-cp rfq.service /etc/systemd/system/
-
-# Automate port forwarding rules creation
-cp gretun.sh /root/gretun.sh
-cp gretun_down.sh /root/gretun_down.sh
-chmod u+x /root/gretun.sh
-chmod u+x /root/gretun_down.sh
-cp gretun.service /etc/systemd/system/
-
-# Enable custom services
-systemctl daemon-reload
-systemctl enable rfq.service --now
-systemctl enable gretun.service --now
-
-# Setup basic firewall rules  
-ufw default deny
-ufw default allow outgoing
-
-ufw allow from 94.190.212.123
-ufw allow from 2001:470:f891:1::/64
-ufw allow from 202.77.7.238
-ufw allow from 2001:470:18:390::2
-ufw allow "Nginx HTTP"
-ufw allow "Nginx HTTPS"
-ufw limit OpenSSH
-ufw allow 25/tcp
-ufw allow 587/tcp
-ufw limit 500,4500/udp
-
-ufw route allow in on gre1 out on eth0
-ufw allow from 10.47.3.0/31
-
-ufw show added
-ufw enable
-```

nixbld-etc-nixos/afws-module.nix

@@ -10,34 +10,16 @@ in
       default = false;
       description = "Enable AFWS server";
     };
-    logFile = mkOption {
-      type = types.str;
-      default = "/var/lib/afws/logs/afws.log";
-      description = "Path to the log file";
-    };
-    logBackupCount = mkOption {
-      type = types.int;
-      default = 30;
-      description = "Number of daily log files to keep";
-    };
   };
 
   config = mkIf config.services.afws.enable {
     systemd.services.afws = {
       description = "AFWS server";
       wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        mkdir -p "$(dirname ${config.services.afws.logFile})"
-        chown afws:afws "$(dirname ${config.services.afws.logFile})"
-      '';
       serviceConfig = {
         User = "afws";
         Group = "afws";
-        ExecStart = ''
-          ${afws}/bin/afws_server \
-            --log-file ${config.services.afws.logFile} \
-            --log-backup-count ${toString config.services.afws.logBackupCount}
-        '';
+        ExecStart = "${afws}/bin/afws_server";
         ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
       };
       path = [ pkgs.nix pkgs.git ];

nixbld-etc-nixos/backup-module.nix

@@ -12,7 +12,6 @@ let
     "/var/lib/mattermost/data/2021*"
     "/var/lib/mattermost/data/2022*"
     "/var/lib/mattermost/data/2023*"
-    "/var/lib/mattermost/data/2024*"
   ];
   makeBackup = pkgs.writeScript "make-backup" ''
     #!${pkgs.bash}/bin/bash -p
@@ -27,11 +26,9 @@ let
     ${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
     ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
     ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
-    ${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql
-    ${config.services.postgresql.package}/bin/pg_dump nextcloud > nextcloud.sql
 
     exec 6< /etc/nixos/secret/backup-passphrase
-    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /home/sb/backed /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql nextcloud.sql | \
+    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \
         ${pkgs.bzip2}/bin/bzip2 | \
         ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
   '';

nixbld-etc-nixos/configuration.nix

@@ -6,9 +6,6 @@ let
   netifLan = "enp5s0f1";
   netifWifi = "wlp6s0";
   netifSit = "henet0";
-  netifUSA = "trump0";
-  netifAlt = "alt0";
-  netifAltVlan = "vlan0";
   hydraWwwOutputs = "/var/www/hydra-outputs";
 in
 {
@@ -20,8 +17,8 @@ in
       ./afws-module.nix
       ./rt.nix
       (builtins.fetchTarball {
-        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/63209b1def2c9fc891ad271f474a3464a5833294/nixos-mailserver-nixos.tar.gz";
-        sha256 = "sha256:05k4nj2cqz1c5zgqa0c6b8sp3807ps385qca74fgs6cdc415y3qw";
+        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/41059fc548088e49e3ddb3a2b4faeb5de018e60f/nixos-mailserver-nixos.tar.gz";
+        sha256 = "sha256:0xvch92yi4mc1acj08461wrgrva63770aiis02vpvaa7a1xqaibv";
       })
     ];
 
@@ -53,7 +50,7 @@ in
 
   services.fail2ban.enable = true;
   services.fail2ban.ignoreIP = [ "94.190.212.123" "2001:470:18:390::2" ];
-  services.fail2ban.maxretry = 7;
+  services.fail2ban.maxretry = 9;
   services.fail2ban.bantime-increment.enable = true;
   services.fail2ban.jails.sshd = {
     settings = {
@@ -61,6 +58,18 @@ in
       action = "iptables-allports";
     };
   };
+  services.fail2ban.jails.nginx-botsearch = {
+    settings = {
+      filter = "nginx-botsearch";
+      action = "iptables-allports";
+    };
+  };
+  services.fail2ban.jails.nginx-limit-req = {
+    settings = {
+      filter = "nginx-limit-req";
+      action = "iptables-allports";
+    };
+  };
   services.fail2ban.jails.postfix = {
     settings = {
       filter = "postfix";
@@ -81,15 +90,6 @@ in
       allowedTCPPorts = [ 53 80 443 2222 7402 ];
       allowedUDPPorts = [ 53 67 500 4500 ];
       trustedInterfaces = [ netifLan ];
-      logRefusedConnections = false;
-      extraCommands = ''
-        iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
-        iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
-      '';
-      extraStopCommands = ''
-        iptables -D INPUT -s 5.78.86.156 -p gre -j ACCEPT
-        iptables -D INPUT -s 5.78.86.156 -p ah -j ACCEPT
-      '';
     };
     useDHCP = false;
     interfaces."${netifWan}".useDHCP = true;  # PCCW - always wants active DHCP lease or cuts you off
@@ -176,32 +176,11 @@ in
         iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP  # HP printer, wifi
         iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP  # HP printer, ethernet
         iptables -w -A FORWARD -j block-insecure-devices
-
-        iptables -w -N block-bots
-        iptables -w -A INPUT -j block-bots
-        iptables -w -A block-bots -s 47.80.0.0/13 -j DROP   # Alibaba Cloud
-        iptables -w -A block-bots -s 47.74.0.0/15 -j DROP
-        iptables -w -A block-bots -s 47.76.0.0/14 -j DROP
-        iptables -w -A block-bots -s 54.64.0.0/11 -j DROP   # Amazon
-
-        iptables -w -N pccw-sucks
-        iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
-        iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
-        iptables -A pccw-sucks -o ${netifUSA} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
-        iptables -w -A FORWARD -j pccw-sucks
       '';
       extraStopCommands = ''
         iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
         iptables -w -F block-insecure-devices 2>/dev/null|| true
         iptables -w -X block-insecure-devices 2>/dev/null|| true
-
-        iptables -w -D INPUT -j block-bots 2>/dev/null|| true
-        iptables -w -F block-bots 2>/dev/null|| true
-        iptables -w -X block-bots 2>/dev/null|| true
-
-        iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
-        iptables -w -F pccw-sucks 2>/dev/null|| true
-        iptables -w -X pccw-sucks 2>/dev/null|| true
       '';
     };
     sits."${netifSit}" = {
@@ -214,37 +193,14 @@ in
       addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
       routes = [{ address = "::"; prefixLength = 0; }];
     };
-    greTunnels."${netifUSA}" = {
-      dev = netifWan;
-      remote = "5.78.86.156";
-      local = "94.190.212.123";
-      ttl = 255;
-      type = "tun";
-    };
-    greTunnels."${netifAlt}" = {
+    greTunnels.alt0 = {
       dev = netifWan;
       remote = "103.206.98.1";
       local = "94.190.212.123";
       ttl = 255;
       type = "tun";
     };
-    interfaces."${netifUSA}" = {
-      ipv4.addresses = [
-        {
-          address = "10.47.3.1";
-          prefixLength = 31;
-        }
-      ];
-      ipv4.routes = [
-        {
-          address = "0.0.0.0";
-          prefixLength = 0;
-          via = "10.47.3.0";
-          options.table = "3";
-        }
-      ];
-    };
-    interfaces."${netifAlt}" = {
+    interfaces.alt0 = {
       ipv4.addresses = [
         {
           address = "103.206.98.227";
@@ -261,12 +217,12 @@ in
       ];
     };
     vlans = {
-      "${netifAltVlan}" = {
+      vlan0 = {
         id = 2;
         interface = netifLan;
       };
     };
-    interfaces."${netifAltVlan}" = {
+    interfaces.vlan0 = {
       ipv4.addresses = [{
         address = "103.206.98.200";
         prefixLength = 29;
@@ -299,7 +255,7 @@ in
       id = "fqdn:igw0.hkg.as150788.net";
       pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
     };
-    children."${netifAlt}" = {
+    children.alt0 = {
       mode = "transport";
       ah_proposals = [ "sha256-curve25519" ];
       remote_ts = [ "103.206.98.1[gre]" ];
@@ -307,27 +263,6 @@ in
       start_action = "start";
     };
   };
-  services.strongswan-swanctl.swanctl.connections.usa = {
-    local_addrs = [ "94.190.212.123" ];
-    remote_addrs = [ "5.78.86.156" ];
-    local.main = {
-      auth = "pubkey";
-      id = "fqdn:m-labs.hk";
-      pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
-    };
-    remote.main = {
-      auth = "pubkey";
-      id = "fqdn:m-labs-intl.com";
-      pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
-    };
-    children."${netifUSA}" = {
-      mode = "transport";
-      ah_proposals = [ "sha256-curve25519" ];
-      remote_ts = [ "5.78.86.156[gre]" ];
-      local_ts = [ "94.190.212.123[gre]" ];
-      start_action = "start";
-    };
-  };
 
   systemd.services.network-custom-route-backup = {
     wantedBy = [ "network.target" ];
@@ -338,15 +273,6 @@ in
       ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
     };
   };
-  systemd.services.network-custom-route-usa = {
-    wantedBy = [ "network.target" ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
-      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
-    };
-  };
   systemd.services.network-custom-route-alt = {
     wantedBy = [ "network.target" ];
     serviceConfig = {
@@ -357,15 +283,6 @@ in
     };
   };
 
-  systemd.services."network-addresses-${netifUSA}" = {
-    after = pkgs.lib.mkOverride 1 [ "network-pre.target" "${netifUSA}-netdev.service" "systemd-udevd.service" ];
-    requires = [ "systemd-udevd.service" ];
-  };
-  systemd.services."network-addresses-${netifAlt}" = {
-    after = pkgs.lib.mkOverride 1 [ "network-pre.target" "${netifAlt}-netdev.service" "systemd-udevd.service" ];
-    requires = [ "systemd-udevd.service" ];
-  };
-
   # https://kb.isc.org/docs/dnssec-key-and-signing-policy
   # chown named.named /etc/nixos/named
   services.bind = {
@@ -458,14 +375,10 @@ in
            notify explicit;
            also-notify {
              216.218.130.2;   # ns1.he.net
-             213.239.220.50;  # ns1.qnetp.net
-             88.198.32.245;   # new qnetp
            };
            '';
         slaves = [
           "216.218.133.2" "2001:470:600::2"       # slave.dns.he.net
-          "213.239.220.50" "2a01:4f8:a0:7041::1"  # ns1.qnetp.net
-          "88.198.32.245"                         # new qnetp
         ];
       };
       "200-29.98.206.103.in-addr.arpa" = {
@@ -499,7 +412,6 @@ in
     enable = true;
     radios.${netifWifi} = {
       band = "2g";
-      channel = 7;
       countryCode = "HK";
       networks.${netifWifi} = {
         ssid = "M-Labs";
@@ -550,7 +462,10 @@ in
         "/kasli-customer/192.168.1.75"
         "/stabilizer-customer/192.168.1.76"
 
-        "/fonts.gstatic.com/142.250.114.94"
+        # Google can't do DNS geolocation correctly and slows down websites of everyone using
+        # their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
+        # cannot reach.
+        "/fonts.googleapis.com/142.250.207.74"
       ];
 
       dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
@@ -576,29 +491,13 @@ in
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
-    lm_sensors
-    acpi
-    usbutils
-    pciutils
+    wget vim git file lm_sensors acpi pciutils psmisc nixops_unstable_minimal
+    irssi tmux usbutils imagemagick jq zip unzip
     iw
     nvme-cli
-    smartmontools
-    psmisc
-
-    wget
-    bind
-    whois
-
-    vim
-    git
-    file
-    imagemagick
-    jq
-
-    nixops_unstable_minimal
     borgbackup
+    bind
     waypipe
-
     (callPackage ./afws { inherit pkgs; })
     (callPackage ./labelprinter { inherit pkgs; })
   ];
@@ -614,9 +513,8 @@ in
   services.apcupsd.configText = ''
     UPSTYPE usb
     NISIP 127.0.0.1
-    BATTERYLEVEL 1
-    MINUTES 1
-    SELFTEST OFF
+    BATTERYLEVEL 10
+    MINUTES 5
   '';
 
   # Enable the OpenSSH daemon.
@@ -626,7 +524,6 @@ in
   services.openssh.settings.X11Forwarding = true;
   services.openssh.authorizedKeysInHomedir = false;
   programs.mosh.enable = true;
-  programs.tmux.enable = true;
 
   programs.fish.enable = true;
   programs.zsh.enable = true;
@@ -653,6 +550,7 @@ in
     SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
     '';
 
+  sound.enable = true;
   services.mpd.enable = true;
   services.mpd.musicDirectory = "/tank/sb-public/FLAC";
   services.mpd.network.listenAddress = "192.168.1.1";
@@ -662,30 +560,45 @@ in
     audio_output {
       type "alsa"
       name "alsa"
-      device "hw:2,0"
+      device "hw:1,1"
     }
     '';
 
   users.extraUsers.root = {
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
     ];
     shell = pkgs.fish;
   };
   # https://github.com/NixOS/nixpkgs/issues/155357
   security.sudo.enable = true;
 
-  # M-Labs HK
   users.extraUsers.sb = {
     isNormalUser = true;
     extraGroups = ["lp" "scanner" "afws" "audio"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
     ];
     shell = pkgs.fish;
   };
+  users.extraUsers.rj = {
+    isNormalUser = true;
+    extraGroups = ["afws"];
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
+     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
+     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
+    ];
+  };
+  users.extraUsers.nkrackow = {
+    isNormalUser = true;
+    extraGroups = ["afws"];
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
+    ];
+  };
   users.extraUsers.spaqin = {
     isNormalUser = true;
     extraGroups = ["lp" "afws"];
@@ -707,35 +620,6 @@ in
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
     ];
   };
-
-  # M-Labs PH
-  users.extraUsers.flo = {
-    isNormalUser = true;
-    extraGroups = ["afws"];
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
-    ];
-  };
-
-  # QUARTIQ
-  users.extraUsers.rj = {
-    isNormalUser = true;
-    extraGroups = ["afws"];
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
-     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
-     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
-    ];
-  };
-  users.extraUsers.eduardotenholder = {
-    isNormalUser = true;
-    extraGroups = ["afws"];
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu6yhjCoZ62eamYrAXtFefDhplTRUIdD4tncwlkyAEH"
-    ];
-  };
-
-  # HKUST
   users.extraUsers.derppening = {
     isNormalUser = true;
     openssh.authorizedKeys.keys = [
@@ -746,6 +630,7 @@ in
   users.extraUsers.nix = {
     isNormalUser = true;
   };
+  boot.kernel.sysctl."kernel.dmesg_restrict" = true;
   services.udev.packages = [ pkgs.sane-backends ];
 
   nix.settings.max-jobs = 10;
@@ -766,14 +651,6 @@ in
         job = web:web:web
         command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
       </runcommand>
-      <runcommand>
-        job = web:web:web-ph
-        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web-ph
-      </runcommand>
-      <runcommand>
-        job = web:web:web-intl
-        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/
-      </runcommand>
       <runcommand>
         job = web:web:nmigen-docs
         command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
@@ -885,10 +762,6 @@ in
   services.gitea = {
     enable = true;
     appName = "M-Labs Git";
-    database = {
-      type = "postgres";
-      socket = "/run/postgresql";
-    };
     mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
     settings = {
       server = {
@@ -915,7 +788,6 @@ in
       service = {
         ENABLE_NOTIFY_MAIL = true;
         DISABLE_REGISTRATION = true;
-        REQUIRE_SIGNIN_VIEW = "expensive";
       };
 
       attachment = {
@@ -929,6 +801,7 @@ in
   };
   systemd.tmpfiles.rules = [
     "L+ '${config.services.gitea.stateDir}/custom/templates/home.tmpl' - - - - ${./gitea-home.tmpl}"
+    "L+ '${config.services.gitea.stateDir}/custom/templates/user/auth/signin.tmpl' - - - - ${./gitea-signin.tmpl}"
   ];
 
   services.mattermost = {
@@ -936,45 +809,32 @@ in
     siteUrl = "https://chat.m-labs.hk/";
     mutableConfig = true;
   };
+  services.postgresql.package = pkgs.postgresql_12;
   services.matterbridge = {
     enable = true;
     configPath = "/etc/nixos/secret/matterbridge.toml";
   };
-
-  services.postgresql = {
-    package = pkgs.postgresql_15;
-    settings.listen_addresses = pkgs.lib.mkForce "";
-    identMap =
-      ''
-      rt rt rt_user
-      '';
-  };
-
+ 
   nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
     nix = super.nix.overrideAttrs(oa: {
       patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
     });
-    hydra = super.hydra.overrideAttrs(oa: {
+    hydra_unstable = super.hydra_unstable.overrideAttrs(oa: {
       patches = oa.patches or [] ++ [
         ./hydra-conda.patch
         ./hydra-msys2.patch
+        ./hydra-restrictdist.patch
       ];
       hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
       doCheck = false;  # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
     });
-    gitea = super.callPackage ./gitea/package.nix {};
-    mattermost = super.mattermost.overrideAttrs(oldAttrs: {
-      webapp = oldAttrs.webapp.overrideAttrs (webappAttrs: {
-        patches = webappAttrs.patches or [ ] ++ [ ./mattermost-remove-free-banner.patch ];
-      });
-    });
     matterbridge = super.matterbridge.overrideAttrs(oa: {
       patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ];
     });
   };
 
   security.acme.acceptTerms = true;
-  security.acme.defaults.email = "sb@m-labs.hk";
+  security.acme.defaults.email = "sb" + "@m-labs.hk";
 
   # https://github.com/NixOS/nixpkgs/issues/106862
   systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
@@ -1004,7 +864,7 @@ in
             expires 60d;
           '';
         };
-        locations."/nuc-netboot/".alias = "${import ./defenestrate { prioNixbld = true; } }/";
+        locations."/nuc-netboot/".alias = "${import ./defenestrate}/";
 
         # legacy URLs, redirect to avoid breaking people's bookmarks
         locations."/gateware.html".extraConfig = ''
@@ -1062,24 +922,9 @@ in
       };
     in {
       "m-labs.hk" = mainWebsite;
-      "www.m-labs.hk" = {
-        addSSL = true;
-        enableACME = true;
-        globalRedirect = "m-labs.hk";
-      };
-      "m-labs.ph" = {
-        root = "${hydraWwwOutputs}/web-ph";
-        forceSSL = true;
-        enableACME = true;
-        extraConfig = ''
-          error_page 404 /404.html;
-        '';
-      };
-      "www.m-labs.ph" = {
-        addSSL = true;
-        enableACME = true;
-        globalRedirect = "m-labs.ph";
-      };
+      "www.m-labs.hk" = mainWebsite;
+      "m-labs.ph" = mainWebsite;
+      "www.m-labs.ph" = mainWebsite;
       "nixbld.m-labs.hk" = {
         forceSSL = true;
         enableACME = true;
@@ -1180,6 +1025,15 @@ in
       "forum.m-labs.hk" = {
         forceSSL = true;
         enableACME = true;
+        root = "/var/www/flarum/public";
+        locations."~ \.php$".extraConfig = ''
+          fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
+          fastcgi_index index.php;
+        '';
+        extraConfig = ''
+          index index.php;
+          include /var/www/flarum/.nginx.conf;
+        '';
       };
       "perso.m-labs.hk" = {
         addSSL = true;
@@ -1226,7 +1080,7 @@ in
       "www.193thz.com" = {
         addSSL = true;
         enableACME = true;
-        globalRedirect = "193thz.com";
+        root = "/var/www/193thz";
       };
       "nmigen.net" = {
         addSSL = true;
@@ -1236,7 +1090,7 @@ in
       "www.nmigen.net" = {
         addSSL = true;
         enableACME = true;
-        globalRedirect = "nmigen.net";
+        root = "${hydraWwwOutputs}/nmigen-docs";
       };
     };
   };
@@ -1251,17 +1105,23 @@ in
       };
     };
   };
-
   services.mysql = {
     enable = true;
-    package = pkgs.lib.mkForce pkgs.mariadb;
-    ensureDatabases = pkgs.lib.mkForce [];
-    ensureUsers = pkgs.lib.mkForce [];
+    package = pkgs.mariadb;
   };
-  services.flarum = {
-    enable = true;
-    package = pkgs.callPackage ./flarum {};
-    domain = "forum.m-labs.hk";
+  services.phpfpm.pools.flarum = {
+    user = "nobody";
+    settings = {
+      "listen.owner" = "nginx";
+      "listen.group" = "nginx";
+      "listen.mode" = "0600";
+      "pm" = "dynamic";
+      "pm.max_children" = 5;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 1;
+      "pm.max_spare_servers" = 3;
+      "pm.max_requests" = 500;
+    };
   };
 
   services.rt = {
@@ -1286,18 +1146,7 @@ in
       Restart = "on-failure";
       User = "rt";
       Group = "rt";
-      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail.pid -f /etc/nixos/secret/rt_fetchmailrc'";
-    };
-  };
-  systemd.services.rt-fetchmail-intl = {
-    description = "Fetchmail for RT (intl)";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "dovecot2.service" ];
-    serviceConfig = {
-      Restart = "on-failure";
-      User = "rt";
-      Group = "rt";
-      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail-intl.pid -f /etc/nixos/secret/rt_fetchmailrc_intl'";
+      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
     };
   };
 
@@ -1305,52 +1154,29 @@ in
     enable = true;
     localDnsResolver = false;  # conflicts with dnsmasq
     fqdn = "mail.m-labs.hk";
-    domains = [ "m-labs.hk" "m-labs.ph" "m-labs-intl.com" "193thz.com" "malloctech.fr" ];
+    domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ];
     enablePop3 = true;
     enablePop3Ssl = true;
     certificateScheme = "acme-nginx";
+    rejectSender = [ "sapcloudsupport@alerts.ondemand.com" ];
   } // (import /etc/nixos/secret/email_settings.nix);
-  services.postfix = {
-    mapFiles."sender_transport" = builtins.toFile "sender_transport" ''
-        @m-labs-intl.com intltunnel:
-    '';
-    config = {
-      sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
-    };
-    masterConfig."intltunnel" = {
-      type = "unix";
-      command = "smtp";
-      args = [
-        "-o" "inet_interfaces=10.47.3.1"
-        "-o" "smtp_helo_name=mail.m-labs-intl.com"
-        "-o" "inet_protocols=ipv4"
-       ];
-    };
-  };
   services.roundcube = {
     enable = true;
     hostName = "mail.m-labs.hk";
-    # https://github.com/roundcube/roundcubemail/issues/5869
     extraConfig = ''
       $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
       $config['smtp_user'] = "%u";
       $config['smtp_pass'] = "%p";
-      $config['session_storage'] = "php";
     '';
   };
 
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud31;
-    extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps) forms deck groupfolders tasks;
-    };
+    package = pkgs.nextcloud29;
     hostName = "files.m-labs.hk";
     https = true;
     maxUploadSize = "2G";
     config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
-    config.dbtype = "pgsql";
-    config.dbhost = "/run/postgresql";
     settings.default_phone_region = "HK";
     settings.log_type = "file";
     phpOptions."opcache.interned_strings_buffer" = "12";

nixbld-etc-nixos/flarum/default.nix

@@ -1,38 +0,0 @@
-{
-  lib,
-  php,
-  fetchFromGitHub,
-  fetchpatch,
-}:
-
-php.buildComposerProject (finalAttrs: {
-  pname = "flarum";
-  version = "1.8.1";
-
-  src = fetchFromGitHub {
-    owner = "flarum";
-    repo = "flarum";
-    rev = "v${finalAttrs.version}";
-    hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
-  };
-
-  patches = [
-    # Add useful flarum extensions (polls, subscribed, upload, email-filter)
-    ./flarum-extensions.patch
-  ];
-
-  composerLock = ./composer.lock;
-  composerStrictValidation = false;
-  vendorHash = "sha256-S79nFpbLA1vJp8mKRVmQbdvO1LcUZThmgzQjVQDzmRM=";
-
-  meta = with lib; {
-    changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
-    description = "Flarum is a delightfully simple discussion platform for your website";
-    homepage = "https://github.com/flarum/flarum";
-    license = lib.licenses.mit;
-    maintainers = with maintainers; [
-      fsagbuya
-      jasonodoom
-    ];
-  };
-})

nixbld-etc-nixos/flarum/flarum-extensions.patch

@@ -1,17 +0,0 @@
-diff --git a/composer.json b/composer.json
-index c63b5f8..4bc00c1 100644
---- a/composer.json
-+++ b/composer.json
-@@ -37,7 +37,11 @@
-         "flarum/sticky": "*",
-         "flarum/subscriptions": "*",
-         "flarum/suspend": "*",
--        "flarum/tags": "*"
-+        "flarum/tags": "*",
-+        "fof/polls": "*",
-+        "fof/subscribed": "*",
-+        "fof/upload": "*",
-+        "nyu8/flarum-email-filter": "^1.0"
-     },
-     "config": {
-         "preferred-install": "dist",

nixbld-etc-nixos/gitea-home.tmpl

@@ -15,10 +15,7 @@
 	<div class="ui stackable middle very relaxed page grid">
 		<div class="sixteen wide center column">
 			<p class="large">
-				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-labs.hk stating the username you would like to have.
-			</p>
-			<p class="large">
-			  Due to excessive amounts of server resources being wasted by AI bots, <a href="https://github.com/go-gitea/gitea/pull/34024">many functionalities currently require sign-in</a>. You can always clone git repositories anonymously and access most of that functionality on your local machine. We apologize for the inconvenience and look forward to rolling out a less obtrusive solution when one becomes available.
+				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-***.hk stating the username you would like to have.
 			</p>
 		</div>
 	</div>

nixbld-etc-nixos/gitea-signin.tmpl

@@ -0,0 +1,11 @@
+{{template "base/head" .}}
+<div class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
+	{{template "user/auth/signin_navbar" .}}
+	<div class="ui middle very relaxed page grid">
+		<div class="ui container column fluid">
+			{{template "user/auth/signin_inner" .}}
+			To get an account (also available to external contributors), simply write to sb@m-***s.hk.
+		</div>
+	</div>
+</div>
+{{template "base/footer" .}}

nixbld-etc-nixos/gitea/allow-src.patch

@@ -1,13 +0,0 @@
-diff '--color=auto' -Naur gitea-1.23.7.orig/routers/common/blockexpensive.go gitea-1.23.7/routers/common/blockexpensive.go
---- gitea-1.23.7.orig/routers/common/blockexpensive.go	2025-04-20 21:42:28.210137661 +0100
-+++ gitea-1.23.7/routers/common/blockexpensive.go	2025-04-20 21:48:47.743843506 +0100
-@@ -45,9 +45,6 @@
- 		"/{username}/{reponame}/commit/",
- 		"/{username}/{reponame}/commits/",
- 		"/{username}/{reponame}/graph",
--		"/{username}/{reponame}/media/",
--		"/{username}/{reponame}/raw/",
--		"/{username}/{reponame}/src/",
- 
- 		// issue & PR related (no trailing slash)
- 		"/{username}/{reponame}/issues",

nixbld-etc-nixos/gitea/package.nix

@@ -1,120 +0,0 @@
-{
-  lib,
-  buildGoModule,
-  fetchFromGitHub,
-  makeWrapper,
-  git,
-  bash,
-  coreutils,
-  compressDrvWeb,
-  gitea,
-  gzip,
-  openssh,
-  sqliteSupport ? true,
-  nixosTests,
-  buildNpmPackage,
-}:
-
-let
-  frontend = buildNpmPackage {
-    pname = "gitea-frontend";
-    inherit (gitea) src version;
-
-    npmDepsHash = "sha256-5i3aB1QgH5NK5yDZySFlraVGU+Kh6J4Y2zvFqJX5kJs=";
-
-    # use webpack directly instead of 'make frontend' as the packages are already installed
-    buildPhase = ''
-      BROWSERSLIST_IGNORE_OLD_DATA=true npx webpack
-    '';
-
-    installPhase = ''
-      mkdir -p $out
-      cp -R public $out/
-    '';
-  };
-in
-buildGoModule rec {
-  pname = "gitea";
-  version = "1.23.7";
-
-  src = fetchFromGitHub {
-    owner = "go-gitea";
-    repo = "gitea";
-    tag = "v${gitea.version}";
-    hash = "sha256-pdmRujcLnQBIQXc26MPpoLbbV00KMaVHPY4xTsitaCA=";
-  };
-
-  proxyVendor = true;
-
-  vendorHash = "sha256-h9RnHv4weGfHwpmuEhQbsYDd5fKc439m0gF/BgDVIdA=";
-
-  outputs = [
-    "out"
-    "data"
-  ];
-
-  patches = [ ./static-root-path.patch ./allow-src.patch ];
-
-  # go-modules derivation doesn't provide $data
-  # so we need to wait until it is built, and then
-  # at that time we can then apply the substituteInPlace
-  overrideModAttrs = _: { postPatch = null; };
-
-  postPatch = ''
-    substituteInPlace modules/setting/server.go --subst-var data
-  '';
-
-  subPackages = [ "." ];
-
-  nativeBuildInputs = [ makeWrapper ];
-
-  tags = lib.optionals sqliteSupport [
-    "sqlite"
-    "sqlite_unlock_notify"
-  ];
-
-  ldflags = [
-    "-s"
-    "-w"
-    "-X main.Version=${version}"
-    "-X 'main.Tags=${lib.concatStringsSep " " tags}'"
-  ];
-
-  postInstall = ''
-    mkdir $data
-    ln -s ${frontend}/public $data/public
-    cp -R ./{templates,options} $data
-    mkdir -p $out
-    cp -R ./options/locale $out/locale
-
-    wrapProgram $out/bin/gitea \
-      --prefix PATH : ${
-        lib.makeBinPath [
-          bash
-          coreutils
-          git
-          gzip
-          openssh
-        ]
-      }
-  '';
-
-  passthru = {
-    data-compressed =
-      lib.warn "gitea.passthru.data-compressed is deprecated. Use \"compressDrvWeb gitea.data\"."
-        (compressDrvWeb gitea.data { });
-
-    tests = nixosTests.gitea;
-  };
-
-  meta = with lib; {
-    description = "Git with a cup of tea";
-    homepage = "https://about.gitea.com";
-    license = licenses.mit;
-    maintainers = with maintainers; [
-      techknowlogick
-      SuperSandro2000
-    ];
-    mainProgram = "gitea";
-  };
-}

nixbld-etc-nixos/gitea/static-root-path.patch

@@ -1,13 +0,0 @@
-diff --git a/modules/setting/server.go b/modules/setting/server.go
-index 183906268..fa02e8915 100644
---- a/modules/setting/server.go
-+++ b/modules/setting/server.go
-@@ -319,7 +319,7 @@ func loadServerFrom(rootCfg ConfigProvider) {
- 	OfflineMode = sec.Key("OFFLINE_MODE").MustBool()
- 	Log.DisableRouterLog = sec.Key("DISABLE_ROUTER_LOG").MustBool()
- 	if len(StaticRootPath) == 0 {
--		StaticRootPath = AppWorkPath
-+		StaticRootPath = "@data@"
- 	}
- 	StaticRootPath = sec.Key("STATIC_ROOT_PATH").MustString(StaticRootPath)
- 	StaticCacheTime = sec.Key("STATIC_CACHE_TIME").MustDuration(6 * time.Hour)

nixbld-etc-nixos/hydra-restrictdist.patch

@@ -0,0 +1,32 @@
+diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm
+index a9b0d558..71869ba0 100644
+--- a/src/lib/Hydra/Controller/Root.pm
++++ b/src/lib/Hydra/Controller/Root.pm
+@@ -19,6 +19,11 @@ use Net::Prometheus;
+ # Put this controller at top-level.
+ __PACKAGE__->config->{namespace} = '';
+ 
++sub isRedistRestricted {
++  my ($path) = @_;
++
++  return index($path, "-RESTRICTDIST-") >= 0;
++}
+ 
+ sub noLoginNeeded {
+   my ($c) = @_;
+@@ -319,6 +324,7 @@ sub nar :Local :Args(1) {
+         $path = $Nix::Config::storeDir . "/$path";
+ 
+         gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path);
++        notFound($c, "Redistribution restricted") if isRedistRestricted($path);
+ 
+         $c->stash->{current_view} = 'NixNAR';
+         $c->stash->{storePath} = $path;
+@@ -368,6 +374,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
+             setCacheHeaders($c, 60 * 60);
+             return;
+         }
++        notFound($c, "Redistribution restricted") if isRedistRestricted($path);
+ 
+         $c->stash->{storePath} = $path;
+         $c->forward('Hydra::View::NARInfo');

nixbld-etc-nixos/mattermost-remove-free-banner.patch

@@ -1,210 +0,0 @@
-diff --git webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
-index 9af4fc7354..60ae3160e8 100644
---- webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
-+++ webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
-@@ -9,10 +9,6 @@ import Logo from 'components/common/svg_images_components/logo_dark_blue_svg';
- const ProductBrandingTeamEditionContainer = styled.div`
-     display: flex;
-     align-items: center;
--
--    > * + * {
--        margin-left: 8px;
--    }
- `;
- 
- const StyledLogo = styled(Logo)`
-@@ -21,23 +17,6 @@ const StyledLogo = styled(Logo)`
-     }
- `;
- 
--const Badge = styled.div`
--    display: flex;
--    align-self: center;
--    padding: 2px 6px;
--    position: relative;
--    top: 1px;
--    border-radius: var(--radius-s);
--    margin-left: 12px;
--    background: rgba(var(--sidebar-text-rgb), 0.08);
--    color: rgba(var(--sidebar-text-rgb), 0.75);
--    font-family: 'Open Sans', sans-serif;
--    font-size: 10px;
--    font-weight: 600;
--    letter-spacing: 0.025em;
--    line-height: 16px;
--`;
--
- const ProductBrandingTeamEdition = (): JSX.Element => {
-     return (
-         <ProductBrandingTeamEditionContainer tabIndex={0}>
-@@ -45,7 +24,6 @@ const ProductBrandingTeamEdition = (): JSX.Element => {
-                 width={116}
-                 height={20}
-             />
--            <Badge>{'FREE EDITION'}</Badge>
-         </ProductBrandingTeamEditionContainer>
-     );
- };
-diff --git webapp/channels/src/components/header_footer_route/header.scss webapp/channels/src/components/header_footer_route/header.scss
-index e7c76f9861..2841858f44 100644
---- webapp/channels/src/components/header_footer_route/header.scss
-+++ webapp/channels/src/components/header_footer_route/header.scss
-@@ -39,23 +39,6 @@
-                 width: 170px;
-                 fill: var(--center-channel-color);
-             }
--
--            .freeBadge {
--                position: relative;
--                top: 1px;
--                display: flex;
--                align-self: center;
--                padding: 2px 6px;
--                border-radius: var(--radius-s);
--                margin-left: 12px;
--                background: rgba(var(--center-channel-color-rgb), 0.08);
--                color: rgba(var(--center-channel-color-rgb), 0.75);
--                font-family: 'Open Sans', sans-serif;
--                font-size: 10px;
--                font-weight: 600;
--                letter-spacing: 0.025em;
--                line-height: 16px;
--            }
-         }
-     }
- 
-@@ -77,12 +60,6 @@
-             margin-top: 12px;
-         }
-     }
--
--    &.has-free-banner.has-custom-site-name {
--        .header-back-button {
--            bottom: -20px;
--        }
--    }
- }
- 
- @media screen and (max-width: 699px) {
-diff --git webapp/channels/src/components/header_footer_route/header.tsx webapp/channels/src/components/header_footer_route/header.tsx
-index 8cd1d8a624..55554fb0ad 100644
---- webapp/channels/src/components/header_footer_route/header.tsx
-+++ webapp/channels/src/components/header_footer_route/header.tsx
-@@ -25,33 +25,15 @@ const Header = ({alternateLink, backButtonURL, onBackButtonClick}: HeaderProps)
- 
-     const ariaLabel = SiteName || 'Mattermost';
- 
--    let freeBanner = null;
--    if (license.IsLicensed === 'false') {
--        freeBanner = <><Logo/><span className='freeBadge'>{'FREE EDITION'}</span></>;
--    }
--
-     let title: React.ReactNode = SiteName;
-     if (title === 'Mattermost') {
--        if (freeBanner) {
--            title = '';
--        } else {
--            title = <Logo/>;
--        }
-+        title = <Logo/>;
-     }
- 
-     return (
--        <div className={classNames('hfroute-header', {'has-free-banner': freeBanner, 'has-custom-site-name': title})}>
-+        <div className={classNames('hfroute-header', {'has-custom-site-name': title})}>
-             <div className='header-main'>
-                 <div>
--                    {freeBanner &&
--                        <Link
--                            className='header-logo-link'
--                            to='/'
--                            aria-label={ariaLabel}
--                        >
--                            {freeBanner}
--                        </Link>
--                    }
-                     {title &&
-                         <Link
-                             className='header-logo-link'
-diff --git webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
-index 35646539c4..fbdbb39710 100644
---- webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
-+++ webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
-@@ -1,42 +1,17 @@
- // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
- // See LICENSE.txt for license information.
- 
--import React from 'react';
--import {useIntl} from 'react-intl';
- import {useSelector} from 'react-redux';
--import styled from 'styled-components';
- 
- import {getLicense} from 'mattermost-redux/selectors/entities/general';
- 
--import ExternalLink from 'components/external_link';
--
--import {LicenseLinks} from 'utils/constants';
--
- import './menu_item.scss';
- 
--const FreeVersionBadge = styled.div`
--     position: relative;
--     top: 1px;
--     display: flex;
--     padding: 2px 6px;
--     border-radius: var(--radius-s);
--     margin-bottom: 6px;
--     background: rgba(var(--center-channel-color-rgb), 0.08);
--     color: rgba(var(--center-channel-color-rgb), 0.75);
--     font-family: 'Open Sans', sans-serif;
--     font-size: 10px;
--     font-weight: 600;
--     letter-spacing: 0.025em;
--     line-height: 16px;
--`;
--
- type Props = {
-     id: string;
- }
- 
- const MenuStartTrial = (props: Props): JSX.Element | null => {
--    const {formatMessage} = useIntl();
--
-     const license = useSelector(getLicense);
-     const isCurrentLicensed = license?.IsLicensed;
- 
-@@ -44,33 +19,7 @@ const MenuStartTrial = (props: Props): JSX.Element | null => {
-         return null;
-     }
- 
--    return (
--        <li
--            className={'MenuStartTrial'}
--            role='menuitem'
--            id={props.id}
--        >
--            <FreeVersionBadge>{'FREE EDITION'}</FreeVersionBadge>
--            <div className='editionText'>
--                {formatMessage(
--                    {
--                        id: 'navbar_dropdown.versionText',
--                        defaultMessage: 'This is the free <link>unsupported</link> edition of Mattermost.',
--                    },
--                    {
--                        link: (msg: React.ReactNode) => (
--                            <ExternalLink
--                                location='menu_start_trial.unsupported-link'
--                                href={LicenseLinks.UNSUPPORTED}
--                            >
--                                {msg}
--                            </ExternalLink>
--                        ),
--                    },
--                )}
--            </div>
--        </li>
--    );
-+    return null;
- };
- 
- export default MenuStartTrial;

nixbld-etc-nixos/named/m-labs-intl.com

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	ns.m-labs-intl.com. sb.m-labs.hk. (
-							2024101401
+							2024060601
 							7200
 							3600
 							86400
@@ -10,21 +10,11 @@ $TTL 7200
 
 						NS		ns.m-labs-intl.com.
 						NS		ns1.he.net.
-						NS		ns1.qnetp.net.
 
 						A		5.78.86.156
 						AAAA	2a01:4ff:1f0:83de::1
-						MX		10 mail.m-labs-intl.com.
-						TXT		"v=spf1 mx -all"
-						TXT		"google-site-verification=BlQd5_5wWW7calKC7bZA0GdoxR8-zj4gwJEg9sGJ3l8"
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1768317117"
 
 ns						A		94.190.212.123
 ns						AAAA	2001:470:18:390::2
 
-mail					A		5.78.86.156
-mail._domainkey			IN	TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
-_dmarc					TXT		"v=DMARC1; p=none"
-
 www						CNAME	@
-hooks					CNAME	@

nixbld-etc-nixos/named/m-labs.hk

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
-							2024080501
+							2024060201
 							7200
 							3600
 							86400
@@ -43,7 +43,17 @@ files					CNAME	@
 docs					CNAME	@
 
 rpi-1					AAAA	2001:470:f891:1:dea6:32ff:fe8a:6a93
+rpi-2					AAAA	2001:470:f891:1:ba27:ebff:fef0:e9e6
 rpi-4					AAAA	2001:470:f891:1:dea6:32ff:fe14:fce9
+chiron					AAAA	2001:470:f891:1:7f02:9ebf:bee9:3dc7
+old-nixbld				AAAA	2001:470:f891:1:a07b:f49a:a4ef:aad9
+zeus					AAAA	2001:470:f891:1:4fd7:e70a:68bf:e9c1
+franz					AAAA	2001:470:f891:1:1b65:a743:2335:f5c6
+hera					AAAA	2001:470:f891:1:8b5e:404d:ef4e:9d92
+hestia					AAAA	2001:470:f891:1:881c:f409:a090:8401
+vulcan					AAAA	2001:470:f891:1:105d:3f15:bd53:c5ac
+
+aux						A		42.200.147.171
 
 router.alt				A		103.206.98.200
 stewardship1.alt		A		103.206.98.201

nixbld-etc-nixos/nix-networked-derivations.patch

@@ -1,8 +1,8 @@
-diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
-index 2a09e3dd4..7dc03855f 100644
---- a/src/libstore/unix/build/local-derivation-goal.cc
-+++ b/src/libstore/unix/build/local-derivation-goal.cc
-@@ -197,6 +197,8 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
+diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
+index 64b55ca6a..9b4e52b8e 100644
+--- a/src/libstore/build/local-derivation-goal.cc
++++ b/src/libstore/build/local-derivation-goal.cc
+@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild()
  
      assert(derivationType);
  
@@ -11,7 +11,7 @@ index 2a09e3dd4..7dc03855f 100644
      /* Are we doing a chroot build? */
      {
          auto noChroot = parsedDrv->getBoolAttr("__noChroot");
-@@ -214,7 +216,7 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
+@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild()
          else if (settings.sandboxMode == smDisabled)
              useChroot = false;
          else if (settings.sandboxMode == smRelaxed)
@@ -20,7 +20,7 @@ index 2a09e3dd4..7dc03855f 100644
      }
  
      auto & localStore = getLocalStore();
-@@ -737,7 +739,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder()
                  "nogroup:x:65534:\n", sandboxGid()));
  
          /* Create /etc/hosts with localhost entry. */
@@ -29,7 +29,7 @@ index 2a09e3dd4..7dc03855f 100644
              writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
  
          /* Make the closure of the inputs available in the chroot,
-@@ -938,7 +940,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder()
             us.
          */
  
@@ -38,16 +38,16 @@ index 2a09e3dd4..7dc03855f 100644
              privateNetwork = true;
  
          userNamespaceSync.create();
-@@ -1177,7 +1179,7 @@ void LocalDerivationGoal::initEnv()
+@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv()
         to the builder is generally impure, but the output of
         fixed-output derivations is by definition pure (since we
         already know the cryptographic hash of the output). */
 -    if (!derivationType->isSandboxed()) {
 +    if (networked || !derivationType->isSandboxed()) {
-         auto & impureEnv = settings.impureEnv.get();
-         if (!impureEnv.empty())
-             experimentalFeatureSettings.require(Xp::ConfigurableImpureEnv);
-@@ -1851,7 +1853,7 @@ void LocalDerivationGoal::runChild()
+         for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
+             env[i] = getEnv(i).value_or("");
+     }
+@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild()
              /* Fixed-output derivations typically need to access the
                 network, so give them access to /etc/resolv.conf and so
                 on. */
@@ -56,21 +56,21 @@ index 2a09e3dd4..7dc03855f 100644
                  // Only use nss functions to resolve hosts and
                  // services. Don’t use it for anything else that may
                  // be configured for this system. This limits the
-@@ -2083,7 +2085,7 @@ void LocalDerivationGoal::runChild()
-                 #include "sandbox-defaults.sb"
-                 ;
- 
--            if (!derivationType->isSandboxed())
-+            if (networked || !derivationType->isSandboxed())
-                 sandboxProfile +=
-                     #include "sandbox-network.sb"
+@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild()
+                     #include "sandbox-defaults.sb"
                      ;
-diff --git a/src/libstore/unix/build/local-derivation-goal.hh b/src/libstore/unix/build/local-derivation-goal.hh
-index bf25cf2a6..28f8c1e95 100644
---- a/src/libstore/unix/build/local-derivation-goal.hh
-+++ b/src/libstore/unix/build/local-derivation-goal.hh
-@@ -83,6 +83,8 @@ struct LocalDerivationGoal : public DerivationGoal
-      */
+ 
+-                if (!derivationType->isSandboxed())
++                if (networked || !derivationType->isSandboxed())
+                     sandboxProfile +=
+                         #include "sandbox-network.sb"
+                         ;
+diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
+index 0a05081c7..4c251718c 100644
+--- a/src/libstore/build/local-derivation-goal.hh
++++ b/src/libstore/build/local-derivation-goal.hh
+@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal
+ 
      Path chrootRootDir;
  
 +    bool networked;

nixbld-etc-nixos/rt.nix

@@ -19,9 +19,14 @@ let
       Set($Timezone, '${cfg.timeZone}');
 
       Set($DatabaseType, 'Pg');
-      Set($DatabaseHost, '/run/postgresql');
-      Set($DatabaseUser, 'rt');
+      Set($DatabaseHost, 'localhost');
+      Set($DatabaseUser, 'rt_user');
       Set($DatabaseName, 'rt5');
+      # Read database password from file
+      open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
+      my $dbpw = do { local $/; <$fh> };
+      $dbpw =~ s/^\s+|\s+$//g;
+      Set($DatabasePassword, $dbpw);
 
       # System (Logging)
       Set($LogToSTDERR, undef); # Don't log twice
@@ -30,7 +35,7 @@ let
       Set($OwnerEmail, '${cfg.ownerEmail}');
       Set($MaxAttachmentSize, 15360000);
       Set($CheckMoreMSMailHeaders, 1);
-      Set($RTAddressRegexp, '^(helpdesk)\@(m-labs.hk|m-labs-intl.com)$');
+      Set($RTAddressRegexp, '^(helpdesk|sales)\@(m-labs.hk)$');
       Set($LoopsToRTOwner, 0);
 
       # System (Outgoing mail)
@@ -149,6 +154,13 @@ in {
       type = str;
     };
 
+    dbPasswordFile = mkOption {
+      description = "File containing the database password";
+      type = str;
+      default = "/etc/nixos/secret/rtpasswd";
+      internal = true;
+    };
+
     domain = mkOption {
       description = "Which domain RT is running on";
       type = str;
@@ -233,6 +245,8 @@ in {
 
           PrivateNetwork = false;
           MemoryDenyWriteExecute = false;
+
+          ReadOnlyPaths = [ cfg.dbPasswordFile ];
         };
 
         environment = {

nixops/avscan-module.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  avscan = pkgs.writeScript "avscan" ''
+    #!${pkgs.bash}/bin/bash
+
+    for user in $(cut -d":" -f1 /etc/passwd); do
+      if [ -d "/home/$user" ]; then
+          nice -15 ${pkgs.sudo}/bin/sudo -u $user ${pkgs.clamav}/bin/clamscan --recursive --quiet --infected /home/$user
+      fi
+    done
+  '';
+  cfg = config.services.avscan;
+in
+{
+  options.services.avscan = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable antivirus scan";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.clamav.updater.enable = true;
+    services.clamav.updater.interval = "daily";
+    services.clamav.updater.frequency = 1;
+
+    systemd.services.avscan = {
+      description = "Antivirus scan";
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+        ExecStart = "${avscan}";
+      };
+    };
+
+    systemd.timers.avscan = {
+      description = "Antivirus scan";
+      wantedBy = [ "timers.target" ];
+      timerConfig.OnCalendar = "Mon *-*-* 13:00:00";
+    };
+  };
+}

nixops/common-users.nix

@@ -4,7 +4,7 @@
   root = {
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
     ];
   };
   sb = {
@@ -12,7 +12,7 @@
     extraGroups = ["wheel" "plugdev" "dialout" "libvirtd"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
     ];
   };
   rj = {
@@ -55,6 +55,13 @@
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMoGOV9HoFkm6S6zMfOc8ivUcGzKFxuqpmOXKQtg2nn5Kh6ByMuuAHFlvKISILBaWgXN8lPQN9VjLuXV93oG4Pe7u8EVw20IGbA6RZ4Pnnr1xQBESPbye+72taLvyQlxGA=="
     ];
   };
+  esavkin = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout" "libvirtd"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
+    ];
+  };
   flo = {
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];
@@ -104,6 +111,13 @@
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
     ];
   };
+  architeuthis = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMhLPEGWDUauFHjiVduBMJrIMKT8SvtTDHXDVudUZrhewQy08h4NEEyWmczP4WMeyugI/L/a+J+Vc8mImgqSoHw52823LVcnR9EKnJoqnwAHU/J+41vIWAN2LAryd4p9yg=="
+    ];
+  };
   abdul = {
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];
@@ -111,21 +125,22 @@
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
     ];
   };
-  ram = {
+  lyken = {
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];
     openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCj+Mel4VIhr1nchiLhZ5YbuT9WhR5ItFhFq2QWE/h2j0Xh3UEfsT++z2I/RQ/q4Qp1EFVVBCVCnfhpdshCKAzElGf96ZhHASUE4yZv+3f+yFRVTFy8xBw2gNQE8o2vlfGq/v2SnKiqt21Y3j7zYgbSJwSSS7V3EKO++l09jjQeRV1mORwO3hDDKs+GU6RIcHcNUIrb35F08el9+IZjIQ1wehH2v8pyEQXXWSvgdGS2IOQEA4HRNg+MVg3X1i5r/YVy838jQn9neqG7PnSluXawVpNubBTwly5DzWlzhSUfeKRF+dsPv+dtyr0/JQ9B/guGXGs3ojgq2Gy4DTCo2FCm6bzZCu7nvbiEjq896KhX5YexJo6r4c34luDaTEXNf9H1oHchrQp4F7E/u0+r4YAK1N6GWUQOxTLge7abhZ1d43jVuY57vtpphw+Iouit0/XKqSOChrnazy2USfqm2xH08ZcWx/fdmBbyMhsI02378sBOwf6jFbxaSCVKXMRc5l7HBfxm6dv/C04q/P/H/6S7OscDvVB/ZTNPjMQhUE4E7McwfOga1B6O3YiPjEq0SoCp//zY5Q6ZlK+4U5eEoJj6GBnED3Xq7WcSw4pB5YlOPX1wB7gxJWlvfRaaRycDVG2I6/RJzkWfDJkW3z3YI8Cl7Y/ZwJhB1Tz9pa7qwJsS0w=="
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ88QJlh/+F/xwXQlPEmQVmtycb8FfabxCdeiP3gTHUCV8y4PLh3ubY+EsY+Xhy/GlOAPdX7KSpiII3dndYfwZWzorXVoPBhhPKEIumFBOinWfp5kRVzWOD61gCwsYoVBg=="
     ];
   };
-  newell = {
+  wanglm = {
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHZ2ziQDkzo4UrbQS1a9eiOfW8V2NTh7zjdDdVDYZa5"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNhRITe/qj/zvW2dZbXNmyJxLHPgJAynlWh6NCGGarJbkhj8c1UFLUo2Hv7xqGil4PZnPGru4WwHX0RhWS/I39UPzfVvuntRGenNqqpo2T9Ble80QCawpZ2c07w7FkVq7g=="
     ];
   };
 
+
   dpn = {
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];

nixops/desktop.nix

@@ -12,11 +12,11 @@ in
 
   boot.loader.systemd-boot.memtest86.enable = true;
   boot.loader.grub.memtest86.enable = true;
-  boot.kernel.sysctl."kernel.dmesg_restrict" = false;
 
   imports =
     [
       (./. + "/${host}-hardware-configuration.nix")
+      ./avscan-module.nix
     ];
   nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
     libp11 = super.libp11.override({ openssl = super.openssl_1_1; });
@@ -64,8 +64,8 @@ in
     xournal
     xsane
     gtkwave unzip zip gnupg
-    gnome-tweaks
-    ghex
+    gnome3.gnome-tweaks
+    gnome3.ghex
     jq sublime3 rink qemu_kvm
     tmux screen gdb minicom picocom
     artiq.packages.x86_64-linux.openocd-bscanspi
@@ -90,6 +90,8 @@ in
     setuid = true;
   };
 
+  services.avscan.enable = true;
+
   services.openssh.enable = true;
   services.openssh.authorizedKeysInHomedir = false;
   services.openssh.settings.PasswordAuthentication = false;
@@ -127,9 +129,17 @@ in
     nssmdns4 = true;
   };
 
-  hardware.graphics.enable32Bit = true;
+  # Enable sound.
+  sound.enable = true;
+  hardware.pulseaudio = {
+    enable = true;
+    package = pkgs.pulseaudioFull;
+  };
 
-  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
+  hardware.opengl.driSupport32Bit = true;
+  hardware.pulseaudio.support32Bit = true;
+
+  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
 
   # Enable the X11 windowing system.
   services.xserver.enable = true;

nixops/extra-udev.nix

@@ -24,6 +24,4 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660"
 # DSLogic
 SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
 SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
-# chinese Lattice USB-2B
-SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6010", MODE="0660", GROUP="plugdev"
 ''

nixops/juno-hardware-configuration.nix

@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ata_piix" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/3dca09c8-f725-416a-9f89-b69297698ca9";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  nixpkgs.config.nvidia.acceptLicense = true;
+  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
+  services.xserver.videoDrivers = [ "nvidia" ];
+  services.xserver.displayManager.gdm.wayland = false;
+
+  system.stateVersion = "23.05";
+}

nixops/nixops.nix

@@ -13,6 +13,7 @@
   chiron = import ./desktop.nix { host = "chiron"; };
   old-nixbld = import ./desktop.nix { host = "old-nixbld"; };
   franz = import ./desktop.nix { host = "franz"; };
+  juno = import ./desktop.nix { host = "juno"; };
   demeter = import ./desktop.nix { host = "demeter"; };
   vulcan = import ./desktop.nix { host = "vulcan"; };
   rc = import ./desktop.nix { host = "rc"; };

nixops/rpi.nix

@@ -15,7 +15,6 @@ in
   boot.loader.generic-extlinux-compatible.enable = true;
   boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208
   boot.initrd.includeDefaultModules = false;
-  boot.kernel.sysctl."kernel.dmesg_restrict" = false;
 
   fileSystems = {
     "/" = {

nixops/vulcan-hardware-configuration.nix

@@ -38,15 +38,4 @@
   hardware.cpu.intel.updateMicrocode = true;
   
   system.stateVersion = "23.05";
-
-  specialisation.virtualgpu = {
-    configuration = {
-      boot.kernelModules = [ "vfio_pci" "vfio" ];
-      boot.kernelParams = [ "intel_iommu=on" ];
-      boot.extraModprobeConfig =
-        ''
-        options vfio-pci ids=1002:67df,1002:aaf0
-        '';
-    };
-  };
 }

remote-ipsec.txt

@@ -1,49 +0,0 @@
-connections {
-  bypass-ipsec {
-    remote_addrs = 127.0.0.1
-    children {
-      bypass-isakmp-v4 {
-        local_ts = 0.0.0.0/0[udp/isakmp]
-        remote_ts = 0.0.0.0/0[udp/isakmp]
-        mode = pass
-        start_action = trap
-      }
-      bypass-isakmp-v6 {
-        local_ts = ::/0[udp/isakmp]
-        remote_ts = ::/0[udp/isakmp]
-        mode = pass
-        start_action = trap
-      }
-    }
-  }
-  m_labs {
-    version = 2
-    encap = no
-    mobike = no
-    send_certreq = no
-    proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
-    local_addrs = 103.206.98.1
-    remote_addrs = 94.190.212.123
-    local {
-      auth = pubkey
-      id = fqdn:igw0.hkg.as150788.net
-      pubkeys = igw0.hkg.as150788.net
-    }
-    remote {
-      auth = pubkey
-      id = fqdn:m-labs.hk
-      pubkeys = m-labs.hk
-    }
-    children {
-      con1 {
-        mode = transport
-        ah_proposals = sha256-curve25519,sha256-ecp256
-        esp_proposals =
-        local_ts = 103.206.98.1[gre]
-        remote_ts = 94.190.212.123[gre]
-        start_action = none
-        close_action = none
-      }
-    }
-  }
-}