nixops: add ram user

This patch adds explicit requirements for network addresses services to run after and only when udevd service is running. Also depend on virt netdev creation service instead of device

Signed-off-by: Egor Savkin <es@m-labs.hk>

nixbld-etc-nixos/afws-module.nix

@@ -10,16 +10,34 @@ in
       default = false;
       description = "Enable AFWS server";
     };
+    logFile = mkOption {
+      type = types.str;
+      default = "/var/lib/afws/logs/afws.log";
+      description = "Path to the log file";
+    };
+    logBackupCount = mkOption {
+      type = types.int;
+      default = 30;
+      description = "Number of daily log files to keep";
+    };
   };
 
   config = mkIf config.services.afws.enable {
     systemd.services.afws = {
       description = "AFWS server";
       wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        mkdir -p "$(dirname ${config.services.afws.logFile})"
+        chown afws:afws "$(dirname ${config.services.afws.logFile})"
+      '';
       serviceConfig = {
         User = "afws";
         Group = "afws";
-        ExecStart = "${afws}/bin/afws_server";
+        ExecStart = ''
+          ${afws}/bin/afws_server \
+            --log-file ${config.services.afws.logFile} \
+            --log-backup-count ${toString config.services.afws.logBackupCount}
+        '';
         ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
       };
       path = [ pkgs.nix pkgs.git ];

nixbld-etc-nixos/configuration.nix

@@ -20,8 +20,8 @@ in
       ./afws-module.nix
       ./rt.nix
       (builtins.fetchTarball {
-        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/29916981e7b3b5782dc5085ad18490113f8ff63b/nixos-mailserver-nixos.tar.gz";
+        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/af7d3bf5daeba3fc28089b015c0dd43f06b176f2/nixos-mailserver-nixos.tar.gz";
-        sha256 = "sha256:0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
+        sha256 = "sha256:1j0r52ij5pw8b8wc5xz1bmm5idwkmsnwpla6smz8gypcjls860ma";
       })
     ];
 
@@ -358,6 +358,15 @@ in
     };
   };
 
+  systemd.services."network-addresses-${netifUSA}" = {
+    after = pkgs.lib.mkOverride 1 [ "network-pre.target" "${netifUSA}-netdev.service" "systemd-udevd.service" ];
+    requires = [ "systemd-udevd.service" ];
+  };
+  systemd.services."network-addresses-${netifAlt}" = {
+    after = pkgs.lib.mkOverride 1 [ "network-pre.target" "${netifAlt}-netdev.service" "systemd-udevd.service" ];
+    requires = [ "systemd-udevd.service" ];
+  };
+
   # https://kb.isc.org/docs/dnssec-key-and-signing-policy
   # chown named.named /etc/nixos/named
   services.bind = {
@@ -491,6 +500,7 @@ in
     enable = true;
     radios.${netifWifi} = {
       band = "2g";
+      channel = 7;
       countryCode = "HK";
       networks.${netifWifi} = {
         ssid = "M-Labs";
@@ -540,6 +550,8 @@ in
         "/kasli/192.168.1.70"
         "/kasli-customer/192.168.1.75"
         "/stabilizer-customer/192.168.1.76"
+
+        "/fonts.gstatic.com/142.250.114.94"
       ];
 
       dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
@@ -638,7 +650,6 @@ in
     SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
     '';
 
-  sound.enable = true;
   services.mpd.enable = true;
   services.mpd.musicDirectory = "/tank/sb-public/FLAC";
   services.mpd.network.listenAddress = "192.168.1.1";
@@ -648,14 +659,14 @@ in
     audio_output {
       type "alsa"
       name "alsa"
-      device "hw:1,1"
+      device "hw:2,0"
     }
     '';
 
   users.extraUsers.root = {
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
     ];
     shell = pkgs.fish;
   };
@@ -668,7 +679,7 @@ in
     extraGroups = ["lp" "scanner" "afws" "audio"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
     ];
     shell = pkgs.fish;
   };
@@ -732,7 +743,6 @@ in
   users.extraUsers.nix = {
     isNormalUser = true;
   };
-  boot.kernel.sysctl."kernel.dmesg_restrict" = true;
   services.udev.packages = [ pkgs.sane-backends ];
 
   nix.settings.max-jobs = 10;
@@ -753,6 +763,10 @@ in
         job = web:web:web
         command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
       </runcommand>
+      <runcommand>
+        job = web:web:web-ph
+        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web-ph
+      </runcommand>
       <runcommand>
         job = web:web:web-intl
         command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/
@@ -937,22 +951,26 @@ in
     nix = super.nix.overrideAttrs(oa: {
       patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
     });
-    hydra_unstable = super.hydra_unstable.overrideAttrs(oa: {
+    hydra = super.hydra.overrideAttrs(oa: {
       patches = oa.patches or [] ++ [
         ./hydra-conda.patch
         ./hydra-msys2.patch
-        ./hydra-restrictdist.patch
       ];
       hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
       doCheck = false;  # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
     });
+    mattermost = super.mattermost.overrideAttrs(oldAttrs: {
+      webapp = oldAttrs.webapp.overrideAttrs (webappAttrs: {
+        patches = webappAttrs.patches or [ ] ++ [ ./mattermost-remove-free-banner.patch ];
+      });
+    });
     matterbridge = super.matterbridge.overrideAttrs(oa: {
       patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ];
     });
   };
 
   security.acme.acceptTerms = true;
-  security.acme.defaults.email = "sb" + "@m-labs.hk";
+  security.acme.defaults.email = "sb@m-labs.hk";
 
   # https://github.com/NixOS/nixpkgs/issues/106862
   systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
@@ -982,7 +1000,7 @@ in
             expires 60d;
           '';
         };
-        locations."/nuc-netboot/".alias = "${import ./defenestrate}/";
+        locations."/nuc-netboot/".alias = "${import ./defenestrate { prioNixbld = true; } }/";
 
         # legacy URLs, redirect to avoid breaking people's bookmarks
         locations."/gateware.html".extraConfig = ''
@@ -1040,9 +1058,24 @@ in
       };
     in {
       "m-labs.hk" = mainWebsite;
-      "www.m-labs.hk" = mainWebsite;
+      "www.m-labs.hk" = {
-      "m-labs.ph" = mainWebsite;
+        addSSL = true;
-      "www.m-labs.ph" = mainWebsite;
+        enableACME = true;
+        globalRedirect = "m-labs.hk";
+      };
+      "m-labs.ph" = {
+        root = "${hydraWwwOutputs}/web-ph";
+        forceSSL = true;
+        enableACME = true;
+        extraConfig = ''
+          error_page 404 /404.html;
+        '';
+      };
+      "www.m-labs.ph" = {
+        addSSL = true;
+        enableACME = true;
+        globalRedirect = "m-labs.ph";
+      };
       "nixbld.m-labs.hk" = {
         forceSSL = true;
         enableACME = true;
@@ -1189,7 +1222,7 @@ in
       "www.193thz.com" = {
         addSSL = true;
         enableACME = true;
-        root = "/var/www/193thz";
+        globalRedirect = "193thz.com";
       };
       "nmigen.net" = {
         addSSL = true;
@@ -1199,7 +1232,7 @@ in
       "www.nmigen.net" = {
         addSSL = true;
         enableACME = true;
-        root = "${hydraWwwOutputs}/nmigen-docs";
+        globalRedirect = "nmigen.net";
       };
     };
   };
@@ -1293,10 +1326,12 @@ in
   services.roundcube = {
     enable = true;
     hostName = "mail.m-labs.hk";
+    # https://github.com/roundcube/roundcubemail/issues/5869
     extraConfig = ''
       $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
       $config['smtp_user'] = "%u";
       $config['smtp_pass'] = "%p";
+      $config['session_storage'] = "php";
     '';
   };
 

nixbld-etc-nixos/flarum/default.nix

@@ -17,14 +17,13 @@ php.buildComposerProject (finalAttrs: {
   };
 
   patches = [
-    # Add useful extensions from https://github.com/FriendsOfFlarum
+    # Add useful flarum extensions (polls, subscribed, upload, email-filter)
-    # Extensions included: fof/upload, fof/polls, fof/subscribed
+    ./flarum-extensions.patch
-    ./fof-extensions.patch
   ];
 
   composerLock = ./composer.lock;
   composerStrictValidation = false;
-  vendorHash = "sha256-z3KVGmILw8MZ4aaSf6IP/0l16LI/Y2yMzY2KMHf4qSg=";
+  vendorHash = "sha256-rWvIKiQVyfvUprYfm/+Jdq+DO5qymyWp+Xh0c0nY2Cw=";
 
   meta = with lib; {
     changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";

nixbld-etc-nixos/flarum/flarum-extensions.patch

@@ -1,8 +1,8 @@
 diff --git a/composer.json b/composer.json
-index c63b5f8..5ad1186 100644
+index c63b5f8..4bc00c1 100644
 --- a/composer.json
 +++ b/composer.json
-@@ -37,7 +37,10 @@
+@@ -37,7 +37,11 @@
          "flarum/sticky": "*",
          "flarum/subscriptions": "*",
          "flarum/suspend": "*",
@@ -10,7 +10,8 @@ index c63b5f8..5ad1186 100644
 +        "flarum/tags": "*",
 +        "fof/polls": "*",
 +        "fof/subscribed": "*",
-+        "fof/upload": "*"
++        "fof/upload": "*",
++        "nyu8/flarum-email-filter": "^1.0"
      },
      "config": {
          "preferred-install": "dist",

nixbld-etc-nixos/gitea-home.tmpl

@@ -15,7 +15,7 @@
 	<div class="ui stackable middle very relaxed page grid">
 		<div class="sixteen wide center column">
 			<p class="large">
-				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-***.hk stating the username you would like to have.
+				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-labs.hk stating the username you would like to have.
 			</p>
 		</div>
 	</div>

nixbld-etc-nixos/gitea-signin.tmpl

@@ -4,7 +4,7 @@
 	<div class="ui middle very relaxed page grid">
 		<div class="ui container column fluid">
 			{{template "user/auth/signin_inner" .}}
-			To get an account (also available to external contributors), simply write to sb@m-***s.hk.
+			To get an account (also available to external contributors), simply write to sb@m-labs.hk.
 		</div>
 	</div>
 </div>

nixbld-etc-nixos/hydra-restrictdist.patch

@@ -1,32 +0,0 @@
-diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm
-index a9b0d558..71869ba0 100644
---- a/src/lib/Hydra/Controller/Root.pm
-+++ b/src/lib/Hydra/Controller/Root.pm
-@@ -19,6 +19,11 @@ use Net::Prometheus;
- # Put this controller at top-level.
- __PACKAGE__->config->{namespace} = '';
- 
-+sub isRedistRestricted {
-+  my ($path) = @_;
-+
-+  return index($path, "-RESTRICTDIST-") >= 0;
-+}
- 
- sub noLoginNeeded {
-   my ($c) = @_;
-@@ -319,6 +324,7 @@ sub nar :Local :Args(1) {
-         $path = $Nix::Config::storeDir . "/$path";
- 
-         gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path);
-+        notFound($c, "Redistribution restricted") if isRedistRestricted($path);
- 
-         $c->stash->{current_view} = 'NixNAR';
-         $c->stash->{storePath} = $path;
-@@ -368,6 +374,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
-             setCacheHeaders($c, 60 * 60);
-             return;
-         }
-+        notFound($c, "Redistribution restricted") if isRedistRestricted($path);
- 
-         $c->stash->{storePath} = $path;
-         $c->forward('Hydra::View::NARInfo');

nixbld-etc-nixos/mattermost-remove-free-banner.patch

@@ -0,0 +1,210 @@
+diff --git webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
+index 9af4fc7354..60ae3160e8 100644
+--- webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
++++ webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
+@@ -9,10 +9,6 @@ import Logo from 'components/common/svg_images_components/logo_dark_blue_svg';
+ const ProductBrandingTeamEditionContainer = styled.div`
+     display: flex;
+     align-items: center;
+-
+-    > * + * {
+-        margin-left: 8px;
+-    }
+ `;
+ 
+ const StyledLogo = styled(Logo)`
+@@ -21,23 +17,6 @@ const StyledLogo = styled(Logo)`
+     }
+ `;
+ 
+-const Badge = styled.div`
+-    display: flex;
+-    align-self: center;
+-    padding: 2px 6px;
+-    position: relative;
+-    top: 1px;
+-    border-radius: var(--radius-s);
+-    margin-left: 12px;
+-    background: rgba(var(--sidebar-text-rgb), 0.08);
+-    color: rgba(var(--sidebar-text-rgb), 0.75);
+-    font-family: 'Open Sans', sans-serif;
+-    font-size: 10px;
+-    font-weight: 600;
+-    letter-spacing: 0.025em;
+-    line-height: 16px;
+-`;
+-
+ const ProductBrandingTeamEdition = (): JSX.Element => {
+     return (
+         <ProductBrandingTeamEditionContainer tabIndex={0}>
+@@ -45,7 +24,6 @@ const ProductBrandingTeamEdition = (): JSX.Element => {
+                 width={116}
+                 height={20}
+             />
+-            <Badge>{'FREE EDITION'}</Badge>
+         </ProductBrandingTeamEditionContainer>
+     );
+ };
+diff --git webapp/channels/src/components/header_footer_route/header.scss webapp/channels/src/components/header_footer_route/header.scss
+index e7c76f9861..2841858f44 100644
+--- webapp/channels/src/components/header_footer_route/header.scss
++++ webapp/channels/src/components/header_footer_route/header.scss
+@@ -39,23 +39,6 @@
+                 width: 170px;
+                 fill: var(--center-channel-color);
+             }
+-
+-            .freeBadge {
+-                position: relative;
+-                top: 1px;
+-                display: flex;
+-                align-self: center;
+-                padding: 2px 6px;
+-                border-radius: var(--radius-s);
+-                margin-left: 12px;
+-                background: rgba(var(--center-channel-color-rgb), 0.08);
+-                color: rgba(var(--center-channel-color-rgb), 0.75);
+-                font-family: 'Open Sans', sans-serif;
+-                font-size: 10px;
+-                font-weight: 600;
+-                letter-spacing: 0.025em;
+-                line-height: 16px;
+-            }
+         }
+     }
+ 
+@@ -77,12 +60,6 @@
+             margin-top: 12px;
+         }
+     }
+-
+-    &.has-free-banner.has-custom-site-name {
+-        .header-back-button {
+-            bottom: -20px;
+-        }
+-    }
+ }
+ 
+ @media screen and (max-width: 699px) {
+diff --git webapp/channels/src/components/header_footer_route/header.tsx webapp/channels/src/components/header_footer_route/header.tsx
+index 8cd1d8a624..55554fb0ad 100644
+--- webapp/channels/src/components/header_footer_route/header.tsx
++++ webapp/channels/src/components/header_footer_route/header.tsx
+@@ -25,33 +25,15 @@ const Header = ({alternateLink, backButtonURL, onBackButtonClick}: HeaderProps)
+ 
+     const ariaLabel = SiteName || 'Mattermost';
+ 
+-    let freeBanner = null;
+-    if (license.IsLicensed === 'false') {
+-        freeBanner = <><Logo/><span className='freeBadge'>{'FREE EDITION'}</span></>;
+-    }
+-
+     let title: React.ReactNode = SiteName;
+     if (title === 'Mattermost') {
+-        if (freeBanner) {
+-            title = '';
+-        } else {
+-            title = <Logo/>;
+-        }
++        title = <Logo/>;
+     }
+ 
+     return (
+-        <div className={classNames('hfroute-header', {'has-free-banner': freeBanner, 'has-custom-site-name': title})}>
++        <div className={classNames('hfroute-header', {'has-custom-site-name': title})}>
+             <div className='header-main'>
+                 <div>
+-                    {freeBanner &&
+-                        <Link
+-                            className='header-logo-link'
+-                            to='/'
+-                            aria-label={ariaLabel}
+-                        >
+-                            {freeBanner}
+-                        </Link>
+-                    }
+                     {title &&
+                         <Link
+                             className='header-logo-link'
+diff --git webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
+index 35646539c4..fbdbb39710 100644
+--- webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
++++ webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
+@@ -1,42 +1,17 @@
+ // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+ // See LICENSE.txt for license information.
+ 
+-import React from 'react';
+-import {useIntl} from 'react-intl';
+ import {useSelector} from 'react-redux';
+-import styled from 'styled-components';
+ 
+ import {getLicense} from 'mattermost-redux/selectors/entities/general';
+ 
+-import ExternalLink from 'components/external_link';
+-
+-import {LicenseLinks} from 'utils/constants';
+-
+ import './menu_item.scss';
+ 
+-const FreeVersionBadge = styled.div`
+-     position: relative;
+-     top: 1px;
+-     display: flex;
+-     padding: 2px 6px;
+-     border-radius: var(--radius-s);
+-     margin-bottom: 6px;
+-     background: rgba(var(--center-channel-color-rgb), 0.08);
+-     color: rgba(var(--center-channel-color-rgb), 0.75);
+-     font-family: 'Open Sans', sans-serif;
+-     font-size: 10px;
+-     font-weight: 600;
+-     letter-spacing: 0.025em;
+-     line-height: 16px;
+-`;
+-
+ type Props = {
+     id: string;
+ }
+ 
+ const MenuStartTrial = (props: Props): JSX.Element | null => {
+-    const {formatMessage} = useIntl();
+-
+     const license = useSelector(getLicense);
+     const isCurrentLicensed = license?.IsLicensed;
+ 
+@@ -44,33 +19,7 @@ const MenuStartTrial = (props: Props): JSX.Element | null => {
+         return null;
+     }
+ 
+-    return (
+-        <li
+-            className={'MenuStartTrial'}
+-            role='menuitem'
+-            id={props.id}
+-        >
+-            <FreeVersionBadge>{'FREE EDITION'}</FreeVersionBadge>
+-            <div className='editionText'>
+-                {formatMessage(
+-                    {
+-                        id: 'navbar_dropdown.versionText',
+-                        defaultMessage: 'This is the free <link>unsupported</link> edition of Mattermost.',
+-                    },
+-                    {
+-                        link: (msg: React.ReactNode) => (
+-                            <ExternalLink
+-                                location='menu_start_trial.unsupported-link'
+-                                href={LicenseLinks.UNSUPPORTED}
+-                            >
+-                                {msg}
+-                            </ExternalLink>
+-                        ),
+-                    },
+-                )}
+-            </div>
+-        </li>
+-    );
++    return null;
+ };
+ 
+ export default MenuStartTrial;

nixbld-etc-nixos/nix-networked-derivations.patch

@@ -1,8 +1,8 @@
-diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
+diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
-index 64b55ca6a..9b4e52b8e 100644
+index 2a09e3dd4..7dc03855f 100644
---- a/src/libstore/build/local-derivation-goal.cc
+--- a/src/libstore/unix/build/local-derivation-goal.cc
-+++ b/src/libstore/build/local-derivation-goal.cc
++++ b/src/libstore/unix/build/local-derivation-goal.cc
-@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild()
+@@ -197,6 +197,8 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
  
      assert(derivationType);
  
@@ -11,7 +11,7 @@ index 64b55ca6a..9b4e52b8e 100644
      /* Are we doing a chroot build? */
      {
          auto noChroot = parsedDrv->getBoolAttr("__noChroot");
-@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild()
+@@ -214,7 +216,7 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
          else if (settings.sandboxMode == smDisabled)
              useChroot = false;
          else if (settings.sandboxMode == smRelaxed)
@@ -20,7 +20,7 @@ index 64b55ca6a..9b4e52b8e 100644
      }
  
      auto & localStore = getLocalStore();
-@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -737,7 +739,7 @@ void LocalDerivationGoal::startBuilder()
                  "nogroup:x:65534:\n", sandboxGid()));
  
          /* Create /etc/hosts with localhost entry. */
@@ -29,7 +29,7 @@ index 64b55ca6a..9b4e52b8e 100644
              writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
  
          /* Make the closure of the inputs available in the chroot,
-@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -938,7 +940,7 @@ void LocalDerivationGoal::startBuilder()
             us.
          */
  
@@ -38,16 +38,16 @@ index 64b55ca6a..9b4e52b8e 100644
              privateNetwork = true;
  
          userNamespaceSync.create();
-@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv()
+@@ -1177,7 +1179,7 @@ void LocalDerivationGoal::initEnv()
         to the builder is generally impure, but the output of
         fixed-output derivations is by definition pure (since we
         already know the cryptographic hash of the output). */
 -    if (!derivationType->isSandboxed()) {
 +    if (networked || !derivationType->isSandboxed()) {
-         for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
+         auto & impureEnv = settings.impureEnv.get();
-             env[i] = getEnv(i).value_or("");
+         if (!impureEnv.empty())
-     }
+             experimentalFeatureSettings.require(Xp::ConfigurableImpureEnv);
-@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild()
+@@ -1851,7 +1853,7 @@ void LocalDerivationGoal::runChild()
              /* Fixed-output derivations typically need to access the
                 network, so give them access to /etc/resolv.conf and so
                 on. */
@@ -56,7 +56,7 @@ index 64b55ca6a..9b4e52b8e 100644
                  // Only use nss functions to resolve hosts and
                  // services. Don’t use it for anything else that may
                  // be configured for this system. This limits the
-@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild()
+@@ -2083,7 +2085,7 @@ void LocalDerivationGoal::runChild()
                  #include "sandbox-defaults.sb"
                  ;
  
@@ -65,12 +65,12 @@ index 64b55ca6a..9b4e52b8e 100644
                  sandboxProfile +=
                      #include "sandbox-network.sb"
                      ;
-diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
+diff --git a/src/libstore/unix/build/local-derivation-goal.hh b/src/libstore/unix/build/local-derivation-goal.hh
-index 0a05081c7..4c251718c 100644
+index bf25cf2a6..28f8c1e95 100644
---- a/src/libstore/build/local-derivation-goal.hh
+--- a/src/libstore/unix/build/local-derivation-goal.hh
-+++ b/src/libstore/build/local-derivation-goal.hh
++++ b/src/libstore/unix/build/local-derivation-goal.hh
-@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal
+@@ -83,6 +83,8 @@ struct LocalDerivationGoal : public DerivationGoal
- 
+      */
      Path chrootRootDir;
  
 +    bool networked;

nixops/common-users.nix

@@ -4,7 +4,7 @@
   root = {
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
     ];
   };
   sb = {
@@ -12,7 +12,7 @@
     extraGroups = ["wheel" "plugdev" "dialout" "libvirtd"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
     ];
   };
   rj = {
@@ -57,7 +57,7 @@
   };
   esavkin = {
     isNormalUser = true;
-    extraGroups = ["plugdev" "dialout" "libvirtd"];
+    extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
     ];
@@ -111,6 +111,20 @@
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
     ];
   };
+  abdul = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
+    ];
+  };
+  ram = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCj+Mel4VIhr1nchiLhZ5YbuT9WhR5ItFhFq2QWE/h2j0Xh3UEfsT++z2I/RQ/q4Qp1EFVVBCVCnfhpdshCKAzElGf96ZhHASUE4yZv+3f+yFRVTFy8xBw2gNQE8o2vlfGq/v2SnKiqt21Y3j7zYgbSJwSSS7V3EKO++l09jjQeRV1mORwO3hDDKs+GU6RIcHcNUIrb35F08el9+IZjIQ1wehH2v8pyEQXXWSvgdGS2IOQEA4HRNg+MVg3X1i5r/YVy838jQn9neqG7PnSluXawVpNubBTwly5DzWlzhSUfeKRF+dsPv+dtyr0/JQ9B/guGXGs3ojgq2Gy4DTCo2FCm6bzZCu7nvbiEjq896KhX5YexJo6r4c34luDaTEXNf9H1oHchrQp4F7E/u0+r4YAK1N6GWUQOxTLge7abhZ1d43jVuY57vtpphw+Iouit0/XKqSOChrnazy2USfqm2xH08ZcWx/fdmBbyMhsI02378sBOwf6jFbxaSCVKXMRc5l7HBfxm6dv/C04q/P/H/6S7OscDvVB/ZTNPjMQhUE4E7McwfOga1B6O3YiPjEq0SoCp//zY5Q6ZlK+4U5eEoJj6GBnED3Xq7WcSw4pB5YlOPX1wB7gxJWlvfRaaRycDVG2I6/RJzkWfDJkW3z3YI8Cl7Y/ZwJhB1Tz9pa7qwJsS0w=="
+    ];
+  };
 
   dpn = {
     isNormalUser = true;

nixops/desktop.nix

@@ -12,6 +12,7 @@ in
 
   boot.loader.systemd-boot.memtest86.enable = true;
   boot.loader.grub.memtest86.enable = true;
+  boot.kernel.sysctl."kernel.dmesg_restrict" = false;
 
   imports =
     [
@@ -64,8 +65,8 @@ in
     xournal
     xsane
     gtkwave unzip zip gnupg
-    gnome3.gnome-tweaks
+    gnome-tweaks
-    gnome3.ghex
+    ghex
     jq sublime3 rink qemu_kvm
     tmux screen gdb minicom picocom
     artiq.packages.x86_64-linux.openocd-bscanspi
@@ -129,17 +130,9 @@ in
     nssmdns4 = true;
   };
 
-  # Enable sound.
+  hardware.graphics.enable32Bit = true;
-  sound.enable = true;
-  hardware.pulseaudio = {
-    enable = true;
-    package = pkgs.pulseaudioFull;
-  };
 
-  hardware.opengl.driSupport32Bit = true;
+  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
-  hardware.pulseaudio.support32Bit = true;
-
-  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
 
   # Enable the X11 windowing system.
   services.xserver.enable = true;

nixops/juno-hardware-configuration.nix

@@ -1,42 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ehci_pci" "ata_piix" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/3dca09c8-f725-416a-9f89-b69297698ca9";
-      fsType = "ext4";
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = true;
-
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-
-  nixpkgs.config.nvidia.acceptLicense = true;
-  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
-  services.xserver.videoDrivers = [ "nvidia" ];
-  services.xserver.displayManager.gdm.wayland = false;
-
-  system.stateVersion = "23.05";
-}

nixops/nixops.nix

@@ -13,7 +13,6 @@
   chiron = import ./desktop.nix { host = "chiron"; };
   old-nixbld = import ./desktop.nix { host = "old-nixbld"; };
   franz = import ./desktop.nix { host = "franz"; };
-  juno = import ./desktop.nix { host = "juno"; };
   demeter = import ./desktop.nix { host = "demeter"; };
   vulcan = import ./desktop.nix { host = "vulcan"; };
   rc = import ./desktop.nix { host = "rc"; };

nixops/rpi.nix

@@ -15,6 +15,7 @@ in
   boot.loader.generic-extlinux-compatible.enable = true;
   boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208
   boot.initrd.includeDefaultModules = false;
+  boot.kernel.sysctl."kernel.dmesg_restrict" = false;
 
   fileSystems = {
     "/" = {