From 7d24e2dfc197053f05f792a689171ab10a6cdf60 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht <tom.hubrecht@dgnum.eu>
Date: Sun, 6 Oct 2024 16:19:36 +0200
Subject: [PATCH] feat(dgsi): Update, with SAML provisional auth

---
 machines/compute01/dgsi/default.nix           |  62 ++++++++++--------
 .../compute01/secrets/dgsi-x509_cert_file     | Bin 0 -> 3616 bytes
 machines/compute01/secrets/dgsi-x509_key_file | Bin 0 -> 4864 bytes
 machines/compute01/secrets/secrets.nix        |   2 +
 npins/sources.json                            |   4 +-
 5 files changed, 39 insertions(+), 29 deletions(-)
 create mode 100644 machines/compute01/secrets/dgsi-x509_cert_file
 create mode 100644 machines/compute01/secrets/dgsi-x509_key_file

diff --git a/machines/compute01/dgsi/default.nix b/machines/compute01/dgsi/default.nix
index 1e972c3..f7fd9e2 100644
--- a/machines/compute01/dgsi/default.nix
+++ b/machines/compute01/dgsi/default.nix
@@ -8,7 +8,7 @@
 }:
 
 let
-  inherit (lib) mapAttrsToList;
+  inherit (lib) toLower;
 
   python =
     let
@@ -33,25 +33,29 @@ let
       };
     };
 
-  pythonEnv = python.withPackages (ps: [
-    ps.django
-    ps.gunicorn
-    ps.psycopg
-    ps.django-compressor
-    ps.django-import-export
+  pythonEnv = python.withPackages (
+    ps:
+    [
+      ps.django
+      ps.gunicorn
+      ps.psycopg
+      ps.django-compressor
+      ps.django-import-export
 
-    # Local packages
-    ps.django-allauth
-    ps.django-allauth-cas
-    ps.django-browser-reload
-    ps.django-bulma-forms
-    ps.django-sass-processor
-    ps.django-sass-processor-dart-sass
-    ps.django-unfold
-    ps.loadcredential
-    ps.pykanidm
-    ps.python-cas
-  ]);
+      # Local packages
+      ps.django-allauth
+      ps.django-allauth-cas
+      ps.django-browser-reload
+      ps.django-bulma-forms
+      ps.django-sass-processor
+      ps.django-sass-processor-dart-sass
+      ps.django-unfold
+      ps.loadcredential
+      ps.pykanidm
+      ps.python-cas
+    ]
+    ++ ps.django-allauth.optional-dependencies.saml
+  );
 
   staticDrv = pkgs.stdenv.mkDerivation {
     name = "dgsi-static";
@@ -67,8 +71,10 @@ let
     configurePhase = ''
       export DGSI_STATIC_ROOT=$out/static
       export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
-      export DGSI_KANIDM_CLIENT="dgsi_test";
-      export DGSI_KANIDM_AUTH_TOKEN="fake.token";
+      export DGSI_KANIDM_CLIENT="dgsi_test"
+      export DGSI_KANIDM_AUTH_TOKEN="fake.token"
+      export DGSI_X509_KEY=""
+      export DGSI_X509_CERT=""
     '';
 
     doBuild = false;
@@ -101,12 +107,14 @@ in
 
         serviceConfig = {
           DynamicUser = true;
-          LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
-            SECRET_KEY = config.age.secrets."dgsi-secret_key_file".path;
-            KANIDM_AUTH_TOKEN = config.age.secrets."dgsi-kanidm_auth_token_file".path;
-            KANIDM_SECRET = config.age.secrets."dgsi-kanidm_secret_file".path;
-            EMAIL_HOST_PASSWORD = config.age.secrets."dgsi-email_host_password_file".path;
-          };
+          LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [
+            "EMAIL_HOST_PASSWORD"
+            "KANIDM_AUTH_TOKEN"
+            "KANIDM_SECRET"
+            "SECRET_KEY"
+            "X509_CERT"
+            "X509_KEY"
+          ];
           RuntimeDirectory = "django-apps/dgsi";
           StateDirectory = "django-apps/dgsi";
           UMask = "0027";
diff --git a/machines/compute01/secrets/dgsi-x509_cert_file b/machines/compute01/secrets/dgsi-x509_cert_file
new file mode 100644
index 0000000000000000000000000000000000000000..93b5ce601dfa2ff243bbf67c7d7c76e59ffdca20
GIT binary patch
literal 3616
zcmZY8=U<Zt+Xi51Q80=O6(2wptrjI>Hc3=Q_D;C7NMb1@A-S{ncHoO5A_C$n1qTSW
zhzbRzQU{=-Rt0LEh!sT&#ZeRo*ede&`Oq&uf5GuPuj@SJpekNvQrf&0ht_ObZnl9i
z7XlKW6l1q*;#FBl3<iOZ(J>_IR6>l1?v`0-5;-CZqb8&}4aigl3&5MzE(4uR%Hn0o
z@En#A?k0nv83M=+IG;g6FbMfJmjmQuKp7vdq0li35G2BM2#GY!4w#G%j0*Ru1{nB6
zJP;$pqD?3d0b#`{oiv(~V-tWNg^ATOxo`@=PjjRp1yngyF61K^5D%UvL1ghcB)dgS
zk?4p-AI-sF5Cw7))1`%bIL<7kg=x0Z^kUAZnhk1V!GIVe9IwJ7(_{{g2_+OkZAMU~
z(1__cBMvaSv$ROK28Gc9PPZ5dK)5W>3!tz*rItYwX(e17&7&3Dq*96-OUEf)ge;sI
zkLGH{9HIMP&1RR!=xu2vHUM!LK$J<O!#da$IY!2m16HR1D&%;u8mJkorn(Sb1YnY~
zb!qN|1g}nOhT}LaGy_z?;AWgT)x?4D5O9k&4UIyZ;Tk6<OG2k8rD+&EU#7EwB&L$e
za0*yvZz@ToM8Z?WC^~{FKueh{CEiN|jaUyA!WSyETq|8e)i7LXC@J13ONGPq9GVVi
z(ZGoyh5)1S2sSpw2X#|~Tn-cu#d9%enpx){$ysQZ8p2eh$rN<Gjo^@2trpP1)?j^B
z58Wx(z#S5moi1lspjNfxp8$Bg$%BBIxkxX?ClRp$Z<>y%vO|zO0S9hjQ6&-tj;}^R
zp%{@FVVCQKY$U>?<U7SA7+S{Dz&I)om&ryc1w1#wNcC~aCXr19#iJo6sFy{A$x;&x
zNTx-IR+>OI$qM{??SFd<bGZQ}5MzR=l@1gEw6KUQM}owf05?it#550Dfyd&YHiwxk
zate4*4ciDnQZZ%`lWX@%aVRugVnJKkdXd%W<`NPBwG_|f8(mnlUgb@2U<jXTa6TUU
z&q|~Y9#L#E>1bLELnD;41P-@OEXN@k2&mRbAlT4G5U<wxoLL9}VkZz(NEw#vv(Z^B
zsE{UbQyf~44=TgEbat!*iBXeX7&xfVN&iP<(mYr$7$d{j>`p5I?G~T_rxnT5sxStk
z$iU$^m8p29SD=St#7?q7uF-KIXe!HTa8rCjBizE}@YECuUO@s>SvsnX>yrF;C^93@
z#-j+`%1^Ul1X3&uj1i$zwRVROtJ83_1~L<G6==N)32vBGYUV?2WD5=BL8he&K$_bO
zG2lf;luf1(*qL4!Q%JVjv@|5jjJIiJYymCJn?=dek}VX3Q1d^3v%okY8i=82%nTP>
z&9M;OVz^#t5Uac>qSN6v%I$17-Qpo54F)`$&NXTX5Tyqxbqcg>pI6Eff@vHkCDoF}
z*I`sD4O}CzLz!xCf{NiLs6o-E*&JjmlMlua^hUOwVdpBCQa)UUF>)jhtI#1KX>?i=
z9)xjtbdA$)hhjjg6oS+71#~?|!%vXu^&)~;0a7tE35Kk*5f}`>M+JOYDizl&B_~k+
zt0{S8fh0a2w5jBF6+|Y+@li@OgXIBIVX3JOB<OQm0YHFJD_K@66^7EJ>SYeS6N$lE
zOlY3R#-j6WN+!(pPY2@TV@yz`0|bx;I$bOmsQFBnM#2}dtv-v-oaQ08NlKf@BXg5H
zTA>+251t;n*A`qnFnA>(=_V)YHs@L~->{NVy71`5DQ&V%XHT3gkAQDF96{_|pkB!F
z?pqc+9lX0gbg}Trx}4@E?)bvsQx&am8*{lU&QlM7uHYzJNR!=~M~oZa=r?B|D3|kR
zTiC3Om^V@7M+1|WZsH`pxDvSc{(`VIJUW>t^_>0=T9RE?TyW{)nXutZP3<WpBX;C)
zpDU05W9Uu&4gO6?>>ifS{c`SV?A5Ze<lj4^afZrW@W83x<W=VvJvy=?UPf}u2OGEI
zV}ri$3Hj|AEepBmZos+7hA%!I$-6^#&Uo@!<qh`Whr?=Y*IDWD!vt`5^{OC7^69^)
zZoaqa%Gz(}Rh>)r@;mw5XVuLYO13KK%~6jgjEi!Fzx?pae@Y+u-F@;6kUJjV*0iCt
zRyMKa(4-2D7dFwf=C{78r7yP5Y|q{?F}1X9PgN!BLS6g2sUZFY@64{c-;m#iqSHI*
z=$2|OHFoi-{tNjX%TL%~A%ou@R8G8%Sk(A#ZydMoDY;k{ursNByd&gV%=ChkKXXqf
zzF`){o%PKQ%Z)uYnrBX#oHPH)?a8Cl2}VOnXG!265G}Olu5QQYSNo!V%fum?Wuq!o
z@VbP}2fF-gpW3#y{M4kq`kz~mWnad$j*2WKBYQ0GGH|8=ler~CWXqAr{cg9{hyNK}
zS^_mJh0a#3leL_^eFIYK0JbbhS*a1G^hN(dTilpf(zGDCmW!UK@;eyvbg=A@|J_4t
zudC`W&6~$I9&B1iOJ9GoT7RM}gV9^+z$fRQ3p>OYPP>-hGCQt4kSE@+fEB*0>Yhu_
z=R9k93xsbqOj_=vP7979M*JLhB*Q-K&W@UQnwoS$u<vBsJU`uEitWN4Avr0Qxgu$1
z=uc5a!uq_u;y;3u0?h@v(Q}4YcZSF6BRL}>b#Gt+9B;*}!3y1&>>cMSKl55su(K*h
zv|`DnMMa5!?86oD7d+d&^`-3kx-VrP`P&-5JyvtwmY4ZO!mOf>x8$5>{Z;h?ROY+(
zFVxSY3T47yOI^ttep#KaAs};C)4WsVLj~dEC3@Re857T=a!rfAUjx)%oFnYq?ejlg
zI{I2T7D#|qe>_(6^j_si<Y!4W`MMWPQT+)kFGd~GY}#s9@^Hb4k1v*Vyq$#=Hw*=`
zH8ou^=*OesJ<O%~3{)@+f-X=-XNWG$IF(L<z>})3HQW96-TgAc|NYj2#VOq$*F>_!
z=o0vCK0a2#?{=T~;csHPy={bYk};*?Xy&?mLP28q?~QPY2er0ku<<q(H8)hdn_X@!
z8|_m{ugGp4h!V~%c@y@0_JvLIg%#J@YiFyM9qjmFeZZ~H`xM+S1N_a*-3HT5N$;Hg
zuVsOYOE$DO429G_SRe3bQFB@CrM2Y2uG_a!q<;OZ0~<;zCsVIv^AR(r@2qT|nX<|M
z^paz^^}T{_`ukO-6UTW0y=|`fs^Q_&7ove!!bY$5sz*XyQPa@>^HTA)O+7~k^h-&)
z&H6<JXTm-tzAXl-#%KK$Fgu7-a%=VpQQ(cDEwghZk)1~($IjoWZn*w@^}>Za&M&VX
za!lr&`=*x2f0e#_USWEp20Fv<1}}mEy9sGr3%^L%Hc&L2Szh0`t&sMCvXb<UzI&on
z)$SiYIe*eg&-5E*_JQv25)Rd#J!)5MEF}L@Cl<4KGX0JtCGDcKQ&!DC9-aL<XvWm7
zvB}Hn&}khy>-t6GfvX79KI)q6Pg0-VF8oWoYawD)`?}_ch@Uz$hNJZTmjievc0tWx
zg`uwXO5|Yc@~%+CjHcxUN-k4#&-i{y{Mx#RM~CMxzTZZ6XLhyaZa?t|-7#-+#{Kt~
zsbAkI=B>%u-mr68dG}amTF|}rErZyinQzwjoZr~`*mt;OwO?8Dp;*Y%j`7gi5cBRk
z6=Af?)%!VwuByaid$#=$aBPyg=C(-0=>E9>&g79@ccWw<`}MY8mBV3SUscX}?C*7A
zMCcEyv6oL01*81!;Pq(&YS_(tPp7mLl5b(8NmR|ZkXM#g=8@3fYvt!3+U5#Nv8wGU
z15L#_b45>g1f_qUima{E+a5kz6~N4Uk(NfyBB|t0F*9l&k1I?T!Q8&NfAh9aw5704
zr2wl2hLQ{S6NmcCuPmF&NOFXRzk2<Aq*!ouN;<K*YfU8(7<|6B{(umFCi_7-4?-w)
zThxZ6p|<<zsV#2~jjQ~h?2LGIHa4#Zpk{PdwcebW$6sPin3vJ1DKC|hD&@<jh2F_{
zO-Q~ub%kH(!vy)l==0GxM|N%=S+yv5yE|z^K_oB|GM3MrA2cxTDgL_nKwo{NzT|${
z%XLRSL>`Dccqyu3wM+Tyt&t_i??K{r3@b0Rv3G8J)%G5b3Mf1~2S(RjH!v&p!6nic
z%pX7dC|`W=p7}l}V_o)!-j2k&(#(&Ky2@%l4^<o;tST9obw(DSC~N$=z2;$0uh<|y
z9GUQ>q;K<uwxqcNYsK*0=`EVYlOE36wprYh-#z2p=z47Su<ChPYk<6M*>@1~k68^3
zaj#ZX_BOPB6>8eEp;C6|q&nF9c7|f~T-VX$Ro!O<A0ISmYN~Vd!M0*f6ZPdvan4v=
zoOG;-U;Cgh=kbo7NApgmj~eDxU(1I@99*=gGO~R5Ys$>wR!4+m!?BI0E{CL7m%lT{
z{Dm9(d+FsFd+Zmlo}YGW=+Xm7%i||?Pg-)1A3gnZ_Pf_tr=%RrDflWd%%3T$7})O#
zH}$7_y3?C|M`}9a5~H{NIKD4$4)*A9cGdKgwD5^gOGtlDP)9wbe%}}WCp%o9y<o)-
fvywT8seStS%aD-W+gygE%R#$(zki%@V$|~g-)-{+

literal 0
HcmV?d00001

diff --git a/machines/compute01/secrets/dgsi-x509_key_file b/machines/compute01/secrets/dgsi-x509_key_file
new file mode 100644
index 0000000000000000000000000000000000000000..7d51f6fd583df9bb4d2c5eb9f7e461236149c08d
GIT binary patch
literal 4864
zcmZA1c{~%2{|E36R4XD$j!G$EG_#vh+ibIwU3NsZ`>@%)**YZAMG<oJDHWwilAQG=
zl`f&EL?zva4k^+7`~3d+{L_E$f8LMh<MDdD-fw|S5-dp+>8)C$LX)^mqnClqU_fw$
zkHH`hmWV@PFfhtTN#sgn&^|g+NHjD$6doF@LC6px3W<dkg@MF|P^k(m#ULl>Y%;w?
zqtThsQ~*y&62U>yJXMIC4U46kWEPpy5Q^6EXec_85rPq^Lgk@&5{yBn{;knf3=E3y
zqfNxop*pz|%Y^G<Sh`rV42NbS7<{D&mT2Kw^=vs3FQw7cR16hhF$*P;IwT9nG^!0^
zD+$Tq#3(?aCK+0aVe-k*RvZ$_wwUk&e#qaN9+*f5(S2BOWvmvc(Fm<LUSc961c!k0
zglvLRD5n8cI(di;EP-M8dX^eZ1i%t(1hA4zGa6<1P?dtBkq8KEqFOHICP{cKsRAP>
zO6VL7(gx-Ir|As>p9DPzOQ8d3N)wbv*M`I(H8K{90fj)hP!Nd~0wX9u76zQk5b<>g
z4$DM<LG)IzNFAj>tH>%FhR(MTNjeY;V8-b!CYmlf1})Y?_%NneNTfo<G?@`$<zwKQ
zq(l_Ltb&4IJQxEe2C}eVmQqfFpcA>Y*vROZNDe^DLnTF01auvb5Mp5II20%xDW?N9
za*kYOi85lqSc!qH(%_9On+Rc0QxrA<mc#`ys7kXH!WRetNg=|-NKgz*Dv&}$u`~pZ
zm7uT?AxtqRL8h0g)o?H{38vGKVQgihA%<=UC8H$LL^x2HWX6z~f=Gat!R9FvZ7M9p
zEU-e9bel}W6o{2HtVv75Doh44&qmYAkg|kmbQBUt6~r)kGOQxO#tmfxN#-aTfQU3<
zg;0}~1~YSUAcfK#&6I-C|E2w3Z$V}YT}1aGpsi4?*`m;iO$HJkXfz9up?ryu$B2f-
zg26CxG(|(QvXweWR0u%LK*K>AtW?87YUD^%62_<phhhz+L|Y`>YLsHMu|xt?p@Ha7
zxWBa!1`6@-l|W>8C|xcg;x$x^4XvZASyU<2285G|NimU3F%B6`5rPRI2sqRL;0TRE
zJ%q>B31Wpw6rk7~Ei>cQ1Oy1AVMnr}&{n>U2v-S|92)X(jYLR7&}2SQ3?mJ15yr@Q
z1Yiuzkcf}ctAuo<E*gd*Ycx?bB^k-1B|wP^TmnF86o5jtG?3M##b~3fv?L&wi`QYP
zVgeZm#lTfGIGM)h(4(n|?7uY_lZPP7e7Fz;j*hU%O(q1NfK`)JN@0keKr%^K8deCN
z&($guARJN>kOi>-uu%{W1_#GVkq{Kk7Q<pfVHP$gmaH^ua7hA@Q7D0-=^%qa8fE!g
z(}JinDBTA^;|cK0B!Y=9FsiXOP&5X@hog8h6iN8+vOuq(tGJ3JhTMeK0CWPHn#0w>
zFrhF6C=!j7(7_>O6bpm|63}!88bu{XC0MjLHiw_^w`Ppgkr*-`TZoy#!=Q*r5lI?q
z!3bE9|Bhm+Mr*-BjUtNNz*EV93@8H5L<0n@7%3gaB@kdh3CS2Lfg%KEwk*Ly7qeqA
zA~TxAB5(+32$_;V|9{PbMYDhmL$FLQ5f~&si9WuYIBE{k2W*Im6UpU1BL8?P3IG?X
zWNJ1MBBgR5Ks+7^A#ms-3Kf_DF^ix$woy+NLjHY(0xnwqZ)LDZE*6b6l7J+=Oeo~x
z6>@->0Os*{60VdKoj_5cFdPM*rzc6NNg+@`aB#2>Hil*4a9~C-LSc}Gs#r*bnM36Y
zaG`Rk9AVK%>FM-PHcAIpYtR6{ra_{sYfsa(s-HNc`{J)N;(z%%PntgUSLNWY^?us$
zBU2=W<mENw;<noJ*_#yEd*642Iw$<7a9cg4c7MNhrcu7OVbaf)qpSiEe9!Tr<t`7;
z5mLJLcILOWVIJ+6e>388=4ibAmujc=XU0=A$%qR*>s0NdFKQ?2L1D>gV*}GA^U9*w
zOVc2IcJJVcYg+Jvu&ZeAs^KF~79LB)J$76<eVAzI?dW(7cL{j%%z3slZdGkkNeV-y
ze-OSEB5uC8U-qj7n4i^tVV+xglZQ7QvA2Gzesj6}h3~=UWyI=<lM*4{F&T~bINl17
zun&~#bTMb)d`(#|u5+^=hdhre^Ked^agV9-Dmln@+w*2^V9c<i#dW;;y087zLyWNO
z7gYTRRLA6JscGErQ?f@tR7K7j<bMSCH)q>&%YXG=iwn&>{UtVEOI<Yoovl2J5mx21
zr9Z^%*S6ve7xd}NpIpZ7?%wwEMe|?pGbn6xaFsQ|k@XL~Jznj5^*H;$c<KDTzF-sl
z>dbSBtm-EPmw3~1g!k6IZ^o^N$^8BE`Yyo354-)?JL;T>WncQQC<@cZN_SD6!)JS1
z-#RYyn+?3a=8xmu54Ag1d)!*}kSu(DXd|y%#t&09PSv;86~%1KxRvvCL-Xl~g2%p7
ztU;|)7Ch!iPS_JkGox>?X9Si$8<Do0T`F$&+`H+@jzHE27bv4)o|%^tG%+2tKVN?T
zvTs^nquY!G_dP^ZgwpR0>v$jLP-Uw_FLSYo>Q%8nd+APG$Jdry!|mX(z(V|nEx!9p
z`hPpkE_G{TH|u3yFZl}vORz=W{({o`OWJ!*wJftNw)d*^^GvDJ{XSUAZX7)P^xc7x
zJ+^r(FtgvjI;A?j?ZA*b>#orobqt8}S`<FJF?WDy*$A0yoV&d7A-V0)a`d$Yu`#Q|
z(;qMPJXCv0TE+;V<#V=NZ>)oHSLBcEWo(~Vn|AbWq=+Lp7ngLTM)J<Irz+1$*3-Fi
z^YLQ~Ar7<Z7nJ3lT(gdR-S%#ny!oJ^kHy?XICiG$%kI$W{Y216%P1k3O>FjiBdl(G
zVADg&4~q5=R46oAos0oyv8C_*yK}qr``=R+PV6aV{kpXHF8==R`P=$#G#)*UA_ZNw
zt^b<6y}Za7A5|!}lph%gAAoMiKYrOc`lj=NjBPZ;S!PYww2tcERl8*L*ost(VQ$du
zpkFV`PI#yS>0|kV&)tXj-R?io)-xWRcP_!?SxeSbKiL`(UnZ#-X2m$o@G82vA!%xS
zd4Zqiusvzh`+=sT-`_mjLYcr$FL4Jen>$pc4=&$<rN*TVStoCcT{~eds^_Gjv_?`;
z7=0<S%lq28F?=!~=Uz=Re_XUGHpuDuW<|laf!3@L*XR0a35Tk@4$h@DPS2k=QNF5R
zMcYI<WtoesLNr`GwxWx+?c_%{G<EJ|f#i4V{K9mXlApt4;eVQpy+@a07;{?h?5uOz
zWje7#Za3oPk;Qg<ULPIgdo!@{ju%DT`n!CC2L*n<FyN{sIp9HHp_*ukyQ6g2i3hpv
z_U+wXm0x6c*fAz{suuim((|~^eM?F&L<TnYoSTQaxM0%rubFw3H_5$^F}w4U|99Bf
z^nLz2CG_ME^!owHoR3sDpWO=L+v?lRwZ-ES`^ts1!{P3^8|3KMu;Z({ZA-$H1X`~5
z%l!l7D)sR{x*|p(rm`Q?^c>*_sBiSk-Sf08;}Ybwx~5Yj`C0F|%o$1XobY|`r-+>n
zpSxy`uhJi`@fz?yu>3^HQ{b9{uJ5HMU%H-K&<($?Yj0`uHDw0&A`0Ty3eT*4A!2$e
zdu{;)>wN-F*}pXyoO|C)Er#A$zXLTa)UM)<g?!Q9iX19zXrx}QJd++%5VH2SdF{Rc
zEBWDU*OeatLA(m*AWruUZUcnhx^K?6zLOP;A3n-l|N1dL{qV*B+?eAWLUGN2=Vd~o
z^)z$gc)i=oYm4ViU(ixnDGH(n9b0zxEp_LVJm(0kxQ(W3hcJ0H)B&-H9=I=j9Qo~k
z&vu?X>J5r&&Op-qnt#_+G->=Gv&NGA=YJocvt**jkMpSjob$?p+I5%vM?OCr=^(x6
zPV0djja3GhY;_0yGH}XE-MdbwjgSI=yreg}{rueVv*mH&lmp595#*$jQMZN_<@GJn
z!C1S}xJD~nyv?CzJU$0|dS(8n;-<RW3d(!j-DNv&0XBp3%0|OQc0r@<kl^~1r+q(L
z-6n6RCNx|rCV|(0<@GcF`JZ~GmI-nxxZ}J2D(0xi7RrSm_1D~nzHXA%C4-O=FHr)C
zv3f^G>LEOKB{VX4IK_`MyH&H!?asPcWn+G6pEEybPo*A?a0lNMZM93=6+hDV$8U)6
zaM#6OlQkb0GhDjwk1zFD)(!btU39wr+x!5`_-K2BD*yA1ErDQc%J;>NjncJk$hi?y
z1R+lY5f|8&yJ>FUNkU55yBN>3x5?CcIo&@i!Q<N@!M?d=6O6Y9x9@pj7aw_R=c+Y&
zH%QR7v-Qrhc{Nk@0}V*UydRTDdAIF?FoOqEzMdTeib@|v$Il4sj~(mZ=ez)OlA!(K
z7F@g{8UK92#i}EEqN_6H@u6#B8%>G__M86M{OKP6dBUTj3)y8S9>y)n?^HY~H~Z9_
z+_YBrN@DL~-Cb_d&LJE?z(wkK<Ndt2kgSu)l7MU)bWM2k<yYU!n|^h6wQua4Ud#*_
z`2FM<unC{k6uB^p**enS*9&xYU;lmet}Run{Hwu2_7}M4yggHfx9c1`gUgq>l8U(4
z!|8)*!C%ipQmp5ueBMegnl;0j|7J!1@rLDa${w$8an4tM{3ACHRg`bVUcE9TP+iC*
zaW3u`*99Oy2?_QoH-C7}+q+@o{c8iN#c@jeUiYBnO6uYFEwfYSH~g_=w6QbGQyv|o
zo~}`)p_J`uqB5sPR-dEpK!TD^9=4*1LD?Y6wP$3<6}E}DhIiW8ISfu;{1Nu^=?YP$
z<Db3n?eb1ddD5j<EYTJWfi6jNVq44Cw(oEW-u=PU`mKVtkn-vx;7ptOV(G}EA3o!U
zy5F47k^XAjn~v---94h52eQ4bp5}0f2A7{Z(UoF2LOg!+x7peaeM}AV#)D?$e*(Tb
zACG5exH&O1^mkP~=dR0i`j3dzE4qyzZ}m(*Qtxte8<ynYS{61fvFbi-?2C6=vwL8K
zjWl5@lguY<ilEdb*G5QSKMU4)+-_2mi-V4RpL}b5*!jx0_ghp`kXd$D3zFIb!d83Q
z_RGb^Ljv&1{=tj`?fwI;QsLIpwxLg}y-wv|zrVh;dg-JQe|b7+Hf^f5^=1FE;<^`&
znETfRxbBOcH4b#p#Ro4g70JLwj|L)ktsESEgh*XVo8@p4D4pvcmtSGiJCeL|zex8q
zrKFvUuPk$WhFuzw6Zm>v&dblS+y(E!4!df&l#S-S!46OT+t+Pr@$cm2E*}i4E_{5z
z0o47;=$_;7XlWkAVZXm3vt+btw4+m-z3AzLGv72f>YT9^vRsUdk&v)V;Nwz;U-&q~
z(LB@fUS=6khO6z3{MtW2eX9G)amgKf%?;L}|CuvskQwW4-Iw#iI{nRC!rk1HJG0@Q
zCCVq6@!LCa=L4hOiou-A4=dNFK2^Os(c8OdYV1xk_Sp(W_39fl-B#UN`e5Rc@RdHD
z$ip}86xe-3_pMa8!L6cL^8}ZU-4nCszg_n$nNVt;buZ%CPP;urpjiXBg<H0TD>{cV
z?{AW9!WoX$Bj5`!lK3Ty8%)>RlBLwLQvycaD2Mz*<lq52e;J@X5LeT;K<sd6`kVdf
z!D`}dUf$Hn)t<|))(e7M!@8}$kg}35-aU!5zPe{`_?o5;oBvQIt0Nti_f(yEif1QV
zp?brt<s90scG`6Vmz%nG{qrkt+Q{kmr0sX+-G1wYy&LfRx1r1T?1X!3OQ|2OBzI>~
z=4|;$3bAi`dGs!Gbr}Q0G$MA)xP7KMZ01eqMp8=IPta`gYfy=E()H|&Fm|_mUE(J-
zZp_^|VMmGg9Dl^4E0-aLntX2UO7DgM;E~j}fx^!nxhZzv?C;kq-|!oa=N^|vc6yM_
z2De8)%ClylU8B8BsaXEo!MTIb5!3xNJ7DC#hi6dB+$+aRyyU}2a+&MSSJLdaBB@>D
zNr`!Gd4dWjHyFDo<DKn(R#d@AgSn!+n0NDl=kq<AzU)}snw(RxyAFY>?5EbB1}1Ns
zF(viq1ed!x8SMo{>{hk1a}M}baGo^dIPuJyJ7cd-Z}5f>JUD_e_}Y$Ae2%3nKjgp5
z=~a3+bTHEPP5<JCa(sE}YH%cAV7EhFPNL;}k?%db52TJA6RX@RZe8Av6+=8uOgP!K
xv2k~8U@IhMaOobWGF-{j6xY#=w5aD@YZOYlD?Xx75mEfI{hIg7PNFFD{{W~RM@#?!

literal 0
HcmV?d00001

diff --git a/machines/compute01/secrets/secrets.nix b/machines/compute01/secrets/secrets.nix
index f4737a6..c29f27f 100644
--- a/machines/compute01/secrets/secrets.nix
+++ b/machines/compute01/secrets/secrets.nix
@@ -10,6 +10,8 @@ lib.setDefault { inherit publicKeys; } [
   "dgsi-kanidm_auth_token_file"
   "dgsi-kanidm_secret_file"
   "dgsi-secret_key_file"
+  "dgsi-x509_cert_file"
+  "dgsi-x509_key_file"
   "ds-fr-secret_file"
   "grafana-oauth_client_secret_file"
   "grafana-smtp_password_file"
diff --git a/npins/sources.json b/npins/sources.json
index 17ff5c7..c914b7f 100644
--- a/npins/sources.json
+++ b/npins/sources.json
@@ -45,9 +45,9 @@
         "url": "https://git.dgnum.eu/DGNum/dgsi.git"
       },
       "branch": "main",
-      "revision": "a88d31541cfd836ba2bd4bb3c8ec8142e4cd8aa2",
+      "revision": "9c4413faa1610167d65b5c6110cdbc714eb14887",
       "url": null,
-      "hash": "0z31ib1xjdyzpwdnbj4j7r9nb5baiab3nbx0wg55dh2ifkxp2vqb"
+      "hash": "0pn684dc1s5v3nqiy6jpxpr26mv5z6pq1i5cvza9d2hi7lddp3wb"
     },
     "disko": {
       "type": "GitRelease",