flarum: add email-filter extension

This patch adds explicit requirements for network addresses services to run after and only when udevd service is running. Also depend on virt netdev creation service instead of device

Signed-off-by: Egor Savkin <es@m-labs.hk>

m-labs-intl/60-tunnels.yaml

@@ -0,0 +1,18 @@
+network:
+   version: 2
+   renderer: networkd
+   ethernets:
+     eth0:
+       addresses:
+       - 5.78.86.156/32
+       - 2a01:4ff:1f0:83de::2/64
+       - 2a01:4ff:1f0:83de::3/64
+       - 2a01:4ff:1f0:83de::4/64
+   tunnels:
+     gre1:
+       mode: gre
+       local: 5.78.86.156
+       remote: 94.190.212.123
+       addresses:
+        - 10.47.3.0/31
+

m-labs-intl/gretun.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=GRE tunnel to the main host
+After=network.target
+
+[Service]
+Type=simple
+User=root
+ExecStart=/root/gretun.sh
+ExecStop=/root/gretun_down.sh
+Restart=on-failure
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

m-labs-intl/gretun.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
+/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
+
+/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
+/usr/sbin/iptables -A FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
+
+/usr/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

m-labs-intl/gretun_down.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.47.3.1:25
+/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 25 -j ACCEPT
+
+/usr/sbin/iptables -t nat -D PREROUTING -p tcp -i eth0 --dport 587 -j DNAT --to-destination 10.47.3.1:587
+/usr/sbin/iptables -D FORWARD -p tcp -d 10.47.3.1/31 --dport 587 -j ACCEPT
+
+/usr/sbin/iptables -D FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+/usr/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

m-labs-intl/m-labs-intl.com

@@ -0,0 +1,81 @@
+upstream rfq_server {
+    server 127.0.0.1:5000;
+}
+
+server {
+    limit_conn addr 5;
+
+    root /var/www/m-labs-intl.com/html;
+    index index.html index.htm index.nginx-debian.html;
+
+    server_name m-labs-intl.com;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    listen [::]:443 ssl ipv6only=on; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+    server_name www.m-labs-intl.com;
+    return 301 https://m-labs-intl.com$request_uri;
+
+    listen [::]:443 ssl; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+    server_name hooks.m-labs-intl.com;
+    limit_conn addr 5;
+
+    location /rfq {
+        proxy_pass http://rfq_server/rfq;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 30;
+        proxy_connect_timeout 30;
+        proxy_send_timeout 30;
+    }
+
+    location / {
+        return 418;
+    }
+
+    listen [::]:443 ssl; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/m-labs-intl.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/m-labs-intl.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+    limit_conn addr 5;
+    if ($host = m-labs-intl.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    if ($host = www.m-labs-intl.com) {
+        return 301 https://m-labs-intl.com$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    listen [::]:80;
+
+    server_name m-labs-intl.com www.m-labs-intl.com hooks.m-labs-intl.com;
+    return 301 https://$host$request_uri;
+}

m-labs-intl/m-labs.hk.conf

@@ -0,0 +1,34 @@
+
+
+connections {
+  m_labs {
+    version = 2
+    encap = no
+    mobike = no
+    send_certreq = no
+    proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
+    local_addrs = 5.78.86.156
+    remote_addrs = 94.190.212.123
+    local {
+      auth = pubkey
+      id = fqdn:m-labs-intl.com
+      pubkeys = m-labs-intl.com
+    }
+    remote {
+      auth = pubkey
+      id = fqdn:m-labs.hk
+      pubkeys = m-labs.hk
+    }
+    children {
+      con1 {
+        mode = transport
+        ah_proposals = sha256-curve25519,sha256-ecp256
+        esp_proposals =
+        local_ts = 5.78.86.156[gre]
+        remote_ts = 94.190.212.123[gre]
+        start_action = start
+        close_action = none
+      }
+    }
+  } 
+}

m-labs-intl/nginx.conf

@@ -0,0 +1,65 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	# Rate limiting
+	limit_conn_zone $binary_remote_addr zone=addr:10m;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+

m-labs-intl/rfq.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=RFQ service
+After=network.target
+
+[Service]
+Type=simple
+User=rfqserver
+ExecStart=/home/rfqserver/runrfq.sh
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

m-labs-intl/runrfq.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+export FLASK_DEBUG=0
+export FLASK_MAIL_SERVER=mail.m-labs.hk
+export FLASK_MAIL_PORT=465
+export FLASK_MAIL_USE_SSL=True
+export FLASK_MAIL_USERNAME=sysop-intl@m-labs-intl.com
+export FLASK_MAIL_PASSWORD_FILE=/home/rfqserver/mail.secret
+export FLASK_MAIL_RECIPIENT=sales@m-labs.hk
+export FLASK_MAIL_SENDER=sysop-intl@m-labs-intl.com
+
+cd /home/rfqserver/web2019/server
+source venv/bin/activate
+python3 -m flask --app rfq run --port=5000

m-labs-intl/setup.md

@@ -0,0 +1,99 @@
+# Setup m-labs-intl.com server
+
+```shell
+# Install required packages
+apt install git nginx-full python3 python3.12-venv python3-pip iptables ufw \
+  strongswan strongswan-swanctl strongswan-pki strongswan-libcharon
+snap install --classic certbot
+ln -s /snap/bin/certbot /usr/bin/certbot
+
+# Set up networks (includes GRE)
+cp 60-tunnels.yaml /etc/netplan/
+netplan apply
+
+# set up IPsec-AH connection
+cp m-labs.hk.conf /etc/swanctl/conf.d/
+echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
+sysctl -p
+cp m-labs.hk /etc/swanctl/pubkey/m-labs.hk # get pubkey from nixbld
+pki --gen --type rsa --size 4096 --outform pem > /etc/swanctl/private/m-labs-intl.com
+pki --pub --in /etc/swanctl/private/m-labs-intl.com --outform pem > /etc/swanctl/pubkey/m-labs-intl.com
+cp /etc/swanctl/pubkey/m-labs-intl.com m-labs-intl.com # add it to the nixbld
+systemctl enable strongswan --now
+systemctl restart strongswan
+
+# Set up website
+cp m-labs-intl.com /etc/nginx/sites-available/
+cp nginx.conf /etc/nginx/
+ln -s /etc/nginx/sites-available/m-labs-intl.com /etc/nginx/sites-enabled/
+systemctl enable nginx --now
+service nginx restart
+
+# Issue SSL certificate - website only, the mail is on the HK side
+certbot --nginx
+service nginx restart
+
+# Create a user for automatic website deployment from nixbld
+useradd -m zolaupd
+mkdir -p /var/www/m-labs-intl.com/html
+chown -R zolaupd /var/www/m-labs-intl.com/
+sudo -u zolaupd sh -c '
+  cd /home/zolaupd;
+  mkdir /home/zolaupd/.ssh;
+  echo -n "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP1OJJM8g/1ffxDjN31XKEfGmrYaW03lwpyTa1UGWqVx
+  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6R6XK0IiuAKxVKvSABm4m9bfOlvfJcMvTpjenuXUPv" > /home/zolaupd/.ssh/authorized_keys
+  chmod 700 .ssh/
+  chmod 600 .ssh/authorized_keys
+  '
+
+# Create a user for RFQ hooks service
+useradd -m rfqserver
+cp runrfq.sh /home/rfqserver/
+cp mail.secret /home/rfqserver/
+chown rfqserver /home/rfqserver/runrfq.sh
+chmod +x /home/rfqserver/runrfq.sh
+chown rfqserver /home/rfqserver/mail.secret
+
+sudo -u rfqserver sh -c '
+  cd /home/rfqserver;
+  git clone https://git.m-labs.hk/M-Labs/web2019.git;
+  cd web2019;
+  python3 -m venv ./venv;
+  source venv/bin/activate;
+  pip install -r requirements.txt;
+'
+cp rfq.service /etc/systemd/system/
+
+# Automate port forwarding rules creation
+cp gretun.sh /root/gretun.sh
+cp gretun_down.sh /root/gretun_down.sh
+chmod u+x /root/gretun.sh
+chmod u+x /root/gretun_down.sh
+cp gretun.service /etc/systemd/system/
+
+# Enable custom services
+systemctl daemon-reload
+systemctl enable rfq.service --now
+systemctl enable gretun.service --now
+
+# Setup basic firewall rules  
+ufw default deny
+ufw default allow outgoing
+
+ufw allow from 94.190.212.123
+ufw allow from 2001:470:f891:1::/64
+ufw allow from 202.77.7.238
+ufw allow from 2001:470:18:390::2
+ufw allow "Nginx HTTP"
+ufw allow "Nginx HTTPS"
+ufw limit OpenSSH
+ufw allow 25/tcp
+ufw allow 587/tcp
+ufw limit 500,4500/udp
+
+ufw route allow in on gre1 out on eth0
+ufw allow from 10.47.3.0/31
+
+ufw show added
+ufw enable
+```

nixbld-etc-nixos/afws-module.nix

@@ -10,16 +10,34 @@ in
       default = false;
       description = "Enable AFWS server";
     };
+    logFile = mkOption {
+      type = types.str;
+      default = "/var/lib/afws/logs/afws.log";
+      description = "Path to the log file";
+    };
+    logBackupCount = mkOption {
+      type = types.int;
+      default = 30;
+      description = "Number of daily log files to keep";
+    };
   };
 
   config = mkIf config.services.afws.enable {
     systemd.services.afws = {
       description = "AFWS server";
       wantedBy = [ "multi-user.target" ];
+      preStart = ''
+        mkdir -p "$(dirname ${config.services.afws.logFile})"
+        chown afws:afws "$(dirname ${config.services.afws.logFile})"
+      '';
       serviceConfig = {
         User = "afws";
         Group = "afws";
-        ExecStart = "${afws}/bin/afws_server";
+        ExecStart = ''
+          ${afws}/bin/afws_server \
+            --log-file ${config.services.afws.logFile} \
+            --log-backup-count ${toString config.services.afws.logBackupCount}
+        '';
         ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
       };
       path = [ pkgs.nix pkgs.git ];

nixbld-etc-nixos/backup-module.nix

@@ -26,9 +26,10 @@ let
     ${config.services.mysql.package}/bin/mysqldump --user=root --single-transaction flarum > flarum.sql
     ${config.services.postgresql.package}/bin/pg_dump mattermost > mattermost.sql
     ${config.services.postgresql.package}/bin/pg_dump rt5 > rt.sql
+    ${config.services.postgresql.package}/bin/pg_dump gitea > gitea.sql
 
     exec 6< /etc/nixos/secret/backup-passphrase
-    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql | \
+    ${pkgs.gnutar}/bin/tar cf - ${lib.concatMapStringsSep " " (p: "--exclude \"${p}\"") excludePaths} /etc/nixos /var/vmail /var/lib/hedgedoc /var/lib/gitea /var/lib/afws /var/lib/mattermost/data /var/www/193thz flarum.sql mattermost.sql rt.sql gitea.sql | \
         ${pkgs.bzip2}/bin/bzip2 | \
         ${pkgs.gnupg}/bin/gpg --symmetric --batch --passphrase-fd 6
   '';

nixbld-etc-nixos/configuration.nix

@@ -1,14 +1,14 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, pkgs, ... }:
 
 let
   netifWan = "enp4s0";
+  netifWanBackup = "enp11s0";
   netifLan = "enp5s0f1";
   netifWifi = "wlp6s0";
   netifSit = "henet0";
+  netifUSA = "trump0";
+  netifAlt = "alt0";
+  netifAltVlan = "vlan0";
   hydraWwwOutputs = "/var/www/hydra-outputs";
 in
 {
@@ -20,8 +20,8 @@ in
       ./afws-module.nix
       ./rt.nix
       (builtins.fetchTarball {
-        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/008d78cc21959e33d0d31f375b88353a7d7121ae/nixos-mailserver-nixos.tar.gz";
-        sha256 = "sha256:0pnfyg4icsvrw390a227m8b1j5w8awicx5aza3d0fiyyzpnrpn5a";
+        url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/af7d3bf5daeba3fc28089b015c0dd43f06b176f2/nixos-mailserver-nixos.tar.gz";
+        sha256 = "sha256:1j0r52ij5pw8b8wc5xz1bmm5idwkmsnwpla6smz8gypcjls860ma";
       })
     ];
 
@@ -31,7 +31,7 @@ in
   boot.loader.grub.efiSupport = true;
   boot.loader.efi.canTouchEfiVariables = true;
   hardware.cpu.amd.updateMicrocode = true;
-  boot.supportedFilesystems = ["zfs"];
+  boot.supportedFilesystems.zfs = true;
   boot.kernelParams = ["zfs.l2arc_write_max=536870912"];
   boot.binfmt.emulatedSystems = [ "armv7l-linux" "aarch64-linux" ];
 
@@ -90,11 +90,35 @@ in
     hostName = "nixbld";
     hostId = "e423f012";
     firewall = {
-      allowedTCPPorts = [ 53 80 443 7402 ];
+      allowedTCPPorts = [ 53 80 443 2222 7402 ];
       allowedUDPPorts = [ 53 67 500 4500 ];
       trustedInterfaces = [ netifLan ];
+      logRefusedConnections = false;
+      extraCommands = ''
+        iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
+        iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
+      '';
+      extraStopCommands = ''
+        iptables -D INPUT -s 5.78.86.156 -p gre -j ACCEPT
+        iptables -D INPUT -s 5.78.86.156 -p ah -j ACCEPT
+      '';
+    };
+    useDHCP = false;
+    interfaces."${netifWan}".useDHCP = true;  # PCCW - always wants active DHCP lease or cuts you off
+    interfaces."${netifWanBackup}" = {        # HKBN - no DHCP with static IP service
+      ipv4.addresses = [{
+        address = "202.77.7.238";
+        prefixLength = 30;
+      }];
+      ipv4.routes = [
+        {
+          address = "0.0.0.0";
+          prefixLength = 0;
+          via = "202.77.7.237";
+          options.table = "2";
+        }
+      ];
     };
-    interfaces."${netifWan}".useDHCP = true;
     interfaces."${netifLan}" = {
       ipv4.addresses = [{
         address = "192.168.1.1";
@@ -112,6 +136,11 @@ in
           prefixLength = 24;
           options.table = "1";
         }
+        {
+          address = "192.168.1.0";
+          prefixLength = 24;
+          options.table = "2";
+        }
       ];
     };
     interfaces."${netifWifi}" = {
@@ -123,6 +152,19 @@ in
         address = "2001:470:f891:2::";
         prefixLength = 64;
       }];
+      # same hack as above
+      ipv4.routes = [
+        {
+          address = "192.168.12.0";
+          prefixLength = 24;
+          options.table = "1";
+        }
+        {
+          address = "192.168.12.0";
+          prefixLength = 24;
+          options.table = "2";
+        }
+      ];
     };
     nat = {
       enable = true;
@@ -135,11 +177,6 @@ in
         { sourcePort = 2204; destination = "192.168.1.204:22"; proto = "tcp"; }
       ];
       extraCommands = ''
-        iptables -w -N block-lan-from-wifi
-        iptables -w -A block-lan-from-wifi -i ${netifLan} -o ${netifWifi} -j DROP
-        iptables -w -A block-lan-from-wifi -i ${netifWifi} -o ${netifLan} -j DROP
-        iptables -w -A FORWARD -j block-lan-from-wifi
-
         iptables -w -N block-insecure-devices
         iptables -w -A block-insecure-devices -m mac --mac-source 00:20:0c:6c:ee:ba -j DROP  # keysight SA
         iptables -w -A block-insecure-devices -m mac --mac-source 74:5b:c5:20:c1:5f -j DROP  # siglent scope
@@ -151,15 +188,21 @@ in
         iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP  # HP printer, wifi
         iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP  # HP printer, ethernet
         iptables -w -A FORWARD -j block-insecure-devices
+
+        iptables -w -N pccw-sucks
+        iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
+        iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
+        iptables -A pccw-sucks -o ${netifUSA} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
+        iptables -w -A FORWARD -j pccw-sucks
       '';
       extraStopCommands = ''
-        iptables -w -D FORWARD -j block-lan-from-wifi 2>/dev/null|| true
-        iptables -w -F block-lan-from-wifi 2>/dev/null|| true
-        iptables -w -X block-lan-from-wifi 2>/dev/null|| true
-
         iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
         iptables -w -F block-insecure-devices 2>/dev/null|| true
         iptables -w -X block-insecure-devices 2>/dev/null|| true
+
+        iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
+        iptables -w -F pccw-sucks 2>/dev/null|| true
+        iptables -w -X pccw-sucks 2>/dev/null|| true
       '';
     };
     sits."${netifSit}" = {
@@ -172,14 +215,37 @@ in
       addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
       routes = [{ address = "::"; prefixLength = 0; }];
     };
-    greTunnels.alt0 = {
+    greTunnels."${netifUSA}" = {
+      dev = netifWan;
+      remote = "5.78.86.156";
+      local = "94.190.212.123";
+      ttl = 255;
+      type = "tun";
+    };
+    greTunnels."${netifAlt}" = {
       dev = netifWan;
       remote = "103.206.98.1";
       local = "94.190.212.123";
       ttl = 255;
       type = "tun";
     };
-    interfaces.alt0 = {
+    interfaces."${netifUSA}" = {
+      ipv4.addresses = [
+        {
+          address = "10.47.3.1";
+          prefixLength = 31;
+        }
+      ];
+      ipv4.routes = [
+        {
+          address = "0.0.0.0";
+          prefixLength = 0;
+          via = "10.47.3.0";
+          options.table = "3";
+        }
+      ];
+    };
+    interfaces."${netifAlt}" = {
       ipv4.addresses = [
         {
           address = "103.206.98.227";
@@ -196,12 +262,12 @@ in
       ];
     };
     vlans = {
-      vlan0 = {
+      "${netifAltVlan}" = {
         id = 2;
         interface = netifLan;
       };
     };
-    interfaces.vlan0 = {
+    interfaces."${netifAltVlan}" = {
       ipv4.addresses = [{
         address = "103.206.98.200";
         prefixLength = 29;
@@ -234,7 +300,7 @@ in
       id = "fqdn:igw0.hkg.as150788.net";
       pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
     };
-    children.alt0 = {
+    children."${netifAlt}" = {
       mode = "transport";
       ah_proposals = [ "sha256-curve25519" ];
       remote_ts = [ "103.206.98.1[gre]" ];
@@ -242,17 +308,65 @@ in
       start_action = "start";
     };
   };
+  services.strongswan-swanctl.swanctl.connections.usa = {
+    local_addrs = [ "94.190.212.123" ];
+    remote_addrs = [ "5.78.86.156" ];
+    local.main = {
+      auth = "pubkey";
+      id = "fqdn:m-labs.hk";
+      pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
+    };
+    remote.main = {
+      auth = "pubkey";
+      id = "fqdn:m-labs-intl.com";
+      pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
+    };
+    children."${netifUSA}" = {
+      mode = "transport";
+      ah_proposals = [ "sha256-curve25519" ];
+      remote_ts = [ "5.78.86.156[gre]" ];
+      local_ts = [ "94.190.212.123[gre]" ];
+      start_action = "start";
+    };
+  };
 
-  systemd.services.custom-network-setup = {
+  systemd.services.network-custom-route-backup = {
     wantedBy = [ "network.target" ];
     serviceConfig = {
       Type = "oneshot";
       RemainAfterExit = true;
-      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.0/24 table 1";
+      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 202.77.7.238/30 table 2";
+      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
+    };
+  };
+  systemd.services.network-custom-route-usa = {
+    wantedBy = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
+      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
+    };
+  };
+  systemd.services.network-custom-route-alt = {
+    wantedBy = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 103.206.98.200/29 table 1";
       ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
     };
   };
 
+  systemd.services."network-addresses-${netifUSA}" = {
+    after = pkgs.lib.mkOverride 1 [ "network-pre.target" "${netifUSA}-netdev.service" "systemd-udevd.service" ];
+    requires = [ "systemd-udevd.service" ];
+  };
+  systemd.services."network-addresses-${netifAlt}" = {
+    after = pkgs.lib.mkOverride 1 [ "network-pre.target" "${netifAlt}-netdev.service" "systemd-udevd.service" ];
+    requires = [ "systemd-udevd.service" ];
+  };
+
   # https://kb.isc.org/docs/dnssec-key-and-signing-policy
   # chown named.named /etc/nixos/named
   services.bind = {
@@ -276,11 +390,13 @@ in
            also-notify {
              213.239.220.50;  # ns1.qnetp.net
              216.218.130.2;   # ns1.he.net
+             88.198.32.245;   # new qnetp
            };
            '';
         slaves = [
           "213.239.220.50" "2a01:4f8:a0:7041::1"  # ns1.qnetp.net
           "216.218.133.2" "2001:470:600::2"       # slave.dns.he.net
+          "88.198.32.245"                         # new qnetp
         ];
       };
       "m-labs.ph" = {
@@ -332,6 +448,27 @@ in
           "216.218.133.2" "2001:470:600::2"       # slave.dns.he.net
         ];
       };
+      "m-labs-intl.com" = {
+        name = "m-labs-intl.com";
+        master = true;
+        file = "/etc/nixos/named/m-labs-intl.com";
+        extraConfig =
+           ''
+           dnssec-policy "default";
+           inline-signing yes;
+           notify explicit;
+           also-notify {
+             216.218.130.2;   # ns1.he.net
+             213.239.220.50;  # ns1.qnetp.net
+             88.198.32.245;   # new qnetp
+           };
+           '';
+        slaves = [
+          "216.218.133.2" "2001:470:600::2"       # slave.dns.he.net
+          "213.239.220.50" "2a01:4f8:a0:7041::1"  # ns1.qnetp.net
+          "88.198.32.245"                         # new qnetp
+        ];
+      };
       "200-29.98.206.103.in-addr.arpa" = {
         name = "200-29.98.206.103.in-addr.arpa";
         master = true;
@@ -363,6 +500,7 @@ in
     enable = true;
     radios.${netifWifi} = {
       band = "2g";
+      channel = 7;
       countryCode = "HK";
       networks.${netifWifi} = {
         ssid = "M-Labs";
@@ -412,11 +550,6 @@ in
         "/kasli/192.168.1.70"
         "/kasli-customer/192.168.1.75"
         "/stabilizer-customer/192.168.1.76"
-
-        # Google can't do DNS geolocation correctly and slows down websites of everyone using
-        # their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
-        # cannot reach.
-        "/fonts.googleapis.com/142.250.207.74"
       ];
 
       dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
@@ -442,10 +575,23 @@ in
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
-    wget vim git file lm_sensors acpi pciutils psmisc nixopsUnstable
-    irssi tmux usbutils imagemagick jq zip unzip
+    lm_sensors
+    acpi
+    usbutils
+    pciutils
     iw
     nvme-cli
+    smartmontools
+    psmisc
+
+    wget
+    vim
+    git
+    file
+    imagemagick
+    jq
+
+    nixops_unstable_minimal
     borgbackup
     bind
     waypipe
@@ -472,7 +618,10 @@ in
   services.openssh.enable = true;
   services.openssh.settings.PasswordAuthentication = false;
   services.openssh.settings.GatewayPorts = "clientspecified";
+  services.openssh.settings.X11Forwarding = true;
+  services.openssh.authorizedKeysInHomedir = false;
   programs.mosh.enable = true;
+  programs.tmux.enable = true;
 
   programs.fish.enable = true;
   programs.zsh.enable = true;
@@ -499,85 +648,103 @@ in
     SUBSYSTEM=="usb", ATTRS{idVendor}=="07cf", ATTRS{idProduct}=="4204", MODE="0660", GROUP="lp"
     '';
 
+  services.mpd.enable = true;
+  services.mpd.musicDirectory = "/tank/sb-public/FLAC";
+  services.mpd.network.listenAddress = "192.168.1.1";
+  services.mpd.extraConfig =
+    ''
+    audio_output_format "192000:24:2"
+    audio_output {
+      type "alsa"
+      name "alsa"
+      device "hw:1,1"
+    }
+    '';
+
   users.extraUsers.root = {
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNdIiLvP2hmDUFyyE0oLOIXrjrMdWWpBV9/gPR5m4AiARx4JkufIDZzmptdYQ5FhJORJ4lluPqp7dAmahoSwg4lv9Di0iNQpHMJvNGZLHYKM1H1FWCCFIEDJ8bD4SVfrDg=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
     ];
     shell = pkgs.fish;
   };
   # https://github.com/NixOS/nixpkgs/issues/155357
   security.sudo.enable = true;
 
+  # M-Labs HK
   users.extraUsers.sb = {
     isNormalUser = true;
-    extraGroups = ["lp" "scanner" "afws"];
+    extraGroups = ["lp" "scanner" "afws" "audio"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
     ];
     shell = pkgs.fish;
   };
-  users.extraUsers.rj = {
-    isNormalUser = true;
-    extraGroups = ["afws"];
-  };
-  users.extraUsers.nkrackow = {
-    isNormalUser = true;
-    extraGroups = ["afws"];
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
-    ];
-  };
-  users.extraUsers.occheung = {
-    isNormalUser = true;
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPEvmWmxpFpMgp5fpjKud8ev0cyf/+X5fEpQt/YD/+u4mbvZYPE300DLqQ0h/qjgvaGMz1ndf4idYnRdy+plJEC/+hmlRW5NlcpAr3S/LYAisacgKToFVl+MlBo+emS9Ig=="
-    ];
-  };
   users.extraUsers.spaqin = {
     isNormalUser = true;
-    extraGroups = ["lp" "scanner" "afws"];
+    extraGroups = ["lp" "afws"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOtmlQmIK/cEUkcwA/y9jC4AohjoEmikerpxzPhZZtOcENidN/vFum58jIcSxBvjHnILOzhfCTeLvbvGbQOFE53a7FOyEHmIzXRKS86Mg5bPHUBJxRSq9MjulGZXES3HOQ=="
     ];
     shell = pkgs.zsh;
   };
-  users.extraUsers.esavkin = {
+  users.extraUsers.therobs12 = {
     isNormalUser = true;
     extraGroups = ["lp" "afws"];
     openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
     ];
   };
   users.extraUsers.morgan = {
     isNormalUser = true;
-    extraGroups = ["lp"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
     ];
   };
+
+  # M-Labs PH
+  users.extraUsers.flo = {
+    isNormalUser = true;
+    extraGroups = ["afws"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
+    ];
+  };
+
+  # QUARTIQ
+  users.extraUsers.rj = {
+    isNormalUser = true;
+    extraGroups = ["afws"];
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
+     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
+     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
+    ];
+  };
+  users.extraUsers.eduardotenholder = {
+    isNormalUser = true;
+    extraGroups = ["afws"];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu6yhjCoZ62eamYrAXtFefDhplTRUIdD4tncwlkyAEH"
+    ];
+  };
+
+  # HKUST
   users.extraUsers.derppening = {
     isNormalUser = true;
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
     ];
   };
-  users.extraUsers.dpn = {
-    isNormalUser = true;
-    openssh.authorizedKeys.keys = [
-      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGChLocYJi8XcSJkIjT2Olm3jPGjtRq5aORa5G9F3OqmjCfvav9Q5+2Mc64XqHtNTffnJuDe4gv+lVJatC0URvPs2HyxXmxRK0jgkkLSUsV2SYLlgMqHW3jsrdh6wKBmkg=="
-    ];
-  };
+
   users.extraUsers.nix = {
     isNormalUser = true;
   };
-  boot.kernel.sysctl."kernel.dmesg_restrict" = true;
   services.udev.packages = [ pkgs.sane-backends ];
 
   nix.settings.max-jobs = 10;
   nix.nrBuildUsers = 64;
-  nix.settings.trusted-users = ["sb"];
   services.hydra = {
     enable = true;
     useSubstitutes = true;
@@ -594,6 +761,14 @@ in
         job = web:web:web
         command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web
       </runcommand>
+      <runcommand>
+        job = web:web:web-ph
+        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/web-ph
+      </runcommand>
+      <runcommand>
+        job = web:web:web-intl
+        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ${pkgs.rsync}/bin/rsync -r -c $(jq -r '.outputs[0].path' < $HYDRA_JSON)/ zolaupd@10.47.3.0:/var/www/m-labs-intl.com/html/
+      </runcommand>
       <runcommand>
         job = web:web:nmigen-docs
         command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/nmigen-docs
@@ -620,6 +795,10 @@ in
         job = artiq:extra-beta:conda-channel
         command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-beta
       </runcommand>
+      <runcommand>
+        job = artiq:extra-beta:msys2-repos
+        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-beta
+      </runcommand>
 
       <runcommand>
         job = artiq:main:artiq-manual-html
@@ -633,17 +812,21 @@ in
         job = artiq:extra:conda-channel
         command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel
       </runcommand>
+      <runcommand>
+        job = artiq:extra:msys2-repos
+        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos
+      </runcommand>
 
       <runcommand>
-        job = artiq:full-legacy:artiq-manual-html
+        job = artiq:main-legacy:artiq-manual-html
         command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-html-legacy
       </runcommand>
       <runcommand>
-        job = artiq:full-legacy:artiq-manual-latexpdf
-        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-latexpdf-legacy
+        job = artiq:main-legacy:artiq-manual-pdf
+        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-manual-pdf-legacy
       </runcommand>
       <runcommand>
-        job = artiq:full-legacy:conda-channel
+        job = artiq:extra-legacy:conda-channel
         command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-legacy
       </runcommand>
 
@@ -652,11 +835,6 @@ in
         command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-conda-channel-archives/$(jq -r '.build' < $HYDRA_JSON)
       </runcommand>
 
-      <runcommand>
-        job = artiq:extra-beta:msys2-repos
-        command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-beta
-      </runcommand>
-
       <runcommand>
         job = artiq:main-nac3:msys2-repos
         command = [ $(jq '.buildStatus' < $HYDRA_JSON) = 0 ] && ln -sfn $(jq -r '.outputs[0].path' < $HYDRA_JSON) ${hydraWwwOutputs}/artiq-msys2-repos-nac3
@@ -693,6 +871,7 @@ in
     secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
     experimental-features = nix-command flakes
   '';
+  nix.settings.allowed-uris = "github: gitlab: git+https://";  # https://github.com/NixOS/nix/issues/5039
   nix.settings.extra-sandbox-paths = ["/opt"];
 
   services.mlabs-backup.enable = true;
@@ -701,11 +880,19 @@ in
   services.gitea = {
     enable = true;
     appName = "M-Labs Git";
+    database = {
+      type = "postgres";
+      socket = "/run/postgresql";
+    };
     mailerPasswordFile = "/etc/nixos/secret/mailerpassword";
     settings = {
       server = {
         ROOT_URL = "https://git.m-labs.hk/";
         HTTP_PORT = 3001;
+        DISABLE_SSH = false;
+        SSH_CREATE_AUTHORIZED_KEYS_FILE = false;
+        START_SSH_SERVER = true;
+        SSH_PORT = 2222;
       };
 
       indexer = {
@@ -714,7 +901,8 @@ in
 
       mailer = {
         ENABLED = true;
-        HOST = "mail.m-labs.hk:587";
+        SMTP_ADDR = "mail.m-labs.hk";
+        SMTP_PORT = "587";
         FROM = "sysop@m-labs.hk";
         USER = "sysop@m-labs.hk";
       };
@@ -743,33 +931,44 @@ in
     siteUrl = "https://chat.m-labs.hk/";
     mutableConfig = true;
   };
-  services.postgresql.package = pkgs.postgresql_12;
   services.matterbridge = {
     enable = true;
     configPath = "/etc/nixos/secret/matterbridge.toml";
   };
- 
+
+  services.postgresql = {
+    package = pkgs.postgresql_15;
+    settings.listen_addresses = pkgs.lib.mkForce "";
+    identMap =
+      ''
+      rt rt rt_user
+      '';
+  };
+
   nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
     nix = super.nix.overrideAttrs(oa: {
       patches = oa.patches or [] ++ [ ./nix-networked-derivations.patch ];
     });
-    hydra_unstable = super.hydra_unstable.overrideAttrs(oa: {
+    hydra = super.hydra.overrideAttrs(oa: {
       patches = oa.patches or [] ++ [
         ./hydra-conda.patch
         ./hydra-msys2.patch
-        ./hydra-restrictdist.patch
-        ./hydra-hack-allowed-uris.patch  # work around https://github.com/NixOS/nix/issues/5039
       ];
       hydraPath = oa.hydraPath + ":" + super.lib.makeBinPath [ super.jq ];
       doCheck = false;  # FIXME: ldap tests fail on hydra rebuild, seems unrelated to patches above.
     });
+    mattermost = super.mattermost.overrideAttrs(oldAttrs: {
+      webapp = oldAttrs.webapp.overrideAttrs (webappAttrs: {
+        patches = webappAttrs.patches or [ ] ++ [ ./mattermost-remove-free-banner.patch ];
+      });
+    });
     matterbridge = super.matterbridge.overrideAttrs(oa: {
       patches = oa.patches or [] ++ [ ./matterbridge-disable-github.patch ];
     });
   };
 
   security.acme.acceptTerms = true;
-  security.acme.defaults.email = "sb" + "@m-labs.hk";
+  security.acme.defaults.email = "sb@m-labs.hk";
 
   # https://github.com/NixOS/nixpkgs/issues/106862
   systemd.services."acme-fixperms".wants = [ "bind.service" "dnsmasq.service" ];
@@ -799,7 +998,7 @@ in
             expires 60d;
           '';
         };
-        locations."/nuc-netboot/".alias = "${import ./defenestrate}/";
+        locations."/nuc-netboot/".alias = "${import ./defenestrate { prioNixbld = true; } }/";
 
         # legacy URLs, redirect to avoid breaking people's bookmarks
         locations."/gateware.html".extraConfig = ''
@@ -835,10 +1034,10 @@ in
           alias = "${hydraWwwOutputs}/artiq-manual-pdf/ARTIQ.pdf";
         };
         locations."/artiq/manual-legacy/" = {
-          alias = "${hydraWwwOutputs}/artiq-manual-html-legacy/share/doc/artiq-manual/html/";
+          alias = "${hydraWwwOutputs}/artiq-manual-html-legacy/";
         };
         locations."=/artiq/manual-legacy.pdf" = {
-          alias = "${hydraWwwOutputs}/artiq-manual-latexpdf-legacy/share/doc/artiq-manual/ARTIQ.pdf";
+          alias = "${hydraWwwOutputs}/artiq-manual-pdf-legacy/ARTIQ.pdf";
         };
 
         # legacy content
@@ -857,9 +1056,24 @@ in
       };
     in {
       "m-labs.hk" = mainWebsite;
-      "www.m-labs.hk" = mainWebsite;
-      "m-labs.ph" = mainWebsite;
-      "www.m-labs.ph" = mainWebsite;
+      "www.m-labs.hk" = {
+        addSSL = true;
+        enableACME = true;
+        globalRedirect = "m-labs.hk";
+      };
+      "m-labs.ph" = {
+        root = "${hydraWwwOutputs}/web-ph";
+        forceSSL = true;
+        enableACME = true;
+        extraConfig = ''
+          error_page 404 /404.html;
+        '';
+      };
+      "www.m-labs.ph" = {
+        addSSL = true;
+        enableACME = true;
+        globalRedirect = "m-labs.ph";
+      };
       "nixbld.m-labs.hk" = {
         forceSSL = true;
         enableACME = true;
@@ -874,6 +1088,12 @@ in
             autoindex on;
           '';
         };
+        locations."/artiq/" = {
+          alias = "${hydraWwwOutputs}/artiq-msys2-repos/";
+          extraConfig = ''
+            autoindex on;
+          '';
+        };
         locations."/artiq-nac3/" = {
           alias = "${hydraWwwOutputs}/artiq-msys2-repos-nac3/";
           extraConfig = ''
@@ -954,20 +1174,14 @@ in
       "forum.m-labs.hk" = {
         forceSSL = true;
         enableACME = true;
-        root = "/var/www/flarum/public";
-        locations."~ \.php$".extraConfig = ''
-          fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
-          fastcgi_index index.php;
-        '';
-        extraConfig = ''
-          index index.php;
-          include /var/www/flarum/.nginx.conf;
-        '';
       };
       "perso.m-labs.hk" = {
         addSSL = true;
         enableACME = true;
         root = "/var/www/perso";
+        extraConfig = ''
+          autoindex on;
+        '';
       };
       "rt.m-labs.hk" = {
         forceSSL = true;
@@ -1006,7 +1220,7 @@ in
       "www.193thz.com" = {
         addSSL = true;
         enableACME = true;
-        root = "/var/www/193thz";
+        globalRedirect = "193thz.com";
       };
       "nmigen.net" = {
         addSSL = true;
@@ -1016,7 +1230,7 @@ in
       "www.nmigen.net" = {
         addSSL = true;
         enableACME = true;
-        root = "${hydraWwwOutputs}/nmigen-docs";
+        globalRedirect = "nmigen.net";
       };
     };
   };
@@ -1031,23 +1245,17 @@ in
       };
     };
   };
+
   services.mysql = {
     enable = true;
-    package = pkgs.mariadb;
+    package = pkgs.lib.mkForce pkgs.mariadb;
+    ensureDatabases = pkgs.lib.mkForce [];
+    ensureUsers = pkgs.lib.mkForce [];
   };
-  services.phpfpm.pools.flarum = {
-    user = "nobody";
-    settings = {
-      "listen.owner" = "nginx";
-      "listen.group" = "nginx";
-      "listen.mode" = "0600";
-      "pm" = "dynamic";
-      "pm.max_children" = 5;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 1;
-      "pm.max_spare_servers" = 3;
-      "pm.max_requests" = 500;
-    };
+  services.flarum = {
+    enable = true;
+    package = pkgs.callPackage ./flarum {};
+    domain = "forum.m-labs.hk";
   };
 
   services.rt = {
@@ -1072,7 +1280,18 @@ in
       Restart = "on-failure";
       User = "rt";
       Group = "rt";
-      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail -f /etc/nixos/secret/rt_fetchmailrc'";
+      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail.pid -f /etc/nixos/secret/rt_fetchmailrc'";
+    };
+  };
+  systemd.services.rt-fetchmail-intl = {
+    description = "Fetchmail for RT (intl)";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "dovecot2.service" ];
+    serviceConfig = {
+      Restart = "on-failure";
+      User = "rt";
+      Group = "rt";
+      ExecStart = "${pkgs.bash}/bin/bash -c 'PATH=${pkgs.rt}/bin HOME=/tmp ${pkgs.fetchmail}/bin/fetchmail --pidfile /tmp/.fetchmail-intl.pid -f /etc/nixos/secret/rt_fetchmailrc_intl'";
     };
   };
 
@@ -1080,29 +1299,51 @@ in
     enable = true;
     localDnsResolver = false;  # conflicts with dnsmasq
     fqdn = "mail.m-labs.hk";
-    domains = [ "m-labs.hk" "m-labs.ph" "193thz.com" "malloctech.fr" ];
+    domains = [ "m-labs.hk" "m-labs.ph" "m-labs-intl.com" "193thz.com" "malloctech.fr" ];
     enablePop3 = true;
     enablePop3Ssl = true;
     certificateScheme = "acme-nginx";
   } // (import /etc/nixos/secret/email_settings.nix);
+  services.postfix = {
+    mapFiles."sender_transport" = builtins.toFile "sender_transport" ''
+        @m-labs-intl.com intltunnel:
+    '';
+    config = {
+      sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
+    };
+    masterConfig."intltunnel" = {
+      type = "unix";
+      command = "smtp";
+      args = [
+        "-o" "inet_interfaces=10.47.3.1"
+        "-o" "smtp_helo_name=mail.m-labs-intl.com"
+        "-o" "inet_protocols=ipv4"
+       ];
+    };
+  };
   services.roundcube = {
     enable = true;
     hostName = "mail.m-labs.hk";
+    # https://github.com/roundcube/roundcubemail/issues/5869
     extraConfig = ''
       $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
       $config['smtp_user'] = "%u";
       $config['smtp_pass'] = "%p";
+      $config['session_storage'] = "php";
     '';
   };
 
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud27;
+    package = pkgs.nextcloud30;
+    extraApps = { inherit (config.services.nextcloud.package.packages.apps) forms; };
     hostName = "files.m-labs.hk";
     https = true;
     maxUploadSize = "2G";
     config.adminpassFile = "/etc/nixos/secret/nextcloud_pass.txt";
-    config.defaultPhoneRegion = "HK";
+    settings.default_phone_region = "HK";
+    settings.log_type = "file";
+    phpOptions."opcache.interned_strings_buffer" = "12";
   };
 
   services.hedgedoc = {

nixbld-etc-nixos/flarum/default.nix

@@ -0,0 +1,38 @@
+{
+  lib,
+  php,
+  fetchFromGitHub,
+  fetchpatch,
+}:
+
+php.buildComposerProject (finalAttrs: {
+  pname = "flarum";
+  version = "1.8.1";
+
+  src = fetchFromGitHub {
+    owner = "flarum";
+    repo = "flarum";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
+  };
+
+  patches = [
+    # Add useful flarum extensions (polls, subscribed, upload, email-filter)
+    ./flarum-extensions.patch
+  ];
+
+  composerLock = ./composer.lock;
+  composerStrictValidation = false;
+  vendorHash = "sha256-rWvIKiQVyfvUprYfm/+Jdq+DO5qymyWp+Xh0c0nY2Cw=";
+
+  meta = with lib; {
+    changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
+    description = "Flarum is a delightfully simple discussion platform for your website";
+    homepage = "https://github.com/flarum/flarum";
+    license = lib.licenses.mit;
+    maintainers = with maintainers; [
+      fsagbuya
+      jasonodoom
+    ];
+  };
+})

nixbld-etc-nixos/flarum/flarum-extensions.patch

@@ -0,0 +1,17 @@
+diff --git a/composer.json b/composer.json
+index c63b5f8..4bc00c1 100644
+--- a/composer.json
++++ b/composer.json
+@@ -37,7 +37,11 @@
+         "flarum/sticky": "*",
+         "flarum/subscriptions": "*",
+         "flarum/suspend": "*",
+-        "flarum/tags": "*"
++        "flarum/tags": "*",
++        "fof/polls": "*",
++        "fof/subscribed": "*",
++        "fof/upload": "*",
++        "nyu8/flarum-email-filter": "^1.0"
+     },
+     "config": {
+         "preferred-install": "dist",

nixbld-etc-nixos/gitea-home.tmpl

@@ -15,7 +15,7 @@
 	<div class="ui stackable middle very relaxed page grid">
 		<div class="sixteen wide center column">
 			<p class="large">
-				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-***.hk stating the username you would like to have.
+				Welcome! This Gitea instance is here to support projects related to <a href="https://m-labs.hk">M-Labs</a>. You may want to browse the <a href="https://git.m-labs.hk/M-Labs/">M-Labs organization</a> where many projects are located. If you would like an account (we give them to anyone who wants to contribute on projects related to Sinara, ARTIQ, nMigen, etc.), simply write a short email to sb@m-labs.hk stating the username you would like to have.
 			</p>
 		</div>
 	</div>

nixbld-etc-nixos/gitea-signin.tmpl

@@ -4,7 +4,7 @@
 	<div class="ui middle very relaxed page grid">
 		<div class="ui container column fluid">
 			{{template "user/auth/signin_inner" .}}
-			To get an account (also available to external contributors), simply write to sb@m-***s.hk.
+			To get an account (also available to external contributors), simply write to sb@m-labs.hk.
 		</div>
 	</div>
 </div>

nixbld-etc-nixos/hydra-hack-allowed-uris.patch

@@ -1,13 +0,0 @@
-diff --git a/src/hydra-eval-jobs/hydra-eval-jobs.cc b/src/hydra-eval-jobs/hydra-eval-jobs.cc
-index 934bf42e..48f2d248 100644
---- a/src/hydra-eval-jobs/hydra-eval-jobs.cc
-+++ b/src/hydra-eval-jobs/hydra-eval-jobs.cc
-@@ -281,6 +281,8 @@ int main(int argc, char * * argv)
-            to the environment. */
-         evalSettings.restrictEval = true;
- 
-+        evalSettings.allowedUris = {"https://github.com/m-labs/", "https://git.m-labs.hk/m-labs/", "https://gitlab.com/duke-artiq/"};
-+
-         /* When building a flake, use pure evaluation (no access to
-            'getEnv', 'currentSystem' etc. */
-         evalSettings.pureEval = myArgs.flake;

nixbld-etc-nixos/hydra-restrictdist.patch

@@ -1,32 +0,0 @@
-diff --git src/lib/Hydra/Controller/Root.pm src/lib/Hydra/Controller/Root.pm
-index a9b0d558..71869ba0 100644
---- a/src/lib/Hydra/Controller/Root.pm
-+++ b/src/lib/Hydra/Controller/Root.pm
-@@ -19,6 +19,11 @@ use Net::Prometheus;
- # Put this controller at top-level.
- __PACKAGE__->config->{namespace} = '';
- 
-+sub isRedistRestricted {
-+  my ($path) = @_;
-+
-+  return index($path, "-RESTRICTDIST-") >= 0;
-+}
- 
- sub noLoginNeeded {
-   my ($c) = @_;
-@@ -319,6 +324,7 @@ sub nar :Local :Args(1) {
-         $path = $Nix::Config::storeDir . "/$path";
- 
-         gone($c, "Path " . $path . " is no longer available.") unless isValidPath($path);
-+        notFound($c, "Redistribution restricted") if isRedistRestricted($path);
- 
-         $c->stash->{current_view} = 'NixNAR';
-         $c->stash->{storePath} = $path;
-@@ -368,6 +374,7 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
-             setCacheHeaders($c, 60 * 60);
-             return;
-         }
-+        notFound($c, "Redistribution restricted") if isRedistRestricted($path);
- 
-         $c->stash->{storePath} = $path;
-         $c->forward('Hydra::View::NARInfo');

nixbld-etc-nixos/mattermost-remove-free-banner.patch

@@ -0,0 +1,210 @@
+diff --git webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
+index 9af4fc7354..60ae3160e8 100644
+--- webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
++++ webapp/channels/src/components/global_header/left_controls/product_menu/product_branding_team_edition/product_branding_team_edition.tsx
+@@ -9,10 +9,6 @@ import Logo from 'components/common/svg_images_components/logo_dark_blue_svg';
+ const ProductBrandingTeamEditionContainer = styled.div`
+     display: flex;
+     align-items: center;
+-
+-    > * + * {
+-        margin-left: 8px;
+-    }
+ `;
+ 
+ const StyledLogo = styled(Logo)`
+@@ -21,23 +17,6 @@ const StyledLogo = styled(Logo)`
+     }
+ `;
+ 
+-const Badge = styled.div`
+-    display: flex;
+-    align-self: center;
+-    padding: 2px 6px;
+-    position: relative;
+-    top: 1px;
+-    border-radius: var(--radius-s);
+-    margin-left: 12px;
+-    background: rgba(var(--sidebar-text-rgb), 0.08);
+-    color: rgba(var(--sidebar-text-rgb), 0.75);
+-    font-family: 'Open Sans', sans-serif;
+-    font-size: 10px;
+-    font-weight: 600;
+-    letter-spacing: 0.025em;
+-    line-height: 16px;
+-`;
+-
+ const ProductBrandingTeamEdition = (): JSX.Element => {
+     return (
+         <ProductBrandingTeamEditionContainer tabIndex={0}>
+@@ -45,7 +24,6 @@ const ProductBrandingTeamEdition = (): JSX.Element => {
+                 width={116}
+                 height={20}
+             />
+-            <Badge>{'FREE EDITION'}</Badge>
+         </ProductBrandingTeamEditionContainer>
+     );
+ };
+diff --git webapp/channels/src/components/header_footer_route/header.scss webapp/channels/src/components/header_footer_route/header.scss
+index e7c76f9861..2841858f44 100644
+--- webapp/channels/src/components/header_footer_route/header.scss
++++ webapp/channels/src/components/header_footer_route/header.scss
+@@ -39,23 +39,6 @@
+                 width: 170px;
+                 fill: var(--center-channel-color);
+             }
+-
+-            .freeBadge {
+-                position: relative;
+-                top: 1px;
+-                display: flex;
+-                align-self: center;
+-                padding: 2px 6px;
+-                border-radius: var(--radius-s);
+-                margin-left: 12px;
+-                background: rgba(var(--center-channel-color-rgb), 0.08);
+-                color: rgba(var(--center-channel-color-rgb), 0.75);
+-                font-family: 'Open Sans', sans-serif;
+-                font-size: 10px;
+-                font-weight: 600;
+-                letter-spacing: 0.025em;
+-                line-height: 16px;
+-            }
+         }
+     }
+ 
+@@ -77,12 +60,6 @@
+             margin-top: 12px;
+         }
+     }
+-
+-    &.has-free-banner.has-custom-site-name {
+-        .header-back-button {
+-            bottom: -20px;
+-        }
+-    }
+ }
+ 
+ @media screen and (max-width: 699px) {
+diff --git webapp/channels/src/components/header_footer_route/header.tsx webapp/channels/src/components/header_footer_route/header.tsx
+index 8cd1d8a624..55554fb0ad 100644
+--- webapp/channels/src/components/header_footer_route/header.tsx
++++ webapp/channels/src/components/header_footer_route/header.tsx
+@@ -25,33 +25,15 @@ const Header = ({alternateLink, backButtonURL, onBackButtonClick}: HeaderProps)
+ 
+     const ariaLabel = SiteName || 'Mattermost';
+ 
+-    let freeBanner = null;
+-    if (license.IsLicensed === 'false') {
+-        freeBanner = <><Logo/><span className='freeBadge'>{'FREE EDITION'}</span></>;
+-    }
+-
+     let title: React.ReactNode = SiteName;
+     if (title === 'Mattermost') {
+-        if (freeBanner) {
+-            title = '';
+-        } else {
+-            title = <Logo/>;
+-        }
++        title = <Logo/>;
+     }
+ 
+     return (
+-        <div className={classNames('hfroute-header', {'has-free-banner': freeBanner, 'has-custom-site-name': title})}>
++        <div className={classNames('hfroute-header', {'has-custom-site-name': title})}>
+             <div className='header-main'>
+                 <div>
+-                    {freeBanner &&
+-                        <Link
+-                            className='header-logo-link'
+-                            to='/'
+-                            aria-label={ariaLabel}
+-                        >
+-                            {freeBanner}
+-                        </Link>
+-                    }
+                     {title &&
+                         <Link
+                             className='header-logo-link'
+diff --git webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
+index 35646539c4..fbdbb39710 100644
+--- webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
++++ webapp/channels/src/components/widgets/menu/menu_items/menu_start_trial.tsx
+@@ -1,42 +1,17 @@
+ // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+ // See LICENSE.txt for license information.
+ 
+-import React from 'react';
+-import {useIntl} from 'react-intl';
+ import {useSelector} from 'react-redux';
+-import styled from 'styled-components';
+ 
+ import {getLicense} from 'mattermost-redux/selectors/entities/general';
+ 
+-import ExternalLink from 'components/external_link';
+-
+-import {LicenseLinks} from 'utils/constants';
+-
+ import './menu_item.scss';
+ 
+-const FreeVersionBadge = styled.div`
+-     position: relative;
+-     top: 1px;
+-     display: flex;
+-     padding: 2px 6px;
+-     border-radius: var(--radius-s);
+-     margin-bottom: 6px;
+-     background: rgba(var(--center-channel-color-rgb), 0.08);
+-     color: rgba(var(--center-channel-color-rgb), 0.75);
+-     font-family: 'Open Sans', sans-serif;
+-     font-size: 10px;
+-     font-weight: 600;
+-     letter-spacing: 0.025em;
+-     line-height: 16px;
+-`;
+-
+ type Props = {
+     id: string;
+ }
+ 
+ const MenuStartTrial = (props: Props): JSX.Element | null => {
+-    const {formatMessage} = useIntl();
+-
+     const license = useSelector(getLicense);
+     const isCurrentLicensed = license?.IsLicensed;
+ 
+@@ -44,33 +19,7 @@ const MenuStartTrial = (props: Props): JSX.Element | null => {
+         return null;
+     }
+ 
+-    return (
+-        <li
+-            className={'MenuStartTrial'}
+-            role='menuitem'
+-            id={props.id}
+-        >
+-            <FreeVersionBadge>{'FREE EDITION'}</FreeVersionBadge>
+-            <div className='editionText'>
+-                {formatMessage(
+-                    {
+-                        id: 'navbar_dropdown.versionText',
+-                        defaultMessage: 'This is the free <link>unsupported</link> edition of Mattermost.',
+-                    },
+-                    {
+-                        link: (msg: React.ReactNode) => (
+-                            <ExternalLink
+-                                location='menu_start_trial.unsupported-link'
+-                                href={LicenseLinks.UNSUPPORTED}
+-                            >
+-                                {msg}
+-                            </ExternalLink>
+-                        ),
+-                    },
+-                )}
+-            </div>
+-        </li>
+-    );
++    return null;
+ };
+ 
+ export default MenuStartTrial;

nixbld-etc-nixos/named/193thz.com

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	ns.193thz.com. sb.m-labs.hk. (
-							2023121301
+							2024060201
 							7200
 							3600
 							86400
@@ -12,11 +12,12 @@ $TTL 7200
 						NS		ns1.he.net.
 
 						A		94.190.212.123
+						A		202.77.7.238
 						AAAA	2001:470:18:390::2
 						MX		10 mail.m-labs.hk.
 						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
 						TXT		"google-site-verification=5eIjLyhM_siRg5Fc2Z3AMSbheH0JFOn5iR3TCEXakqU"
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
 
 
 ns						A		94.190.212.123

nixbld-etc-nixos/named/200-29.98.206.103.in-addr.arpa

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
-							2024010901
+							2024060201
 							7200
 							3600
 							86400
@@ -10,7 +10,7 @@ $TTL 7200
 
 						NS		NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G.
 						NS		ns1.he.net.
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
 
 200	PTR	router.alt.m-labs.hk.
 201	PTR	stewardship1.alt.m-labs.hk.

nixbld-etc-nixos/named/m-labs-intl.com

@@ -0,0 +1,30 @@
+$TTL 7200
+
+@						SOA	ns.m-labs-intl.com. sb.m-labs.hk. (
+							2024101401
+							7200
+							3600
+							86400
+							600)
+
+
+						NS		ns.m-labs-intl.com.
+						NS		ns1.he.net.
+						NS		ns1.qnetp.net.
+
+						A		5.78.86.156
+						AAAA	2a01:4ff:1f0:83de::1
+						MX		10 mail.m-labs-intl.com.
+						TXT		"v=spf1 mx -all"
+						TXT		"google-site-verification=BlQd5_5wWW7calKC7bZA0GdoxR8-zj4gwJEg9sGJ3l8"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1768317117"
+
+ns						A		94.190.212.123
+ns						AAAA	2001:470:18:390::2
+
+mail					A		5.78.86.156
+mail._domainkey			IN	TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
+_dmarc					TXT		"v=DMARC1; p=none"
+
+www						CNAME	@
+hooks					CNAME	@

nixbld-etc-nixos/named/m-labs.hk

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	NS.XN--WBTZ5WPQAJ35CFXC.XN--J6W193G. sb.m-labs.hk. (
-							2024010901
+							2024080501
 							7200
 							3600
 							86400
@@ -13,14 +13,16 @@ $TTL 7200
 						NS		ns1.he.net.
 
 						A		94.190.212.123
+						A		202.77.7.238
 						AAAA	2001:470:18:390::2
 						MX		10 mail.m-labs.hk.
 						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
 						TXT		"google-site-verification=Tf_TEGZLG7-2BE70hMjLnzjDZ1qUeUZ6vxzbl1sagT8"
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
 
 
 mail					A		94.190.212.123
+mail					A		202.77.7.238
 mail					AAAA	2001:470:18:390::2
 mail._domainkey			TXT		"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl38A/Z0IInVU157qzrWgMfYm2iDHoWZsTyiiOoZdT7kHMzS/M2OMXMt7r5g1/7pCPClsGUDJvKGqVMmjJuPleMyKHwpGeT92qDNEFpt6ahneap/oYx5eBYM/vGcgmleNxyIoBHsptaZvqD4vCEFaC22f8UL5QAgQD3wCH3FwlpQIDAQAB"
 _dmarc					TXT		"v=DMARC1; p=none"
@@ -41,17 +43,7 @@ files					CNAME	@
 docs					CNAME	@
 
 rpi-1					AAAA	2001:470:f891:1:dea6:32ff:fe8a:6a93
-rpi-2					AAAA	2001:470:f891:1:ba27:ebff:fef0:e9e6
 rpi-4					AAAA	2001:470:f891:1:dea6:32ff:fe14:fce9
-chiron					AAAA	2001:470:f891:1:7f02:9ebf:bee9:3dc7
-old-nixbld				AAAA	2001:470:f891:1:a07b:f49a:a4ef:aad9
-zeus					AAAA	2001:470:f891:1:4fd7:e70a:68bf:e9c1
-franz					AAAA	2001:470:f891:1:1b65:a743:2335:f5c6
-hera					AAAA	2001:470:f891:1:8b5e:404d:ef4e:9d92
-hestia					AAAA	2001:470:f891:1:881c:f409:a090:8401
-vulcan					AAAA	2001:470:f891:1:105d:3f15:bd53:c5ac
-
-aux						A		42.200.147.171
 
 router.alt				A		103.206.98.200
 stewardship1.alt		A		103.206.98.201

nixbld-etc-nixos/named/m-labs.ph

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	ns1.m-labs.ph. sb.m-labs.hk. (
-							2024010901
+							2024060201
 							7200
 							3600
 							86400
@@ -12,11 +12,12 @@ $TTL 7200
 						NS		ns1.he.net.
 
 						A		94.190.212.123
+						A		202.77.7.238
 						AAAA	2001:470:18:390::2
 						MX		10 mail.m-labs.hk.
 						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
 						TXT		"google-site-verification=g2k8M1fhbYOPs4C37SeGCfNlD6paWcexamji1DXrp0o"
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
 
 ns1						A		94.190.212.123
 ns1						AAAA	2001:470:18:390::2

nixbld-etc-nixos/named/malloctech.fr

@@ -1,7 +1,7 @@
 $TTL 7200
 
 @						SOA	ns.malloctech.fr. sb.m-labs.hk. (
-							2024010901
+							2024060201
 							7200
 							3600
 							86400
@@ -14,7 +14,7 @@ $TTL 7200
 						MX		10 mail.m-labs.hk.
 						TXT		"v=spf1 mx a:router.alt.m-labs.hk -all"
 						TXT		"google-site-verification=LALF-fafTnmkL-18m3CzwFjSwEV1C7NeKexiNfMYsOw"
-						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/496268470"
+						CAA		0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1758987512"
 
 ns						A		94.190.212.123
 ns						AAAA	2001:470:18:390::2

nixbld-etc-nixos/nix-networked-derivations.patch

@@ -1,8 +1,8 @@
-diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
-index 64b55ca6a..9b4e52b8e 100644
---- a/src/libstore/build/local-derivation-goal.cc
-+++ b/src/libstore/build/local-derivation-goal.cc
-@@ -180,6 +180,8 @@ void LocalDerivationGoal::tryLocalBuild()
+diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
+index 2a09e3dd4..7dc03855f 100644
+--- a/src/libstore/unix/build/local-derivation-goal.cc
++++ b/src/libstore/unix/build/local-derivation-goal.cc
+@@ -197,6 +197,8 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
  
      assert(derivationType);
  
@@ -11,7 +11,7 @@ index 64b55ca6a..9b4e52b8e 100644
      /* Are we doing a chroot build? */
      {
          auto noChroot = parsedDrv->getBoolAttr("__noChroot");
-@@ -197,7 +199,7 @@ void LocalDerivationGoal::tryLocalBuild()
+@@ -214,7 +216,7 @@ Goal::Co LocalDerivationGoal::tryLocalBuild()
          else if (settings.sandboxMode == smDisabled)
              useChroot = false;
          else if (settings.sandboxMode == smRelaxed)
@@ -20,7 +20,7 @@ index 64b55ca6a..9b4e52b8e 100644
      }
  
      auto & localStore = getLocalStore();
-@@ -691,7 +693,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -737,7 +739,7 @@ void LocalDerivationGoal::startBuilder()
                  "nogroup:x:65534:\n", sandboxGid()));
  
          /* Create /etc/hosts with localhost entry. */
@@ -29,7 +29,7 @@ index 64b55ca6a..9b4e52b8e 100644
              writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
  
          /* Make the closure of the inputs available in the chroot,
-@@ -895,7 +897,7 @@ void LocalDerivationGoal::startBuilder()
+@@ -938,7 +940,7 @@ void LocalDerivationGoal::startBuilder()
             us.
          */
  
@@ -38,16 +38,16 @@ index 64b55ca6a..9b4e52b8e 100644
              privateNetwork = true;
  
          userNamespaceSync.create();
-@@ -1134,7 +1136,7 @@ void LocalDerivationGoal::initEnv()
+@@ -1177,7 +1179,7 @@ void LocalDerivationGoal::initEnv()
         to the builder is generally impure, but the output of
         fixed-output derivations is by definition pure (since we
         already know the cryptographic hash of the output). */
 -    if (!derivationType->isSandboxed()) {
 +    if (networked || !derivationType->isSandboxed()) {
-         for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
-             env[i] = getEnv(i).value_or("");
-     }
-@@ -1799,7 +1801,7 @@ void LocalDerivationGoal::runChild()
+         auto & impureEnv = settings.impureEnv.get();
+         if (!impureEnv.empty())
+             experimentalFeatureSettings.require(Xp::ConfigurableImpureEnv);
+@@ -1851,7 +1853,7 @@ void LocalDerivationGoal::runChild()
              /* Fixed-output derivations typically need to access the
                 network, so give them access to /etc/resolv.conf and so
                 on. */
@@ -56,21 +56,21 @@ index 64b55ca6a..9b4e52b8e 100644
                  // Only use nss functions to resolve hosts and
                  // services. Don’t use it for anything else that may
                  // be configured for this system. This limits the
-@@ -2050,7 +2052,7 @@ void LocalDerivationGoal::runChild()
-                     #include "sandbox-defaults.sb"
+@@ -2083,7 +2085,7 @@ void LocalDerivationGoal::runChild()
+                 #include "sandbox-defaults.sb"
+                 ;
+ 
+-            if (!derivationType->isSandboxed())
++            if (networked || !derivationType->isSandboxed())
+                 sandboxProfile +=
+                     #include "sandbox-network.sb"
                      ;
- 
--                if (!derivationType->isSandboxed())
-+                if (networked || !derivationType->isSandboxed())
-                     sandboxProfile +=
-                         #include "sandbox-network.sb"
-                         ;
-diff --git a/src/libstore/build/local-derivation-goal.hh b/src/libstore/build/local-derivation-goal.hh
-index 0a05081c7..4c251718c 100644
---- a/src/libstore/build/local-derivation-goal.hh
-+++ b/src/libstore/build/local-derivation-goal.hh
-@@ -66,6 +66,8 @@ struct LocalDerivationGoal : public DerivationGoal
- 
+diff --git a/src/libstore/unix/build/local-derivation-goal.hh b/src/libstore/unix/build/local-derivation-goal.hh
+index bf25cf2a6..28f8c1e95 100644
+--- a/src/libstore/unix/build/local-derivation-goal.hh
++++ b/src/libstore/unix/build/local-derivation-goal.hh
+@@ -83,6 +83,8 @@ struct LocalDerivationGoal : public DerivationGoal
+      */
      Path chrootRootDir;
  
 +    bool networked;

nixbld-etc-nixos/rt.nix

@@ -19,14 +19,9 @@ let
       Set($Timezone, '${cfg.timeZone}');
 
       Set($DatabaseType, 'Pg');
-      Set($DatabaseHost, 'localhost');
-      Set($DatabaseUser, 'rt_user');
+      Set($DatabaseHost, '/run/postgresql');
+      Set($DatabaseUser, 'rt');
       Set($DatabaseName, 'rt5');
-      # Read database password from file
-      open my $fh, '<', '${cfg.dbPasswordFile}' or die 'Can\'t open file $!';
-      my $dbpw = do { local $/; <$fh> };
-      $dbpw =~ s/^\s+|\s+$//g;
-      Set($DatabasePassword, $dbpw);
 
       # System (Logging)
       Set($LogToSTDERR, undef); # Don't log twice
@@ -35,7 +30,7 @@ let
       Set($OwnerEmail, '${cfg.ownerEmail}');
       Set($MaxAttachmentSize, 15360000);
       Set($CheckMoreMSMailHeaders, 1);
-      Set($RTAddressRegexp, '^(helpdesk|sales)\@(m-labs.hk)$');
+      Set($RTAddressRegexp, '^(helpdesk)\@(m-labs.hk|m-labs-intl.com)$');
       Set($LoopsToRTOwner, 0);
 
       # System (Outgoing mail)
@@ -154,13 +149,6 @@ in {
       type = str;
     };
 
-    dbPasswordFile = mkOption {
-      description = "File containing the database password";
-      type = str;
-      default = "/etc/nixos/secret/rtpasswd";
-      internal = true;
-    };
-
     domain = mkOption {
       description = "Which domain RT is running on";
       type = str;
@@ -245,8 +233,6 @@ in {
 
           PrivateNetwork = false;
           MemoryDenyWriteExecute = false;
-
-          ReadOnlyPaths = [ cfg.dbPasswordFile ];
         };
 
         environment = {

nixops/athena-hardware-configuration.nix

@@ -8,19 +8,21 @@
     [ (modulesPath + "/installer/scan/not-detected.nix")
     ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/3dca09c8-f725-416a-9f89-b69297698ca9";
+    { device = "/dev/disk/by-uuid/89463254-b38d-45db-92b6-0f7d92a44f47";
       fsType = "ext4";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/4E51-B390";
+    { device = "/dev/disk/by-uuid/F84B-ACC5";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];
@@ -30,18 +32,14 @@
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = true;
 
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  nixpkgs.config.nvidia.acceptLicense = true;
-  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
-  services.xserver.videoDrivers = [ "nvidia" ];
-  services.xserver.displayManager.gdm.wayland = false;
+  hardware.cpu.intel.updateMicrocode = true;
 
-  system.stateVersion = "23.05";
+  system.stateVersion = "23.11";
 }

nixops/chiron-hardware-configuration.nix

@@ -18,6 +18,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/060C-8772";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];

nixops/common-users.nix

@@ -4,7 +4,7 @@
   root = {
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
     ];
   };
   sb = {
@@ -12,7 +12,7 @@
     extraGroups = ["wheel" "plugdev" "dialout" "libvirtd"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF/YybP+fQ0J+bNqM5Vgx5vDmVqVWsgUdF1moUxghv7d73GZAFaM6IFBdrXTAa33AwnWwDPMrTgP1V6SXBkb3ciJo/lD1urJGbydbSI5Ksq9d59wvOeANvyWYrQw6+eqTQ=="
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDf6+TFaUtITiiU7b6DOiT4/C8fzCq70j9DGnNyo/+5bS7ffRezTS0AqqltHQs9/lbjUbtP+Iil7RUGF0o0X6v5y/Gt/GdV9QR+Nv1mJCF1KVOeMKm/vB0jjN+ncwHU+BA=="
     ];
   };
   rj = {
@@ -57,7 +57,7 @@
   };
   esavkin = {
     isNormalUser = true;
-    extraGroups = ["plugdev" "dialout" "libvirtd"];
+    extraGroups = ["plugdev" "dialout" "libvirtd" "wireshark"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLDJI4GFLBmScbeR8Jh4Gi8A/2nuGlYtFTJVT+Es/bzdiPRk8DLG62T0hyRR+8LfHjbrCsDuYFNztT8hHGXd7h3xp3y2X7ArkJo8xUK5QxGd5D2Zn4ANfZTTVkoGlEHbFA=="
     ];
@@ -78,14 +78,14 @@
   };
   linuswck = {
     isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
+    extraGroups = ["plugdev" "dialout" "wireshark" "libvirtd"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAFYwmik6/xY1vb9aKBOpKklKOwSJJ0PEgNwWNULghZGJ0g4CTk04LXLSMYBm1SW74df8YMgaE/eoidq6smN6hKIgo8s3qPQGZAi4UXffMs2ciqXNa/zZcCu3PyZvyksxA=="
     ];
   };
   morgan = {
     isNormalUser = true;
-    extraGroups = ["plugdev" "dialout"];
+    extraGroups = ["plugdev" "dialout" "wireshark" "libvirtd"];
     openssh.authorizedKeys.keys = [
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
     ];
@@ -104,6 +104,20 @@
       "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOKwN4ui94QfouYYlkI1lc3WgtjURVYLTdAizJIBnY3dNRNblAiuvTD4pQ+LEI+eOTg4SnQz1NeqH4YOQhbT5+/nZojvGTb3UVN13ZYND+Gci3DdqB2mwIYop7kMXwHgLQ=="
     ];
   };
+  therobs12 = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK1tUg7TtceARRnGI80Ai5kNFolFfZ++LH9v1UoRCiJdxeQWPdNYO0Gj7+ejJvgZXwvN4yHGgcZHraEml4Mj/dKrEMFygfuYLDRmXtPFwX6TNMrWlxMhPzuNY+yCaxlqYg=="
+    ];
+  };
+  abdul = {
+    isNormalUser = true;
+    extraGroups = ["plugdev" "dialout"];
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBONzKWn65erPM2xBCe9Dcw8dHRQCJmvzwhX72iHE1xVlAr7UcB1PMOjEB25MFfV/kCIFS5UB5wuoPvq+/oZ3EXiFjmQtsb669KN6MkZNyDqP5Y2W8gR1wVa/ZLfH4HynHg=="
+    ];
+  };
 
   dpn = {
     isNormalUser = true;

nixops/demeter-hardware-configuration.nix

@@ -21,6 +21,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/76A2-F01F";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];

nixops/desktop.nix

@@ -10,6 +10,10 @@ in
   nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
   programs.command-not-found.dbPath = "${pkgs.path}/programs.sqlite";
 
+  boot.loader.systemd-boot.memtest86.enable = true;
+  boot.loader.grub.memtest86.enable = true;
+  boot.kernel.sysctl."kernel.dmesg_restrict" = false;
+
   imports =
     [
       (./. + "/${host}-hardware-configuration.nix")
@@ -61,7 +65,8 @@ in
     xournal
     xsane
     gtkwave unzip zip gnupg
-    gnome3.gnome-tweaks
+    gnome-tweaks
+    ghex
     jq sublime3 rink qemu_kvm
     tmux screen gdb minicom picocom
     artiq.packages.x86_64-linux.openocd-bscanspi
@@ -89,6 +94,7 @@ in
   services.avscan.enable = true;
 
   services.openssh.enable = true;
+  services.openssh.authorizedKeysInHomedir = false;
   services.openssh.settings.PasswordAuthentication = false;
   services.openssh.extraConfig =
     ''
@@ -121,29 +127,17 @@ in
   };
   services.avahi = {
     enable = true;
-    nssmdns = true;
+    nssmdns4 = true;
   };
 
-  # Enable sound.
-  sound.enable = true;
-  hardware.pulseaudio = {
-    enable = true;
-    package = pkgs.pulseaudioFull;
-  };
+  hardware.graphics.enable32Bit = true;
 
-  hardware.opengl.driSupport32Bit = true;
-  hardware.pulseaudio.support32Bit = true;
-
-  i18n.inputMethod = {
-    enabled = "fcitx5";
-    fcitx5.addons = [ pkgs.fcitx5-table-extra pkgs.fcitx5-m17n ];
-  };
-  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
+  fonts.packages = [ pkgs.noto-fonts pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-emoji pkgs.noto-fonts-extra pkgs.emacs-all-the-icons-fonts ];
 
   # Enable the X11 windowing system.
   services.xserver.enable = true;
-  services.xserver.layout = "us";
-  services.xserver.xkbOptions = "eurosign:e";
+  services.xserver.xkb.layout = "us";
+  services.xserver.xkb.options = "eurosign:e";
 
   services.xserver.displayManager.gdm.enable = true;
   services.xserver.desktopManager.gnome.enable = true;

nixops/experimental-users.nix

@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-
-{
-}

nixops/extra-udev.nix

@@ -21,4 +21,7 @@ SUBSYSTEM=="usb", ATTRS{idVendor}=="2109", ATTRS{idProduct}=="2812", MODE="0660"
 # LibreVNA
 SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
 SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="4121", MODE="0660", GROUP="plugdev"
+# DSLogic
+SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0020", MODE="0660", GROUP="plugdev"
+SUBSYSTEM=="usb", ATTRS{idVendor}=="2a0e", ATTRS{idProduct}=="0034", MODE="0660", GROUP="plugdev"
 ''

nixops/franz-hardware-configuration.nix

@@ -10,7 +10,6 @@
 
   boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
   boot.initrd.kernelModules = [ ];
-  boot.kernelPackages = pkgs.linuxPackages_5_15;
   boot.kernelModules = [ "kvm-intel" ];
   boot.blacklistedKernelModules = [ "iwlwifi" ];
   boot.extraModulePackages = [ ];
@@ -24,6 +23,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/A33B-F001";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];

nixops/hera-hardware-configuration.nix

@@ -18,6 +18,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/8C30-F6DC";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];

nixops/hestia-hardware-configuration.nix

@@ -18,6 +18,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/E085-5F21";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];

nixops/jupiter-hardware-configuration.nix

@@ -0,0 +1,43 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/315af039-6799-43ac-8999-7da69a6fbd1e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/45B7-790E";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+  
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  
+  system.stateVersion = "24.05";
+}

nixops/nixops.nix

@@ -6,8 +6,6 @@
   network.enableRollback = true;
 
   rpi-1 = import ./rpi.nix { host = "rpi-1"; rpi4 = true; };
-  rpi-2 = import ./rpi.nix { host = "rpi-2"; rpi4 = false; experimental-users = true; };
-  rpi-3 = import ./rpi.nix { host = "rpi-3"; rpi4 = true; };
   rpi-4 = import ./rpi.nix { host = "rpi-4"; rpi4 = true; };
   zeus = import ./desktop.nix { host = "zeus"; };
   hera = import ./desktop.nix { host = "hera"; };
@@ -15,6 +13,10 @@
   chiron = import ./desktop.nix { host = "chiron"; };
   old-nixbld = import ./desktop.nix { host = "old-nixbld"; };
   franz = import ./desktop.nix { host = "franz"; };
-  juno = import ./desktop.nix { host = "juno"; };
   demeter = import ./desktop.nix { host = "demeter"; };
+  vulcan = import ./desktop.nix { host = "vulcan"; };
+  rc = import ./desktop.nix { host = "rc"; };
+  athena = import ./desktop.nix { host = "athena"; };
+  jupiter = import ./desktop.nix { host = "jupiter"; };
+  saturn = import ./desktop.nix { host = "saturn"; };
 }

nixops/old-nixbld-hardware-configuration.nix

@@ -21,6 +21,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/D0A3-DDAE";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

nixops/rc-hardware-configuration.nix

@@ -0,0 +1,50 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/348c924c-1d86-44ff-84af-2594f414e7d0";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/1BDC-44BB";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/opt" =
+    { device = "/dev/disk/by-uuid/cf0f51b6-7b95-4c74-9390-37dc4c86f32b";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  hardware.cpu.intel.updateMicrocode = true;
+
+  system.stateVersion = "23.11";
+}

nixops/rpi.nix

@@ -15,6 +15,7 @@ in
   boot.loader.generic-extlinux-compatible.enable = true;
   boot.kernelParams = if rpi4 then ["cma=64M"] else []; # work around https://github.com/raspberrypi/linux/issues/3208
   boot.initrd.includeDefaultModules = false;
+  boot.kernel.sysctl."kernel.dmesg_restrict" = false;
 
   fileSystems = {
     "/" = {
@@ -24,6 +25,7 @@ in
   };
 
   services.openssh.enable = true;
+  services.openssh.authorizedKeysInHomedir = false;
   services.openssh.settings.PasswordAuthentication = false;
   services.openssh.settings.GatewayPorts = "clientspecified";
   services.openssh.extraConfig =
@@ -34,15 +36,12 @@ in
 
   networking.hostName = host;
 
-  networking.firewall.allowedTCPPorts = if host == "rpi-2" then [ 6000 ] else [];
-
   time.timeZone = "Asia/Hong_Kong";
 
   users.extraGroups.plugdev = { };
   users.mutableUsers = false;
   users.defaultUserShell = pkgs.fish;
-  users.extraUsers = (import ./common-users.nix { inherit pkgs; }) //
-    (pkgs.lib.optionalAttrs experimental-users (import ./experimental-users.nix { inherit pkgs; })) // {
+  users.extraUsers = (import ./common-users.nix { inherit pkgs; }) // {
     nixbld = {
       isNormalUser = true;
       extraGroups = ["plugdev" "dialout"];

nixops/saturn-hardware-configuration.nix

@@ -0,0 +1,43 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/51d521ec-4807-4b71-8a89-116b89f72d2e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/877D-AF6A";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp86s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+  
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  
+  system.stateVersion = "24.05";
+}

nixops/vulcan-hardware-configuration.nix

@@ -0,0 +1,41 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/67168ae0-6448-4b40-b278-406290224b4f";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/8F4B-AD84";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  hardware.cpu.intel.updateMicrocode = true;
+  
+  system.stateVersion = "23.05";
+}

nixops/zeus-hardware-configuration.nix

@@ -18,6 +18,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/91B4-E546";
       fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices = [ ];

remote-ipsec.txt

@@ -0,0 +1,49 @@
+connections {
+  bypass-ipsec {
+    remote_addrs = 127.0.0.1
+    children {
+      bypass-isakmp-v4 {
+        local_ts = 0.0.0.0/0[udp/isakmp]
+        remote_ts = 0.0.0.0/0[udp/isakmp]
+        mode = pass
+        start_action = trap
+      }
+      bypass-isakmp-v6 {
+        local_ts = ::/0[udp/isakmp]
+        remote_ts = ::/0[udp/isakmp]
+        mode = pass
+        start_action = trap
+      }
+    }
+  }
+  m_labs {
+    version = 2
+    encap = no
+    mobike = no
+    send_certreq = no
+    proposals = aes128gcm128-sha256-prfsha256-curve25519,aes128gcm128-sha256-prfsha256-ecp256
+    local_addrs = 103.206.98.1
+    remote_addrs = 94.190.212.123
+    local {
+      auth = pubkey
+      id = fqdn:igw0.hkg.as150788.net
+      pubkeys = igw0.hkg.as150788.net
+    }
+    remote {
+      auth = pubkey
+      id = fqdn:m-labs.hk
+      pubkeys = m-labs.hk
+    }
+    children {
+      con1 {
+        mode = transport
+        ah_proposals = sha256-curve25519,sha256-ecp256
+        esp_proposals =
+        local_ts = 103.206.98.1[gre]
+        remote_ts = 94.190.212.123[gre]
+        start_action = none
+        close_action = none
+      }
+    }
+  }
+}