afws: enable file logging with afws group permissions

This changes the following chain after nixos-rebuild switch with modified tunnel interfaces:
stop network-setup -> stop TUN-netdev -> stop network-addresses-TUN -> start network-addresses-TUN (fails since it depends on TUN-netdev which is off).

Chain after this change:
stop TUN-netdev -> stop network-setup -> stop network-addresses-TUN -> start TUN-netdev -> start network-addresses-TUN -> start network-setup

Signed-off-by: Egor Savkin <es@m-labs.hk>

m-labs-intl/60-tunnels.yaml

@@ -0,0 +1,18 @@
+network:
+   version: 2
+   renderer: networkd
+   ethernets:
+     eth0:
+       addresses:
+       - 5.78.86.156/32
+       - 2a01:4ff:1f0:83de::2/64
+       - 2a01:4ff:1f0:83de::3/64
+       - 2a01:4ff:1f0:83de::4/64
+   tunnels:
+     gre1:
+       mode: gre
+       local: 5.78.86.156
+       remote: 94.190.212.123
+       addresses:
+        - 10.47.3.0/31
+

m-labs-intl/gretun.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=GRE tunnel to the main host
+After=network.target
+
+[Service]
+Type=simple
+User=root
+ExecStart=/root/gretun.sh
+ExecStop=/root/gretun_down.sh
+Restart=on-failure
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

m-labs-intl/gretun.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
+/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
+
+/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
+/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
+
+/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

m-labs-intl/gretun_down.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
+/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
+
+/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
+/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
+
+/usr/sbin/iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+/usr/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

m-labs-intl/m-labs-intl.com

@@ -0,0 +1,81 @@
+upstream rfq_server {
+    server 127.0.0.1:5000;
+}
+
+server {
+    limit_conn addr 5;
+
+    root /var/www/m-labs-intl.com/html;
+    index index.html index.htm index.nginx-debian.html;
+
+    server_name m-labs-intl.com;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    listen [::]:443 ssl ipv6only=on; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+    server_name www.m-labs-intl.com;
+    return 301 https://m-labs-intl.com$request_uri;
+
+    listen [::]:443 ssl; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+    server_name hooks.m-labs-intl.com;
+    limit_conn addr 5;
+
+    location /rfq {
+        proxy_pass http://rfq_server/rfq;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 30;
+        proxy_connect_timeout 30;
+        proxy_send_timeout 30;
+    }
+
+    location / {
+        return 418;
+    }
+
+    listen [::]:443 ssl; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+    limit_conn addr 5;
+    if ($host = m-labs-intl.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    if ($host = www.m-labs-intl.com) {
+        return 301 https://m-labs-intl.com$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    listen [::]:80;
+
+    server_name m-labs-intl.com www.m-labs-intl.com hooks.m-labs-intl.com;
+    return 301 https://$host$request_uri;
+}

m-labs-intl/m-labs.hk.conf

@@ -0,0 +1,34 @@
+
+
+connections {
+  m_labs {
+    version = 2
+    encap = no
+    mobike = no
+    send_certreq = no
+    proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
+    local_addrs = 5.78.86.156
+    remote_addrs = 94.190.212.123
+    local {
+      auth = pubkey
+      id = fqdn:m-labs-intl.com
+      pubkeys = m-labs-intl.com
+    }
+    remote {
+      auth = pubkey
+      id = fqdn:m-labs.hk
+      pubkeys = m-labs.hk
+    }
+    children {
+      con1 {
+        mode = transport
+        ah_proposals = sha256-curve25519,sha256-ecp256
+        esp_proposals =
+        local_ts = 5.78.86.156[gre]
+        remote_ts = 94.190.212.123[gre]
+        start_action = start
+        close_action = none
+      }
+    }
+  } 
+}

m-labs-intl/nginx.conf

@@ -0,0 +1,65 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	# Rate limiting
+	limit_conn_zone $binary_remote_addr zone=addr:10m;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+

m-labs-intl/rfq.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=RFQ service
+After=network.target
+
+[Service]
+Type=simple
+User=rfqserver
+ExecStart=/home/rfqserver/runrfq.sh
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

m-labs-intl/runrfq.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+export FLASK_DEBUG=0
+export FLASK_MAIL_SERVER=mail.m-labs.hk
+export FLASK_MAIL_PORT=465
+export FLASK_MAIL_USE_SSL=True
+export FLASK_MAIL_USERNAME=sysop-intl@m-labs-intl.com
+export FLASK_MAIL_PASSWORD_FILE=/home/rfqserver/mail.secret
+export FLASK_MAIL_RECIPIENT=sales@m-labs.hk
+export FLASK_MAIL_SENDER=sysop-intl@m-labs-intl.com
+
+cd /home/rfqserver/web2019/server
+source venv/bin/activate
+python3 -m flask --app rfq run --port=5000

m-labs-intl/setup.md

@@ -0,0 +1,99 @@
+# Setup m-labs-intl.com server
+
+```shell
+# Install required packages
+apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
+  strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
+snap install --classic certbot
+ln -s /snap/bin/certbot /usr/bin/certbot
+
+# Set up networks (includes GRE)
+cp 60-tunnels.yaml /etc/netplan/
+netplan apply
+
+# set up IPsec-AH connection
+cp m-labs.hk.conf /etc/swanctl/conf.d/
+echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
+sysctl -p
+cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
+pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com
+pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
+cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
+systemctl enable strongswan --now
+systemctl restart strongswan
+
+# Set up website
+cp m-labs-intl.com /etc/nginx/sites-available/
+cp nginx.conf /etc/nginx/
+ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
+systemctl enable nginx --now
+service nginx restart
+
+# Issue SSL certificate - website only, the mail is on the HK side
+certbot --nginx
+service nginx restart
+
+# Create a user for automatic website deployment from nixbld
+useradd -m zolaupd
+mkdir -p /var/www/m-labs-intl.com/html
+chown -R zolaupd /var/www/m-labs-intl.com/
+sudo -u zolaupd sh -c '
+  cd /home/zolaupd;
+  mkdir /home/zolaupd/.ssh;
+  echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
+  chmod 700 .ssh/
+  chmod 600 .ssh/authorized_keys
+  '
+
+# Create a user for RFQ hooks service
+useradd -m rfqserver
+cp runrfq.sh /home/rfqserver/
+cp mail.secret /home/rfqserver/
+chown rfqserver /home/rfqserver/runrfq.sh
+chmod +x /home/rfqserver/runrfq.sh
+chown rfqserver /home/rfqserver/mail.secret
+
+sudo -u rfqserver sh -c '
+  cd /home/rfqserver;
+  git clone https://git.m-labs.hk/M-Labs/web2019.git;
+  cd web2019;
+  python3 -m venv ./venv;
+  source venv/bin/activate;
+  pip install -r requirements.txt;
+'
+cp rfq.service /etc/systemd/system/
+
+# Automate port forwarding rules creation
+cp gretun.sh /root/gretun.sh
+cp gretun_down.sh /root/gretun_down.sh
+chmod u+x /root/gretun.sh
+chmod u+x /root/gretun_down.sh
+cp gretun.service /etc/systemd/system/
+
+# Enable custom services
+systemctl daemon-reload
+systemctl enable rfq.service --now
+systemctl enable gretun.service --now
+
+# Setup basic firewall rules  
+ufw default deny
+ufw default allow outgoing
+
+ufw allow from 94.190.212.123
+ufw allow from 2001:470:f891:1::/64
+ufw allow from 202.77.7.238
+ufw allow from 2001:470:18:390::2
+ufw allow "Nginx HTTP"
+ufw allow "Nginx HTTPS"
+ufw limit OpenSSH
+ufw allow 25/tcp
+ufw allow 587/tcp
+ufw limit 500,4500/udp
+
+ufw route allow in on gre1 out on eth0
+ufw allow from 10.47.3.0/31
+
+ufw show added
+ufw enable
+```

nixbld-etc-nixos/afws-module.nix

@@ -10,16 +10,34 @@ in
       default = false;
       description = "Enable AFWS server";
     };
+    logFile = mkOption {
+      type = types.str;
+      default = "/var/lib/afws/logs/afws.log";
+      description = "Path to the log file";
+    };
+    logBackupCount = mkOption {
+      type = types.int;
+      default = 30;
+      description = "Number of daily log files to keep";
+    };
   };
 
   config = mkIf config.services.afws.enable {
     systemd.services.afws = {
       description = "AFWS server";
       wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        mkdir -p "$(dirname ${config.services.afws.logFile})"
+        chown afws:afws "$(dirname ${config.services.afws.logFile})"
+      '';
       serviceConfig = {
         User = "afws";
         Group = "afws";
-        ExecStart = "${afws}/bin/afws_server";
+        ExecStart = ''
+          ${afws}/bin/afws_server \
+            --log-file ${config.services.afws.logFile} \
+            --log-backup-count ${toString config.services.afws.logBackupCount}
+        '';
         ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
       };
       path = [ pkgs.nix pkgs.git ];

nixbld-etc-nixos/configuration.nix

@@ -192,6 +192,7 @@ in
         iptables -w -N pccw-sucks
         iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
         iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
+        iptables -A pccw-sucks -o ${netifUSA} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
         iptables -w -A FORWARD -j pccw-sucks
       '';
       extraStopCommands = ''
@@ -357,6 +358,14 @@ in
     };
   };
 
+  # Break cycle dependency making netdev service stop when network-setup is stopped
+  systemd.services."${netifAlt}-netdev" = {
+      partOf = pkgs.lib.mkOverride 1 [ ];
+  };
+  systemd.services."${netifUSA}-netdev" = {
+      partOf = pkgs.lib.mkOverride 1 [ ];
+  };
+
   # https://kb.isc.org/docs/dnssec-key-and-signing-policy
   # chown named.named /etc/nixos/named
   services.bind = {
@@ -754,7 +763,7 @@ in
       </runcommand>
       <runcommand>
         job = web:web:web-intl
-        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@5.78.86.156:/var/www/m-labs-intl.com/html/
+        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/
       </runcommand>
       <runcommand>
         job = web:web:nmigen-docs
@@ -981,7 +990,7 @@ in
             expires 60d;
           '';
         };
-        locations."/nuc-netboot/".alias = "${import ./defenestrate}/";
+        locations."/nuc-netboot/".alias = "${import ./defenestrate { prioNixbld = true; } }/";
 
         # legacy URLs, redirect to avoid breaking people's bookmarks
         locations."/gateware.html".extraConfig = ''
@@ -1248,7 +1257,18 @@ in
       Restart = "on-failure";
       User = "rt";
       Group = "rt";
-      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
+      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail.pid -f /etc/nixos/secret/rt_fetchmailrc'";
+    };
+  };
+  systemd.services.rt-fetchmail-intl = {
+    description = "Fetchmail for RT (intl)";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "dovecot2.service" ];
+    serviceConfig = {
+      Restart = "on-failure";
+      User = "rt";
+      Group = "rt";
+      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail-intl.pid -f /etc/nixos/secret/rt_fetchmailrc_intl'";
     };
   };
 

nixbld-etc-nixos/nix-networked-derivations.patch

@@ -1,8 +1,8 @@
 diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
-index 64b55ca6a..9b4e52b8e 100644
+index 763045a80..d7c5cc82e 100644
 --- a/src/libstore/build/local-derivation-goal.cc
 +++ b/src/libstore/build/local-derivation-goal.cc
-@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild()
+@@ -190,6 +190,8 @@ void LocalDerivationGoal::tryLocalBuild()
  
      assert(derivationType);
  
@@ -11,7 +11,7 @@ index 64b55ca6a..9b4e52b8e 100644
      /* Are we doing a chroot build? */
      {
          auto noChroot = parsedDrv->getBoolAttr("__noChroot");
-@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild()
+@@ -207,7 +209,7 @@ void LocalDerivationGoal::tryLocalBuild()
          else if (settings.sandboxMode == smDisabled)
              useChroot = false;
          else if (settings.sandboxMode == smRelaxed)
@@ -20,7 +20,7 @@ index 64b55ca6a..9b4e52b8e 100644
      }
  
      auto & localStore = getLocalStore();
-@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -717,7 +719,7 @@ void LocalDerivationGoal::startBuilder()
                  "nogroup:x:65534:\n", sandboxGid()));
  
          /* Create /etc/hosts with localhost entry. */
@@ -29,7 +29,7 @@ index 64b55ca6a..9b4e52b8e 100644
              writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
  
          /* Make the closure of the inputs available in the chroot,
-@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -921,7 +923,7 @@ void LocalDerivationGoal::startBuilder()
             us.
          */
  
@@ -38,7 +38,7 @@ index 64b55ca6a..9b4e52b8e 100644
              privateNetwork = true;
  
          userNamespaceSync.create();
-@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv()
+@@ -1160,7 +1162,7 @@ void LocalDerivationGoal::initEnv()
         to the builder is generally impure, but the output of
         fixed-output derivations is by definition pure (since we
         already know the cryptographic hash of the output). */
@@ -47,7 +47,7 @@ index 64b55ca6a..9b4e52b8e 100644
          for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
              env[i] = getEnv(i).value_or("");
      }
-@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild()
+@@ -1829,7 +1831,7 @@ void LocalDerivationGoal::runChild()
              /* Fixed-output derivations typically need to access the
                 network, so give them access to /etc/resolv.conf and so
                 on. */
@@ -56,21 +56,21 @@ index 64b55ca6a..9b4e52b8e 100644
                  // Only use nss functions to resolve hosts and
                  // services. Don’t use it for anything else that may
                  // be configured for this system. This limits the
-@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild()
-                     #include "sandbox-defaults.sb"
-                     ;
+@@ -2071,7 +2073,7 @@ void LocalDerivationGoal::runChild()
+                 #include "sandbox-defaults.sb"
+                 ;
  
--                if (!derivationType->isSandboxed())
-+                if (networked || !derivationType->isSandboxed())
-                     sandboxProfile +=
-                         #include "sandbox-network.sb"
-                         ;
+-            if (!derivationType->isSandboxed())
++            if (networked || !derivationType->isSandboxed())
+                 sandboxProfile +=
+                     #include "sandbox-network.sb"
+                     ;
 diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
-index 0a05081c7..4c251718c 100644
+index 86b86c01e..95b03aae8 100644
 --- a/src/libstore/build/local-derivation-goal.hh
 +++ b/src/libstore/build/local-derivation-goal.hh
-@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal
- 
+@@ -82,6 +82,8 @@ struct LocalDerivationGoal : public DerivationGoal
+      */
      Path chrootRootDir;
  
 +    bool networked;

nixbld-etc-nixos/rt.nix

@@ -30,7 +30,7 @@ let
       Set($OwnerEmail, '${cfg.ownerEmail}');
       Set($MaxAttachmentSize, 15360000);
       Set($CheckMoreMSMailHeaders, 1);
-      Set($RTAddressRegexp, '^(helpdesk|sales)\@(m-labs.hk)$');
+      Set($RTAddressRegexp, '^(helpdesk)\@(m-labs.hk|m-labs-intl.com)$');
       Set($LoopsToRTOwner, 0);
 
       # System (Outgoing mail)

nixops/common-users.nix

@@ -57,7 +57,7 @@
   };
   esavkin = {
     isNormalUser = true;
-    extraGroups = ["plugdev" "dialout" "libvirtd"];
+    extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
     ];

nixops/desktop.nix

@@ -64,8 +64,8 @@ in
     xournal
     xsane
     gtkwave unzip zip gnupg
-    gnome3.gnome-tweaks
-    gnome3.ghex
+    gnome-tweaks
+    ghex
     jq sublime3 rink qemu_kvm
     tmux screen gdb minicom picocom
     artiq.packages.x86_64-linux.openocd-bscanspi
@@ -129,17 +129,9 @@ in
     nssmdns4 = true;
   };
 
-  # Enable sound.
-  sound.enable = true;
-  hardware.pulseaudio = {
-    enable = true;
-    package = pkgs.pulseaudioFull;
-  };
+  hardware.graphics.enable32Bit = true;
 
-  hardware.opengl.driSupport32Bit = true;
-  hardware.pulseaudio.support32Bit = true;
-
-  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
+  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
 
   # Enable the X11 windowing system.
   services.xserver.enable = true;