add missing file

Currently not working due to shitty ISP blocking port 25.

nixbld-etc-nixos/ghbackup-179.patch

@@ -1,61 +0,0 @@
-diff --git a/github_backup/github_backup.py b/github_backup/github_backup.py
-index 4ef8b7e..82cbdca 100644
---- a/github_backup/github_backup.py
-+++ b/github_backup/github_backup.py
-@@ -425,7 +425,7 @@ def get_github_repo_url(args, repository):
-     return repo_url
- 
- 
--def retrieve_data_gen(args, template, query_args=None, single_request=False):
-+def retrieve_data_gen(args, template, query_args=None, single_request=False, optional=False):
-     auth = get_auth(args, encode=not args.as_app)
-     query_args = get_query_args(query_args)
-     per_page = 100
-@@ -452,6 +452,11 @@ def retrieve_data_gen(args, template, query_args=None, single_request=False):
-         else:
-             read_error = False
- 
-+        # Requested data does not exist for this repository, but that was expected.
-+        # Generate an empty list.
-+        if status_code == 404 and optional:
-+            return
-+
-         # be gentle with API request limit and throttle requests if remaining requests getting low
-         limit_remaining = int(r.headers.get('x-ratelimit-remaining', 0))
-         if args.throttle_limit and limit_remaining <= args.throttle_limit:
-@@ -509,8 +514,8 @@ def retrieve_data_gen(args, template, query_args=None, single_request=False):
-             break
- 
- 
--def retrieve_data(args, template, query_args=None, single_request=False):
--    return list(retrieve_data_gen(args, template, query_args, single_request))
-+def retrieve_data(args, template, query_args=None, single_request=False, optional=False):
-+    return list(retrieve_data_gen(args, template, query_args, single_request, optional))
- 
- 
- def get_query_args(query_args=None):
-@@ -1011,7 +1016,8 @@ def backup_hooks(args, repo_cwd, repository, repos_template):
-                      'hooks',
-                      template,
-                      output_file,
--                     hook_cwd)
-+                     hook_cwd,
-+                     optional=not args.include_hooks)
-     except SystemExit:
-         log_info("Unable to read hooks, skipping")
- 
-@@ -1158,12 +1164,12 @@ def backup_account(args, output_directory):
-                      account_cwd)
- 
- 
--def _backup_data(args, name, template, output_file, output_directory):
-+def _backup_data(args, name, template, output_file, output_directory, optional=False):
-     skip_existing = args.skip_existing
-     if not skip_existing or not os.path.exists(output_file):
-         log_info('Retrieving {0} {1}'.format(args.user, name))
-         mkdir_p(output_directory)
--        data = retrieve_data(args, template)
-+        data = retrieve_data(args, template, optional=optional)
- 
-         log_info('Writing {0} {1} to disk'.format(len(data), name))
-         with codecs.open(output_file, 'w', encoding='utf-8') as f:

nixbld-etc-nixos/gitea-signin.tmpl

@@ -1,11 +0,0 @@
-{{template "base/head" .}}
-<div class="page-content user signin{{if .LinkAccountMode}} icon{{end}}">
-	{{template "user/auth/signin_navbar" .}}
-	<div class="ui middle very relaxed page grid">
-		<div class="ui container column fluid">
-			{{template "user/auth/signin_inner" .}}
-			To get an account (also available to external contributors), simply write to sb@m-***s.hk.
-		</div>
-	</div>
-</div>
-{{template "base/footer" .}}

nixbld-etc-nixos/hydra-restrictdist.patch

@@ -1,32 +0,0 @@
-diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm
-index a9b0d558..71869ba0 100644
---- a/src/lib/Hydra/Controller/Root.pm
-+++ b/src/lib/Hydra/Controller/Root.pm
-@@ -19,6 +19,11 @@ use Net::Prometheus;
- # Put this controller at top-level.
- __PACKAGE__->config->{namespace} = '';
- 
-+sub isRedistRestricted {
-+  my ($path) = @_;
-+
-+  return index($path, "-RESTRICTDIST-") >= 0;
-+}
- 
- sub noLoginNeeded {
-   my ($c) = @_;
-@@ -319,6 +324,7 @@ sub nar :Local :Args(1) {
-         $path = $Nix::Config::storeDir . "/$path";
- 
-         gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path);
-+        notFound($c, "Redistribution restricted") if isRedistRestricted($path);
- 
-         $c->stash->{current_view} = 'NixNAR';
-         $c->stash->{storePath} = $path;
-@@ -368,6 +374,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
-             setCacheHeaders($c, 60 * 60);
-             return;
-         }
-+        notFound($c, "Redistribution restricted") if isRedistRestricted($path);
- 
-         $c->stash->{storePath} = $path;
-         $c->forward('Hydra::View::NARInfo');

nixbld-etc-nixos/matterbridge-disable-github.patch

@@ -1,15 +0,0 @@
-diff --git a/bridge/mattermost/helpers.go b/bridge/mattermost/helpers.go
-index 14b7469d..d9b77bdf 100644
---- a/bridge/mattermost/helpers.go
-+++ b/bridge/mattermost/helpers.go
-@@ -206,6 +206,10 @@ func (b *Bmattermost) skipMessage(message *matterclient.Message) bool {
- 		return true
- 	}
- 
-+	if message.Username == "github" {
-+		return true
-+	}
-+
- 	// if the message has reactions don't repost it (for now, until we can correlate reaction with message)
- 	if message.Post.HasReactions {
- 		return true

nixbld-etc-nixos/mattermost-github-integration/pkg.nix

@@ -1,32 +0,0 @@
-{ fetchFromGitHub, python3Packages }:
-with python3Packages;
-
-buildPythonPackage rec {
-  pname = "mattermost-github-integration";
-  version = "0.0.0-unstable";
-  src = fetchFromGitHub {
-    owner = "softdevteam";
-    repo = "mattermost-github-integration";
-    rev = "1124a0ff233b50ed6070cb84cfffd128ad219831";
-    sha256 = "1hfvjaxjhliy8sv9j3616fkdwd2jqhfsj9ai7ggx88zhxknrfx85";
-  };
-  propagatedBuildInputs = [
-    appdirs
-    click
-    flask
-    itsdangerous
-    jinja2
-    markupsafe
-    olefile
-    packaging
-    pillow
-    pyparsing
-    requests
-    six
-    werkzeug
-  ];
-  checkInputs = [
-    pytest
-  ];
-  doCheck = true;
-}

nixbld-etc-nixos/mattermost-github-integration/uwsgi-config.nix

@@ -1,15 +0,0 @@
-{ config, pkgs }:
-
-let
-  pkg = pkgs.callPackage ./pkg.nix {};
-in {
-  type = "normal";
-  pythonPackages = self: [ pkg ];
-  module = "mattermostgithub:app";
-  env = [
-    "MGI_CONFIG_FILE=${./../secret/mattermost-github-integration.py}"
-  ];
-  socket = "${config.services.uwsgi.runDir}/uwsgi-mgi.sock";
-  # allow access from nginx
-  chmod-socket = 666;
-}

nixbld-etc-nixos/nix-networked-derivations.patch

@@ -1,80 +0,0 @@
-diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
-index 64b55ca6a..9b4e52b8e 100644
---- a/src/libstore/build/local-derivation-goal.cc
-+++ b/src/libstore/build/local-derivation-goal.cc
-@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild()
- 
-     assert(derivationType);
- 
-+    networked = parsedDrv->getBoolAttr("__networked");
-+
-     /* Are we doing a chroot build? */
-     {
-         auto noChroot = parsedDrv->getBoolAttr("__noChroot");
-@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild()
-         else if (settings.sandboxMode == smDisabled)
-             useChroot = false;
-         else if (settings.sandboxMode == smRelaxed)
--            useChroot = derivationType->isSandboxed() && !noChroot;
-+            useChroot = !networked && derivationType->isSandboxed() && !noChroot;
-     }
- 
-     auto & localStore = getLocalStore();
-@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder()
-                 "nogroup:x:65534:\n", sandboxGid()));
- 
-         /* Create /etc/hosts with localhost entry. */
--        if (derivationType->isSandboxed())
-+        if (!networked && derivationType->isSandboxed())
-             writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
- 
-         /* Make the closure of the inputs available in the chroot,
-@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder()
-            us.
-         */
- 
--        if (derivationType->isSandboxed())
-+        if (!networked && derivationType->isSandboxed())
-             privateNetwork = true;
- 
-         userNamespaceSync.create();
-@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv()
-        to the builder is generally impure, but the output of
-        fixed-output derivations is by definition pure (since we
-        already know the cryptographic hash of the output). */
--    if (!derivationType->isSandboxed()) {
-+    if (networked || !derivationType->isSandboxed()) {
-         for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
-             env[i] = getEnv(i).value_or("");
-     }
-@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild()
-             /* Fixed-output derivations typically need to access the
-                network, so give them access to /etc/resolv.conf and so
-                on. */
--            if (!derivationType->isSandboxed()) {
-+            if (networked || !derivationType->isSandboxed()) {
-                 // Only use nss functions to resolve hosts and
-                 // services. Don’t use it for anything else that may
-                 // be configured for this system. This limits the
-@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild()
-                     #include "sandbox-defaults.sb"
-                     ;
- 
--                if (!derivationType->isSandboxed())
-+                if (networked || !derivationType->isSandboxed())
-                     sandboxProfile +=
-                         #include "sandbox-network.sb"
-                         ;
-diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
-index 0a05081c7..4c251718c 100644
---- a/src/libstore/build/local-derivation-goal.hh
-+++ b/src/libstore/build/local-derivation-goal.hh
-@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal
- 
-     Path chrootRootDir;
- 
-+    bool networked;
-+
-     /**
-      * RAII object to delete the chroot directory.
-      */

nixops/athena-hardware-configuration.nix

@@ -8,7 +8,6 @@
     [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.kernelPackages = pkgs.linuxPackages_latest;
   boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];

nixops/avscan-module.nix

@@ -1,45 +0,0 @@
-{ config, pkgs, lib, ... }:
-with lib;
-let
-  avscan = pkgs.writeScript "avscan" ''
-    #!${pkgs.bash}/bin/bash
-
-    for user in $(cut -d":" -f1 /etc/passwd); do
-      if [ -d "/home/$user" ]; then
-          nice -15 ${pkgs.sudo}/bin/sudo -u $user ${pkgs.clamav}/bin/clamscan --recursive --quiet --infected /home/$user
-      fi
-    done
-  '';
-  cfg = config.services.avscan;
-in
-{
-  options.services.avscan = {
-    enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = "Enable antivirus scan";
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.clamav.updater.enable = true;
-    services.clamav.updater.interval = "daily";
-    services.clamav.updater.frequency = 1;
-
-    systemd.services.avscan = {
-      description = "Antivirus scan";
-      serviceConfig = {
-        Type = "oneshot";
-        User = "root";
-        Group = "root";
-        ExecStart = "${avscan}";
-      };
-    };
-
-    systemd.timers.avscan = {
-      description = "Antivirus scan";
-      wantedBy = [ "timers.target" ];
-      timerConfig.OnCalendar = "Mon *-*-* 13:00:00";
-    };
-  };
-}

nixops/common-users.nix

@@ -4,7 +4,7 @@
   root = {
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFeXAcgndaFOUkhBdWMggb85Ee8TB34htk+NAZ8QeJHy5koASSlI7PArmsga51mEn7Gbl2FajTqawiy11kZeJtWxP1Xtyp3GG9q8wcg7ChRqrWK9dvptqbyPeDEwp2qt5A=="
     ];
   };
   sb = {
@@ -12,7 +12,7 @@
     extraGroups = ["wheel" "plugdev" "dialout" "libvirtd"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFeXAcgndaFOUkhBdWMggb85Ee8TB34htk+NAZ8QeJHy5koASSlI7PArmsga51mEn7Gbl2FajTqawiy11kZeJtWxP1Xtyp3GG9q8wcg7ChRqrWK9dvptqbyPeDEwp2qt5A=="
     ];
   };
   rj = {
@@ -26,13 +26,6 @@
     ];
   };
 
-  guest = {
-    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPsv4UMEFV0UHeHdA9R3sC+qoMxrqhcuFqwqWMI4AF/lixwcbRyA8QKiu/7R22m2u6pp+Zk6hYqcxdgClI4uN2oQhVjJX6wEgfT94vC/67OKJI/NNVsR8G0lr0ufCo4Lbw=="
-    ];
-  };
   occheung = {
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];
@@ -55,13 +48,6 @@
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMoGOV9HoFkm6S6zMfOc8ivUcGzKFxuqpmOXKQtg2nn5Kh6ByMuuAHFlvKISILBaWgXN8lPQN9VjLuXV93oG4Pe7u8EVw20IGbA6RZ4Pnnr1xQBESPbye+72taLvyQlxGA=="
     ];
   };
-  esavkin = {
-    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout" "libvirtd"];
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
-    ];
-  };
   flo = {
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];
@@ -71,7 +57,7 @@
   };
   srenblad = {
     isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
+    extraGroups = ["plugdev" "dialout" "wireshark"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLoMzO8XIkUTKUC0R05EmXn3V6gm2oMvXhh+j68G9TDBeb8x0WFkz16NPclsXdMcb2dFhtLmxUHwB5L4zWSuyYkqr0YRrtly3uwXe5Wnyz1ZAkxoq7YjQlanWSri11U8xw=="
     ];
@@ -92,7 +78,7 @@
   };
   atse = {
     isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
+    extraGroups = ["plugdev" "dialout" "wireshark"  "libvirtd"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJHMX1YDnBPQfZyGVtc93u4TIFWqnHEe6WB/eTeiOjFulitXzGfhsODZ08GzTi2+YKk7spRiPKNwRPTKFuW2PPe3Xig8b75qRMIeIVX3b7e0i6xP85eg4jdiz0LD2YGUHQ=="
     ];
@@ -111,12 +97,32 @@
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
     ];
   };
-
-  dpn = {
+  ivan = {
     isNormalUser = true;
     extraGroups = ["plugdev" "dialout"];
     openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGChLocYJi8XcSJkIjT2Olm3jPGjtRq5aORa5G9F3OqmjCfvav9Q5+2Mc64XqHtNTffnJuDe4gv+lVJatC0URvPs2HyxXmxRK0jgkkLSUsV2SYLlgMqHW3jsrdh6wKBmkg=="
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFnFOkug5NqBZ4T0tt5mj5w1es/tXbygTr63VKAGS3otK0J8SHWdGyeew3gBgnq9VhPTTRCET35dTZYyVzJdIL9bkPHInqlTSgJB1iyPo58wUtZekuZOEzUaQ8hx1uf6tg=="
+    ];
+  };
+  dly = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOPxPaBdgYLh7AJipRol7iYgqNM3LKFXtJqD90U5+oUPE7/2fvhpKi+/LwIWXIQrqXYpnjKyUQ0Hm8VWSFUEI+4HRFmdPw2CjM1SxkM6y/zLKCjAqrMfEM5E2OFLE24RLw=="
+    ];
+  };
+  bukehu = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLNiJnenGCPInVAx927ywFRC8kTEokOOz1gQMQrO5ehzjkW61h73J292qhJusMhFZs5xNun6NkNOgWoqMTQZ+9Klv0+8+GtGFEgSddOXKHOwHcyg6Bue7WFLOiREIsSkyw=="
+    ];
+  };
+  rclovis = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpn64sg7f7j4ZLFruXV9Zxaaz46tURiep5g6SsZf5xe"
     ];
   };
 }

nixops/desktop.nix

@@ -12,61 +12,56 @@ in
 
   boot.loader.systemd-boot.memtest86.enable = true;
   boot.loader.grub.memtest86.enable = true;
+  boot.kernel.sysctl."kernel.dmesg_restrict" = false;
 
   imports =
     [
       (./. + "/${host}-hardware-configuration.nix")
-      ./avscan-module.nix
     ];
-  nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
-    libp11 = super.libp11.override({ openssl = super.openssl_1_1; });
-    pam_p11 = super.pam_p11.overrideAttrs(oa: {
-      patches = [];
+  nixpkgs.config.packageOverrides = super: {
+    pam_p11 = super.pam_p11.overrideAttrs (_: {
+      version = "0.6.0";
+      src = pkgs.fetchFromGitHub {
+        owner = "OpenSC";
+        repo = "pam_p11";
+        rev = "pam_p11-0.6.0";
+        sha256 = "sha256-u5GQCuRh+P8s6hfu1PEUZdBaGEKa/K4s4tEx9xBLEoY=";
+      };
+      patches = [ ]; # pam_p11/pull/22.patch is merged since 0.4.0
       postPatch = ''
         substituteInPlace src/match_openssh.c --replace \
           '"%s/.ssh/authorized_keys", pw->pw_dir)' \
           '"/etc/ssh/authorized_keys.d/%s", pw->pw_name)'
         '';
     });
-    gnome = super.gnome // {
-       gnome-keyring = super.gnome.gnome-keyring.overrideAttrs(oa: {
-          configureFlags = oa.configureFlags ++ ["--disable-ssh-agent"];
-        });
-    };
   };
-  nixpkgs.config.permittedInsecurePackages = [
-    "openssl-1.1.1w"
-  ];
 
   boot.binfmt.emulatedSystems = [ "armv7l-linux" ];
 
   networking.hostName = host;
-  networking.firewall.allowedTCPPorts = [ 1883 ];
-  networking.firewall.allowedUDPPorts = [ 1883 ];
+  networking.firewall.enable = false;
 
   time.timeZone = "Asia/Hong_Kong";
 
   # List packages installed in system profile. To search, run:
   # $ nix search wget
-  nixpkgs.config.allowUnfree = true;
   environment.systemPackages = with pkgs; [
-    opensc yubikey-manager yubikey-manager-qt yubico-piv-tool
-    wget vim gitAndTools.gitFull sshfs
-    firefox
+    opensc
+    wget vim gitFull sshfs
     thunderbird
     chromium
+    librewolf
     usbutils pciutils uhubctl file lm_sensors audacious acpi
     gimp imagemagick
     (python3.withPackages(ps: with ps; [ numpy scipy matplotlib qtconsole regex jinja2 ]))
     texlive.combined.scheme-full
     mosh psmisc libreoffice-fresh
     inkscape
-    xournal
-    xsane
+    xournalpp
     gtkwave unzip zip gnupg
-    gnome3.gnome-tweaks
-    gnome3.ghex
-    jq sublime3 rink qemu_kvm
+    gnome-tweaks
+    ghex
+    jq rink qemu_kvm
     tmux screen gdb minicom picocom
     artiq.packages.x86_64-linux.openocd-bscanspi
     xc3sprog
@@ -74,6 +69,7 @@ in
     emacs bat ripgrep
     guake
     vscodium
+    gnome-builder
     waypipe
     virt-manager spice-gtk
     kicad
@@ -82,7 +78,6 @@ in
   programs.wireshark.enable = true;
   programs.wireshark.package = pkgs.wireshark;
   virtualisation.libvirtd.enable = true;
-  virtualisation.libvirtd.qemu.ovmf.enable = true;
   security.wrappers.spice-client-glib-usb-acl-helper = {
     source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper";
     owner = "root";
@@ -90,8 +85,6 @@ in
     setuid = true;
   };
 
-  services.avscan.enable = true;
-
   services.openssh.enable = true;
   services.openssh.authorizedKeysInHomedir = false;
   services.openssh.settings.PasswordAuthentication = false;
@@ -109,46 +102,36 @@ in
   programs.ssh.startAgent = true;
   programs.ssh.agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
   security.pam.p11.enable = true;
+  services.gnome.gcr-ssh-agent.enable = pkgs.lib.mkForce false;
 
-  # Enable CUPS to print documents.
-  services.printing = {
-    enable = true;
-    extraConf =
-      ''
-      Browsing Off
-      BrowseLocalProtocols none
-      '';
-    browsedConf =
-      ''
-      BrowseRemoteProtocols none
-      BrowseProtocols none
-      '';
-  };
-  services.avahi = {
-    enable = true;
-    nssmdns4 = true;
+  services.printing.enable = true;
+  hardware.printers = {
+    ensurePrinters = [
+      {
+        name = "sprint";
+        deviceUri = "socket://192.168.1.1";
+        model = "raw";
+      }
+    ];
+    ensureDefaultPrinter = "sprint";
   };
 
-  # Enable sound.
-  sound.enable = true;
-  hardware.pulseaudio = {
-    enable = true;
-    package = pkgs.pulseaudioFull;
-  };
+  hardware.graphics.enable32Bit = true;
 
-  hardware.opengl.driSupport32Bit = true;
-  hardware.pulseaudio.support32Bit = true;
-
-  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
+  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-color-emoji pkgs.emacs-all-the-icons-fonts ];
 
   # Enable the X11 windowing system.
   services.xserver.enable = true;
   services.xserver.xkb.layout = "us";
   services.xserver.xkb.options = "eurosign:e";
 
-  services.xserver.displayManager.gdm.enable = true;
-  services.xserver.desktopManager.gnome.enable = true;
-  environment.gnome.excludePackages = [ pkgs.epiphany ];
+  services.displayManager.gdm.enable = true;
+  services.desktopManager.gnome.enable = true;
+
+  # https://github.com/NixOS/nixpkgs/issues/149812
+  environment.extraInit = ''
+    export XDG_DATA_DIRS="$XDG_DATA_DIRS:${pkgs.gtk3}/share/gsettings-schemas/${pkgs.gtk3.name}"
+  '';
 
   systemd.suppressedSystemUnits = [
       "hibernate.target"

nixops/extra-udev.nix

@@ -24,4 +24,10 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660"
 # DSLogic
 SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
 SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
+# chinese Lattice USB-2B
+SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6010", MODE="0660", GROUP="plugdev"
+# ZWO ASI662MM
+SUBSYSTEM=="usb", ATTRS{idVendor}=="03c3", ATTRS{idProduct}=="662c", MODE="0660", GROUP="plugdev"
+
+SUBSYSTEM=="usbmon", GROUP="wireshark", MODE="0640"
 ''

nixops/helicon-hardware-configuration.nix

@@ -8,25 +8,19 @@
     [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/348c924c-1d86-44ff-84af-2594f414e7d0";
+    { device = "/dev/disk/by-uuid/7cc35d00-1e76-48fa-a724-8b0fa82f557f";
       fsType = "ext4";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/1BDC-44BB";
+    { device = "/dev/disk/by-uuid/C715-DE76";
       fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
-
-  fileSystems."/opt" =
-    { device = "/dev/disk/by-uuid/cf0f51b6-7b95-4c74-9390-37dc4c86f32b";
-      fsType = "ext4";
     };
 
   swapDevices = [ ];
@@ -36,15 +30,14 @@
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp89s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
-
   hardware.cpu.intel.updateMicrocode = true;
-
+  
   system.stateVersion = "23.11";
 }

nixops/hkg.nix

@@ -5,19 +5,18 @@
 
   network.enableRollback = true;
 
-  rpi-1 = import ./rpi.nix { host = "rpi-1"; rpi4 = true; };
-  rpi-4 = import ./rpi.nix { host = "rpi-4"; rpi4 = true; };
+  rpi-1 = import ./rpi.nix { host = "rpi-1"; lanIP = "192.168.1.201"; wanIP = "103.206.98.204"; };
+  rpi-4 = import ./rpi.nix { host = "rpi-4"; lanIP = "192.168.1.204"; wanIP = "103.206.98.205"; };
   zeus = import ./desktop.nix { host = "zeus"; };
   hera = import ./desktop.nix { host = "hera"; };
   hestia = import ./desktop.nix { host = "hestia"; };
   chiron = import ./desktop.nix { host = "chiron"; };
   old-nixbld = import ./desktop.nix { host = "old-nixbld"; };
   franz = import ./desktop.nix { host = "franz"; };
-  juno = import ./desktop.nix { host = "juno"; };
   demeter = import ./desktop.nix { host = "demeter"; };
   vulcan = import ./desktop.nix { host = "vulcan"; };
-  rc = import ./desktop.nix { host = "rc"; };
   athena = import ./desktop.nix { host = "athena"; };
   jupiter = import ./desktop.nix { host = "jupiter"; };
   saturn = import ./desktop.nix { host = "saturn"; };
+  pluto = import ./desktop.nix { host = "pluto"; };
 }

nixops/mnl.nix

@@ -0,0 +1,10 @@
+{
+  network.storage.legacy = {
+     databasefile = "~/.nixops/deployments.nixops";
+  };
+
+  network.enableRollback = true;
+
+  helicon = import ./desktop.nix { host = "helicon"; };
+  trantor = import ./desktop.nix { host = "trantor"; };
+}

nixops/pluto-hardware-configuration.nix

@@ -8,16 +8,22 @@
     [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "ehci_pci" "ata_piix" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/3dca09c8-f725-416a-9f89-b69297698ca9";
+    { device = "/dev/disk/by-uuid/3d08abf5-2144-4d76-a1af-e01694daeb66";
       fsType = "ext4";
     };
 
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/EB42-BC13";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
   swapDevices = [ ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@@ -25,18 +31,13 @@
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = true;
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-
-  nixpkgs.config.nvidia.acceptLicense = true;
-  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
-  services.xserver.videoDrivers = [ "nvidia" ];
-  services.xserver.displayManager.gdm.wayland = false;
-
-  system.stateVersion = "23.05";
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  
+  system.stateVersion = "25.05";
 }

nixops/rpi.nix

@@ -1,4 +1,4 @@
-{ host, rpi4, experimental-users ? false }:
+{ host, lanIP, wanIP }:
 
 { config, pkgs, ... }:
 let
@@ -13,8 +13,7 @@ in
 
   boot.loader.grub.enable = false;
   boot.loader.generic-extlinux-compatible.enable = true;
-  boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208
-  boot.initrd.includeDefaultModules = false;
+  boot.kernel.sysctl."kernel.dmesg_restrict" = false;
 
   fileSystems = {
     "/" = {
@@ -34,6 +33,33 @@ in
   programs.mosh.enable = true;
 
   networking.hostName = host;
+  networking.firewall.enable = true;
+  networking.useDHCP = false;
+  networking.interfaces.end0 = {
+    ipv4.addresses = [
+      {
+        address = lanIP;
+        prefixLength = 24;
+      }
+      {
+        address = wanIP;
+        prefixLength = 29;
+      }
+    ];
+    ipv4.routes = [
+      {
+        address = "192.168.0.0";
+        prefixLength = 16;
+        via = "192.168.1.1";
+      }
+      {
+        address = "0.0.0.0";
+        prefixLength = 0;
+        via = "103.206.98.200";
+      }
+    ];
+  };
+  networking.nameservers = [ "192.168.1.1" ];
 
   time.timeZone = "Asia/Hong_Kong";
 
@@ -55,10 +81,12 @@ in
 
   documentation.enable = false;
   environment.systemPackages = with pkgs; [
-    psmisc wget vim git sshfs usbutils uhubctl lm_sensors file mosh tmux
-    artiq.packages.aarch64-linux.openocd-bscanspi
-    xc3sprog
-    screen gdb minicom picocom
+     psmisc
+     usbutils
+     lm_sensors
+     wget
+     vim
+     artiq.packages.aarch64-linux.openocd-bscanspi
   ];
   programs.zsh.enable = true;
   programs.fish.enable = true;

nixops/trantor-hardware-configuration.nix

@@ -0,0 +1,33 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/5c24fd31-25f4-4c78-995c-dd6d2655627d";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/4647-5F3D";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+  
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  system.stateVersion = "25.11";
+}

nixops/vulcan-hardware-configuration.nix

@@ -38,4 +38,15 @@
   hardware.cpu.intel.updateMicrocode = true;
   
   system.stateVersion = "23.05";
+
+  specialisation.virtualgpu = {
+    configuration = {
+      boot.kernelModules = [ "vfio_pci" "vfio" ];
+      boot.kernelParams = [ "intel_iommu=on" ];
+      boot.extraModprobeConfig =
+        ''
+        options vfio-pci ids=1002:67df,1002:aaf0
+        '';
+    };
+  };
 }

nixops/zeus-hardware-configuration.nix

@@ -7,7 +7,7 @@
 
   boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ "kvm-intel" "usbmon" ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =

servers/afws-module.nix

@@ -10,16 +10,34 @@ in
       default = false;
       description = "Enable AFWS server";
     };
+    logFile = mkOption {
+      type = types.str;
+      default = "/var/lib/afws/logs/afws.log";
+      description = "Path to the log file";
+    };
+    logBackupCount = mkOption {
+      type = types.int;
+      default = 30;
+      description = "Number of daily log files to keep";
+    };
   };
 
   config = mkIf config.services.afws.enable {
     systemd.services.afws = {
       description = "AFWS server";
       wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        mkdir -p "$(dirname ${config.services.afws.logFile})"
+        chown afws:afws "$(dirname ${config.services.afws.logFile})"
+      '';
       serviceConfig = {
         User = "afws";
         Group = "afws";
-        ExecStart = "${afws}/bin/afws_server";
+        ExecStart = ''
+          ${afws}/bin/afws_server \
+            --log-file ${config.services.afws.logFile} \
+            --log-backup-count ${toString config.services.afws.logBackupCount}
+        '';
         ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
       };
       path = [ pkgs.nix pkgs.git ];

servers/backup-module.nix

@@ -12,6 +12,8 @@ let
     "/var/lib/mattermost/data/2021*"
     "/var/lib/mattermost/data/2022*"
     "/var/lib/mattermost/data/2023*"
+    "/var/lib/mattermost/data/2024*"
+    "/var/lib/mattermost/data/2025*"
   ];
   makeBackup = pkgs.writeScript "make-backup" ''
     #!${pkgs.bash}/bin/bash -p
@@ -27,9 +29,10 @@ let
     ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
     ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
     ${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql
+    ${config.services.postgresql.package}/bin/pg_dump nextcloud > nextcloud.sql
 
     exec 6< /etc/nixos/secret/backup-passphrase
-    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \
+    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /home/sb/backed /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql nextcloud.sql | \
         ${pkgs.bzip2}/bin/bzip2 | \
         ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
   '';

servers/fail2ban.nix

@@ -0,0 +1,24 @@
+{ config, ... }:
+{
+  services.fail2ban.enable = true;
+  services.fail2ban.maxretry = 7;
+  services.fail2ban.bantime-increment.enable = true;
+  services.fail2ban.jails.sshd = {
+    settings = {
+      filter = "sshd";
+      action = "iptables-allports";
+    };
+  };
+  services.fail2ban.jails.postfix = {
+    settings = {
+      filter = "postfix";
+      action = "iptables-allports";
+    };
+  };
+  services.fail2ban.jails.dovecot = {
+    settings = {
+      filter = "dovecot";
+      action = "iptables-allports";
+    };
+  };
+}

servers/flarum/default.nix

@@ -17,14 +17,14 @@ php.buildComposerProject (finalAttrs: {
   };
 
   patches = [
-    # Add useful extensions from https://github.com/FriendsOfFlarum
-    # Extensions included: fof/upload, fof/polls, fof/subscribed
-    ./fof-extensions.patch
+    # Add useful flarum extensions (polls, subscribed, upload, email-filter)
+    ./flarum-extensions.patch
+    ./flarum-captcha.patch
   ];
 
   composerLock = ./composer.lock;
   composerStrictValidation = false;
-  vendorHash = "sha256-z3KVGmILw8MZ4aaSf6IP/0l16LI/Y2yMzY2KMHf4qSg=";
+  vendorHash = "sha256-/QvM6P6E9/4W5/d4f9qksv0LyFnx0NxBcmViOd54960=";
 
   meta = with lib; {
     changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";

servers/flarum/flarum-captcha.patch

@@ -0,0 +1,98 @@
+diff --git a/extend.php b/extend.php
+index 5d5eee4..e564985 100644
+--- a/extend.php
++++ b/extend.php
+@@ -8,7 +8,93 @@
+  */
+ 
+ use Flarum\Extend;
++use Flarum\Discussion\Event\Saving as DiscussionSaving;
++use Flarum\User\Event\Saving as UserSaving;
++use Flarum\Foundation\ValidationException;
++use Flarum\Frontend\Document;
++use Illuminate\Support\Arr;
++
++function validateCaptchaAnswer(array $data): void {
++    $attrs = Arr::get($data, 'attributes', []);
++    $answer = (int) Arr::get($attrs, 'captchaAnswer');
++    $expected = (int) Arr::get($attrs, 'captchaNum1') + (int) Arr::get($attrs, 'captchaNum2');
++    if ($answer !== $expected) {
++        throw new ValidationException(['captchaAnswer' => 'Incorrect CAPTCHA answer.']);
++    }
++}
+ 
+ return [
+     // Register extenders here to customize your forum!
++    (new Extend\Frontend('forum'))->content(function (Document $document) {
++        $document->foot[] = '<script>
++        (function() {
++            var c = flarum.core.compat;
++            var extend = c["common/extend"].extend, Stream = c["common/utils/Stream"];
++            var SignUpModal = c["forum/components/SignUpModal"];
++            var DiscussionComposer = c["forum/components/DiscussionComposer"];
++            var TextEditor = c["common/components/TextEditor"], app = c["forum/app"];
++            function rand() { return Math.floor(Math.random() * 9) + 1; }
++            var NUM1 = rand(), NUM2 = rand(), STYLE = "color:#536F90;font-weight:normal";
++
++            function label(a, b) { return [m("strong", "Anti-spam question: "), "What is " + a + " + " + b + "?"]; }
++
++            extend(SignUpModal.prototype, "oninit", function() {
++                this.captchaNum1 = NUM1; this.captchaNum2 = NUM2; this.captchaAnswer = Stream("");
++            });
++            extend(SignUpModal.prototype, "fields", function(items) {
++                items.add("captcha", m("div.Form-group", [
++                    m("label", { style: STYLE }, label(this.captchaNum1, this.captchaNum2)),
++                    m("input.FormControl", {
++                        type: "text", placeholder: "Answer",
++                        bidi: this.captchaAnswer, disabled: this.loading
++                    })
++                ]), -10);
++            });
++            extend(SignUpModal.prototype, "submitData", function(data) {
++                data.captchaAnswer = this.captchaAnswer();
++                data.captchaNum1 = this.captchaNum1; data.captchaNum2 = this.captchaNum2;
++            });
++
++            extend(DiscussionComposer.prototype, "oninit", function() {
++                if (!app.session.user) {
++                    var f = this.composer.fields;
++                    f.captchaNum1 = NUM1; f.captchaNum2 = NUM2;
++                    f.captchaAnswer = f.captchaAnswer || Stream("");
++                }
++            });
++            extend(TextEditor.prototype, "controlItems", function(items) {
++                var f = this.attrs.composer && this.attrs.composer.fields;
++                if (f && f.captchaAnswer && !app.session.user) {
++                    items.add("captcha", m("li", {
++                        style: "display:flex;align-items:center;gap:8px;margin-right:10px"
++                    }, [
++                        m("span", { style: STYLE }, label(f.captchaNum1, f.captchaNum2)),
++                        m("input.FormControl", {
++                            style: "width:80px;padding:4px 8px", type: "text",
++                            placeholder: "Answer", bidi: f.captchaAnswer, disabled: this.attrs.disabled
++                        })
++                    ]), 100);
++                }
++            });
++            extend(DiscussionComposer.prototype, "data", function(data) {
++                var f = this.composer.fields;
++                if (!app.session.user && f.captchaAnswer) {
++                    data.captchaAnswer = f.captchaAnswer();
++                    data.captchaNum1 = f.captchaNum1; data.captchaNum2 = f.captchaNum2;
++                }
++            });
++        })();
++        </script>';
++    }),
++
++    (new Extend\Event())->listen(DiscussionSaving::class,
++        function (DiscussionSaving $event) {
++            if ($event->actor->isGuest() && !$event->discussion->exists)
++                validateCaptchaAnswer($event->data);
++        }),
++
++    (new Extend\Event())->listen(UserSaving::class,
++        function (UserSaving $event) {
++            if (!$event->user->exists) validateCaptchaAnswer($event->data);
++        }),
+ ];

servers/flarum/flarum-extensions.patch

@@ -1,8 +1,8 @@
 diff --git a/composer.json b/composer.json
-index c63b5f8..5ad1186 100644
+index c63b5f8..bfb82ae 100644
 --- a/composer.json
 +++ b/composer.json
-@@ -37,7 +37,10 @@
+@@ -37,7 +37,12 @@
          "flarum/sticky": "*",
          "flarum/subscriptions": "*",
          "flarum/suspend": "*",
@@ -10,7 +10,9 @@ index c63b5f8..5ad1186 100644
 +        "flarum/tags": "*",
 +        "fof/polls": "*",
 +        "fof/subscribed": "*",
-+        "fof/upload": "*"
++        "fof/upload": "*",
++        "nyu8/flarum-email-filter": "^1.0",
++        "convo-extensions/flarum-ext-guest-posting": "*"
      },
      "config": {
          "preferred-install": "dist",

servers/gitea-home.tmpl

@@ -15,7 +15,10 @@
 	<div class="ui stackable middle very relaxed page grid">
 		<div class="sixteen wide center column">
 			<p class="large">
-				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-***.hk stating the username you would like to have.
+				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="M-Labs/">M-Labs organization</a> where our main projects such as ARTIQ are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-labs.hk stating the username you would like to have.
+			</p>
+			<p class="large">
+			To quickly post a public issue report or other feedback or questions, you may use the <a href="https://forum.m-labs.hk">forum</a> (no registration required).
 			</p>
 		</div>
 	</div>

servers/github-backup-module.nix

@@ -1,26 +1,14 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
-  python-github-backup = pkgs.python3Packages.buildPythonApplication {
-    name = "python-github-backup";
-    src = pkgs.fetchFromGitHub {
-      owner = "josegonzalez";
-      repo = "python-github-backup";
-      rev = "18e78a4d66120961590836e63d1fa939e4d036f3";
-      sha256 = "1c5qxyv322z5zkx8mxdwdqrnjgqhk00aqcgwkn53b4xkfr2idkbn";
-    };
-    patches = [ ./ghbackup-179.patch ];
-    propagatedBuildInputs = [ pkgs.git ];
-  };
   token = (import /etc/nixos/secret/github_tokens.nix).backup;
   makeBackup = pkgs.writeScript "make-ghbackup" ''
     #!${pkgs.bash}/bin/bash
 
     set -e
 
-    ${python-github-backup}/bin/github-backup m-labs -t ${token} --all -i -o /var/lib/ghbackup/m-labs
-    ${python-github-backup}/bin/github-backup quartiq -t ${token} --all -i -o /var/lib/ghbackup/quartiq
-    ${python-github-backup}/bin/github-backup sinara-hw -t ${token} --all -i -o /var/lib/ghbackup/sinara-hw
+    ${pkgs.github-backup}/bin/github-backup quartiq -t ${token} --all -i -o /var/lib/ghbackup/quartiq
+    ${pkgs.github-backup}/bin/github-backup sinara-hw -t ${token} --all -i -o /var/lib/ghbackup/sinara-hw
 
     echo GitHub backup done
   '';

servers/humidor-configuration.nix

@@ -0,0 +1,368 @@
+{ config, lib, pkgs, ... }:
+
+let
+  netifWan = "eno1";
+  netifLan = "eno2";
+  netifWifi = "wlp3s0";
+  netifMLSI = "wgm0";
+in
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./fail2ban.nix
+      ./snm.nix
+    ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.copyKernels = true;
+  boot.loader.grub.device = "nodev";
+  boot.loader.grub.efiSupport = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.supportedFilesystems.zfs = true;
+
+  nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
+    nixops_unstable_minimal = super.nixops_unstable_minimal.overrideAttrs (oa: {
+        patches = oa.patches or [] ++ [
+          ./nixops-skip-unreachable-host.patch
+          ./nixops-fix-deprecated-pipes.patch
+        ];
+    });
+  };
+
+  networking.hostName = "humidor";
+  networking.hostId = "e423f013";
+
+  time.timeZone = "Asia/Manila";
+
+  networking.useDHCP = false;
+  networking.interfaces."${netifWan}" = {
+    ipv4.addresses = [
+      {
+        address = "27.49.56.174";
+        prefixLength = 26;
+      }
+    ];
+    ipv4.routes = [
+      {
+        address = "0.0.0.0";
+        prefixLength = 0;
+        via = "27.49.56.129";
+      }
+    ];
+  };
+
+  users.extraGroups.plugdev = { };
+  users.extraUsers.root = {
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFeXAcgndaFOUkhBdWMggb85Ee8TB34htk+NAZ8QeJHy5koASSlI7PArmsga51mEn7Gbl2FajTqawiy11kZeJtWxP1Xtyp3GG9q8wcg7ChRqrWK9dvptqbyPeDEwp2qt5A=="
+    ];
+    shell = pkgs.fish;
+  };
+  users.extraUsers.sb = {
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFeXAcgndaFOUkhBdWMggb85Ee8TB34htk+NAZ8QeJHy5koASSlI7PArmsga51mEn7Gbl2FajTqawiy11kZeJtWxP1Xtyp3GG9q8wcg7ChRqrWK9dvptqbyPeDEwp2qt5A=="
+    ];
+    shell = pkgs.fish;
+  };
+  users.extraUsers.morgan = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
+    ];
+    shell = pkgs.fish;
+  };
+  users.extraUsers.flo = {
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
+    ];
+    shell = pkgs.fish;
+  };
+  users.mutableUsers = false;
+
+  services.udev.extraRules =
+    ''
+    SUBSYSTEM=="usb", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6011", MODE="0660", GROUP="plugdev"
+    '';
+
+  hardware.bluetooth.enable = false;
+  systemd.coredump.enable = false;
+  security.sudo.enable = false;
+  security.wrappers = {
+    fusermount.setuid = lib.mkForce false;
+    fusermount3.setuid = lib.mkForce false;
+    mount.setuid = lib.mkForce false;
+    umount.setuid = lib.mkForce false;
+    newuidmap.setuid = lib.mkForce false;
+    newgidmap.setuid = lib.mkForce false;
+  };
+  services.dbus.implementation = "broker";
+  # crashes redis-rspamd
+  #environment.memoryAllocator.provider = "graphene-hardened";
+  boot.kernelPackages = pkgs.linuxPackages_hardened;
+  boot.kernelParams = [
+    "slab_nomerge"
+    "init_on_alloc=1"
+    "init_on_free=1"
+    "page_alloc.shuffel=1"
+    "pti=on"
+    "randomize_kstack_offset=on"
+    "vsyscall=none"
+    "debugfs=off"
+    "oops=panic"
+    "module.sig_enforce=1"
+  ];
+  boot.blacklistedKernelModules = [ "bluetooth" "btusb" "ov13858" "v4l2_fwnode" "v4l2_async" "thunderbolt" ];
+  networking.enableIPv6 = false;
+  boot.kernel.sysctl = {
+    "fs.suid_dumpable" = 0;
+    "kernel.kptr_restrict" = 2;
+    "kernel.unprivileged_bpf_disabled" = 1;
+    "dev.tty.ldisk_autoload" = 0;
+    "vm.unprivileged_userfaultfd" = 0;
+    "kernel.kexec_load_disabled" = 1;
+    "kernel.sysrq" = 4;
+    "kernel.unprivileged_userns_clone" = 1;
+    "kernel.perf_event_paranoid" = 3;
+
+    "net.ipv4.tcp_syncookies" = 1;
+    "net.ipv4.tcp_rfc1337" = 1;
+    "net.ipv4.conf.default.rp_filter" = 1;
+    "net.ipv4.conf.all.rp_filter" = 1;
+
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+
+    "net.ipv4.conf.all.forwarding" = 0;
+    "net.ipv4.conf.default.accept_source_route" = 0;
+    "net.ipv4.conf.all.accept_source_route" = 0;
+
+    "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+
+    "kernel.yama.ptrace_scope" = 2;
+
+    "vm.mmap_rnd_bits" = 32;
+    "vm.mmap_rnd_compat_bits" = 16;
+
+    "fs.protected_symlinks" = 1;
+    "fs.protected_hardlinks" = 1;
+    "fs.protected_fifos" = 2;
+    "fs.protected_regular" = 2;
+
+    "kernel.randomize_va_space" = 2;
+    "kernel.exec-shield" = 1;
+
+    "net.ipv4.tcp_fastopen" = 3;
+    "net.ipv4.tcp_congestion_control" = "bbr";
+    "net.core.default_qdisc" = "cake";
+  };
+
+  environment.systemPackages = with pkgs; [
+    lm_sensors
+    acpi
+    usbutils
+    pciutils
+    iw
+    nvme-cli
+    smartmontools
+    psmisc
+
+    wget
+    bind
+    whois
+    wireguard-tools
+
+    vim
+    git
+
+    nixops_unstable_minimal
+  ];
+
+  services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = false;
+  services.openssh.settings.GatewayPorts = "clientspecified";
+  services.openssh.settings.X11Forwarding = true;
+  services.openssh.authorizedKeysInHomedir = false;
+  programs.mosh.enable = true;
+  programs.tmux.enable = true;
+  programs.fish.enable = true;
+
+  services.hostapd = {
+    enable = true;
+    radios.${netifWifi} = {
+      band = "2g";
+      channel = 7;
+      countryCode = "PH";
+      networks.${netifWifi} = {
+        ssid = "MLSI";
+        authentication.mode = "wpa3-sae-transition";
+        authentication.saePasswordsFile = "/etc/nixos/secret/wifi_password";
+        authentication.wpaPasswordFile = "/etc/nixos/secret/wifi_password";
+      };
+    };
+  };
+  networking.nat = {
+    enable = true;
+    externalInterface = netifWan;
+    internalInterfaces = [ netifLan netifWifi ];
+  };
+  services.unbound = {
+    enable = true;
+    settings.server.port = 5353;
+  };
+  networking.interfaces."${netifLan}" = {
+    ipv4.addresses = [{
+      address = "192.168.5.1";
+      prefixLength = 24;
+    }];
+  };
+  networking.interfaces."${netifWifi}" = {
+    ipv4.addresses = [{
+      address = "192.168.4.1";
+      prefixLength = 24;
+    }];
+  };
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      server = [
+        "127.0.0.1#5353"
+        "/hkg.mlsi/192.168.1.1"
+      ];
+      interface = [ netifLan netifWifi ];
+      bind-interfaces = true;
+      dhcp-range = [
+        "interface:${netifLan},192.168.5.80,192.168.5.180,24h"
+        "interface:${netifWifi},192.168.4.80,192.168.4.180,24h"
+      ];
+      no-resolv = true;
+      no-hosts = true;
+      expand-hosts = true;
+      addn-hosts = builtins.toString (pkgs.writeText "hosts"
+        ''
+        192.168.4.1 humidor
+        '');
+      domain = "mnl.mlsi";
+    };
+  };
+  networking.firewall.allowedTCPPorts = [ 53 80 443 ];
+  networking.firewall.allowedUDPPorts = [ 53 67 51820 ];
+  networking.firewall.logRefusedConnections = false;
+
+  networking.wireguard.interfaces = {
+    "${netifMLSI}" = {
+      ips = [ "10.47.4.2/24" ];
+      listenPort = 51820;
+      privateKeyFile = "/etc/nixos/secret/wg-client-key";
+      peers = [
+        {
+          publicKey = "GCQw3X26u8C/d3k9TackTp/uqLEvs5IcV2aYcE+TPlQ=";
+          allowedIPs = [ "10.47.4.0/24" "192.168.0.0/16" ];
+          endpoint = "94.190.212.123:51820";
+        }
+      ];
+    };
+  };
+
+  users.groups.webupload = {};
+  users.users.webupload = {
+    isNormalUser = true;  # rsync is unhappy with isSystemUser
+    group = "webupload";
+    createHome = true;
+    home = "/var/webupload";
+    homeMode = "755";
+    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIfnQVqrxtbBNtdVLC052BGPhP6v+lR1Li5LkTLYURoD" ];
+  };
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "sb@m-labs.ph";
+  services.nginx = {
+    enable = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "m-labs.ph" = {
+        forceSSL = true;
+        enableACME = true;
+        root = "/var/webupload/m-labs.ph";
+        locations."/rfq".extraConfig = ''
+          include ${pkgs.nginx}/conf/uwsgi_params;
+          uwsgi_param ORIGIN_DOMAIN "m-labs.ph";
+          uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-rfq.sock;
+        '';
+      };
+      "www.m-labs.ph" = {
+        addSSL = true;
+        enableACME = true;
+        globalRedirect = "m-labs.ph";
+      };
+      "git.m-labs.ph" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "https://git.m-labs.hk";
+          extraConfig = "proxy_set_header Host $proxy_host;";
+        };
+      };
+      "m-labs-intl.com" = {
+        forceSSL = true;
+        enableACME = true;
+        root = "/var/webupload/m-labs-intl.com";
+        locations."/rfq".extraConfig = ''
+          include ${pkgs.nginx}/conf/uwsgi_params;
+          uwsgi_param ORIGIN_DOMAIN "m-labs-intl.com";
+          uwsgi_pass unix:${config.services.uwsgi.runDir}/uwsgi-rfq.sock;
+        '';
+      };
+      "www.m-labs-intl.com" = {
+        addSSL = true;
+        enableACME = true;
+        globalRedirect = "m-labs-intl.com";
+      };
+      "git.m-labs-intl.com" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "https://git.m-labs.hk";
+          extraConfig = "proxy_set_header Host $proxy_host;";
+        };
+      };
+    };
+  };
+  services.uwsgi = {
+    enable = true;
+    plugins = [ "python3" ];
+    instance = {
+      type = "emperor";
+      vassals = {
+        rfq = import ./rfq/uwsgi-config.nix { inherit config pkgs; };
+      };
+    };
+  };
+
+  mailserver = {
+    enable = true;
+    stateVersion = 3;
+    localDnsResolver = false;  # conflicts with dnsmasq
+    fqdn = "mail.m-labs.ph";
+    domains = [ "m-labs-intl.com" ];
+    certificateScheme = "acme-nginx";
+  } // (import /etc/nixos/secret/email_settings_mnl.nix);
+
+  nix.extraOptions = ''
+    experimental-features = nix-command flakes
+  '';
+
+  system.stateVersion = "25.11"; # Did you read the comment?
+}
+

servers/hydra-fix-product-name.patch

@@ -0,0 +1,13 @@
+diff --git a/src/hydra-queue-runner/build-result.cc b/src/hydra-queue-runner/build-result.cc
+index aa98acbb..70d6ce78 100644
+--- a/src/hydra-queue-runner/build-result.cc
++++ b/src/hydra-queue-runner/build-result.cc
+@@ -93,7 +93,7 @@ BuildOutput getBuildOutput(
+             if (file == narMembers.end()) continue;
+ 
+             product.name = product.path == store->printStorePath(output) ? "" : baseNameOf(product.path);
+-            if (!std::regex_match(product.name, std::regex("[a-zA-Z0-9.@:_ -]*")))
++            if (!std::regex_match(product.name, std::regex("[a-zA-Z0-9.@:_+ -]*")))
+                 product.name = "";
+ 
+             if (file->second.type == SourceAccessor::Type::tRegular) {

servers/mattermost-remove-free-banner.patch

@@ -0,0 +1,208 @@
+diff --git a/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx b/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
+index 2773ba5184..52e2c16c06 100644
+--- a/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
++++ b/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
+@@ -9,10 +9,6 @@ import Logo from 'components/common/svg_images_components/logo_dark_blue_svg';
+ const ProductBrandingTeamEditionContainer = styled.span`
+     display: flex;
+     align-items: center;
+-
+-    > * + * {
+-        margin-left: 8px;
+-    }
+ `;
+ 
+ const StyledLogo = styled(Logo)`
+@@ -21,21 +17,6 @@ const StyledLogo = styled(Logo)`
+     }
+ `;
+ 
+-const Badge = styled.span`
+-    display: flex;
+-    align-self: center;
+-    padding: 2px 6px;
+-    border-radius: var(--radius-s);
+-    margin-left: 12px;
+-    background: rgba(var(--sidebar-text-rgb), 0.08);
+-    color: rgba(var(--sidebar-text-rgb), 0.75);
+-    font-family: 'Open Sans', sans-serif;
+-    font-size: 10px;
+-    font-weight: 600;
+-    letter-spacing: 0.025em;
+-    line-height: 16px;
+-`;
+-
+ const ProductBrandingTeamEdition = (): JSX.Element => {
+     return (
+         <ProductBrandingTeamEditionContainer tabIndex={-1}>
+@@ -43,7 +24,6 @@ const ProductBrandingTeamEdition = (): JSX.Element => {
+                 width={116}
+                 height={20}
+             />
+-            <Badge>{'FREE EDITION'}</Badge>
+         </ProductBrandingTeamEditionContainer>
+     );
+ };
+diff --git a/channels/src/components/header_footer_route/header.scss b/channels/src/components/header_footer_route/header.scss
+index c2e6fbd187..6e6d01e872 100644
+--- a/channels/src/components/header_footer_route/header.scss
++++ b/channels/src/components/header_footer_route/header.scss
+@@ -45,23 +45,6 @@
+                 width: 170px;
+                 fill: var(--center-channel-color);
+             }
+-
+-            .freeBadge {
+-                position: relative;
+-                top: 1px;
+-                display: flex;
+-                align-self: center;
+-                padding: 2px 6px;
+-                border-radius: var(--radius-s);
+-                margin-left: 12px;
+-                background: rgba(var(--center-channel-color-rgb), 0.08);
+-                color: rgba(var(--center-channel-color-rgb), 0.75);
+-                font-family: 'Open Sans', sans-serif;
+-                font-size: 10px;
+-                font-weight: 600;
+-                letter-spacing: 0.025em;
+-                line-height: 16px;
+-            }
+         }
+     }
+ 
+@@ -83,12 +66,6 @@
+             margin-top: 12px;
+         }
+     }
+-
+-    &.has-free-banner.has-custom-site-name {
+-        .header-back-button {
+-            bottom: -20px;
+-        }
+-    }
+ }
+ 
+ @media screen and (max-width: 699px) {
+diff --git a/channels/src/components/header_footer_route/header.tsx b/channels/src/components/header_footer_route/header.tsx
+index 8cd1d8a624..55554fb0ad 100644
+--- a/channels/src/components/header_footer_route/header.tsx
++++ b/channels/src/components/header_footer_route/header.tsx
+@@ -25,33 +25,15 @@ const Header = ({alternateLink, backButtonURL, onBackButtonClick}: HeaderProps)
+ 
+     const ariaLabel = SiteName || 'Mattermost';
+ 
+-    let freeBanner = null;
+-    if (license.IsLicensed === 'false') {
+-        freeBanner = <><Logo/><span className='freeBadge'>{'FREE EDITION'}</span></>;
+-    }
+-
+     let title: React.ReactNode = SiteName;
+     if (title === 'Mattermost') {
+-        if (freeBanner) {
+-            title = '';
+-        } else {
+-            title = <Logo/>;
+-        }
++        title = <Logo/>;
+     }
+ 
+     return (
+-        <div className={classNames('hfroute-header', {'has-free-banner': freeBanner, 'has-custom-site-name': title})}>
++        <div className={classNames('hfroute-header', {'has-custom-site-name': title})}>
+             <div className='header-main'>
+                 <div>
+-                    {freeBanner &&
+-                        <Link
+-                            className='header-logo-link'
+-                            to='/'
+-                            aria-label={ariaLabel}
+-                        >
+-                            {freeBanner}
+-                        </Link>
+-                    }
+                     {title &&
+                         <Link
+                             className='header-logo-link'
+diff --git a/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx b/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
+index 35646539c4..fbdbb39710 100644
+--- a/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
++++ b/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
+@@ -1,42 +1,17 @@
+ // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+ // See LICENSE.txt for license information.
+ 
+-import React from 'react';
+-import {useIntl} from 'react-intl';
+ import {useSelector} from 'react-redux';
+-import styled from 'styled-components';
+ 
+ import {getLicense} from 'mattermost-redux/selectors/entities/general';
+ 
+-import ExternalLink from 'components/external_link';
+-
+-import {LicenseLinks} from 'utils/constants';
+-
+ import './menu_item.scss';
+ 
+-const FreeVersionBadge = styled.div`
+-     position: relative;
+-     top: 1px;
+-     display: flex;
+-     padding: 2px 6px;
+-     border-radius: var(--radius-s);
+-     margin-bottom: 6px;
+-     background: rgba(var(--center-channel-color-rgb), 0.08);
+-     color: rgba(var(--center-channel-color-rgb), 0.75);
+-     font-family: 'Open Sans', sans-serif;
+-     font-size: 10px;
+-     font-weight: 600;
+-     letter-spacing: 0.025em;
+-     line-height: 16px;
+-`;
+-
+ type Props = {
+     id: string;
+ }
+ 
+ const MenuStartTrial = (props: Props): JSX.Element | null => {
+-    const {formatMessage} = useIntl();
+-
+     const license = useSelector(getLicense);
+     const isCurrentLicensed = license?.IsLicensed;
+ 
+@@ -44,33 +19,7 @@ const MenuStartTrial = (props: Props): JSX.Element | null => {
+         return null;
+     }
+ 
+-    return (
+-        <li
+-            className={'MenuStartTrial'}
+-            role='menuitem'
+-            id={props.id}
+-        >
+-            <FreeVersionBadge>{'FREE EDITION'}</FreeVersionBadge>
+-            <div className='editionText'>
+-                {formatMessage(
+-                    {
+-                        id: 'navbar_dropdown.versionText',
+-                        defaultMessage: 'This is the free <link>unsupported</link> edition of Mattermost.',
+-                    },
+-                    {
+-                        link: (msg: React.ReactNode) => (
+-                            <ExternalLink
+-                                location='menu_start_trial.unsupported-link'
+-                                href={LicenseLinks.UNSUPPORTED}
+-                            >
+-                                {msg}
+-                            </ExternalLink>
+-                        ),
+-                    },
+-                )}
+-            </div>
+-        </li>
+-    );
++    return null;
+ };
+ 
+ export default MenuStartTrial;

servers/named/193thz.com

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	ns.193thz.com. sb.m-labs.hk. (
-							2024060201
+							2026012201
 							7200
 							3600
 							86400
@@ -13,7 +13,6 @@ $TTL 7200
 
 						A		94.190.212.123
 						A		202.77.7.238
-						AAAA	2001:470:18:390::2
 						MX		10 mail.m-labs.hk.
 						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
 						TXT		"google-site-verification=5eIjLyhM_siRg5Fc2Z3AMSbheH0JFOn5iR3TCEXakqU"
@@ -21,9 +20,8 @@ $TTL 7200
 
 
 ns						A		94.190.212.123
-ns						AAAA	2001:470:18:390::2
 
 mail._domainkey			TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9T0cONxGXeyETE0bJ6NJVGT58fVFrfb+WxQhMskCN/mJhODyDTkRCjzE8ZnKhZGjkFZNG+PoSZlW+kpSS1LvMwzQpMRaH4zAzIexffR0l7rJR1MuQiVMsfGWpO2SLEuN74L2qH8SUBHZjrRpeSaFxwQm+prIOzZe5wTZStt/6qQIDAQAB"
-_dmarc					TXT	"v=DMARC1; p=none"
+_dmarc					TXT	"v=DMARC1; p=quarantine"
 
 www						CNAME	@

servers/named/200-29.98.206.103.in-addr.arpa

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
-							2024060201
+							2026010701
 							7200
 							3600
 							86400
@@ -16,5 +16,5 @@ $TTL 7200
 201	PTR	stewardship1.alt.m-labs.hk.
 202	PTR	stewardship2.alt.m-labs.hk.
 203	PTR	atse.alt.m-labs.hk.
-204	PTR	nasty-gareth.alt.m-labs.hk.
-205	PTR	zynq.alt.m-labs.hk.
+204	PTR	rpi-1.alt.m-labs.hk.
+205	PTR	rpi-4.alt.m-labs.hk.

servers/named/m-labs-intl.com

@@ -1,7 +1,7 @@
 $TTL 7200
 
-@						SOA	ns.m-labs-intl.com. sb.m-labs.hk. (
-							2024101401
+@						SOA	ns.m-labs-intl.com. sb.m-labs.ph. (
+							2026020805
 							7200
 							3600
 							86400
@@ -12,19 +12,17 @@ $TTL 7200
 						NS		ns1.he.net.
 						NS		ns1.qnetp.net.
 
-						A		5.78.86.156
-						AAAA	2a01:4ff:1f0:83de::1
+						A		27.49.56.174
 						MX		10 mail.m-labs-intl.com.
 						TXT		"v=spf1 mx -all"
 						TXT		"google-site-verification=BlQd5_5wWW7calKC7bZA0GdoxR8-zj4gwJEg9sGJ3l8"
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1768317117"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/3041725546"
 
 ns						A		94.190.212.123
-ns						AAAA	2001:470:18:390::2
 
 mail					A		5.78.86.156
 mail._domainkey			IN	TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
-_dmarc					TXT		"v=DMARC1; p=none"
+_dmarc					TXT		"v=DMARC1; p=quarantine"
 
-www						CNAME	@
-hooks					CNAME	@
+www						CNAME @
+git						CNAME @

servers/named/m-labs.hk

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
-							2024080501
+							2026020801
 							7200
 							3600
 							86400
@@ -14,7 +14,6 @@ $TTL 7200
 
 						A		94.190.212.123
 						A		202.77.7.238
-						AAAA	2001:470:18:390::2
 						MX		10 mail.m-labs.hk.
 						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
 						TXT		"google-site-verification=Tf_TEGZLG7-2BE70hMjLnzjDZ1qUeUZ6vxzbl1sagT8"
@@ -23,31 +22,25 @@ $TTL 7200
 
 mail					A		94.190.212.123
 mail					A		202.77.7.238
-mail					AAAA	2001:470:18:390::2
 mail._domainkey			TXT		"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl38A/Z0IInVU157qzrWgMfYm2iDHoWZsTyiiOoZdT7kHMzS/M2OMXMt7r5g1/7pCPClsGUDJvKGqVMmjJuPleMyKHwpGeT92qDNEFpt6ahneap/oYx5eBYM/vGcgmleNxyIoBHsptaZvqD4vCEFaC22f8UL5QAgQD3wCH3FwlpQIDAQAB"
-_dmarc					TXT		"v=DMARC1; p=none"
+_dmarc					TXT		"v=DMARC1; p=quarantine"
 
-lab						CNAME	@
-www						CNAME	@
 nixbld					CNAME	@
+www						CNAME	@
 msys2					CNAME	@
 conda					CNAME	@
 afws					CNAME	@
 git						CNAME	@
 chat					CNAME	@
-hooks					CNAME	@
 forum					CNAME	@
 perso					CNAME	@
 rt						CNAME	@
 files					CNAME	@
-docs					CNAME	@
-
-rpi-1					AAAA	2001:470:f891:1:dea6:32ff:fe8a:6a93
-rpi-4					AAAA	2001:470:f891:1:dea6:32ff:fe14:fce9
 
 router.alt				A		103.206.98.200
 stewardship1.alt		A		103.206.98.201
 stewardship2.alt		A		103.206.98.202
 atse.alt				A		103.206.98.203
-nasty-gareth.alt		A		103.206.98.204
-zynq.alt				A		103.206.98.205
+atse.alt            CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/2877959276"
+rpi-1.alt		    A		103.206.98.204
+rpi-4.alt			A		103.206.98.205

servers/named/m-labs.ph

@@ -1,7 +1,7 @@
 $TTL 7200
 
-@						SOA	ns1.m-labs.ph. sb.m-labs.hk. (
-							2024060201
+@						SOA	ns1.m-labs.ph. sb.m-labs.ph. (
+							2026021401
 							7200
 							3600
 							86400
@@ -11,18 +11,18 @@ $TTL 7200
 						NS		ns1.m-labs.ph.
 						NS		ns1.he.net.
 
-						A		94.190.212.123
-						A		202.77.7.238
-						AAAA	2001:470:18:390::2
+						A		27.49.56.174
 						MX		10 mail.m-labs.hk.
 						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
 						TXT		"google-site-verification=g2k8M1fhbYOPs4C37SeGCfNlD6paWcexamji1DXrp0o"
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/3041725546"
 
 ns1						A		94.190.212.123
-ns1						AAAA	2001:470:18:390::2
+mail          A   27.49.56.174
 
 mail._domainkey			TXT		"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPUlkoA4Gucsin6P5LSohSOpPbpOELkbKDz9MmB4Zzj4QdcQNtMzU3Uis8WZwVXknQ/6URoDdTa4aR8+PwMi5fjKpLM8ZAnnHJHYebZPDRq6lQo3VGdaCu9NhdjYwFhvK9VRyhwI9i7DUptdLsu/OzbgTlCdWQTOr+MFEkYwmxLQIDAQAB"
-_dmarc					TXT		"v=DMARC1; p=none"
+_dmarc					TXT		"v=DMARC1; p=quarantine"
 
+humidor						CNAME	@
 www						CNAME	@
+git						CNAME	@

servers/named/malloctech.fr

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	ns.malloctech.fr. sb.m-labs.hk. (
-							2024060201
+							2026012201
 							7200
 							3600
 							86400
@@ -17,7 +17,6 @@ $TTL 7200
 						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
 
 ns						A		94.190.212.123
-ns						AAAA	2001:470:18:390::2
 
 mail._domainkey			TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+Op2B9cdVxwyweChOBJtk4LGkLUfxunI3a7sSL0aVnntfPWkKgY7zTL8iOJaqdt/DkkvOz++HEsn3AzleXsdibaTC9x6kgrMVgkrsYOKA4bWDLJiUfgq7vvRMdkw6rOqlJp9+faXKIKwtMG9Ckd1+rHBsaFwe7EE0coLbhGZaQQIDAQAB"
-_dmarc					TXT	"v=DMARC1; p=none"
+_dmarc					TXT	"v=DMARC1; p=quarantine"

servers/nix-networked-derivations.patch

@@ -0,0 +1,85 @@
+diff --git a/src/libstore/derivation-options.cc b/src/libstore/derivation-options.cc
+index 1acb9dc03..72e67abde 100644
+--- a/src/libstore/derivation-options.cc
++++ b/src/libstore/derivation-options.cc
+@@ -249,6 +249,7 @@ DerivationOptions::fromStructuredAttrs(const StringMap & env, const StructuredAt
+         .impureHostDeps = getStringSetAttr(env, parsed, "__impureHostDeps").value_or(defaults.impureHostDeps),
+         .impureEnvVars = getStringSetAttr(env, parsed, "impureEnvVars").value_or(defaults.impureEnvVars),
+         .allowLocalNetworking = getBoolAttr(env, parsed, "__darwinAllowLocalNetworking", defaults.allowLocalNetworking),
++        .networked = getBoolAttr(env, parsed, "__networked", defaults.networked),
+         .requiredSystemFeatures =
+             getStringSetAttr(env, parsed, "requiredSystemFeatures").value_or(defaults.requiredSystemFeatures),
+         .preferLocalBuild = getBoolAttr(env, parsed, "preferLocalBuild", defaults.preferLocalBuild),
+@@ -348,6 +349,7 @@ DerivationOptions adl_serializer<DerivationOptions>::from_json(const json & json
+         .impureHostDeps = getStringSet(valueAt(json, "impureHostDeps")),
+         .impureEnvVars = getStringSet(valueAt(json, "impureEnvVars")),
+         .allowLocalNetworking = getBoolean(valueAt(json, "allowLocalNetworking")),
++        .networked = getBoolean(valueAt(json, "networked")),
+ 
+         .requiredSystemFeatures = getStringSet(valueAt(json, "requiredSystemFeatures")),
+         .preferLocalBuild = getBoolean(valueAt(json, "preferLocalBuild")),
+@@ -380,6 +382,7 @@ void adl_serializer<DerivationOptions>::to_json(json & json, DerivationOptions o
+     json["impureHostDeps"] = o.impureHostDeps;
+     json["impureEnvVars"] = o.impureEnvVars;
+     json["allowLocalNetworking"] = o.allowLocalNetworking;
++    json["networked"] = o.networked;
+ 
+     json["requiredSystemFeatures"] = o.requiredSystemFeatures;
+     json["preferLocalBuild"] = o.preferLocalBuild;
+diff --git a/src/libstore/include/nix/store/derivation-options.hh b/src/libstore/include/nix/store/derivation-options.hh
+index 88694f730..95e004dcf 100644
+--- a/src/libstore/include/nix/store/derivation-options.hh
++++ b/src/libstore/include/nix/store/derivation-options.hh
+@@ -168,6 +168,8 @@ struct DerivationOptions
+      */
+     bool allowLocalNetworking = false;
+ 
++    bool networked = false;
++
+     /**
+      * env: requiredSystemFeatures
+      */
+diff --git a/src/libstore/unix/build/chroot-derivation-builder.cc b/src/libstore/unix/build/chroot-derivation-builder.cc
+index 887bb47f0..6070ef742 100644
+--- a/src/libstore/unix/build/chroot-derivation-builder.cc
++++ b/src/libstore/unix/build/chroot-derivation-builder.cc
+@@ -114,7 +114,7 @@ struct ChrootDerivationBuilder : virtual DerivationBuilderImpl
+                 sandboxGid()));
+ 
+         /* Create /etc/hosts with localhost entry. */
+-        if (derivationType.isSandboxed())
++        if (derivationType.isSandboxed() && !drvOptions.networked)
+             writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
+ 
+         /* Make the closure of the inputs available in the chroot,
+diff --git a/src/libstore/unix/build/linux-derivation-builder.cc b/src/libstore/unix/build/linux-derivation-builder.cc
+index 0d9dc4a85..790ccf489 100644
+--- a/src/libstore/unix/build/linux-derivation-builder.cc
++++ b/src/libstore/unix/build/linux-derivation-builder.cc
+@@ -337,7 +337,7 @@ struct ChrootLinuxDerivationBuilder : ChrootDerivationBuilder, LinuxDerivationBu
+ 
+                 ProcessOptions options;
+                 options.cloneFlags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_PARENT | SIGCHLD;
+-                if (derivationType.isSandboxed())
++                if (derivationType.isSandboxed() && !drvOptions.networked)
+                     options.cloneFlags |= CLONE_NEWNET;
+                 if (usingUserNamespace)
+                     options.cloneFlags |= CLONE_NEWUSER;
+@@ -431,7 +431,7 @@ struct ChrootLinuxDerivationBuilder : ChrootDerivationBuilder, LinuxDerivationBu
+ 
+         userNamespaceSync.readSide = -1;
+ 
+-        if (derivationType.isSandboxed()) {
++        if (derivationType.isSandboxed() && !drvOptions.networked) {
+ 
+             /* Initialise the loopback interface. */
+             AutoCloseFD fd(socket(PF_INET, SOCK_DGRAM, IPPROTO_IP));
+@@ -508,7 +508,7 @@ struct ChrootLinuxDerivationBuilder : ChrootDerivationBuilder, LinuxDerivationBu
+         /* Fixed-output derivations typically need to access the
+            network, so give them access to /etc/resolv.conf and so
+            on. */
+-        if (!derivationType.isSandboxed()) {
++        if (!derivationType.isSandboxed() || drvOptions.networked) {
+             // Only use nss functions to resolve hosts and
+             // services. Don’t use it for anything else that may
+             // be configured for this system. This limits the

servers/nixops-fix-deprecated-pipes.patch

@@ -0,0 +1,22 @@
+diff --git a/nixops/script_defs.py b/nixops/script_defs.py
+index 2f75e943..7268ca3a 100644
+--- a/nixops/script_defs.py
++++ b/nixops/script_defs.py
+@@ -22,7 +22,7 @@ import logging
+ import logging.handlers
+ import json
+ from tempfile import TemporaryDirectory
+-import pipes
++import shlex
+ from typing import Tuple, List, Optional, Union, Generator, Type, Set, Sequence
+ import nixops.ansi
+ 
+@@ -1117,7 +1117,7 @@ def op_edit(args: Namespace) -> None:
+         if not editor:
+             raise Exception("the $EDITOR environment variable is not set")
+         os.system(
+-            "$EDITOR " + " ".join([pipes.quote(x) for x in depl.network_expr.network])
++            "$EDITOR " + " ".join([shlex.quote(x) for x in depl.network_expr.network])
+         )
+ 
+ 

servers/nixops-skip-unreachable-host.patch

@@ -0,0 +1,267 @@
+diff --git a/nixops/deployment.py b/nixops/deployment.py
+index 42facaba..5be2ab03 100644
+--- a/nixops/deployment.py
++++ b/nixops/deployment.py
+@@ -38,6 +38,7 @@ from typing import (
+ import nixops.backends
+ import nixops.logger
+ import nixops.parallel
++from nixops.ssh_util import SSHConnectionFailed, SSHCommandFailed
+ from nixops.plugins.manager import (
+     DeploymentHooksManager,
+     MachineHooksManager,
+@@ -803,29 +804,60 @@ class Deployment:
+         include: List[str],
+         exclude: List[str],
+         max_concurrent_copy: int,
+-    ) -> None:
++        strict: bool = False,
++    ) -> List[str]:
+         """Copy the closure of each machine configuration to the corresponding machine."""
+ 
+-        def worker(m: nixops.backends.GenericMachineState) -> None:
++        def worker(m: nixops.backends.GenericMachineState) -> Optional[str]:
+             if not should_do(m, include, exclude):
+-                return
++                return None
+             m.logger.log("copying closure...")
+             m.new_toplevel = os.path.realpath(configs_path + "/" + m.name)
+             if not os.path.exists(m.new_toplevel):
+-                raise Exception("can't find closure of machine ‘{0}’".format(m.name))
+-            m.copy_closure_to(m.new_toplevel)
++                raise Exception("can't find closure of machine '{0}'".format(m.name))
++            try:
++                m.copy_closure_to(m.new_toplevel)
++            except Exception as e:
++                if not strict and any(exc in str(type(e)) for exc in ['SSHConnectionFailed', 'SSHCommandFailed', 'CommandFailed']):
++                    m.logger.warn("machine '{}' is unreachable, skipping".format(m.name))
++                    return m.name
++                raise
++            return None
+ 
+-        nixops.parallel.run_tasks(
++        res = nixops.parallel.run_tasks(
+             nr_workers=max_concurrent_copy,
+             tasks=iter(self.active_machines.values()),
+             worker_fun=worker,
+         )
+-        self.logger.log(
+-            ansi_success(
+-                "{0}> closures copied successfully".format(self.name or "unnamed"),
+-                outfile=self.logger._log_file,
+-            )
+-        )
++
++        skipped = [x for x in res if x is not None]
++
++        if strict and skipped:
++            raise Exception("unexpected machine failures: {0}".format(skipped))
++
++        if not strict and skipped:
++            skipped_list = ", ".join(["'{0}'".format(x) for x in skipped])
++            self.logger.log("skipped {0} unreachable machine(s): {1}".format(len(skipped), skipped_list))
++
++        successful_machines = [m.name for m in self.active_machines.values()
++                              if should_do(m, include, exclude) and m.name not in skipped]
++
++        if successful_machines:
++            success_msg = "{0}> closures copied successfully".format(self.name or "unnamed")
++            if not strict and skipped:
++                success_msg += " (skipped {0} unreachable machines)".format(len(skipped))
++            self.logger.log(ansi_success(success_msg, outfile=self.logger._log_file))
++        else:
++            if skipped:
++                self.logger.log("{0}> no closures copied (all {1} machine(s) unreachable)".format(
++                    self.name or "unnamed", len(skipped)))
++            else:
++                self.logger.log("{0}> no machines to process".format(self.name or "unnamed"))
++
++        return [
++            m.name for m in self.active_machines.values()
++            if should_do(m, include, exclude) and m.name not in skipped
++        ]
+ 
+     def activate_configs(  # noqa: C901
+         self,
+@@ -841,6 +873,7 @@ class Deployment:
+         test: bool,
+         boot: bool,
+         max_concurrent_activate: int,
++        strict: bool = False,
+     ) -> None:
+         """Activate the new configuration on a machine."""
+ 
+@@ -929,12 +962,16 @@ class Deployment:
+                 m.cur_configs_path = configs_path
+                 m.cur_toplevel = m.new_toplevel
+ 
+-            except Exception:
++            except Exception as e:
+                 # This thread shouldn't throw an exception because
+                 # that will cause NixOps to exit and interrupt
+                 # activation on the other machines.
+-                m.logger.error(traceback.format_exc())
+-                return m.name
++                if not strict and any(exc in str(type(e)) for exc in ['SSHConnectionFailed', 'SSHCommandFailed', 'CommandFailed']):
++                    m.logger.warn("machine '{}' is unreachable during activation, skipping".format(m.name))
++                    return m.name
++                else:
++                    m.logger.error(traceback.format_exc())
++                    return m.name
+             return None
+ 
+         res = nixops.parallel.run_tasks(
+@@ -944,13 +981,21 @@ class Deployment:
+         )
+         failed = [x for x in res if x is not None]
+         if failed != []:
+-            raise Exception(
+-                "activation of {0} of {1} machines failed (namely on {2})".format(
+-                    len(failed),
+-                    len(res),
+-                    ", ".join(["‘{0}’".format(x) for x in failed]),
++            if not strict:
++                self.logger.log(
++                    "activation failed on {0} machine(s): {1}".format(
++                        len(failed),
++                        ", ".join(["'{0}'".format(x) for x in failed]),
++                    )
++                )
++            else:
++                raise Exception(
++                    "activation of {0} of {1} machines failed (namely on {2})".format(
++                        len(failed),
++                        len(res),
++                        ", ".join(["'{0}'".format(x) for x in failed]),
++                    )
+                 )
+-            )
+ 
+     def _get_free_resource_index(self) -> int:
+         index = 0
+@@ -1144,6 +1189,7 @@ class Deployment:
+         always_activate: bool = False,
+         repair: bool = False,
+         dry_activate: bool = False,
++        strict: bool = False,
+     ) -> None:
+         """Perform the deployment defined by the deployment specification."""
+ 
+@@ -1286,20 +1332,30 @@ class Deployment:
+ 
+         # Copy the closures of the machine configurations to the
+         # target machines.
+-        self.copy_closures(
++        successful_copies = self.copy_closures(
+             self.configs_path,
+             include=include,
+             exclude=exclude,
+             max_concurrent_copy=max_concurrent_copy,
++            strict=strict,
+         )
+ 
+         if copy_only:
+             return
+ 
++        if include:
++            filtered_include = [machine for machine in include if machine in successful_copies]
++            if not filtered_include:
++                return
++        else:
++            if not successful_copies:
++                return
++            filtered_include = successful_copies
++
+         # Active the configurations.
+         self.activate_configs(
+             self.configs_path,
+-            include=include,
++            include=filtered_include,
+             exclude=exclude,
+             allow_reboot=allow_reboot,
+             force_reboot=force_reboot,
+@@ -1310,6 +1366,7 @@ class Deployment:
+             test=test,
+             boot=boot,
+             max_concurrent_activate=max_concurrent_activate,
++            strict=strict,
+         )
+ 
+         if dry_activate:
+@@ -1375,6 +1432,7 @@ class Deployment:
+         max_concurrent_copy: int = 5,
+         max_concurrent_activate: int = -1,
+         sync: bool = True,
++        strict: bool = False,
+     ) -> None:
+         if not self.rollback_enabled:
+             raise Exception(
+@@ -1419,16 +1477,28 @@ class Deployment:
+                 self.logger.log("machine ‘{0}’ is obsolete".format(m.name))
+                 m.obsolete = True
+ 
+-        self.copy_closures(
++        self.evaluate_active(include, exclude, kill_obsolete=False)
++
++        successful_copies = self.copy_closures(
+             self.configs_path,
+             include=include,
+             exclude=exclude,
+             max_concurrent_copy=max_concurrent_copy,
++            strict=strict,
+         )
+ 
++        if include:
++            filtered_include = [machine for machine in include if machine in successful_copies]
++            if not filtered_include:
++                return
++        else:
++            if not successful_copies:
++                return
++            filtered_include = successful_copies
++
+         self.activate_configs(
+             self.configs_path,
+-            include=include,
++            include=filtered_include,
+             exclude=exclude,
+             allow_reboot=allow_reboot,
+             force_reboot=force_reboot,
+@@ -1439,6 +1509,7 @@ class Deployment:
+             test=False,
+             boot=False,
+             max_concurrent_activate=max_concurrent_activate,
++            strict=strict,
+         )
+ 
+     def rollback(self, **kwargs: Any) -> None:
+diff --git a/nixops/script_defs.py b/nixops/script_defs.py
+index 2f75e943..554ae4f1 100644
+--- a/nixops/script_defs.py
++++ b/nixops/script_defs.py
+@@ -733,6 +733,7 @@ def op_deploy(args: Namespace) -> None:
+             repair=args.repair,
+             dry_activate=args.dry_activate,
+             max_concurrent_activate=args.max_concurrent_activate,
++            strict=args.strict,
+         )
+ 
+ 
+@@ -1100,6 +1101,7 @@ def op_rollback(args: Namespace) -> None:
+             max_concurrent_copy=args.max_concurrent_copy,
+             max_concurrent_activate=args.max_concurrent_activate,
+             sync=not args.no_sync,
++            strict=args.strict,
+         )
+ 
+ 
+@@ -1297,6 +1299,9 @@ def add_common_deployment_options(subparser: ArgumentParser) -> None:
+     subparser.add_argument(
+         "--no-sync", action="store_true", help="do not flush buffers to disk"
+     )
++    subparser.add_argument(
++        "--strict", action="store_true", default=False, help="fail deployment if any host is unreachable"
++    )
+ 
+ 
+ def error(msg: str) -> None:

servers/rfq/pkg.nix

@@ -5,5 +5,7 @@
 with python3Packages; buildPythonPackage rec {
   name = "rfq";
   src = ./src;
-  propagatedBuildInputs = [ flask flask_mail python-dotenv ];
+  propagatedBuildInputs = [ flask flask-mail python-dotenv ];
+  pyproject = true;
+  build-system = [ setuptools ];
 }

servers/rfq/src/rfq/__init__.py

@@ -10,6 +10,7 @@ from flask import request
 from flask_mail import Mail
 from flask_mail import Message
 from werkzeug.middleware.proxy_fix import ProxyFix
+from jinja2.utils import htmlsafe_json_dumps
 
 
 load_dotenv()
@@ -48,7 +49,7 @@ def after(response):
 @app.route("/rfq", methods=["POST"])
 def send_rfq():
     payload = request.json
-    payload = json.loads(json.htmlsafe_dumps(payload))
+    payload = json.loads(htmlsafe_json_dumps(payload))
 
     if payload is None:
         resp = jsonify(error="invalid data")
@@ -68,13 +69,14 @@ def send_rfq():
 
     sender = current_app.config["MAIL_SENDER"]
     recipient = current_app.config["MAIL_RECIPIENT"]
+    origin = request.environ.get("ORIGIN_DOMAIN", "unknown")
 
     msg = Message(
         "RFQ for Sinara hardware from {}".format(payload["email"]),
         sender=sender,
         recipients=[recipient, payload["email"]])
-    msg.body = ("From: {}\nConfiguration: {}\nNote: {}"
-        .format(payload["email"], payload["configuration"], payload["note"]))
+    msg.body = ("From: {}\nOrigin: {}\nConfiguration: {}\nNote: {}"
+        .format(payload["email"], origin, payload["configuration"], payload["note"]))
 
     with mail.connect() as conn:
         conn.send(msg)

servers/secret_permissions.txt

@@ -3,7 +3,6 @@
 -rw------- 1 root         root           gitea_tokens.nix
 -rw------- 1 root         root           github_tokens.nix
 -rw-rw---- 1 gitea        gitea          mailerpassword
--rw------- 1 matterbridge matterbridge   matterbridge.toml
 -rw------- 1 uwsgi        uwsgi          mattermost-github-integration.py
 -rw------- 1 nginx        nginx          muninpasswd
 -rw-rw---- 1 hydra        hydra          nixbld.m-labs.hk-1

servers/snm.nix

@@ -0,0 +1,4 @@
+import (builtins.fetchTarball {
+  url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/c5bd875089031f6f407877a66f2297d4124dafe2/nixos-mailserver-nixos.tar.gz";
+  sha256 = "sha256:0nmsrqnjdr68797sqxg54zrrdzdvxix3awc395fp0pvwj8hra4f3";
+})

servers/sprint.nix

@@ -0,0 +1,35 @@
+{ config, pkgs, lib, ... }:
+{
+  users.users.sprint = {
+    isSystemUser = true;
+    createHome = false;
+    group = "lp";
+  };
+  
+  systemd.sockets.sprint = {
+    description = "Simple printing socket";
+    listenStreams = [ "192.168.1.1:9100" ];
+    socketConfig.Accept = true;
+    wantedBy = [ "sockets.target" ];
+  };
+  
+  systemd.services."sprint@" = let
+    sprint = pkgs.writeShellScript "sprint"
+      ''
+      set -e
+      cmdfile=$(mktemp /tmp/sprintcmd-XXXXXXXXX)
+      trap 'rm -f $cmdfile' EXIT
+      ${pkgs.ghostscript}/bin/gs -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pxlcolor -q -dDuplex -sOutputFile=$cmdfile -
+      ${pkgs.util-linux}/bin/flock /tmp/sprintlock cp $cmdfile /dev/usb/lp0 
+      '';
+  in {
+    description = "Simple printing";
+      serviceConfig = {
+        User = "sprint";
+        Group = "lp";
+        ExecStart = "${sprint}";
+        StandardInput = "socket";
+        StandardOutput = "journal";
+      };
+    };
+}