feat(kanidm): Add SuiteNumerique Drive client

fix(snmp_exporter): increase scrape_timeout

.forgejo/workflows/lon-update.yaml

@@ -0,0 +1,20 @@
+###
+# This file was automatically generated with nix-actions.
+jobs:
+  update:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
+    - env:
+        LON_LIST_COMMITS: true
+        LON_TOKEN: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
+        LON_USER_EMAIL: admins+lon-bot@dgnum.eu
+        LON_USER_NAME: DGNum [bot]
+      run: "nix-shell -A lon-update --run 'set -o pipefail\nset -o nounset\nset -o
+        errexit\nlon bot forgejo'"
+name: Update dependencies
+on:
+  schedule:
+  - cron: 30 13 * * *

.forgejo/workflows/npins-update.yaml

@@ -1,973 +0,0 @@
-###
-# This file was automatically generated with nix-actions.
-env:
-  GIT_AUTHOR_EMAIL: chores@mail.hubrecht.ovh
-  GIT_AUTHOR_NAME: HT Chores
-  GIT_COMMITTER_EMAIL: chores@mail.hubrecht.ovh
-  GIT_COMMITTER_NAME: HT Chores
-jobs:
-  agenix:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/agenix
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update agenix'
-        GIT_UPDATE_BRANCH: npins-updates/agenix
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update agenix\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  arkheon:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/arkheon
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update arkheon'
-        GIT_UPDATE_BRANCH: npins-updates/arkheon
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update arkheon\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  cas-eleves:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/cas-eleves
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update cas-eleves'
-        GIT_UPDATE_BRANCH: npins-updates/cas-eleves
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update cas-eleves\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  cgroup-exporter:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/cgroup-exporter
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update cgroup-exporter'
-        GIT_UPDATE_BRANCH: npins-updates/cgroup-exporter
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update cgroup-exporter\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  colmena:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/colmena
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update colmena'
-        GIT_UPDATE_BRANCH: npins-updates/colmena
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update colmena\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  dgsi:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/dgsi
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update dgsi'
-        GIT_UPDATE_BRANCH: npins-updates/dgsi
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update dgsi\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  disko:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/disko
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update disko'
-        GIT_UPDATE_BRANCH: npins-updates/disko
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update disko\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  dns_nix:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/dns.nix
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update dns.nix'
-        GIT_UPDATE_BRANCH: npins-updates/dns.nix
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update dns.nix\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  git-hooks:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/git-hooks
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update git-hooks'
-        GIT_UPDATE_BRANCH: npins-updates/git-hooks
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update git-hooks\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  kadenios:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/kadenios
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update kadenios'
-        GIT_UPDATE_BRANCH: npins-updates/kadenios
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update kadenios\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  kat-pkgs:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/kat-pkgs
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update kat-pkgs'
-        GIT_UPDATE_BRANCH: npins-updates/kat-pkgs
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update kat-pkgs\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  liminix:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/liminix
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update liminix'
-        GIT_UPDATE_BRANCH: npins-updates/liminix
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update liminix\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  linkal:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/linkal
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update linkal'
-        GIT_UPDATE_BRANCH: npins-updates/linkal
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update linkal\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  lix:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/lix
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update lix'
-        GIT_UPDATE_BRANCH: npins-updates/lix
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update lix\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  lix-module:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/lix-module
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update lix-module'
-        GIT_UPDATE_BRANCH: npins-updates/lix-module
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update lix-module\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  metis:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/metis
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update metis'
-        GIT_UPDATE_BRANCH: npins-updates/metis
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update metis\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  microvm_nix:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/microvm.nix
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update microvm.nix'
-        GIT_UPDATE_BRANCH: npins-updates/microvm.nix
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update microvm.nix\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  nix-actions:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/nix-actions
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update nix-actions'
-        GIT_UPDATE_BRANCH: npins-updates/nix-actions
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update nix-actions\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  nix-modules:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/nix-modules
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update nix-modules'
-        GIT_UPDATE_BRANCH: npins-updates/nix-modules
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update nix-modules\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  nix-pkgs:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/nix-pkgs
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update nix-pkgs'
-        GIT_UPDATE_BRANCH: npins-updates/nix-pkgs
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update nix-pkgs\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  nix-reuse:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/nix-reuse
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update nix-reuse'
-        GIT_UPDATE_BRANCH: npins-updates/nix-reuse
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update nix-reuse\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  nixos-24_05:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/nixos-24.05
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update nixos-24.05'
-        GIT_UPDATE_BRANCH: npins-updates/nixos-24.05
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update nixos-24.05\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  nixos-24_11:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/nixos-24.11
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update nixos-24.11'
-        GIT_UPDATE_BRANCH: npins-updates/nixos-24.11
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update nixos-24.11\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  nixos-25_05:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/nixos-25.05
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update nixos-25.05'
-        GIT_UPDATE_BRANCH: npins-updates/nixos-25.05
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update nixos-25.05\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  nixos-unstable:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/nixos-unstable
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update nixos-unstable'
-        GIT_UPDATE_BRANCH: npins-updates/nixos-unstable
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update nixos-unstable\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  npins:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/npins
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update npins'
-        GIT_UPDATE_BRANCH: npins-updates/npins
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update npins\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  proxmox-nixos:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/proxmox-nixos
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update proxmox-nixos'
-        GIT_UPDATE_BRANCH: npins-updates/proxmox-nixos
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update proxmox-nixos\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  signal-irc-bridge:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/signal-irc-bridge
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update signal-irc-bridge'
-        GIT_UPDATE_BRANCH: npins-updates/signal-irc-bridge
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update signal-irc-bridge\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  snix-cache:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/snix-cache
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update snix-cache'
-        GIT_UPDATE_BRANCH: npins-updates/snix-cache
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update snix-cache\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  stateless-uptime-kuma:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/stateless-uptime-kuma
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update stateless-uptime-kuma'
-        GIT_UPDATE_BRANCH: npins-updates/stateless-uptime-kuma
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update stateless-uptime-kuma\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-  wp4nix:
-    runs-on: nix-infra
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-    - env:
-        GIT_UPDATE_BRANCH: npins-updates/wp4nix
-      name: Switch to a new branch
-      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-        \n  echo \"EXISTING_BRANCH=\" >> $GITHUB_ENV\nfi\n"
-    - env:
-        COMMIT_MESSAGE: 'chore(npins): Update wp4nix'
-        GIT_UPDATE_BRANCH: npins-updates/wp4nix
-      name: Open a PR if updates are present
-      run: "nix-shell -A npins-shell --run 'set -o pipefail\nset -o nounset\nset -o
-        errexit\nnpins update wp4nix\n\nif ! git diff --exit-code npins/sources.json
-        > /dev/null; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n \
-        \ git add npins/sources.json\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n \
-        \   git commit --amend --no-edit\n    git push --force\n  else\n    git commit
-        --message \"$COMMIT_MESSAGE\"\n    git push -u origin \"$GIT_UPDATE_BRANCH\"\
-        \n  fi\n\n  # Connect to the server with the cli\n  tea login add -n dgnum-chores
-        -t ${{ secrets.TEA_DGNUM_CHORES_TOKEN }} -u https://git.dgnum.eu\n\n  # Create
-        a pull request if needed\n  # i.e. no PR with the same title exists\n  if
-        [ -z $(tea pr ls -f='\\''head'\\'' -o simple | grep \"$GIT_UPDATE_BRANCH\"\
-        ) ]; then\n    tea pr create --description \"Automatic npins update\" --title
-        \"$COMMIT_MESSAGE\" --head \"$GIT_UPDATE_BRANCH\"\n  fi\nelif [ -n \"$EXISTING_BRANCH\"\
-        \ ]; then\n  git push --force\nfi\n'"
-name: Update dependencies
-on:
-  schedule:
-  - cron: 30 13 * * *

.gitattributes

@@ -5,3 +5,4 @@
 /.forgejo/workflows/*.yaml linguist-generated
 /LICENSES/* linguist-vendored
 /REUSE.toml linguist-generated
+lon.lock linguist-generated

REUSE.toml

@@ -2,7 +2,7 @@ version = 1
 [[annotations]]
 SPDX-FileCopyrightText = "NONE"
 SPDX-License-Identifier = "CC0-1.0"
-path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix", "patches/colmena/0001-*", "pkgs/by-name/docuseal/rubyEnv/*", "pkgs/by-name/docuseal/deps.json", "pkgs/by-name/docuseal/yarn.lock"]
+path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix", "**/lon.lock", "**/lon.nix", "patches/nixpkgs/403844.patch", "patches/colmena/0001-*", "pkgs/by-name/docuseal/rubyEnv/*", "pkgs/by-name/docuseal/deps.json", "pkgs/by-name/docuseal/yarn.lock"]
 precedence = "closest"
 
 [[annotations]]
@@ -59,12 +59,6 @@ SPDX-License-Identifier = "MIT"
 path = "lib/colmena/*"
 precedence = "closest"
 
-[[annotations]]
-SPDX-FileCopyrightText = "The [npins](https://github.com/andir/npins) contributors"
-SPDX-License-Identifier = "EUPL-1.2"
-path = "**/npins/*"
-precedence = "closest"
-
 [[annotations]]
 SPDX-FileCopyrightText = "The [forgejo](https://codeberg.org/forgejo/forgejo) contributors"
 SPDX-License-Identifier = "GPL-3.0-or-later"

bootstrap.nix

@@ -5,7 +5,7 @@
 # SPDX-License-Identifier: EUPL-1.2
 
 let
-  unpatchedSources = import ./npins;
+  unpatchedSources = import ./lon.nix;
 
   pkgs = import unpatchedSources.nixos-unstable { overlays = [ ]; };
 

default.nix

@@ -11,7 +11,10 @@ in
   sources ? bootstrap.sources,
   pkgs ? import sources.nixos-unstable {
     overlays = [
-      (_: super: { lib = super.lib.extend bootstrap.overlays.lib; })
+      (self: super: {
+        lib = super.lib.extend bootstrap.overlays.lib;
+        lon = self.callPackage (sources.lon + "/nix/packages/lon.nix") { };
+      })
     ];
   },
 }:
@@ -37,7 +40,6 @@ let
         stages = [ "pre-push" ];
         settings.ignore = [
           "**/lon.nix"
-          "**/npins"
         ];
       };
 
@@ -75,6 +77,11 @@ let
       "REUSE.toml"
       "shell.nix"
 
+      "**/lon.lock"
+      "**/lon.nix"
+
+      "patches/nixpkgs/403844.patch"
+
       # Commit revert
       "patches/colmena/0001-*"
 
@@ -177,13 +184,6 @@ let
         license = "MIT";
       }
 
-      # npins generated files
-      {
-        path = "**/npins/*";
-        license = "EUPL-1.2";
-        copyright = "The [npins](https://github.com/andir/npins) contributors";
-      }
-
       # images
       {
         path = "machines/nixos/compute01/extranix/static-data/images/forgejo.png";
@@ -238,7 +238,7 @@ in
 
     packages =
       [
-        (pkgs.callPackage "${sources.npins}/npins.nix" { })
+        pkgs.lon
 
         # SSO testing
         pkgs.kanidm
@@ -272,10 +272,6 @@ in
         scripts.push-to-cache
       ];
       eval-shell.packages = [ scripts.nix-build-and-cache ];
-      npins-shell.packages = [
-        (pkgs.callPackage "${sources.npins}/npins.nix" { })
-        pkgs.tea
-      ];
     };
   };
 }

lib/netconf-junos/default.nix

@@ -41,6 +41,7 @@ in
     ./system.nix
     ./vlans.nix
     ./routing-options.nix
+    ./snmp.nix
   ];
 
   options = {
@@ -102,6 +103,7 @@ in
           ${poe}
           ${access}
           ${routing-options}
+          ${snmp}
         </configuration>
       '';
       rpc = pkgs.writeText "${name}.rpc" ''

lib/netconf-junos/interfaces.nix

@@ -25,6 +25,7 @@ let
   interface =
     { name, config, ... }:
     let
+      intf_cfg = config;
       unit =
         { name, config, ... }:
         {
@@ -33,6 +34,13 @@ let
               default = true;
               example = false;
             };
+            description = mkOption {
+              type = str;
+              default = intf_cfg.description + "." + name;
+              description = ''
+                Descriptive name of this interface unit.
+              '';
+            };
             family = {
               ethernet-switching = {
                 enable = mkEnableOption "the ethernet switching on this logical interface";
@@ -115,6 +123,7 @@ let
               <unit>
                 <name>${name}</name>
                 ${optionalString (!config.enable) "<disable/>"}
+                ${optionalString config.enable "<description>${config.description}</description>"}
                 <family>
                   ${eth}${inet}${inet6}
                 </family>
@@ -131,6 +140,13 @@ let
             Configuration of the logical interfaces on this physical interface.
           '';
         };
+        description = mkOption {
+          type = str;
+          default = name;
+          description = ''
+            Descriptive name of this interface.
+          '';
+        };
         xml = mkOption {
           type = str;
           visible = false;
@@ -144,6 +160,7 @@ let
         ''
           <interface>
             <name>${name}</name>
+            ${optionalString config.enable "<description>${config.description}</description>"}
             ${optionalString (!config.enable) "<disable/>"}
             ${builtins.concatStringsSep "" units}
           </interface>

lib/netconf-junos/snmp.nix

@@ -0,0 +1,80 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, config, ... }:
+let
+  inherit (lib)
+    concatMapAttrsStringSep
+    mkOption
+    optionalString
+    ;
+  inherit (lib.types)
+    attrsOf
+    bool
+    enum
+    str
+    submodule
+    ;
+in
+{
+  options = {
+    snmp = {
+      filter-interfaces.all-internal-interfaces = mkOption {
+        type = bool;
+        default = false;
+        description = ''
+          Whether to filter internal interfaces.
+        '';
+      };
+      community = mkOption {
+        type = attrsOf (
+          submodule (
+            { name, config, ... }:
+            {
+              options = {
+                authorization = mkOption {
+                  type = enum [
+                    "read-only"
+                    "read-write"
+                  ];
+                  description = ''
+                    Authorization type.
+                  '';
+                };
+                xml = mkOption {
+                  type = str;
+                  visible = false;
+                  readOnly = true;
+                };
+              };
+              config.xml = ''
+                <community>
+                  <name>${name}</name>
+                  <authorization>${config.authorization}</authorization>
+                </community>
+              '';
+            }
+          )
+        );
+        default = { };
+        description = ''
+          Communities for SNMPv2 access.
+        '';
+      };
+    };
+    netconf.xmls.snmp = mkOption {
+      type = str;
+      visible = false;
+      readOnly = true;
+    };
+  };
+  config.netconf.xmls.snmp = ''
+    <snmp operation="replace">
+      <filter-interfaces>
+        ${optionalString config.snmp.filter-interfaces.all-internal-interfaces "<all-internal-interfaces/>"}
+      </filter-interfaces>
+      ${concatMapAttrsStringSep "" (_: comm: comm.xml) config.snmp.community}
+    </snmp>
+  '';
+}

lon.lock

@@ -0,0 +1,315 @@
+{
+  "version": "1",
+  "sources": {
+    "agenix": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "ryantm",
+      "repo": "agenix",
+      "branch": "main",
+      "revision": "564595d0ad4be7277e07fa63b5a991b3c645655d",
+      "url": "https://github.com/ryantm/agenix/archive/564595d0ad4be7277e07fa63b5a991b3c645655d.tar.gz",
+      "hash": "sha256-ipqShkBmHKC9ft1ZAsA6aeKps32k7+XZSPwfxeHLsAU="
+    },
+    "arkheon": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "RaitoBezarius",
+      "repo": "arkheon",
+      "branch": "main",
+      "revision": "3eea876b29217d01cf2ef03ea9fdd8779d28ad04",
+      "url": "https://github.com/RaitoBezarius/arkheon/archive/3eea876b29217d01cf2ef03ea9fdd8779d28ad04.tar.gz",
+      "hash": "sha256-+R6MhTXuSzNeGQiL4DQwlP5yNhmnhbf7pQWPUWgcZSM="
+    },
+    "cas-eleves": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "main",
+      "revision": "bdbb2a6c772144813bd75316080f5fecd2c5cc9e",
+      "url": "https://git.dgnum.eu/DGNum/cas-eleves.git",
+      "hash": "sha256-kQDO331t2YsrDoVGHzftU6Y96VXfWNzgI7QmeBNCGTA=",
+      "lastModified": 1736030096,
+      "submodules": false
+    },
+    "cgroup-exporter": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "arianvp",
+      "repo": "cgroup-exporter",
+      "branch": "main",
+      "revision": "97b83d6d495b3cb6f959a4368fd93ac342d23706",
+      "url": "https://github.com/arianvp/cgroup-exporter/archive/97b83d6d495b3cb6f959a4368fd93ac342d23706.tar.gz",
+      "hash": "sha256-MP45mdfhZ3MjpL0sJolZ0GkY3Le8QoUDqS+loPtxu2I="
+    },
+    "colmena": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "main",
+      "revision": "b5135dc8af1d7637b337cc2632990400221da577",
+      "url": "https://git.dgnum.eu/DGNum/colmena",
+      "hash": "sha256-7gg+K3PEYlN0sGPgDlmnM8zgDDIV505gNcwjFN61Qvk=",
+      "lastModified": 1746392348,
+      "submodules": false
+    },
+    "dgsi": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "main",
+      "revision": "fbf6385e65400802a3f9f75f7cd91d5c01373d1b",
+      "url": "https://git.dgnum.eu/DGNum/dgsi.git",
+      "hash": "sha256-aOUI69wbMm9+KVWwcMw5TgVnk3DfjOzE4OEyYTD8XPU=",
+      "lastModified": 1748894673,
+      "submodules": false
+    },
+    "disko": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "nix-community",
+      "repo": "disko",
+      "branch": "master",
+      "revision": "cdf8deded8813edfa6e65544f69fdd3a59fa2bb4",
+      "url": "https://github.com/nix-community/disko/archive/cdf8deded8813edfa6e65544f69fdd3a59fa2bb4.tar.gz",
+      "hash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0="
+    },
+    "dns.nix": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "nix-community",
+      "repo": "dns.nix",
+      "branch": "master",
+      "revision": "a3196708a56dee76186a9415c187473b94e6cbae",
+      "url": "https://github.com/nix-community/dns.nix/archive/a3196708a56dee76186a9415c187473b94e6cbae.tar.gz",
+      "hash": "sha256-IK3r16N9pizf53AipOmrcrcyjVsPJwC4PI5hIqEyKwQ="
+    },
+    "git-hooks": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "cachix",
+      "repo": "git-hooks.nix",
+      "branch": "master",
+      "revision": "fa466640195d38ec97cf0493d6d6882bc4d14969",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/fa466640195d38ec97cf0493d6d6882bc4d14969.tar.gz",
+      "hash": "sha256-Wb2xeSyOsCoTCTj7LOoD6cdKLEROyFAArnYoS+noCWo="
+    },
+    "kadenios": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "main",
+      "revision": "4fd9e3a2117f54c4184b02fd3aef31626fcad149",
+      "url": "https://git.dgnum.eu/DGNum/kadenios.git",
+      "hash": "sha256-32alJ/9M+Vaa+zSzmoMgB1+f2h4GYP3OiJ8odRMeCdw=",
+      "lastModified": 1720702967,
+      "submodules": false
+    },
+    "kat-pkgs": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "master",
+      "revision": "19b3de953c4d4e8888b90019db81852f8ad39dbb",
+      "url": "https://git.dgnum.eu/lbailly/kat-pkgs",
+      "hash": "sha256-bWO5dHrwZWF2EbCuSzxigaKkJdNCBQx5nD1J/u2pdNg=",
+      "lastModified": 1749652165,
+      "submodules": false
+    },
+    "liminix": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "main",
+      "revision": "1322de1ee0cdb19fead79e12ab279ee0b575019a",
+      "url": "https://git.dgnum.eu/DGNum/liminix",
+      "hash": "sha256-k5QjFRwKK8Hw7bl6XwOHiwr7hmTtBMdOUWieNKM10x4=",
+      "lastModified": 1733703952,
+      "submodules": false
+    },
+    "linkal": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "JulienMalka",
+      "repo": "Linkal",
+      "branch": "main",
+      "revision": "085630bf369b68d2264baca020efc94c877d78e6",
+      "url": "https://github.com/JulienMalka/Linkal/archive/085630bf369b68d2264baca020efc94c877d78e6.tar.gz",
+      "hash": "sha256-nQ22VdXMO6M+rIsrPYHGmt7Zi7VWt9BeuF7WM+U2glQ="
+    },
+    "lix": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "main",
+      "revision": "d169c092fc28838a253be136d17fe7de1292c728",
+      "url": "https://git.lix.systems/lix-project/lix.git",
+      "hash": "sha256-gsPA3AAGi3pucRpzJbhWWyyOBv2/2OjAjU/SlcSE8Vc=",
+      "lastModified": 1743274305,
+      "submodules": false
+    },
+    "lix-module": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "main",
+      "revision": "fa69ae26cc32dda178117b46487c2165c0e08316",
+      "url": "https://git.lix.systems/lix-project/nixos-module.git",
+      "hash": "sha256-MB/b/xcDKqaVBxJIIxwb81r8ZiGLeKEcqokATRRroo8=",
+      "lastModified": 1742945498,
+      "submodules": false
+    },
+    "lon": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "nikstur",
+      "repo": "lon",
+      "branch": "main",
+      "revision": "c29151c0adefbf2eef904a3435350356cef98da2",
+      "url": "https://github.com/nikstur/lon/archive/c29151c0adefbf2eef904a3435350356cef98da2.tar.gz",
+      "hash": "sha256-1oQ4uLI92Ih2rmNyP4wzP9xZrQp48FHirOhV/aerZPc="
+    },
+    "metis": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "master",
+      "revision": "f8898110f4aa32c5384af605e727bfea9b0bd2de",
+      "url": "https://git.dgnum.eu/DGNum/metis",
+      "hash": "sha256-WrQCoe8h848nkQQfZnshsOdoY2NP5gAsl24hXpzDnR8=",
+      "lastModified": 1737730724,
+      "submodules": false
+    },
+    "microvm.nix": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "RaitoBezarius",
+      "repo": "microvm.nix",
+      "branch": "main",
+      "revision": "49899c9a4fdf75320785e79709bf1608c34caeb8",
+      "url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
+      "hash": "sha256-nn/kta8Od0T2k5+xQj+S2PNqOmxsDdHNaIv8eNtX5ms="
+    },
+    "nix-actions": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "main",
+      "revision": "06847b3256df402da0475dccb290832ec92a9f8c",
+      "url": "https://git.dgnum.eu/DGNum/nix-actions.git",
+      "hash": "sha256-2xOZdKiUfcriQFKG37vY96dgCJLndhLa7cGacq8+SA8=",
+      "lastModified": 1746294989,
+      "submodules": false
+    },
+    "nix-modules": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "dgnum",
+      "revision": "0cdf222c07b9cbd49857ae046fb41ae9f651cc3f",
+      "url": "https://git.hubrecht.ovh/hubrecht/nix-modules",
+      "hash": "sha256-VHlkJny+t1AhZ61JOeyYM1rLa4cPEoEt/5+vqAqAJgA=",
+      "lastModified": 1746016692,
+      "submodules": false
+    },
+    "nix-pkgs": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "dgnum",
+      "revision": "7a0e2e660b26ddd67bb8132beb6b13e3a69003a4",
+      "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs",
+      "hash": "sha256-1uzLfSTvB8UXN9zbzQr2cQXjARIXw1cBwPK6mA9GoXc=",
+      "lastModified": 1745005124,
+      "submodules": false
+    },
+    "nix-reuse": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "main",
+      "revision": "45633dc6a0512cbbb010bc615b5d1b6e46e57597",
+      "url": "https://git.dgnum.eu/DGNum/nix-reuse",
+      "hash": "sha256-xr63AvDLp+RS0F7qwuOoWNENuepPbpuHLe4VPS85XBQ=",
+      "lastModified": 1737547777,
+      "submodules": false
+    },
+    "nixos-24.05": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "NixOS",
+      "repo": "nixpkgs",
+      "branch": "nixos-24.05",
+      "revision": "b134951a4c9f",
+      "url": "https://github.com/NixOS/nixpkgs/archive/b134951a4c9f.tar.gz",
+      "hash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8="
+    },
+    "nixos-24.11": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "NixOS",
+      "repo": "nixpkgs",
+      "branch": "nixos-24.11",
+      "revision": "bf3287dac860",
+      "url": "https://github.com/NixOS/nixpkgs/archive/bf3287dac860.tar.gz",
+      "hash": "sha256-kwaaguGkAqTZ1oK0yXeQ3ayYjs8u/W7eEfrFpFfIDFA="
+    },
+    "nixos-25.05": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "NixOS",
+      "repo": "nixpkgs",
+      "branch": "nixos-25.05",
+      "revision": "70c74b02eac4",
+      "url": "https://github.com/NixOS/nixpkgs/archive/70c74b02eac4.tar.gz",
+      "hash": "sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw="
+    },
+    "nixos-unstable": {
+      "type": "GitHub",
+      "fetchType": "tarball",
+      "owner": "NixOS",
+      "repo": "nixpkgs",
+      "branch": "nixos-unstable",
+      "revision": "d89fc19e405c",
+      "url": "https://github.com/NixOS/nixpkgs/archive/d89fc19e405c.tar.gz",
+      "hash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ="
+    },
+    "proxmox-nixos": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "main",
+      "revision": "91c96a414e14835b84adbf775f793739a5851fab",
+      "url": "https://github.com/SaumonNet/proxmox-nixos.git",
+      "hash": "sha256-YYbR1o5qTPUxpaVhkJcOGjghNGbIBQmivXAgNTFDxqU=",
+      "lastModified": 1743764738,
+      "submodules": false
+    },
+    "signal-irc-bridge": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "master",
+      "revision": "52a370b29ff2edbec63e192e782b934823263ef2",
+      "url": "https://git.dgnum.eu/mdebray/signal-irc-bridge",
+      "hash": "sha256-sR8v7bheOigZ08VAv/AX9wFNmMZQEUqEwX3V9wW68tc=",
+      "lastModified": 1744031004,
+      "submodules": false
+    },
+    "snix-cache": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "main",
+      "revision": "62346b99c2e1085203bc2e5bb5f07e7773977b49",
+      "url": "https://git.dgnum.eu/DGNum/snix-cache.git",
+      "hash": "sha256-6BYUWwzitWF2EV8wvJOlqensJ3x4f4ka+iZ9Zy5XnWI=",
+      "lastModified": 1744711329,
+      "submodules": false
+    },
+    "stateless-uptime-kuma": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "master",
+      "revision": "d378d1ce00c676fa22ef0808cf73f3e1c34e0191",
+      "url": "https://git.dgnum.eu/mdebray/stateless-uptime-kuma",
+      "hash": "sha256-Dq0Kk6inCrxsxRfpYJVDZ45pMW/OZ3AAecmgF+yIZQI=",
+      "lastModified": 1734436346,
+      "submodules": false
+    },
+    "wp4nix": {
+      "type": "Git",
+      "fetchType": "git",
+      "branch": "master",
+      "revision": "2fc9a0734168cab536e3129efa6397d6cd3ac89f",
+      "url": "https://git.helsinki.tools//helsinki-systems/wp4nix",
+      "hash": "sha256-abwqAZGsWuWqfxou8XlqedBvXsUw1/xanSgljLCJxdM=",
+      "lastModified": 1743397420,
+      "submodules": false
+    }
+  }
+}

lon.nix

@@ -0,0 +1,53 @@
+# Generated by lon. Do not modify!
+let
+
+  lock = builtins.fromJSON (builtins.readFile ./lon.lock);
+
+  # Override with a path defined in an environment variable. If no variable is
+  # set, the original path is used.
+  overrideFromEnv =
+    name: path:
+    let
+      replacement = builtins.getEnv "LON_OVERRIDE_${name}";
+    in
+    if replacement == "" then
+      path
+    else
+    # this turns the string into an actual Nix path (for both absolute and
+    # relative paths)
+    if builtins.substring 0 1 replacement == "/" then
+      /. + replacement
+    else
+      /. + builtins.getEnv "PWD" + "/${replacement}";
+
+  fetchSource =
+    args@{ fetchType, ... }:
+    if fetchType == "git" then
+      builtins.fetchGit (
+        {
+          url = args.url;
+          ref = args.branch;
+          rev = args.revision;
+          narHash = args.hash;
+          submodules = args.submodules;
+        }
+        // (
+          if args ? lastModified then
+            {
+              inherit (args) lastModified;
+              shallow = true;
+            }
+          else
+            { }
+        )
+      )
+    else if fetchType == "tarball" then
+      builtins.fetchTarball {
+        url = args.url;
+        sha256 = args.hash;
+      }
+    else
+      builtins.throw "Unsupported source type ${fetchType}";
+
+in
+builtins.mapAttrs (name: args: overrideFromEnv name (fetchSource args)) lock.sources

machines/netconf/Jaccess01.nix

@@ -2,6 +2,11 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
+{ lib, ... }:
+let
+  inherit (lib) mapAttrs mod;
+  inherit (lib.extra) genFuse;
+in
 {
   dgn-hardware.model = "EX2300-48P";
   dgn-isp = {
@@ -58,13 +63,6 @@
         "admin-core"
       ];
     };
-    # netcore01 (Potos)
-    "xe-0/1/2".ethernet-switching = {
-      interface-mode = "trunk";
-      vlans = [
-        "all"
-      ];
-    };
     # uplink
     "ge-0/1/3".ethernet-switching = {
       interface-mode = "trunk";
@@ -74,4 +72,22 @@
     # debug management
     "me0".inet.addresses = [ "192.168.42.6/24" ];
   };
+
+  interfaces =
+    {
+      "irb".unit."0".description = "Admin";
+    }
+    // mapAttrs (_: description: { inherit description; }) (
+      {
+        "xe-0/1/0" = "netcore01";
+        "xe-0/1/1" = "Jaccess04";
+        "ge-0/1/3" = "uplink-cri";
+        "ge-0/0/42" = "oob";
+        "ge-0/0/47" = "psu";
+      }
+      // genFuse (i: {
+        "ge-0/0/${toString i}" = "AP_H1_${toString (i / 6)}_${toString (mod i 6 + 1)}";
+      }) 18
+    );
+  snmp.community."public".authorization = "read-only";
 }

machines/netconf/Jaccess04.nix

@@ -2,6 +2,11 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
+{ lib, ... }:
+let
+  inherit (lib) mapAttrs mod;
+  inherit (lib.extra) genFuse;
+in
 {
   dgn-hardware.model = "EX2300-48P";
   dgn-isp = {
@@ -26,4 +31,18 @@
     # debug management
     "me0".inet.addresses = [ "192.168.42.6/24" ];
   };
+
+  interfaces =
+    {
+      "irb".unit."0".description = "Admin";
+    }
+    // mapAttrs (_: description: { inherit description; }) (
+      {
+        "xe-0/1/0" = "Jaccess01";
+      }
+      // genFuse (i: {
+        "ge-0/0/${toString i}" = "AP_H2_${toString (i / 2)}_${toString (mod i 2 + 1)}";
+      }) 6
+    );
+  snmp.community."public".authorization = "read-only";
 }

machines/netconf/netcore01.nix

@@ -2,6 +2,10 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
+{ lib, ... }:
+let
+  inherit (lib) mapAttrs;
+in
 {
   dgn-hardware = {
     model = "EX4400-24X";
@@ -44,4 +48,23 @@
       vlans = [ "hypervisor" ];
     };
   };
+
+  interfaces =
+    {
+      "irb".unit."0".description = "Admin";
+    }
+    // mapAttrs (_: description: { inherit description; }) {
+      "xe-0/0/0" = "Jaccess01";
+      "xe-0/0/3" = "Jaccess04";
+      "xe-0/0/21" = "vault01";
+      "xe-0/0/22" = "netcore02";
+      "ge-0/0/23" = "uplink-cri";
+      "xe-0/0/4" = "random02";
+      "xe-0/0/5" = "random03";
+      "xe-0/0/6" = "hypervisor01";
+      "xe-0/0/7" = "hypervisor02";
+      "xe-0/0/8" = "hypervisor03";
+      "xe-0/0/9" = "build01";
+    };
+  snmp.community."public".authorization = "read-only";
 }

machines/netconf/netcore02.nix

@@ -2,6 +2,10 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
+{ lib, ... }:
+let
+  inherit (lib) mapAttrs;
+in
 {
   dgn-hardware.model = "EX4100-F-48P";
   dgn-isp = {
@@ -53,4 +57,31 @@
     # debug management
     "me0".inet.addresses = [ "192.168.2.2/24" ];
   };
+
+  interfaces =
+    {
+      "irb".unit."0".description = "Admin";
+    }
+    // mapAttrs (_: description: { inherit description; }) {
+      "xe-0/2/0" = "netcore01";
+      "ge-0/0/0" = "hypervisor01_idrac";
+      "ge-0/0/2" = "hypervisor02_idrac";
+      "ge-0/0/4" = "hypervisor03_idrac";
+      "ge-0/0/6" = "build01_idrac";
+      "ge-0/0/8" = "random01_idrac";
+      "ge-0/0/10" = "random02_idrac";
+      "ge-0/0/12" = "random03_idrac";
+      "ge-0/0/14" = "vault01_idrac";
+
+      "ge-0/0/1" = "hypervisor01";
+      "ge-0/0/3" = "hypervisor02";
+      "ge-0/0/5" = "hypervisor03";
+      "ge-0/0/7" = "build01";
+      "ge-0/0/9" = "random03";
+
+      "ge-0/0/47" = "psu";
+      "ge-0/0/46" = "psu_pdu";
+      "ge-0/0/45" = "pdu_32A";
+    };
+  snmp.community."public".authorization = "read-only";
 }

machines/nixos/compute01/arkheon.nix

@@ -5,7 +5,7 @@
 { config, sources, ... }:
 
 {
-  nixpkgs.overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ];
+  nixpkgs.overlays = [ (import (sources.arkheon + "/overlay.nix")) ];
 
   services.arkheon = {
     enable = true;

machines/nixos/compute01/grafana/plugins.nix

@@ -16,4 +16,10 @@ builtins.map pkgs.grafanaPlugins.grafanaPlugin [
     version = "0.13.1";
     zipHash = "sha256-n1LskeOzp32LZS3PcsRh8FwQVBFVlzczfO2aGbEClSo=";
   }
+
+  {
+    pname = "knightss27-weathermap-panel";
+    version = "0.4.3";
+    zipHash = "sha256-N0jhFKYEgU8dZCJ1txcYg0rr17+FkGJjXjwyq2TSa74=";
+  }
 ]

machines/nixos/compute01/kanidm/default.nix

@@ -162,6 +162,23 @@ in
           ];
         };
 
+        dgn_openbao = {
+          displayName = "OpenBao [Vault]";
+          originLanding = "https://vault.dgnum.eu";
+          originUrl = [ "https://vault.dgnum.eu/ui/vault/auth/kanidm/oidc/callback" ];
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+
+          claimMaps.vault_group.valuesByGroup = {
+            grp_root = [ "admin" ];
+          };
+        };
+
         dgn_outline = {
           displayName = "Outline [Docs]";
           originUrl = "https://docs.dgnum.eu/auth/oidc.callback";
@@ -176,6 +193,9 @@ in
           ];
         };
 
+        ###
+        # NOTE: The following clients are currently used for experimental services
+
         dgn_docs = {
           displayName = "SuiteNumérique Docs [Docs]";
           originUrl = "https://docs.lab.dgnum.eu/api/v1.0/callback/";
@@ -190,10 +210,10 @@ in
           ];
         };
 
-        dgn_visio = {
-          displayName = "SuiteNumérique Visio [Visio]";
-          originUrl = "https://visio.lab.dgnum.eu/api/v1.0/callback/";
-          originLanding = "https://visio.lab.dgnum.eu";
+        dgn_drive = {
+          displayName = "SuiteNumérique Drive [Drive]";
+          originUrl = "https://drive.lab.dgnum.eu/api/v1.0/callback/";
+          originLanding = "https://drive.lab.dgnum.eu";
           preferShortUsername = true;
           allowInsecureClientDisablePkce = true;
 
@@ -204,10 +224,10 @@ in
           ];
         };
 
-        dgn_drive = {
-          displayName = "SuiteNumérique Drive [Drive]";
-          originUrl = "https://drive.lab.dgnum.eu/api/v1.0/callback/";
-          originLanding = "https://drive.lab.dgnum.eu";
+        dgn_visio = {
+          displayName = "SuiteNumérique Visio [Visio]";
+          originUrl = "https://visio.lab.dgnum.eu/api/v1.0/callback/";
+          originLanding = "https://visio.lab.dgnum.eu";
           preferShortUsername = true;
           allowInsecureClientDisablePkce = true;
 

machines/nixos/compute01/librenms/default.nix

@@ -24,12 +24,16 @@ in
     hostname = host;
 
     settings = {
-      auth.socialite.configs.kanidm = {
-        listener = "\\SocialiteProviders\\Kanidm\\KanidmExtendSocialite";
-        client_id = "$KANIDM_CLIENT_ID";
-        client_secret = "$KANIDM_CLIENT_SECRET";
-        redirect = "$KANIDM_REDIRECT_URI";
-        base_url = "$KANIDM_BASE_URL";
+      auth.socialite = {
+        configs.kanidm = {
+          listener = "\\SocialiteProviders\\Kanidm\\KanidmExtendSocialite";
+          client_id = "$KANIDM_CLIENT_ID";
+          client_secret = "$KANIDM_CLIENT_SECRET";
+          redirect = "$KANIDM_REDIRECT_URI";
+          base_url = "$KANIDM_BASE_URL";
+        };
+        default_role = "normal";
+        register = true;
       };
     };
 

machines/nixos/compute01/signal-irc-bridge.nix

@@ -9,7 +9,7 @@
   ...
 }:
 {
-  imports = [ (import (sources.signal-irc-bridge.outPath + "/module.nix")) ];
+  imports = [ (import (sources.signal-irc-bridge + "/module.nix")) ];
 
   services.signal-irc-bridge = {
     enable = true;

machines/nixos/storage01/openbao.nix

@@ -2,6 +2,8 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
+{ nixpkgs, ... }:
+
 let
   host = "vault.dgnum.eu";
   port = 3100;
@@ -12,6 +14,8 @@ in
   services.openbao = {
     enable = true;
 
+    package = nixpkgs.nixos."25.05".openbao;
+
     settings = {
       listener.tcp = {
         address = "127.0.0.1:${builtins.toString port}";
@@ -26,6 +30,8 @@ in
 
       cluster_addr = "http://${host}:${toString clusterPort}";
       api_addr = "https://${host}";
+
+      ui = true;
     };
   };
 

machines/nixos/vault01/monitoring/default.nix

@@ -5,5 +5,6 @@
 {
   imports = [
     ./victorialogs.nix
+    ./snmp.nix
   ];
 }

machines/nixos/vault01/monitoring/snmp.nix

@@ -0,0 +1,68 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  pkgs,
+  lib,
+  meta,
+  ...
+}:
+let
+  inherit (lib) elem filterAttrs mapAttrsToList;
+
+  port = 9004;
+in
+{
+  dgn-monitoring = {
+    exporters.ports.snmp = port;
+
+    scrapeConfigs = {
+      "switches" = {
+        static_configs =
+          mapAttrsToList
+            (hostname: cfg: {
+              targets = [ cfg.deployment.targetHost ];
+              labels = { inherit hostname; };
+            })
+            (
+              filterAttrs (
+                _: cfg:
+                cfg.nixpkgs.system == "netconf"
+                && elem cfg.site [
+                  "pot01"
+                  "hyp01"
+                  "hyp02"
+                ]
+              ) meta.nodes
+            );
+        scrape_timeout = "30s";
+        metrics_path = "/snmp";
+        params = {
+          auth = [ "public_v2" ];
+          module = [ "if_mib" ];
+        };
+        relabel_configs = [
+          {
+            target_label = "__param_target";
+            source_labels = [ "__address__" ];
+          }
+          {
+            target_label = "instance";
+            source_labels = [ "__param_target" ];
+          }
+          {
+            target_label = "__address__";
+            replacement = "localhost:${toString port}";
+          }
+        ];
+      };
+    };
+  };
+  services.prometheus.exporters.snmp = {
+    enable = true;
+
+    enableConfigCheck = false;
+    configurationPath = pkgs.prometheus-snmp-exporter.src + "/snmp.yml";
+  };
+}

machines/nixos/web01/static/default.nix

@@ -6,7 +6,6 @@
 
 let
   inherit (lib) recursiveUpdate;
-  websites = import ./npins;
 
   mkVhost =
     _:
@@ -19,7 +18,7 @@ let
 in
 
 {
-  services.nginx.virtualHosts = recursiveUpdate (builtins.mapAttrs mkVhost websites) {
+  services.nginx.virtualHosts = recursiveUpdate (builtins.mapAttrs mkVhost (import ./lon.nix)) {
     "eleves.dgnum.eu".locations."/".tryFiles = "$uri $uri/index.html /fr/$uri /en/$uri /fr/index.html";
 
     "retired.dgnum.eu".locations."/".tryFiles = "/index.html =404";

machines/nixos/web01/static/lon.lock

@@ -1,77 +1,65 @@
 {
-  "pins": {
+  "version": "1",
+  "sources": {
     "eleves.dgnum.eu": {
       "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/eleves.dgnum.eu.git"
-      },
+      "fetchType": "git",
       "branch": "main",
-      "submodules": false,
       "revision": "8884daadedd8b83482db650f0561377aefdc2078",
-      "url": null,
-      "hash": "sha256-nrOmpx4bubfFl0Xr9eg3C5D+a4091igkQNDi5Y/h9ts="
+      "url": "https://git.dgnum.eu/DGNum/eleves.dgnum.eu.git",
+      "hash": "sha256-nrOmpx4bubfFl0Xr9eg3C5D+a4091igkQNDi5Y/h9ts=",
+      "lastModified": 1713533686,
+      "submodules": false
     },
     "interq.ens.fr": {
       "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/interq.ens.fr.git"
-      },
+      "fetchType": "git",
       "branch": "main",
-      "submodules": false,
       "revision": "a7877c20817c06dc61d2e924b2d1c3f1d5085a36",
-      "url": null,
-      "hash": "sha256-nVf9W9CiecK1ymVj6H3/P88CFm/iHMsqjAxlZI34jRU="
+      "url": "https://git.dgnum.eu/DGNum/interq.ens.fr.git",
+      "hash": "sha256-nVf9W9CiecK1ymVj6H3/P88CFm/iHMsqjAxlZI34jRU=",
+      "lastModified": 1712914604,
+      "submodules": false
     },
     "qda.ens.fr": {
       "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/qda.ens.fr.git"
-      },
+      "fetchType": "git",
       "branch": "main",
-      "submodules": false,
       "revision": "8b17a3c3a61041d9672077376b78d22519282096",
-      "url": null,
-      "hash": "sha256-XScapvBngxTHjqwwH41Zz2zhB9xl7wvev+ImnP0ImYM="
+      "url": "https://git.dgnum.eu/DGNum/qda.ens.fr.git",
+      "hash": "sha256-XScapvBngxTHjqwwH41Zz2zhB9xl7wvev+ImnP0ImYM=",
+      "lastModified": 1704470915,
+      "submodules": false
     },
     "qr.dgnum.eu": {
       "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/qr.dgnum.eu.git"
-      },
+      "fetchType": "git",
       "branch": "main",
-      "submodules": false,
       "revision": "e6084bbbdccee3d700037b5f34ead386d649c470",
-      "url": null,
-      "hash": "sha256-scVmvpS2OZxYw0E6FM9ZN/t6vuxi35R56i9zFV6xndw="
+      "url": "https://git.dgnum.eu/DGNum/qr.dgnum.eu.git",
+      "hash": "sha256-scVmvpS2OZxYw0E6FM9ZN/t6vuxi35R56i9zFV6xndw=",
+      "lastModified": 1706123840,
+      "submodules": false
     },
     "retired.dgnum.eu": {
       "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/retired.dgnum.eu.git"
-      },
+      "fetchType": "git",
       "branch": "main",
-      "submodules": false,
       "revision": "735e56edee3b8a74c6d77463b6535308ac85c7b1",
-      "url": null,
-      "hash": "sha256-Xld0MiXrYsOcZxroOCNwIpdaU3Hrx9b+Dp9kkkUec1U="
+      "url": "https://git.dgnum.eu/DGNum/retired.dgnum.eu.git",
+      "hash": "sha256-Xld0MiXrYsOcZxroOCNwIpdaU3Hrx9b+Dp9kkkUec1U=",
+      "lastModified": 1703168902,
+      "submodules": false
     },
     "tuteurs.ens.fr": {
       "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/tuteurs.ens.fr.git"
-      },
+      "fetchType": "git",
       "branch": "main",
-      "submodules": false,
       "revision": "5d6dff073d0ee1b22f993e049bd0af914c523d96",
-      "url": null,
-      "hash": "sha256-Jm5hZMDLInKuh0grMucF1Pjan3OONDkWGmccMPp1d8I="
+      "url": "https://git.dgnum.eu/DGNum/tuteurs.ens.fr.git",
+      "hash": "sha256-Jm5hZMDLInKuh0grMucF1Pjan3OONDkWGmccMPp1d8I=",
+      "lastModified": 1712083706,
+      "submodules": false
     }
-  },
-  "version": 6
+  }
 }

machines/nixos/web01/static/lon.nix

@@ -0,0 +1,53 @@
+# Generated by lon. Do not modify!
+let
+
+  lock = builtins.fromJSON (builtins.readFile ./lon.lock);
+
+  # Override with a path defined in an environment variable. If no variable is
+  # set, the original path is used.
+  overrideFromEnv =
+    name: path:
+    let
+      replacement = builtins.getEnv "LON_OVERRIDE_${name}";
+    in
+    if replacement == "" then
+      path
+    else
+    # this turns the string into an actual Nix path (for both absolute and
+    # relative paths)
+    if builtins.substring 0 1 replacement == "/" then
+      /. + replacement
+    else
+      /. + builtins.getEnv "PWD" + "/${replacement}";
+
+  fetchSource =
+    args@{ fetchType, ... }:
+    if fetchType == "git" then
+      builtins.fetchGit (
+        {
+          url = args.url;
+          ref = args.branch;
+          rev = args.revision;
+          narHash = args.hash;
+          submodules = args.submodules;
+        }
+        // (
+          if args ? lastModified then
+            {
+              inherit (args) lastModified;
+              shallow = true;
+            }
+          else
+            { }
+        )
+      )
+    else if fetchType == "tarball" then
+      builtins.fetchTarball {
+        url = args.url;
+        sha256 = args.hash;
+      }
+    else
+      builtins.throw "Unsupported source type ${fetchType}";
+
+in
+builtins.mapAttrs (name: args: overrideFromEnv name (fetchSource args)) lock.sources

machines/nixos/web01/static/npins/default.nix

@@ -1,145 +0,0 @@
-/*
-  This file is provided under the MIT licence:
-
-  Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-  The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-  THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-*/
-# Generated by npins. Do not modify; will be overwritten regularly
-let
-  data = builtins.fromJSON (builtins.readFile ./sources.json);
-  version = data.version;
-
-  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
-  range =
-    first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
-
-  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
-  stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
-
-  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
-  stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
-  concatStrings = builtins.concatStringsSep "";
-
-  # If the environment variable NPINS_OVERRIDE_${name} is set, then use
-  # the path directly as opposed to the fetched source.
-  # (Taken from Niv for compatibility)
-  mayOverride =
-    name: path:
-    let
-      envVarName = "NPINS_OVERRIDE_${saneName}";
-      saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
-      ersatz = builtins.getEnv envVarName;
-    in
-    if ersatz == "" then
-      path
-    else
-      # this turns the string into an actual Nix path (for both absolute and
-      # relative paths)
-      builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" (
-        if builtins.substring 0 1 ersatz == "/" then
-          /. + ersatz
-        else
-          /. + builtins.getEnv "PWD" + "/${ersatz}"
-      );
-
-  mkSource =
-    name: spec:
-    assert spec ? type;
-    let
-      path =
-        if spec.type == "Git" then
-          mkGitSource spec
-        else if spec.type == "GitRelease" then
-          mkGitSource spec
-        else if spec.type == "PyPi" then
-          mkPyPiSource spec
-        else if spec.type == "Channel" then
-          mkChannelSource spec
-        else if spec.type == "Tarball" then
-          mkTarballSource spec
-        else
-          builtins.throw "Unknown source type ${spec.type}";
-    in
-    spec // { outPath = mayOverride name path; };
-
-  mkGitSource =
-    {
-      repository,
-      revision,
-      url ? null,
-      submodules,
-      hash,
-      ...
-    }:
-    assert repository ? type;
-    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
-    # In the latter case, there we will always be an url to the tarball
-    if url != null && !submodules then
-      builtins.fetchTarball {
-        inherit url;
-        sha256 = hash;
-      }
-    else
-      let
-        url =
-          if repository.type == "Git" then
-            repository.url
-          else if repository.type == "GitHub" then
-            "https://github.com/${repository.owner}/${repository.repo}.git"
-          else if repository.type == "GitLab" then
-            "${repository.server}/${repository.repo_path}.git"
-          else
-            throw "Unrecognized repository type ${repository.type}";
-        urlToName =
-          url: rev:
-          let
-            matched = builtins.match "^.*/([^/]*)(\\.git)?$" url;
-
-            short = builtins.substring 0 7 rev;
-
-            appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
-          in
-          "${if matched == null then "source" else builtins.head matched}${appendShort}";
-        name = urlToName url revision;
-      in
-      builtins.fetchGit {
-        rev = revision;
-        allRefs = true;
-        narHash = hash;
-
-        inherit name submodules url;
-      };
-
-  mkPyPiSource =
-    { url, hash, ... }:
-    builtins.fetchurl {
-      inherit url;
-      sha256 = hash;
-    };
-
-  mkChannelSource =
-    { url, hash, ... }:
-    builtins.fetchTarball {
-      inherit url;
-      sha256 = hash;
-    };
-
-  mkTarballSource =
-    {
-      url,
-      locked_url ? url,
-      hash,
-      ...
-    }:
-    builtins.fetchTarball {
-      url = locked_url;
-      sha256 = hash;
-    };
-in
-if version == 6 then
-  builtins.mapAttrs mkSource data.pins
-else
-  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"

machines/nixos/web03/django-apps/wikiens.nix

@@ -2,16 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-{
-  pkgs,
-  sources,
-  config,
-  ...
-}:
-
-let
-  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
-in
+{ config, ... }:
 
 {
   services.django-apps.sites.wikiens = {
@@ -26,16 +17,18 @@ in
 
     webHookSecret = config.age.secrets."webhook-wikiens_token".path;
 
-    python = pkgs.python3.override {
-      packageOverrides = _: _: {
-        inherit (nix-pkgs)
-          django-allauth
-          django-allauth-ens
-          django-wiki
-          loadcredential
-          ;
-      };
-    };
+    overlays.nix-pkgs = [
+      # Required packages
+      "django-allauth"
+      "django-allauth-ens"
+      "django-wiki"
+      "loadcredential"
+
+      # Dependencies
+      "django-allauth-cas"
+      "django-nyt"
+      "python-cas"
+    ];
 
     dependencies =
       ps:

meta/README.md

@@ -46,7 +46,7 @@ Machines can use different versions of NixOS, the supported ones are specified h
 - Run the following command
 
 ```bash
-npins add channel nixos-$VERSION
+lon add github --name nixos-$VERSION NixOS/nixpkgs nixos-$VERSION
 ```
 
 - Edit `meta/nixpkgs.nix` and add `$VERSION` to the supported version.

meta/network.nix

@@ -18,7 +18,7 @@
       hostId = "f57f3ba0";
 
       interfaces = { };
-      netbirdIp = null;
+      netbirdIp = "100.80.9.42";
     };
 
     build01 = {

meta/nodes/nixos.nix

@@ -58,16 +58,10 @@
 
       adminGroups = [ "fai" ];
 
-      deployment = {
-        targetHost = "fd26:baf9:d250:8000::ffff";
-        sshOptions = [
-          "-J"
-          "root@vault01.hyp01.infra.dgnum.eu"
-        ];
-      };
+      deployment.targetHost = "bridge01.dgnum";
 
       nixpkgs = {
-        version = "24.11";
+        version = "25.05";
         system = "nixos";
       };
     };
@@ -337,7 +331,7 @@
       stateVersion = "23.11";
 
       nixpkgs = {
-        version = "24.11";
+        version = "25.05";
         system = "nixos";
       };
 

npins/default.nix

@@ -1,145 +0,0 @@
-/*
-  This file is provided under the MIT licence:
-
-  Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-  The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-  THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-*/
-# Generated by npins. Do not modify; will be overwritten regularly
-let
-  data = builtins.fromJSON (builtins.readFile ./sources.json);
-  version = data.version;
-
-  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
-  range =
-    first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
-
-  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
-  stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
-
-  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
-  stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
-  concatStrings = builtins.concatStringsSep "";
-
-  # If the environment variable NPINS_OVERRIDE_${name} is set, then use
-  # the path directly as opposed to the fetched source.
-  # (Taken from Niv for compatibility)
-  mayOverride =
-    name: path:
-    let
-      envVarName = "NPINS_OVERRIDE_${saneName}";
-      saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
-      ersatz = builtins.getEnv envVarName;
-    in
-    if ersatz == "" then
-      path
-    else
-      # this turns the string into an actual Nix path (for both absolute and
-      # relative paths)
-      builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" (
-        if builtins.substring 0 1 ersatz == "/" then
-          /. + ersatz
-        else
-          /. + builtins.getEnv "PWD" + "/${ersatz}"
-      );
-
-  mkSource =
-    name: spec:
-    assert spec ? type;
-    let
-      path =
-        if spec.type == "Git" then
-          mkGitSource spec
-        else if spec.type == "GitRelease" then
-          mkGitSource spec
-        else if spec.type == "PyPi" then
-          mkPyPiSource spec
-        else if spec.type == "Channel" then
-          mkChannelSource spec
-        else if spec.type == "Tarball" then
-          mkTarballSource spec
-        else
-          builtins.throw "Unknown source type ${spec.type}";
-    in
-    spec // { outPath = mayOverride name path; };
-
-  mkGitSource =
-    {
-      repository,
-      revision,
-      url ? null,
-      submodules,
-      hash,
-      ...
-    }:
-    assert repository ? type;
-    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
-    # In the latter case, there we will always be an url to the tarball
-    if url != null && !submodules then
-      builtins.fetchTarball {
-        inherit url;
-        sha256 = hash;
-      }
-    else
-      let
-        url =
-          if repository.type == "Git" then
-            repository.url
-          else if repository.type == "GitHub" then
-            "https://github.com/${repository.owner}/${repository.repo}.git"
-          else if repository.type == "GitLab" then
-            "${repository.server}/${repository.repo_path}.git"
-          else
-            throw "Unrecognized repository type ${repository.type}";
-        urlToName =
-          url: rev:
-          let
-            matched = builtins.match "^.*/([^/]*)(\\.git)?$" url;
-
-            short = builtins.substring 0 7 rev;
-
-            appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
-          in
-          "${if matched == null then "source" else builtins.head matched}${appendShort}";
-        name = urlToName url revision;
-      in
-      builtins.fetchGit {
-        rev = revision;
-        narHash = hash;
-        allRefs = true;
-
-        inherit name submodules url;
-      };
-
-  mkPyPiSource =
-    { url, hash, ... }:
-    builtins.fetchurl {
-      inherit url;
-      sha256 = hash;
-    };
-
-  mkChannelSource =
-    { url, hash, ... }:
-    builtins.fetchTarball {
-      inherit url;
-      sha256 = hash;
-    };
-
-  mkTarballSource =
-    {
-      url,
-      locked_url ? url,
-      hash,
-      ...
-    }:
-    builtins.fetchTarball {
-      url = locked_url;
-      sha256 = hash;
-    };
-in
-if version == 6 then
-  builtins.mapAttrs mkSource data.pins
-else
-  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"

npins/sources.json

@@ -1,381 +0,0 @@
-{
-  "pins": {
-    "agenix": {
-      "type": "GitRelease",
-      "repository": {
-        "type": "GitHub",
-        "owner": "ryantm",
-        "repo": "agenix"
-      },
-      "pre_releases": false,
-      "version_upper_bound": null,
-      "release_prefix": null,
-      "submodules": false,
-      "version": "0.15.0",
-      "revision": "564595d0ad4be7277e07fa63b5a991b3c645655d",
-      "url": "https://api.github.com/repos/ryantm/agenix/tarball/refs/tags/0.15.0",
-      "hash": "sha256-ipqShkBmHKC9ft1ZAsA6aeKps32k7+XZSPwfxeHLsAU="
-    },
-    "arkheon": {
-      "type": "Git",
-      "repository": {
-        "type": "GitHub",
-        "owner": "RaitoBezarius",
-        "repo": "arkheon"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "3eea876b29217d01cf2ef03ea9fdd8779d28ad04",
-      "url": "https://github.com/RaitoBezarius/arkheon/archive/3eea876b29217d01cf2ef03ea9fdd8779d28ad04.tar.gz",
-      "hash": "sha256-+R6MhTXuSzNeGQiL4DQwlP5yNhmnhbf7pQWPUWgcZSM="
-    },
-    "cas-eleves": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/cas-eleves.git"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "bdbb2a6c772144813bd75316080f5fecd2c5cc9e",
-      "url": null,
-      "hash": "sha256-kQDO331t2YsrDoVGHzftU6Y96VXfWNzgI7QmeBNCGTA="
-    },
-    "cgroup-exporter": {
-      "type": "Git",
-      "repository": {
-        "type": "GitHub",
-        "owner": "arianvp",
-        "repo": "cgroup-exporter"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "97b83d6d495b3cb6f959a4368fd93ac342d23706",
-      "url": "https://github.com/arianvp/cgroup-exporter/archive/97b83d6d495b3cb6f959a4368fd93ac342d23706.tar.gz",
-      "hash": "sha256-MP45mdfhZ3MjpL0sJolZ0GkY3Le8QoUDqS+loPtxu2I="
-    },
-    "colmena": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/colmena"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "b5135dc8af1d7637b337cc2632990400221da577",
-      "url": null,
-      "hash": "sha256-7gg+K3PEYlN0sGPgDlmnM8zgDDIV505gNcwjFN61Qvk="
-    },
-    "dgsi": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/dgsi.git"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "fbf6385e65400802a3f9f75f7cd91d5c01373d1b",
-      "url": null,
-      "hash": "sha256-aOUI69wbMm9+KVWwcMw5TgVnk3DfjOzE4OEyYTD8XPU="
-    },
-    "disko": {
-      "type": "GitRelease",
-      "repository": {
-        "type": "GitHub",
-        "owner": "nix-community",
-        "repo": "disko"
-      },
-      "pre_releases": false,
-      "version_upper_bound": null,
-      "release_prefix": null,
-      "submodules": false,
-      "version": "v1.11.0",
-      "revision": "cdf8deded8813edfa6e65544f69fdd3a59fa2bb4",
-      "url": "https://api.github.com/repos/nix-community/disko/tarball/refs/tags/v1.11.0",
-      "hash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0="
-    },
-    "dns.nix": {
-      "type": "GitRelease",
-      "repository": {
-        "type": "GitHub",
-        "owner": "nix-community",
-        "repo": "dns.nix"
-      },
-      "pre_releases": false,
-      "version_upper_bound": null,
-      "release_prefix": null,
-      "submodules": false,
-      "version": "v1.2.0",
-      "revision": "a3196708a56dee76186a9415c187473b94e6cbae",
-      "url": "https://api.github.com/repos/nix-community/dns.nix/tarball/refs/tags/v1.2.0",
-      "hash": "sha256-IK3r16N9pizf53AipOmrcrcyjVsPJwC4PI5hIqEyKwQ="
-    },
-    "git-hooks": {
-      "type": "Git",
-      "repository": {
-        "type": "GitHub",
-        "owner": "cachix",
-        "repo": "git-hooks.nix"
-      },
-      "branch": "master",
-      "submodules": false,
-      "revision": "fa466640195d38ec97cf0493d6d6882bc4d14969",
-      "url": "https://github.com/cachix/git-hooks.nix/archive/fa466640195d38ec97cf0493d6d6882bc4d14969.tar.gz",
-      "hash": "sha256-Wb2xeSyOsCoTCTj7LOoD6cdKLEROyFAArnYoS+noCWo="
-    },
-    "kadenios": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/kadenios.git"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "4fd9e3a2117f54c4184b02fd3aef31626fcad149",
-      "url": null,
-      "hash": "sha256-32alJ/9M+Vaa+zSzmoMgB1+f2h4GYP3OiJ8odRMeCdw="
-    },
-    "kat-pkgs": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/lbailly/kat-pkgs"
-      },
-      "branch": "master",
-      "submodules": false,
-      "revision": "2df4e901590ebd139364d1df140a6ccb2cd0a5a7",
-      "url": null,
-      "hash": "sha256-W4pGBZs1+iPnuios88kbqb2ITdLalYq65G8IWGm+EKY="
-    },
-    "liminix": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/liminix"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "1322de1ee0cdb19fead79e12ab279ee0b575019a",
-      "url": null,
-      "hash": "sha256-k5QjFRwKK8Hw7bl6XwOHiwr7hmTtBMdOUWieNKM10x4="
-    },
-    "linkal": {
-      "type": "Git",
-      "repository": {
-        "type": "GitHub",
-        "owner": "JulienMalka",
-        "repo": "Linkal"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "085630bf369b68d2264baca020efc94c877d78e6",
-      "url": "https://github.com/JulienMalka/Linkal/archive/085630bf369b68d2264baca020efc94c877d78e6.tar.gz",
-      "hash": "sha256-nQ22VdXMO6M+rIsrPYHGmt7Zi7VWt9BeuF7WM+U2glQ="
-    },
-    "lix": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.lix.systems/lix-project/lix.git"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "d169c092fc28838a253be136d17fe7de1292c728",
-      "url": null,
-      "hash": "sha256-gsPA3AAGi3pucRpzJbhWWyyOBv2/2OjAjU/SlcSE8Vc="
-    },
-    "lix-module": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.lix.systems/lix-project/nixos-module.git"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "fa69ae26cc32dda178117b46487c2165c0e08316",
-      "url": null,
-      "hash": "sha256-MB/b/xcDKqaVBxJIIxwb81r8ZiGLeKEcqokATRRroo8="
-    },
-    "metis": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/metis"
-      },
-      "branch": "master",
-      "submodules": false,
-      "revision": "f8898110f4aa32c5384af605e727bfea9b0bd2de",
-      "url": null,
-      "hash": "sha256-WrQCoe8h848nkQQfZnshsOdoY2NP5gAsl24hXpzDnR8="
-    },
-    "microvm.nix": {
-      "type": "Git",
-      "repository": {
-        "type": "GitHub",
-        "owner": "RaitoBezarius",
-        "repo": "microvm.nix"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "49899c9a4fdf75320785e79709bf1608c34caeb8",
-      "url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
-      "hash": "sha256-nn/kta8Od0T2k5+xQj+S2PNqOmxsDdHNaIv8eNtX5ms="
-    },
-    "nix-actions": {
-      "type": "GitRelease",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/nix-actions.git"
-      },
-      "pre_releases": false,
-      "version_upper_bound": null,
-      "release_prefix": null,
-      "submodules": false,
-      "version": "v0.5.1",
-      "revision": "06847b3256df402da0475dccb290832ec92a9f8c",
-      "url": null,
-      "hash": "sha256-2xOZdKiUfcriQFKG37vY96dgCJLndhLa7cGacq8+SA8="
-    },
-    "nix-modules": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.hubrecht.ovh/hubrecht/nix-modules"
-      },
-      "branch": "dgnum",
-      "submodules": false,
-      "revision": "0cdf222c07b9cbd49857ae046fb41ae9f651cc3f",
-      "url": null,
-      "hash": "sha256-VHlkJny+t1AhZ61JOeyYM1rLa4cPEoEt/5+vqAqAJgA="
-    },
-    "nix-pkgs": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
-      },
-      "branch": "dgnum",
-      "submodules": false,
-      "revision": "7a0e2e660b26ddd67bb8132beb6b13e3a69003a4",
-      "url": null,
-      "hash": "sha256-1uzLfSTvB8UXN9zbzQr2cQXjARIXw1cBwPK6mA9GoXc="
-    },
-    "nix-reuse": {
-      "type": "GitRelease",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/nix-reuse"
-      },
-      "pre_releases": false,
-      "version_upper_bound": null,
-      "release_prefix": null,
-      "submodules": false,
-      "version": "v0.1.3",
-      "revision": "45633dc6a0512cbbb010bc615b5d1b6e46e57597",
-      "url": null,
-      "hash": "sha256-xr63AvDLp+RS0F7qwuOoWNENuepPbpuHLe4VPS85XBQ="
-    },
-    "nixos-24.05": {
-      "type": "Channel",
-      "name": "nixos-24.05",
-      "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.7376.b134951a4c9f/nixexprs.tar.xz",
-      "hash": "sha256-m6KS4Y44VAxk5ZnELE2dzLbjPtKRGtsprphQC6A7Erk="
-    },
-    "nixos-24.11": {
-      "type": "Channel",
-      "name": "nixos-24.11",
-      "url": "https://releases.nixos.org/nixos/24.11/nixos-24.11.717608.bf3287dac860/nixexprs.tar.xz",
-      "hash": "sha256-i+e1YvYG/DiWvKoEM0DhWG87ZPzkkYQwKlc0tS5jx+E="
-    },
-    "nixos-25.05": {
-      "type": "Channel",
-      "name": "nixos-25.05",
-      "url": "https://releases.nixos.org/nixos/25.05/nixos-25.05beta801800.ca49c4304acf/nixexprs.tar.xz",
-      "hash": "sha256-O+9sQ6QEoKcM/lJXDumDdUZbuxs2TMuBf7xi3ivOXCo="
-    },
-    "nixos-unstable": {
-      "type": "Channel",
-      "name": "nixos-unstable",
-      "url": "https://releases.nixos.org/nixos/unstable/nixos-25.05pre797896.d89fc19e405c/nixexprs.tar.xz",
-      "hash": "sha256-bFJJ/qwB3VJ0nFuVYYHJXinT4tNJ2jhXTVT6SpYiFOM="
-    },
-    "npins": {
-      "type": "GitRelease",
-      "repository": {
-        "type": "GitHub",
-        "owner": "andir",
-        "repo": "npins"
-      },
-      "pre_releases": false,
-      "version_upper_bound": null,
-      "release_prefix": null,
-      "submodules": false,
-      "version": "0.3.1",
-      "revision": "476671559d5879ad2f95fe21b9eb7c7541b3e718",
-      "url": "https://api.github.com/repos/andir/npins/tarball/refs/tags/0.3.1",
-      "hash": "sha256-PPk9Ve1pM3X7NfGeGb8Jiq4YDEwAjErP4xzGwLaakTU="
-    },
-    "proxmox-nixos": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://github.com/SaumonNet/proxmox-nixos.git"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "91c96a414e14835b84adbf775f793739a5851fab",
-      "url": null,
-      "hash": "sha256-YYbR1o5qTPUxpaVhkJcOGjghNGbIBQmivXAgNTFDxqU="
-    },
-    "signal-irc-bridge": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/mdebray/signal-irc-bridge"
-      },
-      "branch": "master",
-      "submodules": false,
-      "revision": "52a370b29ff2edbec63e192e782b934823263ef2",
-      "url": null,
-      "hash": "sha256-sR8v7bheOigZ08VAv/AX9wFNmMZQEUqEwX3V9wW68tc="
-    },
-    "snix-cache": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/snix-cache.git"
-      },
-      "branch": "main",
-      "submodules": false,
-      "revision": "62346b99c2e1085203bc2e5bb5f07e7773977b49",
-      "url": null,
-      "hash": "sha256-6BYUWwzitWF2EV8wvJOlqensJ3x4f4ka+iZ9Zy5XnWI="
-    },
-    "stateless-uptime-kuma": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/mdebray/stateless-uptime-kuma"
-      },
-      "branch": "master",
-      "submodules": false,
-      "revision": "d378d1ce00c676fa22ef0808cf73f3e1c34e0191",
-      "url": null,
-      "hash": "sha256-Dq0Kk6inCrxsxRfpYJVDZ45pMW/OZ3AAecmgF+yIZQI="
-    },
-    "wp4nix": {
-      "type": "Git",
-      "repository": {
-        "type": "GitLab",
-        "repo_path": "helsinki-systems/wp4nix",
-        "server": "https://git.helsinki.tools/"
-      },
-      "branch": "master",
-      "submodules": false,
-      "revision": "2fc9a0734168cab536e3129efa6397d6cd3ac89f",
-      "url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=2fc9a0734168cab536e3129efa6397d6cd3ac89f",
-      "hash": "sha256-abwqAZGsWuWqfxou8XlqedBvXsUw1/xanSgljLCJxdM="
-    }
-  },
-  "version": 6
-}

patches/default.nix

@@ -21,6 +21,10 @@ with {
     (local ./lix/02-fetchGit-locked.patch)
   ];
 
+  lon = [
+    (local ./lon/01-npins-import.patch)
+  ];
+
   "nixos-25.05" = [
     # Crabfit: don't depend on all google-fonts
     (local ./nixpkgs/03-crabfit-karla.patch)
@@ -56,13 +60,8 @@ with {
   "agenix" = [
     {
       _type = "url";
-      url = "https://github.com/ryantm/agenix/pull/292.patch";
+      url = "https://github.com/ryantm/agenix/commit/48b60f7c1c7023af52212555bdb6d07472402863.patch";
       hash = "sha256-e45hiHF0HbCYb+3RRhy+8nNIFvefb6SZSN3xcl1mpvI=";
     }
   ];
-
-  "npins" = [
-    (local ./npins/00-master.patch)
-    (local ./npins/01-sri-hashes.patch)
-  ];
 }

patches/lon/01-npins-import.patch

@@ -0,0 +1,625 @@
+From 70877569a4ce8f5274c5e6208469c240a34993a0 Mon Sep 17 00:00:00 2001
+From: Tom Hubrecht <tom@hubrecht.ovh>
+Date: Tue, 10 Jun 2025 15:26:22 +0200
+Subject: [PATCH 1/2] sources: Find default branch when none is supplied
+
+---
+ rust/lon/Cargo.lock      | 33 +++++++++++++++++++++++++++++++++
+ rust/lon/Cargo.toml      |  1 +
+ rust/lon/src/cli.rs      |  8 ++++----
+ rust/lon/src/git.rs      | 29 +++++++++++++++++++++++++++++
+ rust/lon/src/init/niv.rs |  4 ++--
+ rust/lon/src/sources.rs  | 18 +++++++++++++++---
+ 6 files changed, 84 insertions(+), 9 deletions(-)
+
+diff --git a/rust/lon/Cargo.lock b/rust/lon/Cargo.lock
+index 62f6176..b9e7944 100644
+--- a/rust/lon/Cargo.lock
++++ b/rust/lon/Cargo.lock
+@@ -17,6 +17,15 @@ version = "2.0.0"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+ checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627"
+ 
++[[package]]
++name = "aho-corasick"
++version = "1.1.3"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916"
++dependencies = [
++ "memchr",
++]
++
+ [[package]]
+ name = "android-tzdata"
+ version = "0.1.1"
+@@ -847,6 +856,7 @@ dependencies = [
+  "expect-test",
+  "indoc",
+  "log",
++ "regex",
+  "reqwest",
+  "serde",
+  "serde_json",
+@@ -1073,11 +1083,34 @@ dependencies = [
+  "getrandom 0.3.2",
+ ]
+ 
++[[package]]
++name = "regex"
++version = "1.11.1"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
++dependencies = [
++ "aho-corasick",
++ "memchr",
++ "regex-automata",
++ "regex-syntax",
++]
++
+ [[package]]
+ name = "regex-automata"
+ version = "0.4.9"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+ checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908"
++dependencies = [
++ "aho-corasick",
++ "memchr",
++ "regex-syntax",
++]
++
++[[package]]
++name = "regex-syntax"
++version = "0.8.5"
++source = "registry+https://github.com/rust-lang/crates.io-index"
++checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
+ 
+ [[package]]
+ name = "reqwest"
+diff --git a/rust/lon/Cargo.toml b/rust/lon/Cargo.toml
+index a60c24e..d7dd633 100644
+--- a/rust/lon/Cargo.toml
++++ b/rust/lon/Cargo.toml
+@@ -13,6 +13,7 @@ serde_json = "1.0.140"
+ sha2 = "0.10.9"
+ tempfile = "3.20.0"
+ reqwest = { version = "0.12", default-features = false, features = ["blocking","http2","rustls-tls","json"] }
++regex = "1.11.1"
+ 
+ [dev-dependencies]
+ expect-test = "1.5.1"
+diff --git a/rust/lon/src/cli.rs b/rust/lon/src/cli.rs
+index eb850d7..5806b1d 100644
+--- a/rust/lon/src/cli.rs
++++ b/rust/lon/src/cli.rs
+@@ -105,7 +105,7 @@ struct AddGitArgs {
+     /// URL to the repository
+     url: String,
+     /// Branch to track
+-    branch: String,
++    branch: Option<String>,
+     /// Revision to lock
+     #[arg(short, long)]
+     revision: Option<String>,
+@@ -122,7 +122,7 @@ struct AddGitHubArgs {
+     /// An identifier made up of {owner}/{repo}, e.g. nixos/nixpkgs
+     identifier: String,
+     /// Branch to track
+-    branch: String,
++    branch: Option<String>,
+     /// Name of the source
+     ///
+     /// If you do not supply this, the repository name is used as the source name.
+@@ -283,7 +283,7 @@ fn add_git(directory: impl AsRef<Path>, args: &AddGitArgs) -> Result<()> {
+ 
+     let source = GitSource::new(
+         &args.url,
+-        &args.branch,
++        args.branch.as_ref(),
+         args.revision.as_ref(),
+         args.submodules,
+         args.frozen,
+@@ -314,7 +314,7 @@ fn add_github(directory: impl AsRef<Path>, args: &AddGitHubArgs) -> Result<()> {
+     let source = GitHubSource::new(
+         owner,
+         repo,
+-        &args.branch,
++        args.branch.as_ref(),
+         args.revision.as_ref(),
+         args.frozen,
+     )?;
+diff --git a/rust/lon/src/git.rs b/rust/lon/src/git.rs
+index cb5b4df..381c337 100644
+--- a/rust/lon/src/git.rs
++++ b/rust/lon/src/git.rs
+@@ -5,6 +5,7 @@ use std::{
+ };
+ 
+ use anyhow::{Context, Result, bail};
++use regex::Regex;
+ use tempfile::TempDir;
+ 
+ #[derive(Clone, Debug)]
+@@ -129,6 +130,34 @@ fn find_newest_revision_for_ref(url: &str, reference: &str) -> Result<Revision>
+     Ok(Revision(references.remove(0).revision))
+ }
+ 
++/// Find the default branch for a git repository
++pub fn find_default_branch(url: &str) -> Result<String> {
++    let output = Command::new("git")
++        .arg("ls-remote")
++        .args(["--symref", url, "HEAD"])
++        .output()
++        .context("Failed to execute git ls-remote. Most likely it's not on PATH")?;
++
++    if !output.status.success() {
++        bail!(
++            "Failed to find the default branch for {}\n{}",
++            url,
++            String::from_utf8_lossy(&output.stderr)
++        )
++    }
++
++    let re = Regex::new(r"ref:.*refs/heads/(?<branch>.*)\tHEAD")?;
++
++    let Some(branch) = String::from_utf8_lossy(&output.stdout)
++        .lines()
++        .find_map(|x| re.captures(x).map(|matched| matched["branch"].into()))
++    else {
++        bail!("Failed to find the default branch for {url}",)
++    };
++
++    Ok(branch)
++}
++
+ /// Call `git ls-remote` with the provided args.
+ fn ls_remote(args: &[&str]) -> Result<Vec<RemoteInfo>> {
+     let output = Command::new("git")
+diff --git a/rust/lon/src/init/niv.rs b/rust/lon/src/init/niv.rs
+index 469fdc7..8d41670 100644
+--- a/rust/lon/src/init/niv.rs
++++ b/rust/lon/src/init/niv.rs
+@@ -42,7 +42,7 @@ impl Convertible for LockFile {
+                 let source = GitHubSource::new(
+                     owner,
+                     &package.repo,
+-                    &package.branch,
++                    Some(&package.branch),
+                     Some(&package.rev),
+                     false,
+                 )?;
+@@ -51,7 +51,7 @@ impl Convertible for LockFile {
+             } else {
+                 let source = GitSource::new(
+                     &package.repo,
+-                    &package.branch,
++                    Some(&package.branch),
+                     Some(&package.rev),
+                     false,
+                     false,
+diff --git a/rust/lon/src/sources.rs b/rust/lon/src/sources.rs
+index 92d8c2b..78bdbdb 100644
+--- a/rust/lon/src/sources.rs
++++ b/rust/lon/src/sources.rs
+@@ -170,11 +170,16 @@ pub struct GitSource {
+ impl GitSource {
+     pub fn new(
+         url: &str,
+-        branch: &str,
++        branch: Option<&String>,
+         revision: Option<&String>,
+         submodules: bool,
+         frozen: bool,
+     ) -> Result<Self> {
++        let branch = match branch {
++            Some(branch) => branch,
++            None => &git::find_default_branch(url)?,
++        };
++
+         let rev = match revision {
+             Some(rev) => rev,
+             None => &git::find_newest_revision(url, branch)?.to_string(),
+@@ -283,13 +288,20 @@ impl GitHubSource {
+     pub fn new(
+         owner: &str,
+         repo: &str,
+-        branch: &str,
++        branch: Option<&String>,
+         revision: Option<&String>,
+         frozen: bool,
+     ) -> Result<Self> {
++        let repo_url = &Self::git_url(owner, repo);
++
++        let branch = match branch {
++            Some(branch) => branch,
++            None => &git::find_default_branch(repo_url)?,
++        };
++
+         let rev = match revision {
+             Some(rev) => rev,
+-            None => &git::find_newest_revision(&Self::git_url(owner, repo), branch)?.to_string(),
++            None => &git::find_newest_revision(repo_url, branch)?.to_string(),
+         };
+         log::info!("Locked revision: {rev}");
+ 
+
+From eee3871a246605a7ab60714bb193846160ac8e64 Mon Sep 17 00:00:00 2001
+From: Tom Hubrecht <tom@hubrecht.ovh>
+Date: Tue, 10 Jun 2025 17:25:52 +0200
+Subject: [PATCH 2/2] cli: init from npins
+
+We convert three types of pins: `Git`, `GitRelease` and `Channel`
+---
+ rust/lon/src/cli.rs        |  13 ++-
+ rust/lon/src/init.rs       |   1 +
+ rust/lon/src/init/npins.rs | 218 +++++++++++++++++++++++++++++++++++++
+ rust/lon/tests/npins.json  |  86 +++++++++++++++
+ 4 files changed, 312 insertions(+), 6 deletions(-)
+ create mode 100644 rust/lon/src/init/npins.rs
+ create mode 100644 rust/lon/tests/npins.json
+
+diff --git a/rust/lon/src/cli.rs b/rust/lon/src/cli.rs
+index 5806b1d..57dcc50 100644
+--- a/rust/lon/src/cli.rs
++++ b/rust/lon/src/cli.rs
+@@ -11,7 +11,7 @@ use crate::{
+     bot::{Forge, Forgejo, GitHub, GitLab},
+     commit_message::CommitMessage,
+     git,
+-    init::{Convertible, niv},
++    init::{Convertible, niv, npins},
+     lock::Lock,
+     lon_nix::LonNix,
+     sources::{GitHubSource, GitSource, Source, Sources},
+@@ -82,6 +82,7 @@ struct InitArgs {
+ #[derive(Clone, ValueEnum)]
+ enum LockFileType {
+     Niv,
++    Npins,
+ }
+ 
+ #[derive(Subcommand)]
+@@ -261,13 +262,13 @@ fn init(directory: impl AsRef<Path>, args: &InitArgs) -> Result<()> {
+         bail!("No lock file type is provided");
+     };
+ 
+-    let lock_file = match lock_file_type {
+-        LockFileType::Niv => niv::LockFile::from_file(path)?,
+-    };
+-
+     log::info!("Initializing lon.lock from {path:?}");
+ 
+-    let sources = lock_file.convert()?;
++    let sources = match lock_file_type {
++        LockFileType::Niv => niv::LockFile::from_file(path)?.convert()?,
++        LockFileType::Npins => npins::LockFile::from_file(path)?.convert()?,
++    };
++
+     sources.write(&directory)?;
+ 
+     Ok(())
+diff --git a/rust/lon/src/init.rs b/rust/lon/src/init.rs
+index ec87afa..06e63f2 100644
+--- a/rust/lon/src/init.rs
++++ b/rust/lon/src/init.rs
+@@ -1,4 +1,5 @@
+ pub mod niv;
++pub mod npins;
+ 
+ use anyhow::Result;
+ 
+diff --git a/rust/lon/src/init/npins.rs b/rust/lon/src/init/npins.rs
+new file mode 100644
+index 0000000..8a38139
+--- /dev/null
++++ b/rust/lon/src/init/npins.rs
+@@ -0,0 +1,218 @@
++use std::{collections::BTreeMap, fs::File, io::Read, path::Path};
++
++use anyhow::{Context, Result, bail};
++use regex::Regex;
++use serde::Deserialize;
++
++use crate::{
++    init::Convertible,
++    sources::{GitHubSource, GitSource, Source, Sources},
++};
++
++#[derive(Debug, Deserialize)]
++pub struct LockFile {
++    pins: BTreeMap<String, Pin>,
++    version: u64,
++}
++
++#[derive(Debug, Deserialize)]
++#[serde(tag = "type")]
++pub enum Repository {
++    Git {
++        /// URL to the Git repository
++        url: String,
++    },
++    Forgejo {
++        server: String,
++        owner: String,
++        repo: String,
++    },
++    GitHub {
++        /// "owner/repo"
++        owner: String,
++        repo: String,
++    },
++    GitLab {
++        /// usually "owner/repo" or "group/owner/repo" (without leading or trailing slashes)
++        repo_path: String,
++        /// Of the kind <https://gitlab.example.org/>
++        ///
++        /// It must fit into the schema `<server>/<owner>/<repo>` to get a repository's URL.
++        server: String,
++        /// access token for private repositories
++        #[serde(skip_serializing_if = "Option::is_none")]
++        #[serde(default)]
++        private_token: Option<String>,
++    },
++}
++
++// HACK: We know that a Git pin has a branch associated to it and GitRelease has none,
++//       but to unify the behaviour, we set them bot to `Option`s
++#[derive(Debug, Deserialize)]
++#[serde(tag = "type")]
++pub enum Pin {
++    Git {
++        repository: Repository,
++        branch: Option<String>,
++        revision: String,
++        submodules: bool,
++        #[serde(default)]
++        frozen: bool,
++    },
++    GitRelease {
++        repository: Repository,
++        branch: Option<String>,
++        revision: String,
++        submodules: bool,
++        #[serde(default)]
++        frozen: bool,
++    },
++    Channel {
++        #[serde(rename = "name")]
++        channel: String,
++        url: String,
++        #[serde(default)]
++        frozen: bool,
++    },
++}
++
++impl LockFile {
++    pub fn from_file(path: impl AsRef<Path>) -> Result<Self> {
++        let file = File::open(path.as_ref())
++            .with_context(|| format!("Failed to open {:?}", path.as_ref()))?;
++        Self::from_reader(file)
++    }
++
++    fn from_reader(rdr: impl Read) -> Result<Self> {
++        serde_json::from_reader(rdr).context("Failed to deserialize npins lock file")
++    }
++}
++
++impl Convertible for LockFile {
++    fn convert(&self) -> Result<Sources> {
++        let mut sources = Sources::default();
++
++        if self.version == 1 {
++            bail!("Unsupported npins lockfile version: {}", &self.version)
++        }
++
++        let re = Regex::new(
++            r"https://releases\.nixos\.org/.*\.(?<shortrev>[a-f0-9]+)/nixexprs\.tar\.xz",
++        )?;
++
++        for (name, pin) in &self.pins {
++            log::info!("Converting {name}...");
++
++            let source = match pin {
++                Pin::Channel {
++                    channel,
++                    url,
++                    frozen,
++                } => {
++                    let Some(matched) = re.captures(url) else {
++                        bail!("Cannot extract revision from the channel url: {url}")
++                    };
++
++                    Source::GitHub(GitHubSource::new(
++                        "NixOS",
++                        "nixpkgs",
++                        Some(channel),
++                        Some(&matched["shortrev"].into()),
++                        *frozen,
++                    )?)
++                }
++                Pin::Git {
++                    repository,
++                    branch,
++                    revision,
++                    submodules,
++                    frozen,
++                }
++                | Pin::GitRelease {
++                    repository,
++                    branch,
++                    revision,
++                    submodules,
++                    frozen,
++                } => match repository {
++                    Repository::Git { url } => Source::Git(GitSource::new(
++                        url,
++                        branch.as_ref(),
++                        Some(revision),
++                        *submodules,
++                        *frozen,
++                    )?),
++                    Repository::GitHub { owner, repo } => {
++                        if *submodules {
++                            Source::Git(GitSource::new(
++                                &format!("https://github.com/{owner}/{repo}"),
++                                branch.as_ref(),
++                                Some(revision),
++                                *submodules,
++                                *frozen,
++                            )?)
++                        } else {
++                            Source::GitHub(GitHubSource::new(
++                                owner,
++                                repo,
++                                branch.as_ref(),
++                                Some(revision),
++                                *frozen,
++                            )?)
++                        }
++                    }
++                    Repository::Forgejo {
++                        server,
++                        owner,
++                        repo,
++                    } => Source::Git(GitSource::new(
++                        &format!("{server}/{owner}/{repo}"),
++                        branch.as_ref(),
++                        Some(revision),
++                        *submodules,
++                        *frozen,
++                    )?),
++                    Repository::GitLab {
++                        repo_path,
++                        server,
++                        private_token,
++                    } => {
++                        if private_token.is_some() {
++                            log::warn!(
++                                "GitLab source {name} is configured with a PAT, which unsupported in lon"
++                            );
++                        }
++                        Source::Git(GitSource::new(
++                            &format!("{server}/{repo_path}"),
++                            branch.as_ref(),
++                            Some(revision),
++                            *submodules,
++                            *frozen,
++                        )?)
++                    }
++                },
++            };
++
++            sources.add(name, source);
++        }
++
++        Ok(sources)
++    }
++}
++
++#[cfg(test)]
++mod tests {
++    use super::*;
++
++    impl LockFile {
++        fn from_str(s: &str) -> Result<Self> {
++            serde_json::from_str(s).context("Failed to deserialize npins lock file")
++        }
++    }
++
++    #[test]
++    fn parse_npins_lock_file() -> Result<()> {
++        LockFile::from_str(include_str!("../../tests/npins.json"))?;
++        Ok(())
++    }
++}
+diff --git a/rust/lon/tests/npins.json b/rust/lon/tests/npins.json
+new file mode 100644
+index 0000000..10ce4e2
+--- /dev/null
++++ b/rust/lon/tests/npins.json
+@@ -0,0 +1,86 @@
++{
++  "pins": {
++    "agenix": {
++      "type": "GitRelease",
++      "repository": {
++        "type": "GitHub",
++        "owner": "ryantm",
++        "repo": "agenix"
++      },
++      "pre_releases": false,
++      "version_upper_bound": null,
++      "release_prefix": null,
++      "submodules": false,
++      "version": "0.15.0",
++      "revision": "564595d0ad4be7277e07fa63b5a991b3c645655d",
++      "url": "https://api.github.com/repos/ryantm/agenix/tarball/refs/tags/0.15.0",
++      "hash": "sha256-ipqShkBmHKC9ft1ZAsA6aeKps32k7+XZSPwfxeHLsAU="
++    },
++    "arkheon": {
++      "type": "Git",
++      "repository": {
++        "type": "GitHub",
++        "owner": "RaitoBezarius",
++        "repo": "arkheon"
++      },
++      "branch": "main",
++      "submodules": false,
++      "revision": "3eea876b29217d01cf2ef03ea9fdd8779d28ad04",
++      "url": "https://github.com/RaitoBezarius/arkheon/archive/3eea876b29217d01cf2ef03ea9fdd8779d28ad04.tar.gz",
++      "hash": "sha256-+R6MhTXuSzNeGQiL4DQwlP5yNhmnhbf7pQWPUWgcZSM="
++    },
++    "colmena": {
++      "type": "Git",
++      "repository": {
++        "type": "Git",
++        "url": "https://git.dgnum.eu/DGNum/colmena"
++      },
++      "branch": "main",
++      "submodules": false,
++      "revision": "b5135dc8af1d7637b337cc2632990400221da577",
++      "url": null,
++      "hash": "sha256-7gg+K3PEYlN0sGPgDlmnM8zgDDIV505gNcwjFN61Qvk="
++    },
++    "nix-actions": {
++      "type": "GitRelease",
++      "repository": {
++        "type": "Git",
++        "url": "https://git.dgnum.eu/DGNum/nix-actions.git"
++      },
++      "pre_releases": false,
++      "version_upper_bound": null,
++      "release_prefix": null,
++      "submodules": false,
++      "version": "v0.5.1",
++      "revision": "06847b3256df402da0475dccb290832ec92a9f8c",
++      "url": null,
++      "hash": "sha256-2xOZdKiUfcriQFKG37vY96dgCJLndhLa7cGacq8+SA8="
++    },
++    "nixos-25.05": {
++      "type": "Channel",
++      "name": "nixos-25.05",
++      "url": "https://releases.nixos.org/nixos/25.05/nixos-25.05.803579.70c74b02eac4/nixexprs.tar.xz",
++      "hash": "sha256-0RxtgAd4gHYPFFwICal8k8hvJBOkCeTjFkh4HsqYDbE="
++    },
++    "nixos-unstable": {
++      "type": "Channel",
++      "name": "nixos-unstable",
++      "url": "https://releases.nixos.org/nixos/unstable/nixos-25.05pre797896.d89fc19e405c/nixexprs.tar.xz",
++      "hash": "sha256-bFJJ/qwB3VJ0nFuVYYHJXinT4tNJ2jhXTVT6SpYiFOM="
++    },
++    "wp4nix": {
++      "type": "Git",
++      "repository": {
++        "type": "GitLab",
++        "repo_path": "helsinki-systems/wp4nix",
++        "server": "https://git.helsinki.tools/"
++      },
++      "branch": "master",
++      "submodules": false,
++      "revision": "2fc9a0734168cab536e3129efa6397d6cd3ac89f",
++      "url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=2fc9a0734168cab536e3129efa6397d6cd3ac89f",
++      "hash": "sha256-abwqAZGsWuWqfxou8XlqedBvXsUw1/xanSgljLCJxdM="
++    }
++  },
++  "version": 6
++}

patches/lon/01-npins-import.patch.license

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+
+SPDX-License-Identifier: MIT

patches/npins/01-sri-hashes.patch

@@ -1,962 +0,0 @@
-From 6d86eb4b9884f46a38baaafd6a048cbfdc6a6b9b Mon Sep 17 00:00:00 2001
-From: Tom Hubrecht <tom@hubrecht.ovh>
-Date: Tue, 6 May 2025 18:32:31 +0200
-Subject: [PATCH] feat: Use SRI hashes for locking pins
-
-Here, we:
-- Switch to using SRI hashes for all locked inputs
-- Add support for narHash in fetchGit
-
-It is a follow-up of #87 using snix nix-compat crate for manipulating
-hashes
-
-Co-authored-by: Raito Bezarius <masterancpp@gmail.com>
----
- Cargo.lock      | 386 +++++++++++++++++++++++++++++++++++++++++++++++-
- Cargo.toml      |   2 +
- npins.nix       |   4 +
- src/default.nix |  10 +-
- src/git.rs      |  22 +--
- src/nix.rs      |  20 ++-
- src/pypi.rs     |  20 ++-
- src/versions.rs |  40 +++--
- 8 files changed, 466 insertions(+), 38 deletions(-)
-
-diff --git a/Cargo.lock b/Cargo.lock
-index fc0b0df..6345d09 100644
---- a/Cargo.lock
-+++ b/Cargo.lock
-@@ -120,12 +120,38 @@ version = "0.22.1"
- source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
- 
-+[[package]]
-+name = "base64ct"
-+version = "1.7.3"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "89e25b6adfb930f02d1981565a6e5d9c547ac15a96606256d3b59040e5cd4ca3"
-+
- [[package]]
- name = "bitflags"
- version = "2.9.0"
- source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "5c8214115b7bf84099f1309324e63141d4c5d7cc26862f97a0a857dbefe165bd"
- 
-+[[package]]
-+name = "block-buffer"
-+version = "0.10.4"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
-+dependencies = [
-+ "generic-array",
-+]
-+
-+[[package]]
-+name = "bstr"
-+version = "1.12.0"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "234113d19d0d7d613b40e86fb654acf958910802bcceab913a4f9e7cda03b1a4"
-+dependencies = [
-+ "memchr",
-+ "regex-automata",
-+ "serde",
-+]
-+
- [[package]]
- name = "bumpalo"
- version = "3.17.0"
-@@ -205,6 +231,21 @@ version = "1.0.3"
- source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990"
- 
-+[[package]]
-+name = "const-oid"
-+version = "0.9.6"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
-+
-+[[package]]
-+name = "cpufeatures"
-+version = "0.2.17"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"
-+dependencies = [
-+ "libc",
-+]
-+
- [[package]]
- name = "crossterm"
- version = "0.28.1"
-@@ -216,6 +257,69 @@ dependencies = [
-  "rustix",
- ]
- 
-+[[package]]
-+name = "crypto-common"
-+version = "0.1.6"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
-+dependencies = [
-+ "generic-array",
-+ "typenum",
-+]
-+
-+[[package]]
-+name = "curve25519-dalek"
-+version = "4.1.3"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
-+dependencies = [
-+ "cfg-if",
-+ "cpufeatures",
-+ "curve25519-dalek-derive",
-+ "digest",
-+ "fiat-crypto",
-+ "rustc_version",
-+ "subtle",
-+ "zeroize",
-+]
-+
-+[[package]]
-+name = "curve25519-dalek-derive"
-+version = "0.1.1"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
-+dependencies = [
-+ "proc-macro2",
-+ "quote",
-+ "syn",
-+]
-+
-+[[package]]
-+name = "data-encoding"
-+version = "2.9.0"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "2a2330da5de22e8a3cb63252ce2abb30116bf5265e89c0e01bc17015ce30a476"
-+
-+[[package]]
-+name = "der"
-+version = "0.7.10"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
-+dependencies = [
-+ "const-oid",
-+ "zeroize",
-+]
-+
-+[[package]]
-+name = "digest"
-+version = "0.10.7"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
-+dependencies = [
-+ "block-buffer",
-+ "crypto-common",
-+]
-+
- [[package]]
- name = "displaydoc"
- version = "0.2.5"
-@@ -227,6 +331,41 @@ dependencies = [
-  "syn",
- ]
- 
-+[[package]]
-+name = "ed25519"
-+version = "2.2.3"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
-+dependencies = [
-+ "pkcs8",
-+ "signature",
-+]
-+
-+[[package]]
-+name = "ed25519-dalek"
-+version = "2.1.1"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "4a3daa8e81a3963a60642bcc1f90a670680bd4a77535faa384e9d1c79d620871"
-+dependencies = [
-+ "curve25519-dalek",
-+ "ed25519",
-+ "serde",
-+ "sha2",
-+ "subtle",
-+ "zeroize",
-+]
-+
-+[[package]]
-+name = "enum-primitive-derive"
-+version = "0.3.0"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "ba7795da175654fe16979af73f81f26a8ea27638d8d9823d317016888a63dc4c"
-+dependencies = [
-+ "num-traits",
-+ "quote",
-+ "syn",
-+]
-+
- [[package]]
- name = "env_filter"
- version = "0.1.3"
-@@ -265,6 +404,12 @@ dependencies = [
-  "windows-sys 0.59.0",
- ]
- 
-+[[package]]
-+name = "fiat-crypto"
-+version = "0.2.9"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
-+
- [[package]]
- name = "fnv"
- version = "1.0.7"
-@@ -369,6 +514,16 @@ dependencies = [
-  "slab",
- ]
- 
-+[[package]]
-+name = "generic-array"
-+version = "0.14.7"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
-+dependencies = [
-+ "typenum",
-+ "version_check",
-+]
-+
- [[package]]
- name = "getrandom"
- version = "0.2.15"
-@@ -402,6 +557,12 @@ version = "0.31.1"
- source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f"
- 
-+[[package]]
-+name = "glob"
-+version = "0.3.2"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "a8d1add55171497b4705a648c6b583acafb01d58050a51727785f0b2c8e0a2b2"
-+
- [[package]]
- name = "hashbrown"
- version = "0.15.2"
-@@ -719,6 +880,16 @@ version = "0.2.172"
- source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa"
- 
-+[[package]]
-+name = "libmimalloc-sys"
-+version = "0.1.42"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "ec9d6fac27761dabcd4ee73571cdb06b7022dc99089acbe5435691edffaac0f4"
-+dependencies = [
-+ "cc",
-+ "libc",
-+]
-+
- [[package]]
- name = "linux-raw-sys"
- version = "0.4.15"
-@@ -753,6 +924,15 @@ version = "2.7.4"
- source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
- 
-+[[package]]
-+name = "mimalloc"
-+version = "0.1.46"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "995942f432bbb4822a7e9c3faa87a695185b0d09273ba85f097b54f4e458f2af"
-+dependencies = [
-+ "libmimalloc-sys",
-+]
-+
- [[package]]
- name = "mime"
- version = "0.3.17"
-@@ -779,6 +959,53 @@ dependencies = [
-  "windows-sys 0.52.0",
- ]
- 
-+[[package]]
-+name = "nix-compat"
-+version = "0.1.0"
-+source = "git+https://git.snix.dev/snix/snix#4749964f06a7aa20ee19c5f7b3c97079e5c67911"
-+dependencies = [
-+ "bitflags",
-+ "bstr",
-+ "bytes",
-+ "data-encoding",
-+ "ed25519",
-+ "ed25519-dalek",
-+ "enum-primitive-derive",
-+ "futures",
-+ "glob",
-+ "mimalloc",
-+ "nix-compat-derive",
-+ "nom",
-+ "num-traits",
-+ "num_enum",
-+ "pin-project-lite",
-+ "serde",
-+ "serde_json",
-+ "sha2",
-+ "thiserror",
-+ "tokio",
-+ "tracing",
-+]
-+
-+[[package]]
-+name = "nix-compat-derive"
-+version = "0.1.0"
-+source = "git+https://git.snix.dev/snix/snix#4749964f06a7aa20ee19c5f7b3c97079e5c67911"
-+dependencies = [
-+ "proc-macro2",
-+ "quote",
-+ "syn",
-+]
-+
-+[[package]]
-+name = "nom"
-+version = "8.0.0"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "df9761775871bdef83bee530e60050f7e54b1105350d6884eb0fb4f46c2f9405"
-+dependencies = [
-+ "memchr",
-+]
-+
- [[package]]
- name = "npins"
- version = "0.3.1"
-@@ -787,11 +1014,13 @@ dependencies = [
-  "async-trait",
-  "clap",
-  "crossterm",
-+ "data-encoding",
-  "env_logger",
-  "futures",
-  "lenient_semver_parser",
-  "lenient_version",
-  "log",
-+ "nix-compat",
-  "reqwest",
-  "serde",
-  "serde_json",
-@@ -799,6 +1028,36 @@ dependencies = [
-  "url",
- ]
- 
-+[[package]]
-+name = "num-traits"
-+version = "0.2.19"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
-+dependencies = [
-+ "autocfg",
-+]
-+
-+[[package]]
-+name = "num_enum"
-+version = "0.7.3"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "4e613fc340b2220f734a8595782c551f1250e969d87d3be1ae0579e8d4065179"
-+dependencies = [
-+ "num_enum_derive",
-+]
-+
-+[[package]]
-+name = "num_enum_derive"
-+version = "0.7.3"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "af1844ef2428cc3e1cb900be36181049ef3d3193c63e43026cfe202983b27a56"
-+dependencies = [
-+ "proc-macro-crate",
-+ "proc-macro2",
-+ "quote",
-+ "syn",
-+]
-+
- [[package]]
- name = "object"
- version = "0.36.7"
-@@ -855,6 +1114,16 @@ version = "0.1.0"
- source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
- 
-+[[package]]
-+name = "pkcs8"
-+version = "0.10.2"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
-+dependencies = [
-+ "der",
-+ "spki",
-+]
-+
- [[package]]
- name = "ppv-lite86"
- version = "0.2.21"
-@@ -864,6 +1133,15 @@ dependencies = [
-  "zerocopy",
- ]
- 
-+[[package]]
-+name = "proc-macro-crate"
-+version = "3.3.0"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "edce586971a4dfaa28950c6f18ed55e0406c1ab88bbce2c6f6293a7aaba73d35"
-+dependencies = [
-+ "toml_edit",
-+]
-+
- [[package]]
- name = "proc-macro2"
- version = "1.0.94"
-@@ -949,7 +1227,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "3779b94aeb87e8bd4e834cee3650289ee9e0d5677f976ecdb6d219e5f4f6cd94"
- dependencies = [
-  "rand_chacha",
-- "rand_core",
-+ "rand_core 0.9.3",
-  "zerocopy",
- ]
- 
-@@ -960,7 +1238,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
- dependencies = [
-  "ppv-lite86",
-- "rand_core",
-+ "rand_core 0.9.3",
-+]
-+
-+[[package]]
-+name = "rand_core"
-+version = "0.6.4"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
-+dependencies = [
-+ "getrandom 0.2.15",
- ]
- 
- [[package]]
-@@ -1079,6 +1366,15 @@ version = "2.1.1"
- source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "357703d41365b4b27c590e3ed91eabb1b663f07c4c084095e60cbed4362dff0d"
- 
-+[[package]]
-+name = "rustc_version"
-+version = "0.4.1"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
-+dependencies = [
-+ "semver",
-+]
-+
- [[package]]
- name = "rustix"
- version = "0.38.44"
-@@ -1153,6 +1449,12 @@ version = "1.2.0"
- source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
- 
-+[[package]]
-+name = "semver"
-+version = "1.0.26"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0"
-+
- [[package]]
- name = "serde"
- version = "1.0.219"
-@@ -1198,6 +1500,17 @@ dependencies = [
-  "serde",
- ]
- 
-+[[package]]
-+name = "sha2"
-+version = "0.10.9"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
-+dependencies = [
-+ "cfg-if",
-+ "cpufeatures",
-+ "digest",
-+]
-+
- [[package]]
- name = "shlex"
- version = "1.3.0"
-@@ -1213,6 +1526,15 @@ dependencies = [
-  "libc",
- ]
- 
-+[[package]]
-+name = "signature"
-+version = "2.2.0"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
-+dependencies = [
-+ "rand_core 0.6.4",
-+]
-+
- [[package]]
- name = "slab"
- version = "0.4.9"
-@@ -1238,6 +1560,16 @@ dependencies = [
-  "windows-sys 0.52.0",
- ]
- 
-+[[package]]
-+name = "spki"
-+version = "0.7.3"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
-+dependencies = [
-+ "base64ct",
-+ "der",
-+]
-+
- [[package]]
- name = "stable_deref_trait"
- version = "1.2.0"
-@@ -1370,6 +1702,23 @@ dependencies = [
-  "tokio",
- ]
- 
-+[[package]]
-+name = "toml_datetime"
-+version = "0.6.9"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "3da5db5a963e24bc68be8b17b6fa82814bb22ee8660f192bb182771d498f09a3"
-+
-+[[package]]
-+name = "toml_edit"
-+version = "0.22.26"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "310068873db2c5b3e7659d2cc35d21855dbafa50d1ce336397c666e3cb08137e"
-+dependencies = [
-+ "indexmap",
-+ "toml_datetime",
-+ "winnow",
-+]
-+
- [[package]]
- name = "tower"
- version = "0.5.2"
-@@ -1404,9 +1753,21 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "784e0ac535deb450455cbfa28a6f0df145ea1bb7ae51b821cf5e7927fdcfbdd0"
- dependencies = [
-  "pin-project-lite",
-+ "tracing-attributes",
-  "tracing-core",
- ]
- 
-+[[package]]
-+name = "tracing-attributes"
-+version = "0.1.28"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d"
-+dependencies = [
-+ "proc-macro2",
-+ "quote",
-+ "syn",
-+]
-+
- [[package]]
- name = "tracing-core"
- version = "0.1.33"
-@@ -1422,6 +1783,12 @@ version = "0.2.5"
- source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
- 
-+[[package]]
-+name = "typenum"
-+version = "1.18.0"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "1dccffe3ce07af9386bfd29e80c0ab1a8205a2fc34e4bcd40364df902cfa8f3f"
-+
- [[package]]
- name = "unicode-ident"
- version = "1.0.18"
-@@ -1464,6 +1831,12 @@ version = "0.2.2"
- source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
- 
-+[[package]]
-+name = "version_check"
-+version = "0.9.5"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
-+
- [[package]]
- name = "want"
- version = "0.3.1"
-@@ -1769,6 +2142,15 @@ version = "0.53.0"
- source = "registry+https://github.com/rust-lang/crates.io-index"
- checksum = "271414315aff87387382ec3d271b52d7ae78726f5d44ac98b4f4030c91880486"
- 
-+[[package]]
-+name = "winnow"
-+version = "0.7.10"
-+source = "registry+https://github.com/rust-lang/crates.io-index"
-+checksum = "c06928c8748d81b05c9be96aad92e1b6ff01833332f281e8cfca3be4b35fc9ec"
-+dependencies = [
-+ "memchr",
-+]
-+
- [[package]]
- name = "wit-bindgen-rt"
- version = "0.39.0"
-diff --git a/Cargo.toml b/Cargo.toml
-index b603f77..badbe24 100644
---- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -32,6 +32,8 @@ futures = "0.3.31"
- clap = { version = "4.5", features = [ "derive", "env" ], optional = true }
- crossterm = { version = "0.28.1", default-features = false, optional = true }
- env_logger = { version = "^0.11.0", features = ["color", "auto-color", "regex"], default-features = false, optional = true }
-+nix-compat = { git = "https://git.snix.dev/snix/snix", version = "0.1.0" }
-+data-encoding = "2.9.0"
- 
- [dev-dependencies]
- env_logger = { version = "^0.11.0", features = ["color", "auto-color", "regex"], default-features = false }
-diff --git a/npins.nix b/npins.nix
-index 912d431..dfdcda8 100644
---- a/npins.nix
-+++ b/npins.nix
-@@ -51,6 +51,10 @@ let
-     version = cargoToml.package.version;
-     cargoLock = {
-       lockFile = src + "/Cargo.lock";
-+
-+      outputHashes = {
-+        "nix-compat-0.1.0" = "sha256-U9pAde6R2yoP8ivnoNX/1rve+ALrDk8+4R2BKoGzg24=";
-+      };
-     };
- 
-     inherit src;
-diff --git a/src/default.nix b/src/default.nix
-index 6592476..fc9ebc5 100644
---- a/src/default.nix
-+++ b/src/default.nix
-@@ -82,7 +82,7 @@ let
-     if url != null && !submodules then
-       builtins.fetchTarball {
-         inherit url;
--        sha256 = hash; # FIXME: check nix version & use SRI hashes
-+        sha256 = hash;
-       }
-     else
-       let
-@@ -109,9 +109,9 @@ let
-       in
-       builtins.fetchGit {
-         rev = revision;
--        inherit name;
--        # hash = hash;
--        inherit url submodules;
-+        narHash = hash;
-+
-+        inherit name submodules url;
-       };
- 
-   mkPyPiSource =
-@@ -140,7 +140,7 @@ let
-       sha256 = hash;
-     };
- in
--if version == 5 then
-+if version == 6 then
-   builtins.mapAttrs mkSource data.pins
- else
-   throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
-diff --git a/src/git.rs b/src/git.rs
-index 334e9d1..c7c5241 100644
---- a/src/git.rs
-+++ b/src/git.rs
-@@ -852,7 +852,7 @@ mod test {
-             pin.fetch(&version).await?,
-             OptionalUrlHashes {
-                 url: None,
--                hash: "17giznxp84h53jsm334dkp1fz6x9ff2yqfkq34ihq0ray1x3yhyd".into(),
-+                hash: "sha256-zUM/evAqAwwjGXg67IVzqZvvwp2NjFG1HAUSdLv98Z0=".into(),
-             }
-         );
-         Ok(())
-@@ -880,7 +880,7 @@ mod test {
-             pin.fetch(&version).await?,
-             ReleasePinHashes {
-                 url: None,
--                hash: "0q06gjh6129bfs0x072xicmq0q2psnq6ckf05p1jfdxwl7jljg06".into(),
-+                hash: "sha256-BjxJ5aG8NyfDLcBNZrDVV2CAK4tdHNCBdiuJYKB8BmA=".into(),
-                 revision: "35be5b2b2c3431de1100996487d53134f658b866".into(),
-             }
-         );
-@@ -908,7 +908,7 @@ mod test {
-             pin.fetch(&version).await?,
-             OptionalUrlHashes {
-                 url: Some("https://github.com/oliverwatkins/swing_library/archive/1edb0a9cebe046cc915a218c57dbf7f40739aeee.tar.gz".parse().unwrap()),
--                hash: "17giznxp84h53jsm334dkp1fz6x9ff2yqfkq34ihq0ray1x3yhyd".into(),
-+                hash: "sha256-zUM/evAqAwwjGXg67IVzqZvvwp2NjFG1HAUSdLv98Z0=".into(),
-             }
-         );
-         Ok(())
-@@ -942,7 +942,7 @@ mod test {
-                         .parse()
-                         .unwrap()
-                 ),
--                hash: "0q06gjh6129bfs0x072xicmq0q2psnq6ckf05p1jfdxwl7jljg06".into(),
-+                hash: "sha256-BjxJ5aG8NyfDLcBNZrDVV2CAK4tdHNCBdiuJYKB8BmA=".into(),
-             }
-         );
-         Ok(())
-@@ -976,7 +976,7 @@ mod test {
-                         .parse()
-                         .unwrap()
-                 ),
--                hash: "0arqpja90n3yy767x0ckwg4biqm4igcpa0vznvx3daaywjkb1v7v".into(),
-+                hash: "sha256-++ywpuReqTb6tn8DddmLpOK4yOOTgX7M8X5YkJS8OCs=".into(),
-             }
-         );
-         Ok(())
-@@ -1004,7 +1004,7 @@ mod test {
-             pin.fetch(&version).await?,
-             OptionalUrlHashes {
-                 url: Some("https://git.lix.systems/lix-project/lix/archive/4bbdb2f5564b9b42bcaf0e1eec28325300f31c72.tar.gz".parse().unwrap()),
--                hash: "03rygh7i9wzl6mhha6cv5q26iyzwy8l59d5cq4r6j5kpss9l1hn3".into(),
-+                hash: "sha256-w8JAk9Z3Fmkyway0VCjy/PtoBC6bGQVhNfTzFA98Pg8=".into(),
-             }
-         );
-         Ok(())
-@@ -1039,7 +1039,7 @@ mod test {
-                         .parse()
-                         .unwrap()
-                 ),
--                hash: "1iyylsiv1n6mf6rbi4k4fm5nv24a940cwfz92gk9fx6axh2kxjbz".into(),
-+                hash: "sha256-f8k+BezKdJfmE+k7zgBJiohtS3VkkriycdXYsKOm3sc=".into(),
-             }
-         );
-         Ok(())
-@@ -1067,7 +1067,7 @@ mod test {
-             pin.fetch(&version).await?,
-             OptionalUrlHashes {
-                 url: Some("https://gitlab.com/api/v4/projects/maxigaz%2Fgitlab-dark/repository/archive.tar.gz?sha=e7145078163692697b843915a665d4f41139a65c".parse().unwrap()),
--                hash: "0nmcr0g0cms4yx9wsgbyvxyvdlqwa9qdb8179g47rs0y04iylcsv".into(),
-+                hash: "sha256-WzPqIwEe6HzISyeg1XBSHNO2fd9+Pc1T90RXBh7IrFo=".into(),
-             }
-         );
-         Ok(())
-@@ -1100,7 +1100,7 @@ mod test {
-                 url: Some("https://gitlab.com/api/v4/projects/maxigaz%2Fgitlab-dark/repository/archive.tar.gz?ref=v1.16.0"
-                     .parse()
-                     .unwrap()),
--                hash: "0nmcr0g0cms4yx9wsgbyvxyvdlqwa9qdb8179g47rs0y04iylcsv".into(),
-+                hash: "sha256-WzPqIwEe6HzISyeg1XBSHNO2fd9+Pc1T90RXBh7IrFo=".into(),
-             }
-         );
-         Ok(())
-@@ -1128,7 +1128,7 @@ mod test {
-             pin.fetch(&version).await?,
-             OptionalUrlHashes {
-                 url: Some("https://gitlab.gnome.org/api/v4/projects/Archive%2Fgnome-games/repository/archive.tar.gz?sha=bca2071b6923d45d9aabac27b3ea1e40f5fa3006".parse().unwrap()),
--                hash: "0pn7mdj56flvvlhm96igx8g833sslzgypfb2a4zv7lj8z3kiikmg".into(),
-+                hash: "sha256-r84Y5/hI0rM/UWK569+nWo+BHuovmlQh3Zs6U2Srx14=".into(),
-             }
-         );
-         Ok(())
-@@ -1159,7 +1159,7 @@ mod test {
-             ReleasePinHashes {
-                 revision: "2c89145d52d072a4ca5da900c2676d890bfab1ff".into(),
-                 url: Some("https://gitlab.gnome.org/api/v4/projects/Archive%2Fgnome-games/repository/archive.tar.gz?ref=40.0".parse().unwrap()),
--                hash: "0pn7mdj56flvvlhm96igx8g833sslzgypfb2a4zv7lj8z3kiikmg".into(),
-+                hash: "sha256-r84Y5/hI0rM/UWK569+nWo+BHuovmlQh3Zs6U2Srx14=".into(),
-             }
-         );
-         Ok(())
-diff --git a/src/nix.rs b/src/nix.rs
-index 2248079..499e0e7 100644
---- a/src/nix.rs
-+++ b/src/nix.rs
-@@ -1,5 +1,6 @@
- use crate::check_url;
- use anyhow::{Context, Result};
-+use data_encoding::BASE64;
- use log::debug;
- 
- #[allow(unused)]
-@@ -8,6 +9,16 @@ pub struct PrefetchInfo {
-     hash: String,
- }
- 
-+pub fn hash_to_sri(s: &str, algo: &str) -> Result<String> {
-+    let hash = nix_compat::nixhash::from_str(s, Some(algo))?;
-+
-+    Ok(format!(
-+        "{}-{}",
-+        hash.algo(),
-+        BASE64.encode(hash.digest_as_bytes())
-+    ))
-+}
-+
- pub async fn nix_prefetch_tarball(url: impl AsRef<str>) -> Result<String> {
-     let url = url.as_ref();
-     check_url(url).await?;
-@@ -37,8 +48,11 @@ pub async fn nix_prefetch_tarball(url: impl AsRef<str>) -> Result<String> {
-     }
- 
-     let stdout = String::from_utf8_lossy(&output.stdout);
--    log::debug!("Got hash: {}", stdout);
--    Ok(String::from(stdout.trim()))
-+    let hash = stdout.trim();
-+
-+    log::debug!("Got sha256: {}", hash);
-+
-+    hash_to_sri(&hash, "sha256")
- }
- 
- pub async fn nix_prefetch_git(
-@@ -111,5 +125,5 @@ pub async fn nix_prefetch_git(
-     let info: NixPrefetchGitResponse = serde_json::from_slice(&output.stdout)
-         .context("Failed to deserialize nix-pfetch-git JSON response.")?;
- 
--    Ok(info.sha256)
-+    hash_to_sri(&info.sha256, "sha256")
- }
-diff --git a/src/pypi.rs b/src/pypi.rs
-index 51191d2..5d744ef 100644
---- a/src/pypi.rs
-+++ b/src/pypi.rs
-@@ -1,6 +1,6 @@
- //! Pin a PyPi package
- 
--use crate::*;
-+use crate::{nix::hash_to_sri, *};
- use anyhow::{Context, Result};
- use lenient_version::Version;
- use serde::{Deserialize, Serialize};
-@@ -125,11 +125,15 @@ impl Updatable for Pin {
-                 anyhow::format_err!("Unsupported package: must contain some \"source\" download",)
-             })?;
- 
--        let hash = latest_source.digests.remove("sha256").ok_or_else(|| {
--            anyhow::format_err!(
--                "JSON metadata is invalid: must contain a `sha256` entry within `digests`",
--            )
--        })?;
-+        let hash = latest_source
-+            .digests
-+            .remove("sha256")
-+            .ok_or_else(|| {
-+                anyhow::format_err!(
-+                    "JSON metadata is invalid: must contain a `sha256` entry within `digests`",
-+                )
-+            })
-+            .and_then(|s| hash_to_sri(&s, "sha256"))?;
- 
-         Ok(GenericUrlHashes {
-             hash,
-@@ -190,7 +194,7 @@ mod test {
-         assert_eq!(
-             pin.fetch(&version).await?,
-             GenericUrlHashes {
--                hash: "3953b158b7b690642d68cd6beb1d59f6e10526f2ee10a6fb4636a913cc95e718".into(),
-+                hash: "sha256-OVOxWLe2kGQtaM1r6x1Z9uEFJvLuEKb7RjapE8yV5xg=".into(),
-                 url: "https://files.pythonhosted.org/packages/d1/d5/0c270c22d61ff6b883d0f24956f13e904b131b5ac2829e0af1cda99d70b1/gaiatest-0.34.tar.gz".parse().unwrap(),
-             }
-         );
-@@ -216,7 +220,7 @@ mod test {
-         assert_eq!(
-             pin.fetch(&version).await?,
-             GenericUrlHashes {
--                hash: "39d09c6627255fcf39c938937995665b6377799c4fa141f6b481bcb5e6a688ac".into(),
-+                hash: "sha256-OdCcZiclX885yTiTeZVmW2N3eZxPoUH2tIG8teamiKw=".into(),
-                 url: "https://files.pythonhosted.org/packages/fd/75/6e72889c3b154a179040b94963a50901966ff30b68600271df374b2ded7a/streamlit-0.89.0.tar.gz".parse().unwrap(),
-             }
-         );
-diff --git a/src/versions.rs b/src/versions.rs
-index 003402f..a65c995 100644
---- a/src/versions.rs
-+++ b/src/versions.rs
-@@ -1,11 +1,12 @@
- //! Versioning support for the save format
- 
- use super::*;
-+use crate::nix::hash_to_sri;
- use anyhow::{Context, Result};
- use serde_json::{json, Map, Value};
- 
- /// The current format version
--pub const LATEST: u64 = 5;
-+pub const LATEST: u64 = 6;
- 
- /// Custom manual deserialize wrapper that checks the version
- pub fn from_value_versioned(value: Value) -> Result<NixPins> {
-@@ -83,11 +84,18 @@ pub fn upgrade(mut pins_raw: Map<String, Value>) -> Result<Value> {
-      * They are omitted here; Only non-trivial upgrades should be inserted.
-      */
-     type Upgrader = Box<dyn Fn(&mut Map<String, Value>) -> Result<()>>;
--    let version_upgraders: BTreeMap<u64, Upgrader> = [(
--        0,
--        Box::new(|pins_raw: &mut Map<String, Value>| generic_upgrader(pins_raw, upgrade_v0_pin))
--            as Upgrader,
--    )]
-+    let version_upgraders: BTreeMap<u64, Upgrader> = [
-+        (
-+            0,
-+            Box::new(|pins_raw: &mut Map<String, Value>| generic_upgrader(pins_raw, upgrade_v0_pin))
-+                as Upgrader,
-+        ),
-+        (
-+            5,
-+            Box::new(|pins_raw: &mut Map<String, Value>| generic_upgrader(pins_raw, upgrade_v5_pin))
-+                as Upgrader,
-+        ),
-+    ]
-     .into_iter()
-     .collect();
- 
-@@ -224,6 +232,20 @@ fn upgrade_v0_pin(name: &str, raw_pin: &mut Map<String, Value>) -> Result<()> {
-     Ok(())
- }
- 
-+/* v5→v6. This upgrade changes the hashes of git and git-release pins to use SRI hashes instead of
-+ * raw sha256 hashes.
-+ */
-+fn upgrade_v5_pin(name: &str, raw_pin: &mut Map<String, Value>) -> Result<()> {
-+    log::debug!("Updating {} to v6", name);
-+
-+    if let Some(raw_hash) = raw_pin.remove("hash") {
-+        let hash: String = serde_json::from_value(raw_hash)?;
-+        raw_pin.insert("hash".into(), hash_to_sri(&hash, "sha256")?.into());
-+    }
-+
-+    Ok(())
-+}
-+
- #[cfg(test)]
- mod test {
-     use super::*;
-@@ -301,19 +323,19 @@ mod test {
-                     "nixos-mailserver".into() => Pin::Git {
-                         input: git::GitPin::new(git::Repository::git("https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git".parse().unwrap()), "nixos-21.11".into(), false),
-                         version: Some(git::GitRevision::new("6e3a7b2ea6f0d68b82027b988aa25d3423787303".into()).unwrap()),
--                        hashes: Some(git::OptionalUrlHashes { url: None, hash: "1i56llz037x416bw698v8j6arvv622qc0vsycd20lx3yx8n77n44".into() } ),
-+                        hashes: Some(git::OptionalUrlHashes { url: None, hash: "sha256-hNhzLOp+dApEY15vwLAQZu+sjEQbJcOXCaSfAT6lpsQ=".into() } ),
-                         frozen: Frozen::default(),
-                     },
-                     "nixpkgs".into() => Pin::Git {
-                         input: git::GitPin::new(git::Repository::github("nixos", "nixpkgs"), "nixpkgs-unstable".into(), false),
-                         version: Some(git::GitRevision::new("5c37ad87222cfc1ec36d6cd1364514a9efc2f7f2".into()).unwrap()),
--                        hashes: Some(git::OptionalUrlHashes { url: Some("https://github.com/nixos/nixpkgs/archive/5c37ad87222cfc1ec36d6cd1364514a9efc2f7f2.tar.gz".parse().unwrap()), hash: "1r74afnalgcbpv7b9sbdfbnx1kfj0kp1yfa60bbbv27n36vqdhbb".into() }),
-+                        hashes: Some(git::OptionalUrlHashes { url: Some("https://github.com/nixos/nixpkgs/archive/5c37ad87222cfc1ec36d6cd1364514a9efc2f7f2.tar.gz".parse().unwrap()), hash: "sha256-a8GGtxn2iL3WAkY5H+4E0s3Q7XJt6bTOvos9qqxT5OQ=".into() }),
-                         frozen: Frozen::default(),
-                     },
-                     "streamlit".into() => Pin::PyPi {
-                         input: pypi::Pin { name: "streamlit".into(), version_upper_bound: None },
-                         version: Some(GenericVersion { version: "1.3.1".into() }),
--                        hashes: Some(GenericUrlHashes { url: "https://files.pythonhosted.org/packages/c3/9d/ac871992617220442832af12c3808716f4349ab05ff939d695fe8b542f00/streamlit-1.3.1.tar.gz".parse().unwrap(), hash: "adec7935c9cf774b9115b2456cf2f48c4f49b9f67159a97db0fe228357c1afdf".into() } ),
-+                        hashes: Some(GenericUrlHashes { url: "https://files.pythonhosted.org/packages/c3/9d/ac871992617220442832af12c3808716f4349ab05ff939d695fe8b542f00/streamlit-1.3.1.tar.gz".parse().unwrap(), hash: "sha256-rex5NcnPd0uRFbJFbPL0jE9JufZxWal9sP4ig1fBr98=".into() } ),
-                         frozen: Frozen::default(),
-                     },
-                     "youtube-dl".into() => Pin::GitRelease {

pkgs/default.nix

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: EUPL-1.2
 
 {
-  sources ? import ../npins,
+  sources ? import ../lon.nix,
   pkgs ? import sources."nixos-unstable" { },
   callPackage ? pkgs.callPackage,
 }:

workflows/lon-update.nix

@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ nix-actions, ... }:
+
+let
+  inherit (nix-actions.lib) nix-shell secret;
+in
+
+{
+  name = "Update dependencies";
+  on.schedule = [
+    # Run every 24h
+    { cron = "30 13 * * *"; }
+  ];
+
+  jobs = {
+    update = {
+      runs-on = "nix";
+      steps = [
+        {
+          uses = "actions/checkout@v4";
+          "with".token = secret "TEA_DGNUM_CHORES_TOKEN";
+        }
+        {
+          env = {
+            LON_TOKEN = secret "TEA_DGNUM_CHORES_TOKEN";
+            LON_USER_NAME = "DGNum [bot]";
+            LON_USER_EMAIL = "admins+lon-bot@dgnum.eu";
+            # LON_LABELS = "bot";
+            LON_LIST_COMMITS = true;
+          };
+
+          run = nix-shell {
+            script = "lon bot forgejo";
+            shell = "lon-update";
+          };
+        }
+      ];
+    };
+  };
+}

workflows/npins-update.nix

@@ -1,98 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
-#
-# SPDX-License-Identifier: EUPL-1.2
-
-{ lib, nix-actions, ... }:
-
-let
-  inherit (nix-actions.lib) secret;
-
-  inherit (lib) genAttrs mapAttrs' nameValuePair;
-
-  dependencies = builtins.attrNames (import ../npins);
-in
-
-{
-  name = "Update dependencies";
-  on.schedule = [
-    # Run every 24h
-    { cron = "30 13 * * *"; }
-  ];
-
-  # Global environment, necessary for rebases and commits
-  env = rec {
-    GIT_AUTHOR_NAME = "HT Chores";
-    GIT_AUTHOR_EMAIL = "chores@mail.hubrecht.ovh";
-    GIT_COMMITTER_NAME = GIT_AUTHOR_NAME;
-    GIT_COMMITTER_EMAIL = GIT_AUTHOR_EMAIL;
-  };
-
-  jobs = mapAttrs' (name: nameValuePair (builtins.replaceStrings [ "." ] [ "_" ] name)) (
-    genAttrs dependencies (name: {
-      runs-on = "nix-infra";
-      steps = [
-        (nix-actions.lib.steps.checkout {
-          fetch-depth = 0;
-          token = secret "TEA_DGNUM_CHORES_TOKEN";
-        })
-
-        {
-          env.GIT_UPDATE_BRANCH = "npins-updates/${name}";
-
-          name = "Switch to a new branch";
-          run = # bash
-            ''
-              if git ls-remote --exit-code --heads origin "refs/heads/$GIT_UPDATE_BRANCH"; then
-                git switch "$GIT_UPDATE_BRANCH"
-                git rebase main
-                echo "EXISTING_BRANCH=1" >> $GITHUB_ENV
-              else
-                git switch -C "$GIT_UPDATE_BRANCH"
-                echo "EXISTING_BRANCH=" >> $GITHUB_ENV
-              fi
-            '';
-        }
-
-        {
-          env = {
-            GIT_UPDATE_BRANCH = "npins-updates/${name}";
-            COMMIT_MESSAGE = "chore(npins): Update ${name}";
-          };
-
-          name = "Open a PR if updates are present";
-          run = nix-actions.lib.nix-shell {
-            shell = "npins-shell";
-            script = ''
-              npins update ${name}
-
-              if ! git diff --exit-code npins/sources.json > /dev/null; then
-                echo "[+] Changes detected, pushing updates."
-
-                git add npins/sources.json
-
-                if [ -n "$EXISTING_BRANCH" ]; then
-                  git commit --amend --no-edit
-                  git push --force
-                else
-                  git commit --message "$COMMIT_MESSAGE"
-                  git push -u origin "$GIT_UPDATE_BRANCH"
-                fi
-
-                # Connect to the server with the cli
-                tea login add -n dgnum-chores -t ${secret "TEA_DGNUM_CHORES_TOKEN"} -u https://git.dgnum.eu
-
-                # Create a pull request if needed
-                # i.e. no PR with the same title exists
-                if [ -z $(tea pr ls -f='head' -o simple | grep "$GIT_UPDATE_BRANCH") ]; then
-                  tea pr create --description "Automatic npins update" --title "$COMMIT_MESSAGE" --head "$GIT_UPDATE_BRANCH"
-                fi
-              elif [ -n "$EXISTING_BRANCH" ]; then
-                git push --force
-              fi
-            '';
-          };
-        }
-      ];
-    })
-  );
-}