chore(netbox): Upgrade

.envrc

@@ -1 +1,2 @@
+watch_file workflows/*
 use nix

.forgejo/workflows/check-meta.yaml

@@ -1,25 +1,21 @@
-name: Check meta
-on:
-  pull_request:
-    branches:
-      - main
-  push:
-    paths:
-      - 'meta/*'
-
 jobs:
-  check_meta:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Check the validity of meta options
-        run: nix-build meta/verify.nix -A meta
-
   check_dns:
     runs-on: nix
     steps:
-      - uses: actions/checkout@v3
-
-      - name: Check the validity of the DNS configuration
-        run: nix-build meta/verify.nix -A dns --no-out-link
+    - uses: actions/checkout@v3
+    - name: Check the validity of the DNS configuration
+      run: nix-build meta/verify.nix -A dns
+  check_meta:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - name: Check the validity of meta options
+      run: nix-build meta/verify.nix -A meta
+name: Check meta
+'on':
+  pull_request:
+    branches:
+    - main
+  push:
+    paths:
+    - meta/*

.forgejo/workflows/check-workflows.yaml

@@ -0,0 +1,16 @@
+jobs:
+  check_workflows:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - name: Check that the workflows are up to date
+      run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
+        -eq 0 ]'
+name: Check workflows
+'on':
+  pull_request:
+    branches:
+    - main
+  push:
+    paths:
+    - workflows/*

.forgejo/workflows/ds-fr.yaml

@@ -1,56 +0,0 @@
-name: ds-fr update
-on:
-  schedule:
-    - cron: "26 18 * * wed"
-
-jobs:
-  npins_update:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-
-      - name: Update DS and open PR if necessary
-        run: |
-          # Fetch the latest release tag
-          VERSION=$(curl -L \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
-          | jq -r '.tag_name')
-
-          # Move to the ds-fr directory
-          cd machines/compute01/ds-fr/package
-
-          # Run the update script
-          ./update.sh -v "$VERSION"
-
-          if [ ! -z "$(git diff --name-only)" ]; then
-            echo "[+] Changes detected, pushing updates."
-
-            git switch -C ds-update
-
-            git add .
-
-            git config user.name "DGNum Chores"
-            git config user.email "tech@dgnum.eu"
-
-            git commit --message "chore(ds-fr): Update"
-            git push --set-upstream origin ds-update --force
-
-            # Connect to the server with the cli
-            tea login add \
-              -n dgnum-chores \
-              -t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-              -u https://git.dgnum.eu
-
-            # Create a pull request if needed
-            # i.e. no PR with the same title exists
-            if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
-              tea pr create \
-                --description "Automatic ds-fr update" \
-                --title "chore(ds-fr): Update" \
-                --head ds-update
-            fi
-          fi

.forgejo/workflows/eval-nodes.yaml

@@ -0,0 +1,119 @@
+jobs:
+  bridge01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: bridge01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache bridge01
+      run: nix-shell -A eval-nodes --run cache-node
+  compute01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: compute01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache compute01
+      run: nix-shell -A eval-nodes --run cache-node
+  geo01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: geo01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache geo01
+      run: nix-shell -A eval-nodes --run cache-node
+  geo02:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: geo02
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache geo02
+      run: nix-shell -A eval-nodes --run cache-node
+  rescue01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: rescue01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache rescue01
+      run: nix-shell -A eval-nodes --run cache-node
+  storage01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: storage01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache storage01
+      run: nix-shell -A eval-nodes --run cache-node
+  vault01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: vault01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache vault01
+      run: nix-shell -A eval-nodes --run cache-node
+  web01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: web01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache web01
+      run: nix-shell -A eval-nodes --run cache-node
+  web02:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: web02
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache web02
+      run: nix-shell -A eval-nodes --run cache-node
+  web03:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: web03
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache web03
+      run: nix-shell -A eval-nodes --run cache-node
+name: Build all the nodes
+'on':
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main

.forgejo/workflows/eval.yaml

@@ -1,200 +0,0 @@
-name: build configuration
-on:
-  pull_request:
-    types: [opened, synchronize, edited, reopened]
-    branches:
-      - main
-  push:
-    branches:
-      - main
-
-jobs:
-  build_and_cache_compute01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build and cache the node
-        run: nix-shell --run cache-node
-        env:
-          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
-          STORE_USER: "admin"
-          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
-          BUILD_NODE: "compute01"
-
-      - uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: outputs_compute01
-          path: paths.txt
-
-  build_and_cache_storage01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build and cache the node
-        run: nix-shell --run cache-node
-        env:
-          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
-          STORE_USER: "admin"
-          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
-          BUILD_NODE: "storage01"
-
-      - uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: outputs_storage01
-          path: paths.txt
-
-  build_and_cache_rescue01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build and cache the node
-        run: nix-shell --run cache-node
-        env:
-          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
-          STORE_USER: "admin"
-          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
-          BUILD_NODE: "rescue01"
-
-      - uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: outputs_rescue01
-          path: paths.txt
-
-  build_and_cache_geo01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build and cache the node
-        run: nix-shell --run cache-node
-        env:
-          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
-          STORE_USER: "admin"
-          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
-          BUILD_NODE: "geo01"
-
-      - uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: outputs_geo01
-          path: paths.txt
-
-  build_and_cache_geo02:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build and cache the node
-        run: nix-shell --run cache-node
-        env:
-          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
-          STORE_USER: "admin"
-          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
-          BUILD_NODE: "geo02"
-
-      - uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: outputs_geo02
-          path: paths.txt
-
-  build_and_cache_vault01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build and cache the node
-        run: nix-shell --run cache-node
-        env:
-          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
-          STORE_USER: "admin"
-          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
-          BUILD_NODE: "vault01"
-
-      - uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: outputs_vault01
-          path: paths.txt
-
-  build_and_cache_web01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build and cache the node
-        run: nix-shell --run cache-node
-        env:
-          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
-          STORE_USER: "admin"
-          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
-          BUILD_NODE: "web01"
-
-      - uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: outputs_web01
-          path: paths.txt
-
-  build_and_cache_web02:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build and cache the node
-        run: nix-shell --run cache-node
-        env:
-          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
-          STORE_USER: "admin"
-          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
-          BUILD_NODE: "web02"
-
-      - uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: outputs_web02
-          path: paths.txt
-
-  build_and_cache_web03:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build and cache the node
-        run: nix-shell --run cache-node
-        env:
-          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
-          STORE_USER: "admin"
-          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
-          BUILD_NODE: "web03"
-
-      - uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: outputs_web02
-          path: paths.txt
-
-  build_and_cache_bridge01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build and cache the node
-        run: nix-shell --run cache-node
-        env:
-          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
-          STORE_USER: "admin"
-          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
-          BUILD_NODE: "bridge01"
-
-      - uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: outputs_web02
-          path: paths.txt

.forgejo/workflows/lint.yaml

@@ -1,11 +0,0 @@
-name: lint
-on: [push, pull_request]
-
-jobs:
-  check:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Run pre-commit on all files
-        run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.

.forgejo/workflows/npins-update.yaml

@@ -0,0 +1,25 @@
+jobs:
+  npins_update:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        depth: 0
+        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
+    - name: Update dependencies and open PR if necessary
+      run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n  echo\
+        \ \"[+] Changes detected, pushing updates.\"\n\n  git switch -C npins-update\n\
+        \n  git add npins\n\n  git config user.name \"DGNum Chores\"\n  git config\
+        \ user.email \"tech@dgnum.eu\"\n\n  git commit --message \"chore(npins): Update\"\
+        \n  git push --set-upstream origin npins-update --force\n\n  # Connect to\
+        \ the server with the cli\n  tea login add \\\n    -n dgnum-chores \\\n  \
+        \  -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n    -u https://git.dgnum.eu\n\
+        \n  # Create a pull request if needed\n  # i.e. no PR with the same title\
+        \ exists\n  if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):\
+        \ Update dgnum-chores')\" ]; then\n    tea pr create \\\n      --description\
+        \ \"Automatic npins update\" \\\n      --title \"chore(npins): Update\" \\\
+        \n      --head npins-update\n  fi\nfi\n"
+name: npins update
+'on':
+  schedule:
+  - cron: 25 15 * * *

.forgejo/workflows/pre-commit.yaml

@@ -0,0 +1,12 @@
+jobs:
+  check:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - name: Run pre-commit on all files
+      run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
+        pre-push --show-diff-on-failure'
+name: Run pre-commit on all files
+'on':
+- push
+- pull_request

default.nix

@@ -41,7 +41,15 @@
 }:
 
 let
-  git-checks = (import (builtins.storePath sources.git-hooks)).run {
+  inherit (pkgs.lib)
+    isFunction
+    mapAttrs
+    mapAttrs'
+    nameValuePair
+    removeSuffix
+    ;
+
+  git-checks = (import sources.git-hooks).run {
     src = ./.;
 
     hooks = {
@@ -67,6 +75,22 @@ let
       commitizen.enable = true;
     };
   };
+
+  workflows = (import sources.nix-actions { inherit pkgs; }).install {
+    src = ./.;
+
+    workflows = mapAttrs' (
+      name: _:
+      nameValuePair (removeSuffix ".nix" name) (
+        let
+          w = import ./workflows/${name};
+        in
+        if isFunction w then w { inherit (pkgs) lib; } else w
+      )
+    ) (builtins.readDir ./workflows);
+  };
+
+  scripts = import ./scripts { inherit pkgs; };
 in
 
 {
@@ -78,36 +102,35 @@ in
 
   mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
 
-  shells = {
-    default = pkgs.mkShell {
-      name = "dgnum-infra";
+  devShell = pkgs.mkShell {
+    name = "dgnum-infra";
 
-      packages = [
-        (pkgs.nixos-generators.overrideAttrs (_: {
-          version = "1.8.0-unstable";
-          src = builtins.storePath sources.nixos-generators;
-        }))
-        pkgs.npins
+    packages = [
+      (pkgs.nixos-generators.overrideAttrs (_: {
+        version = "1.8.0-unstable";
+        src = sources.nixos-generators;
+      }))
+      pkgs.npins
 
-        (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
-        (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
-        (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
+      (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
+      (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
+      (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
+    ] ++ (builtins.attrValues scripts);
 
-      ] ++ (import ./scripts { inherit pkgs; });
+    shellHook = ''
+      ${git-checks.shellHook}
+      ${workflows.shellHook}
+    '';
 
-      shellHook = ''
-        ${git-checks.shellHook}
-      '';
+    preferLocalBuild = true;
 
-      preferLocalBuild = true;
-    };
+    ###
+    # Alternative shells
 
-    pre-commit = pkgs.mkShell {
-      name = "pre-commit-shell";
-
-      shellHook = ''
-        ${git-checks.shellHook}
-      '';
+    passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
+      pre-commit.shellHook = git-checks.shellHook;
+      check-workflows.shellHook = workflows.shellHook;
+      eval-nodes.packages = [ scripts.cache-node ];
     };
   };
 }

lib/nix-lib/default.nix

@@ -190,8 +190,11 @@ rec {
     recursiveFuse [
       (enableModules enabledModules)
 
-      { imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
+      {
+        imports =
+          (extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
+      }
 
-      extraConfig
+      (removeAttrs extraConfig [ "imports" ])
     ];
 }

machines/compute01/stirling-pdf/default.nix

@@ -10,7 +10,7 @@ let
   # - push to a new branch dgn-v0.A.B where A.B is the new version
   # - finally, update the commit hash of the customization patch
 
-  dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
+  dgn-id = "d73e347b1cefe23092bfcb2d3f8a23903410203e";
   port = 8084;
 in
 

machines/storage01/forgejo-runners.nix

@@ -1,10 +1,4 @@
-{
-  config,
-  pkgs,
-  nixpkgs,
-  sources,
-  ...
-}:
+{ config, pkgs, ... }:
 
 let
   url = "https://git.dgnum.eu";
@@ -30,8 +24,6 @@ let
         options = "--cpus=4";
       };
     };
-
-  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
 in
 {
   services.forgejo-nix-runners = {
@@ -43,10 +35,8 @@ in
     tokenFile = config.age.secrets."forgejo_runners-token_file".path;
 
     dependencies = [
-      nix-pkgs.colmena
       pkgs.npins
       pkgs.tea
-      nixpkgs.unstable.nixfmt-rfc-style
     ];
 
     containerOptions = [ "--cpus=4" ];

machines/storage01/forgejo.nix

@@ -61,7 +61,7 @@ in
 
         service = {
           EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
-          EMAIL_DOMAIN_BLOCKLIST = "*.shop";
+          EMAIL_DOMAIN_BLOCKLIST = "*.shop,*.online,*.store";
           ENABLE_NOTIFY_MAIL = true;
 
           DISABLE_REGISTRATION = false;

machines/web01/netbox.nix

@@ -13,7 +13,7 @@ in
   services = {
     netbox = {
       enable = true;
-      package = nixpkgs.unstable.netbox_3_7;
+      package = nixpkgs.unstable.netbox_4_1;
       secretKeyFile = "/dev/null";
       listenAddress = "127.0.0.1";
       plugins = p: [ p.netbox-qrcode ];

machines/web03/django-apps/default.nix

@@ -3,6 +3,7 @@
     ./annuaire.nix
     ./bocal.nix
     ./gestiojeux.nix
+    ./interludes.nix
     ./wikiens.nix
   ];
 

machines/web03/django-apps/interludes.nix

@@ -0,0 +1,66 @@
+{
+  config,
+  pkgs,
+  sources,
+  ...
+}:
+
+let
+  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+in
+
+{
+  services.webhook.extraArgs = [ "-debug" ];
+  services.django-apps.sites.interludes = {
+    source = "https://git.eleves.ens.fr/dlesbre/site-interludes";
+    branch = "master";
+    domain = "interludes.ens.fr";
+
+    nginx = {
+      enableACME = true;
+      forceSSL = true;
+
+      serverAliases = [ "interludes.webapps.dgnum.eu" ];
+    };
+
+    webHookSecret = config.age.secrets."webhook-interludes_token".path;
+
+    application = {
+      type = "wsgi";
+      module = "interludes";
+    };
+
+    dbType = "sqlite";
+
+    python = pkgs.python3.override {
+      packageOverrides = _: _: { inherit (nix-pkgs) python-cas loadcredential; };
+    };
+
+    django = ps: ps.django_4;
+    dependencies = ps: [
+      ps.loadcredential
+      ps.python-ldap
+      ps.python-cas
+    ];
+
+    credentials = {
+      SECRET_KEY = config.age.secrets."dj_interludes-secret_key_file".path;
+      EMAIL_HOST_PASSWORD = config.age.secrets."dj_interludes-email_host_password_file".path;
+    };
+
+    environment = {
+      INTERLUDES_ALLOWED_HOSTS = [
+        "interludes.ens.fr"
+        "interludes.webapps.dgnum.eu"
+      ];
+
+      # E-mail configuration
+      INTERLUDES_SERVER_EMAIL = "noreply-interludes-admin@ens.fr";
+      INTERLUDES_DEFAULT_FROM_EMAIL = "noreply-interludes@ens.fr";
+      INTERLUDES_EMAIL_HOST = "clipper.ens.fr";
+      INTERLUDES_EMAIL_PORT = 465;
+      INTERLUDES_EMAIL_HOST_USER = "interludes";
+      INTERLUDES_DEBUG = false;
+    };
+  };
+}

machines/web03/secrets/dj_interludes-email_host_password_file

@@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA iJSzsbA8RiEhUIyhlKWCASQKoSQstjK4drMYl+PsChw
+8THrknrBu0WGFEb4xTZiJxEY26q7sW83rwViDjyTE24
+-> ssh-ed25519 QlRB9Q e7PRE212Ggt8nO6Bb+BabO85FOARsJGs9cPJmZNI9kg
+ubKIBxI1ZBXttA7TWj401siKNT1HyB+N2MsZ+ldkgb8
+-> ssh-ed25519 r+nK/Q EWV24Emm9hENa+yUAuQpkuJ0uJ0zIv+vRIbWpM4Wtg4
+J59wnHRytgNqpX4+5HaJ9KZ5GvhckgtRK6TzfX7Ci8Y
+-> ssh-rsa krWCLQ
+AvmrzShR+XTpUpKaScoqvgFQ40PTSqh8p383p98xjG5LIz5kqJoWBnxJK7JabBpq
+JkqVeq5XdH5RX4weobieG4KYUV8EDheLfOMXH5BrPgeJO4yhJ1rzH+oHBw4TwvFM
+UvEZEAVgi3G1/suPfJAkO7QRkZjE7fRppEo5RAI0gMlM43YyJavrfqVIqB40Uugk
+h0b0ybChUbKpXlZjqhYAAMN45jTAvW1emO0DMeIk6dbmnbZNdibul8f+NNdWKbI1
+9NN5iH2IzuqTdc6gkE4912hdDeUJ4NZ6x/Fxp1/u3d1z/Yg7daUQUXUIoDX0Hyvb
++01dH0D/7kzRhEdNLO2NXA
+-> ssh-ed25519 /vwQcQ GAsAj2i65KDQeFhe69YR2ycdGskop1wu3Lzrxp59sTg
+wCSUqEtWv0i6sNg1RVtHI/jZh3VeNX3qtnbagXoNGT4
+-> ssh-ed25519 0R97PA mFZ3q/3jd1guXl8bhRWyYjgsgE4JErJEels6vdmpfCs
+7oIAT0MTsaKxbf26PSDBk7KqfyFgcBq09FGJ9v/rXqE
+-> ssh-ed25519 JGx7Ng tpslfMWMJMUH46EGycbLiXotVdXlP4xmK0slb7XKYS8
+wLLfX4jX4mIxzI8zr2GBlpBcPztTrHqKngi/ON0TExg
+-> ssh-ed25519 bUjjig zLoniLfwKGH9Ctu34103WHBvjIyImtPyKx8O+5UMLUU
+sYsterVGvCg6JWA0z3AO5sSlj9DBfj8u5o5jH9K2xeA
+-> ssh-ed25519 VQSaNw oHzU9Lc/7p+MZAjVylzC63h586vOcffXkkpAi4XB8Q0
+7T8CREpaCxM58KMYW28FY2i+ELjrx3eC3K7xaBy7O6A
+-> (_o61>U-grease .P>ZRrj~ -=7S;N
+6vnQVKKZwp4JowIwVb4klrhaR6NZjwlZYnngVQ0wqVenMZPj9oyhIXthLRqE1Q6/
+k+sGxA
+--- +yT0o8oZJS+32MeUAl8T9zREh31rq77pSVsSoFjHO5A
+è™ñΗ´ä!î^ûØÖ8Ô‚zøÑaÒÓÐàÔ@Ö¡s\ ˜_ÃÃúoÖö<C396>wõÖ¥Cr)¾€fû¿AÃ'•3D€â

machines/web03/secrets/dj_interludes-secret_key_file

@@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA 7v2qJ+2ZSp0tf4m6gcK2ShFF9ulNm/g3aHu3Wqe4Sxo
+ZyVqTqBCK51/U5yxtp23nywprQv46yL90zwx6+DqKRg
+-> ssh-ed25519 QlRB9Q IePmluoRImtaDplOoVqNiwfTQMKF1CuF4M6AzurXGRY
+JjtOeyvARlc9t5Q+LS2+TZwAUgV4Qn2L8SFkw9YLnaU
+-> ssh-ed25519 r+nK/Q LGPI7PmVPnZDQe6Su5MZQauxRHZkBKehyNbMq+BKlGQ
+3RvcfLAFKaScusYKf47zFNAtnot7wySvytuD81s6TwM
+-> ssh-rsa krWCLQ
+xGH7rl+r8L5HEp6JUlAm04ktn9rQsWfBBlSRp7UsOi6ojwCfjjIA91yUrYw8TYRs
+Ci60uoLS7cuMtSE/jQVU/FuVtR5kwjhOkWmQDHrC7rUWb6CufusxPIVJ0xanp3wo
+cc2t+EfSdpVyGIx5N8BEMhQ6sR2EfERHGfUrnKCpcL5hM5L8ZHnVh6CkRBtvZaq0
+Zy44Ob4pqH6fDz7EziM1hBkfg9myN+/Iqfvg5OUnfSrqooLZ8l0gDvGafS5fok91
+uqb0PGDiv6lwzpaj87jKUCaXAF3ag2KAa6j8sbZ4+fSsQeB/jhH7hTlWcAR/oEFW
+fuPQDFKxMucAsPjv1H1iaQ
+-> ssh-ed25519 /vwQcQ +5+xDNQyRwBWXT6c593S01OG9IemNul/81G4ie1hTVg
+Tzkq0toOCqdHOZNPiy/rUrO2eQXTDHi7g+jKbrWU/hU
+-> ssh-ed25519 0R97PA WEMs0phnuvw1kQaqeSkovwFUL6w7J6wh+V7D82NxfDs
+V5npmkeTPVcnaNwDtoy7PqBRllPTuQjvF9Qu14V59os
+-> ssh-ed25519 JGx7Ng 3bty0WCf+ElvPEFt7fSpgYf5MeFUPaZ4vVGWPUAjn0I
+ggl5CgXaUx4T6qbA9EG1oaF9NbfFYye4davm7lKqUvI
+-> ssh-ed25519 bUjjig zFlaOVzFEkPG+J3Yz7alPgSiCVbC/7u/hCTVIP8X/Ho
+3PBIRu9ZKfb9lkzijw6kKjX0ztXBkiwVaQUx8rxuYJc
+-> ssh-ed25519 VQSaNw btusrepFF5Jhl3x2YWs6wVrHwzb6qBXfDXESclQJAXo
+HwfOU3tyP9OsNjTkaMMmJnd4b+0ZfxJLkP6xe5jsAZE
+-> Tp-grease s03Py `u6"4 E|5 _
+3CvcQ6NEZKLY1F6y0cTMQPwV9mJvHB0T7dauvWJAYKkfb95TymqfDYGWwW1veND2
+n1XD/arAJHVwva95K7TaQdsNLPGo8/VePQGUnYqi
+--- qe75UTWqdDd0gGg0nm054SFZ2AgqVBw/bbycvcZSfQY
+ãñêÕ]¹¦zÂg©;Ê¡îñ˜öÓ´0éÅYëÀHãŒ!
@ìp­ö¸T«?£iÞ‰áèÚ>I^ü‚l·o5”¯ë:{¬gJk£vø>€W8ði

machines/web03/secrets/secrets.nix

@@ -1,3 +1,6 @@
 (import ../../../keys).mkSecrets [ "web03" ] [
   # List of secrets for web03
+  "dj_interludes-email_host_password_file"
+  "dj_interludes-secret_key_file"
+  "webhook-interludes_token"
 ]

npins/sources.json

@@ -59,10 +59,10 @@
       "pre_releases": false,
       "version_upper_bound": null,
       "release_prefix": null,
-      "version": "v1.8.2",
-      "revision": "0a97c6683ecb8d92ab0ce4c3c39e896e4a3fe388",
-      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.8.2",
-      "hash": "1xivgibk1fa07z4xqxpyha6yyb0pmahf52caf1kgh8zxr231ai1v"
+      "version": "v1.9.0",
+      "revision": "49a4936cee640e27d74baee6fd1278285d29b100",
+      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.9.0",
+      "hash": "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388"
     },
     "dns.nix": {
       "type": "GitRelease",
@@ -87,9 +87,9 @@
         "repo": "git-hooks.nix"
       },
       "branch": "master",
-      "revision": "3c3e88f0f544d6bb54329832616af7eb971b6be6",
-      "url": "https://github.com/cachix/git-hooks.nix/archive/3c3e88f0f544d6bb54329832616af7eb971b6be6.tar.gz",
-      "hash": "04pwjz423iq2nkazkys905gvsm5j39722ngavrnx42b8msr5k555"
+      "revision": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/cd1af27aa85026ac759d5d3fccf650abe7e1bbf0.tar.gz",
+      "hash": "1icl4cz33lkr4bz7fvlf3jppmahgpzij81wfa5any3z7w7b5lnxw"
     },
     "kadenios": {
       "type": "Git",
@@ -144,9 +144,9 @@
         "url": "https://git.lix.systems/lix-project/lix.git"
       },
       "branch": "main",
-      "revision": "0ff8f9132552e03497b07e1e5c068660a7a04515",
+      "revision": "c859d03013712b349d82ee6223948d6d03e63a8d",
       "url": null,
-      "hash": "0qdaiqp5q2nb0yffc03vhlbd55v1jk3jlxz26prhk0hxddz0xhyq"
+      "hash": "14bn1c3azvnkp1wl28x7y288vpd2gp96nswlnfzrcp13a4ivbbbf"
     },
     "lix-module": {
       "type": "Git",
@@ -155,9 +155,9 @@
         "url": "https://git.lix.systems/lix-project/nixos-module.git"
       },
       "branch": "main",
-      "revision": "fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d",
+      "revision": "691193879d96bdfd1e6ab5ebcca2fadc7604cf34",
       "url": null,
-      "hash": "0jxpqaz12lqibg03iv36sa0shfvamn2yhg937llv3kl4csijd34f"
+      "hash": "1h4f2p6x8vq7bfc20hxk6zz9i4imsjjkmf0m28bzmx6vinxqimj4"
     },
     "lon": {
       "type": "Git",
@@ -194,6 +194,20 @@
       "url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
       "hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy"
     },
+    "nix-actions": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "Git",
+        "url": "https://git.dgnum.eu/DGNum/nix-actions.git"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "version": "v0.2.2",
+      "revision": "b9cb5d6f945d1e3fd7b70d63848c70335e9912e8",
+      "url": null,
+      "hash": "0m6bw5qlrchsigx7x4nz3xkcn3dnr14k5j0ws9lbggnldnz9qg2w"
+    },
     "nix-modules": {
       "type": "Git",
       "repository": {
@@ -201,9 +215,9 @@
         "url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
       },
       "branch": "main",
-      "revision": "516225dc6958645284b11b74b9ce31e01993341c",
+      "revision": "695cf83c526dd3d78c8ed79b33f80019db4c8019",
       "url": null,
-      "hash": "1cxn1m1xf9p7p8a0y8r6iwp08d886k5rmgl947r9d0vg7ah31kmj"
+      "hash": "0xqv1rx0dnl3r1rhqdahcp8jqv8j9qc1v6xnmfiv0ddh81jd0szj"
     },
     "nix-patches": {
       "type": "GitRelease",
@@ -226,15 +240,15 @@
         "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
       },
       "branch": "main",
-      "revision": "e3fac77b062c9fe98dc1b5a367b0a8e70cde9624",
+      "revision": "e27e07f9c03a3bc756f9447a2288ca6f14130ffc",
       "url": null,
-      "hash": "12xqh19mv8zgvyrh4vfnc95acf45x81g398pyqsd1xy1l7030r7i"
+      "hash": "06vydk09wniygpy04yjh07g9raswimhwwfj1cysigx2lxrg0997a"
     },
     "nixos-24.05": {
       "type": "Channel",
       "name": "nixos-24.05",
-      "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.5809.4eb33fe664af/nixexprs.tar.xz",
-      "hash": "02hxkkrpf33s6nsqkla1292zw64dqfq9wpkda5hry3vr3fhxwwg4"
+      "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.6668.e8c38b73aeb2/nixexprs.tar.xz",
+      "hash": "0lhh36z3fvd3b64dz7an08y3c3shb67aj17ny9z28bs21i3dc5yh"
     },
     "nixos-generators": {
       "type": "Git",
@@ -244,21 +258,21 @@
         "repo": "nixos-generators"
       },
       "branch": "master",
-      "revision": "dd28a0806e7124fe392c33c9ccaa12f21970401f",
-      "url": "https://github.com/nix-community/nixos-generators/archive/dd28a0806e7124fe392c33c9ccaa12f21970401f.tar.gz",
-      "hash": "09226kqddjg1m8m1q9n4l1hsln93hckhj238q0v851wxbwd0qq73"
+      "revision": "15a87ccb45e06d24a9fd5f99a49782efe11b23f0",
+      "url": "https://github.com/nix-community/nixos-generators/archive/15a87ccb45e06d24a9fd5f99a49782efe11b23f0.tar.gz",
+      "hash": "0mwllbwinr6cira94347vhzq3jn3zgp28xg6w1ga0ncls7s476q4"
     },
     "nixos-unstable": {
       "type": "Channel",
       "name": "nixos-unstable",
-      "url": "https://releases.nixos.org/nixos/unstable/nixos-24.11pre694395.4c2fcb090b1f/nixexprs.tar.xz",
-      "hash": "05fszj13lci5gdbn5grn92wd3mzj6f7gy11kqj78xcsg69m2wbrl"
+      "url": "https://releases.nixos.org/nixos/unstable/nixos-25.05beta708622.5e4fbfb6b3de/nixexprs.tar.xz",
+      "hash": "18zd6qnn1zmz3pgq2q484lmdk486ncxyp8r5g9c71r9dc8jr5dnc"
     },
     "nixpkgs": {
       "type": "Channel",
       "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre694416.ccc0c2126893/nixexprs.tar.xz",
-      "hash": "0cn1z4wzps8nfqxzr6l5mbn81adcqy2cy2ic70z13fhzicmxfsbx"
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre709559.5083ec887760/nixexprs.tar.xz",
+      "hash": "1z912j1lmrg8zp2hpmmi69dls9zlpvqfvdkvh5xc3x6iqkqwn0cd"
     },
     "proxmox-nixos": {
       "type": "Git",
@@ -268,9 +282,9 @@
         "repo": "proxmox-nixos"
       },
       "branch": "main",
-      "revision": "950e4cccac0f942076e8558f7f9f4d496cabfb18",
-      "url": "https://github.com/SaumonNet/proxmox-nixos/archive/950e4cccac0f942076e8558f7f9f4d496cabfb18.tar.gz",
-      "hash": "0bhqw42ydc0jfkfqw64xsg518a1pbxnvpqw92nna7lm8mzpxm6d4"
+      "revision": "93880e244b528deca89828bc1edf08e23ccc18c4",
+      "url": "https://github.com/SaumonNet/proxmox-nixos/archive/93880e244b528deca89828bc1edf08e23ccc18c4.tar.gz",
+      "hash": "0dyiv7mvvxc0zygfzfb6zhc0v3s7a9pv8xydprxgqhyy1sajp02h"
     },
     "signal-irc-bridge": {
       "type": "Git",
@@ -302,9 +316,9 @@
         "server": "https://git.helsinki.tools/"
       },
       "branch": "master",
-      "revision": "f72adfc39c18630b45f8c982910314246d4a8d92",
-      "url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=f72adfc39c18630b45f8c982910314246d4a8d92",
-      "hash": "08qfaav3vb832dr3r6f2n1ah6zyryvab0dxsaxwi6gk5p3zad3l8"
+      "revision": "10c3f658aecc0a54baf062137071b129f3897111",
+      "url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=10c3f658aecc0a54baf062137071b129f3897111",
+      "hash": "13gbzfrz9vv9iz43bfl67hl11lsmrh524mw6kkjavfwpzw5shm1g"
     }
   },
   "version": 3

patches/06-netbox-qrcode.patch

@@ -0,0 +1,70 @@
+diff --git a/pkgs/development/python-modules/netbox-qrcode/default.nix b/pkgs/development/python-modules/netbox-qrcode/default.nix
+new file mode 100644
+index 000000000000..b378b839a8dc
+--- /dev/null
++++ b/pkgs/development/python-modules/netbox-qrcode/default.nix
+@@ -0,0 +1,51 @@
++{ lib
++, buildPythonPackage
++, fetchFromGitHub
++, setuptools
++, wheel
++, pillow
++, qrcode
++, netbox
++}:
++
++buildPythonPackage rec {
++  pname = "netbox-qrcode";
++  version = "0.0.13";
++  pyproject = true;
++
++  src = fetchFromGitHub {
++    owner = "netbox-community";
++    repo = "netbox-qrcode";
++    rev = "v${version}";
++    hash = "sha256-/labSZyB1SkU/uemuL946RDk8IVEAgCYJY2vrJFney0=";
++  };
++
++  nativeBuildInputs = [
++    setuptools
++    wheel
++  ];
++
++  propagatedBuildInputs = [
++    qrcode
++    pillow
++  ];
++
++  checkInputs = [
++    netbox
++  ];
++
++  preFixup = ''
++    export PYTHONPATH=${netbox}/opt/netbox/netbox:$PYTHONPATH
++  '';
++
++  pythonImportsCheck = [
++    "netbox_qrcode"
++  ];
++
++  meta = with lib; {
++    description = "NetBox Plugin for generate QR Codes";
++    homepage = "https://github.com/netbox-community/netbox-qrcode";
++    license = licenses.asl20;
++    maintainers = with maintainers; [ sinavir ];
++  };
++}
+diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
+index 9999d745e3ac..b226e0063672 100644
+--- a/pkgs/top-level/python-packages.nix
++++ b/pkgs/top-level/python-packages.nix
+@@ -8989,6 +8989,8 @@ self: super: with self; {
+ 
+   netbox-reorder-rack = callPackage ../development/python-modules/netbox-reorder-rack { };
+ 
++  netbox-qrcode = callPackage ../development/python-modules/netbox-qrcode { };
++
+   netcdf4 = callPackage ../development/python-modules/netcdf4 { };
+ 
+   netdata = callPackage ../development/python-modules/netdata { };

patches/default.nix

@@ -1,10 +1,8 @@
 {
   "nixos-24.05" = [
-    # netbox qrcode plugin
     {
-      _type = "commit";
-      sha = "c82191d848e7a37e125ee15c485f32ac01afc0b2";
-      hash = "sha256-TooktlqihtULzJJsHvm8EubbUdJZvbDKdIDcYu7Qcig=";
+      _type = "static";
+      path = ./06-netbox-qrcode.patch;
     }
 
     # nixos/nextcloud: Rename autocreate (a no-op) to verify_bucket_exists
@@ -50,9 +48,8 @@
   "nixos-unstable" = [
     # netbox qrcode plugin
     {
-      _type = "commit";
-      sha = "c82191d848e7a37e125ee15c485f32ac01afc0b2";
-      hash = "sha256-TooktlqihtULzJJsHvm8EubbUdJZvbDKdIDcYu7Qcig=";
+      _type = "static";
+      path = ./06-netbox-qrcode.patch;
     }
 
     # Build netbird-relay

scripts/cache-node.sh

@@ -1,6 +1,9 @@
-set -eu -o pipefail
+set -o errexit
+set -o nounset
+set -o pipefail
+shopt -s lastpipe
 
-drv=$("@colmena@/bin/colmena" eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel")
+drv=$(colmena eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel")
 
 # Build the derivation and send it to the great beyond
 nix-store --query --requisites --force-realise --include-outputs "$drv" | grep -v '.*\.drv' >paths.txt

scripts/check-deployment.sh

@@ -1,7 +1,3 @@
-#!/usr/bin/env bash
-#!@bash@/bin/bash
-# shellcheck shell=bash
-
 set -o errexit
 set -o nounset
 set -o pipefail
@@ -20,7 +16,7 @@ Exemple:
 
 while [[ $# -gt 0 ]]; do
   case "$1" in
-  --help|-h)
+  --help | -h)
     echo "$usage"
     exit 0
     ;;
@@ -51,13 +47,13 @@ GIT_TOP_LEVEL=$(git rev-parse --show-toplevel)
 
 echo "Cloning local main..."
 git clone -q --branch main --single-branch "$GIT_TOP_LEVEL" "$TMP"
-pushd "$TMP" > /dev/null || exit 2
+pushd "$TMP" >/dev/null || exit 2
 
 ####################
 # Evaluate configs #
 ####################
 
-colmena_failed () {
+colmena_failed() {
   >&2 echo "Colmena failed. Check your config. Logs:"
   >&2 cat "$COLMENA_LOGS"
   exit 3
@@ -68,7 +64,7 @@ COLMENA_LOGS=$(mktemp)
 echo "Evaluating configs..."
 # Disable warning because of '${}'
 # shellcheck disable=SC2016
-RESULTS=$(colmena eval -E '{ nodes, lib, ...}: lib.mapAttrsToList (k: v: { machine = k; path = v.config.system.build.toplevel; drv = v.config.system.build.toplevel.drvPath; domain = "${v.config.networking.hostName}.${v.config.networking.domain}"; }) nodes' 2> "$COLMENA_LOGS" || colmena_failed)
+RESULTS=$(colmena eval -E '{ nodes, lib, ...}: lib.mapAttrsToList (k: v: { machine = k; path = v.config.system.build.toplevel; drv = v.config.system.build.toplevel.drvPath; domain = "${v.config.networking.hostName}.${v.config.networking.domain}"; }) nodes' 2>"$COLMENA_LOGS" || colmena_failed)
 
 rm "$COLMENA_LOGS"
 echo "Evaluation finished"
@@ -77,49 +73,48 @@ echo "Evaluation finished"
 # retrieve and check current-system #
 #####################################
 
-retrieve_current_system () {
+retrieve_current_system() {
   # TODO implement a less invasive method
   ssh -n "root@$1" "readlink -f /run/current-system"
 }
 
-
 return_status=0
-echo "$RESULTS" | @jq@/bin/jq -c '.[]' |
-while IFS=$'\n' read -r c; do
+echo "$RESULTS" | jq -c '.[]' |
+  while IFS=$'\n' read -r c; do
 
-  machine=$(echo "$c" | @jq@/bin/jq -r '.machine')
-  if [[ -n ${node-} ]] && [[ "$machine" != "$node" ]]; then
-    echo "Skipping ${machine}"
-    continue
-  fi
-  expected_path=$(echo "$c" | @jq@/bin/jq -r '.path')
-  domain=$(echo "$c" | @jq@/bin/jq -r '.domain')
-  drv_path=$(echo "$c" | @jq@/bin/jq -r '.drv')
+    machine=$(echo "$c" | jq -r '.machine')
+    if [[ -n ${node-} ]] && [[ "$machine" != "$node" ]]; then
+      echo "Skipping ${machine}"
+      continue
+    fi
+    expected_path=$(echo "$c" | jq -r '.path')
+    domain=$(echo "$c" | jq -r '.domain')
+    drv_path=$(echo "$c" | jq -r '.drv')
 
-  err=0
-  current_path=$(retrieve_current_system "$domain") || err=1
-  if [[ "1" == "${err}" ]] ; then
-    echo "❌ failed to contact $domain !"
-    continue
-  fi
+    err=0
+    current_path=$(retrieve_current_system "$domain") || err=1
+    if [[ "1" == "${err}" ]]; then
+      echo "❌ failed to contact $domain !"
+      continue
+    fi
 
-  if [ "$expected_path" == "$current_path" ] ; then
-    echo "✅ $machine -> OK"
-  elif [[ -n ${diff-} ]] ; then
-    nix-copy-closure --from "root@$domain" "$current_path"
-    nix-store -r "$drv_path"
-    echo "$machine -> error. nvd output:"
-    @nvd@/bin/nvd  diff "$expected_path" "$current_path"
-    return_status=1
-  else
-    echo "☠️ $machine -> error:"
-    echo "   - Expected system: $expected_path"
-    echo "   - Current system:  $current_path"
-    return_status=1
-  fi
-done
+    if [ "$expected_path" == "$current_path" ]; then
+      echo "✅ $machine -> OK"
+    elif [[ -n ${diff-} ]]; then
+      nix-copy-closure --from "root@$domain" "$current_path"
+      nix-store -r "$drv_path"
+      echo "$machine -> error. nvd output:"
+      nvd diff "$expected_path" "$current_path"
+      return_status=1
+    else
+      echo "☠️ $machine -> error:"
+      echo "   - Expected system: $expected_path"
+      echo "   - Current system:  $current_path"
+      return_status=1
+    fi
+  done
 
-popd > /dev/null || exit 2
+popd >/dev/null || exit 2
 rm -r "$TMP"
 
 exit $return_status

scripts/default.nix

@@ -1,39 +1,32 @@
-{ pkgs, ... }:
+{ pkgs }:
 
 let
-  substitutions = {
-    inherit (pkgs)
-      bash
+  inherit (pkgs.lib) mapAttrs;
+
+  inherit (pkgs)
+    writeShellApplication
+    colmena
+    jq
+    nvd
+    ;
+
+  scripts = {
+    cache-node = [ colmena ];
+    check-deployment = [
       colmena
-      coreutils
-      nvd
-      git
       jq
-      ;
+      nvd
+    ];
+    launch-vm = [ colmena ];
+    list-nodes = [ jq ];
   };
-
-  mkShellScript =
-    name:
-    (pkgs.substituteAll (
-      {
-        inherit name;
-        src = ./. + "/${name}.sh";
-        dir = "/bin/";
-        isExecutable = true;
-
-        checkPhase = ''
-          ${pkgs.stdenv.shellDryRun} "$target"
-        '';
-      }
-      // substitutions
-    ));
-
-  scripts = [
-    "cache-node"
-    "check-deployment"
-    "launch-vm"
-    "list-nodes"
-  ];
 in
 
-builtins.map mkShellScript scripts
+mapAttrs (
+  name: runtimeInputs:
+  writeShellApplication {
+    inherit name runtimeInputs;
+
+    text = builtins.readFile ./${name}.sh;
+  }
+) scripts

scripts/launch-vm.sh

@@ -1,33 +1,35 @@
-#!@bash@/bin/bash
-# shellcheck shell=bash
 set -o errexit
 set -o nounset
 set -o pipefail
+shopt -s lastpipe
 
 MACHINE=""
 HOSTFWD=""
 
 while getopts 'p:o:h' opt; do
   case "$opt" in
-    p)
-      HOSTFWD=",hostfwd=tcp::$OPTARG$HOSTFWD"
-      ;;
+  p)
+    HOSTFWD=",hostfwd=tcp::$OPTARG$HOSTFWD"
+    ;;
 
-    o)
-      MACHINE="$OPTARG"
-      ;;
+  o)
+    MACHINE="$OPTARG"
+    ;;
 
-    h|?)
-      echo "Usage: $(basename "$0") [-p hostport-:guestport] -o MACHINE"
-      exit 1
-      ;;
+  h | ?)
+    echo "Usage: $(basename "$0") [-p hostport-:guestport] -o MACHINE"
+    exit 1
+    ;;
   esac
 done
-shift "$((OPTIND -1))"
+shift "$((OPTIND - 1))"
 
-if [ -z "$MACHINE" ]; then echo "-o option needed"; exit 1; fi
+if [ -z "$MACHINE" ]; then
+  echo "-o option needed"
+  exit 1
+fi
 
-DRV_PATH=$(@colmena@/bin/colmena eval --instantiate -E "{nodes, ...}: nodes.$MACHINE.config.system.build.vm")
+DRV_PATH=$(colmena eval --instantiate -E "{nodes, ...}: nodes.$MACHINE.config.system.build.vm")
 
 echo "Realising $DRV_PATH"
 RESULT=$(nix-store -r "$DRV_PATH")

scripts/list-nodes.sh

@@ -1,6 +1,8 @@
-#!@bash@/bin/bash
-# shellcheck shell=bash
+set -o errexit
+set -o nounset
+set -o pipefail
+shopt -s lastpipe
 
-cd $(@git@/bin/git rev-parse --show-toplevel)
+cd "$(git rev-parse --show-toplevel)"
 
-nix-instantiate --strict --eval --json -A nodes | @jq@/bin/jq .
+nix-instantiate --strict --eval --json -A nodes | jq .

shell.nix

@@ -1 +1 @@
-(import ./. { }).shells.default
+(import ./. { }).devShell

workflows/check-meta.nix

@@ -0,0 +1,31 @@
+{
+  name = "Check meta";
+  on = {
+    pull_request.branches = [ "main" ];
+    push.paths = [ "meta/*" ];
+  };
+
+  jobs = {
+    check_meta = {
+      runs-on = "nix";
+      steps = [
+        { uses = "actions/checkout@v3"; }
+        {
+          name = "Check the validity of meta options";
+          run = "nix-build meta/verify.nix -A meta";
+        }
+      ];
+    };
+
+    check_dns = {
+      runs-on = "nix";
+      steps = [
+        { uses = "actions/checkout@v3"; }
+        {
+          name = "Check the validity of the DNS configuration";
+          run = "nix-build meta/verify.nix -A dns";
+        }
+      ];
+    };
+  };
+}

workflows/check-workflows.nix

@@ -0,0 +1,20 @@
+{
+  name = "Check workflows";
+  on = {
+    pull_request.branches = [ "main" ];
+    push.paths = [ "workflows/*" ];
+  };
+
+  jobs = {
+    check_workflows = {
+      runs-on = "nix";
+      steps = [
+        { uses = "actions/checkout@v3"; }
+        {
+          name = "Check that the workflows are up to date";
+          run = "nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l) -eq 0 ]'";
+        }
+      ];
+    };
+  };
+}

workflows/eval-nodes.nix

@@ -0,0 +1,32 @@
+{ lib }:
+
+let
+  inherit (lib) attrNames genAttrs;
+
+  nodes = attrNames (builtins.readDir ../machines);
+in
+
+{
+  name = "Build all the nodes";
+  on = {
+    pull_request.branches = [ "main" ];
+    push.branches = [ "main" ];
+  };
+
+  jobs = genAttrs nodes (node: {
+    runs-on = "nix";
+    steps = [
+      { uses = "actions/checkout@v3"; }
+      {
+        name = "Build and cache ${node}";
+        run = "nix-shell -A eval-nodes --run cache-node";
+        env = {
+          STORE_ENDPOINT = "https://tvix-store.dgnum.eu/infra-signing/";
+          STORE_USER = "admin";
+          STORE_PASSWORD = "\${{ secrets.STORE_PASSWORD }}";
+          BUILD_NODE = node;
+        };
+      }
+    ];
+  });
+}

workflows/npins-update.nix

@@ -1,31 +1,24 @@
-name: npins update
-on:
-  schedule:
+{
+  name = "npins update";
+  on.schedule = [
     # Run at 11 o'clock every wednesday
-    - cron: "25 15 * * *"
+    { cron = "25 15 * * *"; }
+  ];
 
-jobs:
-  npins_update:
-    runs-on: nix
-    steps:
-      # - name: Install applications
-      #   run: apt-get update && apt-get install sudo
-      #
-      - uses: actions/checkout@v3
-        with:
-          depth: 0
-          token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-      #
-      # - uses: https://github.com/cachix/install-nix-action@v22
-      #   with:
-      #     nix_path: nixpkgs=channel:nixos-unstable
+  jobs.npins_update = {
+    runs-on = "nix";
+    steps = [
+      {
+        uses = "actions/checkout@v3";
+        "with" = {
+          depth = 0;
+          token = "\${{ secrets.TEA_DGNUM_CHORES_TOKEN }}";
+        };
+      }
 
-      # - name: Install tea
-      #   run: |
-      #     nix-env -f '<nixpkgs>' -i tea
-
-      - name: Update dependencies and open PR if necessary
-        run: |
+      {
+        name = "Update dependencies and open PR if necessary";
+        run = ''
           npins update
 
           if [ ! -z "$(git diff --name-only)" ]; then
@@ -44,7 +37,7 @@ jobs:
             # Connect to the server with the cli
             tea login add \
               -n dgnum-chores \
-              -t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
+              -t "''${{ secrets.TEA_DGNUM_CHORES_TOKEN }}" \
               -u https://git.dgnum.eu
 
             # Create a pull request if needed
@@ -56,3 +49,8 @@ jobs:
                 --head npins-update
             fi
           fi
+        '';
+      }
+    ];
+  };
+}

workflows/pre-commit.nix

@@ -0,0 +1,18 @@
+{
+  name = "Run pre-commit on all files";
+  on = [
+    "push"
+    "pull_request"
+  ];
+
+  jobs.check = {
+    runs-on = "nix";
+    steps = [
+      { uses = "actions/checkout@v3"; }
+      {
+        name = "Run pre-commit on all files";
+        run = "nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure'";
+      }
+    ];
+  };
+}