fix(web03/dj-apps): Use secret tokens

fix(netbox-agent): Disable as it is broken
chore(patches): Reorganize
2024-11-25 16:06:08 +01:00 · 2024-11-25 15:18:28 +01:00 · 2024-11-25 11:15:20 +01:00 · 2024-11-23 11:33:56 +01:00 · 2024-11-22 23:12:18 +01:00 · 2024-11-22 15:27:34 +00:00
65 changed files with 1078 additions and 1389 deletions
--- a/.envrc
+++ b/.envrc
@ -1 +1,2 @@
 watch_file workflows/*
 use nix
--- a/.forgejo/workflows/check-meta.yaml
+++ b/.forgejo/workflows/check-meta.yaml
@ -1,3 +1,16 @@
 jobs:
  check_dns:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - name: Check the validity of the DNS configuration
      run: nix-build meta/verify.nix -A dns
  check_meta:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - name: Check the validity of meta options
      run: nix-build meta/verify.nix -A meta
 name: Check meta
 on:
  pull_request:
@ -5,21 +18,4 @@ on:
    - main
  push:
    paths:
-      - 'meta/*'
+    - meta/*
 jobs:
  check_meta:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Check the validity of meta options
        run: nix-build meta/verify.nix -A meta
  check_dns:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Check the validity of the DNS configuration
        run: nix-build meta/verify.nix -A dns --no-out-link
--- a/.forgejo/workflows/check-workflows.yaml
+++ b/.forgejo/workflows/check-workflows.yaml
@ -0,0 +1,16 @@
 jobs:
  check_workflows:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - name: Check that the workflows are up to date
      run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
        -eq 0 ]'
 name: Check workflows
 on:
  pull_request:
    branches:
    - main
  push:
    paths:
    - workflows/*
--- a/.forgejo/workflows/ds-fr.yaml
+++ b/.forgejo/workflows/ds-fr.yaml
@ -1,56 +0,0 @@
 name: ds-fr update
 on:
  schedule:
    - cron: "26 18 * * wed"
 jobs:
  npins_update:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
        with:
          token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
      - name: Update DS and open PR if necessary
        run: |
          # Fetch the latest release tag
          VERSION=$(curl -L \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
          | jq -r '.tag_name')
          # Move to the ds-fr directory
          cd machines/compute01/ds-fr/package
          # Run the update script
          ./update.sh -v "$VERSION"
          if [ ! -z "$(git diff --name-only)" ]; then
            echo "[+] Changes detected, pushing updates."
            git switch -C ds-update
            git add .
            git config user.name "DGNum Chores"
            git config user.email "tech@dgnum.eu"
            git commit --message "chore(ds-fr): Update"
            git push --set-upstream origin ds-update --force
            # Connect to the server with the cli
            tea login add \
              -n dgnum-chores \
              -t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
              -u https://git.dgnum.eu
            # Create a pull request if needed
            # i.e. no PR with the same title exists
            if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
              tea pr create \
                --description "Automatic ds-fr update" \
                --title "chore(ds-fr): Update" \
                --head ds-update
            fi
          fi
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@ -0,0 +1,119 @@
 jobs:
  bridge01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: bridge01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache bridge01
      run: nix-shell -A eval-nodes --run cache-node
  compute01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: compute01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache compute01
      run: nix-shell -A eval-nodes --run cache-node
  geo01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: geo01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache geo01
      run: nix-shell -A eval-nodes --run cache-node
  geo02:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: geo02
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache geo02
      run: nix-shell -A eval-nodes --run cache-node
  rescue01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: rescue01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache rescue01
      run: nix-shell -A eval-nodes --run cache-node
  storage01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: storage01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache storage01
      run: nix-shell -A eval-nodes --run cache-node
  vault01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: vault01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache vault01
      run: nix-shell -A eval-nodes --run cache-node
  web01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: web01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache web01
      run: nix-shell -A eval-nodes --run cache-node
  web02:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: web02
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache web02
      run: nix-shell -A eval-nodes --run cache-node
  web03:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: web03
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache web03
      run: nix-shell -A eval-nodes --run cache-node
 name: Build all the nodes
 on:
  pull_request:
    branches:
    - main
  push:
    branches:
    - main
--- a/.forgejo/workflows/eval.yaml
+++ b/.forgejo/workflows/eval.yaml
@ -1,200 +0,0 @@
 name: build configuration
 on:
  pull_request:
    types: [opened, synchronize, edited, reopened]
    branches:
      - main
  push:
    branches:
      - main
 jobs:
  build_and_cache_compute01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "compute01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_compute01
          path: paths.txt
  build_and_cache_storage01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "storage01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_storage01
          path: paths.txt
  build_and_cache_rescue01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "rescue01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_rescue01
          path: paths.txt
  build_and_cache_geo01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "geo01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_geo01
          path: paths.txt
  build_and_cache_geo02:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "geo02"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_geo02
          path: paths.txt
  build_and_cache_vault01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "vault01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_vault01
          path: paths.txt
  build_and_cache_web01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "web01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_web01
          path: paths.txt
  build_and_cache_web02:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "web02"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_web02
          path: paths.txt
  build_and_cache_web03:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "web03"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_web02
          path: paths.txt
  build_and_cache_bridge01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "bridge01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_web02
          path: paths.txt
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@ -1,11 +0,0 @@
 name: lint
 on: [push, pull_request]
 jobs:
  check:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Run pre-commit on all files
        run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.
--- a/.forgejo/workflows/npins-update.yaml
+++ b/.forgejo/workflows/npins-update.yaml
@ -0,0 +1,25 @@
 jobs:
  npins_update:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - name: Update dependencies and open PR if necessary
      run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n  echo
        \"[+] Changes detected, pushing updates.\"\n\n  git switch -C npins-update\n\
        \n  git add npins\n\n  git config user.name \"DGNum Chores\"\n  git config
        user.email \"tech@dgnum.eu\"\n\n  git commit --message \"chore(npins): Update\"\
        \n  git push --set-upstream origin npins-update --force\n\n  # Connect to
        the server with the cli\n  tea login add \\\n    -n dgnum-chores \\\n    -t
        \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n    -u https://git.dgnum.eu\n\
        \n  # Create a pull request if needed\n  # i.e. no PR with the same title
        exists\n  if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):
        Update dgnum-chores')\" ]; then\n    tea pr create \\\n      --description
        \"Automatic npins update\" \\\n      --title \"chore(npins): Update\" \\\n\
        \      --head npins-update\n  fi\nfi\n"
 name: npins update
 on:
  schedule:
  - cron: 25 15 * * *
--- a/.forgejo/workflows/pre-commit.yaml
+++ b/.forgejo/workflows/pre-commit.yaml
@ -0,0 +1,12 @@
 jobs:
  check:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - name: Run pre-commit on all files
      run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
        pre-push --show-diff-on-failure'
 name: Run pre-commit on all files
 on:
 - push
 - pull_request
--- a/default.nix
+++ b/default.nix
@ -41,7 +41,15 @@
 }:
 let
-  git-checks = (import (builtins.storePath sources.git-hooks)).run {
+  inherit (pkgs.lib)
    isFunction
    mapAttrs
    mapAttrs'
    nameValuePair
    removeSuffix
    ;
  git-checks = (import sources.git-hooks).run {
    src = ./.;
    hooks = {
@ -67,6 +75,22 @@ let
      commitizen.enable = true;
    };
  };
  workflows = (import sources.nix-actions { inherit pkgs; }).install {
    src = ./.;
    workflows = mapAttrs' (
      name: _:
      nameValuePair (removeSuffix ".nix" name) (
        let
          w = import ./workflows/${name};
        in
        if isFunction w then w { inherit (pkgs) lib; } else w
      )
    ) (builtins.readDir ./workflows);
  };
  scripts = import ./scripts { inherit pkgs; };
 in
 {
@ -78,36 +102,35 @@ in
  mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
-  shells = {
+  devShell = pkgs.mkShell {
    default = pkgs.mkShell {
    name = "dgnum-infra";
    packages = [
      (pkgs.nixos-generators.overrideAttrs (_: {
        version = "1.8.0-unstable";
-          src = builtins.storePath sources.nixos-generators;
+        src = sources.nixos-generators;
      }))
      pkgs.npins
      (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
      (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
      (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
-
+    ] ++ (builtins.attrValues scripts);
      ] ++ (import ./scripts { inherit pkgs; });
    shellHook = ''
      ${git-checks.shellHook}
      ${workflows.shellHook}
    '';
    preferLocalBuild = true;
    };
-    pre-commit = pkgs.mkShell {
+    ###
-      name = "pre-commit-shell";
+    # Alternative shells
-      shellHook = ''
+    passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
-        ${git-checks.shellHook}
+      pre-commit.shellHook = git-checks.shellHook;
-      '';
+      check-workflows.shellHook = workflows.shellHook;
      eval-nodes.packages = [ scripts.cache-node ];
    };
  };
 }
--- a/hive.nix
+++ b/hive.nix
@ -64,23 +64,12 @@ in
  };
  defaults =
-    {
+    { name, nodeMeta, ... }:
      pkgs,
      name,
      nodeMeta,
      ...
    }:
    {
      # Import the default modules
      imports = [
        ./modules
-        (import "${sources.lix-module}/module.nix" {
+        (import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
          lix = pkgs.applyPatches {
            name = "lix-2.90.patched";
            src = sources.lix;
            patches = [ ./patches/00-disable-installChecks-lix.patch ];
          };
        })
      ];
      # Include default secrets
--- a/keys/default.nix
+++ b/keys/default.nix
@ -25,6 +25,9 @@ rec {
    web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
    # SSH keys of the DGNum members
    agroudiev = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
    ];
    catvayor = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
    ];
@ -44,8 +47,10 @@ rec {
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
    ];
    mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
    mdebray = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
    ];
    raito = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
--- a/lib/nix-lib/default.nix
+++ b/lib/nix-lib/default.nix
@ -190,8 +190,11 @@ rec {
    recursiveFuse [
      (enableModules enabledModules)
-      { imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
+      {
        imports =
          (extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
      }
-      extraConfig
+      (removeAttrs extraConfig [ "imports" ])
    ];
 }
--- a/machines/compute01/ds-fr/default.nix
+++ b/machines/compute01/ds-fr/default.nix
@ -1,7 +1,14 @@
-{ config, ... }:
+{
  config,
  pkgs,
  sources,
  ...
 }:
 let
  host = "demarches.dgnum.eu";
  dgn-id = "fca8f72cd60c00e74d7735ec13e4e3a22e8e1244";
 in
 {
  imports = [ ./module.nix ];
@ -11,6 +18,18 @@ in
  services.demarches-simplifiees = {
    enable = true;
    package =
      ((import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.override {
        initialDeploymentDate = "20230923";
      }).overrideAttrs
        (old: {
          dsModules = old.dsModules.overrideAttrs {
            prePatch = ''
              ${pkgs.lib.getExe pkgs.git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
            '';
          };
        });
    secretFile = config.age.secrets."ds-fr-secret_file".path;
    initialDeploymentDate = "20230923";
--- a/machines/compute01/kanidm/default.nix
+++ b/machines/compute01/kanidm/default.nix
@ -2,7 +2,6 @@
  config,
  lib,
  meta,
  nixpkgs,
  ...
 }:
@ -43,7 +42,7 @@ in
  services.kanidm = {
    enableServer = true;
-    package = nixpkgs.unstable.kanidm;
+    # package = nixpkgs.unstable.kanidm;
    serverSettings = {
      inherit domain;
--- a/machines/compute01/stirling-pdf/default.nix
+++ b/machines/compute01/stirling-pdf/default.nix
@ -10,7 +10,7 @@ let
  # - push to a new branch dgn-v0.A.B where A.B is the new version
  # - finally, update the commit hash of the customization patch
-  dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
+  dgn-id = "d73e347b1cefe23092bfcb2d3f8a23903410203e";
  port = 8084;
 in
--- a/machines/storage01/forgejo-runners.nix
+++ b/machines/storage01/forgejo-runners.nix
@ -1,10 +1,4 @@
-{
+{ config, pkgs, ... }:
  config,
  pkgs,
  nixpkgs,
  sources,
  ...
 }:
 let
  url = "https://git.dgnum.eu";
@ -30,8 +24,6 @@ let
        options = "--cpus=4";
      };
    };
  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
 in
 {
  services.forgejo-nix-runners = {
@ -39,14 +31,12 @@ in
    inherit url;
-    storePath = "/data/slow/nix";
+    storePath = "/data/slow";
    tokenFile = config.age.secrets."forgejo_runners-token_file".path;
    dependencies = [
      nix-pkgs.colmena
      pkgs.npins
      pkgs.tea
      nixpkgs.unstable.nixfmt-rfc-style
    ];
    containerOptions = [ "--cpus=4" ];
--- a/machines/storage01/forgejo.nix
+++ b/machines/storage01/forgejo.nix
@ -61,6 +61,7 @@ in
        service = {
          EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
          EMAIL_DOMAIN_BLOCKLIST = "*.shop,*.online,*.store";
          ENABLE_NOTIFY_MAIL = true;
          DISABLE_REGISTRATION = false;
--- a/machines/storage01/tvix-cache/default.nix
+++ b/machines/storage01/tvix-cache/default.nix
@ -135,10 +135,11 @@ in
  systemd.services."tvix-store" = {
    wantedBy = [ "multi-user.target" ];
    environment = {
-      RUST_LOG = "debug";
+      RUST_LOG = "info";
    };
    serviceConfig = {
      UMask = "007";
      LimitNOFILE = 1048576;
      ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
      StateDirectory = "tvix-store";
      RuntimeDirectory = "tvix-store";
--- a/machines/web01/metis/default.nix
+++ b/machines/web01/metis/default.nix
@ -6,30 +6,35 @@
 }:
 let
-  metis = import sources.metis { inherit pkgs; };
+  inherit (lib) mapAttrsToList match;
-  inherit (metis) providers;
+  metis = import sources.metis { inherit pkgs; };
 in
 {
  services.nginx.virtualHosts."calendrier.dgnum.eu" = {
    enableACME = true;
    forceSSL = true;
-    root = metis.production;
+    root = metis.package;
    locations = lib.mapAttrs' (
-      name: value:
+      name: domain:
      lib.nameValuePair "/cal/${name}/" {
        extraConfig = ''
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Server $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_pass ${value};
+          proxy_pass https://${domain}/remote.php/dav/public-calendars/;
        '';
      }
-    ) providers;
+    ) metis.providers;
    extraConfig = ''
      rewrite ^/calendrier(.*)$ $1 permanent;
    '';
  };
  assertions = mapAttrsToList (name: domain: {
    assertion = (match "[a-z-]+" name == [ ]) && (match "[a-z.-]+" domain == [ ]);
    message = "The provider `${name}` associated to the domain `${domain}` seems to have an incorrect definition.";
  }) metis.providers;
 }
--- a/machines/web01/netbox.nix
+++ b/machines/web01/netbox.nix
@ -13,7 +13,7 @@ in
  services = {
    netbox = {
      enable = true;
-      package = nixpkgs.unstable.netbox_3_7;
+      package = nixpkgs.unstable.netbox_4_1;
      secretKeyFile = "/dev/null";
      listenAddress = "127.0.0.1";
      plugins = p: [ p.netbox-qrcode ];
--- a/machines/web01/redirections.nix
+++ b/machines/web01/redirections.nix
@ -29,7 +29,6 @@ in
      "bds.wp.dgnum.eu" = "bds.ens.fr";
      "www.tuteurs.ens.fr" = "tuteurs.ens.fr";
      "www.interq.ens.fr" = "interq.ens.fr";
      "www.lanuit.ens.fr" = "lanuit.ens.fr";
    };
    temporary = {
--- a/machines/web03/django-apps/annuaire.nix
+++ b/machines/web03/django-apps/annuaire.nix
@ -1,4 +1,9 @@
-{ pkgs, sources, ... }:
+{
  pkgs,
  sources,
  config,
  ...
 }:
 let
  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
@ -15,7 +20,7 @@ in
      forceSSL = true;
    };
-    webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
+    webHookSecret = config.age.secrets."webhook-annuaire_token".path;
    python = pkgs.python3.override {
      packageOverrides = _: _: { inherit (nix-pkgs) authens loadcredential; };
@ -30,7 +35,7 @@ in
    ];
    credentials = {
-      SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
+      SECRET_KEY = config.age.secrets."dj_annuaire-secret_key_file".path;
    };
    environment = {
--- a/machines/web03/django-apps/bocal.nix
+++ b/machines/web03/django-apps/bocal.nix
@ -0,0 +1,49 @@
 {
  pkgs,
  sources,
  config,
  ...
 }:
 let
  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
 in
 {
  services.django-apps.sites.bocal = {
    source = "https://git.dgnum.eu/DGNum/www-bocal";
    branch = "main";
    domain = "bocal.webapps.dgnum.eu";
    nginx = {
      enableACME = true;
      forceSSL = true;
    };
    webHookSecret = config.age.secrets."webhook-bocal_token".path;
    python = pkgs.python3.override {
      packageOverrides = _: _: { inherit (nix-pkgs) django-cas-ng django-solo loadcredential; };
    };
    dependencies = ps: [
      ps.django
      ps.django-cas-ng
      ps.django-markdownx
      ps.django-solo
      ps.markdown
      ps.pillow
      ps.loadcredential
    ];
    credentials = {
      SECRET_KEY = config.age.secrets."dj_bocal-secret_key_file".path;
    };
    environment = {
      DJANGO_SETTINGS_MODULE = "app.settings";
      BOCAL_ALLOWED_HOSTS = [ "bocal.webapps.dgnum.eu" ];
      BOCAL_RHOSTS_PATH = "/var/lib/django-apps/bocal/.rhosts";
    };
  };
 }
--- a/machines/web03/django-apps/default.nix
+++ b/machines/web03/django-apps/default.nix
@ -1,14 +1,18 @@
 {
  imports = [
    ./annuaire.nix
    ./bocal.nix
    ./gestiojeux.nix
    ./interludes.nix
    ./wikiens.nix
  ];
  services.django-apps = {
    enable = true;
    webhook = {
-      domain = "hooks.webapps.dgnum.eu";
+      domain = "apps-webhook.dgnum.eu";
      nginx = {
        enableACME = true;
        forceSSL = true;
--- a/machines/web03/django-apps/gestiojeux.nix
+++ b/machines/web03/django-apps/gestiojeux.nix
@ -1,4 +1,9 @@
-{ pkgs, sources, ... }:
+{
  pkgs,
  sources,
  config,
  ...
 }:
 let
  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
@ -15,7 +20,7 @@ in
      forceSSL = true;
    };
-    webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
+    webHookSecret = config.age.secrets."webhook-gestiojeux_token".path;
    application = {
      type = "wsgi";
@ -54,7 +59,7 @@ in
    mediaDirectory = "source/public/media";
    credentials = {
-      SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
+      SECRET_KEY = config.age.secrets."dj_gestiojeux-secret_key_file".path;
    };
    environment = {
--- a/machines/web03/django-apps/interludes.nix
+++ b/machines/web03/django-apps/interludes.nix
@ -0,0 +1,66 @@
 {
  config,
  pkgs,
  sources,
  ...
 }:
 let
  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
 in
 {
  services.webhook.extraArgs = [ "-debug" ];
  services.django-apps.sites.interludes = {
    source = "https://git.eleves.ens.fr/dlesbre/site-interludes";
    branch = "master";
    domain = "interludes.ens.fr";
    nginx = {
      enableACME = true;
      forceSSL = true;
      serverAliases = [ "interludes.webapps.dgnum.eu" ];
    };
    webHookSecret = config.age.secrets."webhook-interludes_token".path;
    application = {
      type = "wsgi";
      module = "interludes";
    };
    dbType = "sqlite";
    python = pkgs.python3.override {
      packageOverrides = _: _: { inherit (nix-pkgs) python-cas loadcredential; };
    };
    django = ps: ps.django_4;
    dependencies = ps: [
      ps.loadcredential
      ps.python-ldap
      ps.python-cas
    ];
    credentials = {
      SECRET_KEY = config.age.secrets."dj_interludes-secret_key_file".path;
      EMAIL_HOST_PASSWORD = config.age.secrets."dj_interludes-email_host_password_file".path;
    };
    environment = {
      INTERLUDES_ALLOWED_HOSTS = [
        "interludes.ens.fr"
        "interludes.webapps.dgnum.eu"
      ];
      # E-mail configuration
      INTERLUDES_SERVER_EMAIL = "noreply-interludes-admin@ens.fr";
      INTERLUDES_DEFAULT_FROM_EMAIL = "noreply-interludes@ens.fr";
      INTERLUDES_EMAIL_HOST = "clipper.ens.fr";
      INTERLUDES_EMAIL_PORT = 465;
      INTERLUDES_EMAIL_HOST_USER = "interludes";
      INTERLUDES_DEBUG = false;
    };
  };
 }
--- a/machines/web03/django-apps/wikiens.nix
+++ b/machines/web03/django-apps/wikiens.nix
@ -0,0 +1,55 @@
 {
  pkgs,
  sources,
  config,
  ...
 }:
 let
  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
 in
 {
  services.django-apps.sites.wikiens = {
    source = "https://git.dgnum.eu/DGNum/wiki-eleves";
    branch = "main";
    domain = "wiki.eleves.ens.fr";
    nginx = {
      enableACME = true;
      forceSSL = true;
    };
    webHookSecret = config.age.secrets."webhook-wikiens_token".path;
    python = pkgs.python3.override {
      packageOverrides = _: _: {
        inherit (nix-pkgs)
          django-allauth
          django-allauth-ens
          django-wiki
          loadcredential
          ;
      };
    };
    dependencies =
      ps:
      [
        ps.django
        ps.django-allauth-ens
        ps.django-wiki
        ps.loadcredential
        ps.tinycss2
      ]
      ++ ps.django-allauth.optional-dependencies.socialaccount;
    credentials = {
      SECRET_KEY = config.age.secrets."dj_wikiens-secret_key_file".path;
    };
    environment = {
      WIKIENS_ALLOWED_HOSTS = [ "wiki.eleves.ens.fr" ];
    };
  };
 }
--- a/machines/web03/secrets/dj_annuaire-secret_key_file
+++ b/machines/web03/secrets/dj_annuaire-secret_key_file
--- a/machines/web03/secrets/dj_bocal-secret_key_file
+++ b/machines/web03/secrets/dj_bocal-secret_key_file
@ -0,0 +1,30 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA HF+w4Kuk7Wo2s94SeNxAB3zFZhKNn1fPabJhUK/xGH0
 KY5tknNrICYq0HTfNRX760OPyWPJ8B4Sasq8BjN9a6k
 -> ssh-ed25519 QlRB9Q OGcCe/S1aIQckJGzt4Wz+DFebTZpNV+YCevnVOPDMXQ
 keDckjD4Vjhj3gmQnW0V8nJ1Soubkhb9WP28fsanhMA
 -> ssh-ed25519 r+nK/Q lO6xwuhfQ6gMlJzFBF5J9c2elEg1J3leAt5x1uTYGSk
 HQG0VQXvn72CIOqe6FRGrSX8TIa7sBB3cOZZQzXBl8w
 -> ssh-rsa krWCLQ
 pvF18GVS3dHr2jiss4sn00UqVVM2f/6BmkpYMgAVQ3FNpgnimQGsgCssuBo3Hjrc
 BTO4v2U6cQ28LTUsruWdPhRChT0zfGRtx1QIn0tPzy3XKUxjt2XkBeblxtLhCHmI
 muQ0yA15bP+aQfZn0dE1Eb4krw1unKWE4f82L/BQ5Y/i1P2rubhyBhBoQRb6atHv
 S2EWBafaNr3orbFl9FPMjhWW3WZX/zKJxlu0saN88I6ZU2967mdR4PogMpL9iqST
 atraraA1jG6mR9Ojloyrf8FG6wTlplDlZk8Sgtg88FD1iHMN1q0DQv1LwRoD3QUa
 ywIn9MABMufNXQ+jm/DQpw
 -> ssh-ed25519 /vwQcQ 83MxgOJhIBBGU6IRcTQPtxtyR4MapAxhdKT634w/em4
 scNxodN5j1HXOIPCB3glvc08Gb4wW9gmZ5gkWMCbm4E
 -> ssh-ed25519 0R97PA LBFUS7zx26+rjiWqVwQ4UBqRxr+3Sx+j+GGrRaBbz08
 fnFwvJz36SiKnEoJr+0+enNVcT7wduZUrYe7bWhyxfE
 -> ssh-ed25519 JGx7Ng iXjAn4Y7+yHASx4ZbIrvFffLzgX52DbQy9hIcTScHAs
 6AJZoV33mBryiCaquKTAkw8yB1NQs38QlG2p4LIcoMc
 -> ssh-ed25519 bUjjig 0cqMXUVHqhyYhygR7meIyWRr/c7H8ZGB5eO7tTHhRUk
 GYKKGB02ElJXpObmBJKF4Bvoswd3o83vvVYIHIpDprg
 -> ssh-ed25519 VQSaNw xHhzKnYeKxrN2MJz84v7Mjg3Nh69UJ6Q/eAyVAvC3V0
 /bvauGesQw9/tl4DhCNFY9Rq+qWv12O4TcqzdxTCWzk
 -> T:){{-grease NuQ <}vLGT%
 0JSFYPMWs6LXpWacfiHNdwqvs/eHecFwj6cg0eLZEQe96shxy8/WSUBMpgasKufB
 Nc4tpfiOVWVRGm4arhunwJ+1sgg37X35PWde89Qpg5g
 --- Y6N6GuCpRLdD25EWW+05qbUAadrT3z2Pzc5golCBHJw
 ßNê¯3'8ú³€@/¨0,zWêS¦‘ï;ßñì)§e<C2A7>ßÉïèÞí
 qMj’ÏŒrçHB–ÇR2šš–E2H+d%¶Ò–®
--- a/machines/web03/secrets/dj_gestiojeux-secret_key_file
+++ b/machines/web03/secrets/dj_gestiojeux-secret_key_file
@ -0,0 +1,30 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA tuq63SvMOBnLOZNkIA5RenFt0DTg6bwCX4zJ8ISYRxc
 B1K+kEO/JC0t2EL+2od+UiVNlzBbpRg29lsp2L1DhHw
 -> ssh-ed25519 QlRB9Q r3M3DQi3xJiP+3nTpwm+2PQipnAaRyaWSH+mb0es6kE
 codqvk7AgptYBRyz2BFVH0FcQ7ebZGGdJ6PJmoWWXTk
 -> ssh-ed25519 r+nK/Q Ah4Oim/N0Tdkz1KPbQiHJQaqx614/jjlMqCxtYqjBy0
 aTrlmm3TbWN6pyDEHf9uGy9H9CyyChXGKL0RZr7U3W4
 -> ssh-rsa krWCLQ
 ZbbBqvj7L2XFfJBCQrn799m7FQDrFDg96Moev+Uab/U5caQoJIljMldkfD7VphEt
 56dyeJ7IdKdnwyt07213ua2gZ8Cmjyffi4b0mYhHkvRI5aSmfUtfiomXU0HkgZvK
 rk4+AVQYXTLZKlGaq5KkTt4i0ltwzjA9ECNirciqi5JmORkUD1T41xBKCSb+7N5b
 34Z/uka+oacxt7q27GnSonyFQIm7/owS4bTWV7vxoWLoOYTJcg4Oki/Op4gE9GkK
 1y4RDpdVsHcRZbi7ewB9UKbvMzH44TN5VJARUf0mFQ/OHUo5IJcm/glS898fSLu/
 mrjVT6XGAmPELB8uaVhSkg
 -> ssh-ed25519 /vwQcQ 2mD6dstuZmOkYlBajNevQkeCYAGWshp0h0F1TzdcJSY
 pzjxW+RZDSqPAHm+c5cMJZOdIfkwTmSLw2BktGh/kHk
 -> ssh-ed25519 0R97PA /vOiTSDwQVYTX+tFuJD0M8Enk+4b0ViZUnrZ/WhUKiI
 83r35uyZ/XELwTXZXzlU1yq+xzsNTUYNwK9aGGlOSAA
 -> ssh-ed25519 JGx7Ng V6Xnn5q1hSvWHjiWtWJAD7as5N2fdtWNKWi3JwhfYgQ
 aL3fX67spVrgguVtNNrfJ20fy3LRaDgMZldw5D1fKuE
 -> ssh-ed25519 bUjjig RdTpxQYpmEtG2Cn1EACf85/ZynfPbZhGfoSF+sfw1AA
 YovrKYRtwRPco3luRBVA0IA1qAq1jKxoS1UdoouhLGE
 -> ssh-ed25519 VQSaNw F4hYo2UaLzV8leVHx/oY9aIcZkZ9Fap5HiuTvZy+Hko
 Qwf9JDKqLXmIzId7gAtG5ERirfwZlQWCV6YiKgbexS4
 -> v>[->`-grease O {|u& 2o9 {w&!Ev
 jZPBNd6e20KQYli80kXK9D+qfmIVbOw9Y0aKXB3uvyNJPWDOoYTbzanjeXLuJdN+
 pB/fgMX7znIg+VP87n2qMR5jFVj/x4g4vNgKTUtglw
 --- j4kt4DFy3r3y6IMvNakNkmlkeb6iHYI5xAK8CZtbPD4
 EWS¦|p^/<2F> Ž?„<7F>Np%‚åeFU/>Ží¸0bccývr(ˆ‰Œº
 “.èýVŸdgðáAÇ±3"® ‡Ù(½\5Ó§q<
--- a/machines/web03/secrets/dj_interludes-email_host_password_file
+++ b/machines/web03/secrets/dj_interludes-email_host_password_file
@ -0,0 +1,29 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA iJSzsbA8RiEhUIyhlKWCASQKoSQstjK4drMYl+PsChw
 8THrknrBu0WGFEb4xTZiJxEY26q7sW83rwViDjyTE24
 -> ssh-ed25519 QlRB9Q e7PRE212Ggt8nO6Bb+BabO85FOARsJGs9cPJmZNI9kg
 ubKIBxI1ZBXttA7TWj401siKNT1HyB+N2MsZ+ldkgb8
 -> ssh-ed25519 r+nK/Q EWV24Emm9hENa+yUAuQpkuJ0uJ0zIv+vRIbWpM4Wtg4
 J59wnHRytgNqpX4+5HaJ9KZ5GvhckgtRK6TzfX7Ci8Y
 -> ssh-rsa krWCLQ
 AvmrzShR+XTpUpKaScoqvgFQ40PTSqh8p383p98xjG5LIz5kqJoWBnxJK7JabBpq
 JkqVeq5XdH5RX4weobieG4KYUV8EDheLfOMXH5BrPgeJO4yhJ1rzH+oHBw4TwvFM
 UvEZEAVgi3G1/suPfJAkO7QRkZjE7fRppEo5RAI0gMlM43YyJavrfqVIqB40Uugk
 h0b0ybChUbKpXlZjqhYAAMN45jTAvW1emO0DMeIk6dbmnbZNdibul8f+NNdWKbI1
 9NN5iH2IzuqTdc6gkE4912hdDeUJ4NZ6x/Fxp1/u3d1z/Yg7daUQUXUIoDX0Hyvb
 +01dH0D/7kzRhEdNLO2NXA
 -> ssh-ed25519 /vwQcQ GAsAj2i65KDQeFhe69YR2ycdGskop1wu3Lzrxp59sTg
 wCSUqEtWv0i6sNg1RVtHI/jZh3VeNX3qtnbagXoNGT4
 -> ssh-ed25519 0R97PA mFZ3q/3jd1guXl8bhRWyYjgsgE4JErJEels6vdmpfCs
 7oIAT0MTsaKxbf26PSDBk7KqfyFgcBq09FGJ9v/rXqE
 -> ssh-ed25519 JGx7Ng tpslfMWMJMUH46EGycbLiXotVdXlP4xmK0slb7XKYS8
 wLLfX4jX4mIxzI8zr2GBlpBcPztTrHqKngi/ON0TExg
 -> ssh-ed25519 bUjjig zLoniLfwKGH9Ctu34103WHBvjIyImtPyKx8O+5UMLUU
 sYsterVGvCg6JWA0z3AO5sSlj9DBfj8u5o5jH9K2xeA
 -> ssh-ed25519 VQSaNw oHzU9Lc/7p+MZAjVylzC63h586vOcffXkkpAi4XB8Q0
 7T8CREpaCxM58KMYW28FY2i+ELjrx3eC3K7xaBy7O6A
 -> (_o61>U-grease .P>ZRrj~ -=7S;N
 6vnQVKKZwp4JowIwVb4klrhaR6NZjwlZYnngVQ0wqVenMZPj9oyhIXthLRqE1Q6/
 k+sGxA
 --- +yT0o8oZJS+32MeUAl8T9zREh31rq77pSVsSoFjHO5A
 è™ñÎ—´ä!î^ûØÖ8Ô‚zøÑaÒÓÐàÔ@Ö¡s\ ˜_ÃÃúoÖö<C396>wõÖ¥Cr)¾€fû¿AÃ'•3D€â
--- a/machines/web03/secrets/dj_interludes-secret_key_file
+++ b/machines/web03/secrets/dj_interludes-secret_key_file
@ -0,0 +1,29 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA 7v2qJ+2ZSp0tf4m6gcK2ShFF9ulNm/g3aHu3Wqe4Sxo
 ZyVqTqBCK51/U5yxtp23nywprQv46yL90zwx6+DqKRg
 -> ssh-ed25519 QlRB9Q IePmluoRImtaDplOoVqNiwfTQMKF1CuF4M6AzurXGRY
 JjtOeyvARlc9t5Q+LS2+TZwAUgV4Qn2L8SFkw9YLnaU
 -> ssh-ed25519 r+nK/Q LGPI7PmVPnZDQe6Su5MZQauxRHZkBKehyNbMq+BKlGQ
 3RvcfLAFKaScusYKf47zFNAtnot7wySvytuD81s6TwM
 -> ssh-rsa krWCLQ
 xGH7rl+r8L5HEp6JUlAm04ktn9rQsWfBBlSRp7UsOi6ojwCfjjIA91yUrYw8TYRs
 Ci60uoLS7cuMtSE/jQVU/FuVtR5kwjhOkWmQDHrC7rUWb6CufusxPIVJ0xanp3wo
 cc2t+EfSdpVyGIx5N8BEMhQ6sR2EfERHGfUrnKCpcL5hM5L8ZHnVh6CkRBtvZaq0
 Zy44Ob4pqH6fDz7EziM1hBkfg9myN+/Iqfvg5OUnfSrqooLZ8l0gDvGafS5fok91
 uqb0PGDiv6lwzpaj87jKUCaXAF3ag2KAa6j8sbZ4+fSsQeB/jhH7hTlWcAR/oEFW
 fuPQDFKxMucAsPjv1H1iaQ
 -> ssh-ed25519 /vwQcQ +5+xDNQyRwBWXT6c593S01OG9IemNul/81G4ie1hTVg
 Tzkq0toOCqdHOZNPiy/rUrO2eQXTDHi7g+jKbrWU/hU
 -> ssh-ed25519 0R97PA WEMs0phnuvw1kQaqeSkovwFUL6w7J6wh+V7D82NxfDs
 V5npmkeTPVcnaNwDtoy7PqBRllPTuQjvF9Qu14V59os
 -> ssh-ed25519 JGx7Ng 3bty0WCf+ElvPEFt7fSpgYf5MeFUPaZ4vVGWPUAjn0I
 ggl5CgXaUx4T6qbA9EG1oaF9NbfFYye4davm7lKqUvI
 -> ssh-ed25519 bUjjig zFlaOVzFEkPG+J3Yz7alPgSiCVbC/7u/hCTVIP8X/Ho
 3PBIRu9ZKfb9lkzijw6kKjX0ztXBkiwVaQUx8rxuYJc
 -> ssh-ed25519 VQSaNw btusrepFF5Jhl3x2YWs6wVrHwzb6qBXfDXESclQJAXo
 HwfOU3tyP9OsNjTkaMMmJnd4b+0ZfxJLkP6xe5jsAZE
 -> Tp-grease s03Py `u6"4 E|5 _
 3CvcQ6NEZKLY1F6y0cTMQPwV9mJvHB0T7dauvWJAYKkfb95TymqfDYGWwW1veND2
 n1XD/arAJHVwva95K7TaQdsNLPGo8/VePQGUnYqi
 --- qe75UTWqdDd0gGg0nm054SFZ2AgqVBw/bbycvcZSfQY
 ãñêÕ]¹¦zÂg©;Ê¡îñ˜öÓ´0éÅYëÀHãŒ!@ìpö¸T«?£iÞ‰áèÚ>I^ü‚l·o5”¯ë:{¬gJk£vø>€W8ði
--- a/machines/web03/secrets/dj_wikiens-secret_key_file
+++ b/machines/web03/secrets/dj_wikiens-secret_key_file
--- a/machines/web03/secrets/secrets.nix
+++ b/machines/web03/secrets/secrets.nix
@ -1,3 +1,14 @@
 (import ../../../keys).mkSecrets [ "web03" ] [
  # List of secrets for web03
  "dj_annuaire-secret_key_file"
  "dj_bocal-secret_key_file"
  "dj_gestiojeux-secret_key_file"
  "dj_interludes-email_host_password_file"
  "dj_interludes-secret_key_file"
  "dj_wikiens-secret_key_file"
  "webhook-annuaire_token"
  "webhook-bocal_token"
  "webhook-gestiojeux_token"
  "webhook-interludes_token"
  "webhook-wikiens_token"
 ]
--- a/machines/web03/secrets/webhook-annuaire_token
+++ b/machines/web03/secrets/webhook-annuaire_token
@ -0,0 +1,29 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA NovhLzllQnEbnI7bno+zDoSRFJyZMfVVYPQMReUIymw
 sefGtZ8fbYVqtKgMhrEj9AlwP70YM5MGkQ+o8Dmfb/Q
 -> ssh-ed25519 QlRB9Q 9mh3vQVo5tPorLYBVCcZUJOlcEftQKA94PxNhh+pDwg
 GXM67qitYqnxbFoHbsfa1lNNLIahPqshosIY7h0fDBA
 -> ssh-ed25519 r+nK/Q BOXck7k9AH+KvmoicI/fmGzWcna0nwnJ+uyteUjIukE
 Hyts1/6EAdruuBilhifl/HwPTWEBe+Kr1RL6SDjHaaM
 -> ssh-rsa krWCLQ
 1ROqUHCkbkEgRTQUha0cVJVAqLu0nvfKik9yI392sbEQYgmpuf7F0gzA97BXcoi3
 2BdZWu/cJ6m6bfMvXdZ04cUjRcNrnpPHsoqie3G9s9p6aa9XIrLO5K6kH7S6f5DZ
 pZdOqfSYldtJKRx7F8k0D/pscN5qB1Tb1x0CIULJVo7uKf9X1MnZwapOOCY2q40U
 Ip2aefr40h3EO7jBlswx2/fB8aqW95BR4JQzJZ/uiIsBUQDqvn39GU7R0JaLdAPB
 6kJXaJ3ORaDDtslcaAVZWLqFbOlINXYHr/mqYNTZMubE4BmNjvJL3aRozQQWraoJ
 q5rDvgwUXVhpGpcaNf4/xw
 -> ssh-ed25519 /vwQcQ FHYnfCad1imFiV5tRIfe9mtJ2ouiu2l19th2UD7j3gw
 Xu+Sk9GEQ9Wyf7iU790yxv80vLYHp2StArPkfRqfRhI
 -> ssh-ed25519 0R97PA etwCsiGmvzufJGMw8aDN+M931lPlE9fTUBQmk0X4DFk
 o6xJbfNjQ3Lko1MSJ9JBu6FefZ8267dZ+vL1Gpd1eH8
 -> ssh-ed25519 JGx7Ng h0XzejD/c5F2M7sWS4vTQL9OoRG73ACwlWCtK51Dcyo
 diMDy201IpwL6Ec+Zb4pH5f1yyMOMHT3jg6yriopCRU
 -> ssh-ed25519 bUjjig 2Oh5FhWfrbA9c5TisXuxasyYF41YOlNdurZR9QowETA
 706/MLiPT9+9xHZPZQYtvKm8zbN5qS/9XJ+TK15etIs
 -> ssh-ed25519 VQSaNw YbtnCoySon7jNBq7IFOl8UfxuJXRjzLrgXp238q4RRE
 10au0QwFP9ntPMU4u2bMl3KLYBIPy09xVoKNLxWvpw0
 -> Vu-grease !oqb p1-QmV
 i1WmaOmxmdAX/se60fnUL41n57c8tN1gnUjjBjSV7GkQGzhKnxTplJTUpifP9Js3
 8D+xe86sN2l2JQ5R9QFOAbsvSa5eXSo
 --- JE+yvBRH9Jz6Sdz46AzWuhVI0kXWObODKSiNWz5L9As
 _n´(I	6ÔÃPèCa\³U¼=é@ “†?6—P[Tò³ñˆjk<6A>0ãrÒ…°“ƒ¼-É(]/³a¿É
õ8¶=é¤i²<69>
--- a/machines/web03/secrets/webhook-bocal_token
+++ b/machines/web03/secrets/webhook-bocal_token
@ -0,0 +1,29 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA Ju7YL9wvvYr9VPLmYtYTniyuj9JTVqe2V8eRLISkIH8
 EJjZPLOhspyyrx7a+fYlPPH+1pr93KzW7E2Ztkic0cY
 -> ssh-ed25519 QlRB9Q X+TAfiEk1d67rkz6CgIO66bBrahY39ZTnmj0cBGGrSo
 kBLFu6DnN7rIzP3mSlPEc+yBN+yU5toLeA069vuNW6g
 -> ssh-ed25519 r+nK/Q wcXXCuAS9bOp3GM6c0pU7sxpylFEHFPmnibQTEwJ1x4
 fR41b7fhZCzuNP1jst3vx3wUjIkBDsz54VzubwNX6+M
 -> ssh-rsa krWCLQ
 ySG+OgB3gMW/ijdWqlGr1LnkfqeFD53ChxkOUfAe4+Z1VsK0FkVaBmqvW38SFMw9
 S4dcOkO6Km8umsaZBZi2QaItm+p8Rf/j7+W2WZPoyoKE1l1KW1ic/wGOY7uqeucn
 YZRq7rWX+DaH2VLbkl12wUlVgYwJGcH6VrpRizbq2z0jcdTak6hgzcXo7WhcNAit
 DY8W8X5Zv34mpj1VO7n2LJs5V7gzfSLq+KVMIi++QphVv2VkFpvaOqlEP2neVXnV
 C3YNJTkVx+R6wANCao+9a5VHC261Bkm81dKgzceW2OCHkwOP6XTbDpj59sMRxRuU
 B7jrvre5S1WZN9jc16Dv/Q
 -> ssh-ed25519 /vwQcQ TW560PIrbJV3ZB55w+EvH2PEYOoYM93x3aaeeShYKE8
 LC6pydBK3yCq/Vs7MUoa0xjDSn3WjRaZuqwvhX24YJQ
 -> ssh-ed25519 0R97PA zyerO6EIwW90XVSBVP3Y/7Q8hK+7uPe6kKENGCdDJRw
 WEpgo8Y64YXnat1OJU5qtpecf+Zu2P2LmB7DEtmUuAU
 -> ssh-ed25519 JGx7Ng 7h4q8ztQ0BFJSfavV4l1pKjbNRZveOPIJG0KF98vh28
 mYcUEL4n2+bkjpvJylIvzXSxoa71YZKMSgN21ONnvko
 -> ssh-ed25519 bUjjig 9wKWtLWD+9LlAOO24iQiOdvpSDIWpL6Xo0Wt3QOLIQY
 Kq2QLFB7E5tiqZQlsn5pZRM52v8XqUyYsvwNHXZspRs
 -> ssh-ed25519 VQSaNw 3tJNtvi0WK9iAzx3Q7Q0Ogj1TGH0Zrm5v0ERhQILBVk
 4232/j+xnbhQpId7ZS6+xAQBDxtumeOp4c1HVeMRqB4
 -> Pug13&(-grease 'w0JG}JF .t`9lMF v)8}4qW
 yRriwE//abKvQgu962F7URbOAiHDFMipnsq22itGkLDvmwIRY6Bi83xOzx72EV4y
 27GNdxQOni+z8NPt0YTskqq4fHfZky/EMFUvXTfteB7izYxEliHLRKA
 --- JNvexaDwzwOIUCxanJRLunfhBh1/PE8ssFCytr8nPjo
 TX¹Þ‚xòšd˜~KS?ìIò…Ceþ—3ÑJõ	¹ŸýCíÓF6qœv~Dùq¢T<>©55€bjˆf›Õ5”ñëã"ø£ÅŽp
--- a/machines/web03/secrets/webhook-gestiojeux_token
+++ b/machines/web03/secrets/webhook-gestiojeux_token
@ -0,0 +1,29 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA dBBF9o4SBTHNv495PFZa6dszbs9nEARwg0EfOlfFwhc
 GkqX8sjLqFHGm4UA+zyVRB7FGGgAxilFYHarEQB0YAk
 -> ssh-ed25519 QlRB9Q DEu91DA+qho3Zs3gSQbWH/hOKUfgP5Qd90+9ZzYs1So
 aIw1ygo/e0tpqW2N27Fl8WRe362ronzqy52vSzD35Tc
 -> ssh-ed25519 r+nK/Q JUurf12UYuJKvKusUh/GOJryFbA8lWaS8v+/pRb0kys
 VsgsBSwjBXTD+tmP3jxCPVeDY7AHVFx5o57y+ubEjts
 -> ssh-rsa krWCLQ
 o08ZnFZIj37p5hpWgl8FXwPwHKjoBD7Z0UxMRsF4CUF0sLOpwVHD4L57hAA8a80S
 063e48OJ5OsrtueqqJwPT+wjXfmEarLUqC+rP0X+JDW8OLwSImBcYC5DQJZLUFSK
 doF8S8Bo0MbuB4eKnXUAJlhdZOk/iqYK8TYuuSIwWQxHwF/fT43hrYIkj6lmqdmG
 IqSXA04KpQFoL15INIAtsnj5xXJlI0gCPp0pxMNUmVyTTrNLfaEiKH191D+Elmjd
 xcdvMX1yzIPI/mI/+/OjeYspijY0XpRHLJ9ljfEK7E2N8IgpyzBx2BzxYhRHoQmi
 6SbZu9Tirw+yv5wv8oIaHA
 -> ssh-ed25519 /vwQcQ M6QID8DMaFMnF97UWwbSYJ7Sh0wvj/fq7cszu82/oHI
 T+aT4NCbVfGXnvPK7w8fbojAwDTE41h40q0tDwnGyhE
 -> ssh-ed25519 0R97PA XyZvyy80nv2tGe1fBzM0LeiIAGuyV22CzBoCPFMMrw8
 9VPiRV3GCWbH1So5LBrjBeRzEtErPM7BwOF/zaD/yGk
 -> ssh-ed25519 JGx7Ng OPlQBKO+Wub+PPMNPoRGWTeSZfGF3kYCD8HLbLbPR0k
 ZhBUT5ig0FnLCau+da9bfEkVjFxfZXG0mXW1o0yZ+JQ
 -> ssh-ed25519 bUjjig T5/dZtIRaXmNg8pajSAM76cVANM7MvQ7f32fz2fEqx0
 +6kRffMJX+8QAOf5jA5acGihgw4q8yJda0EzVGePD+I
 -> ssh-ed25519 VQSaNw InflFPtAwYwQFWqd+KK+ILwMa0XTNkVB+xEMtUXW8Us
 XZ6LVMCpvq+QBo0EHAlnC8uBhQssixTLVCpul6ov4Dk
 -> YKmn+c&-grease EA5d$ ="1d }cP
 3u46NE2SdfO9ugNN/41PeU/65CRgmDiO54B9ZQLNRQtVyyLlcmvaYHCQach+s+Rs
 tE0Gc8MD23hPw5ZhWj0nq7xF8VHtRQSTLQ
 --- UkbfAVgnLkeg6Zdb3bsdPtx9Wh6HOjdB+qmTvrAWFuE
 5_E¼ñ/e)±žÑÊC×7Ú›ÈY<C388>wPŽöTÃ¡št6>l_0:[èP»ÎH5·¼j—<6A>€PË¸â=vèFýÉIÄ4¹ÿÏDìª˜ýp£§
--- a/machines/web03/secrets/webhook-interludes_token
+++ b/machines/web03/secrets/webhook-interludes_token
--- a/machines/web03/secrets/webhook-wikiens_token
+++ b/machines/web03/secrets/webhook-wikiens_token
--- a/meta/dns.nix
+++ b/meta/dns.nix
@ -1,7 +1,7 @@
 { lib, dns, ... }:
 let
-  inherit (lib) mapAttrs' nameValuePair;
+  inherit (lib) mapAttrs' nameValuePair optional;
  inherit (lib.extra) fuseAttrs mapSingleFuse;
  inherit (dns.lib.combinators) mx spf ttl;
@ -138,7 +138,9 @@ let
        ];
        web03.dual = [
-          "*.webapps" # Django apps
+          # Django Apps
          "*.webapps"
          "apps-webhook"
        ];
      }
    )
@ -215,17 +217,19 @@ in
        subdomains = mapAttrs' (
          host:
          { site, ... }:
-          nameValuePair "${host}.${site}" (
+          let
-            with meta.network.${host}.addresses;
+            net = meta.network.${host};
-            {
+            inherit (net.addresses) ipv4 ipv6;
          in
          nameValuePair "${host}.${site}" {
            A = ipv4;
            AAAA = ipv6;
            subdomains = {
              v4.A = ipv4;
              v6.AAAA = ipv6;
              private.A = optional (net.netbirdIp != null) net.netbirdIp;
            };
          }
          )
        ) meta.nodes;
      };
    };
--- a/meta/network.nix
+++ b/meta/network.nix
@ -171,7 +171,7 @@
    };
    hostId = "8afc7749";
-    netbirdIp = null; # web03 is not yet connected to the VPN
+    netbirdIp = "100.80.157.46";
  };
  rescue01 = {
--- a/meta/nodes.nix
+++ b/meta/nodes.nix
@ -135,7 +135,7 @@
    nix-modules = [ "services/django-apps" ];
    stateVersion = "24.05";
-    nixpkgs = "24.05";
+    nixpkgs = "unstable";
    vm-cluster = "Hyperviseur NPS";
  };
 }
--- a/meta/organization.nix
+++ b/meta/organization.nix
@ -5,6 +5,11 @@
 {
  members = {
    agroudiev = {
      name = "Antoine Groudiev";
      email = "antoine.groudiev@dgnum.eu";
    };
    catvayor = {
      name = "Lubin Bailly";
      email = "catvayor@dgnum.eu";
@ -34,6 +39,12 @@
      username = "jmalka";
    };
    mboyer = {
      name = "Matthieu Boyer";
      email = "matthieu.boyer@dgnum.eu";
      username = "mboyer02";
    };
    mdebray = {
      name = "Maurice Debray";
      email = "maurice.debray@dgnum.eu";
@ -57,7 +68,6 @@
      "thubrecht"
      "raito"
      "mdebray"
      "luj"
    ];
    # members of this group are root on the fai infrastructure
--- a/modules/dgn-netbox-agent/default.nix
+++ b/modules/dgn-netbox-agent/default.nix
@ -13,7 +13,7 @@ in
  options.dgn-netbox-agent = {
    enable = lib.mkEnableOption "DGNum netbox agent setup." // {
-      default = true;
+      default = false;
    };
  };
--- a/modules/dgn-netbox-agent/package.nix
+++ b/modules/dgn-netbox-agent/package.nix
@ -16,8 +16,8 @@ python3.pkgs.buildPythonApplication {
  src = fetchgit {
    url = "https://git.dgnum.eu/DGNum/netbox-agent";
-    rev = "12ceea413cbb87280713de734b5e1b3e88c00178";
+    rev = "424283239658516feb34c0f68496775350b1bf22";
-    hash = "sha256-v6H8/yNUcpHERiyzytR2ZADLiDK2QpzSEmxTP5m9BLE=";
+    hash = "sha256-sp1QVy8AIezR2LRDDYS9G0g0GQRwGKGmEE7ykITPxtY=";
  };
  nativeBuildInputs = with python3.pkgs; [
--- a/npins/sources.json
+++ b/npins/sources.json
@ -59,10 +59,10 @@
      "pre_releases": false,
      "version_upper_bound": null,
      "release_prefix": null,
-      "version": "v1.8.2",
+      "version": "v1.9.0",
-      "revision": "0a97c6683ecb8d92ab0ce4c3c39e896e4a3fe388",
+      "revision": "49a4936cee640e27d74baee6fd1278285d29b100",
-      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.8.2",
+      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.9.0",
-      "hash": "1xivgibk1fa07z4xqxpyha6yyb0pmahf52caf1kgh8zxr231ai1v"
+      "hash": "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388"
    },
    "dns.nix": {
      "type": "GitRelease",
@ -87,9 +87,9 @@
        "repo": "git-hooks.nix"
      },
      "branch": "master",
-      "revision": "3c3e88f0f544d6bb54329832616af7eb971b6be6",
+      "revision": "3308484d1a443fc5bc92012435d79e80458fe43c",
-      "url": "https://github.com/cachix/git-hooks.nix/archive/3c3e88f0f544d6bb54329832616af7eb971b6be6.tar.gz",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/3308484d1a443fc5bc92012435d79e80458fe43c.tar.gz",
-      "hash": "04pwjz423iq2nkazkys905gvsm5j39722ngavrnx42b8msr5k555"
+      "hash": "0qdhcqisil8zhnf600y0vpa1mayrca8z2bja79p4j5vajy7dnx4s"
    },
    "kadenios": {
      "type": "Git",
@ -144,9 +144,9 @@
        "url": "https://git.lix.systems/lix-project/lix.git"
      },
      "branch": "main",
-      "revision": "0ff8f9132552e03497b07e1e5c068660a7a04515",
+      "revision": "66f6dbda32959dd5cf3a9aaba15af72d037ab7ff",
      "url": null,
-      "hash": "0qdaiqp5q2nb0yffc03vhlbd55v1jk3jlxz26prhk0hxddz0xhyq"
+      "hash": "10mfry8k0jab4ngnhvx9d7ia8m7qf4va4395ylwg3qlsxziqvc8z"
    },
    "lix-module": {
      "type": "Git",
@ -155,9 +155,9 @@
        "url": "https://git.lix.systems/lix-project/nixos-module.git"
      },
      "branch": "main",
-      "revision": "fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d",
+      "revision": "aa2846680fa9a2032939d720487942567fd9eb63",
      "url": null,
-      "hash": "0jxpqaz12lqibg03iv36sa0shfvamn2yhg937llv3kl4csijd34f"
+      "hash": "0gb174800sgh6y6sir23nxsx85xrk478hbwqbzyd46ac34clz9wz"
    },
    "lon": {
      "type": "Git",
@ -178,9 +178,9 @@
        "url": "https://git.dgnum.eu/DGNum/metis"
      },
      "branch": "master",
-      "revision": "f631751da44a330c41398356ce2295e17ed45b7b",
+      "revision": "ed6fafda45d638b1bafd5deaee098b80156b41e8",
      "url": null,
-      "hash": "1laclhq6jz9mni4vxsxk3c143c2x478z1lqj115mqyj0d62rz8mg"
+      "hash": "086spyhn2x1x2h31b0y4an501fdhph1nk64riybqnh6mqjkzlq4m"
    },
    "microvm.nix": {
      "type": "Git",
@ -194,6 +194,20 @@
      "url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
      "hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy"
    },
    "nix-actions": {
      "type": "GitRelease",
      "repository": {
        "type": "Git",
        "url": "https://git.dgnum.eu/DGNum/nix-actions.git"
      },
      "pre_releases": false,
      "version_upper_bound": null,
      "release_prefix": null,
      "version": "v0.2.2",
      "revision": "b9cb5d6f945d1e3fd7b70d63848c70335e9912e8",
      "url": null,
      "hash": "0m6bw5qlrchsigx7x4nz3xkcn3dnr14k5j0ws9lbggnldnz9qg2w"
    },
    "nix-modules": {
      "type": "Git",
      "repository": {
@ -201,9 +215,9 @@
        "url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
      },
      "branch": "main",
-      "revision": "516225dc6958645284b11b74b9ce31e01993341c",
+      "revision": "75e8d70a051dd19d126b5248b62f61d6f8ce4361",
      "url": null,
-      "hash": "1cxn1m1xf9p7p8a0y8r6iwp08d886k5rmgl947r9d0vg7ah31kmj"
+      "hash": "0yx5by3v2cshiidyh27n75lcqy9d1kk5zz5mchmfv63s9p0cjzqn"
    },
    "nix-patches": {
      "type": "GitRelease",
@ -226,15 +240,15 @@
        "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
      },
      "branch": "main",
-      "revision": "0e80d4dcdd54a75556c0784de55dc139ad4fe797",
+      "revision": "fe54340f49449f01c2ee489abf7016d97706eb59",
      "url": null,
-      "hash": "1hlb0cczxq0jrzw4lhmkibnb8skcar0rmny594aqgyikknwzx2qf"
+      "hash": "1sv9nqhzcqn8anqfgf63i2j5qcqzyy4vl0a45rvllv7rhbhw9adq"
    },
    "nixos-24.05": {
      "type": "Channel",
      "name": "nixos-24.05",
-      "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.5809.4eb33fe664af/nixexprs.tar.xz",
+      "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.6668.e8c38b73aeb2/nixexprs.tar.xz",
-      "hash": "02hxkkrpf33s6nsqkla1292zw64dqfq9wpkda5hry3vr3fhxwwg4"
+      "hash": "0lhh36z3fvd3b64dz7an08y3c3shb67aj17ny9z28bs21i3dc5yh"
    },
    "nixos-generators": {
      "type": "Git",
@ -244,21 +258,21 @@
        "repo": "nixos-generators"
      },
      "branch": "master",
-      "revision": "dd28a0806e7124fe392c33c9ccaa12f21970401f",
+      "revision": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c",
-      "url": "https://github.com/nix-community/nixos-generators/archive/dd28a0806e7124fe392c33c9ccaa12f21970401f.tar.gz",
+      "url": "https://github.com/nix-community/nixos-generators/archive/3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c.tar.gz",
-      "hash": "09226kqddjg1m8m1q9n4l1hsln93hckhj238q0v851wxbwd0qq73"
+      "hash": "12v6lxls3bfkj20rwxy62l8g6zlkhsp29m6wd7764j1wwfwjk274"
    },
    "nixos-unstable": {
      "type": "Channel",
      "name": "nixos-unstable",
-      "url": "https://releases.nixos.org/nixos/unstable/nixos-24.11pre694395.4c2fcb090b1f/nixexprs.tar.xz",
+      "url": "https://releases.nixos.org/nixos/unstable/nixos-25.05beta710087.23e89b7da85c/nixexprs.tar.xz",
-      "hash": "05fszj13lci5gdbn5grn92wd3mzj6f7gy11kqj78xcsg69m2wbrl"
+      "hash": "0b695yx17sarr7d3ypb9z6njd0qhiga1682wjxidl053lvx6g33b"
    },
    "nixpkgs": {
      "type": "Channel",
      "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre694416.ccc0c2126893/nixexprs.tar.xz",
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre709559.5083ec887760/nixexprs.tar.xz",
-      "hash": "0cn1z4wzps8nfqxzr6l5mbn81adcqy2cy2ic70z13fhzicmxfsbx"
+      "hash": "1z912j1lmrg8zp2hpmmi69dls9zlpvqfvdkvh5xc3x6iqkqwn0cd"
    },
    "proxmox-nixos": {
      "type": "Git",
@ -268,9 +282,9 @@
        "repo": "proxmox-nixos"
      },
      "branch": "main",
-      "revision": "950e4cccac0f942076e8558f7f9f4d496cabfb18",
+      "revision": "c6a126238e8f8efc3660b523d314a0074e61fe44",
-      "url": "https://github.com/SaumonNet/proxmox-nixos/archive/950e4cccac0f942076e8558f7f9f4d496cabfb18.tar.gz",
+      "url": "https://github.com/SaumonNet/proxmox-nixos/archive/c6a126238e8f8efc3660b523d314a0074e61fe44.tar.gz",
-      "hash": "0bhqw42ydc0jfkfqw64xsg518a1pbxnvpqw92nna7lm8mzpxm6d4"
+      "hash": "0apinc8iiqsjazlj3nh75m4w5f93fd53xs4nj1s06qay4nq1h49w"
    },
    "signal-irc-bridge": {
      "type": "Git",
@ -302,9 +316,9 @@
        "server": "https://git.helsinki.tools/"
      },
      "branch": "master",
-      "revision": "f72adfc39c18630b45f8c982910314246d4a8d92",
+      "revision": "cce6f7961eb99fd56a039623c4d9e561d9a98928",
-      "url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=f72adfc39c18630b45f8c982910314246d4a8d92",
+      "url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=cce6f7961eb99fd56a039623c4d9e561d9a98928",
-      "hash": "08qfaav3vb832dr3r6f2n1ah6zyryvab0dxsaxwi6gk5p3zad3l8"
+      "hash": "0ggqc92mh4xbsrrdv8j0jl6f3cagwizd93sdl8p8mqpxv9445xrf"
    }
  },
  "version": 3
--- a/patches/01-castopod.patch
+++ b/patches/01-castopod.patch
@ -1,808 +0,0 @@
 From 3b656cbdf40c6056983e95ac5c87839a68571096 Mon Sep 17 00:00:00 2001
 From: Alexander Tomokhov <alexoundos@gmail.com>
 Date: Tue, 3 Oct 2023 22:20:59 +0400
 Subject: [PATCH 1/8] castopod: 1.6.4 -> 1.6.5
 ---
 pkgs/applications/audio/castopod/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/pkgs/applications/audio/castopod/default.nix b/pkgs/applications/audio/castopod/default.nix
 index 9d9f83e2ecce40..83c70f9b36646d 100644
 --- a/pkgs/applications/audio/castopod/default.nix
 +++ b/pkgs/applications/audio/castopod/default.nix
@@ -7,11 +7,11 @@
 }:
 stdenv.mkDerivation {
   pname = "castopod";
 -  version = "1.6.4";
 +  version = "1.6.5";
   src = fetchurl {
 -    url = "https://code.castopod.org/adaures/castopod/uploads/ce56d4f149242f12bedd20f9a2b0916d/castopod-1.6.4.tar.gz";
 -    sha256 = "080jj91yxbn3xsbs0sywzwa2f5in9bp9qi2zwqcfqpaxlq9ga62v";
 +    url = "https://code.castopod.org/adaures/castopod/uploads/5aaaa6cf2edaed25bd7253449e5f8584/castopod-1.6.5.tar.gz";
 +    sha256 = "04gcq2vmfy5aa2fmsm1qqv1k8g024nikmysdrhy33wj460d529b5";
   };
   dontBuild = true;
 From 4cd096c27c52ff9948bc7d9ebc05490147ca9675 Mon Sep 17 00:00:00 2001
 From: Alexander Tomokhov <alexoundos@gmail.com>
 Date: Tue, 3 Oct 2023 22:19:36 +0400
 Subject: [PATCH 2/8] nixos/castopod: fix startup, displaying images, uploads
 up to 500 MiB
 - new maxUploadSize option
 - new dataDir option (with ReadWritePaths systemd support)
 - admin page reports correct free disk space (instead of /nix/store)
 - fix example configuration in documentation
 - now podcast creation and file upload are tested during NixOS test
 - move castopod from audio to web-apps folder
 - verbose logging from the browser test
 ---
 nixos/modules/module-list.nix                 |   2 +-
 .../services/{audio => web-apps}/castopod.md  |  11 +-
 .../services/{audio => web-apps}/castopod.nix |  60 ++--
 nixos/tests/castopod.nix                      | 263 +++++++++++++-----
 pkgs/applications/audio/castopod/default.nix  |  13 +-
 5 files changed, 256 insertions(+), 93 deletions(-)
 rename nixos/modules/services/{audio => web-apps}/castopod.md (72%)
 rename nixos/modules/services/{audio => web-apps}/castopod.nix (80%)
 diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
 index 627427262da632..97043c965400c5 100644
 --- a/nixos/modules/module-list.nix
 +++ b/nixos/modules/module-list.nix
@@ -337,7 +337,6 @@
   ./services/amqp/rabbitmq.nix
   ./services/audio/alsa.nix
   ./services/audio/botamusique.nix
 -  ./services/audio/castopod.nix
   ./services/audio/gmediarender.nix
   ./services/audio/gonic.nix
   ./services/audio/goxlr-utility.nix
@@ -1282,6 +1281,7 @@
   ./services/web-apps/bookstack.nix
   ./services/web-apps/c2fmzq-server.nix
   ./services/web-apps/calibre-web.nix
 +  ./services/web-apps/castopod.nix
   ./services/web-apps/coder.nix
   ./services/web-apps/changedetection-io.nix
   ./services/web-apps/chatgpt-retrieval-plugin.nix
 diff --git a/nixos/modules/services/audio/castopod.md b/nixos/modules/services/web-apps/castopod.md
 similarity index 72%
 rename from nixos/modules/services/audio/castopod.md
 rename to nixos/modules/services/web-apps/castopod.md
 index ee8590737a7c73..f61bf1166a4d24 100644
 --- a/nixos/modules/services/audio/castopod.md
 +++ b/nixos/modules/services/web-apps/castopod.md
@@ -4,6 +4,7 @@ Castopod is an open-source hosting platform made for podcasters who want to enga
 ## Quickstart {#module-services-castopod-quickstart}
 +Configure ACME (https://nixos.org/manual/nixos/unstable/#module-security-acme).
 Use the following configuration to start a public instance of Castopod on `castopod.example.com` domain:
 ```nix
@@ -11,11 +12,11 @@ networking.firewall.allowedTCPPorts = [ 80 443 ];
 services.castopod = {
   enable = true;
   database.createLocally = true;
 -  nginx.virtualHost = {
 -    serverName = "castopod.example.com";
 -    enableACME = true;
 -    forceSSL = true;
 -  };
 +  localDomain = "castopod.example.com";
 +};
 +services.nginx.virtualHosts."castopod.example.com" = {
 +  enableACME = true;
 +  forceSSL = true;
 };
 ```
 diff --git a/nixos/modules/services/audio/castopod.nix b/nixos/modules/services/web-apps/castopod.nix
 similarity index 80%
 rename from nixos/modules/services/audio/castopod.nix
 rename to nixos/modules/services/web-apps/castopod.nix
 index b782b548914795..7c99551c83183f 100644
 --- a/nixos/modules/services/audio/castopod.nix
 +++ b/nixos/modules/services/web-apps/castopod.nix
@@ -4,7 +4,6 @@ let
   fpm = config.services.phpfpm.pools.castopod;
   user = "castopod";
 -  stateDirectory = "/var/lib/castopod";
   # https://docs.castopod.org/getting-started/install.html#requirements
   phpPackage = pkgs.php.withExtensions ({ enabled, all }: with all; [
@@ -29,6 +28,15 @@ in
         defaultText = lib.literalMD "pkgs.castopod";
         description = lib.mdDoc "Which Castopod package to use.";
       };
 +      dataDir = lib.mkOption {
 +        type = lib.types.path;
 +        default = "/var/lib/castopod";
 +        description = lib.mdDoc ''
 +          The path where castopod stores all data. This path must be in sync
 +          with the castopod package (where it is hardcoded during the build in
 +          accordance with its own `dataDir` argument).
 +        '';
 +      };
       database = {
         createLocally = lib.mkOption {
           type = lib.types.bool;
@@ -111,6 +119,18 @@ in
           Options for Castopod's PHP pool. See the documentation on `php-fpm.conf` for details on configuration directives.
         '';
       };
 +      maxUploadSize = lib.mkOption {
 +        type = lib.types.int;
 +        default = 512;
 +        description = lib.mdDoc ''
 +          Maximum supported size for a file upload in MiB. Maximum HTTP body
 +          size is set to this value for nginx and PHP (because castopod doesn't
 +          support chunked uploads yet:
 +          https://code.castopod.org/adaures/castopod/-/issues/330). Note, that
 +          practical upload size limit is smaller. For example, with 512 MiB
 +          setting - around 500 MiB is possible.
 +        '';
 +      };
     };
   };
@@ -120,13 +140,13 @@ in
         sslEnabled = with config.services.nginx.virtualHosts.${cfg.localDomain}; addSSL || forceSSL || onlySSL || enableACME || useACMEHost != null;
         baseURL = "http${lib.optionalString sslEnabled "s"}://${cfg.localDomain}";
       in
 -      lib.mapAttrs (name: lib.mkDefault) {
 +      lib.mapAttrs (_name: lib.mkDefault) {
         "app.forceGlobalSecureRequests" = sslEnabled;
         "app.baseURL" = baseURL;
 -        "media.baseURL" = "/";
 +        "media.baseURL" = baseURL;
         "media.root" = "media";
 -        "media.storage" = stateDirectory;
 +        "media.storage" = cfg.dataDir;
         "admin.gateway" = "admin";
         "auth.gateway" = "auth";
@@ -142,13 +162,13 @@ in
     services.phpfpm.pools.castopod = {
       inherit user;
       group = config.services.nginx.group;
 -      phpPackage = phpPackage;
 +      inherit phpPackage;
       phpOptions = ''
 -        # https://code.castopod.org/adaures/castopod/-/blob/main/docker/production/app/uploads.ini
 +        # https://code.castopod.org/adaures/castopod/-/blob/develop/docker/production/common/uploads.template.ini
         file_uploads = On
         memory_limit = 512M
 -        upload_max_filesize = 500M
 -        post_max_size = 512M
 +        upload_max_filesize = ${toString cfg.maxUploadSize}M
 +        post_max_size = ${toString cfg.maxUploadSize}M
         max_execution_time = 300
         max_input_time = 300
       '';
@@ -165,25 +185,25 @@ in
       path = [ pkgs.openssl phpPackage ];
       script =
         let
 -          envFile = "${stateDirectory}/.env";
 +          envFile = "${cfg.dataDir}/.env";
           media = "${cfg.settings."media.storage"}/${cfg.settings."media.root"}";
         in
         ''
 -          mkdir -p ${stateDirectory}/writable/{cache,logs,session,temp,uploads}
 +          mkdir -p ${cfg.dataDir}/writable/{cache,logs,session,temp,uploads}
           if [ ! -d ${lib.escapeShellArg media} ]; then
             cp --no-preserve=mode,ownership -r ${cfg.package}/share/castopod/public/media ${lib.escapeShellArg media}
           fi
 -          if [ ! -f ${stateDirectory}/salt ]; then
 -            openssl rand -base64 33 > ${stateDirectory}/salt
 +          if [ ! -f ${cfg.dataDir}/salt ]; then
 +            openssl rand -base64 33 > ${cfg.dataDir}/salt
           fi
           cat <<'EOF' > ${envFile}
           ${lib.generators.toKeyValue { } cfg.settings}
           EOF
 -          echo "analytics.salt=$(cat ${stateDirectory}/salt)" >> ${envFile}
 +          echo "analytics.salt=$(cat ${cfg.dataDir}/salt)" >> ${envFile}
           ${if (cfg.database.passwordFile != null) then ''
             echo "database.default.password=$(cat ${lib.escapeShellArg cfg.database.passwordFile})" >> ${envFile}
@@ -192,10 +212,10 @@ in
           ''}
           ${lib.optionalString (cfg.environmentFile != null) ''
 -            cat ${lib.escapeShellArg cfg.environmentFile}) >> ${envFile}
 +            cat ${lib.escapeShellArg cfg.environmentFile} >> ${envFile}
           ''}
 -          php spark castopod:database-update
 +          php ${cfg.package}/share/castopod/spark castopod:database-update
         '';
       serviceConfig = {
         StateDirectory = "castopod";
@@ -204,6 +224,7 @@ in
         RemainAfterExit = true;
         User = user;
         Group = config.services.nginx.group;
 +        ReadWritePaths = cfg.dataDir;
       };
     };
@@ -212,9 +233,7 @@ in
       wantedBy = [ "multi-user.target" ];
       path = [ phpPackage ];
       script = ''
 -        php public/index.php scheduled-activities
 -        php public/index.php scheduled-websub-publish
 -        php public/index.php scheduled-video-clips
 +        php ${cfg.package}/share/castopod/spark tasks:run
       '';
       serviceConfig = {
         StateDirectory = "castopod";
@@ -222,6 +241,8 @@ in
         Type = "oneshot";
         User = user;
         Group = config.services.nginx.group;
 +        ReadWritePaths = cfg.dataDir;
 +        LogLevelMax = "notice"; # otherwise periodic tasks flood the journal
       };
     };
@@ -251,6 +272,7 @@ in
         extraConfig = ''
           try_files $uri $uri/ /index.php?$args;
           index index.php index.html;
 +          client_max_body_size ${toString cfg.maxUploadSize}M;
         '';
         locations."^~ /${cfg.settings."media.root"}/" = {
@@ -278,7 +300,7 @@ in
       };
     };
 -    users.users.${user} = lib.mapAttrs (name: lib.mkDefault) {
 +    users.users.${user} = lib.mapAttrs (_name: lib.mkDefault) {
       description = "Castopod user";
       isSystemUser = true;
       group = config.services.nginx.group;
 diff --git a/nixos/tests/castopod.nix b/nixos/tests/castopod.nix
 index 4435ec617d4e67..2db7aa0bda6507 100644
 --- a/nixos/tests/castopod.nix
 +++ b/nixos/tests/castopod.nix
@@ -4,74 +4,211 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
   meta = with lib.maintainers; {
     maintainers = [ alexoundos misuzu ];
   };
 +
   nodes.castopod = { nodes, ... }: {
 +    # otherwise 500 MiB file upload fails!
 +    virtualisation.diskSize = 512 + 3 * 512;
 +
     networking.firewall.allowedTCPPorts = [ 80 ];
 -    networking.extraHosts = ''
 -      127.0.0.1 castopod.example.com
 -    '';
 +    networking.extraHosts =
 +      lib.strings.concatStringsSep "\n"
 +        (lib.attrsets.mapAttrsToList
 +          (name: _: "127.0.0.1 ${name}")
 +          nodes.castopod.services.nginx.virtualHosts);
 +
     services.castopod = {
       enable = true;
       database.createLocally = true;
       localDomain = "castopod.example.com";
 +      maxUploadSize = 512;
     };
 -    environment.systemPackages =
 -      let
 -        username = "admin";
 -        email = "admin@castood.example.com";
 -        password = "v82HmEp5";
 -        testRunner = pkgs.writers.writePython3Bin "test-runner"
 -          {
 -            libraries = [ pkgs.python3Packages.selenium ];
 -            flakeIgnore = [
 -              "E501"
 -            ];
 -          } ''
 -          from selenium.webdriver.common.by import By
 -          from selenium.webdriver import Firefox
 -          from selenium.webdriver.firefox.options import Options
 -          from selenium.webdriver.support.ui import WebDriverWait
 -          from selenium.webdriver.support import expected_conditions as EC
 -
 -          options = Options()
 -          options.add_argument('--headless')
 -          driver = Firefox(options=options)
 -          try:
 -              driver.implicitly_wait(20)
 -              driver.get('http://castopod.example.com/cp-install')
 -
 -              wait = WebDriverWait(driver, 10)
 -
 -              wait.until(EC.title_contains("installer"))
 -
 -              driver.find_element(By.CSS_SELECTOR, '#username').send_keys(
 -                  '${username}'
 -              )
 -              driver.find_element(By.CSS_SELECTOR, '#email').send_keys(
 -                  '${email}'
 -              )
 -              driver.find_element(By.CSS_SELECTOR, '#password').send_keys(
 -                  '${password}'
 -              )
 -              driver.find_element(By.XPATH, "//button[contains(., 'Finish install')]").click()
 -
 -              wait.until(EC.title_contains("Auth"))
 -
 -              driver.find_element(By.CSS_SELECTOR, '#email').send_keys(
 -                  '${email}'
 -              )
 -              driver.find_element(By.CSS_SELECTOR, '#password').send_keys(
 -                  '${password}'
 -              )
 -              driver.find_element(By.XPATH, "//button[contains(., 'Login')]").click()
 -
 -              wait.until(EC.title_contains("Admin dashboard"))
 -          finally:
 -              driver.close()
 -              driver.quit()
 -        '';
 -      in
 -      [ pkgs.firefox-unwrapped pkgs.geckodriver testRunner ];
   };
 +
 +  nodes.client = { nodes, pkgs, lib, ... }:
 +    let
 +      domain = nodes.castopod.services.castopod.localDomain;
 +
 +      getIP = node:
 +        (builtins.head node.networking.interfaces.eth1.ipv4.addresses).address;
 +
 +      targetPodcastSize = 500 * 1024 * 1024;
 +      lameMp3Bitrate = 348300;
 +      lameMp3FileAdjust = -800;
 +      targetPodcastDuration = toString
 +        ((targetPodcastSize + lameMp3FileAdjust) / (lameMp3Bitrate / 8));
 +      mp3file = with pkgs;
 +        runCommand "gen-castopod.mp3" { nativeBuildInputs = [ sox lame ]; } ''
 +          sox -n -r 48000 -t wav - synth ${targetPodcastDuration} sine 440 `
 +          `| lame --noreplaygain -cbr -q 9 -b 320 - $out
 +          FILESIZE="$(stat -c%s $out)"
 +          [ "$FILESIZE" -gt 0 ]
 +          [ "$FILESIZE" -le "${toString targetPodcastSize}" ]
 +        '';
 +
 +      bannerWidth = 3000;
 +      banner = pkgs.runCommand "gen-castopod-cover.jpg" { } ''
 +        ${pkgs.imagemagick}/bin/magick `
 +        `-background green -bordercolor white -gravity northwest xc:black `
 +        `-duplicate 99 `
 +        `-seed 1 -resize "%[fx:rand()*72+24]" `
 +        `-seed 0 -rotate "%[fx:rand()*360]" -border 6x6 -splice 16x36 `
 +        `-seed 0 -rotate "%[fx:floor(rand()*4)*90]" -resize "150x50!" `
 +        `+append -crop 10x1@ +repage -roll "+%[fx:(t%2)*72]+0" -append `
 +        `-resize ${toString bannerWidth} -quality 1 $out
 +      '';
 +
 +      coverWidth = toString 3000;
 +      cover = pkgs.runCommand "gen-castopod-banner.jpg" { } ''
 +        ${pkgs.imagemagick}/bin/magick `
 +        `-background white -bordercolor white -gravity northwest xc:black `
 +        `-duplicate 99 `
 +        `-seed 1 -resize "%[fx:rand()*72+24]" `
 +        `-seed 0 -rotate "%[fx:rand()*360]" -border 6x6 -splice 36x36 `
 +        `-seed 0 -rotate "%[fx:floor(rand()*4)*90]" -resize "144x144!" `
 +        `+append -crop 10x1@ +repage -roll "+%[fx:(t%2)*72]+0" -append `
 +        `-resize ${coverWidth} -quality 1 $out
 +      '';
 +    in
 +    {
 +      networking.extraHosts =
 +        lib.strings.concatStringsSep "\n"
 +          (lib.attrsets.mapAttrsToList
 +            (name: _: "${getIP nodes.castopod} ${name}")
 +            nodes.castopod.services.nginx.virtualHosts);
 +
 +      environment.systemPackages =
 +        let
 +          username = "admin";
 +          email = "admin@${domain}";
 +          password = "Abcd1234";
 +          podcastTitle = "Some Title";
 +          episodeTitle = "Episode Title";
 +          browser-test = pkgs.writers.writePython3Bin "browser-test"
 +            {
 +              libraries = [ pkgs.python3Packages.selenium ];
 +              flakeIgnore = [ "E124" "E501" ];
 +            } ''
 +            from selenium.webdriver.common.by import By
 +            from selenium.webdriver import Firefox
 +            from selenium.webdriver.firefox.options import Options
 +            from selenium.webdriver.firefox.service import Service
 +            from selenium.webdriver.support.ui import WebDriverWait
 +            from selenium.webdriver.support import expected_conditions as EC
 +            from subprocess import STDOUT
 +            import logging
 +
 +            selenium_logger = logging.getLogger("selenium")
 +            selenium_logger.setLevel(logging.DEBUG)
 +            selenium_logger.addHandler(logging.StreamHandler())
 +
 +            options = Options()
 +            options.add_argument('--headless')
 +            service = Service(log_output=STDOUT)
 +            driver = Firefox(options=options, service=service)
 +            driver = Firefox(options=options)
 +            driver.implicitly_wait(20)
 +
 +            # install ##########################################################
 +
 +            driver.get('http://${domain}/cp-install')
 +
 +            wait = WebDriverWait(driver, 10)
 +
 +            wait.until(EC.title_contains("installer"))
 +
 +            driver.find_element(By.CSS_SELECTOR, '#username').send_keys(
 +                '${username}'
 +            )
 +            driver.find_element(By.CSS_SELECTOR, '#email').send_keys(
 +                '${email}'
 +            )
 +            driver.find_element(By.CSS_SELECTOR, '#password').send_keys(
 +                '${password}'
 +            )
 +            driver.find_element(By.XPATH,
 +                                "//button[contains(., 'Finish install')]"
 +            ).click()
 +
 +            wait.until(EC.title_contains("Auth"))
 +
 +            driver.find_element(By.CSS_SELECTOR, '#email').send_keys(
 +                '${email}'
 +            )
 +            driver.find_element(By.CSS_SELECTOR, '#password').send_keys(
 +                '${password}'
 +            )
 +            driver.find_element(By.XPATH,
 +                                "//button[contains(., 'Login')]"
 +            ).click()
 +
 +            wait.until(EC.title_contains("Admin dashboard"))
 +
 +            # create podcast ###################################################
 +
 +            driver.get('http://${domain}/admin/podcasts/new')
 +
 +            wait.until(EC.title_contains("Create podcast"))
 +
 +            driver.find_element(By.CSS_SELECTOR, '#cover').send_keys(
 +                '${cover}'
 +            )
 +            driver.find_element(By.CSS_SELECTOR, '#banner').send_keys(
 +                '${banner}'
 +            )
 +            driver.find_element(By.CSS_SELECTOR, '#title').send_keys(
 +                '${podcastTitle}'
 +            )
 +            driver.find_element(By.CSS_SELECTOR, '#handle').send_keys(
 +                'some_handle'
 +            )
 +            driver.find_element(By.CSS_SELECTOR, '#description').send_keys(
 +                'Some description'
 +            )
 +            driver.find_element(By.CSS_SELECTOR, '#owner_name').send_keys(
 +                'Owner Name'
 +            )
 +            driver.find_element(By.CSS_SELECTOR, '#owner_email').send_keys(
 +                'owner@email.xyz'
 +            )
 +            driver.find_element(By.XPATH,
 +                                "//button[contains(., 'Create podcast')]"
 +            ).click()
 +
 +            wait.until(EC.title_contains("${podcastTitle}"))
 +
 +            driver.find_element(By.XPATH,
 +                                "//span[contains(., 'Add an episode')]"
 +            ).click()
 +
 +            wait.until(EC.title_contains("Add an episode"))
 +
 +            # upload podcast ###################################################
 +
 +            driver.find_element(By.CSS_SELECTOR, '#audio_file').send_keys(
 +                '${mp3file}'
 +            )
 +            driver.find_element(By.CSS_SELECTOR, '#cover').send_keys(
 +                '${cover}'
 +            )
 +            driver.find_element(By.CSS_SELECTOR, '#description').send_keys(
 +                'Episode description'
 +            )
 +            driver.find_element(By.CSS_SELECTOR, '#title').send_keys(
 +                '${episodeTitle}'
 +            )
 +            driver.find_element(By.XPATH,
 +                                "//button[contains(., 'Create episode')]"
 +            ).click()
 +
 +            wait.until(EC.title_contains("${episodeTitle}"))
 +
 +            driver.close()
 +            driver.quit()
 +          '';
 +        in
 +        [ pkgs.firefox-unwrapped pkgs.geckodriver browser-test ];
 +    };
 +
   testScript = ''
     start_all()
     castopod.wait_for_unit("castopod-setup.service")
@@ -79,9 +216,9 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
     castopod.wait_for_unit("nginx.service")
     castopod.wait_for_open_port(80)
     castopod.wait_until_succeeds("curl -sS -f http://castopod.example.com")
 -    castopod.succeed("curl -s http://localhost/cp-install | grep 'Create your Super Admin account' > /dev/null")
 -    with subtest("Create superadmin and log in"):
 -        castopod.succeed("PYTHONUNBUFFERED=1 systemd-cat -t test-runner test-runner")
 +    with subtest("Create superadmin, log in, create and upload a podcast"):
 +        client.succeed(\
 +          "PYTHONUNBUFFERED=1 systemd-cat -t browser-test browser-test")
   '';
 })
 diff --git a/pkgs/applications/audio/castopod/default.nix b/pkgs/applications/audio/castopod/default.nix
 index 83c70f9b36646d..badace09587d2b 100644
 --- a/pkgs/applications/audio/castopod/default.nix
 +++ b/pkgs/applications/audio/castopod/default.nix
@@ -3,7 +3,7 @@
 , ffmpeg-headless
 , lib
 , nixosTests
 -, stateDirectory ? "/var/lib/castopod"
 +, dataDir ? "/var/lib/castopod"
 }:
 stdenv.mkDerivation {
   pname = "castopod";
@@ -20,13 +20,16 @@ stdenv.mkDerivation {
   postPatch = ''
     # not configurable at runtime unfortunately:
     substituteInPlace app/Config/Paths.php \
 -      --replace "__DIR__ . '/../../writable'" "'${stateDirectory}/writable'"
 +      --replace "__DIR__ . '/../../writable'" "'${dataDir}/writable'"
 -    # configuration file must be writable, place it to ${stateDirectory}
 +    substituteInPlace modules/Admin/Controllers/DashboardController.php \
 +      --replace "disk_total_space('./')" "disk_total_space('${dataDir}')"
 +
 +    # configuration file must be writable, place it to ${dataDir}
     substituteInPlace modules/Install/Controllers/InstallController.php \
 -      --replace "ROOTPATH" "'${stateDirectory}/'"
 +      --replace "ROOTPATH" "'${dataDir}/'"
     substituteInPlace public/index.php spark \
 -      --replace "DotEnv(ROOTPATH)" "DotEnv('${stateDirectory}')"
 +      --replace "DotEnv(ROOTPATH)" "DotEnv('${dataDir}')"
     # ffmpeg is required for Video Clips feature
     substituteInPlace modules/MediaClipper/VideoClipper.php \
 From 45d43fe39fa3167d5cf7ba9a2cb9fcd6fbe2c5c3 Mon Sep 17 00:00:00 2001
 From: Alexander Tomokhov <alexoundos@gmail.com>
 Date: Mon, 11 Dec 2023 09:00:26 +0400
 Subject: [PATCH 3/8] nixos/castopod: little documentation fix
 ---
 nixos/modules/services/web-apps/castopod.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/nixos/modules/services/web-apps/castopod.nix b/nixos/modules/services/web-apps/castopod.nix
 index 7c99551c83183f..11cf4b36aeb385 100644
 --- a/nixos/modules/services/web-apps/castopod.nix
 +++ b/nixos/modules/services/web-apps/castopod.nix
@@ -126,9 +126,10 @@ in
           Maximum supported size for a file upload in MiB. Maximum HTTP body
           size is set to this value for nginx and PHP (because castopod doesn't
           support chunked uploads yet:
 -          https://code.castopod.org/adaures/castopod/-/issues/330). Note, that
 -          practical upload size limit is smaller. For example, with 512 MiB
 -          setting - around 500 MiB is possible.
 +          https://code.castopod.org/adaures/castopod/-/issues/330).
 +
 +          Note, that practical upload size limit is smaller. For example, with
 +          512 MiB setting - around 500 MiB is possible.
         '';
       };
     };
 From 4aafd48b7e76748eaf0ff7409b12b455d1db31ec Mon Sep 17 00:00:00 2001
 From: sinavir <sinavir@sinavir.fr>
 Date: Fri, 23 Feb 2024 22:02:10 +0100
 Subject: [PATCH 4/8] castopod: 1.6.5 -> 1.10.3
 ---
 pkgs/applications/audio/castopod/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/pkgs/applications/audio/castopod/default.nix b/pkgs/applications/audio/castopod/default.nix
 index badace09587d2b..438f1d728f9624 100644
 --- a/pkgs/applications/audio/castopod/default.nix
 +++ b/pkgs/applications/audio/castopod/default.nix
@@ -10,8 +10,8 @@ stdenv.mkDerivation {
   version = "1.6.5";
   src = fetchurl {
 -    url = "https://code.castopod.org/adaures/castopod/uploads/5aaaa6cf2edaed25bd7253449e5f8584/castopod-1.6.5.tar.gz";
 -    sha256 = "04gcq2vmfy5aa2fmsm1qqv1k8g024nikmysdrhy33wj460d529b5";
 +    url = "https://code.castopod.org/adaures/castopod/uploads/2bb52d4607a772ac8b397efa3559a3ae/castopod-1.10.3.tar.gz";
 +    sha256 = "0w1yl14v3aajm089vwpq9wkiibv3w312y004ggdbf7xwzsrmjs51";
   };
   dontBuild = true;
 From 6205595efbdcc2f3440022b4ff7258e2f50a6427 Mon Sep 17 00:00:00 2001
 From: sinavir <sinavir@sinavir.fr>
 Date: Fri, 23 Feb 2024 22:27:24 +0100
 Subject: [PATCH 6/8] nixos/castopod: use LoadCredentials
 ---
 nixos/modules/services/web-apps/castopod.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
 diff --git a/nixos/modules/services/web-apps/castopod.nix b/nixos/modules/services/web-apps/castopod.nix
 index 11cf4b36aeb385..042fb3954d2b73 100644
 --- a/nixos/modules/services/web-apps/castopod.nix
 +++ b/nixos/modules/services/web-apps/castopod.nix
@@ -67,6 +67,8 @@ in
           description = lib.mdDoc ''
             A file containing the password corresponding to
             [](#opt-services.castopod.database.user).
 +
 +            This file is loaded using systemd LoadCredentials.
           '';
         };
       };
@@ -93,6 +95,8 @@ in
           Environment file to inject e.g. secrets into the configuration.
           See [](https://code.castopod.org/adaures/castopod/-/blob/main/.env.example)
           for available environment variables.
 +
 +          This file is loaded using systemd LoadCredentials.
         '';
       };
       configureNginx = lib.mkOption {
@@ -207,19 +211,23 @@ in
           echo "analytics.salt=$(cat ${cfg.dataDir}/salt)" >> ${envFile}
           ${if (cfg.database.passwordFile != null) then ''
 -            echo "database.default.password=$(cat ${lib.escapeShellArg cfg.database.passwordFile})" >> ${envFile}
 +            echo "database.default.password=$(cat "$CREDENTIALS_DIRECTORY/dbpasswordfile)" >> ${envFile}
           '' else ''
             echo "database.default.password=" >> ${envFile}
           ''}
           ${lib.optionalString (cfg.environmentFile != null) ''
 -            cat ${lib.escapeShellArg cfg.environmentFile} >> ${envFile}
 +            cat "$CREDENTIALS_DIRECTORY/envfile" >> ${envFile}
           ''}
           php ${cfg.package}/share/castopod/spark castopod:database-update
         '';
       serviceConfig = {
         StateDirectory = "castopod";
 +        LoadCredential = lib.optional (cfg.environmentFile != null)
 +          "envfile:${cfg.environmentFile}"
 +        ++ (lib.optional (cfg.database.passwordFile != null)
 +          "dbpasswordfile:${cfg.database.passwordFile}");
         WorkingDirectory = "${cfg.package}/share/castopod";
         Type = "oneshot";
         RemainAfterExit = true;
 From 9b03fc35a30671e5d4146bbcbe6b5536fa9baacc Mon Sep 17 00:00:00 2001
 From: sinavir <sinavir@sinavir.fr>
 Date: Sat, 2 Mar 2024 18:01:54 +0100
 Subject: [PATCH 7/8] nixos/castopod: build mp3 in the test
 ---
 nixos/tests/castopod.nix | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)
 diff --git a/nixos/tests/castopod.nix b/nixos/tests/castopod.nix
 index 2db7aa0bda6507..2bdc6941c23815 100644
 --- a/nixos/tests/castopod.nix
 +++ b/nixos/tests/castopod.nix
@@ -37,14 +37,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
       targetPodcastDuration = toString
         ((targetPodcastSize + lameMp3FileAdjust) / (lameMp3Bitrate / 8));
       mp3file = with pkgs;
 -        runCommand "gen-castopod.mp3" { nativeBuildInputs = [ sox lame ]; } ''
 -          sox -n -r 48000 -t wav - synth ${targetPodcastDuration} sine 440 `
 -          `| lame --noreplaygain -cbr -q 9 -b 320 - $out
 -          FILESIZE="$(stat -c%s $out)"
 -          [ "$FILESIZE" -gt 0 ]
 -          [ "$FILESIZE" -le "${toString targetPodcastSize}" ]
 -        '';
 -
 +        runCommand ;
       bannerWidth = 3000;
       banner = pkgs.runCommand "gen-castopod-cover.jpg" { } ''
         ${pkgs.imagemagick}/bin/magick `
@@ -185,7 +178,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
             # upload podcast ###################################################
             driver.find_element(By.CSS_SELECTOR, '#audio_file').send_keys(
 -                '${mp3file}'
 +                '/tmp/podcast.mp3'
             )
             driver.find_element(By.CSS_SELECTOR, '#cover').send_keys(
                 '${cover}'
@@ -206,7 +199,23 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
             driver.quit()
           '';
         in
 -        [ pkgs.firefox-unwrapped pkgs.geckodriver browser-test ];
 +        [
 +          pkgs.firefox-unwrapped
 +          pkgs.geckodriver
 +          browser-test
 +          (pkgs.writeShellApplication {
 +            name = "build-mp3";
 +            runtimeInputs = with pkgs; [ sox lame ];
 +            text = ''
 +              out=/tmp/podcast.mp3
 +              sox -n -r 48000 -t wav - synth ${targetPodcastDuration} sine 440 `
 +              `| lame --noreplaygain -cbr -q 9 -b 320 - $out
 +              FILESIZE="$(stat -c%s $out)"
 +              [ "$FILESIZE" -gt 0 ]
 +              [ "$FILESIZE" -le "${toString targetPodcastSize}" ]
 +            '';
 +          })
 +        ];
     };
   testScript = ''
@@ -217,6 +226,8 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
     castopod.wait_for_open_port(80)
     castopod.wait_until_succeeds("curl -sS -f http://castopod.example.com")
 +    client.succeed("build-mp3")
 +
     with subtest("Create superadmin, log in, create and upload a podcast"):
         client.succeed(\
           "PYTHONUNBUFFERED=1 systemd-cat -t browser-test browser-test")
 From 538281e8be427f820371f4005e991e0281872e12 Mon Sep 17 00:00:00 2001
 From: sinavir <sinavir@sinavir.fr>
 Date: Sat, 2 Mar 2024 18:04:35 +0100
 Subject: [PATCH 8/8] nixos/castopod: Increase test timeouts
 ---
 nixos/tests/castopod.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/nixos/tests/castopod.nix b/nixos/tests/castopod.nix
 index 2bdc6941c23815..2c5c745f7da0df 100644
 --- a/nixos/tests/castopod.nix
 +++ b/nixos/tests/castopod.nix
@@ -105,7 +105,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
             driver.get('http://${domain}/cp-install')
 -            wait = WebDriverWait(driver, 10)
 +            wait = WebDriverWait(driver, 20)
             wait.until(EC.title_contains("installer"))
--- a/patches/03-nextcloud.patch
+++ b/patches/03-nextcloud.patch
@ -1,28 +0,0 @@
 --- a/nixos/modules/services/web-apps/nextcloud.nix
 +++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -131,6 +131,7 @@
     (mkRemovedOptionModule [ "services" "nextcloud" "disableImagemagick" ] ''
       Use services.nextcloud.enableImagemagick instead.
     '')
 +    (mkRenamedOptionModule [ "services" "nextcloud" "config" "objectstore" "s3" "autocreate" ] [ "services" "nextcloud" "config" "objectstore" "s3" "verify_bucket_exists" ])
   ];
   options.services.nextcloud = {
@@ -487,7 +487,7 @@
               The name of the S3 bucket.
             '';
           };
 -          autocreate = mkOption {
 +          verify_bucket_exists = mkOption {
             type = types.bool;
             description = lib.mdDoc ''
               Create the objectstore if it does not exist.
@@ -820,7 +820,7 @@
               'class' => '\\OC\\Files\\ObjectStore\\S3',
               'arguments' => [
                 'bucket' => '${s3.bucket}',
 -                'autocreate' => ${boolToString s3.autocreate},
 +                'verify_bucket_exists' => ${boolToString s3.verify_bucket_exists},
                 'key' => '${s3.key}',
                 'secret' => nix_read_secret('${s3.secretFile}'),
                 ${optionalString (s3.hostname != null) "'hostname' => '${s3.hostname}',"}
--- a/patches/default.nix
+++ b/patches/default.nix
@ -1,12 +1,19 @@
-{
+let
-  "nixos-24.05" = [
+  local = path: {
-    # netbox qrcode plugin
+    _type = "static";
-    {
+    inherit path;
-      _type = "commit";
+  };
-      sha = "c82191d848e7a37e125ee15c485f32ac01afc0b2";
+in
      hash = "sha256-TooktlqihtULzJJsHvm8EubbUdJZvbDKdIDcYu7Qcig=";
    }
 {
  lix = [
    (local ./lix/01-disable-installChecks.patch)
  ];
  "nixos-24.05" = [
    (local ./nixpkgs/06-netbox-qrcode.patch)
    # nixos/nextcloud: Rename autocreate (a no-op) to verify_bucket_exists
    {
      id = "275165";
      hash = "sha256-9a26V3Pi8yLD3N9+mC1kvJoruxRTp/qOHapnt6VX7pw=";
@ -20,10 +27,7 @@
    }
    # Crabfit: don't depend on all google-fonts
-    {
+    (local ./nixpkgs/04-crabfit-karla.patch)
      _type = "static";
      path = ./04-crabfit-karla.patch;
    }
    # nixos/kanidm: add basic provisioning
    {
@ -48,16 +52,9 @@
  "nixos-unstable" = [
    # netbox qrcode plugin
-    {
+    (local ./nixpkgs/06-netbox-qrcode.patch)
      _type = "commit";
      sha = "c82191d848e7a37e125ee15c485f32ac01afc0b2";
      hash = "sha256-TooktlqihtULzJJsHvm8EubbUdJZvbDKdIDcYu7Qcig=";
    }
    # Build netbird-relay
-    {
+    (local ./nixpkgs/05-netbird-relay.patch)
      _type = "static";
      path = ./05-netbird-relay.patch;
    }
  ];
 }
--- a/patches/lix/01-disable-installChecks.patch
+++ b/patches/lix/01-disable-installChecks.patch
--- a/patches/nixpkgs/04-crabfit-karla.patch
+++ b/patches/nixpkgs/04-crabfit-karla.patch
--- a/patches/nixpkgs/05-netbird-relay.patch
+++ b/patches/nixpkgs/05-netbird-relay.patch
--- a/patches/nixpkgs/06-netbox-qrcode.patch
+++ b/patches/nixpkgs/06-netbox-qrcode.patch
@ -0,0 +1,70 @@
 diff --git a/pkgs/development/python-modules/netbox-qrcode/default.nix b/pkgs/development/python-modules/netbox-qrcode/default.nix
 new file mode 100644
 index 000000000000..b378b839a8dc
 --- /dev/null
 +++ b/pkgs/development/python-modules/netbox-qrcode/default.nix
@@ -0,0 +1,51 @@
 +{ lib
 +, buildPythonPackage
 +, fetchFromGitHub
 +, setuptools
 +, wheel
 +, pillow
 +, qrcode
 +, netbox
 +}:
 +
 +buildPythonPackage rec {
 +  pname = "netbox-qrcode";
 +  version = "0.0.13";
 +  pyproject = true;
 +
 +  src = fetchFromGitHub {
 +    owner = "netbox-community";
 +    repo = "netbox-qrcode";
 +    rev = "v${version}";
 +    hash = "sha256-/labSZyB1SkU/uemuL946RDk8IVEAgCYJY2vrJFney0=";
 +  };
 +
 +  nativeBuildInputs = [
 +    setuptools
 +    wheel
 +  ];
 +
 +  propagatedBuildInputs = [
 +    qrcode
 +    pillow
 +  ];
 +
 +  checkInputs = [
 +    netbox
 +  ];
 +
 +  preFixup = ''
 +    export PYTHONPATH=${netbox}/opt/netbox/netbox:$PYTHONPATH
 +  '';
 +
 +  pythonImportsCheck = [
 +    "netbox_qrcode"
 +  ];
 +
 +  meta = with lib; {
 +    description = "NetBox Plugin for generate QR Codes";
 +    homepage = "https://github.com/netbox-community/netbox-qrcode";
 +    license = licenses.asl20;
 +    maintainers = with maintainers; [ sinavir ];
 +  };
 +}
 diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
 index 9999d745e3ac..b226e0063672 100644
 --- a/pkgs/top-level/python-packages.nix
 +++ b/pkgs/top-level/python-packages.nix
@@ -8989,6 +8989,8 @@ self: super: with self; {
   netbox-reorder-rack = callPackage ../development/python-modules/netbox-reorder-rack { };
 +  netbox-qrcode = callPackage ../development/python-modules/netbox-qrcode { };
 +
   netcdf4 = callPackage ../development/python-modules/netcdf4 { };
   netdata = callPackage ../development/python-modules/netdata { };
--- a/scripts/cache-node.sh
+++ b/scripts/cache-node.sh
@ -1,6 +1,9 @@
-set -eu -o pipefail
+set -o errexit
 set -o nounset
 set -o pipefail
 shopt -s lastpipe
-drv=$("@colmena@/bin/colmena" eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel")
+drv=$(colmena eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel")
 # Build the derivation and send it to the great beyond
 nix-store --query --requisites --force-realise --include-outputs "$drv" | grep -v '.*\.drv' >paths.txt
--- a/scripts/check-deployment.sh
+++ b/scripts/check-deployment.sh
@ -1,7 +1,3 @@
 #!/usr/bin/env bash
 #!@bash@/bin/bash
 # shellcheck shell=bash
 set -o errexit
 set -o nounset
 set -o pipefail
@ -82,19 +78,18 @@ retrieve_current_system () {
  ssh -n "root@$1" "readlink -f /run/current-system"
 }
 return_status=0
-echo "$RESULTS" | @jq@/bin/jq -c '.[]' |
+echo "$RESULTS" | jq -c '.[]' |
  while IFS=$'\n' read -r c; do
-  machine=$(echo "$c" | @jq@/bin/jq -r '.machine')
+    machine=$(echo "$c" | jq -r '.machine')
    if [[ -n ${node-} ]] && [[ "$machine" != "$node" ]]; then
      echo "Skipping ${machine}"
      continue
    fi
-  expected_path=$(echo "$c" | @jq@/bin/jq -r '.path')
+    expected_path=$(echo "$c" | jq -r '.path')
-  domain=$(echo "$c" | @jq@/bin/jq -r '.domain')
+    domain=$(echo "$c" | jq -r '.domain')
-  drv_path=$(echo "$c" | @jq@/bin/jq -r '.drv')
+    drv_path=$(echo "$c" | jq -r '.drv')
    err=0
    current_path=$(retrieve_current_system "$domain") || err=1
@ -109,7 +104,7 @@ while IFS=$'\n' read -r c; do
      nix-copy-closure --from "root@$domain" "$current_path"
      nix-store -r "$drv_path"
      echo "$machine -> error. nvd output:"
-    @nvd@/bin/nvd  diff "$expected_path" "$current_path"
+      nvd diff "$expected_path" "$current_path"
      return_status=1
    else
      echo "☠️ $machine -> error:"
--- a/scripts/default.nix
+++ b/scripts/default.nix
@ -1,39 +1,32 @@
-{ pkgs, ... }:
+{ pkgs }:
 let
-  substitutions = {
+  inherit (pkgs.lib) mapAttrs;
  inherit (pkgs)
-      bash
+    writeShellApplication
    colmena
      coreutils
      nvd
      git
    jq
    nvd
    ;
  };
-  mkShellScript =
+  scripts = {
-    name:
+    cache-node = [ colmena ];
-    (pkgs.substituteAll (
+    check-deployment = [
-      {
+      colmena
-        inherit name;
+      jq
-        src = ./. + "/${name}.sh";
+      nvd
        dir = "/bin/";
        isExecutable = true;
        checkPhase = ''
          ${pkgs.stdenv.shellDryRun} "$target"
        '';
      }
      // substitutions
    ));
  scripts = [
    "cache-node"
    "check-deployment"
    "launch-vm"
    "list-nodes"
    ];
    launch-vm = [ colmena ];
    list-nodes = [ jq ];
  };
 in
-builtins.map mkShellScript scripts
+mapAttrs (
  name: runtimeInputs:
  writeShellApplication {
    inherit name runtimeInputs;
    text = builtins.readFile ./${name}.sh;
  }
 ) scripts
--- a/scripts/launch-vm.sh
+++ b/scripts/launch-vm.sh
@ -1,8 +1,7 @@
 #!@bash@/bin/bash
 # shellcheck shell=bash
 set -o errexit
 set -o nounset
 set -o pipefail
 shopt -s lastpipe
 MACHINE=""
 HOSTFWD=""
@ -25,9 +24,12 @@ while getopts 'p:o:h' opt; do
 done
 shift "$((OPTIND - 1))"
-if [ -z "$MACHINE" ]; then echo "-o option needed"; exit 1; fi
+if [ -z "$MACHINE" ]; then
  echo "-o option needed"
  exit 1
 fi
-DRV_PATH=$(@colmena@/bin/colmena eval --instantiate -E "{nodes, ...}: nodes.$MACHINE.config.system.build.vm")
+DRV_PATH=$(colmena eval --instantiate -E "{nodes, ...}: nodes.$MACHINE.config.system.build.vm")
 echo "Realising $DRV_PATH"
 RESULT=$(nix-store -r "$DRV_PATH")
--- a/scripts/list-nodes.sh
+++ b/scripts/list-nodes.sh
@ -1,6 +1,8 @@
-#!@bash@/bin/bash
+set -o errexit
-# shellcheck shell=bash
+set -o nounset
 set -o pipefail
 shopt -s lastpipe
-cd $(@git@/bin/git rev-parse --show-toplevel)
+cd "$(git rev-parse --show-toplevel)"
-nix-instantiate --strict --eval --json -A nodes | @jq@/bin/jq .
+nix-instantiate --strict --eval --json -A nodes | jq .
--- a/shell.nix
+++ b/shell.nix
@ -1 +1 @@
-(import ./. { }).shells.default
+(import ./. { }).devShell
--- a/workflows/check-meta.nix
+++ b/workflows/check-meta.nix
@ -0,0 +1,31 @@
 {
  name = "Check meta";
  on = {
    pull_request.branches = [ "main" ];
    push.paths = [ "meta/*" ];
  };
  jobs = {
    check_meta = {
      runs-on = "nix";
      steps = [
        { uses = "actions/checkout@v3"; }
        {
          name = "Check the validity of meta options";
          run = "nix-build meta/verify.nix -A meta";
        }
      ];
    };
    check_dns = {
      runs-on = "nix";
      steps = [
        { uses = "actions/checkout@v3"; }
        {
          name = "Check the validity of the DNS configuration";
          run = "nix-build meta/verify.nix -A dns";
        }
      ];
    };
  };
 }
--- a/workflows/check-workflows.nix
+++ b/workflows/check-workflows.nix
@ -0,0 +1,20 @@
 {
  name = "Check workflows";
  on = {
    pull_request.branches = [ "main" ];
    push.paths = [ "workflows/*" ];
  };
  jobs = {
    check_workflows = {
      runs-on = "nix";
      steps = [
        { uses = "actions/checkout@v3"; }
        {
          name = "Check that the workflows are up to date";
          run = "nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l) -eq 0 ]'";
        }
      ];
    };
  };
 }
--- a/workflows/eval-nodes.nix
+++ b/workflows/eval-nodes.nix
@ -0,0 +1,32 @@
 { lib }:
 let
  inherit (lib) attrNames genAttrs;
  nodes = attrNames (builtins.readDir ../machines);
 in
 {
  name = "Build all the nodes";
  on = {
    pull_request.branches = [ "main" ];
    push.branches = [ "main" ];
  };
  jobs = genAttrs nodes (node: {
    runs-on = "nix";
    steps = [
      { uses = "actions/checkout@v3"; }
      {
        name = "Build and cache ${node}";
        run = "nix-shell -A eval-nodes --run cache-node";
        env = {
          STORE_ENDPOINT = "https://tvix-store.dgnum.eu/infra-signing/";
          STORE_USER = "admin";
          STORE_PASSWORD = "\${{ secrets.STORE_PASSWORD }}";
          BUILD_NODE = node;
        };
      }
    ];
  });
 }
--- a/.forgejo/workflows/npins.yaml
+++ b/.forgejo/workflows/npins.yaml
@ -1,31 +1,24 @@
-name: npins update
+{
-on:
+  name = "npins update";
-  schedule:
+  on.schedule = [
    # Run at 11 o'clock every wednesday
-    - cron: "25 15 * * *"
+    { cron = "25 15 * * *"; }
  ];
-jobs:
+  jobs.npins_update = {
-  npins_update:
+    runs-on = "nix";
-    runs-on: nix
+    steps = [
-    steps:
+      {
-      # - name: Install applications
+        uses = "actions/checkout@v3";
-      #   run: apt-get update && apt-get install sudo
+        "with" = {
-      #
+          depth = 0;
-      - uses: actions/checkout@v3
+          token = "\${{ secrets.TEA_DGNUM_CHORES_TOKEN }}";
-        with:
+        };
-          depth: 0
+      }
          token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
      #
      # - uses: https://github.com/cachix/install-nix-action@v22
      #   with:
      #     nix_path: nixpkgs=channel:nixos-unstable
-      # - name: Install tea
+      {
-      #   run: |
+        name = "Update dependencies and open PR if necessary";
-      #     nix-env -f '<nixpkgs>' -i tea
+        run = ''
      - name: Update dependencies and open PR if necessary
        run: |
          npins update
          if [ ! -z "$(git diff --name-only)" ]; then
@ -44,7 +37,7 @@ jobs:
            # Connect to the server with the cli
            tea login add \
              -n dgnum-chores \
-              -t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
+              -t "''${{ secrets.TEA_DGNUM_CHORES_TOKEN }}" \
              -u https://git.dgnum.eu
            # Create a pull request if needed
@ -56,3 +49,8 @@ jobs:
                --head npins-update
            fi
          fi
        '';
      }
    ];
  };
 }
--- a/workflows/pre-commit.nix
+++ b/workflows/pre-commit.nix
@ -0,0 +1,18 @@
 {
  name = "Run pre-commit on all files";
  on = [
    "push"
    "pull_request"
  ];
  jobs.check = {
    runs-on = "nix";
    steps = [
      { uses = "actions/checkout@v3"; }
      {
        name = "Run pre-commit on all files";
        run = "nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure'";
      }
    ];
  };
 }
`@ -1 +1 @@`
	`(import ./. { }).shells.default`	`(import ./. { }).devShell`