feat(infra): showcase the declarative bucket feature

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
feat(infra): add S3 declarative buckets
2024-10-22 13:32:02 +02:00 · 2024-10-22 13:32:02 +02:00 · 2024-10-22 13:32:02 +02:00
55 changed files with 704 additions and 867 deletions
--- a/.credentials/admin-environment.age
+++ b/.credentials/admin-environment.age
--- a/.credentials/secrets.nix
+++ b/.credentials/secrets.nix
@ -0,0 +1,6 @@
 let
  keys = import ../keys;
 in
 {
  "admin-environment.age".publicKeys = keys.rootKeys;
 }
--- a/.envrc
+++ b/.envrc
@ -1,2 +1 @@
 watch_file workflows/*
 use nix
--- a/.forgejo/workflows/check-meta.yaml
+++ b/.forgejo/workflows/check-meta.yaml
@ -1,21 +1,25 @@
 jobs:
  check_dns:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - name: Check the validity of the DNS configuration
      run: nix-build meta/verify.nix -A dns
  check_meta:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - name: Check the validity of meta options
      run: nix-build meta/verify.nix -A meta
 name: Check meta
 on:
  pull_request:
    branches:
-    - main
+      - main
  push:
    paths:
-    - meta/*
+      - 'meta/*'
 jobs:
  check_meta:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Check the validity of meta options
        run: nix-build meta/verify.nix -A meta
  check_dns:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Check the validity of the DNS configuration
        run: nix-build meta/verify.nix -A dns --no-out-link
--- a/.forgejo/workflows/check-workflows.yaml
+++ b/.forgejo/workflows/check-workflows.yaml
@ -1,16 +0,0 @@
 jobs:
  check_workflows:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - name: Check that the workflows are up to date
      run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
        -eq 0 ]'
 name: Check workflows
 on:
  pull_request:
    branches:
    - main
  push:
    paths:
    - workflows/*
--- a/.forgejo/workflows/ds-fr.yaml
+++ b/.forgejo/workflows/ds-fr.yaml
@ -0,0 +1,56 @@
 name: ds-fr update
 on:
  schedule:
    - cron: "26 18 * * wed"
 jobs:
  npins_update:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
        with:
          token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
      - name: Update DS and open PR if necessary
        run: |
          # Fetch the latest release tag
          VERSION=$(curl -L \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
          | jq -r '.tag_name')
          # Move to the ds-fr directory
          cd machines/compute01/ds-fr/package
          # Run the update script
          ./update.sh -v "$VERSION"
          if [ ! -z "$(git diff --name-only)" ]; then
            echo "[+] Changes detected, pushing updates."
            git switch -C ds-update
            git add .
            git config user.name "DGNum Chores"
            git config user.email "tech@dgnum.eu"
            git commit --message "chore(ds-fr): Update"
            git push --set-upstream origin ds-update --force
            # Connect to the server with the cli
            tea login add \
              -n dgnum-chores \
              -t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
              -u https://git.dgnum.eu
            # Create a pull request if needed
            # i.e. no PR with the same title exists
            if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
              tea pr create \
                --description "Automatic ds-fr update" \
                --title "chore(ds-fr): Update" \
                --head ds-update
            fi
          fi
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@ -1,119 +0,0 @@
 jobs:
  bridge01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: bridge01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache bridge01
      run: nix-shell -A eval-nodes --run cache-node
  compute01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: compute01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache compute01
      run: nix-shell -A eval-nodes --run cache-node
  geo01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: geo01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache geo01
      run: nix-shell -A eval-nodes --run cache-node
  geo02:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: geo02
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache geo02
      run: nix-shell -A eval-nodes --run cache-node
  rescue01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: rescue01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache rescue01
      run: nix-shell -A eval-nodes --run cache-node
  storage01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: storage01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache storage01
      run: nix-shell -A eval-nodes --run cache-node
  vault01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: vault01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache vault01
      run: nix-shell -A eval-nodes --run cache-node
  web01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: web01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache web01
      run: nix-shell -A eval-nodes --run cache-node
  web02:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: web02
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache web02
      run: nix-shell -A eval-nodes --run cache-node
  web03:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: web03
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache web03
      run: nix-shell -A eval-nodes --run cache-node
 name: Build all the nodes
 on:
  pull_request:
    branches:
    - main
  push:
    branches:
    - main
--- a/.forgejo/workflows/eval.yaml
+++ b/.forgejo/workflows/eval.yaml
@ -0,0 +1,200 @@
 name: build configuration
 on:
  pull_request:
    types: [opened, synchronize, edited, reopened]
    branches:
      - main
  push:
    branches:
      - main
 jobs:
  build_and_cache_compute01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "compute01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_compute01
          path: paths.txt
  build_and_cache_storage01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "storage01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_storage01
          path: paths.txt
  build_and_cache_rescue01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "rescue01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_rescue01
          path: paths.txt
  build_and_cache_geo01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "geo01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_geo01
          path: paths.txt
  build_and_cache_geo02:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "geo02"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_geo02
          path: paths.txt
  build_and_cache_vault01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "vault01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_vault01
          path: paths.txt
  build_and_cache_web01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "web01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_web01
          path: paths.txt
  build_and_cache_web02:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "web02"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_web02
          path: paths.txt
  build_and_cache_web03:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "web03"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_web02
          path: paths.txt
  build_and_cache_bridge01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "bridge01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_web02
          path: paths.txt
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@ -0,0 +1,11 @@
 name: lint
 on: [push, pull_request]
 jobs:
  check:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Run pre-commit on all files
        run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.
--- a/.forgejo/workflows/npins-update.yaml
+++ b/.forgejo/workflows/npins-update.yaml
@ -1,25 +0,0 @@
 jobs:
  npins_update:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - name: Update dependencies and open PR if necessary
      run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n  echo
        \"[+] Changes detected, pushing updates.\"\n\n  git switch -C npins-update\n\
        \n  git add npins\n\n  git config user.name \"DGNum Chores\"\n  git config
        user.email \"tech@dgnum.eu\"\n\n  git commit --message \"chore(npins): Update\"\
        \n  git push --set-upstream origin npins-update --force\n\n  # Connect to
        the server with the cli\n  tea login add \\\n    -n dgnum-chores \\\n    -t
        \"${{ secrets.TEA_DGNUM_CHORES_TOKEN }}\" \\\n    -u https://git.dgnum.eu\n\
        \n  # Create a pull request if needed\n  # i.e. no PR with the same title
        exists\n  if [ -z \"$(tea pr ls -f='title,author' -o simple | grep 'chore(npins):
        Update dgnum-chores')\" ]; then\n    tea pr create \\\n      --description
        \"Automatic npins update\" \\\n      --title \"chore(npins): Update\" \\\n\
        \      --head npins-update\n  fi\nfi\n"
 name: npins update
 on:
  schedule:
  - cron: 25 15 * * *
--- a/.forgejo/workflows/npins.yaml
+++ b/.forgejo/workflows/npins.yaml
@ -1,24 +1,31 @@
-{
+name: npins update
-  name = "npins update";
+on:
-  on.schedule = [
+  schedule:
    # Run at 11 o'clock every wednesday
-    { cron = "25 15 * * *"; }
+    - cron: "25 15 * * *"
  ];
-  jobs.npins_update = {
+jobs:
-    runs-on = "nix";
+  npins_update:
-    steps = [
+    runs-on: nix
-      {
+    steps:
-        uses = "actions/checkout@v3";
+      # - name: Install applications
-        "with" = {
+      #   run: apt-get update && apt-get install sudo
-          depth = 0;
+      #
-          token = "\${{ secrets.TEA_DGNUM_CHORES_TOKEN }}";
+      - uses: actions/checkout@v3
-        };
+        with:
-      }
+          depth: 0
          token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
      #
      # - uses: https://github.com/cachix/install-nix-action@v22
      #   with:
      #     nix_path: nixpkgs=channel:nixos-unstable
-      {
+      # - name: Install tea
-        name = "Update dependencies and open PR if necessary";
+      #   run: |
-        run = ''
+      #     nix-env -f '<nixpkgs>' -i tea
      - name: Update dependencies and open PR if necessary
        run: |
          npins update
          if [ ! -z "$(git diff --name-only)" ]; then
@ -37,7 +44,7 @@
            # Connect to the server with the cli
            tea login add \
              -n dgnum-chores \
-              -t "''${{ secrets.TEA_DGNUM_CHORES_TOKEN }}" \
+              -t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
              -u https://git.dgnum.eu
            # Create a pull request if needed
@ -49,8 +56,3 @@
                --head npins-update
            fi
          fi
        '';
      }
    ];
  };
 }
--- a/.forgejo/workflows/pre-commit.yaml
+++ b/.forgejo/workflows/pre-commit.yaml
@ -1,12 +0,0 @@
 jobs:
  check:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - name: Run pre-commit on all files
      run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
        pre-push --show-diff-on-failure'
 name: Run pre-commit on all files
 on:
 - push
 - pull_request
--- a/.gitignore
+++ b/.gitignore
@ -9,3 +9,9 @@ result-*
 *.qcow2
 .gcroots
 .pre-commit-config.yaml
 # Ignore Terraform configuration file
 config.tf.json
 # Ignore Terraform stuff
 .terraform
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -0,0 +1,38 @@
 # This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/numtide/secret" {
  version     = "1.2.1"
  constraints = "~> 1.2.1"
  hashes = [
    "h1:t2z3CjxVsXjKb3g59WGkLtvDIR4NzLU7UFEcyAgF2C0=",
    "zh:17cbc7f3b90ee2b3ae5adfc3bd9cb70166a5ffbd8e642e64afa7cb0e32a34bae",
    "zh:5d66ce2aea25fc3c12cec6fc569b8ff314df6d773b9c3449983a4e9cde8347c7",
    "zh:67d02e96bf0d07f2fcf16ce9427a7a26f53e695676405d0c2b815808f950411d",
    "zh:77c3c05681ce199e6b0e2e5a2dfe418f61ae8863d527e7a7d47a9699d912683b",
    "zh:7f37e633b4f94ba9f347cfe68d44f80fe066188feb954b13ee0f621caae4121d",
    "zh:ea16bbe494c6ddd0af7bbea9554474c387517db4e7f0d15513bb29ff893871bc",
  ]
 }
 provider "registry.opentofu.org/raitobezarius/garage" {
  version     = "1.0.3"
  constraints = "~> 1.0.3"
  hashes = [
    "h1:QKbZcU7u9OG1t/h4S3+pXS3sOUfVMmfLTiYh5L5j1rE=",
    "zh:04f220a2baf4bd1bae07888a1c311cacd6076c209de83adbe573525fc50f2ea4",
    "zh:078938d5fa07e024d779c664823427af28935bbeb77e0ff940bac3e7bc41f1e8",
    "zh:2dd58a2d82094a1b07ff1b6de57e4a0d96e1f20abecd4f70a6469079b46b76d9",
    "zh:325da7a74b1c84f934b38134d7c419253292aeed6f6836a2fb37f42d13a8ff67",
    "zh:3ca9230ef87e70691b24fd83d40bb5b6a08f0b91ab26cbb2e692f92155b6d179",
    "zh:45ef683a18a5053c93c691d08f3903fd4918467dfa056b1c274207de8a6aeb74",
    "zh:4c9ee6c34b07c209c5daf1e9ff182f828667e54a90a683bc11cdcea86e4f8ef7",
    "zh:5f0bb6524b2fffa606e0e3585af93dfc31b611c7abf55e4371ae5fc36e85972c",
    "zh:7a3495dc211164c7d4042769c20d7111c767d0fd5908742e0766281c70d7d184",
    "zh:7ce79867cdd4b1f7028da811cd5cb271a46820c79c0328a1221dd3bb6215c631",
    "zh:93278861ee6bcb64e23bd1268f79b02035fba4fca0a98607a98f46abf8dfdf83",
    "zh:937e681beea8b0dd899557f2a194c8128bd8810417ff04954bc9958ff826e980",
    "zh:cae6e1598dd32f23f3900c41e50a6ece7d9456dbd033d855bb238ac21539d67b",
    "zh:f6f7556ba7d5578604290170a709e00140be6d7f8a510a20bce49a9a23d75e5f",
  ]
 }
--- a/default.nix
+++ b/default.nix
@ -41,15 +41,7 @@
 }:
 let
-  inherit (pkgs.lib)
+  git-checks = (import (builtins.storePath sources.git-hooks)).run {
    isFunction
    mapAttrs
    mapAttrs'
    nameValuePair
    removeSuffix
    ;
  git-checks = (import sources.git-hooks).run {
    src = ./.;
    hooks = {
@ -76,24 +68,17 @@ let
    };
  };
-  workflows = (import sources.nix-actions { inherit pkgs; }).install {
+  terranixConfig = import "${sources.terranix}/core" {
-    src = ./.;
+    inherit pkgs;
-
+    strip_nulls = true;
-    workflows = mapAttrs' (
+    terranix_config.imports = [ ./terranix ];
      name: _:
      nameValuePair (removeSuffix ".nix" name) (
        let
          w = import ./workflows/${name};
        in
        if isFunction w then w { inherit (pkgs) lib; } else w
      )
    ) (builtins.readDir ./workflows);
  };
-
+  terranixConfigFile = (pkgs.formats.json { }).generate "config.tf.json" terranixConfig.config;
  scripts = import ./scripts { inherit pkgs; };
 in
 {
  inherit terranixConfigFile terranixConfig;
  nodes = builtins.mapAttrs (
    host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
  ) (import ./meta/nodes.nix);
@ -102,35 +87,63 @@ in
  mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
-  devShell = pkgs.mkShell {
+  shells = {
-    name = "dgnum-infra";
+    default = pkgs.mkShell {
      name = "dgnum-infra";
-    packages = [
+      packages = [
-      (pkgs.nixos-generators.overrideAttrs (_: {
+        (pkgs.writeShellScriptBin "tf" ''
-        version = "1.8.0-unstable";
+          set -eo pipefail
-        src = sources.nixos-generators;
+          ln -snf ${terranixConfigFile} config.tf.json
-      }))
+          exec ${pkgs.lib.getExe pkgs.opentofu} "$@"
-      pkgs.npins
+        '')
        (pkgs.writeShellScriptBin "decryptAndSourceEnvironment" ''
          set -eo pipefail
-      (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
+          # TODO: don't hardcode me.
-      (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
+          SECRET_FILE=".credentials/admin-environment.age"
-      (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
+          IDENTITIES=()
-    ] ++ (builtins.attrValues scripts);
+          for identity in [ "$HOME/.ssh/id_ed25519" "$HOME/.ssh/id_rsa" ]; do
            test -r "$identity" || continue
            IDENTITIES+=(-i)
            IDENTITIES+=("$identity")
          done
-    shellHook = ''
+          test "''${#IDENTITIES[@]}" -eq 0 && echo "[agenix-shell] WARNING: no readable identities found!"
      ${git-checks.shellHook}
      ${workflows.shellHook}
    '';
-    preferLocalBuild = true;
+          test -f "$SECRET_FILE" || echo "[agenix-shell] WARNING: encrypted environment file $SECRET_FILE not found!"
          export eval $(${pkgs.lib.getExe pkgs.rage} --decrypt "''${IDENTITIES[@]}" -o - $SECRET_FILE)
-    ###
+          echo "[agenix-shell] Repository-wide secrets loaded in the environment."
-    # Alternative shells
+        '')
        (pkgs.nixos-generators.overrideAttrs (_: {
          version = "1.8.0-unstable";
          src = builtins.storePath sources.nixos-generators;
        }))
        pkgs.npins
        pkgs.rage
-    passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
+        (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
-      pre-commit.shellHook = git-checks.shellHook;
+        (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
-      check-workflows.shellHook = workflows.shellHook;
+        (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
-      eval-nodes.packages = [ scripts.cache-node ];
+
      ] ++ (import ./scripts { inherit pkgs; });
      shellHook = ''
        ${git-checks.shellHook}
        # If we want to export these environments, we need to source it, not call it.
        source $(which decryptAndSourceEnvironment)
      '';
      preferLocalBuild = true;
    };
    pre-commit = pkgs.mkShell {
      name = "pre-commit-shell";
      shellHook = ''
        ${git-checks.shellHook}
      '';
    };
  };
 }
--- a/keys/default.nix
+++ b/keys/default.nix
@ -25,9 +25,6 @@ rec {
    web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
    # SSH keys of the DGNum members
    agroudiev = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
    ];
    catvayor = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
    ];
@ -47,10 +44,8 @@ rec {
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
    ];
    mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
    mdebray = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
    ];
    raito = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
--- a/lib/nix-lib/default.nix
+++ b/lib/nix-lib/default.nix
@ -190,11 +190,8 @@ rec {
    recursiveFuse [
      (enableModules enabledModules)
-      {
+      { imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
        imports =
          (extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
      }
-      (removeAttrs extraConfig [ "imports" ])
+      extraConfig
    ];
 }
--- a/machines/compute01/ds-fr/default.nix
+++ b/machines/compute01/ds-fr/default.nix
@ -1,14 +1,7 @@
-{
+{ config, ... }:
  config,
  pkgs,
  sources,
  ...
 }:
 let
  host = "demarches.dgnum.eu";
  dgn-id = "fca8f72cd60c00e74d7735ec13e4e3a22e8e1244";
 in
 {
  imports = [ ./module.nix ];
@ -18,18 +11,6 @@ in
  services.demarches-simplifiees = {
    enable = true;
    package =
      ((import sources.nix-pkgs { inherit pkgs; }).demarches-simplifiees.override {
        initialDeploymentDate = "20230923";
      }).overrideAttrs
        (old: {
          dsModules = old.dsModules.overrideAttrs {
            prePatch = ''
              ${pkgs.lib.getExe pkgs.git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
            '';
          };
        });
    secretFile = config.age.secrets."ds-fr-secret_file".path;
    initialDeploymentDate = "20230923";
--- a/machines/compute01/stirling-pdf/default.nix
+++ b/machines/compute01/stirling-pdf/default.nix
@ -10,7 +10,7 @@ let
  # - push to a new branch dgn-v0.A.B where A.B is the new version
  # - finally, update the commit hash of the customization patch
-  dgn-id = "d73e347b1cefe23092bfcb2d3f8a23903410203e";
+  dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
  port = 8084;
 in
--- a/machines/storage01/forgejo-runners.nix
+++ b/machines/storage01/forgejo-runners.nix
@ -1,4 +1,10 @@
-{ config, pkgs, ... }:
+{
  config,
  pkgs,
  nixpkgs,
  sources,
  ...
 }:
 let
  url = "https://git.dgnum.eu";
@ -24,6 +30,8 @@ let
        options = "--cpus=4";
      };
    };
  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
 in
 {
  services.forgejo-nix-runners = {
@ -35,8 +43,10 @@ in
    tokenFile = config.age.secrets."forgejo_runners-token_file".path;
    dependencies = [
      nix-pkgs.colmena
      pkgs.npins
      pkgs.tea
      nixpkgs.unstable.nixfmt-rfc-style
    ];
    containerOptions = [ "--cpus=4" ];
--- a/machines/storage01/forgejo.nix
+++ b/machines/storage01/forgejo.nix
@ -61,7 +61,6 @@ in
        service = {
          EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
          EMAIL_DOMAIN_BLOCKLIST = "*.shop,*.online,*.store";
          ENABLE_NOTIFY_MAIL = true;
          DISABLE_REGISTRATION = false;
--- a/machines/storage01/tvix-cache/default.nix
+++ b/machines/storage01/tvix-cache/default.nix
@ -135,11 +135,10 @@ in
  systemd.services."tvix-store" = {
    wantedBy = [ "multi-user.target" ];
    environment = {
-      RUST_LOG = "info";
+      RUST_LOG = "debug";
    };
    serviceConfig = {
      UMask = "007";
      LimitNOFILE = 1048576;
      ExecStart = "${package}/bin/multitier-tvix-cache --endpoints-config ${toml.endpoints} --store-composition ${toml.composition}";
      StateDirectory = "tvix-store";
      RuntimeDirectory = "tvix-store";
--- a/machines/web01/metis/default.nix
+++ b/machines/web01/metis/default.nix
@ -6,35 +6,30 @@
 }:
 let
  inherit (lib) mapAttrsToList match;
  metis = import sources.metis { inherit pkgs; };
  inherit (metis) providers;
 in
 {
  services.nginx.virtualHosts."calendrier.dgnum.eu" = {
    enableACME = true;
    forceSSL = true;
-    root = metis.package;
+    root = metis.production;
    locations = lib.mapAttrs' (
-      name: domain:
+      name: value:
      lib.nameValuePair "/cal/${name}/" {
        extraConfig = ''
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Server $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_pass https://${domain}/remote.php/dav/public-calendars/;
+          proxy_pass ${value};
        '';
      }
-    ) metis.providers;
+    ) providers;
    extraConfig = ''
      rewrite ^/calendrier(.*)$ $1 permanent;
    '';
  };
  assertions = mapAttrsToList (name: domain: {
    assertion = (match "[a-z-]+" name == [ ]) && (match "[a-z.-]+" domain == [ ]);
    message = "The provider `${name}` associated to the domain `${domain}` seems to have an incorrect definition.";
  }) metis.providers;
 }
--- a/machines/web01/netbox.nix
+++ b/machines/web01/netbox.nix
@ -13,7 +13,7 @@ in
  services = {
    netbox = {
      enable = true;
-      package = nixpkgs.unstable.netbox_4_1;
+      package = nixpkgs.unstable.netbox_3_7;
      secretKeyFile = "/dev/null";
      listenAddress = "127.0.0.1";
      plugins = p: [ p.netbox-qrcode ];
--- a/machines/web01/redirections.nix
+++ b/machines/web01/redirections.nix
@ -29,6 +29,7 @@ in
      "bds.wp.dgnum.eu" = "bds.ens.fr";
      "www.tuteurs.ens.fr" = "tuteurs.ens.fr";
      "www.interq.ens.fr" = "interq.ens.fr";
      "www.lanuit.ens.fr" = "lanuit.ens.fr";
    };
    temporary = {
--- a/machines/web03/django-apps/bocal.nix
+++ b/machines/web03/django-apps/bocal.nix
@ -1,44 +0,0 @@
 { pkgs, sources, ... }:
 let
  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
 in
 {
  services.django-apps.sites.bocal = {
    source = "https://git.dgnum.eu/DGNum/www-bocal";
    branch = "main";
    domain = "bocal.webapps.dgnum.eu";
    nginx = {
      enableACME = true;
      forceSSL = true;
    };
    webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
    python = pkgs.python3.override {
      packageOverrides = _: _: { inherit (nix-pkgs) django-cas-ng django-solo loadcredential; };
    };
    dependencies = ps: [
      ps.django
      ps.django-cas-ng
      ps.django-markdownx
      ps.django-solo
      ps.markdown
      ps.pillow
      ps.loadcredential
    ];
    credentials = {
      SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
    };
    environment = {
      DJANGO_SETTINGS_MODULE = "app.settings";
      BOCAL_ALLOWED_HOSTS = [ "bocal.webapps.dgnum.eu" ];
      BOCAL_RHOSTS_PATH = "/var/lib/django-apps/bocal/.rhosts";
    };
  };
 }
--- a/machines/web03/django-apps/default.nix
+++ b/machines/web03/django-apps/default.nix
@ -1,18 +1,14 @@
 {
  imports = [
    ./annuaire.nix
    ./bocal.nix
    ./gestiojeux.nix
    ./interludes.nix
    ./wikiens.nix
  ];
  services.django-apps = {
    enable = true;
    webhook = {
-      domain = "apps-webhook.dgnum.eu";
+      domain = "hooks.webapps.dgnum.eu";
      nginx = {
        enableACME = true;
        forceSSL = true;
--- a/machines/web03/django-apps/interludes.nix
+++ b/machines/web03/django-apps/interludes.nix
@ -1,66 +0,0 @@
 {
  config,
  pkgs,
  sources,
  ...
 }:
 let
  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
 in
 {
  services.webhook.extraArgs = [ "-debug" ];
  services.django-apps.sites.interludes = {
    source = "https://git.eleves.ens.fr/dlesbre/site-interludes";
    branch = "master";
    domain = "interludes.ens.fr";
    nginx = {
      enableACME = true;
      forceSSL = true;
      serverAliases = [ "interludes.webapps.dgnum.eu" ];
    };
    webHookSecret = config.age.secrets."webhook-interludes_token".path;
    application = {
      type = "wsgi";
      module = "interludes";
    };
    dbType = "sqlite";
    python = pkgs.python3.override {
      packageOverrides = _: _: { inherit (nix-pkgs) python-cas loadcredential; };
    };
    django = ps: ps.django_4;
    dependencies = ps: [
      ps.loadcredential
      ps.python-ldap
      ps.python-cas
    ];
    credentials = {
      SECRET_KEY = config.age.secrets."dj_interludes-secret_key_file".path;
      EMAIL_HOST_PASSWORD = config.age.secrets."dj_interludes-email_host_password_file".path;
    };
    environment = {
      INTERLUDES_ALLOWED_HOSTS = [
        "interludes.ens.fr"
        "interludes.webapps.dgnum.eu"
      ];
      # E-mail configuration
      INTERLUDES_SERVER_EMAIL = "noreply-interludes-admin@ens.fr";
      INTERLUDES_DEFAULT_FROM_EMAIL = "noreply-interludes@ens.fr";
      INTERLUDES_EMAIL_HOST = "clipper.ens.fr";
      INTERLUDES_EMAIL_PORT = 465;
      INTERLUDES_EMAIL_HOST_USER = "interludes";
      INTERLUDES_DEBUG = false;
    };
  };
 }
--- a/machines/web03/django-apps/wikiens.nix
+++ b/machines/web03/django-apps/wikiens.nix
@ -1,40 +0,0 @@
 { pkgs, sources, ... }:
 let
  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
 in
 {
  services.django-apps.sites.wikiens = {
    source = "https://git.dgnum.eu/DGNum/wiki-eleves";
    branch = "main";
    domain = "wiki.webapps.dgnum.eu";
    nginx = {
      enableACME = true;
      forceSSL = true;
    };
    webHookSecret = builtins.toFile "insecure-secret" "T5hNeDraMivRZLUkrekv&QeM";
    python = pkgs.python3.override {
      packageOverrides = _: _: { inherit (nix-pkgs) django-allauth-ens django-wiki loadcredential; };
    };
    dependencies = ps: [
      ps.django
      ps.django-allauth-ens
      ps.django-wiki
      ps.loadcredential
      ps.tinycss2
    ];
    credentials = {
      SECRET_KEY = builtins.toFile "insecure-key" "insecure-key";
    };
    environment = {
      WIKIENS_ALLOWED_HOSTS = [ "wiki.webapps.dgnum.eu" ];
    };
  };
 }
--- a/machines/web03/secrets/dj_interludes-email_host_password_file
+++ b/machines/web03/secrets/dj_interludes-email_host_password_file
@ -1,29 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA iJSzsbA8RiEhUIyhlKWCASQKoSQstjK4drMYl+PsChw
 8THrknrBu0WGFEb4xTZiJxEY26q7sW83rwViDjyTE24
 -> ssh-ed25519 QlRB9Q e7PRE212Ggt8nO6Bb+BabO85FOARsJGs9cPJmZNI9kg
 ubKIBxI1ZBXttA7TWj401siKNT1HyB+N2MsZ+ldkgb8
 -> ssh-ed25519 r+nK/Q EWV24Emm9hENa+yUAuQpkuJ0uJ0zIv+vRIbWpM4Wtg4
 J59wnHRytgNqpX4+5HaJ9KZ5GvhckgtRK6TzfX7Ci8Y
 -> ssh-rsa krWCLQ
 AvmrzShR+XTpUpKaScoqvgFQ40PTSqh8p383p98xjG5LIz5kqJoWBnxJK7JabBpq
 JkqVeq5XdH5RX4weobieG4KYUV8EDheLfOMXH5BrPgeJO4yhJ1rzH+oHBw4TwvFM
 UvEZEAVgi3G1/suPfJAkO7QRkZjE7fRppEo5RAI0gMlM43YyJavrfqVIqB40Uugk
 h0b0ybChUbKpXlZjqhYAAMN45jTAvW1emO0DMeIk6dbmnbZNdibul8f+NNdWKbI1
 9NN5iH2IzuqTdc6gkE4912hdDeUJ4NZ6x/Fxp1/u3d1z/Yg7daUQUXUIoDX0Hyvb
 +01dH0D/7kzRhEdNLO2NXA
 -> ssh-ed25519 /vwQcQ GAsAj2i65KDQeFhe69YR2ycdGskop1wu3Lzrxp59sTg
 wCSUqEtWv0i6sNg1RVtHI/jZh3VeNX3qtnbagXoNGT4
 -> ssh-ed25519 0R97PA mFZ3q/3jd1guXl8bhRWyYjgsgE4JErJEels6vdmpfCs
 7oIAT0MTsaKxbf26PSDBk7KqfyFgcBq09FGJ9v/rXqE
 -> ssh-ed25519 JGx7Ng tpslfMWMJMUH46EGycbLiXotVdXlP4xmK0slb7XKYS8
 wLLfX4jX4mIxzI8zr2GBlpBcPztTrHqKngi/ON0TExg
 -> ssh-ed25519 bUjjig zLoniLfwKGH9Ctu34103WHBvjIyImtPyKx8O+5UMLUU
 sYsterVGvCg6JWA0z3AO5sSlj9DBfj8u5o5jH9K2xeA
 -> ssh-ed25519 VQSaNw oHzU9Lc/7p+MZAjVylzC63h586vOcffXkkpAi4XB8Q0
 7T8CREpaCxM58KMYW28FY2i+ELjrx3eC3K7xaBy7O6A
 -> (_o61>U-grease .P>ZRrj~ -=7S;N
 6vnQVKKZwp4JowIwVb4klrhaR6NZjwlZYnngVQ0wqVenMZPj9oyhIXthLRqE1Q6/
 k+sGxA
 --- +yT0o8oZJS+32MeUAl8T9zREh31rq77pSVsSoFjHO5A
 è™ñÎ—´ä!î^ûØÖ8Ô‚zøÑaÒÓÐàÔ@Ö¡s\ ˜_ÃÃúoÖö<C396>wõÖ¥Cr)¾€fû¿AÃ'•3D€â
--- a/machines/web03/secrets/dj_interludes-secret_key_file
+++ b/machines/web03/secrets/dj_interludes-secret_key_file
@ -1,29 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA 7v2qJ+2ZSp0tf4m6gcK2ShFF9ulNm/g3aHu3Wqe4Sxo
 ZyVqTqBCK51/U5yxtp23nywprQv46yL90zwx6+DqKRg
 -> ssh-ed25519 QlRB9Q IePmluoRImtaDplOoVqNiwfTQMKF1CuF4M6AzurXGRY
 JjtOeyvARlc9t5Q+LS2+TZwAUgV4Qn2L8SFkw9YLnaU
 -> ssh-ed25519 r+nK/Q LGPI7PmVPnZDQe6Su5MZQauxRHZkBKehyNbMq+BKlGQ
 3RvcfLAFKaScusYKf47zFNAtnot7wySvytuD81s6TwM
 -> ssh-rsa krWCLQ
 xGH7rl+r8L5HEp6JUlAm04ktn9rQsWfBBlSRp7UsOi6ojwCfjjIA91yUrYw8TYRs
 Ci60uoLS7cuMtSE/jQVU/FuVtR5kwjhOkWmQDHrC7rUWb6CufusxPIVJ0xanp3wo
 cc2t+EfSdpVyGIx5N8BEMhQ6sR2EfERHGfUrnKCpcL5hM5L8ZHnVh6CkRBtvZaq0
 Zy44Ob4pqH6fDz7EziM1hBkfg9myN+/Iqfvg5OUnfSrqooLZ8l0gDvGafS5fok91
 uqb0PGDiv6lwzpaj87jKUCaXAF3ag2KAa6j8sbZ4+fSsQeB/jhH7hTlWcAR/oEFW
 fuPQDFKxMucAsPjv1H1iaQ
 -> ssh-ed25519 /vwQcQ +5+xDNQyRwBWXT6c593S01OG9IemNul/81G4ie1hTVg
 Tzkq0toOCqdHOZNPiy/rUrO2eQXTDHi7g+jKbrWU/hU
 -> ssh-ed25519 0R97PA WEMs0phnuvw1kQaqeSkovwFUL6w7J6wh+V7D82NxfDs
 V5npmkeTPVcnaNwDtoy7PqBRllPTuQjvF9Qu14V59os
 -> ssh-ed25519 JGx7Ng 3bty0WCf+ElvPEFt7fSpgYf5MeFUPaZ4vVGWPUAjn0I
 ggl5CgXaUx4T6qbA9EG1oaF9NbfFYye4davm7lKqUvI
 -> ssh-ed25519 bUjjig zFlaOVzFEkPG+J3Yz7alPgSiCVbC/7u/hCTVIP8X/Ho
 3PBIRu9ZKfb9lkzijw6kKjX0ztXBkiwVaQUx8rxuYJc
 -> ssh-ed25519 VQSaNw btusrepFF5Jhl3x2YWs6wVrHwzb6qBXfDXESclQJAXo
 HwfOU3tyP9OsNjTkaMMmJnd4b+0ZfxJLkP6xe5jsAZE
 -> Tp-grease s03Py `u6"4 E|5 _
 3CvcQ6NEZKLY1F6y0cTMQPwV9mJvHB0T7dauvWJAYKkfb95TymqfDYGWwW1veND2
 n1XD/arAJHVwva95K7TaQdsNLPGo8/VePQGUnYqi
 --- qe75UTWqdDd0gGg0nm054SFZ2AgqVBw/bbycvcZSfQY
 ãñêÕ]¹¦zÂg©;Ê¡îñ˜öÓ´0éÅYëÀHãŒ!@ìpö¸T«?£iÞ‰áèÚ>I^ü‚l·o5”¯ë:{¬gJk£vø>€W8ði
--- a/machines/web03/secrets/secrets.nix
+++ b/machines/web03/secrets/secrets.nix
@ -1,6 +1,3 @@
 (import ../../../keys).mkSecrets [ "web03" ] [
  # List of secrets for web03
  "dj_interludes-email_host_password_file"
  "dj_interludes-secret_key_file"
  "webhook-interludes_token"
 ]
--- a/machines/web03/secrets/webhook-interludes_token
+++ b/machines/web03/secrets/webhook-interludes_token
--- a/meta/dns.nix
+++ b/meta/dns.nix
@ -1,7 +1,7 @@
 { lib, dns, ... }:
 let
-  inherit (lib) mapAttrs' nameValuePair optional;
+  inherit (lib) mapAttrs' nameValuePair;
  inherit (lib.extra) fuseAttrs mapSingleFuse;
  inherit (dns.lib.combinators) mx spf ttl;
@ -138,9 +138,7 @@ let
        ];
        web03.dual = [
-          # Django Apps
+          "*.webapps" # Django apps
          "*.webapps"
          "apps-webhook"
        ];
      }
    )
@ -217,19 +215,17 @@ in
        subdomains = mapAttrs' (
          host:
          { site, ... }:
-          let
+          nameValuePair "${host}.${site}" (
-            net = meta.network.${host};
+            with meta.network.${host}.addresses;
-            inherit (net.addresses) ipv4 ipv6;
+            {
-          in
+              A = ipv4;
-          nameValuePair "${host}.${site}" {
+              AAAA = ipv6;
-            A = ipv4;
+              subdomains = {
-            AAAA = ipv6;
+                v4.A = ipv4;
-            subdomains = {
+                v6.AAAA = ipv6;
-              v4.A = ipv4;
+              };
-              v6.AAAA = ipv6;
+            }
-              private.A = optional (net.netbirdIp != null) net.netbirdIp;
+          )
            };
          }
        ) meta.nodes;
      };
    };
--- a/meta/network.nix
+++ b/meta/network.nix
@ -171,7 +171,7 @@
    };
    hostId = "8afc7749";
-    netbirdIp = "100.80.157.46";
+    netbirdIp = null; # web03 is not yet connected to the VPN
  };
  rescue01 = {
--- a/meta/nodes.nix
+++ b/meta/nodes.nix
@ -135,7 +135,7 @@
    nix-modules = [ "services/django-apps" ];
    stateVersion = "24.05";
-    nixpkgs = "unstable";
+    nixpkgs = "24.05";
    vm-cluster = "Hyperviseur NPS";
  };
 }
--- a/meta/organization.nix
+++ b/meta/organization.nix
@ -5,11 +5,6 @@
 {
  members = {
    agroudiev = {
      name = "Antoine Groudiev";
      email = "antoine.groudiev@dgnum.eu";
    };
    catvayor = {
      name = "Lubin Bailly";
      email = "catvayor@dgnum.eu";
@ -39,12 +34,6 @@
      username = "jmalka";
    };
    mboyer = {
      name = "Matthieu Boyer";
      email = "matthieu.boyer@dgnum.eu";
      username = "mboyer02";
    };
    mdebray = {
      name = "Maurice Debray";
      email = "maurice.debray@dgnum.eu";
@ -68,6 +57,7 @@
      "thubrecht"
      "raito"
      "mdebray"
      "luj"
    ];
    # members of this group are root on the fai infrastructure
--- a/modules/dgn-netbox-agent/package.nix
+++ b/modules/dgn-netbox-agent/package.nix
@ -16,8 +16,8 @@ python3.pkgs.buildPythonApplication {
  src = fetchgit {
    url = "https://git.dgnum.eu/DGNum/netbox-agent";
-    rev = "424283239658516feb34c0f68496775350b1bf22";
+    rev = "12ceea413cbb87280713de734b5e1b3e88c00178";
-    hash = "sha256-sp1QVy8AIezR2LRDDYS9G0g0GQRwGKGmEE7ykITPxtY=";
+    hash = "sha256-v6H8/yNUcpHERiyzytR2ZADLiDK2QpzSEmxTP5m9BLE=";
  };
  nativeBuildInputs = with python3.pkgs; [
--- a/npins/sources.json
+++ b/npins/sources.json
@ -59,10 +59,10 @@
      "pre_releases": false,
      "version_upper_bound": null,
      "release_prefix": null,
-      "version": "v1.9.0",
+      "version": "v1.8.2",
-      "revision": "49a4936cee640e27d74baee6fd1278285d29b100",
+      "revision": "0a97c6683ecb8d92ab0ce4c3c39e896e4a3fe388",
-      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.9.0",
+      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.8.2",
-      "hash": "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388"
+      "hash": "1xivgibk1fa07z4xqxpyha6yyb0pmahf52caf1kgh8zxr231ai1v"
    },
    "dns.nix": {
      "type": "GitRelease",
@ -87,9 +87,9 @@
        "repo": "git-hooks.nix"
      },
      "branch": "master",
-      "revision": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
+      "revision": "3c3e88f0f544d6bb54329832616af7eb971b6be6",
-      "url": "https://github.com/cachix/git-hooks.nix/archive/cd1af27aa85026ac759d5d3fccf650abe7e1bbf0.tar.gz",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/3c3e88f0f544d6bb54329832616af7eb971b6be6.tar.gz",
-      "hash": "1icl4cz33lkr4bz7fvlf3jppmahgpzij81wfa5any3z7w7b5lnxw"
+      "hash": "04pwjz423iq2nkazkys905gvsm5j39722ngavrnx42b8msr5k555"
    },
    "kadenios": {
      "type": "Git",
@ -144,9 +144,9 @@
        "url": "https://git.lix.systems/lix-project/lix.git"
      },
      "branch": "main",
-      "revision": "c859d03013712b349d82ee6223948d6d03e63a8d",
+      "revision": "0ff8f9132552e03497b07e1e5c068660a7a04515",
      "url": null,
-      "hash": "14bn1c3azvnkp1wl28x7y288vpd2gp96nswlnfzrcp13a4ivbbbf"
+      "hash": "0qdaiqp5q2nb0yffc03vhlbd55v1jk3jlxz26prhk0hxddz0xhyq"
    },
    "lix-module": {
      "type": "Git",
@ -155,9 +155,9 @@
        "url": "https://git.lix.systems/lix-project/nixos-module.git"
      },
      "branch": "main",
-      "revision": "691193879d96bdfd1e6ab5ebcca2fadc7604cf34",
+      "revision": "fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d",
      "url": null,
-      "hash": "1h4f2p6x8vq7bfc20hxk6zz9i4imsjjkmf0m28bzmx6vinxqimj4"
+      "hash": "0jxpqaz12lqibg03iv36sa0shfvamn2yhg937llv3kl4csijd34f"
    },
    "lon": {
      "type": "Git",
@ -178,9 +178,9 @@
        "url": "https://git.dgnum.eu/DGNum/metis"
      },
      "branch": "master",
-      "revision": "ed6fafda45d638b1bafd5deaee098b80156b41e8",
+      "revision": "f631751da44a330c41398356ce2295e17ed45b7b",
      "url": null,
-      "hash": "086spyhn2x1x2h31b0y4an501fdhph1nk64riybqnh6mqjkzlq4m"
+      "hash": "1laclhq6jz9mni4vxsxk3c143c2x478z1lqj115mqyj0d62rz8mg"
    },
    "microvm.nix": {
      "type": "Git",
@ -194,20 +194,6 @@
      "url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
      "hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy"
    },
    "nix-actions": {
      "type": "GitRelease",
      "repository": {
        "type": "Git",
        "url": "https://git.dgnum.eu/DGNum/nix-actions.git"
      },
      "pre_releases": false,
      "version_upper_bound": null,
      "release_prefix": null,
      "version": "v0.2.2",
      "revision": "b9cb5d6f945d1e3fd7b70d63848c70335e9912e8",
      "url": null,
      "hash": "0m6bw5qlrchsigx7x4nz3xkcn3dnr14k5j0ws9lbggnldnz9qg2w"
    },
    "nix-modules": {
      "type": "Git",
      "repository": {
@ -215,9 +201,9 @@
        "url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
      },
      "branch": "main",
-      "revision": "695cf83c526dd3d78c8ed79b33f80019db4c8019",
+      "revision": "516225dc6958645284b11b74b9ce31e01993341c",
      "url": null,
-      "hash": "0xqv1rx0dnl3r1rhqdahcp8jqv8j9qc1v6xnmfiv0ddh81jd0szj"
+      "hash": "1cxn1m1xf9p7p8a0y8r6iwp08d886k5rmgl947r9d0vg7ah31kmj"
    },
    "nix-patches": {
      "type": "GitRelease",
@ -240,15 +226,15 @@
        "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
      },
      "branch": "main",
-      "revision": "0a4b564221481b5c40a677f8bfd5760f7b3398f8",
+      "revision": "0e80d4dcdd54a75556c0784de55dc139ad4fe797",
      "url": null,
-      "hash": "121fqmr1jvsnnc5marvnsj3ic0w9f11lq3sx9ly197kc5rc1naj3"
+      "hash": "1hlb0cczxq0jrzw4lhmkibnb8skcar0rmny594aqgyikknwzx2qf"
    },
    "nixos-24.05": {
      "type": "Channel",
      "name": "nixos-24.05",
-      "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.6668.e8c38b73aeb2/nixexprs.tar.xz",
+      "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.5809.4eb33fe664af/nixexprs.tar.xz",
-      "hash": "0lhh36z3fvd3b64dz7an08y3c3shb67aj17ny9z28bs21i3dc5yh"
+      "hash": "02hxkkrpf33s6nsqkla1292zw64dqfq9wpkda5hry3vr3fhxwwg4"
    },
    "nixos-generators": {
      "type": "Git",
@ -258,21 +244,21 @@
        "repo": "nixos-generators"
      },
      "branch": "master",
-      "revision": "15a87ccb45e06d24a9fd5f99a49782efe11b23f0",
+      "revision": "dd28a0806e7124fe392c33c9ccaa12f21970401f",
-      "url": "https://github.com/nix-community/nixos-generators/archive/15a87ccb45e06d24a9fd5f99a49782efe11b23f0.tar.gz",
+      "url": "https://github.com/nix-community/nixos-generators/archive/dd28a0806e7124fe392c33c9ccaa12f21970401f.tar.gz",
-      "hash": "0mwllbwinr6cira94347vhzq3jn3zgp28xg6w1ga0ncls7s476q4"
+      "hash": "09226kqddjg1m8m1q9n4l1hsln93hckhj238q0v851wxbwd0qq73"
    },
    "nixos-unstable": {
      "type": "Channel",
      "name": "nixos-unstable",
-      "url": "https://releases.nixos.org/nixos/unstable/nixos-25.05beta708622.5e4fbfb6b3de/nixexprs.tar.xz",
+      "url": "https://releases.nixos.org/nixos/unstable/nixos-24.11pre694395.4c2fcb090b1f/nixexprs.tar.xz",
-      "hash": "18zd6qnn1zmz3pgq2q484lmdk486ncxyp8r5g9c71r9dc8jr5dnc"
+      "hash": "05fszj13lci5gdbn5grn92wd3mzj6f7gy11kqj78xcsg69m2wbrl"
    },
    "nixpkgs": {
      "type": "Channel",
      "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre709559.5083ec887760/nixexprs.tar.xz",
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre694416.ccc0c2126893/nixexprs.tar.xz",
-      "hash": "1z912j1lmrg8zp2hpmmi69dls9zlpvqfvdkvh5xc3x6iqkqwn0cd"
+      "hash": "0cn1z4wzps8nfqxzr6l5mbn81adcqy2cy2ic70z13fhzicmxfsbx"
    },
    "proxmox-nixos": {
      "type": "Git",
@ -282,9 +268,9 @@
        "repo": "proxmox-nixos"
      },
      "branch": "main",
-      "revision": "93880e244b528deca89828bc1edf08e23ccc18c4",
+      "revision": "950e4cccac0f942076e8558f7f9f4d496cabfb18",
-      "url": "https://github.com/SaumonNet/proxmox-nixos/archive/93880e244b528deca89828bc1edf08e23ccc18c4.tar.gz",
+      "url": "https://github.com/SaumonNet/proxmox-nixos/archive/950e4cccac0f942076e8558f7f9f4d496cabfb18.tar.gz",
-      "hash": "0dyiv7mvvxc0zygfzfb6zhc0v3s7a9pv8xydprxgqhyy1sajp02h"
+      "hash": "0bhqw42ydc0jfkfqw64xsg518a1pbxnvpqw92nna7lm8mzpxm6d4"
    },
    "signal-irc-bridge": {
      "type": "Git",
@ -308,6 +294,21 @@
      "url": null,
      "hash": "166057469hhxnyqbpd7jjlccdmigzch51616n1d5r617xg0y1mwp"
    },
    "terranix": {
      "type": "GitRelease",
      "repository": {
        "type": "GitHub",
        "owner": "terranix",
        "repo": "terranix"
      },
      "pre_releases": false,
      "version_upper_bound": null,
      "release_prefix": null,
      "version": "2.7.0",
      "revision": "00710f39f38a0a654a2c4fd96cbb988b4f4cedfa",
      "url": "https://api.github.com/repos/terranix/terranix/tarball/2.7.0",
      "hash": "1wsyhsdsjw6xlhpkhaqvia3x0na3nx2vamcb2rbcbdmb7ra1y9f6"
    },
    "wp4nix": {
      "type": "Git",
      "repository": {
@ -316,10 +317,10 @@
        "server": "https://git.helsinki.tools/"
      },
      "branch": "master",
-      "revision": "10c3f658aecc0a54baf062137071b129f3897111",
+      "revision": "f72adfc39c18630b45f8c982910314246d4a8d92",
-      "url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=10c3f658aecc0a54baf062137071b129f3897111",
+      "url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=f72adfc39c18630b45f8c982910314246d4a8d92",
-      "hash": "13gbzfrz9vv9iz43bfl67hl11lsmrh524mw6kkjavfwpzw5shm1g"
+      "hash": "08qfaav3vb832dr3r6f2n1ah6zyryvab0dxsaxwi6gk5p3zad3l8"
    }
  },
  "version": 3
-}
+}
--- a/patches/06-netbox-qrcode.patch
+++ b/patches/06-netbox-qrcode.patch
@ -1,70 +0,0 @@
 diff --git a/pkgs/development/python-modules/netbox-qrcode/default.nix b/pkgs/development/python-modules/netbox-qrcode/default.nix
 new file mode 100644
 index 000000000000..b378b839a8dc
 --- /dev/null
 +++ b/pkgs/development/python-modules/netbox-qrcode/default.nix
@@ -0,0 +1,51 @@
 +{ lib
 +, buildPythonPackage
 +, fetchFromGitHub
 +, setuptools
 +, wheel
 +, pillow
 +, qrcode
 +, netbox
 +}:
 +
 +buildPythonPackage rec {
 +  pname = "netbox-qrcode";
 +  version = "0.0.13";
 +  pyproject = true;
 +
 +  src = fetchFromGitHub {
 +    owner = "netbox-community";
 +    repo = "netbox-qrcode";
 +    rev = "v${version}";
 +    hash = "sha256-/labSZyB1SkU/uemuL946RDk8IVEAgCYJY2vrJFney0=";
 +  };
 +
 +  nativeBuildInputs = [
 +    setuptools
 +    wheel
 +  ];
 +
 +  propagatedBuildInputs = [
 +    qrcode
 +    pillow
 +  ];
 +
 +  checkInputs = [
 +    netbox
 +  ];
 +
 +  preFixup = ''
 +    export PYTHONPATH=${netbox}/opt/netbox/netbox:$PYTHONPATH
 +  '';
 +
 +  pythonImportsCheck = [
 +    "netbox_qrcode"
 +  ];
 +
 +  meta = with lib; {
 +    description = "NetBox Plugin for generate QR Codes";
 +    homepage = "https://github.com/netbox-community/netbox-qrcode";
 +    license = licenses.asl20;
 +    maintainers = with maintainers; [ sinavir ];
 +  };
 +}
 diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
 index 9999d745e3ac..b226e0063672 100644
 --- a/pkgs/top-level/python-packages.nix
 +++ b/pkgs/top-level/python-packages.nix
@@ -8989,6 +8989,8 @@ self: super: with self; {
   netbox-reorder-rack = callPackage ../development/python-modules/netbox-reorder-rack { };
 +  netbox-qrcode = callPackage ../development/python-modules/netbox-qrcode { };
 +
   netcdf4 = callPackage ../development/python-modules/netcdf4 { };
   netdata = callPackage ../development/python-modules/netdata { };
--- a/patches/default.nix
+++ b/patches/default.nix
@ -1,11 +1,12 @@
 {
  "nixos-24.05" = [
    # netbox qrcode plugin
    {
-      _type = "static";
+      _type = "commit";
-      path = ./06-netbox-qrcode.patch;
+      sha = "c82191d848e7a37e125ee15c485f32ac01afc0b2";
      hash = "sha256-TooktlqihtULzJJsHvm8EubbUdJZvbDKdIDcYu7Qcig=";
    }
    # nixos/nextcloud: Rename autocreate (a no-op) to verify_bucket_exists
    {
      id = "275165";
      hash = "sha256-9a26V3Pi8yLD3N9+mC1kvJoruxRTp/qOHapnt6VX7pw=";
@ -48,8 +49,9 @@
  "nixos-unstable" = [
    # netbox qrcode plugin
    {
-      _type = "static";
+      _type = "commit";
-      path = ./06-netbox-qrcode.patch;
+      sha = "c82191d848e7a37e125ee15c485f32ac01afc0b2";
      hash = "sha256-TooktlqihtULzJJsHvm8EubbUdJZvbDKdIDcYu7Qcig=";
    }
    # Build netbird-relay
--- a/scripts/cache-node.sh
+++ b/scripts/cache-node.sh
@ -1,9 +1,6 @@
-set -o errexit
+set -eu -o pipefail
 set -o nounset
 set -o pipefail
 shopt -s lastpipe
-drv=$(colmena eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel")
+drv=$("@colmena@/bin/colmena" eval --instantiate -E "{ nodes, ... }: nodes.${BUILD_NODE}.config.system.build.toplevel")
 # Build the derivation and send it to the great beyond
 nix-store --query --requisites --force-realise --include-outputs "$drv" | grep -v '.*\.drv' >paths.txt
--- a/scripts/check-deployment.sh
+++ b/scripts/check-deployment.sh
@ -1,3 +1,7 @@
 #!/usr/bin/env bash
 #!@bash@/bin/bash
 # shellcheck shell=bash
 set -o errexit
 set -o nounset
 set -o pipefail
@ -16,7 +20,7 @@ Exemple:
 while [[ $# -gt 0 ]]; do
  case "$1" in
-  --help | -h)
+  --help|-h)
    echo "$usage"
    exit 0
    ;;
@ -47,13 +51,13 @@ GIT_TOP_LEVEL=$(git rev-parse --show-toplevel)
 echo "Cloning local main..."
 git clone -q --branch main --single-branch "$GIT_TOP_LEVEL" "$TMP"
-pushd "$TMP" >/dev/null || exit 2
+pushd "$TMP" > /dev/null || exit 2
 ####################
 # Evaluate configs #
 ####################
-colmena_failed() {
+colmena_failed () {
  >&2 echo "Colmena failed. Check your config. Logs:"
  >&2 cat "$COLMENA_LOGS"
  exit 3
@ -64,7 +68,7 @@ COLMENA_LOGS=$(mktemp)
 echo "Evaluating configs..."
 # Disable warning because of '${}'
 # shellcheck disable=SC2016
-RESULTS=$(colmena eval -E '{ nodes, lib, ...}: lib.mapAttrsToList (k: v: { machine = k; path = v.config.system.build.toplevel; drv = v.config.system.build.toplevel.drvPath; domain = "${v.config.networking.hostName}.${v.config.networking.domain}"; }) nodes' 2>"$COLMENA_LOGS" || colmena_failed)
+RESULTS=$(colmena eval -E '{ nodes, lib, ...}: lib.mapAttrsToList (k: v: { machine = k; path = v.config.system.build.toplevel; drv = v.config.system.build.toplevel.drvPath; domain = "${v.config.networking.hostName}.${v.config.networking.domain}"; }) nodes' 2> "$COLMENA_LOGS" || colmena_failed)
 rm "$COLMENA_LOGS"
 echo "Evaluation finished"
@ -73,48 +77,49 @@ echo "Evaluation finished"
 # retrieve and check current-system #
 #####################################
-retrieve_current_system() {
+retrieve_current_system () {
  # TODO implement a less invasive method
  ssh -n "root@$1" "readlink -f /run/current-system"
 }
 return_status=0
-echo "$RESULTS" | jq -c '.[]' |
+echo "$RESULTS" | @jq@/bin/jq -c '.[]' |
-  while IFS=$'\n' read -r c; do
+while IFS=$'\n' read -r c; do
-    machine=$(echo "$c" | jq -r '.machine')
+  machine=$(echo "$c" | @jq@/bin/jq -r '.machine')
-    if [[ -n ${node-} ]] && [[ "$machine" != "$node" ]]; then
+  if [[ -n ${node-} ]] && [[ "$machine" != "$node" ]]; then
-      echo "Skipping ${machine}"
+    echo "Skipping ${machine}"
-      continue
+    continue
-    fi
+  fi
-    expected_path=$(echo "$c" | jq -r '.path')
+  expected_path=$(echo "$c" | @jq@/bin/jq -r '.path')
-    domain=$(echo "$c" | jq -r '.domain')
+  domain=$(echo "$c" | @jq@/bin/jq -r '.domain')
-    drv_path=$(echo "$c" | jq -r '.drv')
+  drv_path=$(echo "$c" | @jq@/bin/jq -r '.drv')
-    err=0
+  err=0
-    current_path=$(retrieve_current_system "$domain") || err=1
+  current_path=$(retrieve_current_system "$domain") || err=1
-    if [[ "1" == "${err}" ]]; then
+  if [[ "1" == "${err}" ]] ; then
-      echo "❌ failed to contact $domain !"
+    echo "❌ failed to contact $domain !"
-      continue
+    continue
-    fi
+  fi
-    if [ "$expected_path" == "$current_path" ]; then
+  if [ "$expected_path" == "$current_path" ] ; then
-      echo "✅ $machine -> OK"
+    echo "✅ $machine -> OK"
-    elif [[ -n ${diff-} ]]; then
+  elif [[ -n ${diff-} ]] ; then
-      nix-copy-closure --from "root@$domain" "$current_path"
+    nix-copy-closure --from "root@$domain" "$current_path"
-      nix-store -r "$drv_path"
+    nix-store -r "$drv_path"
-      echo "$machine -> error. nvd output:"
+    echo "$machine -> error. nvd output:"
-      nvd diff "$expected_path" "$current_path"
+    @nvd@/bin/nvd  diff "$expected_path" "$current_path"
-      return_status=1
+    return_status=1
-    else
+  else
-      echo "☠️ $machine -> error:"
+    echo "☠️ $machine -> error:"
-      echo "   - Expected system: $expected_path"
+    echo "   - Expected system: $expected_path"
-      echo "   - Current system:  $current_path"
+    echo "   - Current system:  $current_path"
-      return_status=1
+    return_status=1
-    fi
+  fi
-  done
+done
-popd >/dev/null || exit 2
+popd > /dev/null || exit 2
 rm -r "$TMP"
 exit $return_status
--- a/scripts/default.nix
+++ b/scripts/default.nix
@ -1,32 +1,39 @@
-{ pkgs }:
+{ pkgs, ... }:
 let
-  inherit (pkgs.lib) mapAttrs;
+  substitutions = {
-
+    inherit (pkgs)
-  inherit (pkgs)
+      bash
    writeShellApplication
    colmena
    jq
    nvd
    ;
  scripts = {
    cache-node = [ colmena ];
    check-deployment = [
      colmena
-      jq
+      coreutils
      nvd
-    ];
+      git
-    launch-vm = [ colmena ];
+      jq
-    list-nodes = [ jq ];
+      ;
  };
  mkShellScript =
    name:
    (pkgs.substituteAll (
      {
        inherit name;
        src = ./. + "/${name}.sh";
        dir = "/bin/";
        isExecutable = true;
        checkPhase = ''
          ${pkgs.stdenv.shellDryRun} "$target"
        '';
      }
      // substitutions
    ));
  scripts = [
    "cache-node"
    "check-deployment"
    "launch-vm"
    "list-nodes"
  ];
 in
-mapAttrs (
+builtins.map mkShellScript scripts
  name: runtimeInputs:
  writeShellApplication {
    inherit name runtimeInputs;
    text = builtins.readFile ./${name}.sh;
  }
 ) scripts
--- a/scripts/launch-vm.sh
+++ b/scripts/launch-vm.sh
@ -1,35 +1,33 @@
 #!@bash@/bin/bash
 # shellcheck shell=bash
 set -o errexit
 set -o nounset
 set -o pipefail
 shopt -s lastpipe
 MACHINE=""
 HOSTFWD=""
 while getopts 'p:o:h' opt; do
  case "$opt" in
-  p)
+    p)
-    HOSTFWD=",hostfwd=tcp::$OPTARG$HOSTFWD"
+      HOSTFWD=",hostfwd=tcp::$OPTARG$HOSTFWD"
-    ;;
+      ;;
-  o)
+    o)
-    MACHINE="$OPTARG"
+      MACHINE="$OPTARG"
-    ;;
+      ;;
-  h | ?)
+    h|?)
-    echo "Usage: $(basename "$0") [-p hostport-:guestport] -o MACHINE"
+      echo "Usage: $(basename "$0") [-p hostport-:guestport] -o MACHINE"
-    exit 1
+      exit 1
-    ;;
+      ;;
  esac
 done
-shift "$((OPTIND - 1))"
+shift "$((OPTIND -1))"
-if [ -z "$MACHINE" ]; then
+if [ -z "$MACHINE" ]; then echo "-o option needed"; exit 1; fi
  echo "-o option needed"
  exit 1
 fi
-DRV_PATH=$(colmena eval --instantiate -E "{nodes, ...}: nodes.$MACHINE.config.system.build.vm")
+DRV_PATH=$(@colmena@/bin/colmena eval --instantiate -E "{nodes, ...}: nodes.$MACHINE.config.system.build.vm")
 echo "Realising $DRV_PATH"
 RESULT=$(nix-store -r "$DRV_PATH")
--- a/scripts/list-nodes.sh
+++ b/scripts/list-nodes.sh
@ -1,8 +1,6 @@
-set -o errexit
+#!@bash@/bin/bash
-set -o nounset
+# shellcheck shell=bash
 set -o pipefail
 shopt -s lastpipe
-cd "$(git rev-parse --show-toplevel)"
+cd $(@git@/bin/git rev-parse --show-toplevel)
-nix-instantiate --strict --eval --json -A nodes | jq .
+nix-instantiate --strict --eval --json -A nodes | @jq@/bin/jq .
--- a/shell.nix
+++ b/shell.nix
@ -1 +1 @@
-(import ./. { }).devShell
+(import ./. { }).shells.default
--- a/terranix/common.nix
+++ b/terranix/common.nix
@ -0,0 +1,7 @@
 {
  # Until we get some kind of KMS operational, store secrets in the state file.
  terraform.required_providers.secret = {
    version = "~> 1.2.1";
    source = "numtide/secret";
  };
 }
--- a/terranix/default.nix
+++ b/terranix/default.nix
@ -0,0 +1,7 @@
 {
  imports = [
    ./common.nix
    ./state.nix
    ./s3.nix
  ];
 }
--- a/terranix/s3.nix
+++ b/terranix/s3.nix
@ -0,0 +1,54 @@
 { lib, ... }:
 let
  inherit (lib) tf;
 in
 {
  # FIXME: add a NixOS module to abstract bucket creation, etc.
  config = {
    terraform.required_providers.garage = {
      version = "~> 1.0.3";
      source = "registry.opentofu.org/RaitoBezarius/garage";
    };
    resource = {
      secret_resource.admin-s3-token.lifecycle.prevent_destroy = true;
      garage_bucket = {
        monorepo-terraform-state = { };
        impress-raito-demo = { };
      };
      garage_bucket_global_alias = {
        monorepo-terraform-state = {
          bucket_id = tf.ref "resource.garage_bucket.monorepo-terraform-state.id";
          alias = "monorepo-terraform-state";
        };
        impress-raito-demo = {
          bucket_id = tf.ref "resource.garage_bucket.impress-raito-demo.id";
          alias = "impress-raito-demo";
        };
      };
      garage_key = {
        raito-dinum-test = {
          name = "raito-dinum-test";
          permissions.create_bucket = false;
        };
      };
      garage_bucket_key = {
        raito-dinum-test = {
          bucket_id = tf.ref "resource.garage_bucket.impress-raito-demo.id";
          access_key_id = tf.ref "resource.garage_key.raito-dinum-test.access_key_id";
          read = true;
          write = true;
          owner = true;
        };
      };
    };
    provider.garage = {
      host = "s3-admin.dgnum.eu";
      scheme = "https";
      token = tf.ref "resource.secret_resource.admin-s3-token.value";
    };
  };
 }
--- a/terranix/state.nix
+++ b/terranix/state.nix
@ -0,0 +1,21 @@
 {
  # We use terraform.backend.s3 directly instead of the type-checked Terranix
  # backend.s3 options. The latter does not support setting arbitrary s3
  # endpoints.
  #
  # Note: currently requires the user to provide AWS_ACCESS_KEY_ID as well as
  # AWS_SECRET_ACCESS_KEY in their environment variables.
  terraform.backend.s3 = {
    endpoints.s3 = "s3.dgnum.eu";
    region = "garage";
    bucket = "monorepo-terraform-state";
    key = "state";
    # It's just a dumb Garage server, don't try to be smart.
    skip_credentials_validation = true;
    skip_region_validation = true;
    skip_requesting_account_id = true;
    skip_metadata_api_check = true;
  };
 }
--- a/workflows/check-meta.nix
+++ b/workflows/check-meta.nix
@ -1,31 +0,0 @@
 {
  name = "Check meta";
  on = {
    pull_request.branches = [ "main" ];
    push.paths = [ "meta/*" ];
  };
  jobs = {
    check_meta = {
      runs-on = "nix";
      steps = [
        { uses = "actions/checkout@v3"; }
        {
          name = "Check the validity of meta options";
          run = "nix-build meta/verify.nix -A meta";
        }
      ];
    };
    check_dns = {
      runs-on = "nix";
      steps = [
        { uses = "actions/checkout@v3"; }
        {
          name = "Check the validity of the DNS configuration";
          run = "nix-build meta/verify.nix -A dns";
        }
      ];
    };
  };
 }
--- a/workflows/check-workflows.nix
+++ b/workflows/check-workflows.nix
@ -1,20 +0,0 @@
 {
  name = "Check workflows";
  on = {
    pull_request.branches = [ "main" ];
    push.paths = [ "workflows/*" ];
  };
  jobs = {
    check_workflows = {
      runs-on = "nix";
      steps = [
        { uses = "actions/checkout@v3"; }
        {
          name = "Check that the workflows are up to date";
          run = "nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l) -eq 0 ]'";
        }
      ];
    };
  };
 }
--- a/workflows/eval-nodes.nix
+++ b/workflows/eval-nodes.nix
@ -1,32 +0,0 @@
 { lib }:
 let
  inherit (lib) attrNames genAttrs;
  nodes = attrNames (builtins.readDir ../machines);
 in
 {
  name = "Build all the nodes";
  on = {
    pull_request.branches = [ "main" ];
    push.branches = [ "main" ];
  };
  jobs = genAttrs nodes (node: {
    runs-on = "nix";
    steps = [
      { uses = "actions/checkout@v3"; }
      {
        name = "Build and cache ${node}";
        run = "nix-shell -A eval-nodes --run cache-node";
        env = {
          STORE_ENDPOINT = "https://tvix-store.dgnum.eu/infra-signing/";
          STORE_USER = "admin";
          STORE_PASSWORD = "\${{ secrets.STORE_PASSWORD }}";
          BUILD_NODE = node;
        };
      }
    ];
  });
 }
--- a/workflows/pre-commit.nix
+++ b/workflows/pre-commit.nix
@ -1,18 +0,0 @@
 {
  name = "Run pre-commit on all files";
  on = [
    "push"
    "pull_request"
  ];
  jobs.check = {
    runs-on = "nix";
    steps = [
      { uses = "actions/checkout@v3"; }
      {
        name = "Run pre-commit on all files";
        run = "nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure'";
      }
    ];
  };
 }
Author	SHA1	Message	Date
Ryan Lahfa	822b4f3b83	feat(infra): showcase the declarative bucket feature All checks were successful Check meta / check_meta (push) Successful in 15s Details Check meta / check_dns (push) Successful in 16s Details lint / check (push) Successful in 26s Details Check meta / check_meta (pull_request) Successful in 16s Details Check meta / check_dns (pull_request) Successful in 16s Details build configuration / build_and_cache_storage01 (pull_request) Successful in 1m17s Details build configuration / build_and_cache_compute01 (pull_request) Successful in 1m35s Details build configuration / build_and_cache_rescue01 (pull_request) Successful in 1m11s Details build configuration / build_and_cache_geo01 (pull_request) Successful in 1m7s Details build configuration / build_and_cache_geo02 (pull_request) Successful in 1m6s Details build configuration / build_and_cache_vault01 (pull_request) Successful in 1m27s Details build configuration / build_and_cache_web02 (pull_request) Successful in 1m4s Details build configuration / build_and_cache_web01 (pull_request) Successful in 1m50s Details build configuration / build_and_cache_web03 (pull_request) Successful in 1m12s Details build configuration / build_and_cache_bridge01 (pull_request) Successful in 1m2s Details lint / check (pull_request) Successful in 23s Details Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-22 13:32:02 +02:00
Ryan Lahfa	33f7a082ce	feat(infra): add S3 declarative buckets A very simple basic support for it, which requires a S3 admin token. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-22 13:32:02 +02:00
Ryan Lahfa	8706116ce4	feat(infra): introduce Terranix This requires the support for monorepo-terraform-state.s3.dgnum.eu being available. `.credentials/` is age-encrypted using only my key for now until we figure out the right mechanism. Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>	2024-10-22 13:32:02 +02:00
`@ -1 +1 @@`
	`(import ./. { }).devShell`	`(import ./. { }).shells.default`