fix(wrappers/colmena): ensure purity of evaluation

fix(meta/dns): Add netbox-v2
feat(compute01): Deploy a copy of netbox
2025-03-02 22:20:10 +01:00 · 2025-03-01 17:00:32 +01:00 · 2025-03-01 16:59:55 +01:00 · 2025-03-01 16:55:29 +01:00 · 2025-03-01 16:49:32 +01:00 · 2025-03-01 16:49:32 +01:00
168 changed files with 3290 additions and 3069 deletions
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@ -100,6 +100,28 @@ jobs:
        STORE_USER: admin
      name: Build and cache hypervisor03
      run: nix-shell -A eval-nodes --run cache-node
  netaccess01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: netaccess01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache netaccess01
      run: nix-shell -A eval-nodes --run cache-node
  netcore01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: netcore01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache netcore01
      run: nix-shell -A eval-nodes --run cache-node
  netcore02:
    runs-on: nix
    steps:
--- a/README.md
+++ b/README.md
@ -98,7 +98,7 @@ The general metadata is declared in `meta/nodes.nix`, the main values to declare
 Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
 ```nix
-(import ../../../keys).mkSecrets [ "host02" ] [
+(import ../../../keys.nix).mkSecrets [ "host02" ] [
  # List of secrets for host02
 ]
 ```
--- a/REUSE.toml
+++ b/REUSE.toml
@ -23,6 +23,12 @@ SPDX-License-Identifier = "EUPL-1.2"
 path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
 precedence = "closest"
 [[annotations]]
 SPDX-FileCopyrightText = ["2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>", "2024 Maurice Debray <maurice.debray@dgnum.eu>"]
 SPDX-License-Identifier = "EUPL-1.2"
 path = ["patches/nixpkgs/07-kanidm-groups-module.patch", "patches/nixpkgs/08-kanidm-groups-pkgs.patch"]
 precedence = "closest"
 [[annotations]]
 SPDX-FileCopyrightText = "2024 Maurice Debray <maurice.debray@dgnum.eu>"
 SPDX-License-Identifier = "EUPL-1.2"
--- a/bootstrap.nix
+++ b/bootstrap.nix
@ -0,0 +1,33 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 # SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 let
  unpatchedSources = import ./npins;
  pkgs = import unpatchedSources.nixos-unstable { };
  patch = (import ./lib/nix-patches { patchFile = ./patches; }).base {
    inherit pkgs;
  };
  sources = builtins.mapAttrs (
    k: src:
    patch.applyPatches {
      inherit src;
      name = k;
    }
  ) unpatchedSources;
  overlays.lib = _: lib: { extra = import ./lib/nix-lib { inherit lib; }; };
 in
 {
  inherit overlays sources unpatchedSources;
  pkgs = pkgs // {
    lib = pkgs.lib.extend overlays.lib;
  };
 }
--- a/default.nix
+++ b/default.nix
@ -3,9 +3,13 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 let
  bootstrap = import ./bootstrap.nix;
 in
 {
-  sources ? import ./npins,
+  sources ? bootstrap.sources,
-  pkgs ? import sources.nixos-unstable { },
+  pkgs ? bootstrap.pkgs,
 }:
 let
@ -101,6 +105,16 @@ let
        ];
        copyright = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>";
      }
      {
        path = [
          "patches/nixpkgs/07-kanidm-groups-module.patch"
          "patches/nixpkgs/08-kanidm-groups-pkgs.patch"
        ];
        copyright = [
          "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
          "2024 Maurice Debray <maurice.debray@dgnum.eu>"
        ];
      }
      {
        path = [ "patches/nixpkgs/06-netbox-qrcode.patch" ];
        copyright = "2024 Maurice Debray <maurice.debray@dgnum.eu>";
@ -187,17 +201,11 @@ in
        }))
        pkgs.npins
        pkgs.rage
        # SSO testing
        pkgs.kanidm
        pkgs.freeradius
        pkgs.picocom # for serial access
        # Daemon-less copy closure for Liminix systems.
        (pkgs.callPackage (sources.liminix + "/pkgs/min-copy-closure") { nix = pkgs.lix; })
        # Daemon-less garbage collection for Liminix systems.
        (pkgs.callPackage (sources.liminix + "/pkgs/min-collect-garbage") { nix = pkgs.lix; })
        (pkgs.callPackage ./lib/colmena {
          colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
        })
--- a/hive.nix
+++ b/hive.nix
@ -4,45 +4,26 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 # TODO: change comments to ### \n # [text] \n #
 let
-  sources' = import ./npins;
+  ### Init some tooling
-  # Patch sources directly
+  bootstrap = import ./bootstrap.nix;
  sources =
    builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; }).applyPatches'
      sources';
-  nix-lib = import ./lib/nix-lib;
+  inherit (bootstrap.pkgs) lib;
-  inherit (nix-lib) mapSingleFuse;
+  inherit (lib.extra) mapSingleFuse;
-  patch = import ./lib/nix-patches { patchFile = ./patches; };
+  inherit (bootstrap) sources;
-  nodes' = import ./meta/nodes;
+  ### Let's build meta
-  nodes = builtins.attrNames nodes';
+  metadata = (import ./meta) lib;
-  mkNode = node: {
+  nodes = builtins.attrNames metadata.nodes;
-    deployment.systemType = system node;
+
-  };
+  ### Nixpkgs instanciation
  nixpkgs' = import ./meta/nixpkgs.nix;
  # All supported nixpkgs versions × systems, instanciated
  nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
  # Get the configured nixos version for the node,
  # defaulting to the one defined in meta/nixpkgs
  version = node: nodes'.${node}.nixpkgs.version;
  system = node: nodes'.${node}.nixpkgs.system;
  category = node: nixpkgs'.categories.${system node};
  nodePkgs = node: nixpkgs.${system node}.${version node};
  # Builds a patched version of nixpkgs, only as the source
  mkNixpkgs' =
    v:
    patch.mkNixpkgsSrc rec {
      src = sources'.${name};
      name = "nixos-${v}";
    };
  # Build up the nixpkgs configuration for Liminix embedded systems
  mkLiminixConfig =
@ -62,29 +43,47 @@ let
  mkNixpkgsConfig =
    system:
    {
-      nixos = _: { };
+      nixos = _: { }; # TODO: add nix-pkgs overlay here
      zyxel-nwa50ax = mkLiminixConfig system;
      netconf = _: { };
    }
    .${system} or (throw "Unknown system: ${system} for nixpkgs configuration instantiation");
  # Instanciates the required nixpkgs version
-  mkSystemNixpkgs = system: version: import (mkNixpkgs' version) (mkNixpkgsConfig system version);
+  mkSystemNixpkgs =
    system: version: import sources."nixos-${version}" (mkNixpkgsConfig system version);
-  ###
+  # All supported nixpkgs versions × systems, instanciated
  nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
  # Get the configured nixos version for the node,
  # defaulting to the one defined in meta/nixpkgs
  version = node: metadata.nodes.${node}.nixpkgs.version;
  system = node: metadata.nodes.${node}.nixpkgs.system;
  category = node: nixpkgs'.categories.${system node};
  nodePkgs = node: nixpkgs.${system node}.${version node};
  ##########
  # Function to create arguments based on the node
  #
  mkArgs = node: rec {
-    lib = sourcePkgs.lib // {
+    lib = sourcePkgs.lib.extend bootstrap.overlays.lib;
      extra = nix-lib;
    };
    sourcePkgs = nodePkgs node;
-    meta = (import ./meta) lib;
+    meta = metadata;
-    nodeMeta = meta.nodes.${node};
+    nodeMeta = metadata.nodes.${node};
-    nodePath = "machines/${category node}/${nodeMeta.nodeDir}";
+    nodePath = "machines/${category node}/${node}";
  };
  ##########
  # Module for each node (quite empty since almost everything is in the default module)
  #
  mkNode = node: {
    deployment.systemType = system node;
  };
 in
 {
@ -95,7 +94,10 @@ in
    specialArgs = {
      inherit nixpkgs sources;
-      dgn-keys = import ./keys;
+      dgn-keys = import ./lib/keys {
        meta = metadata;
        inherit lib;
      };
    };
    nodeSpecialArgs = mapSingleFuse mkArgs nodes;
@ -219,5 +221,6 @@ in
        };
    };
  };
 }
 // (mapSingleFuse mkNode nodes)
--- a/iso/configuration.nix
+++ b/iso/configuration.nix
@ -5,9 +5,9 @@
 { lib, pkgs, ... }:
 let
-  dgn-keys = import ../keys;
+  dgn-keys = import ../keys.nix;
-  dgn-members = (import ../meta lib).organization.groups.root;
+  dgn-members = (import ../meta lib).config.organization.groups.root;
 in
 {
--- a/keys.nix
+++ b/keys.nix
@ -0,0 +1,13 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 let
  bootstrap = import ./bootstrap.nix;
  inherit (bootstrap.pkgs) lib;
  meta = import ./meta lib;
 in
 import ./lib/keys { inherit meta lib; }
--- a/keys/default.nix
+++ b/keys/default.nix
@ -1,109 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 let
  _sources = import ../npins;
  inherit (import _sources.nixos-unstable { }) lib;
  meta = import ../meta lib;
  inherit (import ../lib/nix-lib) setDefault unique;
 in
 rec {
  # WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
  #          If not, you will face an angry maintainer
  _keys = {
    # SSH keys of the nodes
    bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
    build01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIYJcEMQpOyKInqtd2/brnSQuzwgv6fNPlTSQx9tcvPu" ];
    compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
    geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
    geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
    hypervisor01 = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
    ];
    hypervisor02 = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
    ];
    hypervisor03 = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
    ];
    rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
    storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
    tower01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVpR+TMRLGAfhn7Q0C3tKOydYYjfoC/e1ZYbKpby01Z" ];
    vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
    web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
    web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
    web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
    # SSH keys of the DGNum members
    agroudiev = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
    ];
    catvayor = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFfIJ8BToZ9EDxBsEJXQhUju7gm+rUDjGCNMvFSZCl1o openpgp:0x5CADCA1B"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdOxx4I8BSbYPdouvuzDepwTwzQzGSBCNIV8TB5dduT openpgp:0xF6018131"
    ];
    cst1 = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
    ];
    ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
    gdd = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
    ];
    jemagius = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
    ];
    luj = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
    ];
    mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
    mdebray = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
    ];
    raito = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
    ];
    thubrecht = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
    ];
  };
  getKeys = ls: builtins.concatLists (builtins.map (member: _keys.${member} or [ ]) ls);
  mkSecrets =
    nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
  getNodeKeys' =
    node:
    let
      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
        meta.nodes.${node}.admins ++ [ node ]
      ) meta.nodes.${node}.adminGroups;
    in
    unique (getKeys names);
  getNodeKeys = node: rootKeys ++ getNodeKeys' node;
  # List of keys for the root group
  rootKeys = getKeys meta.organization.groups.root;
  # List of 'machine' keys
  machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
  nixosMachineKeys =
    rootKeys
    ++ (getKeys (builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == "nixos") meta.nodes)));
 }
--- a/lib/colmena/wrapper.sh.in
+++ b/lib/colmena/wrapper.sh.in
@ -28,4 +28,4 @@ if [[ $1 == 'apply' ]]; then
 	doChecks
 fi
-exec @colmena@ "$@"
+exec @colmena@ --nix-option nix-path "" "$@"
--- a/lib/keys/default.nix
+++ b/lib/keys/default.nix
@ -0,0 +1,51 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 # SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { meta, lib }:
 let
  inherit (lib.extra) setDefault unique;
  getAttr = lib.flip builtins.getAttr;
 in
 rec {
  _memberKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.organization.members;
  _builderKeys = builtins.mapAttrs (_: v: v.builderKeys) meta.organization.members;
  _nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes;
  # Get keys of the users
  getMemberKeys = name: builtins.concatLists (builtins.map (getAttr _memberKeys) name);
  # Get builder keys of the users
  getBuilderKeys = getAttr _builderKeys;
  # Get keys of the ssh server
  getNodeKeys = name: builtins.concatLists (builtins.map (getAttr _nodeKeys) name);
  # List of keys for the root group
  rootKeys = getMemberKeys meta.organization.groups.root;
  # All admins for a node
  getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins;
  # All keys needed for secret encryption
  getSecretKeys = node: unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
  # List of keys for all machines wide secrets
  machineKeys = rootKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));
  mkSecrets = nodes: setDefault { publicKeys = unique (builtins.concatMap getSecretKeys nodes); };
  mkRootSecrets = setDefault { publicKeys = unique rootKeys; };
  machineKeysBySystem =
    system:
    rootKeys
    ++ (getNodeKeys (
      builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == system) meta.nodes)
    ));
 }
--- a/lib/nix-lib/default.nix
+++ b/lib/nix-lib/default.nix
@ -2,17 +2,13 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
-
+{ lib }:
 let
  # Reimplement optional functions
  _optional =
    default: b: value:
    if b then value else default;
 in
 rec {
-  inherit (import ./nixpkgs.nix)
+  inherit (lib)
    flip
    optionals
    optionalString
    hasPrefix
    recursiveUpdate
    splitString
@ -53,6 +49,24 @@ rec {
    attrsList:
    fuseAttrs (builtins.map f attrsList);
  /*
    Generate an `attrsList` of given size with the generator before fusing
    the resulting list of attribute sets.
    Type: (Int -> attrs) -> Int -> attrs
    Example:
     f = s: { "a${toString s}" = s + s; }
     genFuse f 3
     => { a0 = 0; a1 = 2; a2 = 4; }
  */
  genFuse =
    # Int -> attrs
    f:
    # Int
    size:
    fuseAttrs (builtins.genList f size);
  /*
    Equivalent of lib.singleton but for an attribute set.
@ -112,11 +126,8 @@ rec {
  subAttrs = attrs: builtins.map (subAttr attrs);
-  optionalList = _optional [ ];
+  optionalList = optionals;
  optionalAttrs = _optional { };
  optionalString = _optional "";
  /*
    Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
    sets together.
--- a/lib/nix-lib/nixpkgs.nix
+++ b/lib/nix-lib/nixpkgs.nix
@ -1,468 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 ###
 # Collection of nixpkgs library functions, those are necessary for defining our own lib
 #
 # They have been simplified and builtins are used in some places, instead of lib shims.
 rec {
  /**
    Does the same as the update operator '//' except that attributes are
    merged until the given predicate is verified.  The predicate should
    accept 3 arguments which are the path to reach the attribute, a part of
    the first attribute set and a part of the second attribute set.  When
    the predicate is satisfied, the value of the first attribute set is
    replaced by the value of the second attribute set.
    # Inputs
    `pred`
    : Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
    `lhs`
    : Left attribute set of the merge.
    `rhs`
    : Right attribute set of the merge.
    # Type
    ```
    recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
    ```
    # Examples
    :::{.example}
    ## `lib.attrsets.recursiveUpdateUntil` usage example
    ```nix
    recursiveUpdateUntil (path: l: r: path == ["foo"]) {
      # first attribute set
      foo.bar = 1;
      foo.baz = 2;
      bar = 3;
    } {
      #second attribute set
      foo.bar = 1;
      foo.quz = 2;
      baz = 4;
    }
    => {
      foo.bar = 1; # 'foo.*' from the second set
      foo.quz = 2; #
      bar = 3;     # 'bar' from the first set
      baz = 4;     # 'baz' from the second set
    }
    ```
    :::
  */
  recursiveUpdateUntil =
    pred: lhs: rhs:
    let
      f =
        attrPath:
        builtins.zipAttrsWith (
          n: values:
          let
            here = attrPath ++ [ n ];
          in
          if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
            builtins.head values
          else
            f here values
        );
    in
    f
      [ ]
      [
        rhs
        lhs
      ];
  /**
    A recursive variant of the update operator ‘//’.  The recursion
    stops when one of the attribute values is not an attribute set,
    in which case the right hand side value takes precedence over the
    left hand side value.
    # Inputs
    `lhs`
    : Left attribute set of the merge.
    `rhs`
    : Right attribute set of the merge.
    # Type
    ```
    recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
    ```
    # Examples
    :::{.example}
    ## `lib.attrsets.recursiveUpdate` usage example
    ```nix
    recursiveUpdate {
      boot.loader.grub.enable = true;
      boot.loader.grub.device = "/dev/hda";
    } {
      boot.loader.grub.device = "";
    }
    returns: {
      boot.loader.grub.enable = true;
      boot.loader.grub.device = "";
    }
    ```
    :::
  */
  recursiveUpdate =
    lhs: rhs:
    recursiveUpdateUntil (
      _: lhs: rhs:
      !(builtins.isAttrs lhs && builtins.isAttrs rhs)
    ) lhs rhs;
  /**
    Determine whether a string has given prefix.
    # Inputs
    `pref`
    : Prefix to check for
    `str`
    : Input string
    # Type
    ```
    hasPrefix :: string -> string -> bool
    ```
    # Examples
    :::{.example}
    ## `lib.strings.hasPrefix` usage example
    ```nix
    hasPrefix "foo" "foobar"
    => true
    hasPrefix "foo" "barfoo"
    => false
    ```
    :::
  */
  hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
  /**
    Escape occurrence of the elements of `list` in `string` by
    prefixing it with a backslash.
    # Inputs
    `list`
    : 1\. Function argument
    `string`
    : 2\. Function argument
    # Type
    ```
    escape :: [string] -> string -> string
    ```
    # Examples
    :::{.example}
    ## `lib.strings.escape` usage example
    ```nix
    escape ["(" ")"] "(foo)"
    => "\\(foo\\)"
    ```
    :::
  */
  escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
  /**
    Convert a string `s` to a list of characters (i.e. singleton strings).
    This allows you to, e.g., map a function over each character.  However,
    note that this will likely be horribly inefficient; Nix is not a
    general purpose programming language. Complex string manipulations
    should, if appropriate, be done in a derivation.
    Also note that Nix treats strings as a list of bytes and thus doesn't
    handle unicode.
    # Inputs
    `s`
    : 1\. Function argument
    # Type
    ```
    stringToCharacters :: string -> [string]
    ```
    # Examples
    :::{.example}
    ## `lib.strings.stringToCharacters` usage example
    ```nix
    stringToCharacters ""
    => [ ]
    stringToCharacters "abc"
    => [ "a" "b" "c" ]
    stringToCharacters "🦄"
    => [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
    ```
    :::
  */
  stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
  /**
    Turn a string `s` into an exact regular expression
    # Inputs
    `s`
    : 1\. Function argument
    # Type
    ```
    escapeRegex :: string -> string
    ```
    # Examples
    :::{.example}
    ## `lib.strings.escapeRegex` usage example
    ```nix
    escapeRegex "[^a-z]*"
    => "\\[\\^a-z]\\*"
    ```
    :::
  */
  escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
  /**
    Appends string context from string like object `src` to `target`.
    :::{.warning}
    This is an implementation
    detail of Nix and should be used carefully.
    :::
    Strings in Nix carry an invisible `context` which is a list of strings
    representing store paths. If the string is later used in a derivation
    attribute, the derivation will properly populate the inputDrvs and
    inputSrcs.
    # Inputs
    `src`
    : The string to take the context from. If the argument is not a string,
      it will be implicitly converted to a string.
    `target`
    : The string to append the context to. If the argument is not a string,
      it will be implicitly converted to a string.
    # Type
    ```
    addContextFrom :: string -> string -> string
    ```
    # Examples
    :::{.example}
    ## `lib.strings.addContextFrom` usage example
    ```nix
    pkgs = import <nixpkgs> { };
    addContextFrom pkgs.coreutils "bar"
    => "bar"
    ```
    The context can be displayed using the `toString` function:
    ```nix
    nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
    {
      "/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
    }
    ```
    :::
  */
  addContextFrom = src: target: builtins.substring 0 0 src + target;
  /**
    Cut a string with a separator and produces a list of strings which
    were separated by this separator.
    # Inputs
    `sep`
    : 1\. Function argument
    `s`
    : 2\. Function argument
    # Type
    ```
    splitString :: string -> string -> [string]
    ```
    # Examples
    :::{.example}
    ## `lib.strings.splitString` usage example
    ```nix
    splitString "." "foo.bar.baz"
    => [ "foo" "bar" "baz" ]
    splitString "/" "/usr/local/bin"
    => [ "" "usr" "local" "bin" ]
    ```
    :::
  */
  splitString =
    sep: s:
    let
      splits = builtins.filter builtins.isString (
        builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
      );
    in
    builtins.map (addContextFrom s) splits;
  /**
    Remove duplicate elements from the `list`. O(n^2) complexity.
    # Inputs
    `list`
    : Input list
    # Type
    ```
    unique :: [a] -> [a]
    ```
    # Examples
    :::{.example}
    ## `lib.lists.unique` usage example
    ```nix
    unique [ 3 2 3 4 ]
    => [ 3 2 4 ]
    ```
    :::
  */
  unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
  /**
    Flip the order of the arguments of a binary function.
    # Inputs
    `f`
    : 1\. Function argument
    `a`
    : 2\. Function argument
    `b`
    : 3\. Function argument
    # Type
    ```
    flip :: (a -> b -> c) -> (b -> a -> c)
    ```
    # Examples
    :::{.example}
    ## `lib.trivial.flip` usage example
    ```nix
    flip concat [1] [2]
    => [ 2 1 ]
    ```
    :::
  */
  flip =
    f: a: b:
    f b a;
  /**
    `warn` *`message`* *`value`*
    Print a warning before returning the second argument.
    See [`builtins.warn`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn) (Nix >= 2.23).
    On older versions, the Nix 2.23 behavior is emulated with [`builtins.trace`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn), including the [`NIX_ABORT_ON_WARN`](https://nix.dev/manual/nix/latest/command-ref/conf-file#conf-abort-on-warn) behavior, but not the `nix.conf` setting or command line option.
    # Inputs
    *`message`* (String)
    : Warning message to print before evaluating *`value`*.
    *`value`* (any value)
    : Value to return as-is.
    # Type
    ```
    String -> a -> a
    ```
  */
  warn =
    # Since Nix 2.23, https://github.com/NixOS/nix/pull/10592
    builtins.warn or (
      let
        mustAbort = builtins.elem (builtins.getEnv "NIX_ABORT_ON_WARN") [
          "1"
          "true"
          "yes"
        ];
      in
      # Do not eta reduce v, so that we have the same strictness as `builtins.warn`.
      msg: v:
      # `builtins.warn` requires a string message, so we enforce that in our implementation, so that callers aren't accidentally incompatible with newer Nix versions.
      assert builtins.isString msg;
      if mustAbort then
        builtins.trace "[1;31mevaluation warning:[0m ${msg}" (
          abort "NIX_ABORT_ON_WARN=true; warnings are treated as unrecoverable errors."
        )
      else
        builtins.trace "[1;35mevaluation warning:[0m ${msg}" v
    );
 }
--- a/machines/liminix/ap-dev/_configuration.nix
+++ b/machines/liminix/ap-dev/_configuration.nix
@ -1,46 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  modulesPath,
  sourcePkgs,
  name,
  ...
 }:
 {
  imports = [
    "${modulesPath}/wlan.nix"
    "${modulesPath}/network"
    "${modulesPath}/hostapd"
    "${modulesPath}/usteer"
    "${modulesPath}/ssh"
    "${modulesPath}/ntp"
    "${modulesPath}/vlan"
    "${modulesPath}/bridge"
    "${modulesPath}/jitter-rng"
    "${modulesPath}/pki"
    "${modulesPath}/ubus"
    # System-level configuration
    ./system.nix
    # Configures our own WLAN.
    ./wlan.nix
    # Configures our IPv4/IPv6 addresses, e.g. DHCPv4 on VLAN 0, SLAAC on VLAN 3001.
    ./addresses.nix
    # Configures a basic local DNS.
    ./dns.nix
    # Configures our management layer, e.g. SSH server + DGNum FAI keys.
    ./management.nix
    # Configures our recovery system, e.g. a levitation script.
    ./recovery.nix
    # ubus
    ./ipc.nix
    # Metadata on the system for field recovery.
    ./metadata.nix
    # TODO: god that's so a fucking hack.
    (import "${modulesPath}/../devices/zyxel-nwa50ax").module
  ];
  hostname = name;
  nixpkgs.source = sourcePkgs.path;
 }
--- a/machines/liminix/ap-dev/addresses.nix
+++ b/machines/liminix/ap-dev/addresses.nix
@ -1,27 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { config, nodeMeta, ... }:
 let
  svc = config.system.service;
  inherit (nodeMeta.extraNodeSettings) ap-no;
  adminIp = "192.168.1.${builtins.toString (ap-no + 10)}";
 in
 {
  # Our bridging is a bit complicated, therefore, we need iproute2.
  programs.iproute2.enable = true;
  services.admin-ip = svc.network.address.build {
    interface = config.hardware.networkInterfaces.lan;
    address = adminIp;
    prefixLength = 24;
    family = "inet";
  };
  services.admin-defaultroute4 = svc.network.route.build {
    via = "192.168.1.254";
    target = "default";
    dependencies = [ config.services.admin-ip ];
  };
 }
--- a/machines/liminix/ap-dev/dns.nix
+++ b/machines/liminix/ap-dev/dns.nix
@ -1,25 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { pkgs, lib, ... }:
 let
  inherit (pkgs.pseudofile) dir symlink;
  # TODO: imho, DNS should be static and provided by the router?
  dns = [
    "8.8.8.8"
    "8.8.4.4"
    "1.0.0.1"
  ];
  resolvconf = pkgs.writeText "resolv.conf" (
    lib.concatMapStringsSep "\n" (dns: ''echo "nameserver ${dns}" >> resolv.conf'') dns
  );
 in
 {
  # TODO: support dynamic reconfiguration once we are in the target VLAN?
  filesystem = dir {
    etc = dir {
      "resolv.conf" = symlink "${resolvconf}";
    };
  };
 }
--- a/machines/liminix/ap-dev/recovery.nix
+++ b/machines/liminix/ap-dev/recovery.nix
@ -1,53 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  config,
  pkgs,
  modulesPath,
  ...
 }:
 let
  parentConfig = config;
 in
 {
  defaultProfile.packages = [
    # Levitate enable us to mass-reinstall the system on the fly.
    # TODO: Test levitation
    (pkgs.levitate.override {
      config = {
        imports = [
          "${modulesPath}/network"
          "${modulesPath}/ssh"
          "${modulesPath}/hardware.nix"
          "${modulesPath}/kernel"
          "${modulesPath}/outputs/tftpboot.nix"
          "${modulesPath}/outputs.nix"
          # FIXME: DHCP has a hidden deps on this, shoud be done in a more intelligent way upstream
          "${modulesPath}/iproute2.nix"
          (_: {
            # FIXME: DHCP has a hidden deps on this, shoud be done in a more intelligent way upstream
            programs.iproute2.enable = true;
            services = {
              inherit (parentConfig.services)
                sshd
                admin-ip
                admin-defaultroute4
                ;
            };
          })
        ];
        hostname = "${parentConfig.hostname}-live";
        nixpkgs.buildPlatform = builtins.currentSystem;
        defaultProfile.packages = with pkgs; [
          mtdutils
          zyxel-bootconfig
        ];
        # Only keep root, which should inherit from DGN access control's root permissions.
        users.root = config.users.root;
      };
    })
  ];
 }
--- a/machines/liminix/ap-dev/system.nix
+++ b/machines/liminix/ap-dev/system.nix
@ -1,34 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { pkgs, config, ... }:
 let
  svc = config.system.service;
 in
 {
  # Get moar random please
  services = {
    jitter = svc.jitter-rng.build { };
    packet_forwarding = svc.network.forward.build { };
    ntp = config.system.service.ntp.build {
      pools = {
        "pool.ntp.org" = [ "iburst" ];
      };
      dependencies = [ config.services.jitter ];
    };
  };
  boot.tftp = {
    serverip = "192.0.2.10";
    ipaddr = "192.0.2.12";
  };
  defaultProfile.packages = with pkgs; [
    zyxel-bootconfig
    iw
    min-collect-garbage
    ubus
  ];
 }
--- a/machines/liminix/ap-v01/addresses.nix
+++ b/machines/liminix/ap-v01/addresses.nix
@ -1,25 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { config, nodeMeta, ... }:
 let
  svc = config.system.service;
  inherit (nodeMeta.extraNodeSettings) building floor ap-no;
  # FIXME switch to ipv6 tu be able to scale
  adminIp = "10.0.253.${builtins.toString (ap-no + floor * 8 + building * 32 + 2)}";
 in
 {
  services.admin-ip = svc.network.address.build {
    interface = config.services.admin-vlan;
    address = adminIp;
    prefixLength = 24;
    family = "inet";
  };
  services.admin-defaultroute4 = svc.network.route.build {
    via = "10.0.253.1";
    target = "default";
    dependencies = [ config.services.admin-ip ];
  };
 }
--- a/machines/liminix/ap-v01/dns.nix
+++ b/machines/liminix/ap-v01/dns.nix
@ -1,25 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { pkgs, lib, ... }:
 let
  inherit (pkgs.pseudofile) dir symlink;
  # TODO: imho, DNS should be static and provided by the router?
  dns = [
    "8.8.8.8"
    "8.8.4.4"
    "1.0.0.1"
  ];
  resolvconf = pkgs.writeText "resolv.conf" (
    lib.concatMapStringsSep "\n" (dns: ''echo "nameserver ${dns}" >> resolv.conf'') dns
  );
 in
 {
  # TODO: support dynamic reconfiguration once we are in the target VLAN?
  filesystem = dir {
    etc = dir {
      "resolv.conf" = symlink "${resolvconf}";
    };
  };
 }
--- a/machines/liminix/ap-v01/ipc.nix
+++ b/machines/liminix/ap-v01/ipc.nix
@ -1,12 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { config, ... }:
 let
  svc = config.system.service;
 in
 {
  # ubus socket for various needs.
  services.ubus = svc.ubus.build { };
 }
--- a/machines/liminix/ap-v01/lan.nix
+++ b/machines/liminix/ap-v01/lan.nix
@ -1,20 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { config, ... }:
 let
  svc = config.system.service;
 in
 {
  # Our bridging is a bit complicated, therefore, we need iproute2.
  programs.iproute2.enable = true;
  services = {
    admin-vlan = svc.vlan.build {
      ifname = "admin";
      primary = config.hardware.networkInterfaces.lan;
      vid = "3001";
    };
  };
 }
--- a/machines/liminix/ap-v01/management.nix
+++ b/machines/liminix/ap-v01/management.nix
@ -1,17 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { config, ... }:
 let
  svc = config.system.service;
 in
 {
  # SSH keys are handled by the access control module.
  dgn-access-control.enable = true;
  users.root = {
    # TODO: Change this well-known password
    passwd = "$6$Z2MiaMXkpUJRPl2/$fxVE3iD/n208CISM2F6OnWj0Qq0QG2tTQqLCjU80PFJJGIwNLLyOp6SeYH3dH20OvJX1loZRETrThZfIPw.rb/";
  };
  services.sshd = svc.ssh.build { allowRoot = true; };
 }
--- a/machines/liminix/ap-v01/metadata.nix
+++ b/machines/liminix/ap-v01/metadata.nix
@ -1,19 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { pkgs, ... }:
 let
  inherit (pkgs.pseudofile) dir;
 in
 {
  filesystem = dir {
    etc = dir {
      "nixpkgs.version" = {
        type = "f";
        file = "${pkgs.lib.version}";
        mode = "0444";
      };
    };
  };
 }
--- a/machines/liminix/ap-v01/recovery.nix
+++ b/machines/liminix/ap-v01/recovery.nix
@ -1,68 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  config,
  pkgs,
  modulesPath,
  ...
 }:
 let
  svc = config.system.service;
  parentConfig = config;
 in
 {
  defaultProfile.packages = [
    # Levitate enable us to mass-reinstall the system on the fly.
    # TODO: Test levitation
    (pkgs.levitate.override {
      config = {
        imports = [
          "${modulesPath}/network"
          "${modulesPath}/ssh"
          "${modulesPath}/hardware.nix"
          "${modulesPath}/kernel"
          "${modulesPath}/outputs/tftpboot.nix"
          "${modulesPath}/outputs.nix"
          # FIXME: DHCP has a hidden deps on this, shoud be done in a more intelligent way upstream
          "${modulesPath}/iproute2.nix"
          (
            { config, ... }:
            {
              # FIXME: DHCP has a hidden deps on this, shoud be done in a more intelligent way upstream
              programs.iproute2.enable = true;
              services = {
                # In this situation, we fallback to the appro VLAN but keep admin vlan.
                # Simplest DHCPv4 we can find.
                dhcpv4 = svc.network.dhcp.client.build {
                  interface = parentConfig.hardware.networkInterfaces.lan;
                };
                inherit (parentConfig.services)
                  sshd
                  admin-vlan
                  admin-ip
                  admin-defaultroute4
                  ;
                defaultroute4 = svc.network.route.build {
                  via = "$(output ${config.services.dhcpv4} router)";
                  target = "default";
                  dependencies = [ config.services.dhcpv4 ];
                };
              };
            }
          )
        ];
        hostname = "${parentConfig.hostname}-live";
        nixpkgs.buildPlatform = builtins.currentSystem;
        defaultProfile.packages = with pkgs; [
          mtdutils
          zyxel-bootconfig
        ];
        # Only keep root, which should inherit from DGN access control's root permissions.
        users.root = config.users.root;
      };
    })
  ];
 }
--- a/machines/liminix/ap-v01/wlan.nix
+++ b/machines/liminix/ap-v01/wlan.nix
@ -1,131 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  config,
  pkgs,
  lib,
  nodeMeta,
  ...
 }:
 let
  svc = config.system.service;
  inherit (nodeMeta.extraNodeSettings) building floor ap-no;
  hex = x: lib.fixedWidthString 2 "0" (lib.toHexString x);
  mac-1 = "02:5B:6A:${hex (building * 4)}:${hex floor}:${hex ap-no}";
  mac-2 = "02:5B:6A:${hex (building * 4 + 1)}:${hex floor}:${hex ap-no}";
  secrets-1 = {
    ssid = "DGNum 2G";
  };
  secrets-2 = {
    ssid = "DGNum 5G";
  };
  baseParams = {
    country_code = "FR";
    hw_mode = "g";
    channel = 6;
    wmm_enabled = 1;
    ieee80211n = 1;
    ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
    auth_algs = 1;
    wpa = 2;
    wpa_pairwise = "TKIP CCMP";
    rsn_pairwise = "CCMP";
  };
  radiusKeyMgmt = {
    wpa_key_mgmt = "WPA-EAP";
  };
  modernParams = {
    hw_mode = "a";
    he_su_beamformer = 1;
    he_su_beamformee = 1;
    he_mu_beamformer = 1;
    preamble = 1;
    # Allow radar detection.
    ieee80211d = 1;
    ieee80211h = 1;
    ieee80211ac = 1;
    ieee80211ax = 1;
    vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]";
    vht_oper_chwidth = 1;
    he_oper_chwidth = 1;
    channel = 36; # TODO understand interferences
    vht_oper_centr_freq_seg0_idx = 42;
    he_oper_centr_freq_seg0_idx = 42;
    require_vht = 1;
  };
  clientRadius = {
    ieee8021x = 1;
    eapol_version = 2;
    use_pae_group_addr = 1;
    dynamic_vlan = 3;
    vlan_tagged_interface = "lan";
  };
  externalRadius = {
    # TODO: when we have proper IPAM, set the right value here.
    own_ip_addr = "127.0.0.1";
    nas_identifier = "ap01.dgnum.eu";
    # No DNS here, hostapd do not support this mode.
    auth_server_addr = "129.199.195.129";
    auth_server_port = 1812;
    auth_server_shared_secret =
      let
        secret = builtins.getEnv "RADIUS_SECRET";
      in
      if secret == "" then
        lib.warn "Using a dummy RADIUS secret. Please do not use in production" "DUMMYSECRET"
      else
        secret;
  };
  mkWifiSta =
    params: interface: secrets:
    svc.hostapd.build {
      inherit interface;
      package = pkgs.hostapd-radius;
      params = params // secrets;
      dependencies = [ config.services.jitter ];
    };
 in
 {
  hardware.wlanMacAddresses = {
    wlan0 = mac-1;
    wlan1 = mac-2;
  };
  services = {
    # wlan0 is the 2.4GHz interface.
    hostap-1 = mkWifiSta (
      baseParams // clientRadius // externalRadius // radiusKeyMgmt
    ) config.hardware.networkInterfaces.wlan0 secrets-1;
    hostap-1-ready = svc.hostapd-ready.build {
      interface = config.hardware.networkInterfaces.wlan0;
    };
    # wlan1 is the 5GHz interface, e.g. AX capable.
    hostap-2 = mkWifiSta (
      baseParams // clientRadius // externalRadius // radiusKeyMgmt // modernParams
    ) config.hardware.networkInterfaces.wlan1 secrets-2;
    # Oneshot that waits until the hostapd has set the interface in operational state.
    hostap-2-ready = svc.hostapd-ready.build {
      interface = config.hardware.networkInterfaces.wlan1;
    };
    usteer = svc.usteer.build {
      ifname = "lan";
      dependencies = with config.services; [
        # FIXME: is it the right stuff to depend on
        hostap-1-ready
        hostap-2-ready
        admin-defaultroute4
      ];
    };
  };
 }
--- a/machines/liminix/ap-v01/_configuration.nix
+++ b/machines/liminix/ap-v01/_configuration.nix
@ -5,7 +5,6 @@
 {
  modulesPath,
  sourcePkgs,
  name,
  ...
 }:
 {
@ -13,7 +12,6 @@
    "${modulesPath}/wlan.nix"
    "${modulesPath}/network"
    "${modulesPath}/hostapd"
    "${modulesPath}/usteer"
    "${modulesPath}/ssh"
    "${modulesPath}/ntp"
    "${modulesPath}/vlan"
@ -31,8 +29,6 @@
    ./addresses.nix
    # Configures a basic local DNS.
    ./dns.nix
    # Add ubus daemon
    ./ipc.nix
    # Configures our management layer, e.g. SSH server + DGNum FAI keys.
    ./management.nix
    # Configures our recovery system, e.g. a levitation script.
@ -43,6 +39,6 @@
    (import "${modulesPath}/../devices/zyxel-nwa50ax").module
  ];
-  hostname = name;
+  hostname = "ap01-prototype";
  nixpkgs.source = sourcePkgs.path;
 }
--- a/machines/liminix/ap01/addresses.nix
+++ b/machines/liminix/ap01/addresses.nix
@ -0,0 +1,22 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { config, ... }:
 let
  svc = config.system.service;
 in
 {
  services.dhcpv4 = svc.network.dhcp.client.build {
    interface = config.services.int;
    dependencies = [
      config.services.bridge.components.lan
    ];
  };
  services.defaultroute4 = svc.network.route.build {
    via = "$(output ${config.services.dhcpv4} router)";
    target = "default";
    dependencies = [ config.services.dhcpv4 ];
  };
 }
--- a/machines/liminix/ap01/dns.nix
+++ b/machines/liminix/ap01/dns.nix
@ -0,0 +1,34 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { config, pkgs, ... }:
 let
  inherit (pkgs.liminix.services) oneshot;
  inherit (pkgs.pseudofile) dir symlink;
  inherit (pkgs) serviceFns;
 in
 {
  # TODO: support dynamic reconfiguration once we are in the target VLAN?
  services.resolvconf = oneshot rec {
    name = "resolvconf";
    up = ''
      . ${serviceFns}
      ( in_outputs ${name}
      for i in $(output ${config.services.dhcpv4} dns); do
        echo "nameserver $i" >> resolv.conf
      done
      )
    '';
    dependencies = [
      config.services.dhcpv4
    ];
  };
  filesystem = dir {
    etc = dir {
      "resolv.conf" = symlink "${config.services.resolvconf}/.outputs/resolv.conf";
    };
  };
 }
--- a/machines/liminix/ap-dev/ipc.nix
+++ b/machines/liminix/ap-dev/ipc.nix
--- a/machines/liminix/ap01/lan.nix
+++ b/machines/liminix/ap01/lan.nix
@ -0,0 +1,43 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { config, ... }:
 let
  svc = config.system.service;
 in
 {
  services.int = svc.bridge.primary.build {
    ifname = "int";
    macAddressFromInterface = config.hardware.networkInterfaces.lan;
  };
  services.bridge = svc.bridge.members.build {
    primary = config.services.int;
    members = {
      lan.member = config.hardware.networkInterfaces.lan;
      wlan0 = {
        member = config.hardware.networkInterfaces.wlan0;
        # Bridge only once hostapd is ready.
        dependencies = [ config.services.hostap-1-ready ];
      };
      wlan1 = {
        member = config.hardware.networkInterfaces.wlan1;
        # Bridge only once hostapd is ready.
        dependencies = [ config.services.hostap-2-ready ];
      };
    };
  };
  # Default VLAN
  # services.vlan-apro = svc.vlan.build {
  #   vlanId = 0;
  #   interface = config.services.int;
  # };
  # # Administration VLAN
  # services.vlan-admin = svc.vlan.build {
  #   vlan = 3001;
  #   interface = config.services.int;
  # };
 }
--- a/machines/liminix/ap-dev/management.nix
+++ b/machines/liminix/ap-dev/management.nix
@ -10,7 +10,6 @@ in
  # SSH keys are handled by the access control module.
  dgn-access-control.enable = true;
  users.root = {
    # TODO: Change this well-known password
    passwd = "$6$Z2MiaMXkpUJRPl2/$fxVE3iD/n208CISM2F6OnWj0Qq0QG2tTQqLCjU80PFJJGIwNLLyOp6SeYH3dH20OvJX1loZRETrThZfIPw.rb/";
  };
  services.sshd = svc.ssh.build { allowRoot = true; };
--- a/machines/liminix/ap-dev/metadata.nix
+++ b/machines/liminix/ap-dev/metadata.nix
--- a/machines/liminix/ap01/recovery.nix
+++ b/machines/liminix/ap01/recovery.nix
@ -0,0 +1,49 @@
 # SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  config,
  pkgs,
  modulesPath,
  ...
 }:
 let
  svc = config.system.service;
 in
 {
  defaultProfile.packages = with pkgs; [
    # Levitate enable us to mass-reinstall the system on the fly.
    (levitate.override {
      config = {
        imports = [
          "${modulesPath}/network"
          "${modulesPath}/ssh"
          "${modulesPath}/hardware.nix"
          "${modulesPath}/kernel"
          "${modulesPath}/outputs/tftpboot.nix"
          "${modulesPath}/outputs.nix"
        ];
        nixpkgs.buildPlatform = builtins.currentSystem;
        services = {
          # In this situation, we fallback to the appro VLAN.
          # TODO: add support for the admin VLAN.
          # Simplest DHCPv4 we can find.
          dhcpv4 = svc.network.dhcp.client.build {
            interface = config.hardware.networkInterfaces.lan;
          };
          inherit (config.services) sshd;
          defaultroute4 = svc.network.route.build {
            via = "$(output ${config.services.dhcpv4} router)";
            target = "default";
            dependencies = [ config.services.dhcpv4 ];
          };
        };
        defaultProfile.packages = [ mtdutils ];
        # Only keep root, which should inherit from DGN access control's root permissions.
        users.root = config.users.root;
      };
    })
  ];
 }
--- a/machines/liminix/ap-v01/system.nix
+++ b/machines/liminix/ap-v01/system.nix
--- a/machines/liminix/ap-dev/wlan.nix
+++ b/machines/liminix/ap-dev/wlan.nix
@ -2,28 +2,14 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-{
+{ config, pkgs, ... }:
  config,
  pkgs,
  lib,
  nodeMeta,
  ...
 }:
 let
  svc = config.system.service;
  inherit (nodeMeta.extraNodeSettings) ap-no;
  hex = x: lib.fixedWidthString 2 "0" (lib.toHexString x);
  mac-1 = "02:5B:6B:00:00:${hex ap-no}";
  mac-2 = "02:5B:6B:01:00:${hex ap-no}";
  secrets-1 = {
-    ssid = "DGNum";
+    ssid = "DGNum 2G (N)";
  };
  secrets-2 = {
-    ssid = "DGNum";
+    ssid = "DGNum 5G (AX)";
  };
  baseParams = {
    country_code = "FR";
@ -36,9 +22,6 @@ let
    wpa = 2;
    wpa_pairwise = "TKIP CCMP";
    rsn_pairwise = "CCMP";
    bss_transition = 1;
    rrm_neighbor_report = 1;
    rrm_beacon_report = 1;
  };
  radiusKeyMgmt = {
@ -59,7 +42,7 @@ let
    vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]";
    vht_oper_chwidth = 1;
    he_oper_chwidth = 1;
-    channel = 36; # TODO understand interferences
+    channel = 36;
    vht_oper_centr_freq_seg0_idx = 42;
    he_oper_centr_freq_seg0_idx = 42;
    require_vht = 1;
@ -69,7 +52,7 @@ let
    ieee8021x = 1;
    eapol_version = 2;
    use_pae_group_addr = 1;
-    dynamic_vlan = 3;
+    dynamic_vlan = 0;
    vlan_tagged_interface = "lan";
  };
@ -81,14 +64,7 @@ let
    # No DNS here, hostapd do not support this mode.
    auth_server_addr = "129.199.195.129";
    auth_server_port = 1812;
-    auth_server_shared_secret =
+    auth_server_shared_secret = "read it online";
      let
        secret = builtins.getEnv "RADIUS_SECRET";
      in
      if secret == "" then
        lib.warn "Using a dummy RADIUS secret. Please do not use in production" "DUMMYSECRET"
      else
        secret;
  };
  mkWifiSta =
@ -101,22 +77,10 @@ let
    };
 in
 {
  hardware.wlanMacAddresses = {
    wlan0 = mac-1;
    wlan1 = mac-2;
  };
  services = {
    usteer = svc.usteer.build {
      ifname = "lan";
      dependencies = [
        # TODO is it the right stuff to deend on ?
        config.services.hostap-1-ready
        config.services.hostap-2-ready
      ];
    };
    # wlan0 is the 2.4GHz interface.
    hostap-1 = mkWifiSta (
-      baseParams // clientRadius // externalRadius // radiusKeyMgmt
+      baseParams // radiusKeyMgmt
    ) config.hardware.networkInterfaces.wlan0 secrets-1;
    hostap-1-ready = svc.hostapd-ready.build {
      interface = config.hardware.networkInterfaces.wlan0;
--- a/machines/netconf/netaccess01.nix
+++ b/machines/netconf/netaccess01.nix
@ -0,0 +1,29 @@
 # SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  dgn-hardware.model = "EX2300-48P";
  dgn-isp = {
    enable = true;
    AP = [
      "ge-0/0/0"
      "ge-0/0/1"
      "ge-0/0/2"
      "ge-0/0/3"
      "ge-0/0/4"
      "ge-0/0/5"
    ];
    admin-ip = "fd26:baf9:d250:8000::2001/64";
  };
  dgn-interfaces = {
    # netcore02
    "xe-0/1/0".ethernet-switching = {
      interface-mode = "trunk";
      vlans = [ "all" ];
    };
    # debug management
    "me0".inet.addresses = [ "192.168.42.6/24" ];
  };
 }
--- a/machines/netconf/netcore01.nix
+++ b/machines/netconf/netcore01.nix
@ -0,0 +1,36 @@
 # SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  dgn-hardware.model = "EX2300-48P";
  dgn-isp = {
    enable = true;
    admin-ip = "fd26:baf9:d250:8000::100f/64";
  };
  dgn-profiles."hypervisor" = {
    interfaces = [
      "ge-0/0/0"
      "ge-0/0/1"
      "ge-0/0/2"
      "ge-0/0/3"
      "ge-0/0/4"
      "ge-0/0/5"
      "ge-0/0/6"
      "ge-0/0/7"
    ];
    configuration.ethernet-switching = {
      interface-mode = "access";
      vlans = [ "hypervisor" ];
    };
  };
  dgn-interfaces = {
    "xe-0/2/0".ethernet-switching = {
      interface-mode = "trunk";
      vlans = [ "all" ];
    };
    # debug management
    "me0".inet.addresses = [ "192.168.2.2/24" ];
  };
 }
--- a/machines/netconf/netcore02.nix
+++ b/machines/netconf/netcore02.nix
@ -2,76 +2,41 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 let
  #TODO: meta
  vlansPlan = {
    "uplink-cri".id = 223;
    "admin-core" = {
      id = 3000;
      l3-interface = "irb.0";
    };
    "admin-ap".id = 3001;
    "users".id-list = [
      {
        begin = 3045;
        end = 4094;
      }
    ];
    "ap-staging".id = 2000;
  };
  #TODO: additionnal module (always the same for APs)
  AP-staging = {
    poe = true;
    ethernet-switching = {
      interface-mode = "access";
      vlans = [ "ap-staging" ];
    };
  };
 in
 {
  vlans = vlansPlan;
  dgn-hardware.model = "EX2300-48P";
  dgn-isp = {
    enable = true;
    AP = [
      # H1-00
      "ge-0/0/0"
      "ge-0/0/1"
      "ge-0/0/2"
      "ge-0/0/3"
      "ge-0/0/4"
      "ge-0/0/5"
      # H1-01
      "ge-0/0/6"
      "ge-0/0/7"
      "ge-0/0/8"
      "ge-0/0/9"
      "ge-0/0/10"
      "ge-0/0/11"
      # H1-02
      "ge-0/0/12"
      "ge-0/0/13"
      "ge-0/0/14"
      "ge-0/0/15"
      "ge-0/0/16"
      "ge-0/0/17"
    ];
    admin-ip = "fd26:baf9:d250:8000::1001/64";
  };
  dgn-interfaces = {
    # "ge-0/0/0" = AP-staging;
    # "ge-0/0/1" = AP-staging;
    # "ge-0/0/2" = AP-staging;
    # "ge-0/0/3" = AP-staging;
    "ge-0/0/4" = AP-staging;
    # "ge-0/0/5" = AP-staging;
    # "ge-0/0/6" = AP-staging;
    # "ge-0/0/7" = AP-staging;
    # "ge-0/0/8" = AP-staging;
    # "ge-0/0/9" = AP-staging;
    # "ge-0/0/10" = AP-staging;
    # "ge-0/0/11" = AP-staging;
    # "ge-0/0/12" = AP-staging;
    # "ge-0/0/13" = AP-staging;
    # "ge-0/0/14" = AP-staging;
    # "ge-0/0/15" = AP-staging;
    # "ge-0/0/16" = AP-staging;
    # "ge-0/0/17" = AP-staging;
    # oob
    "ge-0/0/42".ethernet-switching = {
      interface-mode = "trunk";
      vlans = [ "all" ];
    };
    # AP de test
    "ge-0/0/43" = {
      poe = true;
      ethernet-switching = {
        interface-mode = "access";
        vlans = [ 4000 ];
      };
    };
    # uplink oob
    "ge-0/0/46".ethernet-switching = {
      interface-mode = "access";
      vlans = [ 222 ];
      rstp = false;
    };
    # ilo
    "ge-0/0/47".ethernet-switching = {
      interface-mode = "access";
@ -95,9 +60,9 @@ in
    };
    # netcore01 (Potos)
    "xe-0/1/2".ethernet-switching = {
-      interface-mode = "access";
+      interface-mode = "trunk";
      vlans = [
-        "ap-staging"
+        "all"
      ];
    };
    # uplink
@ -106,8 +71,7 @@ in
      vlans = [ "uplink-cri" ];
    };
-    # management
+    # debug management
    "me0".inet.addresses = [ "192.168.42.6/24" ];
    "irb".inet6.addresses = [ "fd26:baf9:d250:8000::1001/64" ];
  };
 }
--- a/machines/nixos/bridge01/network.nix
+++ b/machines/nixos/bridge01/network.nix
@ -3,8 +3,17 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-_:
+{
-
+  pkgs,
  utils,
  lib,
  ...
 }:
 let
  inherit (lib)
    getExe'
    ;
 in
 {
  networking = {
    useNetworkd = true;
@ -14,70 +23,84 @@ _:
    firewall.allowedUDPPorts = [ 67 ];
  };
-  systemd.network = {
+  systemd = {
-    networks = {
+    services."arp-resolve-router" = {
-      "10-eno1" = {
+      wantedBy = [ "systemd-networkd.service" ];
-        name = "eno1";
+      after = [ "systemd-networkd-wait-online.service" ];
-        networkConfig = {
+      bindsTo = [ "systemd-networkd-wait-online.service" ];
-          VLAN = [
+      serviceConfig.ExecStart = utils.escapeSystemdExecArgs [
-            "vlan-admin"
+        (getExe' pkgs.iputils "ping")
-            "vlan-uplink-oob"
+        "-c"
-          ];
+        1
        "10.120.33.245"
      ];
          LinkLocalAddressing = false;
          LLDP = false;
          EmitLLDP = false;
          IPv6AcceptRA = false;
          IPv6SendRA = false;
        };
        # address = [ "192.168.222.1/24" ];
      };
      "10-vlan-admin" = {
        name = "vlan-admin";
        # DHCP for the BMC
        networkConfig.DHCPServer = "yes";
        dhcpServerConfig = {
          PoolOffset = 128;
          EmitDNS = false;
          EmitNTP = false;
          EmitSIP = false;
          EmitPOP3 = false;
          EmitSMTP = false;
          EmitLPR = false;
          UplinkInterface = ":none";
        };
        address = [
          "fd26:baf9:d250:8000::ffff/64"
          "192.168.222.1/24"
        ];
      };
      "10-vlan-uplink-oob" = {
        name = "vlan-uplink-oob";
        networkConfig.DHCP = "ipv4";
      };
    };
    network = {
      wait-online.anyInterface = true;
      networks = {
        "10-enp1s0f0" = {
          name = "enp1s0f0";
          # description = "To the switch";
          networkConfig = {
            VLAN = [
              "vlan-admin"
            ];
-    netdevs = {
+            LinkLocalAddressing = false;
-      "10-vlan-admin" = {
+            LLDP = false;
-        netdevConfig = {
+            EmitLLDP = false;
-          Name = "vlan-admin";
+            IPv6AcceptRA = false;
-          Kind = "vlan";
+            IPv6SendRA = false;
          };
        };
-        vlanConfig.Id = 3000;
+        "10-eno1" = {
          name = "eno1";
          # description = "Uplink cri";
          address = [
            "10.120.33.246/30"
            "129.199.195.158/32"
          ];
          routes = [
            {
              PreferredSource = "129.199.195.158";
              Gateway = "10.120.33.245";
            }
          ];
        };
        "10-vlan-admin" = {
          name = "vlan-admin";
          # DHCP for the BMC
          networkConfig.DHCPServer = "yes";
          dhcpServerConfig = {
            PoolOffset = 128;
            EmitDNS = false;
            EmitNTP = false;
            EmitSIP = false;
            EmitPOP3 = false;
            EmitSMTP = false;
            EmitLPR = false;
            UplinkInterface = ":none";
          };
          address = [
            "fd26:baf9:d250:8000::ffff/64"
            "192.168.222.1/24"
          ];
        };
      };
-      "10-vlan-uplink-oob" = {
+      netdevs = {
-        netdevConfig = {
+        "10-vlan-admin" = {
-          Name = "vlan-uplink-oob";
+          netdevConfig = {
-          Kind = "vlan";
+            Name = "vlan-admin";
            Kind = "vlan";
          };
          vlanConfig.Id = 3000;
        };
        vlanConfig.Id = 500;
      };
    };
  };
--- a/machines/nixos/bridge01/secrets/secrets.nix
+++ b/machines/nixos/bridge01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "bridge01" ]
  [
    # List of secrets for bridge01
--- a/machines/nixos/build01/nix-builder.nix
+++ b/machines/nixos/build01/nix-builder.nix
@ -5,6 +5,7 @@
 {
  pkgs,
  lib,
  dgn-keys,
  meta,
  ...
 }:
@ -12,6 +13,14 @@
  config = {
    dgn-access-control.users = lib.genAttrs meta.organization.groups.nix-builder (u: lib.singleton u);
    # FIXME(Raito): this should really go into `dgn-access-control` but I don't
    # know what is the desired architecture for it. Leaving it for the people with opinions™.
    users.groups.nix-builders = { };
    users.users = lib.genAttrs meta.organization.groups.nix-builder (u: {
      extraGroups = [ "nix-builders" ];
      openssh.authorizedKeys.keys = dgn-keys.getBuilderKeys u;
    });
    security.pam.loginLimits = [
      {
        domain = "*";
@ -43,6 +52,10 @@
      nrBuildUsers = 128;
      settings = {
        trusted-users = [
          "@wheel"
          "@nix-builders"
        ];
        keep-outputs = false;
        keep-derivations = false;
        use-cgroups = true;
--- a/machines/nixos/build01/secrets/secrets.nix
+++ b/machines/nixos/build01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "build01" ]
  [
    "forgejo_runners-token_file"
--- a/machines/nixos/compute01/_configuration.nix
+++ b/machines/nixos/compute01/_configuration.nix
@ -25,6 +25,7 @@ lib.extra.mkConfig {
    "kanidm"
    "librenms"
    "mastodon"
    # "netbox"
    "nextcloud"
    "ollama-proxy"
    "outline"
--- a/machines/nixos/compute01/dgsi/default.nix
+++ b/machines/nixos/compute01/dgsi/default.nix
@ -40,6 +40,7 @@ let
      ps.gunicorn
      ps.psycopg
      ps.django-compressor
      ps.django-htmx
      ps.django-import-export
      # Local packages
@ -157,6 +158,8 @@ in
          DGSI_ARCHIVES_ROOT = "/var/lib/django-apps/dgsi/archives";
          DGSI_ARCHIVES_INTERNAL = "_archives";
          DGSI_STAFF_GROUP = "grp_bureau@sso.dgnum.eu";
          DGSI_DATABASES = builtins.toJSON {
            default = {
              ENGINE = "django.db.backends.postgresql";
--- a/machines/nixos/compute01/extranix/default.nix
+++ b/machines/nixos/compute01/extranix/default.nix
@ -4,7 +4,9 @@
 {
  lib,
  meta,
  sources,
  dgn-keys,
  ...
 }:
 let
@ -37,7 +39,7 @@ in
        "DGNum Infrastructure" =
          let
            # prefer a non-patched nixpkgs
-            infra-nixpkgs = (import "${hive-root}/hive.nix").meta.nixpkgs { };
+            infra-nixpkgs = (import "${hive-root}/bootstrap.nix").pkgs;
            infra-modulesPath = "${infra-nixpkgs.path}/nixos/modules/";
          in
          {
@ -45,7 +47,7 @@ in
              "modules/generic"
              "modules/nixos"
            ];
-            ignored-modules = import "${infra-modulesPath}/module-list.nix" ++ [
+            ignored-modules = (import "${infra-modulesPath}/module-list.nix") ++ [
              "${sources.agenix}/modules/age.nix"
              "${sources.arkheon}/module.nix"
              "${sources."microvm.nix"}/nixos-modules/host"
@ -53,20 +55,18 @@ in
              { system.stateVersion = "25.05"; }
            ];
            specialArgs = {
-              inherit sources;
+              inherit meta sources;
-              lib = infra-nixpkgs.lib // {
+              modulesPath = builtins.storePath infra-modulesPath;
                inherit (lib) extra;
              };
              modulesPath = infra-modulesPath;
              pkgs = infra-nixpkgs;
              inherit (infra-nixpkgs) lib;
              name = "nodeName";
              nodeMeta = {
                nix-modules = [ ];
                admins = [ ];
                adminGroups = [ ];
              };
-              meta = {
+              dgn-keys = dgn-keys // {
-                organization.groups.root = [ ];
+                getNodeAdmins = _: [ ];
              };
            };
            path-translations = [
--- a/machines/nixos/compute01/grafana/default.nix
+++ b/machines/nixos/compute01/grafana/default.nix
@ -2,7 +2,12 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-{ config, ... }:
+{
  config,
  pkgs,
  meta,
  ...
 }:
 let
  host = "grafana.dgnum.eu";
@ -62,6 +67,27 @@ in
          auto_assign_org_role = "Admin";
        };
      };
      declarativePlugins = import ./plugins.nix { inherit pkgs; };
      provision = {
        enable = true;
        datasources.settings.datasources = [
          {
            name = "VictoriaLogs";
            type = "victoriametrics-logs-datasource";
            access = "proxy";
            url = "http://${meta.network.storage01.netbirdIp}:9428";
          }
          {
            name = "VictoriaMetrics";
            type = "victoriametrics-metrics-datasource";
            access = "proxy";
            url = "http://${meta.network.storage01.netbirdIp}:8428";
          }
        ];
      };
    };
    postgresql = {
--- a/machines/nixos/compute01/grafana/plugins.nix
+++ b/machines/nixos/compute01/grafana/plugins.nix
@ -0,0 +1,19 @@
 # SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { pkgs, ... }:
 builtins.map pkgs.grafanaPlugins.grafanaPlugin [
  {
    pname = "victoriametrics-logs-datasource";
    version = "0.14.3";
    zipHash = "sha256-g/ntmNyWJ9h/eYpZ0gqiESvVfm2fU6/Ci8R7FHIV7AQ=";
  }
  {
    pname = "victoriametrics-metrics-datasource";
    version = "0.13.1";
    zipHash = "sha256-n1LskeOzp32LZS3PcsRh8FwQVBFVlzczfO2aGbEClSo=";
  }
 ]
--- a/machines/nixos/compute01/kanidm/default.nix
+++ b/machines/nixos/compute01/kanidm/default.nix
@ -14,12 +14,10 @@ let
  inherit (lib)
    attrValues
    catAttrs
    concatLists
    escapeRegex
    concatStringsSep
    mapAttrs'
    nameValuePair
    unique
    ;
  domain = "sso.dgnum.eu";
@ -83,25 +81,16 @@ in
      ) meta.organization.members;
      groups =
-        {
+        (lib.extra.genFuse (id: { "vlan_${builtins.toString (4094 - id)}".memberless = true; }) 850)
        // {
          grp_active.members = catAttrs "username" (attrValues meta.organization.members);
          grp-ext_cri.memberless = true;
        }
        // (mapAttrs' (
          name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
        ) meta.organization.groups)
        // (mapAttrs' (
-          name:
+          name: srv: nameValuePair "grp-admin_${name}" { members = builtins.map usernameFor srv.admins; }
          {
            admins ? [ ],
            adminGroups ? [ ],
          }:
          nameValuePair "grp-admin_${name}" {
            members = unique (
              builtins.map usernameFor (
                admins ++ (concatLists (builtins.map (group: meta.organization.groups.${group}) adminGroups))
              )
            );
          }
        ) meta.organization.services);
      # INFO: The authentication resources declared here can only be for internal services,
@ -155,7 +144,10 @@ in
          displayName = "Netbox [Inventory]";
          enableLegacyCrypto = true;
          originLanding = "https://netbox.dgnum.eu";
-          originUrl = "https://netbox.dgnum.eu/oauth/complete/oidc/";
+          originUrl = [
            "https://netbox.dgnum.eu/oauth/complete/oidc/"
            "https://netbox-v2.dgnum.eu/oauth/complete/oidc/"
          ];
          preferShortUsername = true;
          scopeMaps.grp_active = [
@ -163,6 +155,12 @@ in
            "profile"
            "email"
          ];
          scopeMaps.grp-ext_cri = [
            "openid"
            "profile"
            "email"
          ];
        };
        dgn_outline = {
--- a/machines/nixos/compute01/kanidm/secrets/secrets.nix
+++ b/machines/nixos/compute01/kanidm/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-(import ../../../../../keys).mkSecrets
+(import ../../../../../keys.nix).mkSecrets
  [ "compute01" ]
  [
    "kanidm-password_admin"
--- a/machines/nixos/compute01/netbox.nix
+++ b/machines/nixos/compute01/netbox.nix
@ -0,0 +1,74 @@
 # SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  config,
  lib,
  nixpkgs,
  ...
 }:
 let
  EnvironmentFile = [ config.age.secrets."netbox-environment_file".path ];
 in
 {
  services = {
    netbox = {
      enable = true;
      package = nixpkgs.nixos.unstable.netbox_4_1;
      secretKeyFile = "/dev/null";
      listenAddress = "127.0.0.1";
      plugins = p: [ p.netbox-qrcode ];
      settings = {
        ALLOWED_HOSTS = [ "netbox-v2.dgnum.eu" ];
        REMOTE_AUTH_BACKEND = "social_core.backends.open_id_connect.OpenIdConnectAuth";
        PLUGINS = [ "netbox_qrcode" ];
        PLUGINS_CONFIG = {
          netbox_qrcode = {
            custom_text = "DGNum. contact@dgnum.eu";
            font = "Tahoma";
          };
        };
      };
      extraConfig = lib.mkForce ''
        from os import environ as env
        SECRET_KEY = env["SECRET_KEY"]
        SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env["NETBOX_OIDC_URL"]
        SOCIAL_AUTH_OIDC_KEY = env["NETBOX_OIDC_KEY"]
        SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
      '';
    };
  };
  systemd.services = {
    netbox.serviceConfig = {
      inherit EnvironmentFile;
      TimeoutStartSec = 600;
    };
    netbox-housekeeping.serviceConfig = {
      inherit EnvironmentFile;
    };
    netbox-rq.serviceConfig = {
      inherit EnvironmentFile;
    };
  };
  users.users.nginx.extraGroups = [ "netbox" ];
  dgn-web.simpleProxies.netbox = {
    inherit (config.services.netbox) port;
    host = "netbox-v2.dgnum.eu";
    vhostConfig.locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
  };
  # dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ];
  # dgn-backups.postgresDatabases = [ "netbox" ];
 }
--- a/machines/nixos/compute01/nextcloud.nix
+++ b/machines/nixos/compute01/nextcloud.nix
@ -76,7 +76,7 @@ in
      database.createLocally = true;
      configureRedis = true;
-      autoUpdateApps.enable = true;
+      autoUpdateApps.enable = false;
      settings = {
        overwriteprotocol = "https";
--- a/machines/nixos/compute01/secrets/netbox-environment_file
+++ b/machines/nixos/compute01/secrets/netbox-environment_file
--- a/machines/nixos/compute01/secrets/secrets.nix
+++ b/machines/nixos/compute01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "compute01" ]
  [
    # List of secrets for compute01
@ -22,6 +22,7 @@
    "librenms-environment_file"
    "mastodon-extra_env_file"
    "mastodon-smtp-password"
    "netbox-environment_file"
    "nextcloud-adminpass_file"
    "nextcloud-s3_secret_file"
    "outline-oidc_client_secret_file"
--- a/machines/nixos/geo01/secrets/secrets.nix
+++ b/machines/nixos/geo01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "geo01" ]
  [
    # List of secrets for geo01
--- a/machines/nixos/geo02/secrets/secrets.nix
+++ b/machines/nixos/geo02/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "geo02" ]
  [
    # List of secrets for geo02
--- a/machines/nixos/hypervisor01/secrets/secrets.nix
+++ b/machines/nixos/hypervisor01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifer: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "hypervisor01" ]
  [
--- a/machines/nixos/hypervisor02/secrets/secrets.nix
+++ b/machines/nixos/hypervisor02/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifer: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "hypervisor02" ]
  [
--- a/machines/nixos/hypervisor03/secrets/secrets.nix
+++ b/machines/nixos/hypervisor03/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifer: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "hypervisor03" ]
  [
--- a/machines/nixos/rescue01/secrets/secrets.nix
+++ b/machines/nixos/rescue01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "rescue01" ]
  [
    # List of secrets for rescue01
--- a/machines/nixos/storage01/_configuration.nix
+++ b/machines/nixos/storage01/_configuration.nix
@ -23,6 +23,8 @@ lib.extra.mkConfig {
    "peertube"
    "prometheus"
    "redirections"
    "victorialogs"
    "victoriametrics"
  ];
  extraConfig = {
--- a/machines/nixos/storage01/garage.nix
+++ b/machines/nixos/storage01/garage.nix
@ -14,12 +14,14 @@ let
    "lanuit.ens.fr"
    "simi.normalesup.eu"
    "pub.dgnum.eu"
    "actes-administratifs.dgnum.eu"
  ];
  buckets = [
    "monorepo-terraform-state"
    "banda-website"
    "actes-administratifs-website"
    "castopod-dgnum"
    "hackens-website"
    "nuit-website"
--- a/machines/nixos/storage01/prometheus.nix
+++ b/machines/nixos/storage01/prometheus.nix
@ -17,9 +17,9 @@ let
    lib.mapAttrsToList (
      node:
      { config, ... }:
-      lib.optional config.dgn-node-monitoring.enable {
+      lib.optional config.dgn-monitoring.exporters.enable {
        targets = map (p: "${node}.dgnum:${builtins.toString p}") (
-          builtins.attrValues config.dgn-node-monitoring.ports
+          builtins.attrValues config.dgn-monitoring.exporters.ports
        );
        labels = {
          host = node;
--- a/machines/nixos/storage01/secrets/secrets.nix
+++ b/machines/nixos/storage01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "storage01" ]
  [
    # List of secrets for storage01
--- a/machines/nixos/storage01/victoria-metrics.nix
+++ b/machines/nixos/storage01/victoria-metrics.nix
@ -1,20 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 let
  host = "victoria-metrics.dgnum.eu";
  port = 9099;
 in
 {
  services.victoriametrics = {
    enable = true;
    listenAddress = "127.0.0.1:${builtins.toString port}";
  };
  dgn-web.simpleProxies.victoria-metrics = {
    inherit host port;
  };
 }
--- a/machines/nixos/storage01/victorialogs.nix
+++ b/machines/nixos/storage01/victorialogs.nix
@ -0,0 +1,22 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { meta, name, ... }:
 let
  port = 9428;
 in
 {
  services.victorialogs = {
    enable = true;
    flags = {
      retentionPeriod = "4w";
      httpListenAddr = "${meta.network.${name}.netbirdIp}:${builtins.toString port}";
    };
  };
  networking.firewall.interfaces.wt0.allowedTCPPorts = [ port ];
 }
--- a/machines/nixos/storage01/victoriametrics.nix
+++ b/machines/nixos/storage01/victoriametrics.nix
@ -0,0 +1,23 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { meta, name, ... }:
 let
  port = 8428;
 in
 {
  services.victoriametrics = {
    enable = true;
    flags = {
      # INFO: We keep the data for 2 years (24 months)
      retentionPeriod = "24";
      httpListenAddr = "${meta.network.${name}.netbirdIp}:${builtins.toString port}";
    };
  };
  networking.firewall.interfaces.wt0.allowedTCPPorts = [ port ];
 }
--- a/machines/nixos/tower01/secrets/secrets.nix
+++ b/machines/nixos/tower01/secrets/secrets.nix
@ -2,7 +2,8 @@
 #
 # SPDX-License-Identifer: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "tower01" ]
  [
  ]
--- a/machines/nixos/vault01/_configuration.nix
+++ b/machines/nixos/vault01/_configuration.nix
@ -12,6 +12,7 @@ lib.extra.mkConfig {
  enabledServices = [
    # List of services to enable
    "k-radius"
    "monitoring"
    "networking"
    "ups"
    "ulogd"
--- a/machines/nixos/vault01/monitoring/default.nix
+++ b/machines/nixos/vault01/monitoring/default.nix
@ -0,0 +1,9 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  imports = [
    ./victorialogs.nix
  ];
 }
--- a/machines/nixos/vault01/monitoring/victorialogs.nix
+++ b/machines/nixos/vault01/monitoring/victorialogs.nix
@ -0,0 +1,37 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { meta, ... }:
 let
  port = 9428;
 in
 {
  services = {
    nginx = {
      enable = true;
      streamConfig = ''
        server {
          listen 10.0.253.1:${toString port};
          listen ${meta.network.vault01.netbirdIp}:${toString port};
          proxy_pass 127.0.0.1:${toString port};
        }
      '';
    };
    victorialogs = {
      enable = true;
      flags = {
        retentionPeriod = "52w";
        httpListenAddr = "127.0.0.1:${builtins.toString port}";
      };
    };
  };
  networking.firewall.interfaces = {
    wt0.allowedTCPPorts = [ port ];
    vlan-admin-ap.allowedTCPPorts = [ port ];
  };
 }
--- a/machines/nixos/vault01/networking.nix
+++ b/machines/nixos/vault01/networking.nix
@ -303,10 +303,12 @@ in
          ];
          script = ''
            if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
              echo network is up
              ${lib.concatMapStringsSep "\n  " (
                { interfaceName, ... }: "networkctl up ${interfaceName}"
              ) userVlans}
            else
              echo network is down
              ${lib.concatMapStringsSep "\n  " (
                { interfaceName, ... }: "networkctl down ${interfaceName}"
              ) userVlans}
@ -336,18 +338,58 @@ in
      ] ++ userVlans;
      nftables = {
        enable = true;
-        tables.nat = {
+        tables = {
-          family = "ip";
+          nat = {
-          content = ''
+            family = "ip";
-            chain postrouting {
+            content = ''
-              type nat hook postrouting priority 100;
+              chain postrouting {
-              ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.157
+                type nat hook postrouting priority 100;
-              ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias"
+                ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157
-              ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
+              }
-              ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
+            '';
-              ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"
+          };
-            }
+          filter = {
-          '';
+            family = "inet";
            content = ''
              chain forward {
                type filter hook forward priority filter; policy accept;
                ct state vmap {
                  invalid: drop,
                  established: accept,
                  related: accept,
                  new: jump forward_decide,
                  untracked: jump forward_decide,
                };
              }
              chain forward_decide {
                # Block access to vpn
                ip daddr {
                  10.10.17.0/30,
                  100.80.0.0/16,
                } jump forward_reject;
                # And administrative vlans
                ip6 daddr {
                  fd26:baf9:d250::/48,
                } jump forward_reject;
                # These are being deployed, and so are not trusted
                ip saddr 10.0.255.0/24 jump forward_reject;
                # We only forward for ISP clients and our stuff
                ip saddr != 10.0.0.0/16 jump forward_reject;
                # Can talk to us
                ip daddr 10.0.0.0/27 accept;
                # Not others nor CRI
                ip daddr 10.0.0.0/8 jump forward_reject;
              }
              chain forward_reject {
                reject with icmpx type admin-prohibited;
              }
            '';
          };
        };
      };
      firewall = {
@ -355,7 +397,9 @@ in
          67
          1194
        ];
-        checkReversePath = false;
+        # FIXME: I dont't remember why it's here, and it doesn't seems right
        # comes from https://git.dgnum.eu/DGNum/infrastructure/commit/411795c664374549e5e831722a80180b51fbf0d5
        # checkReversePath = false;
      };
    };
--- a/machines/nixos/vault01/secrets/radius-ap-radius-secret_file
+++ b/machines/nixos/vault01/secrets/radius-ap-radius-secret_file
@ -1,32 +1,32 @@
 age-encryption.org/v1
-> ssh-ed25519 jIXfPA TdfYeqsPJBf26CO1Bh74K8qxqR1MX3VUvZ/e73+oDXQ
+-> ssh-ed25519 jIXfPA 2nFaxyP7O4GWU7U3wmET5sNrnFq72b9DEhiKEgWVrFk
-KoA/I5kVXxryQ86qjfzq67Aiar+qDZF9OoF4MsNDqe4
+l8uXfCBkTHogzVoUY0WOYhA99fodoT+N0HunacULydI
-> ssh-ed25519 QlRB9Q ZaPziTdzqf0vCkCiLWAUJbnROaZ7Mz+Xgw1viEMWM2s
+-> ssh-ed25519 QlRB9Q qDalihZE404oPOVHYQR5GIvozXNh4wNxhUa5Zwfz2DU
-I0peAEQPbaXL9eHQ/OraNuqJPCxIwjpxIxhvgAifATY
+X8qvWf7qprbh0xu/uOHGsNLTQc8efYsgveH9R9kZZZw
-> ssh-ed25519 r+nK/Q kgmK60IgdW4QFdKqBQ6S9JmQVoRvpmffVaoNWzfV5Bc
+-> ssh-ed25519 r+nK/Q mksHDhPoKKxQpk4sQPHapdq87EaJmgdmoVxMYjsAang
-ru8etu+7QOmnAoJv8BLtEK0SuDfhB75l525ORrDirvM
+FTYHyxLp4nGOWJu1135yN/lQkGgAD9Jy4JJpMKFktrk
 -> ssh-rsa krWCLQ
-QsgW7OvOB3cOz9MZI1PQ6Fe208WS+Sv/TWcucjD9i28U6Bty1KYeSwMH/zyzLuSe
+jEPt5eWP6NmpOikLhs1uPVo7kxHgg1y7WwdOPyR0z2vpFD2BWGlIi/BvnlE3OO5n
-51TqJTnkb+xGcqw3RvKiM58HMFcl6INmOI8otGxfCQSX7p3/QxiGQBbIgRblxtWB
+jtvDjAauWU0X2JarfdY9mY8MoPjT9qQ/ukxuVAHi5CoL/I1JCqcbuftssYY0B7Ab
-8Jf55hgfh+1+vwTcM+BlBRWz4K581MeQiF2jj6ihfJNwTZ7Q9jNvgzF42znEyZyE
+SMfbyxjK8aIT1/4EQhMoWm0tuIylvgTBagL03Lw5mbyRqDkbpI/6YC9401YjT7Ts
-QTHoR9ROA/HqLgcrui1L7QnBlP1Y9Bt/oMCh4jFwHfcc6NeHF+I6AEeQNAHH9iNX
+dCDGIFAYM2BA7TuJiZr881ypUdU9rlm5rss1ZLMj90jyJPJC4SDYbzE0BoBat9l0
-2+1RsJnQrTM+H204GrpVK78e1B5uCjvq/LeoWSQ3pFD9PwdM6JW2WfkB4FSCriAI
+dYUrYGhGgZ1cDd6D6mPf6H95muiGHIhxaE8c+LdK/rKCSH9Rf6mfn/Ab/xvnaDNn
-7ZAg64qNahyjX+J+KDlrwQ
+GW/WD0EpmdzpWVPby68+KA
-> ssh-ed25519 /vwQcQ MBPiBQdz65VVKMxJDlTCFUfG084K0ZcGpPJc5RKKND4
+-> ssh-ed25519 /vwQcQ 5DoMxdoK+KiHXKwwOpb7/1FZIEzAa/2/1l8yyxey6iw
-jH9fRJ/tcGQpZQ+pGNw9lXcRbPS8LLsuwe4EUsaFGDM
+RzmUkqZQLM5/jDXG9fxhZmfAywgVMjH9Y3O66BnhCSQ
-> ssh-ed25519 0R97PA bvY5a3GO1CfVmCPJwBfFGJcS+Zkr2QRENa0WyzqspGc
+-> ssh-ed25519 0R97PA g+uW/jfwHB3m0AdWxb9vPRjeaowhEx1Uoc2R0CVStlA
-YgxthAE4TIPlweuH8cWaOmVGqomc2yfLdzjO8G8bytw
+m5XvSEVQ8DiA7BSTsxVn6S1zv92CpbyZxSgUI3ObE4c
-> ssh-ed25519 JGx7Ng 11We2girRvmkDm8eWkTZnazm7Ly0tmECFTdSFnBKIQQ
+-> ssh-ed25519 JGx7Ng BtdJpskbfPyywYeFbmQw3HGPTLv5ri6x4bFocr9l6H8
-VQ+jlP1sk+SPkHARgAly9U7W0HVbpvZvxLN4V5l6JwE
+88aFw+MCJLqMU/W/ikYDUZEAi0ImaPVbSc7cAZPbs/I
-> ssh-ed25519 bUjjig Zt2Br6ls9INAJ5aQZ/az+6+rIpDCf/NCJP2zusdggms
+-> ssh-ed25519 5SY7Kg +JUMQfaxl7Orym43LVeqUyno0JfUbVnB+xv7smpdRhE
-3k0NOSVDpbQFEflEvyTzKv1/zXUBVN5ub9jjOe4EybM
+6K+Ewq1FhrXB2eYdljlsYpIfmVv49E4jSBsphgDpRJk
-> ssh-ed25519 +mFdtQ inTgQzJVaYt8JZjtrjVzZzW9PscvBnZWkXIpEQYtdFI
+-> ssh-ed25519 p/Mg4Q AITnEN+Q41fEA2tkvVOKGCDZiuCXanG+qaiF5X4ukiA
-O/Z7ccZam386C6r2UVJS+OMwG8nZ57RmUy+VJEgWJEY
+NvP/HXOliNvi8tngH9PU90E616CPlh/QgkZ052H8wtk
-> ssh-ed25519 5rrg4g ApGMepP+32epekSxCfLGJs6uI38WPjWxtdk+q1Lvx0I
+-> ssh-ed25519 +mFdtQ RuaXIQNZ3s9C27XtpVTExJlAhYDYXRQni+Hwot0wrzU
-huEBiiNzTcz5hPUs+INfDyfeqKtl+mYE38PUizHktyI
+WctqqoGS2hVfOZSU3ihCg5eI7PnxM7dkOJKM9DJ90Wk
-> ssh-ed25519 oRtTqQ QBBeZ0kLMPuDmO0hT7LvMs31WuVZATUSyxtCxgMzHgQ
+-> ssh-ed25519 5rrg4g cAqJQ8z6T46YwzahtcTJxXZHklCGrupVCja5U/g+ZmM
-HooCKv78+xzYnOwaYXbRNVH1XpG1e8tY0PB246nkFU8
+wERu5T6rOi5/0qPSXeOnfA0Szg7/pbYFTW0Ys1yWq40
-> G8<-grease
+-> ssh-ed25519 oRtTqQ NF73c0d1qM4nVt2bEdWTEDjDcz/ZMCObn/7cDZfkVGA
-58RFQqg54Xu8pavoh6wbEnJl7J8XJ5rgaVq1bxokhQ
+Mivm+WWVqAfNs5pLwGmINIsmxlEZi7m7bQIRxGkf3/Q
--- +gYhV/IjEqBw3YKDEeSbepgAIIO6A/BcpsYrwCy+Ezs
+--- 8R1h+xsovrLq+5QI1CoTXc9TBTQugnROZpOAHWBwG1w
-萠%Ｃ7図殤ﾁx盟~YﾖﾜZﾁ{儖情ﾘM<EFBE98>Hﾊ<48>欷ｿXｾ<58>ﾅk@ﾓ9<EFBE93>
+G“Þ"û¤‡ã8ƒÈî‚&NF}x£ksyÖ\£.i§<69>×§F¢‹¯}ê-ÍÁÓšLbì;{
--- a/machines/nixos/vault01/secrets/secrets.nix
+++ b/machines/nixos/vault01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "vault01" ]
  [
    # List of secrets for vault01
--- a/machines/nixos/vault01/ulogd/default.nix
+++ b/machines/nixos/vault01/ulogd/default.nix
@ -57,4 +57,13 @@
      fi
    '';
  };
  environment.defaultPackages = [
    (pkgs.callPackage ./fill-vlan_prefixes.nix {
      inherit (config.networking) vlans-info;
      postgresql = config.services.postgresql.package;
    })
    (pkgs.callPackage ./nat-request-daddr.nix {
      postgresql = config.services.postgresql.package;
    })
  ];
 }
--- a/machines/nixos/vault01/ulogd/fill-vlan_prefixes.nix
+++ b/machines/nixos/vault01/ulogd/fill-vlan_prefixes.nix
@ -0,0 +1,39 @@
 # SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  lib,
  writeShellApplication,
  writeText,
  vlans-info,
  postgresql,
 }:
 let
  inherit (lib) concatMapStringsSep;
  sql-script = writeText "vlan-filling.sql" ''
    DROP TABLE IF EXISTS vlan_prefixes;
    CREATE TABLE vlan_prefixes (
      vlan_id smallint PRIMARY KEY UNIQUE NOT NULL,
      prefix inet NOT NULL
    );
    INSERT INTO vlan_prefixes VALUES
      ${concatMapStringsSep ",\n  " (
        {
          vlan,
          netIP,
          prefixLen,
          ...
        }:
        "(${toString vlan}, inet '${netIP}/${toString prefixLen}')"
      ) vlans-info}
    ;
  '';
 in
 writeShellApplication {
  name = "fill-vlan_prefixes";
  runtimeInputs = [ postgresql ];
  text = ''
    psql -d ulogd -U ulogd -f ${sql-script}
  '';
 }
--- a/machines/nixos/vault01/ulogd/nat-request-daddr.nix
+++ b/machines/nixos/vault01/ulogd/nat-request-daddr.nix
@ -0,0 +1,35 @@
 # SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  writeShellApplication,
  postgresql,
 }:
 writeShellApplication {
  name = "nat-request-daddr";
  runtimeInputs = [ postgresql ];
  text = ''
    TARGET_TIMESTAMP=$2
    TARGET_PREFIX=$1
    psql -d ulogd -U ulogd -c "
      select
        vlan_id,
        reply_ip_daddr_str as used_ip,
        reply_l4_dport as used_port,
        orig_ip_daddr_str as daddr,
        orig_l4_dport as dport,
        flow_start_sec, flow_end_sec
      from ulog2_ct
      join vlan_prefixes on ulog2_ct.orig_ip_saddr_str <<= vlan_prefixes.prefix
        where
        -- if we don't have conn start, we considered it started before the target time
        ( flow_start_sec IS NULL or flow_start_sec <= $TARGET_TIMESTAMP )
        and
        -- similar for conn end
        ( flow_end_sec IS NULL or flow_end_sec >= $TARGET_TIMESTAMP )
        and
        orig_ip_daddr_str <<= inet '$TARGET_PREFIX'
      ;"
  '';
 }
--- a/machines/nixos/web01/secrets/secrets.nix
+++ b/machines/nixos/web01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "web01" ]
  [
    # List of secrets for web01
--- a/machines/nixos/web01/wordpress/default.nix
+++ b/machines/nixos/web01/wordpress/default.nix
@ -61,6 +61,18 @@ in
        languages = [ pkgs.wordpressPackages.languages.fr_FR ];
      };
      "npr.wp.dgnum.eu" = {
        themes = {
          inherit (wp4nix.themes) twentytwentyfive;
        };
        plugins = {
          inherit (wp4nix.plugins) user-role-editor;
        };
        languages = [ pkgs.wordpressPackages.languages.fr_FR ];
      };
    };
  };
--- a/machines/nixos/web02/_configuration.nix
+++ b/machines/nixos/web02/_configuration.nix
@ -13,7 +13,8 @@ lib.extra.mkConfig {
  enabledServices = [
    # List of services to enable
    "cas-eleves"
-    "kadenios"
+    # "kadenios"
    "django-apps"
  ];
  extraConfig = {
@ -21,7 +22,7 @@ lib.extra.mkConfig {
    dgn-access-control.users.root = [ "thubrecht" ];
    # Disable monitoring
-    dgn-node-monitoring.enable = false;
+    dgn-monitoring.enable = false;
    # Enable Postgres databases
    services.postgresql = {
--- a/machines/nixos/web02/django-apps/default.nix
+++ b/machines/nixos/web02/django-apps/default.nix
@ -0,0 +1,22 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  imports = [
    ./kadenios.nix
  ];
  services.django-apps = {
    enable = true;
    webhook = {
      domain = "web02.dj-hooks.dgnum.eu";
      nginx = {
        enableACME = true;
        forceSSL = true;
      };
    };
  };
 }
--- a/machines/nixos/web02/django-apps/kadenios.nix
+++ b/machines/nixos/web02/django-apps/kadenios.nix
@ -0,0 +1,66 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { config, ... }:
 {
  services.django-apps.sites.kadenios = {
    source = "https://git.dgnum.eu/DGNum/kadenios";
    branch = "production";
    domain = "vote.dgnum.eu";
    nginx = {
      enableACME = true;
      forceSSL = true;
    };
    webHookSecret = config.age.secrets."webhook-kadenios_token".path;
    overlays.nix-pkgs = [
      # Required packages
      "authens"
      "django-background-tasks"
      "django-bulma-forms"
      "django-translated-fields"
      "loadcredential"
      # Dependencies
      "python-cas"
    ];
    dependencies = ps: [
      ps.authens
      ps.django
      ps.django-background-tasks
      ps.django-bulma-forms
      ps.django-translated-fields
      ps.gunicorn
      ps.loadcredential
      ps.markdown
      ps.networkx
      ps.numpy
      ps.psycopg
    ];
    environment = {
      KADENIOS_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
      KADENIOS_EMAIL_USE_SSL = true;
      KADENIOS_FROM_EMAIL = "Kadenios <vote@infra.dgnum.eu>";
      KADENIOS_SERVER_EMAIL = "kadenios@infra.dgnum.eu";
    };
    credentials = {
      SECRET_KEY = config.age.secrets."dj_kadenios-secret_key_file".path;
      EMAIL_HOST_PASSWORD = config.age.secrets."dj_kadenios-email_password_file".path;
    };
    extraServices.tasks = {
      script = "python3 manage.py process_tasks";
      serviceConfig = {
        WorkingDirectory = "/var/lib/django-apps/kadenios/source";
      };
    };
  };
 }
--- a/machines/nixos/web02/kadenios/default.nix
+++ b/machines/nixos/web02/kadenios/default.nix
@ -1,190 +0,0 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  config,
  lib,
  pkgs,
  sources,
  ...
 }:
 let
  inherit (lib) mapAttrsToList optionals;
  host = "vote.dgnum.eu";
  port = 9888;
  python3 =
    let
      nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
    in
    pkgs.python3.override {
      packageOverrides = _: _: {
        inherit (nix-pkgs)
          authens
          django-background-tasks
          django-browser-reload
          django-bulma-forms
          django-translated-fields
          loadcredential
          ;
      };
    };
  pythonEnv =
    {
      debug ? false,
    }:
    python3.withPackages (
      ps:
      [
        ps.django
        ps.gunicorn
        ps.markdown
        ps.numpy
        ps.networkx
        ps.psycopg
        ps.authens
        ps.django-background-tasks
        ps.django-bulma-forms
        ps.django-translated-fields
        ps.loadcredential
      ]
      ++ (optionals debug [
        ps.django-browser-reload
        ps.django-debug-toolbar
      ])
    );
  manage = pkgs.writeShellApplication {
    name = "kadenios-manage";
    runtimeInputs = path ++ [
      config.systemd.package
      pkgs.util-linux
    ];
    text = ''
      MainPID=$(systemctl show -p MainPID --value django-kadenios.service)
      nsenter -e -a -t "$MainPID" -G follow -S follow python ${sources.kadenios}/manage.py "$@"
    '';
  };
  staticDrv = pkgs.stdenv.mkDerivation {
    name = "kadenios-static";
    src = sources.kadenios;
    nativeBuildInputs = [ (pythonEnv { debug = true; }) ];
    configurePhase = ''
      export KADENIOS_STATIC_ROOT=$out/static
      export KADENIOS_DEBUG=true
      export CREDENTIALS_DIRECTORY=$(pwd)/.credentials
    '';
    doBuild = false;
    installPhase = ''
      mkdir -p $out/static
      python3 manage.py collectstatic
    '';
  };
  environment = builtins.mapAttrs (_: builtins.toJSON) {
    KADENIOS_ALLOWED_HOSTS = [ "vote.dgnum.eu" ];
    KADENIOS_STATIC_ROOT = staticDrv;
    KADENIOS_DATABASES = {
      default = {
        ENGINE = "django.db.backends.postgresql";
        NAME = "kadenios";
      };
    };
    KADENIOS_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
    KADENIOS_EMAIL_USE_SSL = true;
    KADENIOS_FROM_EMAIL = "Kadenios <vote@infra.dgnum.eu>";
    KADENIOS_SERVER_EMAIL = "kadenios@infra.dgnum.eu";
  };
  path = [ (pythonEnv { }) ];
 in
 {
  environment.systemPackages = [ manage ];
  systemd.services = {
    django-kadenios = {
      description = "ENS simple voting server";
      wantedBy = [ "multi-user.target" ];
      after = [
        "network.target"
        "postgresql.service"
      ];
      serviceConfig = {
        DynamicUser = true;
        LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
          SECRET_KEY = config.age.secrets."kadenios-secret_key_file".path;
          EMAIL_HOST_PASSWORD = config.age.secrets."kadenios-email_password_file".path;
        };
        StateDirectory = "django-kadenios";
        User = "kadenios";
      };
      inherit environment path;
      script = ''
        python3 ${sources.kadenios}/manage.py migrate
        gunicorn app.wsgi --pythonpath ${sources.kadenios} -b 127.0.0.1:${builtins.toString port} --workers=2 --threads=4
      '';
    };
    django-kadenios-tasks = {
      description = "Background tasks worker for Kadenios";
      wantedBy = [ "multi-user.target" ];
      after = [
        "network.target"
        "postgresql.service"
        "django-kadenios.service"
      ];
      serviceConfig = {
        DynamicUser = true;
        LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
          SECRET_KEY = config.age.secrets."kadenios-secret_key_file".path;
          EMAIL_HOST_PASSWORD = config.age.secrets."kadenios-email_password_file".path;
        };
        StateDirectory = "django-kadenios";
        User = "kadenios";
        WorkingDirectory = sources.kadenios;
      };
      inherit environment path;
      script = ''
        python3 manage.py process_tasks
      '';
    };
  };
  dgn-web.simpleProxies.kadenios = {
    inherit host port;
    vhostConfig.locations."/static/".root = staticDrv;
  };
  services.postgresql = {
    ensureDatabases = [ "kadenios" ];
    ensureUsers = [
      {
        name = "kadenios";
        ensureDBOwnership = true;
      }
    ];
  };
 }
--- a/machines/nixos/web02/secrets/bupstash-put_key
+++ b/machines/nixos/web02/secrets/bupstash-put_key
--- a/machines/nixos/web02/secrets/dj_kadenios-email_password_file
+++ b/machines/nixos/web02/secrets/dj_kadenios-email_password_file
--- a/machines/nixos/web02/secrets/dj_kadenios-secret_key_file
+++ b/machines/nixos/web02/secrets/dj_kadenios-secret_key_file
--- a/machines/nixos/web02/secrets/secrets.nix
+++ b/machines/nixos/web02/secrets/secrets.nix
@ -2,11 +2,13 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
  [ "web02" ]
  [
    # List of secrets for web02
    "bupstash-put_key"
    "cas_eleves-secret_key_file"
-    "kadenios-secret_key_file"
+    "dj_kadenios-secret_key_file"
-    "kadenios-email_password_file"
+    "dj_kadenios-email_password_file"
    "webhook-kadenios_token"
  ]
--- a/machines/nixos/web02/secrets/webhook-kadenios_token
+++ b/machines/nixos/web02/secrets/webhook-kadenios_token
@ -0,0 +1,29 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA miVq8rZazx0Y0NYZklZh8ITlY7fOTwbPsAPcHwvJ3jI
 Vs0xx9ulk2++7+DfD+HqhISSvYMtuSJIs9zyGlnW8Wk
 -> ssh-ed25519 QlRB9Q z5TQpHovWNJ+Dq4GEcPfByMpTcTojIamJbU3kNKlmHQ
 U+ZFJ/0TVcfo85xAWYqcnzpMfU0KcY8QJ8jqWlyt1U0
 -> ssh-ed25519 r+nK/Q l5oBCnALC2HSoszpawrJZZUEFHjjGwei4Fd1Y+f7OjI
 PLgEu00ItWIbT3ZSNioZ3oXwBBVQTD/wf8I8akEDNWs
 -> ssh-rsa krWCLQ
 2rt9GmpSxUJSArSOlXKQscrApgLLIWuTo/IXensBP1uCnrpLl4IdcpEJNTs7wtZq
 h4OLCaLDoZvB3ZT3k+CXXXeBqLqz1DdBGo08RgfcUADTsm2Z9LsEyLo0GtHGEFjw
 m1r/VF8githDxaEK52+znr1FG8CE7+DBQAU9ZydhKKjjFS7ckDHw0qFXyGqpyWk4
 KnL7FGPX2z07V3nwauElDbaD1LLt0xHhqqEjmiRskhE2UU6q35IrLyKFHC1VHsFy
 ItsONTu8lDiqXSi7Z5b5Iv+iAWWTtt/glTv3WFa8u7CIahuZIfemr8NzjD2Z+Vxh
 yOEqBKyVgz8sFh1U7CgxCg
 -> ssh-ed25519 /vwQcQ dcnBNyypzMkxHwh76v7bKhGckPjIOL2vP2aDWhB8WxQ
 tTxcMXcLrFhD7u2xTOhsjWErSiCOfsVIDZgJldVePMw
 -> ssh-ed25519 0R97PA stdF6UFkWDCwNUAv+aAetpku7O9XRvtaxafCjok9yhI
 gXVXcwlY4Xue9WGk+WlByXvSgMju+VWKTBTXIngWYvE
 -> ssh-ed25519 JGx7Ng e+Ux4HK63pAM4scQCi4wHTUmo28z105Ok59dlki0OS8
 ulkU6zhXNpa3OswEC005BZ/YIExPysg25a4/O60fcWQ
 -> ssh-ed25519 bUjjig SEnDWloeuVgCGLUJNvsBL1HPYJGBSBhqdDngkQk+KiE
 MYL9SudJNuFyS4Inaod2Xxldi3d/kDwlIT9rVWs8vFc
 -> ssh-ed25519 IY5FSQ TO9BPLBwdlqyKXOBiohCzfZWrTDwqhLjZYeq9rZgH2c
 7Hqrqe+A3wg11H3wg9Cd+6F7mDwsLpzoh70sba32gCw
 -> 1DV;-grease
 9Ul6qKgH063H/HI1op+Gyk2+JRUGHwRG/SlOPTAnvBtq7xEy7yrR4lblBK8bcJNY
 lwmI4xOokAnIveVaPS8SAig
 --- GpJyGpk3QxJljiR6FZw8hdX0dXvEAIPZEZpL6oorLcM
 }o÷ÕŸ¦‘A¹qç ™Ò™ö>áp™€M Õ¬ÍaÂ“zþƒÍT VVƒvI«f®<17>!>µ\Ö-þèÿ
--- a/machines/nixos/web03/django-apps/bocal.nix
+++ b/machines/nixos/web03/django-apps/bocal.nix
@ -8,7 +8,7 @@
  services.django-apps.sites.bocal = {
    source = "https://git.dgnum.eu/DGNum/www-bocal";
    branch = "main";
-    domain = "bocal.webapps.dgnum.eu";
+    domain = "bocal.cof.ens.fr";
    nginx = {
      enableACME = true;
@ -50,8 +50,7 @@
    };
    environment = {
-      BOCAL_ALLOWED_HOSTS = [ "bocal.webapps.dgnum.eu" ];
+      BOCAL_RHOSTS_PATH = "/users/guests/bocal/.rhosts";
      BOCAL_RHOSTS_PATH = "/var/lib/django-apps/bocal/.rhosts";
    };
  };
 }
--- a/machines/nixos/web03/django-apps/ernestophone.nix
+++ b/machines/nixos/web03/django-apps/ernestophone.nix
@ -42,6 +42,7 @@
    credentials = {
      SECRET_KEY = config.age.secrets."dj_ernestophone-secret_key_file".path;
      ACCOUNT_CREATION_PASS = config.age.secrets."dj_ernestophone-password_file".path;
    };
  };
 }
--- a/machines/nixos/web03/django-apps/gestiobds.nix
+++ b/machines/nixos/web03/django-apps/gestiobds.nix
@ -7,8 +7,8 @@
 {
  services.django-apps.sites.gestiobds = {
    source = "https://git.dgnum.eu/DGNum/gestioCOF";
-    branch = "django-apps";
+    branch = "bds-prod";
-    domain = "gestiobds.webapps.dgnum.eu";
+    domain = "gestion.bds.ens.fr";
    nginx = {
      enableACME = true;
@ -46,6 +46,8 @@
    credentials = {
      SECRET_KEY = config.age.secrets."dj_gestiobds-secret_key_file".path;
      SYMPA_PASSWORD = config.age.secrets."dj_gestiobds-sympa_password_file".path;
      SYMPA_USERNAME = config.age.secrets."dj_gestiobds-sympa_username_file".path;
    };
  };
 }
--- a/machines/nixos/web03/django-apps/gestiocof.nix
+++ b/machines/nixos/web03/django-apps/gestiocof.nix
@ -11,8 +11,8 @@ in
 {
  services.django-apps.sites.gestiocof = {
    source = "https://git.dgnum.eu/DGNum/gestioCOF";
-    branch = "cof-staging";
+    branch = "cof-prod";
-    domain = "gestiocof.webapps.dgnum.eu";
+    domain = "cof.ens.fr";
    nginx = {
      enableACME = true;
@ -98,6 +98,9 @@ in
      HCAPTCHA_SECRET = config.age.secrets."dj_gestiocof-hcaptcha_secret_file".path;
      HCAPTCHA_SITEKEY = config.age.secrets."dj_gestiocof-hcaptcha_sitekey_file".path;
      KFETOPEN_TOKEN = config.age.secrets."dj_gestiocof-kfetopen_token_file".path;
      SYMPA_PASSWORD = config.age.secrets."dj_gestiocof-sympa_password_file".path;
      SYMPA_USERNAME = config.age.secrets."dj_gestiocof-sympa_username_file".path;
      EMAIL_HOST = config.age.secrets."dj_gestiocof-email_host_file".path;
    };
    environment = {
@ -112,6 +115,7 @@ in
      GESTIOCOF_CORS_ALLOWED_ORIGINS = [
        "https://${config.services.django-apps.sites.gestiocof.domain}"
      ];
      GESTIOCOF_SERVER_EMAIL = "gestion@cof.ens.fr";
    };
    extraServices.worker = {
@ -122,6 +126,26 @@ in
        SupplementaryGroups = [ "redis-gestiocof" ];
      };
    };
    timers = {
      rappel-negatifs = {
        script = ''
          python3 manage.py sendrappelsnegatifs
        '';
        startAt = "*-*-* 1,13:17:19";
      };
      rappel-bda = {
        script = ''
          python3 manage.py sendrappels
        '';
        startAt = "*-*-* 2,14:17:19";
      };
      manage-reventes = {
        script = ''
          python3 manage.py manage_reventes
        '';
        startAt = "*-*-* *:01..56/5:29";
      };
    };
  };
  services.redis.servers.gestiocof = {
--- a/machines/nixos/web03/django-apps/gestiojeux.nix
+++ b/machines/nixos/web03/django-apps/gestiojeux.nix
@ -8,7 +8,7 @@
  services.django-apps.sites.gestiojeux = {
    source = "https://git.dgnum.eu/DGNum/gestiojeux";
    branch = "production";
-    domain = "gestiojeux.webapps.dgnum.eu";
+    domain = "jeux.cof.ens.fr";
    nginx = {
      enableACME = true;
--- a/machines/nixos/web03/redirections.nix
+++ b/machines/nixos/web03/redirections.nix
@ -6,6 +6,7 @@
  dgn-redirections = {
    permanent = {
      "www.ernestophone.ens.fr" = "ernestophone.ens.fr";
      "www.cof.ens.fr" = "cof.ens.fr";
    };
  };
 }
--- a/machines/nixos/web03/secrets/bupstash-put_key
+++ b/machines/nixos/web03/secrets/bupstash-put_key
--- a/machines/nixos/web03/secrets/dj_annuaire-secret_key_file
+++ b/machines/nixos/web03/secrets/dj_annuaire-secret_key_file
--- a/machines/nixos/web03/secrets/dj_bocal-secret_key_file
+++ b/machines/nixos/web03/secrets/dj_bocal-secret_key_file
@ -1,30 +1,33 @@
 age-encryption.org/v1
-> ssh-ed25519 jIXfPA HF+w4Kuk7Wo2s94SeNxAB3zFZhKNn1fPabJhUK/xGH0
+-> ssh-ed25519 jIXfPA w23oZwRdOmR6ZmJ/u1UVJX3aDjvFlP9J/0DX421EzTk
-KY5tknNrICYq0HTfNRX760OPyWPJ8B4Sasq8BjN9a6k
+GwBhoK4pLMph83ufQSh/DaKtDsQv2Vc/31kN4ahx1O0
-> ssh-ed25519 QlRB9Q OGcCe/S1aIQckJGzt4Wz+DFebTZpNV+YCevnVOPDMXQ
+-> ssh-ed25519 QlRB9Q bx2P8KY31nlurmjEsq6rOGz4RivuubPRr/pwJi8vZR4
-keDckjD4Vjhj3gmQnW0V8nJ1Soubkhb9WP28fsanhMA
+pHUYj6nCuQfv9Y6oJmLqmIWw9rSrb7YgFIGh4/DDBxk
-> ssh-ed25519 r+nK/Q lO6xwuhfQ6gMlJzFBF5J9c2elEg1J3leAt5x1uTYGSk
+-> ssh-ed25519 r+nK/Q xX3R7A7Pq+l98C/4rDzZfLa5IyoW4mS1RXCg8jmCVBg
-HQG0VQXvn72CIOqe6FRGrSX8TIa7sBB3cOZZQzXBl8w
+pZZ91CQNMfv+A9nUGM7FCHt79YsEIP8SA4UZ7NmIYyg
 -> ssh-rsa krWCLQ
-pvF18GVS3dHr2jiss4sn00UqVVM2f/6BmkpYMgAVQ3FNpgnimQGsgCssuBo3Hjrc
+JSYdRpvAP/pb8v9Rviw+DcwTGmlVbes8LNW/Hjjc3eKNYT6f5TR56Ma0C+ZXA8hC
-BTO4v2U6cQ28LTUsruWdPhRChT0zfGRtx1QIn0tPzy3XKUxjt2XkBeblxtLhCHmI
+BiEoDyvV631v7jf1NQENWgOrx8kIaMlJyJlndEUviFesoUXvBsrRVxZkPo9+q8gm
-muQ0yA15bP+aQfZn0dE1Eb4krw1unKWE4f82L/BQ5Y/i1P2rubhyBhBoQRb6atHv
+2jx8uLxRlq04fIh39YOcxayNPU6ZE0k4iV5Sv8bgNdPPsiSDPEcoGh4ptB/L7PqC
-S2EWBafaNr3orbFl9FPMjhWW3WZX/zKJxlu0saN88I6ZU2967mdR4PogMpL9iqST
+qa73mSskFsWLMdkhlF2PmobhFYBbJw76ekctHK4enABJR0wnpw76MB/1xaRysO0Z
-atraraA1jG6mR9Ojloyrf8FG6wTlplDlZk8Sgtg88FD1iHMN1q0DQv1LwRoD3QUa
+cE1yXy0TKPeQ6tBs+TgEbWPdjs7q2cCe78Cx14ob/bDTrSxn1VXxlTSEa+jZ8ES2
-ywIn9MABMufNXQ+jm/DQpw
+aRJM0RnnbulZJMu8vD+ztw
-> ssh-ed25519 /vwQcQ 83MxgOJhIBBGU6IRcTQPtxtyR4MapAxhdKT634w/em4
+-> ssh-ed25519 /vwQcQ +etnXlMmCofk42qEtdvIZyzpdGPTUR44Ur3rNiYpqQY
-scNxodN5j1HXOIPCB3glvc08Gb4wW9gmZ5gkWMCbm4E
+h+hNOOJHWXi4vqsBDudgiQ3BPHVOA1bl+R4d5zCs2g
-> ssh-ed25519 0R97PA LBFUS7zx26+rjiWqVwQ4UBqRxr+3Sx+j+GGrRaBbz08
+-> ssh-ed25519 0R97PA VuTnbuLdQANqvVDvIEOJVFWh3IgOKLHXROxSCx5E0C0
-fnFwvJz36SiKnEoJr+0+enNVcT7wduZUrYe7bWhyxfE
+euVIt58WGFPxL5IgE0Stce7q9MaQCLkWOGpLyxhszJk
-> ssh-ed25519 JGx7Ng iXjAn4Y7+yHASx4ZbIrvFffLzgX52DbQy9hIcTScHAs
+-> ssh-ed25519 JGx7Ng /1DGw0uUQ99aDlw5AdNIKZNZbRSXoxCwJZU4iotnMVA
-6AJZoV33mBryiCaquKTAkw8yB1NQs38QlG2p4LIcoMc
+v9B+dF8KmmVLjYh7IT61p757x+CeJQ0qY+kU69Ced3s
-> ssh-ed25519 bUjjig 0cqMXUVHqhyYhygR7meIyWRr/c7H8ZGB5eO7tTHhRUk
+-> ssh-ed25519 bUjjig tvi0aragAV8TvSAvVVYwgAe4D/iFPy8Hmo5BFIiMigc
-GYKKGB02ElJXpObmBJKF4Bvoswd3o83vvVYIHIpDprg
+ixKZkBQDFDoM3ntd43TPb5gzQmJKiuYHuPRvh+wlLwg
-> ssh-ed25519 VQSaNw xHhzKnYeKxrN2MJz84v7Mjg3Nh69UJ6Q/eAyVAvC3V0
+-> ssh-ed25519 ZIo4kw 4mpL5GIsgcXQH3+DTwo1wBO2IGtwqYX71sSj3HRTUD8
-/bvauGesQw9/tl4DhCNFY9Rq+qWv12O4TcqzdxTCWzk
+FyiH/fpn6rFmw6L1nbxqnlEQwHdgq2kacvkl4dDSpDA
-> T:){{-grease NuQ <}vLGT%
+-> ssh-ed25519 9/PCvA rwGsoEUqcUK/bj0wpo/2GIcPgJPdUCs/y/0MacBXlTQ
-0JSFYPMWs6LXpWacfiHNdwqvs/eHecFwj6cg0eLZEQe96shxy8/WSUBMpgasKufB
+4IRzAh7PgafkdUGOoUnTFZwQwpupt+09tNCuMQPtNow
-Nc4tpfiOVWVRGm4arhunwJ+1sgg37X35PWde89Qpg5g
+-> ssh-ed25519 VQSaNw if6Cp0uuuBCn5/sIEhhiD3Xa3MGOgxNhpA5jk/sNaxk
--- Y6N6GuCpRLdD25EWW+05qbUAadrT3z2Pzc5golCBHJw
+tZLZbxe2EswPA2DOzm1XILWxPJOfvtQEBb3J/g7gOdg
-ßNê¯3'8ú³€@/¨0,zWêS¦‘ï;ßñì)§e<C2A7>ßÉïèÞí
+-> p0A#yj-grease
-qMj’ÏŒrçHB–ÇR2šš–E2H+d%¶Ò–®
+GR/rBHQQMBRnEs3FdKUmaxDXNLeZuXXftbiAi+6dzv4SsZoJ5oqi4UKivc5DYLfO
 C8GywA
 --- XSYpA1AoDYYWRAjVBKAfn9s/nI7d6hE2j57BKVdMQ5Q
 #žSõ/éž5Õn%´ªžô‰w9E‹Œ@Ø¨¦TüMƒýP»?â…œ¡˜(<28>PGrj4$*<2A>Cû èü8´‡¤ô¥Jpt=H`Âî½n‚
--- a/machines/nixos/web03/secrets/dj_ernestophone-admins_file
+++ b/machines/nixos/web03/secrets/dj_ernestophone-admins_file
--- a/machines/nixos/web03/secrets/dj_ernestophone-password_file
+++ b/machines/nixos/web03/secrets/dj_ernestophone-password_file
@ -1,28 +1,32 @@
 age-encryption.org/v1
-> ssh-ed25519 jIXfPA kBFUMktUZ09T8ujSXHRIo4OIWxIiwysmRv+UTiH+02M
+-> ssh-ed25519 jIXfPA EsnCV2WNHwC5zZpIqMiOnpixioiS32MkPW2gvPW0hlA
-TvefF7CMKZIASBYaVQA22PzLr2rgZ3i7Q8ENBOmpQmI
+SdJ0CVIn+xIw851NfAVq2xi4eyIkjE5OBSjWjmXMbrA
-> ssh-ed25519 QlRB9Q 0R2BthIX790DAiL36WPOemUa04tOnN0Drpg6u72j7UE
+-> ssh-ed25519 QlRB9Q pSqgkPUwNF0ahPyz+bRXfnJqlhiis8+JLtGVXMJFkGs
-nFGbwKZvSXo0SpO8AMfAGcZkphcXhX+GoFxYwadNzwQ
+gEovHZ0L9Hf0FxITH7Pw82GmtpSry9AttmYyzOget/g
-> ssh-ed25519 r+nK/Q cs+vGq5RzK/AogpcGjRG3KZjl4fp2Ghhv2ngHjTdvlE
+-> ssh-ed25519 r+nK/Q abHRhq9gLkRJZnW16AkJUNkuDkFx6ZEgcfcPKD7qkl8
-AyXbgDlQbe3HurX7lodUrMZyRSWADSFWmTndnHjh0dY
+TZOo2qI9wtTr5EFyLa7XwcNu9t4TiBTjYFfDcXF5WzY
 -> ssh-rsa krWCLQ
-AnU8JBZXw8xIHA3L+220wCHwddC51Fx+sQx58tYsFg7eVH1NM2PKUr57a7+0KlxH
+NiW6aPN5sW1w8AWe66x5wkyJTYPnPqlmPdwkRMH62Z9rdRGoplPaThh46N1F7iSN
-TkIDMUuBotY4QPA0tzv212wnWaTw9ddV+T+Xe+l7JNyurCQRj1g1gWP3NLYIyYFC
+R7YfTRNy/xcSq612Wf1PbEGtcaEBU4snLwBUMxzgCEf7lLebnBFEv+wM46c6M4Vh
-i/eXHg3XxByQG1BfBSL2nnUEiy6eJ2bLMFsJ9P6baB6hpdEnoFIuGdV4Bg3k/KGl
+sRHm7LJP4EIFtC/OVi4Po3AOxnzWie6sgMtwVO1dxA92F52ANJm85+S9v4LyKf6B
-Zp+Q1a7Ov0l/G7sRCw4WLQtq59otI2lxeKRSonCqSNOmDXyZBr82GMr/BmhebtK4
+3j1CTlQnST4Jz+NFR1lIWkAzawQkrObj1XNw0JjAH5cCFPNX8KJwGPPtRaw6qdE2
-h19K+EXU+Ze57lUf2kDCe0b4RSHbSGU1T1fSEMNcXFV0952r6zO9YClTsQeKl+ev
+NN6boxJRuw015LFoT2REg8hFUj9mvKi1CF7zzAorlU8U5tGsTzWopFaz8sw6uw1e
-1O7xqUhcRXgFUbDYRjTsLw
+hnLDEWU79TB/Ytc9mk+VgQ
-> ssh-ed25519 /vwQcQ AtEImZ61sgC2OzZvDldY7ttRf9I5+zmL2I7hZkmBoTY
+-> ssh-ed25519 /vwQcQ uGDPoAidrjD4YOahlB14fECk3q7JYAgK2U3AwiTZp3Q
-zQiLX4L6t+jZqzAJmN7iuRTeadD1jbs3E/NZZj/25UA
+VMBSpbWgh9/+vNsxb31DztSAmuXQ2OT8PhGY8e5oEyg
-> ssh-ed25519 0R97PA JVheI/2kfdkqgM5Jf/py32lyYLtWjpmcx4zkHYMZl3g
+-> ssh-ed25519 0R97PA dneC7N5KN3lOt+tf+SBVHac5PiFuzah+kxPCL7taES0
-z/+qXmvziQo8yZ6f+2y5XVDv6d/uAghCVDQ9tpLXt54
+2ax/oATQ3RCZJrwa6rhRFjP/Pb83SE/K/JqzkDe4q5s
-> ssh-ed25519 JGx7Ng 41ZgklG6LmM5Mk6BkGWAf8N3j1safWPBKBAHKN2EQG0
+-> ssh-ed25519 JGx7Ng e+gbiPqeQvqH5SsMLtJjO1Yamqf/T3zMx9sZP/lE1WM
-yOiGIHkyoMFI6NQMLCZavCaz+qxAy9jhf+vctWQ2z4k
+ZaLKy2fNia1FOO/8McmHLCTs7mU02UhIEcfnWR8Rmo0
-> ssh-ed25519 bUjjig 0o9QkwuPZPOl/db1sQ9YL50DL1uyZqQ6ICxMEIupQ20
+-> ssh-ed25519 bUjjig YG96Anu4XdeqjveqgPKBg9DXRgQWzbZyqUh4zyp7NW8
-FwFbAYzLUNwoAQNcbcwWckhqRSEicQTe4O4BMK7wHyg
+XOW98Ncs7wa8+J7bdcni1BTvi0yt157YsqS37SyE1UE
-> ssh-ed25519 VQSaNw iaWBGmaWmBxMJILFyob6CyVXyY24edPtT2itTQGP7xM
+-> ssh-ed25519 ZIo4kw 0bsqX9eZWnobso+67zX7mv4NZHN0iLJgREpEAjsSog8
-EGmCuYElC5EgwqXtcXLAy7nNFt75Hl/gAehvfh+0sgg
+chztA4fSI+l/hFC1JG/I8csRjW6nRL5nD8H2BIvKhtc
-> /Wa)P<iw-grease (;ag_e g#LM+oA Y n(M-1K+.
+-> ssh-ed25519 9/PCvA u1TmEMmSAY01VT5KSkHIeGZyFR/AjO04fbdaQMOzWUU
-lWfOmA
+KgNuPOluctxdmyoRQKGhxzUdM+lJYijOTZTppx1x8Ig
--- k01yU9ZR8KIyG0JEfcYoP4iBlvqq7J676oPfDLpbvfs
+-> ssh-ed25519 VQSaNw y6+jgJvBopK1AkLk+FRsd1hOKyYhU3udCmpSqH73F2Y
-ÎD—èŒ<C3A8>Ptáçø4Õ•?6”N|ÐïZƒ³åM/œqo¨[ÄNä
+qZyA/Fe6kxaIaYBtEWdIt69phdcpPgPr6hvHslYGZV8
 -> ~Ef{]c0-grease ]bzX}@u' 23 } pjfN*GE
 cHkSTFWSdWHGclY
 --- 9GRqhQV1hb50rv2MYPgyJBP6eEm5KQUEUNqJnMMMx/0
 j	…·!½DÚ'×(ã°<C3A3>!³€ÉÝˆço&Þˆo)ü½Ô~Ñå
--- a/machines/nixos/web03/secrets/dj_ernestophone-secret_key_file
+++ b/machines/nixos/web03/secrets/dj_ernestophone-secret_key_file
@ -1,29 +1,33 @@
 age-encryption.org/v1
-> ssh-ed25519 jIXfPA hAdsxHTIT08JvDQGzY0Vz+Jxd48Kw3XNpf6TEjiGiTc
+-> ssh-ed25519 jIXfPA iQr5+V3ESwwPQ0N5TWvKPQllxl51JbvY1pQ/LWFoGRM
-hZgLRBDGwpfIFMhTRExY6JJ0poJ+nqrBK8Fy3ukINFI
+mmPi5TEsoKaqqCNR9wFOW9m/ZO+LybILeAr0IltAA6A
-> ssh-ed25519 QlRB9Q AyfmPVVcb9WVzrbyh2KdPQMwPypQ0uq3q6kkPFcMyjw
+-> ssh-ed25519 QlRB9Q uWG5fTIkrcvoZPwTjeUIvUBb9SSw/tqLVXQ5EgPEpA4
-S2h//+6MMnUiBWrznI/1+qS83Gw1vpFmU8Hlma40bdA
+NxUobR435SRYhgtfqeL4nCTyBimMFQDeHkv1EXxyeW0
-> ssh-ed25519 r+nK/Q 741XzH0HZf/y8HR1AQIn+qgn0+L+2kcdPsepRcXx7w8
+-> ssh-ed25519 r+nK/Q mWebzwprS5rda66lWzpTXkeLBJ1cQr92jt1IKiGuhmI
-5aNoPnRTYHB5FTXipQV+8C/s8t1s5/ZF9PwnJfYy8bM
+s5C7BIJioGzDafwDDsBBEy9FfSDLhVI8loGPMI59ITE
 -> ssh-rsa krWCLQ
-HhSOliN7XQZngyyrJ++S2JMBytkPjSt/dEUlJNbJP5n6HY5H7QKqd9rsc4LLu/Hz
+O0u81IdCYXC/caM9tEUD21d06Uq+AEaUWauHd3T4uBzx6k8KxZQsXL7FlmpyHMQy
-BXKC9T3IVeuabMPNOBhE6SiOUejGv/txbMHPMdPTCju6JL4wP/2gqIK696kP62pL
+jWKX3lni54qWZqyGi3AVBWwrdT3C59vAUUtOPsR9BdhuETjuNhUVgOQhfygbpNTP
-CAS/cOZXrHS8etEFkpqSuEVquNIXbivXNHEwFMH/GkNut0SCpafvQHrN1wZdveH5
+Z+1xv/H+6iY4iaijkneUqjO+Zf8XzNiBjV1jxAEgVSMAYfYi2IUKaNGfTCxsf7z6
-rp60R9ULzTzS3ztjEomAt9gWN6s7CtqZEozCMExPTXSW+OmBJprY+/Ae/uxeKZMS
+FbcOZiwKffzF9ml3jRbi0zacy2YfBVA3HLtr0G2konocqB2blx0yQx+CUN66vODT
-x6pscBbZSEazZ476sZCWKTpeej7iFlSrIvLfkwYn9PtKqmaInoM/0F2thkqpVPkZ
+Dg2Rvjvxj/UILT6DHfhSEienmIyRVcEV4FMyDRAqVnSWvY+5rQu7Q193lsdwxu1V
-/pcg11dUQpXJdaIiPEowlg
+imAsspRLp7cLTHO13E7HEQ
-> ssh-ed25519 /vwQcQ m01BxY0nPTfcW0D/iFRbCNbFFp+lE/XLW315aPyNbTM
+-> ssh-ed25519 /vwQcQ D7UkEEde5wt6JLVwgw09YpI1jda5PpseNb3/oYXeuxY
-hiKCfZH9k5GcUAkCJ/+x5V20SCeql8031lOge0Y9WXk
+mAyubu6vZt9WGQz7LN66OFLysMJnggQM3Lzp1WL2WIw
-> ssh-ed25519 0R97PA oGfUKErY65Jd0ZlcVox/HXA3itOI5KImRqDwH+UR6XI
+-> ssh-ed25519 0R97PA KELROPFrMKhwm6qZa3pDGUwL46djU6KXuEvvJdvPVTY
-32BtXjqImmG6TjUKoDU2QaJiMxldZdZoAP9SKPfGuHA
+TLnuP2JD9KWnJyFG/TniJ7SZA8MwEGWRm/slgexr6Ws
-> ssh-ed25519 JGx7Ng FJCtkG+Ig5dC+ftTClgrKtIt/D8s9Dr97eWObbNEZDs
+-> ssh-ed25519 JGx7Ng frq2JO+UyHShB9/ho6SSO4gpm1x5gsT/FWNcce4FejI
-i6tf7p5FDsdTZMJuBNmcTgVnL6eQDZFkjjH7AaBakqE
+0yjxhYvLi6BJCV04liQ8EUfvd/QQDfvQW/+69k81SLI
-> ssh-ed25519 bUjjig mOfri52IdeSNAawjBR5rhvL2eZNlVOwYK6u1uHv98xw
+-> ssh-ed25519 bUjjig V8kyKJYS7AEddNQ/A1dDofL72gZhQx8S7CWXXDhO11M
-nx0Ko3omL+OVq3JHuCIacYfjn96kb78IgyvECEGq0G4
+70GSlCUdlM1C2TtWO34E/AeP6ESA2q/2hiRsG3yKa5M
-> ssh-ed25519 VQSaNw gEQeKOEwwR8QlykdFlo7iqrsmhemiS02v8Kfx2ER9Xc
+-> ssh-ed25519 ZIo4kw Q9v6Hj82FPt0vOADqZZvrA1C5zw5Xi54TdkWFQhY1GY
-jpAEZx64/AXpA8HahtJq9OdcZYbqIFti5mxaPztvul8
+/bbWn0eVMOcKMuxhSlHL5YNBAdNGkOEWDtKFbXfl5kI
-> $5-grease (y&6%5f<
+-> ssh-ed25519 9/PCvA umec3ZH6etHJWPhH350dg89jPisIen+g+V1biOk8uQg
-YSrHrNaXa7b7Ivv1yVP3idg8t4iIdu5NX3hzczFp64bY7Bjp/g7jK+bWnDG26ryd
+nrkdFNMpVaeYmxaXh9f5ZBwxjdPoCbbB0NMIGP6rgJA
-G+fhmUbFuDj8ZtXg6yk
+-> ssh-ed25519 VQSaNw jcBuMSisYemI6teXpAXmIfzmkCnQRUhzR02oIED7mw4
--- YmnVS7kPp6h4pC9u28A32/xh67NwhIXwB1dxolI1DCg
+mRPa20AN2KGqp5Sh5rxqMbTLCd6N3eNNNKRzu1TrBN8
-.¼Zs‡…n}®ì,èémõR€ÏêeÞ)¾bOª¶<C2AA>îÕ¶Ü·†m8¼z£RyúìT/¦@¿CÜÝôW™¨F5ˆ?<ð.[Ö†r¡Ó[°M
+-> ;yNT#P-grease bzX
 MQVFOK4d6Iy4B1TtfEhvVM1nNBec24na1BPH++gbZE1n1dHxyy65O998u1oVml/V
 3PBkae5UTR62Hm/2oSTih/TIfGRSzT+MrjxzkRAxsWFaS+wNx3I8J3/kXg
 --- cevd2eHQSfWzGNPVrJB3XVoqxblBsDQEKKQn2HtbFBc
 ¾‡ÃŽÌ¿ì+^FdÎÍ<C38E>†Õ^yGx·í$åF7<öŽT»¶˜.ƒ0µ	³ºOÇ'“â9Ã•ŽIxÕ³³›ï_ŠóTÎŽ')“†<E2809C>Ý
--- a/Show more
+++ b/Show more