flarum: add email-filter extension

mattermost: remove unsupported edition message from menu
mattermost: fix override format
2025-01-16 09:13:07 +08:00 · 2025-01-15 11:28:24 +08:00 · 2025-01-15 10:22:16 +08:00 · 2025-01-15 10:00:21 +08:00 · 2025-01-14 16:40:35 +08:00 · 2025-01-09 11:00:08 +08:00
32 changed files with 10932 additions and 249 deletions
--- a/m-labs-intl/60-tunnels.yaml
+++ b/m-labs-intl/60-tunnels.yaml
@ -0,0 +1,18 @@
+network:
+   version: 2
+   renderer: networkd
+   ethernets:
+     eth0:
+       addresses:
+       - 5.78.86.156/32
+       - 2a01:4ff:1f0:83de::2/64
+       - 2a01:4ff:1f0:83de::3/64
+       - 2a01:4ff:1f0:83de::4/64
+   tunnels:
+     gre1:
+       mode: gre
+       local: 5.78.86.156
+       remote: 94.190.212.123
+       addresses:
+        - 10.47.3.0/31
+
--- a/m-labs-intl/gretun.service
+++ b/m-labs-intl/gretun.service
@ -0,0 +1,14 @@
+[Unit]
+Description=GRE tunnel to the main host
+After=network.target
+
+[Service]
+Type=simple
+User=root
+ExecStart=/root/gretun.sh
+ExecStop=/root/gretun_down.sh
+Restart=on-failure
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- a/m-labs-intl/gretun.sh
+++ b/m-labs-intl/gretun.sh
@ -0,0 +1,10 @@
+#!/bin/bash
+
+/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
+/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
+
+/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
+/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
+
+/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
--- a/m-labs-intl/gretun_down.sh
+++ b/m-labs-intl/gretun_down.sh
@ -0,0 +1,10 @@
+#!/bin/bash
+
+/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
+/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
+
+/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
+/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
+
+/usr/sbin/iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+/usr/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
--- a/m-labs-intl/m-labs-intl.com
+++ b/m-labs-intl/m-labs-intl.com
@ -0,0 +1,81 @@
+upstream rfq_server {
+    server 127.0.0.1:5000;
+}
+
+server {
+    limit_conn addr 5;
+
+    root /var/www/m-labs-intl.com/html;
+    index index.html index.htm index.nginx-debian.html;
+
+    server_name m-labs-intl.com;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    listen [::]:443 ssl ipv6only=on; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+    server_name www.m-labs-intl.com;
+    return 301 https://m-labs-intl.com$request_uri;
+
+    listen [::]:443 ssl; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+    server_name hooks.m-labs-intl.com;
+    limit_conn addr 5;
+
+    location /rfq {
+        proxy_pass http://rfq_server/rfq;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 30;
+        proxy_connect_timeout 30;
+        proxy_send_timeout 30;
+    }
+
+    location / {
+        return 418;
+    }
+
+    listen [::]:443 ssl; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+    limit_conn addr 5;
+    if ($host = m-labs-intl.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    if ($host = www.m-labs-intl.com) {
+        return 301 https://m-labs-intl.com$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    listen [::]:80;
+
+    server_name m-labs-intl.com www.m-labs-intl.com hooks.m-labs-intl.com;
+    return 301 https://$host$request_uri;
+}
--- a/m-labs-intl/m-labs.hk.conf
+++ b/m-labs-intl/m-labs.hk.conf
@ -0,0 +1,34 @@
+
+
+connections {
+  m_labs {
+    version = 2
+    encap = no
+    mobike = no
+    send_certreq = no
+    proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
+    local_addrs = 5.78.86.156
+    remote_addrs = 94.190.212.123
+    local {
+      auth = pubkey
+      id = fqdn:m-labs-intl.com
+      pubkeys = m-labs-intl.com
+    }
+    remote {
+      auth = pubkey
+      id = fqdn:m-labs.hk
+      pubkeys = m-labs.hk
+    }
+    children {
+      con1 {
+        mode = transport
+        ah_proposals = sha256-curve25519,sha256-ecp256
+        esp_proposals =
+        local_ts = 5.78.86.156[gre]
+        remote_ts = 94.190.212.123[gre]
+        start_action = start
+        close_action = none
+      }
+    }
+  } 
+}
--- a/m-labs-intl/mail.secret
+++ b/m-labs-intl/mail.secret
--- a/m-labs-intl/nginx.conf
+++ b/m-labs-intl/nginx.conf
@ -0,0 +1,65 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	# Rate limiting
+	limit_conn_zone $binary_remote_addr zone=addr:10m;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
--- a/m-labs-intl/rfq.service
+++ b/m-labs-intl/rfq.service
@ -0,0 +1,12 @@
+[Unit]
+Description=RFQ service
+After=network.target
+
+[Service]
+Type=simple
+User=rfqserver
+ExecStart=/home/rfqserver/runrfq.sh
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/m-labs-intl/runrfq.sh
+++ b/m-labs-intl/runrfq.sh
@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+export FLASK_DEBUG=0
+export FLASK_MAIL_SERVER=mail.m-labs.hk
+export FLASK_MAIL_PORT=465
+export FLASK_MAIL_USE_SSL=True
+export FLASK_MAIL_USERNAME=sysop-intl@m-labs-intl.com
+export FLASK_MAIL_PASSWORD_FILE=/home/rfqserver/mail.secret
+export FLASK_MAIL_RECIPIENT=sales@m-labs.hk
+export FLASK_MAIL_SENDER=sysop-intl@m-labs-intl.com
+
+cd /home/rfqserver/web2019/server
+source venv/bin/activate
+python3 -m flask --app rfq run --port=5000
--- a/m-labs-intl/setup.md
+++ b/m-labs-intl/setup.md
@ -0,0 +1,99 @@
+# Setup m-labs-intl.com server
+
+```shell
+# Install required packages
+apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
+  strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
+snap install --classic certbot
+ln -s /snap/bin/certbot /usr/bin/certbot
+
+# Set up networks (includes GRE)
+cp 60-tunnels.yaml /etc/netplan/
+netplan apply
+
+# set up IPsec-AH connection
+cp m-labs.hk.conf /etc/swanctl/conf.d/
+echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
+sysctl -p
+cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
+pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com
+pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
+cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
+systemctl enable strongswan --now
+systemctl restart strongswan
+
+# Set up website
+cp m-labs-intl.com /etc/nginx/sites-available/
+cp nginx.conf /etc/nginx/
+ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
+systemctl enable nginx --now
+service nginx restart
+
+# Issue SSL certificate - website only, the mail is on the HK side
+certbot --nginx
+service nginx restart
+
+# Create a user for automatic website deployment from nixbld
+useradd -m zolaupd
+mkdir -p /var/www/m-labs-intl.com/html
+chown -R zolaupd /var/www/m-labs-intl.com/
+sudo -u zolaupd sh -c '
+  cd /home/zolaupd;
+  mkdir /home/zolaupd/.ssh;
+  echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
+  chmod 700 .ssh/
+  chmod 600 .ssh/authorized_keys
+  '
+
+# Create a user for RFQ hooks service
+useradd -m rfqserver
+cp runrfq.sh /home/rfqserver/
+cp mail.secret /home/rfqserver/
+chown rfqserver /home/rfqserver/runrfq.sh
+chmod +x /home/rfqserver/runrfq.sh
+chown rfqserver /home/rfqserver/mail.secret
+
+sudo -u rfqserver sh -c '
+  cd /home/rfqserver;
+  git clone https://git.m-labs.hk/M-Labs/web2019.git;
+  cd web2019;
+  python3 -m venv ./venv;
+  source venv/bin/activate;
+  pip install -r requirements.txt;
+'
+cp rfq.service /etc/systemd/system/
+
+# Automate port forwarding rules creation
+cp gretun.sh /root/gretun.sh
+cp gretun_down.sh /root/gretun_down.sh
+chmod u+x /root/gretun.sh
+chmod u+x /root/gretun_down.sh
+cp gretun.service /etc/systemd/system/
+
+# Enable custom services
+systemctl daemon-reload
+systemctl enable rfq.service --now
+systemctl enable gretun.service --now
+
+# Setup basic firewall rules  
+ufw default deny
+ufw default allow outgoing
+
+ufw allow from 94.190.212.123
+ufw allow from 2001:470:f891:1::/64
+ufw allow from 202.77.7.238
+ufw allow from 2001:470:18:390::2
+ufw allow "Nginx HTTP"
+ufw allow "Nginx HTTPS"
+ufw limit OpenSSH
+ufw allow 25/tcp
+ufw allow 587/tcp
+ufw limit 500,4500/udp
+
+ufw route allow in on gre1 out on eth0
+ufw allow from 10.47.3.0/31
+
+ufw show added
+ufw enable
+```
--- a/nixbld-etc-nixos/afws-module.nix
+++ b/nixbld-etc-nixos/afws-module.nix
@ -10,16 +10,34 @@ in
      default = false;
      description = "Enable AFWS server";
    };
+    logFile = mkOption {
+      type = types.str;
+      default = "/var/lib/afws/logs/afws.log";
+      description = "Path to the log file";
+    };
+    logBackupCount = mkOption {
+      type = types.int;
+      default = 30;
+      description = "Number of daily log files to keep";
+    };
  };

  config = mkIf config.services.afws.enable {
    systemd.services.afws = {
      description = "AFWS server";
      wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        mkdir -p "$(dirname ${config.services.afws.logFile})"
+        chown afws:afws "$(dirname ${config.services.afws.logFile})"
+      '';
      serviceConfig = {
        User = "afws";
        Group = "afws";
-        ExecStart = "${afws}/bin/afws_server";
+        ExecStart = ''
+          ${afws}/bin/afws_server \
+            --log-file ${config.services.afws.logFile} \
+            --log-backup-count ${toString config.services.afws.logBackupCount}
+        '';
        ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
      };
      path = [ pkgs.nix pkgs.git ];
--- a/nixbld-etc-nixos/backup-module.nix
+++ b/nixbld-etc-nixos/backup-module.nix
@ -26,9 +26,10 @@ let
    ${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
    ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
    ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
+    ${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql

    exec 6< /etc/nixos/secret/backup-passphrase
-    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \
+    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \
        ${pkgs.bzip2}/bin/bzip2 | \
        ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
  '';
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@ -6,6 +6,9 @@ let
  netifLan = "enp5s0f1";
  netifWifi = "wlp6s0";
  netifSit = "henet0";
+  netifUSA = "trump0";
+  netifAlt = "alt0";
+  netifAltVlan = "vlan0";
  hydraWwwOutputs = "/var/www/hydra-outputs";
 in
 {
@ -17,8 +20,8 @@ in
      ./afws-module.nix
      ./rt.nix
      (builtins.fetchTarball {
-        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/41059fc548088e49e3ddb3a2b4faeb5de018e60f/nixos-mailserver-nixos.tar.gz";
-        sha256 = "sha256:0xvch92yi4mc1acj08461wrgrva63770aiis02vpvaa7a1xqaibv";
+        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/af7d3bf5daeba3fc28089b015c0dd43f06b176f2/nixos-mailserver-nixos.tar.gz";
+        sha256 = "sha256:1j0r52ij5pw8b8wc5xz1bmm5idwkmsnwpla6smz8gypcjls860ma";
      })
    ];

@ -90,6 +93,15 @@ in
      allowedTCPPorts = [ 53 80 443 2222 7402 ];
      allowedUDPPorts = [ 53 67 500 4500 ];
      trustedInterfaces = [ netifLan ];
+      logRefusedConnections = false;
+      extraCommands = ''
+        iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
+        iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
+      '';
+      extraStopCommands = ''
+        iptables -D INPUT -s 5.78.86.156 -p gre -j ACCEPT
+        iptables -D INPUT -s 5.78.86.156 -p ah -j ACCEPT
+      '';
    };
    useDHCP = false;
    interfaces."${netifWan}".useDHCP = true;  # PCCW - always wants active DHCP lease or cuts you off
@ -176,11 +188,21 @@ in
        iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP  # HP printer, wifi
        iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP  # HP printer, ethernet
        iptables -w -A FORWARD -j block-insecure-devices
+
+        iptables -w -N pccw-sucks
+        iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
+        iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
+        iptables -A pccw-sucks -o ${netifUSA} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
+        iptables -w -A FORWARD -j pccw-sucks
      '';
      extraStopCommands = ''
        iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
        iptables -w -F block-insecure-devices 2>/dev/null|| true
        iptables -w -X block-insecure-devices 2>/dev/null|| true
+
+        iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
+        iptables -w -F pccw-sucks 2>/dev/null|| true
+        iptables -w -X pccw-sucks 2>/dev/null|| true
      '';
    };
    sits."${netifSit}" = {
@ -193,14 +215,37 @@ in
      addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
      routes = [{ address = "::"; prefixLength = 0; }];
    };
-    greTunnels.alt0 = {
+    greTunnels."${netifUSA}" = {
+      dev = netifWan;
+      remote = "5.78.86.156";
+      local = "94.190.212.123";
+      ttl = 255;
+      type = "tun";
+    };
+    greTunnels."${netifAlt}" = {
      dev = netifWan;
      remote = "103.206.98.1";
      local = "94.190.212.123";
      ttl = 255;
      type = "tun";
    };
-    interfaces.alt0 = {
+    interfaces."${netifUSA}" = {
+      ipv4.addresses = [
+        {
+          address = "10.47.3.1";
+          prefixLength = 31;
+        }
+      ];
+      ipv4.routes = [
+        {
+          address = "0.0.0.0";
+          prefixLength = 0;
+          via = "10.47.3.0";
+          options.table = "3";
+        }
+      ];
+    };
+    interfaces."${netifAlt}" = {
      ipv4.addresses = [
        {
          address = "103.206.98.227";
@ -217,12 +262,12 @@ in
      ];
    };
    vlans = {
-      vlan0 = {
+      "${netifAltVlan}" = {
        id = 2;
        interface = netifLan;
      };
    };
-    interfaces.vlan0 = {
+    interfaces."${netifAltVlan}" = {
      ipv4.addresses = [{
        address = "103.206.98.200";
        prefixLength = 29;
@ -255,7 +300,7 @@ in
      id = "fqdn:igw0.hkg.as150788.net";
      pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
    };
-    children.alt0 = {
+    children."${netifAlt}" = {
      mode = "transport";
      ah_proposals = [ "sha256-curve25519" ];
      remote_ts = [ "103.206.98.1[gre]" ];
@ -263,6 +308,27 @@ in
      start_action = "start";
    };
  };
+  services.strongswan-swanctl.swanctl.connections.usa = {
+    local_addrs = [ "94.190.212.123" ];
+    remote_addrs = [ "5.78.86.156" ];
+    local.main = {
+      auth = "pubkey";
+      id = "fqdn:m-labs.hk";
+      pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
+    };
+    remote.main = {
+      auth = "pubkey";
+      id = "fqdn:m-labs-intl.com";
+      pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
+    };
+    children."${netifUSA}" = {
+      mode = "transport";
+      ah_proposals = [ "sha256-curve25519" ];
+      remote_ts = [ "5.78.86.156[gre]" ];
+      local_ts = [ "94.190.212.123[gre]" ];
+      start_action = "start";
+    };
+  };

  systemd.services.network-custom-route-backup = {
    wantedBy = [ "network.target" ];
@ -273,6 +339,15 @@ in
      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
    };
  };
+  systemd.services.network-custom-route-usa = {
+    wantedBy = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
+      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
+    };
+  };
  systemd.services.network-custom-route-alt = {
    wantedBy = [ "network.target" ];
    serviceConfig = {
@ -283,6 +358,15 @@ in
    };
  };

+  systemd.services."network-addresses-${netifUSA}" = {
+    after = pkgs.lib.mkOverride 1 [ "network-pre.target" "${netifUSA}-netdev.service" "systemd-udevd.service" ];
+    requires = [ "systemd-udevd.service" ];
+  };
+  systemd.services."network-addresses-${netifAlt}" = {
+    after = pkgs.lib.mkOverride 1 [ "network-pre.target" "${netifAlt}-netdev.service" "systemd-udevd.service" ];
+    requires = [ "systemd-udevd.service" ];
+  };
+
  # https://kb.isc.org/docs/dnssec-key-and-signing-policy
  # chown named.named /etc/nixos/named
  services.bind = {
@ -375,10 +459,14 @@ in
           notify explicit;
           also-notify {
             216.218.130.2;   # ns1.he.net
+             213.239.220.50;  # ns1.qnetp.net
+             88.198.32.245;   # new qnetp
           };
           '';
        slaves = [
          "216.218.133.2" "2001:470:600::2"       # slave.dns.he.net
+          "213.239.220.50" "2a01:4f8:a0:7041::1"  # ns1.qnetp.net
+          "88.198.32.245"                         # new qnetp
        ];
      };
      "200-29.98.206.103.in-addr.arpa" = {
@ -412,6 +500,7 @@ in
    enable = true;
    radios.${netifWifi} = {
      band = "2g";
+      channel = 7;
      countryCode = "HK";
      networks.${netifWifi} = {
        ssid = "M-Labs";
@ -461,11 +550,6 @@ in
        "/kasli/192.168.1.70"
        "/kasli-customer/192.168.1.75"
        "/stabilizer-customer/192.168.1.76"
-
-        # Google can't do DNS geolocation correctly and slows down websites of everyone using
-        # their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
-        # cannot reach.
-        "/fonts.googleapis.com/142.250.207.74"
      ];

      dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
@ -491,10 +575,23 @@ in
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
-    wget vim git file lm_sensors acpi pciutils psmisc nixops_unstable_minimal
-    irssi tmux usbutils imagemagick jq zip unzip
+    lm_sensors
+    acpi
+    usbutils
+    pciutils
    iw
    nvme-cli
+    smartmontools
+    psmisc
+
+    wget
+    vim
+    git
+    file
+    imagemagick
+    jq
+
+    nixops_unstable_minimal
    borgbackup
    bind
    waypipe
@ -524,6 +621,7 @@ in
  services.openssh.settings.X11Forwarding = true;
  services.openssh.authorizedKeysInHomedir = false;
  programs.mosh.enable = true;
+  programs.tmux.enable = true;

  programs.fish.enable = true;
  programs.zsh.enable = true;
@ -550,7 +648,6 @@ in
    SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
    '';

-  sound.enable = true;
  services.mpd.enable = true;
  services.mpd.musicDirectory = "/tank/sb-public/FLAC";
  services.mpd.network.listenAddress = "192.168.1.1";
@ -567,38 +664,23 @@ in
  users.extraUsers.root = {
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
    ];
    shell = pkgs.fish;
  };
  # https://github.com/NixOS/nixpkgs/issues/155357
  security.sudo.enable = true;

+  # M-Labs HK
  users.extraUsers.sb = {
    isNormalUser = true;
    extraGroups = ["lp" "scanner" "afws" "audio"];
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
    ];
    shell = pkgs.fish;
  };
-  users.extraUsers.rj = {
-    isNormalUser = true;
-    extraGroups = ["afws"];
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
-     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
-     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
-    ];
-  };
-  users.extraUsers.nkrackow = {
-    isNormalUser = true;
-    extraGroups = ["afws"];
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
-    ];
-  };
  users.extraUsers.spaqin = {
    isNormalUser = true;
    extraGroups = ["lp" "afws"];
@ -620,6 +702,35 @@ in
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
    ];
  };
+
+  # M-Labs PH
+  users.extraUsers.flo = {
+    isNormalUser = true;
+    extraGroups = ["afws"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
+    ];
+  };
+
+  # QUARTIQ
+  users.extraUsers.rj = {
+    isNormalUser = true;
+    extraGroups = ["afws"];
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
+     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
+     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
+    ];
+  };
+  users.extraUsers.eduardotenholder = {
+    isNormalUser = true;
+    extraGroups = ["afws"];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu6yhjCoZ62eamYrAXtFefDhplTRUIdD4tncwlkyAEH"
+    ];
+  };
+
+  # HKUST
  users.extraUsers.derppening = {
    isNormalUser = true;
    openssh.authorizedKeys.keys = [
@ -630,7 +741,6 @@ in
  users.extraUsers.nix = {
    isNormalUser = true;
  };
-  boot.kernel.sysctl."kernel.dmesg_restrict" = true;
  services.udev.packages = [ pkgs.sane-backends ];

  nix.settings.max-jobs = 10;
@ -651,6 +761,14 @@ in
        job = web:web:web
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
      </runcommand>
+      <runcommand>
+        job = web:web:web-ph
+        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web-ph
+      </runcommand>
+      <runcommand>
+        job = web:web:web-intl
+        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/
+      </runcommand>
      <runcommand>
        job = web:web:nmigen-docs
        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
@ -762,6 +880,10 @@ in
  services.gitea = {
    enable = true;
    appName = "M-Labs Git";
+    database = {
+      type = "postgres";
+      socket = "/run/postgresql";
+    };
    mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
    settings = {
      server = {
@ -809,32 +931,44 @@ in
    siteUrl = "https://chat.m-labs.hk/";
    mutableConfig = true;
  };
-  services.postgresql.package = pkgs.postgresql_12;
  services.matterbridge = {
    enable = true;
    configPath = "/etc/nixos/secret/matterbridge.toml";
  };
- 
+
+  services.postgresql = {
+    package = pkgs.postgresql_15;
+    settings.listen_addresses = pkgs.lib.mkForce "";
+    identMap =
+      ''
+      rt rt rt_user
+      '';
+  };
+
  nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
    nix = super.nix.overrideAttrs(oa: {
      patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
    });
-    hydra_unstable = super.hydra_unstable.overrideAttrs(oa: {
+    hydra = super.hydra.overrideAttrs(oa: {
      patches = oa.patches or [] ++ [
        ./hydra-conda.patch
        ./hydra-msys2.patch
-        ./hydra-restrictdist.patch
      ];
      hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
      doCheck = false;  # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
    });
+    mattermost = super.mattermost.overrideAttrs(oldAttrs: {
+      webapp = oldAttrs.webapp.overrideAttrs (webappAttrs: {
+        patches = webappAttrs.patches or [ ] ++ [ ./mattermost-remove-free-banner.patch ];
+      });
+    });
    matterbridge = super.matterbridge.overrideAttrs(oa: {
      patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ];
    });
  };

  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "sb" + "@m-labs.hk";
+  security.acme.defaults.email = "sb@m-labs.hk";

  # https://github.com/NixOS/nixpkgs/issues/106862
  systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
@ -864,7 +998,7 @@ in
            expires 60d;
          '';
        };
-        locations."/nuc-netboot/".alias = "${import ./defenestrate}/";
+        locations."/nuc-netboot/".alias = "${import ./defenestrate { prioNixbld = true; } }/";

        # legacy URLs, redirect to avoid breaking people's bookmarks
        locations."/gateware.html".extraConfig = ''
@ -922,9 +1056,24 @@ in
      };
    in {
      "m-labs.hk" = mainWebsite;
-      "www.m-labs.hk" = mainWebsite;
-      "m-labs.ph" = mainWebsite;
-      "www.m-labs.ph" = mainWebsite;
+      "www.m-labs.hk" = {
+        addSSL = true;
+        enableACME = true;
+        globalRedirect = "m-labs.hk";
+      };
+      "m-labs.ph" = {
+        root = "${hydraWwwOutputs}/web-ph";
+        forceSSL = true;
+        enableACME = true;
+        extraConfig = ''
+          error_page 404 /404.html;
+        '';
+      };
+      "www.m-labs.ph" = {
+        addSSL = true;
+        enableACME = true;
+        globalRedirect = "m-labs.ph";
+      };
      "nixbld.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
@ -1025,15 +1174,6 @@ in
      "forum.m-labs.hk" = {
        forceSSL = true;
        enableACME = true;
-        root = "/var/www/flarum/public";
-        locations."~ \.php$".extraConfig = ''
-          fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
-          fastcgi_index index.php;
-        '';
-        extraConfig = ''
-          index index.php;
-          include /var/www/flarum/.nginx.conf;
-        '';
      };
      "perso.m-labs.hk" = {
        addSSL = true;
@ -1080,7 +1220,7 @@ in
      "www.193thz.com" = {
        addSSL = true;
        enableACME = true;
-        root = "/var/www/193thz";
+        globalRedirect = "193thz.com";
      };
      "nmigen.net" = {
        addSSL = true;
@ -1090,7 +1230,7 @@ in
      "www.nmigen.net" = {
        addSSL = true;
        enableACME = true;
-        root = "${hydraWwwOutputs}/nmigen-docs";
+        globalRedirect = "nmigen.net";
      };
    };
  };
@ -1105,23 +1245,17 @@ in
      };
    };
  };
+
  services.mysql = {
    enable = true;
-    package = pkgs.mariadb;
+    package = pkgs.lib.mkForce pkgs.mariadb;
+    ensureDatabases = pkgs.lib.mkForce [];
+    ensureUsers = pkgs.lib.mkForce [];
  };
-  services.phpfpm.pools.flarum = {
-    user = "nobody";
-    settings = {
-      "listen.owner" = "nginx";
-      "listen.group" = "nginx";
-      "listen.mode" = "0600";
-      "pm" = "dynamic";
-      "pm.max_children" = 5;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 1;
-      "pm.max_spare_servers" = 3;
-      "pm.max_requests" = 500;
-    };
+  services.flarum = {
+    enable = true;
+    package = pkgs.callPackage ./flarum {};
+    domain = "forum.m-labs.hk";
  };

  services.rt = {
@ -1146,7 +1280,18 @@ in
      Restart = "on-failure";
      User = "rt";
      Group = "rt";
-      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
+      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail.pid -f /etc/nixos/secret/rt_fetchmailrc'";
+    };
+  };
+  systemd.services.rt-fetchmail-intl = {
+    description = "Fetchmail for RT (intl)";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "dovecot2.service" ];
+    serviceConfig = {
+      Restart = "on-failure";
+      User = "rt";
+      Group = "rt";
+      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail-intl.pid -f /etc/nixos/secret/rt_fetchmailrc_intl'";
    };
  };

@ -1154,24 +1299,44 @@ in
    enable = true;
    localDnsResolver = false;  # conflicts with dnsmasq
    fqdn = "mail.m-labs.hk";
-    domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ];
+    domains = [ "m-labs.hk" "m-labs.ph" "m-labs-intl.com" "193thz.com" "malloctech.fr" ];
    enablePop3 = true;
    enablePop3Ssl = true;
    certificateScheme = "acme-nginx";
  } // (import /etc/nixos/secret/email_settings.nix);
+  services.postfix = {
+    mapFiles."sender_transport" = builtins.toFile "sender_transport" ''
+        @m-labs-intl.com intltunnel:
+    '';
+    config = {
+      sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
+    };
+    masterConfig."intltunnel" = {
+      type = "unix";
+      command = "smtp";
+      args = [
+        "-o" "inet_interfaces=10.47.3.1"
+        "-o" "smtp_helo_name=mail.m-labs-intl.com"
+        "-o" "inet_protocols=ipv4"
+       ];
+    };
+  };
  services.roundcube = {
    enable = true;
    hostName = "mail.m-labs.hk";
+    # https://github.com/roundcube/roundcubemail/issues/5869
    extraConfig = ''
      $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
+      $config['session_storage'] = "php";
    '';
  };

  services.nextcloud = {
    enable = true;
-    package = pkgs.nextcloud29;
+    package = pkgs.nextcloud30;
+    extraApps = { inherit (config.services.nextcloud.package.packages.apps) forms; };
    hostName = "files.m-labs.hk";
    https = true;
    maxUploadSize = "2G";
--- a/nixbld-etc-nixos/flarum/composer.lock
+++ b/nixbld-etc-nixos/flarum/composer.lock
--- a/nixbld-etc-nixos/flarum/default.nix
+++ b/nixbld-etc-nixos/flarum/default.nix
@ -0,0 +1,38 @@
+{
+  lib,
+  php,
+  fetchFromGitHub,
+  fetchpatch,
+}:
+
+php.buildComposerProject (finalAttrs: {
+  pname = "flarum";
+  version = "1.8.1";
+
+  src = fetchFromGitHub {
+    owner = "flarum";
+    repo = "flarum";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
+  };
+
+  patches = [
+    # Add useful flarum extensions (polls, subscribed, upload, email-filter)
+    ./flarum-extensions.patch
+  ];
+
+  composerLock = ./composer.lock;
+  composerStrictValidation = false;
+  vendorHash = "sha256-rWvIKiQVyfvUprYfm/+Jdq+DO5qymyWp+Xh0c0nY2Cw=";
+
+  meta = with lib; {
+    changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
+    description = "Flarum is a delightfully simple discussion platform for your website";
+    homepage = "https://github.com/flarum/flarum";
+    license = lib.licenses.mit;
+    maintainers = with maintainers; [
+      fsagbuya
+      jasonodoom
+    ];
+  };
+})
--- a/nixbld-etc-nixos/flarum/flarum-extensions.patch
+++ b/nixbld-etc-nixos/flarum/flarum-extensions.patch
@ -0,0 +1,17 @@
+diff --git a/composer.json b/composer.json
+index c63b5f8..4bc00c1 100644
+--- a/composer.json
+++ b/composer.json
+@@ -37,7 +37,11 @@
+         "flarum/sticky": "*",
+         "flarum/subscriptions": "*",
+         "flarum/suspend": "*",
+-        "flarum/tags": "*"
+        "flarum/tags": "*",
+        "fof/polls": "*",
+        "fof/subscribed": "*",
+        "fof/upload": "*",
+        "nyu8/flarum-email-filter": "^1.0"
+     },
+     "config": {
+         "preferred-install": "dist",
--- a/nixbld-etc-nixos/gitea-home.tmpl
+++ b/nixbld-etc-nixos/gitea-home.tmpl
@ -15,7 +15,7 @@
 	<div class="ui stackable middle very relaxed page grid">
 		<div class="sixteen wide center column">
 			<p class="large">
-				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-***.hk stating the username you would like to have.
+				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-labs.hk stating the username you would like to have.
 			</p>
 		</div>
 	</div>
--- a/nixbld-etc-nixos/gitea-signin.tmpl
+++ b/nixbld-etc-nixos/gitea-signin.tmpl
@ -4,7 +4,7 @@
 	<div class="ui middle very relaxed page grid">
 		<div class="ui container column fluid">
 			{{template "user/auth/signin_inner" .}}
-			To get an account (also available to external contributors), simply write to sb@m-***s.hk.
+			To get an account (also available to external contributors), simply write to sb@m-labs.hk.
 		</div>
 	</div>
 </div>
--- a/nixbld-etc-nixos/hydra-restrictdist.patch
+++ b/nixbld-etc-nixos/hydra-restrictdist.patch
@ -1,32 +0,0 @@
-diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm
-index a9b0d558..71869ba0 100644
--- a/src/lib/Hydra/Controller/Root.pm
-+++ b/src/lib/Hydra/Controller/Root.pm
-@@ -19,6 +19,11 @@ use Net::Prometheus;
- # Put this controller at top-level.
- __PACKAGE__->config->{namespace} = '';
- 
-+sub isRedistRestricted {
-+  my ($path) = @_;
-+
-+  return index($path, "-RESTRICTDIST-") >= 0;
-+}
- 
- sub noLoginNeeded {
-   my ($c) = @_;
-@@ -319,6 +324,7 @@ sub nar :Local :Args(1) {
-         $path = $Nix::Config::storeDir . "/$path";
- 
-         gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path);
-+        notFound($c, "Redistribution restricted") if isRedistRestricted($path);
- 
-         $c->stash->{current_view} = 'NixNAR';
-         $c->stash->{storePath} = $path;
-@@ -368,6 +374,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
-             setCacheHeaders($c, 60 * 60);
-             return;
-         }
-+        notFound($c, "Redistribution restricted") if isRedistRestricted($path);
- 
-         $c->stash->{storePath} = $path;
-         $c->forward('Hydra::View::NARInfo');
--- a/nixbld-etc-nixos/mattermost-remove-free-banner.patch
+++ b/nixbld-etc-nixos/mattermost-remove-free-banner.patch
@ -0,0 +1,210 @@
+diff --git webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
+index 9af4fc7354..60ae3160e8 100644
+--- webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
+++ webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
+@@ -9,10 +9,6 @@ import Logo from 'components/common/svg_images_components/logo_dark_blue_svg';
+ const ProductBrandingTeamEditionContainer = styled.div`
+     display: flex;
+     align-items: center;
+-
+-    > * + * {
+-        margin-left: 8px;
+-    }
+ `;
+ 
+ const StyledLogo = styled(Logo)`
+@@ -21,23 +17,6 @@ const StyledLogo = styled(Logo)`
+     }
+ `;
+ 
+-const Badge = styled.div`
+-    display: flex;
+-    align-self: center;
+-    padding: 2px 6px;
+-    position: relative;
+-    top: 1px;
+-    border-radius: var(--radius-s);
+-    margin-left: 12px;
+-    background: rgba(var(--sidebar-text-rgb), 0.08);
+-    color: rgba(var(--sidebar-text-rgb), 0.75);
+-    font-family: 'Open Sans', sans-serif;
+-    font-size: 10px;
+-    font-weight: 600;
+-    letter-spacing: 0.025em;
+-    line-height: 16px;
+-`;
+-
+ const ProductBrandingTeamEdition = (): JSX.Element => {
+     return (
+         <ProductBrandingTeamEditionContainer tabIndex={0}>
+@@ -45,7 +24,6 @@ const ProductBrandingTeamEdition = (): JSX.Element => {
+                 width={116}
+                 height={20}
+             />
+-            <Badge>{'FREE EDITION'}</Badge>
+         </ProductBrandingTeamEditionContainer>
+     );
+ };
+diff --git webapp/channels/src/components/header_footer_route/header.scss webapp/channels/src/components/header_footer_route/header.scss
+index e7c76f9861..2841858f44 100644
+--- webapp/channels/src/components/header_footer_route/header.scss
+++ webapp/channels/src/components/header_footer_route/header.scss
+@@ -39,23 +39,6 @@
+                 width: 170px;
+                 fill: var(--center-channel-color);
+             }
+-
+-            .freeBadge {
+-                position: relative;
+-                top: 1px;
+-                display: flex;
+-                align-self: center;
+-                padding: 2px 6px;
+-                border-radius: var(--radius-s);
+-                margin-left: 12px;
+-                background: rgba(var(--center-channel-color-rgb), 0.08);
+-                color: rgba(var(--center-channel-color-rgb), 0.75);
+-                font-family: 'Open Sans', sans-serif;
+-                font-size: 10px;
+-                font-weight: 600;
+-                letter-spacing: 0.025em;
+-                line-height: 16px;
+-            }
+         }
+     }
+ 
+@@ -77,12 +60,6 @@
+             margin-top: 12px;
+         }
+     }
+-
+-    &.has-free-banner.has-custom-site-name {
+-        .header-back-button {
+-            bottom: -20px;
+-        }
+-    }
+ }
+ 
+ @media screen and (max-width: 699px) {
+diff --git webapp/channels/src/components/header_footer_route/header.tsx webapp/channels/src/components/header_footer_route/header.tsx
+index 8cd1d8a624..55554fb0ad 100644
+--- webapp/channels/src/components/header_footer_route/header.tsx
+++ webapp/channels/src/components/header_footer_route/header.tsx
+@@ -25,33 +25,15 @@ const Header = ({alternateLink, backButtonURL, onBackButtonClick}: HeaderProps)
+ 
+     const ariaLabel = SiteName || 'Mattermost';
+ 
+-    let freeBanner = null;
+-    if (license.IsLicensed === 'false') {
+-        freeBanner = <><Logo/><span className='freeBadge'>{'FREE EDITION'}</span></>;
+-    }
+-
+     let title: React.ReactNode = SiteName;
+     if (title === 'Mattermost') {
+-        if (freeBanner) {
+-            title = '';
+-        } else {
+-            title = <Logo/>;
+-        }
+        title = <Logo/>;
+     }
+ 
+     return (
+-        <div className={classNames('hfroute-header', {'has-free-banner': freeBanner, 'has-custom-site-name': title})}>
+        <div className={classNames('hfroute-header', {'has-custom-site-name': title})}>
+             <div className='header-main'>
+                 <div>
+-                    {freeBanner &&
+-                        <Link
+-                            className='header-logo-link'
+-                            to='/'
+-                            aria-label={ariaLabel}
+-                        >
+-                            {freeBanner}
+-                        </Link>
+-                    }
+                     {title &&
+                         <Link
+                             className='header-logo-link'
+diff --git webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
+index 35646539c4..fbdbb39710 100644
+--- webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
+++ webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
+@@ -1,42 +1,17 @@
+ // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+ // See LICENSE.txt for license information.
+ 
+-import React from 'react';
+-import {useIntl} from 'react-intl';
+ import {useSelector} from 'react-redux';
+-import styled from 'styled-components';
+ 
+ import {getLicense} from 'mattermost-redux/selectors/entities/general';
+ 
+-import ExternalLink from 'components/external_link';
+-
+-import {LicenseLinks} from 'utils/constants';
+-
+ import './menu_item.scss';
+ 
+-const FreeVersionBadge = styled.div`
+-     position: relative;
+-     top: 1px;
+-     display: flex;
+-     padding: 2px 6px;
+-     border-radius: var(--radius-s);
+-     margin-bottom: 6px;
+-     background: rgba(var(--center-channel-color-rgb), 0.08);
+-     color: rgba(var(--center-channel-color-rgb), 0.75);
+-     font-family: 'Open Sans', sans-serif;
+-     font-size: 10px;
+-     font-weight: 600;
+-     letter-spacing: 0.025em;
+-     line-height: 16px;
+-`;
+-
+ type Props = {
+     id: string;
+ }
+ 
+ const MenuStartTrial = (props: Props): JSX.Element | null => {
+-    const {formatMessage} = useIntl();
+-
+     const license = useSelector(getLicense);
+     const isCurrentLicensed = license?.IsLicensed;
+ 
+@@ -44,33 +19,7 @@ const MenuStartTrial = (props: Props): JSX.Element | null => {
+         return null;
+     }
+ 
+-    return (
+-        <li
+-            className={'MenuStartTrial'}
+-            role='menuitem'
+-            id={props.id}
+-        >
+-            <FreeVersionBadge>{'FREE EDITION'}</FreeVersionBadge>
+-            <div className='editionText'>
+-                {formatMessage(
+-                    {
+-                        id: 'navbar_dropdown.versionText',
+-                        defaultMessage: 'This is the free <link>unsupported</link> edition of Mattermost.',
+-                    },
+-                    {
+-                        link: (msg: React.ReactNode) => (
+-                            <ExternalLink
+-                                location='menu_start_trial.unsupported-link'
+-                                href={LicenseLinks.UNSUPPORTED}
+-                            >
+-                                {msg}
+-                            </ExternalLink>
+-                        ),
+-                    },
+-                )}
+-            </div>
+-        </li>
+-    );
+    return null;
+ };
+ 
+ export default MenuStartTrial;
--- a/nixbld-etc-nixos/named/m-labs-intl.com
+++ b/nixbld-etc-nixos/named/m-labs-intl.com
@ -1,7 +1,7 @@
 $TTL 7200

@						SOA	ns.m-labs-intl.com. sb.m-labs.hk. (
-							2024060601
+							2024101401
 							7200
 							3600
 							86400
@ -10,11 +10,21 @@ $TTL 7200

 						NS		ns.m-labs-intl.com.
 						NS		ns1.he.net.
+						NS		ns1.qnetp.net.

 						A		5.78.86.156
 						AAAA	2a01:4ff:1f0:83de::1
+						MX		10 mail.m-labs-intl.com.
+						TXT		"v=spf1 mx -all"
+						TXT		"google-site-verification=BlQd5_5wWW7calKC7bZA0GdoxR8-zj4gwJEg9sGJ3l8"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1768317117"

 ns						A		94.190.212.123
 ns						AAAA	2001:470:18:390::2

+mail					A		5.78.86.156
+mail._domainkey			IN	TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
+_dmarc					TXT		"v=DMARC1; p=none"
+
 www						CNAME	@
+hooks					CNAME	@
--- a/nixbld-etc-nixos/named/m-labs.hk
+++ b/nixbld-etc-nixos/named/m-labs.hk
@ -1,7 +1,7 @@
 $TTL 7200

@						SOA	NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
-							2024060201
+							2024080501
 							7200
 							3600
 							86400
@ -43,17 +43,7 @@ files					CNAME	@
 docs					CNAME	@

 rpi-1					AAAA	2001:470:f891:1:dea6:32ff:fe8a:6a93
-rpi-2					AAAA	2001:470:f891:1:ba27:ebff:fef0:e9e6
 rpi-4					AAAA	2001:470:f891:1:dea6:32ff:fe14:fce9
-chiron					AAAA	2001:470:f891:1:7f02:9ebf:bee9:3dc7
-old-nixbld				AAAA	2001:470:f891:1:a07b:f49a:a4ef:aad9
-zeus					AAAA	2001:470:f891:1:4fd7:e70a:68bf:e9c1
-franz					AAAA	2001:470:f891:1:1b65:a743:2335:f5c6
-hera					AAAA	2001:470:f891:1:8b5e:404d:ef4e:9d92
-hestia					AAAA	2001:470:f891:1:881c:f409:a090:8401
-vulcan					AAAA	2001:470:f891:1:105d:3f15:bd53:c5ac
-
-aux						A		42.200.147.171

 router.alt				A		103.206.98.200
 stewardship1.alt		A		103.206.98.201
--- a/nixbld-etc-nixos/nix-networked-derivations.patch
+++ b/nixbld-etc-nixos/nix-networked-derivations.patch
@ -1,8 +1,8 @@
-diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
-index 64b55ca6a..9b4e52b8e 100644
--- a/src/libstore/build/local-derivation-goal.cc
-+++ b/src/libstore/build/local-derivation-goal.cc
-@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild()
+diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
+index 2a09e3dd4..7dc03855f 100644
+--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
+@@ -197,6 +197,8 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
 
     assert(derivationType);
 
@ -11,7 +11,7 @@ index 64b55ca6a..9b4e52b8e 100644
     /* Are we doing a chroot build? */
     {
         auto noChroot = parsedDrv->getBoolAttr("__noChroot");
-@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild()
+@@ -214,7 +216,7 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
         else if (settings.sandboxMode == smDisabled)
             useChroot = false;
         else if (settings.sandboxMode == smRelaxed)
@ -20,7 +20,7 @@ index 64b55ca6a..9b4e52b8e 100644
     }
 
     auto & localStore = getLocalStore();
-@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -737,7 +739,7 @@ void LocalDerivationGoal::startBuilder()
                 "nogroup:x:65534:\n", sandboxGid()));
 
         /* Create /etc/hosts with localhost entry. */
@ -29,7 +29,7 @@ index 64b55ca6a..9b4e52b8e 100644
             writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
 
         /* Make the closure of the inputs available in the chroot,
-@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -938,7 +940,7 @@ void LocalDerivationGoal::startBuilder()
            us.
         */
 
@ -38,16 +38,16 @@ index 64b55ca6a..9b4e52b8e 100644
             privateNetwork = true;
 
         userNamespaceSync.create();
-@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv()
+@@ -1177,7 +1179,7 @@ void LocalDerivationGoal::initEnv()
        to the builder is generally impure, but the output of
        fixed-output derivations is by definition pure (since we
        already know the cryptographic hash of the output). */
 -    if (!derivationType->isSandboxed()) {
 +    if (networked || !derivationType->isSandboxed()) {
-         for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
-             env[i] = getEnv(i).value_or("");
-     }
-@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild()
+         auto & impureEnv = settings.impureEnv.get();
+         if (!impureEnv.empty())
+             experimentalFeatureSettings.require(Xp::ConfigurableImpureEnv);
+@@ -1851,7 +1853,7 @@ void LocalDerivationGoal::runChild()
             /* Fixed-output derivations typically need to access the
                network, so give them access to /etc/resolv.conf and so
                on. */
@ -56,21 +56,21 @@ index 64b55ca6a..9b4e52b8e 100644
                 // Only use nss functions to resolve hosts and
                 // services. Don’t use it for anything else that may
                 // be configured for this system. This limits the
-@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild()
-                     #include "sandbox-defaults.sb"
+@@ -2083,7 +2085,7 @@ void LocalDerivationGoal::runChild()
+                 #include "sandbox-defaults.sb"
+                 ;
+ 
+-            if (!derivationType->isSandboxed())
+            if (networked || !derivationType->isSandboxed())
+                 sandboxProfile +=
+                     #include "sandbox-network.sb"
                     ;
- 
-                if (!derivationType->isSandboxed())
-+                if (networked || !derivationType->isSandboxed())
-                     sandboxProfile +=
-                         #include "sandbox-network.sb"
-                         ;
-diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
-index 0a05081c7..4c251718c 100644
--- a/src/libstore/build/local-derivation-goal.hh
-+++ b/src/libstore/build/local-derivation-goal.hh
-@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal
- 
+diff --git a/src/libstore/unix/build/local-derivation-goal.hh b/src/libstore/unix/build/local-derivation-goal.hh
+index bf25cf2a6..28f8c1e95 100644
+--- a/src/libstore/unix/build/local-derivation-goal.hh
+++ b/src/libstore/unix/build/local-derivation-goal.hh
+@@ -83,6 +83,8 @@ struct LocalDerivationGoal : public DerivationGoal
+      */
     Path chrootRootDir;
 
 +    bool networked;
--- a/nixbld-etc-nixos/rt.nix
+++ b/nixbld-etc-nixos/rt.nix
@ -19,14 +19,9 @@ let
      Set($Timezone, '${cfg.timeZone}');

      Set($DatabaseType, 'Pg');
-      Set($DatabaseHost, 'localhost');
-      Set($DatabaseUser, 'rt_user');
+      Set($DatabaseHost, '/run/postgresql');
+      Set($DatabaseUser, 'rt');
      Set($DatabaseName, 'rt5');
-      # Read database password from file
-      open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
-      my $dbpw = do { local $/; <$fh> };
-      $dbpw =~ s/^\s+|\s+$//g;
-      Set($DatabasePassword, $dbpw);

      # System (Logging)
      Set($LogToSTDERR, undef); # Don't log twice
@ -35,7 +30,7 @@ let
      Set($OwnerEmail, '${cfg.ownerEmail}');
      Set($MaxAttachmentSize, 15360000);
      Set($CheckMoreMSMailHeaders, 1);
-      Set($RTAddressRegexp, '^(helpdesk|sales)\@(m-labs.hk)$');
+      Set($RTAddressRegexp, '^(helpdesk)\@(m-labs.hk|m-labs-intl.com)$');
      Set($LoopsToRTOwner, 0);

      # System (Outgoing mail)
@ -154,13 +149,6 @@ in {
      type = str;
    };

-    dbPasswordFile = mkOption {
-      description = "File containing the database password";
-      type = str;
-      default = "/etc/nixos/secret/rtpasswd";
-      internal = true;
-    };
-
    domain = mkOption {
      description = "Which domain RT is running on";
      type = str;
@ -245,8 +233,6 @@ in {

          PrivateNetwork = false;
          MemoryDenyWriteExecute = false;
-
-          ReadOnlyPaths = [ cfg.dbPasswordFile ];
        };

        environment = {
--- a/nixops/common-users.nix
+++ b/nixops/common-users.nix
@ -4,7 +4,7 @@
  root = {
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
    ];
  };
  sb = {
@ -12,7 +12,7 @@
    extraGroups = ["wheel" "plugdev" "dialout" "libvirtd"];
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
    ];
  };
  rj = {
@ -57,7 +57,7 @@
  };
  esavkin = {
    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout" "libvirtd"];
+    extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
    openssh.authorizedKeys.keys = [
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
    ];
@ -111,13 +111,6 @@
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
    ];
  };
-  architeuthis = {
-    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMhLPEGWDUauFHjiVduBMJrIMKT8SvtTDHXDVudUZrhewQy08h4NEEyWmczP4WMeyugI/L/a+J+Vc8mImgqSoHw52823LVcnR9EKnJoqnwAHU/J+41vIWAN2LAryd4p9yg=="
-    ];
-  };
  abdul = {
    isNormalUser = true;
    extraGroups = ["plugdev" "dialout"];
@ -125,21 +118,6 @@
      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
    ];
  };
-  lyken = {
-    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ88QJlh/+F/xwXQlPEmQVmtycb8FfabxCdeiP3gTHUCV8y4PLh3ubY+EsY+Xhy/GlOAPdX7KSpiII3dndYfwZWzorXVoPBhhPKEIumFBOinWfp5kRVzWOD61gCwsYoVBg=="
-    ];
-  };
-  wanglm = {
-    isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNhRITe/qj/zvW2dZbXNmyJxLHPgJAynlWh6NCGGarJbkhj8c1UFLUo2Hv7xqGil4PZnPGru4WwHX0RhWS/I39UPzfVvuntRGenNqqpo2T9Ble80QCawpZ2c07w7FkVq7g=="
-    ];
-  };
-

  dpn = {
    isNormalUser = true;
--- a/nixops/desktop.nix
+++ b/nixops/desktop.nix
@ -12,6 +12,7 @@ in

  boot.loader.systemd-boot.memtest86.enable = true;
  boot.loader.grub.memtest86.enable = true;
+  boot.kernel.sysctl."kernel.dmesg_restrict" = false;

  imports =
    [
@ -64,8 +65,8 @@ in
    xournal
    xsane
    gtkwave unzip zip gnupg
-    gnome3.gnome-tweaks
-    gnome3.ghex
+    gnome-tweaks
+    ghex
    jq sublime3 rink qemu_kvm
    tmux screen gdb minicom picocom
    artiq.packages.x86_64-linux.openocd-bscanspi
@ -129,17 +130,9 @@ in
    nssmdns4 = true;
  };

-  # Enable sound.
-  sound.enable = true;
-  hardware.pulseaudio = {
-    enable = true;
-    package = pkgs.pulseaudioFull;
-  };
+  hardware.graphics.enable32Bit = true;

-  hardware.opengl.driSupport32Bit = true;
-  hardware.pulseaudio.support32Bit = true;
-
-  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
+  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];

  # Enable the X11 windowing system.
  services.xserver.enable = true;
--- a/nixops/extra-udev.nix
+++ b/nixops/extra-udev.nix
@ -23,4 +23,5 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="4121", MODE="0660"
 SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
 # DSLogic
 SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
 ''
--- a/nixops/juno-hardware-configuration.nix
+++ b/nixops/juno-hardware-configuration.nix
@ -1,48 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/3dca09c8-f725-416a-9f89-b69297698ca9";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/4E51-B390";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  nixpkgs.config.nvidia.acceptLicense = true;
-  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
-  services.xserver.videoDrivers = [ "nvidia" ];
-  services.xserver.displayManager.gdm.wayland = false;
-
-  system.stateVersion = "23.05";
-}
--- a/nixops/nixops.nix
+++ b/nixops/nixops.nix
@ -13,7 +13,6 @@
  chiron = import ./desktop.nix { host = "chiron"; };
  old-nixbld = import ./desktop.nix { host = "old-nixbld"; };
  franz = import ./desktop.nix { host = "franz"; };
-  juno = import ./desktop.nix { host = "juno"; };
  demeter = import ./desktop.nix { host = "demeter"; };
  vulcan = import ./desktop.nix { host = "vulcan"; };
  rc = import ./desktop.nix { host = "rc"; };
--- a/nixops/rpi.nix
+++ b/nixops/rpi.nix
@ -15,6 +15,7 @@ in
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208
  boot.initrd.includeDefaultModules = false;
+  boot.kernel.sysctl."kernel.dmesg_restrict" = false;

  fileSystems = {
    "/" = {
--- a/remote-ipsec.txt
+++ b/remote-ipsec.txt
@ -0,0 +1,49 @@
+connections {
+  bypass-ipsec {
+    remote_addrs = 127.0.0.1
+    children {
+      bypass-isakmp-v4 {
+        local_ts = 0.0.0.0/0[udp/isakmp]
+        remote_ts = 0.0.0.0/0[udp/isakmp]
+        mode = pass
+        start_action = trap
+      }
+      bypass-isakmp-v6 {
+        local_ts = ::/0[udp/isakmp]
+        remote_ts = ::/0[udp/isakmp]
+        mode = pass
+        start_action = trap
+      }
+    }
+  }
+  m_labs {
+    version = 2
+    encap = no
+    mobike = no
+    send_certreq = no
+    proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
+    local_addrs = 103.206.98.1
+    remote_addrs = 94.190.212.123
+    local {
+      auth = pubkey
+      id = fqdn:igw0.hkg.as150788.net
+      pubkeys = igw0.hkg.as150788.net
+    }
+    remote {
+      auth = pubkey
+      id = fqdn:m-labs.hk
+      pubkeys = m-labs.hk
+    }
+    children {
+      con1 {
+        mode = transport
+        ah_proposals = sha256-curve25519,sha256-ecp256
+        esp_proposals =
+        local_ts = 103.206.98.1[gre]
+        remote_ts = 94.190.212.123[gre]
+        start_action = none
+        close_action = none
+      }
+    }
+  }
+}
Author	SHA1	Message	Date
Florian Agbuya	865385f6f2	flarum: add email-filter extension	2025-01-16 09:13:07 +08:00
Florian Agbuya	e226551eca	mattermost: remove unsupported edition message from menu	2025-01-15 11:28:24 +08:00
Florian Agbuya	a572fe236c	mattermost: fix override format	2025-01-15 10:22:16 +08:00
Florian Agbuya	e2c78a5064	mattermost: remove free edition banner spam	2025-01-15 10:00:21 +08:00
Egor Savkin	0e62d0a78a	Fix GRE tunnels restarted before udev service started This patch adds explicit requirements for network addresses services to run after and only when udevd service is running. Also depend on virt netdev creation service instead of device Signed-off-by: Egor Savkin <es@m-labs.hk>	2025-01-14 16:40:35 +08:00
Egor Savkin	1b0cc6544e	Do not merge PH with main website Signed-off-by: Egor Savkin <es@m-labs.hk> # Conflicts: # nixbld-etc-nixos/configuration.nix	2025-01-09 11:00:08 +08:00
Sébastien Bourdeauducq	18bc04b419	nixbld: attempt to work around 'PHP Error: Invalid compose ID' roundcube bug	2025-01-08 22:11:32 +08:00
Sébastien Bourdeauducq	3f33c1c980	Revert "Use dedicated website folder for PH region" This reverts commit `0b3fe57a93`.	2025-01-08 10:32:29 +08:00
Egor Savkin	0b3fe57a93	Use dedicated website folder for PH region Signed-off-by: Egor Savkin <es@m-labs.hk>	2025-01-07 12:34:26 +08:00
Sébastien Bourdeauducq	e4b6c68ae3	nixops: add back abdul	2024-12-18 18:19:29 +08:00
Sebastien Bourdeauducq	060c6bfe21	nixbld: unscramble email addresses for gitea	2024-12-04 21:21:36 +08:00
Egor Savkin	da74156ca8	Reduce websites duplication Redirect www.* URLs to non-www.* with default 301 code in order to reduce number of copies of the websites in search engines Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-12-04 16:55:36 +08:00
Sébastien Bourdeauducq	9558882e2b	dmesg_restrict is now default on NixOS 24.11	2024-12-04 12:33:07 +08:00
Sébastien Bourdeauducq	9e74ec65bb	nixbld: hydra-restrictdist not needed anymore	2024-12-04 12:25:40 +08:00
Sébastien Bourdeauducq	1b51f86343	nixbld: patch correct hydra package	2024-12-04 12:25:23 +08:00
Sébastien Bourdeauducq	b088c11806	nixbld: reduce mattermost spam	2024-12-04 12:06:12 +08:00
Sébastien Bourdeauducq	6510ba9a2d	nixbld: nixpkgs 24.11	2024-12-03 19:27:26 +08:00
Sébastien Bourdeauducq	81cfe07acd	unscramble email	2024-12-03 17:41:25 +08:00
Florian Agbuya	a8593a2e97	flarum: update core and packages	2024-11-29 11:49:31 +08:00
Sebastien Bourdeauducq	7f10e2b817	nixops: remove juno	2024-11-27 18:52:28 +08:00
Sébastien Bourdeauducq	2f1235a997	update sb backup key	2024-11-26 21:46:47 +08:00
Sébastien Bourdeauducq	c7ea537622	Revert "Break cycle dependency of tunnel netdev services on network setup" Does not solve the problem. This reverts commit `b1779b57cc`.	2024-11-25 12:11:36 +08:00
Florian Agbuya	d1236d548d	afws: enable file logging with afws group permissions	2024-11-22 15:34:23 +08:00
Sebastien Bourdeauducq	98c1ecd325	nixops: nixpkgs 24.11 compatibility	2024-11-16 18:49:26 +08:00
Sébastien Bourdeauducq	45e718d65a	nixops: add esavkin to wireshark group	2024-11-06 15:25:21 +08:00
Sébastien Bourdeauducq	243deb96be	nixbld: update Nix patch	2024-11-05 18:45:40 +08:00
Egor Savkin	b1779b57cc	Break cycle dependency of tunnel netdev services on network setup This changes the following chain after nixos-rebuild switch with modified tunnel interfaces: stop network-setup -> stop TUN-netdev -> stop network-addresses-TUN -> start network-addresses-TUN (fails since it depends on TUN-netdev which is off). Chain after this change: stop TUN-netdev -> stop network-setup -> stop network-addresses-TUN -> start TUN-netdev -> start network-addresses-TUN -> start network-setup Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-30 17:23:52 +08:00
Sébastien Bourdeauducq	4f8d84e3ef	nixbld: enable prioNixbld for new defenestrate	2024-10-30 14:53:56 +08:00
Egor Savkin	eabd92d2e8	Use tunnel for uploading web-intl Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-24 17:35:34 +08:00
Sébastien Bourdeauducq	04a64c3710	nixbld: set up RT for m-labs-intl.com	2024-10-24 15:49:41 +08:00
Egor Savkin	d27ee750a2	m-labs-intl.com VPS setup information Co-authored-by: Egor Savkin <es@m-labs.hk> Co-committed-by: Egor Savkin <es@m-labs.hk>	2024-10-21 15:48:17 +08:00
Sébastien Bourdeauducq	14e9d63ab7	nixbld: apply TCP MSS clamping to USA tunnel	2024-10-17 15:08:27 +08:00
Sébastien Bourdeauducq	19aee9b59f	nixbld: send mail from m-labs-intl.com through trump0	2024-10-17 15:04:50 +08:00
Sébastien Bourdeauducq	f8a3d54b54	nixbld: update simple-nixos-mailserver	2024-10-17 15:04:14 +08:00
Sébastien Bourdeauducq	c499a7ce86	nixbld: keep checking SPF for email from tunnel GRE preserves source IP information.	2024-10-17 14:48:04 +08:00
Sébastien Bourdeauducq	476f5d1d6c	nixbld: update to nextcloud 30	2024-10-16 11:33:07 +08:00
Sebastien Bourdeauducq	ecf40fb2db	nixbld: fix firewall issue with incoming USA tunnel connections	2024-10-15 21:27:43 +08:00
Sébastien Bourdeauducq	34102e66ad	nixbld: install nextcloud forms app	2024-10-15 16:22:33 +08:00
Sébastien Bourdeauducq	93ae830468	nixbld: disable IPv6 MX for m-labs-intl.com	2024-10-14 14:23:15 +08:00
Sébastien Bourdeauducq	8af66556b9	nixbld: remove google fonts workaround	2024-10-11 17:27:10 +08:00
Sébastien Bourdeauducq	94cff9bb09	nixbld: revert `233998b8` (did not fix the problem)	2024-10-08 16:11:12 +08:00
Sébastien Bourdeauducq	2bf7bb0638	nixbld: connect to USA VPN	2024-10-08 16:09:56 +08:00
Sébastien Bourdeauducq	3419fe6013	nixbld: remove nkrackow user	2024-10-05 10:15:13 +08:00
Sébastien Bourdeauducq	ec53c0cbdd	nixbld: add eduardotenholder user	2024-10-02 18:41:45 +08:00
Sébastien Bourdeauducq	0258f5cff4	nixbld: reorganize users (NFC)	2024-10-02 18:40:48 +08:00
Sébastien Bourdeauducq	b723b7f8c0	nixbld: clean up/update systemPackages	2024-09-30 15:12:01 +08:00
Sébastien Bourdeauducq	0c336f3dd7	nixbld: do not log refused connections Happen all the time and spam the kernel log.	2024-09-30 14:40:09 +08:00
Sebastien Bourdeauducq	11181f0397	nixbld: flarum createDatabaseLocally no longer needed https://github.com/NixOS/nixpkgs/pull/341340	2024-09-23 10:52:08 +08:00
Sebastien Bourdeauducq	aaf70f36df	nixops: remove user accounts	2024-09-13 13:23:15 +08:00
Sébastien Bourdeauducq	4a288abe2b	nixbld: keep automatic flarum DB migrations	2024-09-10 17:12:44 +08:00
Sébastien Bourdeauducq	246a375dfb	add remote IPsec settings	2024-09-05 14:36:37 +08:00
Sébastien Bourdeauducq	635f90f0c7	nixbld/flarum: use nix	2024-08-31 17:27:16 +08:00
Sébastien Bourdeauducq	8a187ba5b9	nixbld: SIT can take larger packets	2024-08-29 18:55:52 +08:00
Sébastien Bourdeauducq	9383227c5b	nixbld: consistent netif variables	2024-08-29 18:53:33 +08:00
Sébastien Bourdeauducq	233998b8f3	nixbld: work around tunnel bring-up race condition	2024-08-29 18:40:17 +08:00
Sébastien Bourdeauducq	90a6b84c09	nixbld: work around tunnel TCPMSS issues	2024-08-29 18:39:52 +08:00
Sébastien Bourdeauducq	23e1fa029a	nixbld: upgrade postgresql	2024-08-25 11:06:19 +08:00
Egor Savkin	75035b387e	Skip SPF for mails originating from intl Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-08-20 10:59:27 +08:00
Sébastien Bourdeauducq	4f48ea611a	nixops: remove wanglm user	2024-08-19 11:18:06 +08:00
Sébastien Bourdeauducq	6dc8214102	nixbld/backup: include gitea DB dump	2024-08-17 18:26:46 +08:00
Sébastien Bourdeauducq	a6b216bb87	nixbld/gitea: move to postgresql	2024-08-17 18:18:56 +08:00
Sébastien Bourdeauducq	6e21a95ba8	nixbld/named: add qnetp slave DNS for m-labs-intl.com	2024-08-15 19:52:42 +08:00
Sébastien Bourdeauducq	d08186a27a	nixbld/named: enable CAA for m-labs-intl.com	2024-08-14 11:52:25 +08:00
Sébastien Bourdeauducq	5d132565e6	nixbld/named: add hooks.m-labs-intl.com	2024-08-14 11:42:38 +08:00
Sébastien Bourdeauducq	97ca7ea3ce	nixbld: mail setup for m-labs-intl.com WIP	2024-08-14 11:38:19 +08:00
Sébastien Bourdeauducq	e24c167f8b	Revert "nixbld: block SAP spam" Option seems to have no effect. This reverts commit `b769b47075`.	2024-08-14 10:58:49 +08:00
Egor Savkin	18194be5c3	nixbld: deploy web2019 to the intl domain Co-authored-by: Egor Savkin <es@m-labs.hk> Co-committed-by: Egor Savkin <es@m-labs.hk>	2024-08-14 10:54:52 +08:00
Sébastien Bourdeauducq	7781d6236e	nixbld/rt: disable TCP	2024-08-11 12:19:15 +08:00
Sébastien Bourdeauducq	93e19c74e9	nixbld/rt: use psql peer authentication	2024-08-11 12:12:28 +08:00
Sébastien Bourdeauducq	4ccab3cf2b	nixbld: remove outdated DNS records	2024-08-05 19:13:34 +08:00
Sebastien Bourdeauducq	69fe8c9866	nixbld: add flo user	2024-08-01 07:32:11 +08:00
Sebastien Bourdeauducq	b769b47075	nixbld: block SAP spam	2024-07-02 09:56:02 +02:00
Sébastien Bourdeauducq	f0668fa5b7	juno: mobo swap	2024-06-27 14:20:30 +08:00
Sébastien Bourdeauducq	8422d16978	nixops: add new DSLogic USB ID	2024-06-26 13:29:20 +08:00