fix(vault01): Fixed MTU of br0

fix(build01/nix-builder): Use dgn-access-control
fix(meta/nodes): Don't duplicate imported modules
2025-01-10 19:37:54 +01:00 · 2025-01-10 19:26:24 +01:00 · 2025-01-10 09:37:58 +01:00 · 2025-01-09 23:08:08 +01:00 · 2025-01-09 22:04:02 +01:00 · 2025-01-09 21:16:03 +01:00
71 changed files with 1844 additions and 1048 deletions
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@ -21,6 +21,17 @@ jobs:
        STORE_USER: admin
      name: Build and cache bridge01
      run: nix-shell -A eval-nodes --run cache-node
+  build01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: build01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache build01
+      run: nix-shell -A eval-nodes --run cache-node
  compute01:
    runs-on: nix
    steps:
--- a/README.md
+++ b/README.md
@ -98,7 +98,7 @@ The general metadata is declared in `meta/nodes.nix`, the main values to declare
 Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :

 ```nix
-(import ../../../keys.nix).mkSecrets [ "host02" ] [
+(import ../../../keys).mkSecrets [ "host02" ] [
  # List of secrets for host02
 ]
 ```
--- a/default.nix
+++ b/default.nix
@ -4,8 +4,8 @@
 # SPDX-License-Identifier: EUPL-1.2

 {
-  sources ? import ./sources.nix,
-  pkgs ? sources.bootstrapNixpkgs,
+  sources ? import ./npins,
+  pkgs ? import sources.nixpkgs { },
 }:

 let
--- a/hive.nix
+++ b/hive.nix
@ -4,25 +4,44 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-# TODO: change comments to ### \n # [text] \n #
-
 let
-  ### Init some tooling
+  sources' = import ./npins;

-  sources = import ./sources.nix;
+  # Patch sources directly
+  sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
+    .applyPatches' sources';

-  lib = sources.fullLib;
+  nix-lib = import ./lib/nix-lib;
+  inherit (nix-lib) mapSingleFuse;

-  inherit (lib.extra) mapSingleFuse;
+  patch = import ./lib/nix-patches { patchFile = ./patches; };

-  ### Let's build meta
-  meta = (import ./meta) lib;
+  nodes' = import ./meta/nodes;
+  nodes = builtins.attrNames nodes';

-  nodes = builtins.attrNames meta.nodes;
-
-  ### Nixpkgs instanciation
+  mkNode = node: {
+    deployment.systemType = system node;
+  };

  nixpkgs' = import ./meta/nixpkgs.nix;
+  # All supported nixpkgs versions × systems, instanciated
+  nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
+
+  # Get the configured nixos version for the node,
+  # defaulting to the one defined in meta/nixpkgs
+  version = node: nodes'.${node}.nixpkgs.version;
+  system = node: nodes'.${node}.nixpkgs.system;
+  category = node: nixpkgs'.categories.${system node};
+
+  nodePkgs = node: nixpkgs.${system node}.${version node};
+
+  # Builds a patched version of nixpkgs, only as the source
+  mkNixpkgs' =
+    v:
+    patch.mkNixpkgsSrc rec {
+      src = sources'.${name};
+      name = "nixos-${v}";
+    };

  # Build up the nixpkgs configuration for Liminix embedded systems
  mkLiminixConfig =
@ -42,47 +61,29 @@ let
  mkNixpkgsConfig =
    system:
    {
-      nixos = _: { overlays = [ (import "${sources.nix-pkgs}/overlay.nix").default ]; };
+      nixos = _: { };
      zyxel-nwa50ax = mkLiminixConfig system;
      netconf = _: { };
    }
    .${system} or (throw "Unknown system: ${system} for nixpkgs configuration instantiation");

  # Instanciates the required nixpkgs version
-  mkSystemNixpkgs =
-    system: version: import sources."nixos-${version}" (mkNixpkgsConfig system version);
+  mkSystemNixpkgs = system: version: import (mkNixpkgs' version) (mkNixpkgsConfig system version);

-  # All supported nixpkgs versions × systems, instanciated
-  nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
-
-  # Get the configured nixos version for the node,
-  # defaulting to the one defined in meta/nixpkgs
-  version = node: meta.nodes.${node}.nixpkgs.version;
-  system = node: meta.nodes.${node}.nixpkgs.system;
-  category = node: nixpkgs'.categories.${system node};
-
-  nodePkgs = node: nixpkgs.${system node}.${version node};
-
-  ##########
-  # Function to create arguments based on the node 
+  ###
+  # Function to create arguments based on the node
  #
  mkArgs = node: rec {
-    lib = sourcePkgs.lib.extend sources.libOverlay;
+    lib = sourcePkgs.lib // {
+      extra = nix-lib;
+    };

    sourcePkgs = nodePkgs node;
-    inherit meta;
+    meta = (import ./meta) lib;

    nodeMeta = meta.nodes.${node};
    nodePath = "machines/${category node}/${node}";
  };
-
-  ##########
-  # Module for each node (quite empty since almost everything is in the default module)
-  #
-  mkNode = node: {
-    deployment.systemType = system node;
-  };
-
 in

 {
@ -93,7 +94,7 @@ in
    specialArgs = {
      inherit nixpkgs sources;

-      dgn-keys = import ./lib/keys { inherit meta lib; };
+      dgn-keys = import ./keys;
    };

    nodeSpecialArgs = mapSingleFuse mkArgs nodes;
@ -217,6 +218,5 @@ in
        };
    };
  };
-
 }
 // (mapSingleFuse mkNode nodes)
--- a/iso/configuration.nix
+++ b/iso/configuration.nix
@ -5,9 +5,9 @@
 { lib, pkgs, ... }:

 let
-  dgn-keys = import ../keys.nix;
+  dgn-keys = import ../keys;

-  dgn-members = (import ../meta lib).config.organization.groups.root;
+  dgn-members = (import ../meta lib).organization.groups.root;
 in

 {
--- a/keys.nix
+++ b/keys.nix
@ -1,13 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
-#
-# SPDX-License-Identifier: EUPL-1.2
-
-let
-  sources = import ./sources.nix;
-
-  lib = sources.fullLib;
-
-  meta = (import ../meta lib).config;
-
-in
-import ./lib/keys { inherit meta lib; }
--- a/keys/default.nix
+++ b/keys/default.nix
@ -0,0 +1,109 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+let
+  _sources = import ../npins;
+
+  inherit (import _sources.nixpkgs { }) lib;
+
+  meta = import ../meta lib;
+
+  getAttr = flip builtins.getAttr;
+
+  inherit (import ../lib/nix-lib) flip setDefault unique;
+in
+
+rec {
+  # WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
+  #          If not, you will face an angry maintainer
+  _keys = {
+    # SSH keys of the nodes
+    bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
+    build01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIYJcEMQpOyKInqtd2/brnSQuzwgv6fNPlTSQx9tcvPu" ];
+    compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
+    geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
+    geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
+    hypervisor01 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
+    ];
+    hypervisor02 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
+    ];
+    hypervisor03 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
+    ];
+    rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
+    storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
+    tower01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVpR+TMRLGAfhn7Q0C3tKOydYYjfoC/e1ZYbKpby01Z" ];
+    vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
+    web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
+    web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
+    web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
+
+    # SSH keys of the DGNum members
+    agroudiev = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
+    ];
+    catvayor = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
+    ];
+    cst1 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
+    ];
+    ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
+    gdd = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
+    ];
+    jemagius = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
+    ];
+    luj = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
+    ];
+    mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
+    mdebray = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
+    ];
+    raito = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
+    ];
+    thubrecht = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
+    ];
+  };
+
+  getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
+
+  mkSecrets =
+    nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
+
+  getNodeKeys' =
+    node:
+    let
+      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
+        meta.nodes.${node}.admins ++ [ node ]
+      ) meta.nodes.${node}.adminGroups;
+    in
+    unique (getKeys names);
+
+  getNodeKeys = node: rootKeys ++ getNodeKeys' node;
+
+  # List of keys for the root group
+  rootKeys = getKeys meta.organization.groups.root;
+
+  # List of 'machine' keys
+  machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
+
+  nixosMachineKeys =
+    rootKeys
+    ++ (getKeys (builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == "nixos") meta.nodes)));
+}
--- a/lib/keys/default.nix
+++ b/lib/keys/default.nix
@ -1,46 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
-# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
-# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
-#
-# SPDX-License-Identifier: EUPL-1.2
-
-{ meta, lib }:
-let
-  inherit (lib.extra) setDefault unique;
-
-  getAttr = lib.flip builtins.getAttr;
-in
-rec {
-
-  _memberKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.organization.members;
-  _nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes;
-
-  # Get keys of the users
-  getMemberKeys = name: builtins.concatLists (builtins.map (getAttr _memberKeys) name);
-
-  # Get keys of the ssh server
-  getNodeKeys = name: builtins.concatLists (builtins.map (getAttr _nodeKeys) name);
-
-  # List of keys for the root group
-  rootKeys = getMemberKeys meta.organization.groups.root;
-
-  # All keys that can access a node
-  getNodeKeys' =
-    node:
-    let
-      names = meta.nodes.${node}.admins;
-    in
-    unique (getMemberKeys names ++ getNodeKeys [ node ]);
-
-  # List of keys for all machines wide secrets
-  machineKeys = rootKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));
-
-  mkSecrets = nodes: setDefault { publicKeys = unique (builtins.concatMap getNodeKeys' nodes); };
-
-  machineKeysBySystem =
-    system:
-    rootKeys
-    ++ (getNodeKeys (
-      builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == system) meta.nodes)
-    ));
-}
--- a/lib/nix-lib/default.nix
+++ b/lib/nix-lib/default.nix
@ -2,13 +2,17 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
-{ lib }:
+
+let
+  # Reimplement optional functions
+  _optional =
+    default: b: value:
+    if b then value else default;
+in

 rec {
-  inherit (lib)
+  inherit (import ./nixpkgs.nix)
    flip
-    optionals
-    optionalString
    hasPrefix
    recursiveUpdate
    splitString
@ -108,8 +112,11 @@ rec {

  subAttrs = attrs: builtins.map (subAttr attrs);

-  optionalList = optionals;
+  optionalList = _optional [ ];

+  optionalAttrs = _optional { };
+
+  optionalString = _optional "";
  /*
    Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
    sets together.
--- a/lib/nix-lib/nixpkgs.nix
+++ b/lib/nix-lib/nixpkgs.nix
@ -0,0 +1,466 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+###
+# Collection of nixpkgs library functions, those are necessary for defining our own lib
+#
+# They have been simplified and builtins are used in some places, instead of lib shims.
+
+rec {
+  /**
+    Does the same as the update operator '//' except that attributes are
+    merged until the given predicate is verified.  The predicate should
+    accept 3 arguments which are the path to reach the attribute, a part of
+    the first attribute set and a part of the second attribute set.  When
+    the predicate is satisfied, the value of the first attribute set is
+    replaced by the value of the second attribute set.
+
+    # Inputs
+
+    `pred`
+
+    : Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
+
+    `lhs`
+
+    : Left attribute set of the merge.
+
+    `rhs`
+
+    : Right attribute set of the merge.
+
+    # Type
+
+    ```
+    recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.attrsets.recursiveUpdateUntil` usage example
+
+    ```nix
+    recursiveUpdateUntil (path: l: r: path == ["foo"]) {
+      # first attribute set
+      foo.bar = 1;
+      foo.baz = 2;
+      bar = 3;
+    } {
+      #second attribute set
+      foo.bar = 1;
+      foo.quz = 2;
+      baz = 4;
+    }
+
+    => {
+      foo.bar = 1; # 'foo.*' from the second set
+      foo.quz = 2; #
+      bar = 3;     # 'bar' from the first set
+      baz = 4;     # 'baz' from the second set
+    }
+    ```
+
+    :::
+  */
+  recursiveUpdateUntil =
+    pred: lhs: rhs:
+    let
+      f =
+        attrPath:
+        builtins.zipAttrsWith (
+          n: values:
+          let
+            here = attrPath ++ [ n ];
+          in
+          if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
+            builtins.head values
+          else
+            f here values
+        );
+    in
+    f [ ] [
+      rhs
+      lhs
+    ];
+
+  /**
+    A recursive variant of the update operator ‘//’.  The recursion
+    stops when one of the attribute values is not an attribute set,
+    in which case the right hand side value takes precedence over the
+    left hand side value.
+
+    # Inputs
+
+    `lhs`
+
+    : Left attribute set of the merge.
+
+    `rhs`
+
+    : Right attribute set of the merge.
+
+    # Type
+
+    ```
+    recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.attrsets.recursiveUpdate` usage example
+
+    ```nix
+    recursiveUpdate {
+      boot.loader.grub.enable = true;
+      boot.loader.grub.device = "/dev/hda";
+    } {
+      boot.loader.grub.device = "";
+    }
+
+    returns: {
+      boot.loader.grub.enable = true;
+      boot.loader.grub.device = "";
+    }
+    ```
+
+    :::
+  */
+  recursiveUpdate =
+    lhs: rhs:
+    recursiveUpdateUntil (
+      _: lhs: rhs:
+      !(builtins.isAttrs lhs && builtins.isAttrs rhs)
+    ) lhs rhs;
+
+  /**
+    Determine whether a string has given prefix.
+
+    # Inputs
+
+    `pref`
+    : Prefix to check for
+
+    `str`
+    : Input string
+
+    # Type
+
+    ```
+    hasPrefix :: string -> string -> bool
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.hasPrefix` usage example
+
+    ```nix
+    hasPrefix "foo" "foobar"
+    => true
+    hasPrefix "foo" "barfoo"
+    => false
+    ```
+
+    :::
+  */
+  hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
+
+  /**
+    Escape occurrence of the elements of `list` in `string` by
+    prefixing it with a backslash.
+
+    # Inputs
+
+    `list`
+    : 1\. Function argument
+
+    `string`
+    : 2\. Function argument
+
+    # Type
+
+    ```
+    escape :: [string] -> string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.escape` usage example
+
+    ```nix
+    escape ["(" ")"] "(foo)"
+    => "\\(foo\\)"
+    ```
+
+    :::
+  */
+  escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
+
+  /**
+    Convert a string `s` to a list of characters (i.e. singleton strings).
+    This allows you to, e.g., map a function over each character.  However,
+    note that this will likely be horribly inefficient; Nix is not a
+    general purpose programming language. Complex string manipulations
+    should, if appropriate, be done in a derivation.
+    Also note that Nix treats strings as a list of bytes and thus doesn't
+    handle unicode.
+
+    # Inputs
+
+    `s`
+    : 1\. Function argument
+
+    # Type
+
+    ```
+    stringToCharacters :: string -> [string]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.stringToCharacters` usage example
+
+    ```nix
+    stringToCharacters ""
+    => [ ]
+    stringToCharacters "abc"
+    => [ "a" "b" "c" ]
+    stringToCharacters "🦄"
+    => [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
+    ```
+
+    :::
+  */
+  stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
+
+  /**
+    Turn a string `s` into an exact regular expression
+
+    # Inputs
+
+    `s`
+    : 1\. Function argument
+
+    # Type
+
+    ```
+    escapeRegex :: string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.escapeRegex` usage example
+
+    ```nix
+    escapeRegex "[^a-z]*"
+    => "\\[\\^a-z]\\*"
+    ```
+
+    :::
+  */
+  escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
+
+  /**
+    Appends string context from string like object `src` to `target`.
+
+    :::{.warning}
+    This is an implementation
+    detail of Nix and should be used carefully.
+    :::
+
+    Strings in Nix carry an invisible `context` which is a list of strings
+    representing store paths. If the string is later used in a derivation
+    attribute, the derivation will properly populate the inputDrvs and
+    inputSrcs.
+
+    # Inputs
+
+    `src`
+    : The string to take the context from. If the argument is not a string,
+      it will be implicitly converted to a string.
+
+    `target`
+    : The string to append the context to. If the argument is not a string,
+      it will be implicitly converted to a string.
+
+    # Type
+
+    ```
+    addContextFrom :: string -> string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.addContextFrom` usage example
+
+    ```nix
+    pkgs = import <nixpkgs> { };
+    addContextFrom pkgs.coreutils "bar"
+    => "bar"
+    ```
+
+    The context can be displayed using the `toString` function:
+
+    ```nix
+    nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
+    {
+      "/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
+    }
+    ```
+
+    :::
+  */
+  addContextFrom = src: target: builtins.substring 0 0 src + target;
+
+  /**
+    Cut a string with a separator and produces a list of strings which
+    were separated by this separator.
+
+    # Inputs
+
+    `sep`
+    : 1\. Function argument
+
+    `s`
+    : 2\. Function argument
+
+    # Type
+
+    ```
+    splitString :: string -> string -> [string]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.splitString` usage example
+
+    ```nix
+    splitString "." "foo.bar.baz"
+    => [ "foo" "bar" "baz" ]
+    splitString "/" "/usr/local/bin"
+    => [ "" "usr" "local" "bin" ]
+    ```
+
+    :::
+  */
+  splitString =
+    sep: s:
+    let
+      splits = builtins.filter builtins.isString (
+        builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
+      );
+    in
+    builtins.map (addContextFrom s) splits;
+
+  /**
+    Remove duplicate elements from the `list`. O(n^2) complexity.
+
+    # Inputs
+
+    `list`
+
+    : Input list
+
+    # Type
+
+    ```
+    unique :: [a] -> [a]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.lists.unique` usage example
+
+    ```nix
+    unique [ 3 2 3 4 ]
+    => [ 3 2 4 ]
+    ```
+
+    :::
+  */
+  unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
+
+  /**
+    Flip the order of the arguments of a binary function.
+
+    # Inputs
+
+    `f`
+
+    : 1\. Function argument
+
+    `a`
+
+    : 2\. Function argument
+
+    `b`
+
+    : 3\. Function argument
+
+    # Type
+
+    ```
+    flip :: (a -> b -> c) -> (b -> a -> c)
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.trivial.flip` usage example
+
+    ```nix
+    flip concat [1] [2]
+    => [ 2 1 ]
+    ```
+
+    :::
+  */
+  flip =
+    f: a: b:
+    f b a;
+
+  /**
+    `warn` *`message`* *`value`*
+
+    Print a warning before returning the second argument.
+
+    See [`builtins.warn`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn) (Nix >= 2.23).
+    On older versions, the Nix 2.23 behavior is emulated with [`builtins.trace`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn), including the [`NIX_ABORT_ON_WARN`](https://nix.dev/manual/nix/latest/command-ref/conf-file#conf-abort-on-warn) behavior, but not the `nix.conf` setting or command line option.
+
+    # Inputs
+
+    *`message`* (String)
+
+    : Warning message to print before evaluating *`value`*.
+
+    *`value`* (any value)
+
+    : Value to return as-is.
+
+    # Type
+
+    ```
+    String -> a -> a
+    ```
+  */
+  warn =
+    # Since Nix 2.23, https://github.com/NixOS/nix/pull/10592
+    builtins.warn or (
+      let
+        mustAbort = builtins.elem (builtins.getEnv "NIX_ABORT_ON_WARN") [
+          "1"
+          "true"
+          "yes"
+        ];
+      in
+      # Do not eta reduce v, so that we have the same strictness as `builtins.warn`.
+      msg: v:
+      # `builtins.warn` requires a string message, so we enforce that in our implementation, so that callers aren't accidentally incompatible with newer Nix versions.
+      assert builtins.isString msg;
+      if mustAbort then
+        builtins.trace "[1;31mevaluation warning:[0m ${msg}" (
+          abort "NIX_ABORT_ON_WARN=true; warnings are treated as unrecoverable errors."
+        )
+      else
+        builtins.trace "[1;35mevaluation warning:[0m ${msg}" v
+    );
+}
--- a/machines/nixos/bridge01/secrets/secrets.nix
+++ b/machines/nixos/bridge01/secrets/secrets.nix
@ -2,6 +2,6 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "bridge01" ] [
+(import ../../../../keys).mkSecrets [ "bridge01" ] [
  # List of secrets for bridge01
 ]
--- a/machines/nixos/build01/_configuration.nix
+++ b/machines/nixos/build01/_configuration.nix
@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    "dgn-forgejo-runners"
+  ];
+
+  enabledServices = [
+    "nix-builder"
+  ];
+
+  extraConfig = {
+    dgn-forgejo-runners = {
+      nbRunners = 16;
+      dataDirectory = "/data";
+    };
+
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}
--- a/machines/nixos/build01/_hardware-configuration.nix
+++ b/machines/nixos/build01/_hardware-configuration.nix
@ -0,0 +1,59 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "nvme"
+        "megaraid_sas"
+        "ehci_pci"
+        "ahci"
+        "usbhid"
+        "sd_mod"
+      ];
+      kernelModules = [ "dm-snapshot" ];
+    };
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/fed99278-0916-4d9c-b974-c7125d3557b3";
+      fsType = "xfs";
+    };
+
+    "/data" = {
+      device = "/dev/disk/by-uuid/69b62f16-7db1-4720-a115-fd3b8dafe123";
+      fsType = "xfs";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/1372-46EA";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/34b9e0ab-c579-4293-849c-78f5093cf35a"; }
+  ];
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/machines/nixos/build01/nix-builder.nix
+++ b/machines/nixos/build01/nix-builder.nix
@ -0,0 +1,64 @@
+# SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  pkgs,
+  lib,
+  meta,
+  ...
+}:
+{
+  config = {
+    dgn-access-control.users = lib.genAttrs meta.organization.groups.nix-builder (u: lib.singleton u);
+
+    security.pam.loginLimits = [
+      {
+        domain = "*";
+        item = "nofile";
+        type = "-";
+        value = "20480";
+      }
+    ];
+
+    systemd.services.nix-daemon.serviceConfig = {
+      MemoryAccounting = true;
+      MemoryMax = "450G";
+      MemoryHigh = "440G";
+      MemorySwapMax = "2G";
+      ManagedOOMSwap = "kill";
+      ManagedOOMMemoryPressure = "kill";
+      MemoryPressureWatch = "on";
+    };
+
+    nix = {
+      gc = {
+        automatic = true;
+        dates = lib.mkForce "*:45";
+        options = lib.mkForce ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
+
+        randomizedDelaySec = "1800";
+      };
+
+      nrBuildUsers = 128;
+
+      settings = {
+        keep-outputs = false;
+        keep-derivations = false;
+        use-cgroups = true;
+        http-connections = 0;
+        auto-allocate-uids = true;
+        cores = 0;
+        max-jobs = 8;
+        fsync-metadata = true;
+        experimental-features = [
+          "auto-allocate-uids"
+          # "ca-derivations" this feature is really extremely broken.
+          "cgroups"
+          "fetch-closure"
+          "impure-derivations"
+        ];
+      };
+    };
+  };
+}
--- a/machines/nixos/build01/secrets/forgejo_runners-token_file
+++ b/machines/nixos/build01/secrets/forgejo_runners-token_file
@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA plGvUUrRbdkfNyD4UGIjjkv3Ktu4iqL4dImFZzWnqWA
+asE0N7d6lqnOFJWoU+V1bCLhlD5oFAkjs9HSM+ps6Ak
+-> ssh-ed25519 QlRB9Q hagbD6do4gKBuRBN8m8cDL6K0RFmiJwpvJOtAaPKXnA
+9727tWz+PhGm/bycXUUQHV3YqeXc0AD/mM1DvTrBLC4
+-> ssh-ed25519 r+nK/Q bnu+1g77I2LLnXNHZWMkIrgJpxpwJ1ZYgdAL4HE6hCo
+cDLyOiULyjO9s6PACs6Ou6m5h0XcDzbdc7o2P7OAizQ
+-> ssh-rsa krWCLQ
+X8SpFIBmd7LOnJqI+V3MWlaYB8f4Mron5IKYZGrqRPWzLrrkAkJsr1QdV4K9vepe
+zQsHecw8VvCKQesAKFrKTZxF8oXvoJU3GP5q9IVISLuEv8nLxgyhhLqQQqPVWLbC
+0nGGtbke2Xw2QXgUpoe6GdZ53Neg2BShUmV6SYoGeTwdxGmuL6nFH7UMzwsKWLW5
+95CoXfRyp4oxV7FQscuewPL+tNHXh6DoeW8Qlr3rxxgJkCSNMp+EchZJZOroGmtd
+SQb2SgFs712x9han1vNR7Dn3o270xa/AVldmjRBNvDGyNefItb20OP4n3bWSK3b1
+ejR3mZyP5SU2+Pr6navc0w
+-> ssh-ed25519 /vwQcQ NQSD4lKvM7uWm0deYyc22DC7/IGYve0XB9Zg8yOY5GE
+hpDWSKnlW6BtyKlXXS1anB78CvK+mnsm3BOxht7mL4Y
+-> ssh-ed25519 0R97PA i4DSi49b4vQpt3hjiHPn0/H9MzyvHz0OEPJXcvn+G1M
+C9uEKNTPRK8f4d2AYnPqDwTqDOV0SHmG/x/529l3YLA
+-> ssh-ed25519 JGx7Ng 5WgVespkMD/X/67sBoF2RbG+YXu06UuSozHrLJSn2xE
+pISCxxw/Hg9GBxh33gW6JO2mLKrdvSUVb6+AHMHwTtE
+-> ssh-ed25519 bUjjig 14Ocpj1tCsZ5lZQ32wDHsO9iFkrNi8wZS8NUhQ5HEh0
+ZbX31ejXuqmgKD1EcmH/B0zo1CeORzJn+QjrRuWNxh0
+-> ssh-ed25519 oRtTqQ dSGSGECezsXdDeyFcOSLIvKT0jdOs2d73/dRAeBuJjc
+2O/CXEu0rV5EdAewyvdA5XfLXMQvzEEtl8lPsBqICqk
+-> ssh-ed25519 IxxZqA BbHNkDUiEoWcwGjjrkFbOHCXvq2gEd8Rv7tt3p8fXHA
+yJsvxku/Kz26jTTEtuoHDLGO/gUotw/QZc+UwxCIwKE
+-> Tqc#'yq%-grease b
+X3iOhNF2FNp0ImC6uLsqjT1pAbNPBIxUCXLivDKbVIZYoBhtrLpQRJXoWK7GEakA
+8TkORCQQUYZIlNqu2Psfbi0
+--- 19Nolty0dET6QnYlxtieiluPP9R3HbrhEn5EDuFu/s4
+“˜?l÷6r] úfBžo<ŸŒ9Ç‰5M+Ší7íNõÏ¹äô%
Ñ.èœELÄ˜âÂÒw§¾snÑáã¬nšN
-×ØÌ¯pñûëËŠÓ
--- a/machines/nixos/build01/secrets/secrets.nix
+++ b/machines/nixos/build01/secrets/secrets.nix
@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 La Délégation Générale Numérique <contact@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+(import ../../../../keys).mkSecrets [ "build01" ] [
+  "forgejo_runners-token_file"
+]
--- a/machines/nixos/compute01/dgsi/default.nix
+++ b/machines/nixos/compute01/dgsi/default.nix
@ -14,7 +14,30 @@
 let
  inherit (lib) toLower;

-  pythonEnv = pkgs.python312.withPackages (
+  python =
+    let
+      python3 = pkgs.python312;
+      nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
+    in
+    python3.override {
+      packageOverrides = _: _: {
+        inherit (nix-pkgs)
+          django-allauth
+          django-allauth-cas
+          django-browser-reload
+          django-bulma-forms
+          django-sass-processor
+          django-sass-processor-dart-sass
+          django-unfold
+          pykanidm
+          python-cas
+          loadcredential
+          xlwt
+          ;
+      };
+    };
+
+  pythonEnv = python.withPackages (
    ps:
    [
      ps.django
--- a/machines/nixos/compute01/kanidm/default.nix
+++ b/machines/nixos/compute01/kanidm/default.nix
@ -44,8 +44,6 @@ let
  usernameFor = member: meta.organization.members.${member}.username;
 in
 {
-  nixpkgs.config.permittedInsecurePackages = [ "kanidm-1.3.3" ];
-
  services.kanidm = {
    enableServer = true;

--- a/machines/nixos/compute01/kanidm/secrets/secrets.nix
+++ b/machines/nixos/compute01/kanidm/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-(import ../../../../../keys.nix).mkSecrets [ "compute01" ] [
+(import ../../../../../keys).mkSecrets [ "compute01" ] [
  "kanidm-password_admin"
  "kanidm-password_idm_admin"
 ]
--- a/machines/nixos/compute01/secrets/secrets.nix
+++ b/machines/nixos/compute01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "compute01" ] [
+(import ../../../../keys).mkSecrets [ "compute01" ] [
  # List of secrets for compute01
  "arkheon-env_file"
  "bupstash-put_key"
--- a/machines/nixos/geo01/secrets/secrets.nix
+++ b/machines/nixos/geo01/secrets/secrets.nix
@ -2,6 +2,6 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "geo01" ] [
+(import ../../../../keys).mkSecrets [ "geo01" ] [
  # List of secrets for geo01
 ]
--- a/machines/nixos/geo02/secrets/secrets.nix
+++ b/machines/nixos/geo02/secrets/secrets.nix
@ -2,6 +2,6 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "geo02" ] [
+(import ../../../../keys).mkSecrets [ "geo02" ] [
  # List of secrets for geo02
 ]
--- a/machines/nixos/hypervisor01/secrets/secrets.nix
+++ b/machines/nixos/hypervisor01/secrets/secrets.nix
@ -2,6 +2,6 @@
 #
 # SPDX-License-Identifer: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "hypervisor01" ] [
+(import ../../../../keys).mkSecrets [ "hypervisor01" ] [

 ]
--- a/machines/nixos/hypervisor02/secrets/secrets.nix
+++ b/machines/nixos/hypervisor02/secrets/secrets.nix
@ -2,6 +2,6 @@
 #
 # SPDX-License-Identifer: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "hypervisor02" ] [
+(import ../../../../keys).mkSecrets [ "hypervisor02" ] [

 ]
--- a/machines/nixos/hypervisor03/secrets/secrets.nix
+++ b/machines/nixos/hypervisor03/secrets/secrets.nix
@ -2,6 +2,6 @@
 #
 # SPDX-License-Identifer: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "hypervisor03" ] [
+(import ../../../../keys).mkSecrets [ "hypervisor03" ] [

 ]
--- a/machines/nixos/rescue01/secrets/secrets.nix
+++ b/machines/nixos/rescue01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "rescue01" ] [
+(import ../../../../keys).mkSecrets [ "rescue01" ] [
  # List of secrets for rescue01
  "stateless-uptime-kuma-password"
 ]
--- a/machines/nixos/storage01/_configuration.nix
+++ b/machines/nixos/storage01/_configuration.nix
@ -9,6 +9,7 @@ lib.extra.mkConfig {
    # List of modules to enable
    "dgn-backups"
    "dgn-web"
+    "dgn-forgejo-runners"
  ];

  enabledServices = [
--- a/machines/nixos/storage01/forgejo-runners.nix
+++ b/machines/nixos/storage01/forgejo-runners.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-{ config, pkgs, ... }:
+_:

 let
  url = "https://git.dgnum.eu";
@ -30,22 +30,10 @@ let
    };
 in
 {
-  services.forgejo-nix-runners = {
-    enable = true;
-
-    inherit url;
-
-    storePath = "/data/slow";
-    tokenFile = config.age.secrets."forgejo_runners-token_file".path;
-
-    dependencies = [
-      pkgs.npins
-      pkgs.tea
-    ];
-
-    containerOptions = [ "--cpus=4" ];
-
+  dgn-forgejo-runners = {
    nbRunners = 6;
+    nbCpus = 4;
+    dataDirectory = "/data/slow";
  };

  services.gitea-actions-runner.instances = builtins.mapAttrs (_: mkRunner) {
@ -63,23 +51,4 @@ in
      labels = [ "debian-latest:docker://node:20-bookworm" ];
    };
  };
-
-  virtualisation = {
-    podman = {
-      enable = true;
-
-      defaultNetwork.settings = {
-        dns_enable = true;
-        ipv6_enabled = true;
-      };
-    };
-
-    containers.storage.settings = {
-      storage = {
-        driver = "overlay";
-        graphroot = "/data/slow/containers/storage";
-        runroot = "/run/containers/storage";
-      };
-    };
-  };
 }
--- a/machines/nixos/storage01/forgejo.nix
+++ b/machines/nixos/storage01/forgejo.nix
@ -79,8 +79,7 @@ in
        "cron.git_gc_repos".ENABLED = true;
        "cron.update_checker".ENABLED = false;
      };
-
-      mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
+      secrets.mailer.PASSWD = config.age.secrets."forgejo-mailer_password_file".path;
    };
  };

--- a/machines/nixos/storage01/secrets/secrets.nix
+++ b/machines/nixos/storage01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "storage01" ] [
+(import ../../../../keys).mkSecrets [ "storage01" ] [
  # List of secrets for storage01
  "bupstash-put_key"
  "forgejo-mailer_password_file"
--- a/machines/nixos/tower01/secrets/secrets.nix
+++ b/machines/nixos/tower01/secrets/secrets.nix
@ -2,6 +2,6 @@
 #
 # SPDX-License-Identifer: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "tower01" ] [
+(import ../../../../keys).mkSecrets [ "tower01" ] [

 ]
--- a/machines/nixos/vault01/networking.nix
+++ b/machines/nixos/vault01/networking.nix
@ -207,6 +207,7 @@ in
            IPv6AcceptRA = false;
            IPv6SendRA = false;
          };
+          linkConfig.MTUBytes = 1500;
        };
        "50-wg0" = {
          name = "wg0";
--- a/machines/nixos/vault01/secrets/secrets.nix
+++ b/machines/nixos/vault01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "vault01" ] [
+(import ../../../../keys).mkSecrets [ "vault01" ] [
  # List of secrets for vault01
  "radius-auth_token_file"
  "radius-ca_pem_file"
--- a/machines/nixos/web01/secrets/secrets.nix
+++ b/machines/nixos/web01/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "web01" ] [
+(import ../../../../keys).mkSecrets [ "web01" ] [
  # List of secrets for web01
  "acme-certs_secret"
  "bupstash-put_key"
--- a/machines/nixos/web02/cas-eleves/default.nix
+++ b/machines/nixos/web02/cas-eleves/default.nix
@ -19,13 +19,22 @@ let

  port = 9889;

-  python3 = pkgs.python312.override {
-    packageOverrides = _: prev: {
-      django-cas-server = prev.django-cas-server.overridePythonAttrs (_: {
-        patches = [ ./01-pytest-cas.patch ];
-      });
+  python3 =
+    let
+      nix-pkgs = import sources.nix-pkgs {
+        inherit pkgs;
+        python3 = pkgs.python312;
+      };
+    in
+    pkgs.python312.override {
+      packageOverrides = _: _: {
+        inherit (nix-pkgs) django-browser-reload django-bulma-forms loadcredential;
+
+        django-cas-server = nix-pkgs.django-cas-server.overridePythonAttrs (_: {
+          patches = [ ./01-pytest-cas.patch ];
+        });
+      };
    };
-  };

  pythonEnv = python3.withPackages (ps: [
    ps.django
--- a/machines/nixos/web02/kadenios/default.nix
+++ b/machines/nixos/web02/kadenios/default.nix
@ -16,11 +16,28 @@ let
  host = "vote.dgnum.eu";
  port = 9888;

+  python3 =
+    let
+      nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+    in
+    pkgs.python3.override {
+      packageOverrides = _: _: {
+        inherit (nix-pkgs)
+          authens
+          django-background-tasks
+          django-browser-reload
+          django-bulma-forms
+          django-translated-fields
+          loadcredential
+          ;
+      };
+    };
+
  pythonEnv =
    {
      debug ? false,
    }:
-    pkgs.python3.withPackages (
+    python3.withPackages (
      ps:
      [
        ps.django
--- a/machines/nixos/web02/secrets/secrets.nix
+++ b/machines/nixos/web02/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "web02" ] [
+(import ../../../../keys).mkSecrets [ "web02" ] [
  # List of secrets for web02
  "cas_eleves-secret_key_file"
  "kadenios-secret_key_file"
--- a/machines/nixos/web03/django-apps/annuaire.nix
+++ b/machines/nixos/web03/django-apps/annuaire.nix
@ -3,10 +3,16 @@
 # SPDX-License-Identifier: EUPL-1.2

 {
+  pkgs,
+  sources,
  config,
  ...
 }:

+let
+  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+in
+
 {
  services.django-apps.sites.annuaire = {
    source = "https://git.dgnum.eu/DGNum/annuaire-eleves";
@ -20,6 +26,10 @@

    webHookSecret = config.age.secrets."webhook-annuaire_token".path;

+    python = pkgs.python3.override {
+      packageOverrides = _: _: { inherit (nix-pkgs) authens loadcredential; };
+    };
+
    dependencies = ps: [
      ps.django
      ps.pillow
--- a/machines/nixos/web03/django-apps/bocal.nix
+++ b/machines/nixos/web03/django-apps/bocal.nix
@ -3,10 +3,16 @@
 # SPDX-License-Identifier: EUPL-1.2

 {
+  pkgs,
+  sources,
  config,
  ...
 }:

+let
+  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+in
+
 {
  services.django-apps.sites.bocal = {
    source = "https://git.dgnum.eu/DGNum/www-bocal";
@ -20,6 +26,10 @@

    webHookSecret = config.age.secrets."webhook-bocal_token".path;

+    python = pkgs.python3.override {
+      packageOverrides = _: _: { inherit (nix-pkgs) django-cas-ng django-solo loadcredential; };
+    };
+
    dependencies = ps: [
      ps.django
      ps.django-cas-ng
--- a/machines/nixos/web03/django-apps/ernestophone.nix
+++ b/machines/nixos/web03/django-apps/ernestophone.nix
@ -3,10 +3,16 @@
 # SPDX-License-Identifier: EUPL-1.2

 {
+  pkgs,
+  sources,
  config,
  ...
 }:

+let
+  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+in
+
 {
  services.django-apps.sites.ernestophone = {
    source = "https://git.dgnum.eu/DGNum/ernestophone.ens.fr";
@ -25,6 +31,17 @@

    webHookSecret = config.age.secrets."webhook-ernestophone_token".path;

+    python = pkgs.python3.override {
+      packageOverrides = _: _: {
+        inherit (nix-pkgs)
+          django-avatar
+          django-cas-ng
+          django-solo
+          loadcredential
+          ;
+      };
+    };
+
    dependencies = ps: [
      ps.django
      ps.django-avatar
--- a/machines/nixos/web03/django-apps/gestiojeux.nix
+++ b/machines/nixos/web03/django-apps/gestiojeux.nix
@ -3,10 +3,16 @@
 # SPDX-License-Identifier: EUPL-1.2

 {
+  pkgs,
+  sources,
  config,
  ...
 }:

+let
+  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+in
+
 {
  services.django-apps.sites.gestiojeux = {
    source = "https://git.dgnum.eu/DGNum/gestiojeux";
@ -25,8 +31,18 @@
      module = "gestiojeux";
    };

-    django = ps: ps.django_4;
+    python = pkgs.python3.override {
+      packageOverrides = _: _: {
+        inherit (nix-pkgs)
+          django-autoslug
+          django-cas-ng
+          loadcredential
+          markdown-icons
+          ;
+      };
+    };

+    django = ps: ps.django_4;
    dependencies = ps: [
      ps.django-autoslug
      ps.loadcredential
--- a/machines/nixos/web03/django-apps/interludes.nix
+++ b/machines/nixos/web03/django-apps/interludes.nix
@ -4,9 +4,15 @@

 {
  config,
+  pkgs,
+  sources,
  ...
 }:

+let
+  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+in
+
 {
  services.webhook.extraArgs = [ "-debug" ];
  services.django-apps.sites.interludes = {
@ -30,6 +36,10 @@

    dbType = "sqlite";

+    python = pkgs.python3.override {
+      packageOverrides = _: _: { inherit (nix-pkgs) python-cas loadcredential; };
+    };
+
    django = ps: ps.django_4;
    dependencies = ps: [
      ps.loadcredential
--- a/machines/nixos/web03/django-apps/wikiens.nix
+++ b/machines/nixos/web03/django-apps/wikiens.nix
@ -3,10 +3,16 @@
 # SPDX-License-Identifier: EUPL-1.2

 {
+  pkgs,
+  sources,
  config,
  ...
 }:

+let
+  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
+in
+
 {
  services.django-apps.sites.wikiens = {
    source = "https://git.dgnum.eu/DGNum/wiki-eleves";
@ -20,6 +26,17 @@

    webHookSecret = config.age.secrets."webhook-wikiens_token".path;

+    python = pkgs.python3.override {
+      packageOverrides = _: _: {
+        inherit (nix-pkgs)
+          django-allauth
+          django-allauth-ens
+          django-wiki
+          loadcredential
+          ;
+      };
+    };
+
    dependencies =
      ps:
      [
--- a/machines/nixos/web03/secrets/secrets.nix
+++ b/machines/nixos/web03/secrets/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ "web03" ] [
+(import ../../../../keys).mkSecrets [ "web03" ] [
  # List of secrets for web03
  "bupstash-put_key"
  "dj_annuaire-secret_key_file"
--- a/meta/default.nix
+++ b/meta/default.nix
@ -12,9 +12,11 @@ lib:
 (lib.evalModules {
  modules = [
    ./options.nix
-    ./network.nix
-    ./nodes
-    ./organization.nix
+    {
+      network = import ./network.nix;
+      nodes = import ./nodes;
+      organization = import ./organization.nix;
+    }
  ];
  class = "dgnumMeta";
 }).config
--- a/meta/network.nix
+++ b/meta/network.nix
@ -6,287 +6,304 @@
 # SPDX-License-Identifier: EUPL-1.2

 {
-  network = {
-    bridge01 = {
-      hostId = "f57f3ba0";
+  bridge01 = {
+    hostId = "f57f3ba0";

-      interfaces = { };
-      netbirdIp = null;
-    };
+    interfaces = { };
+    netbirdIp = null;
+  };

-    compute01 = {
-      interfaces = {
-        eno1 = {
-          ipv4 = [
-            {
-              address = "129.199.146.147";
-              prefixLength = 24;
-            }
-            {
-              address = "192.168.1.147";
-              prefixLength = 24;
-            }
-          ];
+  build01 = {
+    interfaces = {
+      enp35s0f0np0 = {
+        ipv4 = [
+          {
+            address = "10.0.254.21";
+            prefixLength = 24;
+          }
+        ];

-          gateways = [ "129.199.146.254" ];
-          enableDefaultDNS = true;
-        };
+        gateways = [ "10.0.254.1" ];
+        enableDefaultDNS = true;
      };
-
-      hostId = "8df60941";
-      netbirdIp = "100.80.75.197";
    };

-    geo01 = {
-      interfaces = {
-        eno1 = {
-          ipv4 = [
-            {
-              address = "129.199.210.194";
-              prefixLength = 24;
-            }
-          ];
+    hostId = "adb676ce";
+    netbirdIp = "100.80.31.249";
+  };

-          gateways = [ "129.199.210.254" ];
+  compute01 = {
+    interfaces = {
+      eno1 = {
+        ipv4 = [
+          {
+            address = "129.199.146.147";
+            prefixLength = 24;
+          }
+          {
+            address = "192.168.1.147";
+            prefixLength = 24;
+          }
+        ];

-          dns = [
-            "129.199.96.11"
-            "129.199.72.99"
-          ];
-        };
+        gateways = [ "129.199.146.254" ];
+        enableDefaultDNS = true;
      };
-
-      hostId = "b88fee0c";
-      netbirdIp = "100.80.8.66";
    };

-    geo02 = {
-      interfaces = {
-        eno1 = {
-          ipv4 = [
-            {
-              address = "129.199.210.69";
-              prefixLength = 24;
-            }
-          ];
+    hostId = "8df60941";
+    netbirdIp = "100.80.75.197";
+  };

-          gateways = [ "129.199.210.254" ];
+  geo01 = {
+    interfaces = {
+      eno1 = {
+        ipv4 = [
+          {
+            address = "129.199.210.194";
+            prefixLength = 24;
+          }
+        ];

-          dns = [
-            "129.199.96.11"
-            "129.199.72.99"
-          ];
-        };
+        gateways = [ "129.199.210.254" ];
+
+        dns = [
+          "129.199.96.11"
+          "129.199.72.99"
+        ];
      };
-
-      hostId = "45d65237";
-      netbirdIp = "100.80.233.249";
    };

-    hypervisor01 = {
-      interfaces = {
-        eno4 = {
-          ipv4 = [
-            {
-              address = "10.0.254.11";
-              prefixLength = 24;
-            }
-          ];
+    hostId = "b88fee0c";
+    netbirdIp = "100.80.8.66";
+  };

-          gateways = [ "10.0.254.1" ];
-          enableDefaultDNS = true;
-        };
+  geo02 = {
+    interfaces = {
+      eno1 = {
+        ipv4 = [
+          {
+            address = "129.199.210.69";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "129.199.210.254" ];
+
+        dns = [
+          "129.199.96.11"
+          "129.199.72.99"
+        ];
      };
-
-      hostId = "4dbbd76a";
-      netbirdIp = "100.80.242.115";
    };

-    hypervisor02 = {
-      interfaces = {
-        eno4 = {
-          ipv4 = [
-            {
-              address = "10.0.254.12";
-              prefixLength = 24;
-            }
-          ];
+    hostId = "45d65237";
+    netbirdIp = "100.80.233.249";
+  };

-          gateways = [ "10.0.254.1" ];
-          enableDefaultDNS = true;
-        };
+  hypervisor01 = {
+    interfaces = {
+      eno4 = {
+        ipv4 = [
+          {
+            address = "10.0.254.11";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "10.0.254.1" ];
+        enableDefaultDNS = true;
      };
-
-      hostId = "d0b48483";
-      netbirdIp = "100.80.37.202";
    };

-    hypervisor03 = {
-      interfaces = {
-        eno4 = {
-          ipv4 = [
-            {
-              address = "10.0.254.13";
-              prefixLength = 24;
-            }
-          ];
+    hostId = "4dbbd76a";
+    netbirdIp = "100.80.242.115";
+  };

-          gateways = [ "10.0.254.1" ];
-          enableDefaultDNS = true;
-        };
+  hypervisor02 = {
+    interfaces = {
+      eno4 = {
+        ipv4 = [
+          {
+            address = "10.0.254.12";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "10.0.254.1" ];
+        enableDefaultDNS = true;
      };
-
-      hostId = "1c407ea8";
-      netbirdIp = "100.80.58.178";
    };

-    rescue01 = {
-      interfaces = {
-        ens18 = {
-          ipv6 = [
-            {
-              address = "2a01:e0a:de4:a0e1:2d73:2a7e:18db:5728";
-              prefixLength = 64;
-            }
-          ];
+    hostId = "d0b48483";
+    netbirdIp = "100.80.37.202";
+  };

-          ipv4 = [
-            {
-              address = "192.168.0.232";
-              prefixLength = 21;
-            }
-          ];
-          gateways = [ "192.168.0.1" ];
-          enableDefaultDNS = true;
-        };
+  hypervisor03 = {
+    interfaces = {
+      eno4 = {
+        ipv4 = [
+          {
+            address = "10.0.254.13";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "10.0.254.1" ];
+        enableDefaultDNS = true;
      };
-
-      addresses.ipv4 = [ "82.67.34.230" ];
-
-      hostId = "007f0200";
-      netbirdIp = "100.80.97.140";
    };

-    storage01 = {
-      interfaces = {
-        eno1 = {
-          ipv4 = [
-            {
-              address = "129.199.146.148";
-              prefixLength = 24;
-            }
-            {
-              address = "192.168.1.148";
-              prefixLength = 24;
-            }
-          ];
+    hostId = "1c407ea8";
+    netbirdIp = "100.80.58.178";
+  };

-          gateways = [ "129.199.146.254" ];
-          enableDefaultDNS = true;
-        };
+  rescue01 = {
+    interfaces = {
+      ens18 = {
+        ipv6 = [
+          {
+            address = "2a01:e0a:de4:a0e1:2d73:2a7e:18db:5728";
+            prefixLength = 64;
+          }
+        ];
+
+        ipv4 = [
+          {
+            address = "192.168.0.232";
+            prefixLength = 21;
+          }
+        ];
+        gateways = [ "192.168.0.1" ];
+        enableDefaultDNS = true;
      };
-
-      hostId = "d4e7c369";
-      netbirdIp = "100.80.156.154";
    };

-    tower01 = {
-      interfaces = {
-        eno2 = {
-          ipv4 = [
-            {
-              address = "129.199.210.119";
-              prefixLength = 24;
-            }
-          ];
+    addresses.ipv4 = [ "82.67.34.230" ];

-          gateways = [ "129.199.210.254" ];
+    hostId = "007f0200";
+    netbirdIp = "100.80.97.140";
+  };

-          dns = [
-            "129.199.96.11"
-            "129.199.72.99"
-          ];
-        };
+  storage01 = {
+    interfaces = {
+      eno1 = {
+        ipv4 = [
+          {
+            address = "129.199.146.148";
+            prefixLength = 24;
+          }
+          {
+            address = "192.168.1.148";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "129.199.146.254" ];
+        enableDefaultDNS = true;
      };
-
-      hostId = "7874d06e";
-      netbirdIp = "100.80.185.124";
    };

-    vault01 = {
-      interfaces = {
-        vlan-uplink-cri = {
-          ipv4 = [
-            {
-              # see also machines/vault01/networking.nix
-              address = "129.199.195.129";
-              prefixLength = 32;
-            }
-          ];
-          gateways = [ ];
-          enableDefaultDNS = true;
-        };
+    hostId = "d4e7c369";
+    netbirdIp = "100.80.156.154";
+  };
+
+  tower01 = {
+    interfaces = {
+      eno2 = {
+        ipv4 = [
+          {
+            address = "129.199.210.119";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "129.199.210.254" ];
+
+        dns = [
+          "129.199.96.11"
+          "129.199.72.99"
+        ];
      };
-
-      hostId = "e83b600d";
-      netbirdIp = "100.80.255.180";
    };

-    web01 = {
-      interfaces = {
-        ens3 = {
-          ipv4 = [
-            {
-              address = "129.199.129.53";
-              prefixLength = 24;
-            }
-          ];
+    hostId = "7874d06e";
+    netbirdIp = "100.80.185.124";
+  };

-          gateways = [ "129.199.129.1" ];
-          enableDefaultDNS = true;
-        };
+  vault01 = {
+    interfaces = {
+      vlan-uplink-cri = {
+        ipv4 = [
+          {
+            # see also machines/vault01/networking.nix
+            address = "129.199.195.129";
+            prefixLength = 32;
+          }
+        ];
+        gateways = [ ];
+        enableDefaultDNS = true;
      };
-
-      hostId = "050df79e";
-      netbirdIp = "100.80.77.90";
    };

-    web02 = {
-      interfaces = {
-        ens3 = {
-          ipv4 = [
-            {
-              address = "129.199.129.235";
-              prefixLength = 24;
-            }
-          ];
+    hostId = "e83b600d";
+    netbirdIp = "100.80.255.180";
+  };

-          gateways = [ "129.199.129.1" ];
-          enableDefaultDNS = true;
-        };
+  web01 = {
+    interfaces = {
+      ens3 = {
+        ipv4 = [
+          {
+            address = "129.199.129.53";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "129.199.129.1" ];
+        enableDefaultDNS = true;
      };
-
-      hostId = "b431ca10";
-      netbirdIp = null; # web02 is not to be connected on the VPN
    };

-    web03 = {
-      interfaces = {
-        enp1s0 = {
-          ipv4 = [
-            {
-              address = "129.199.129.223";
-              prefixLength = 24;
-            }
-          ];
+    hostId = "050df79e";
+    netbirdIp = "100.80.77.90";
+  };

-          gateways = [ "129.199.129.1" ];
-          enableDefaultDNS = true;
-        };
+  web02 = {
+    interfaces = {
+      ens3 = {
+        ipv4 = [
+          {
+            address = "129.199.129.235";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "129.199.129.1" ];
+        enableDefaultDNS = true;
      };
-
-      hostId = "8afc7749";
-      netbirdIp = "100.80.157.46";
    };
+
+    hostId = "b431ca10";
+    netbirdIp = null; # web02 is not to be connected on the VPN
+  };
+
+  web03 = {
+    interfaces = {
+      enp1s0 = {
+        ipv4 = [
+          {
+            address = "129.199.129.223";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "129.199.129.1" ];
+        enableDefaultDNS = true;
+      };
+    };
+
+    hostId = "8afc7749";
+    netbirdIp = "100.80.157.46";
  };
 }
--- a/meta/nodes/default.nix
+++ b/meta/nodes/default.nix
@ -2,10 +2,9 @@
 # SPDX-FileContributor: Ryan Lahfa <ryan.lahfa@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
-{
-  imports = [
-    ./liminix.nix
-    ./nixos.nix
-    ./netconf.nix
-  ];
-}
+
+builtins.foldl' (nodes: path: nodes // import path) { } [
+  ./liminix.nix
+  ./nixos.nix
+  ./netconf.nix
+]
--- a/meta/nodes/liminix.nix
+++ b/meta/nodes/liminix.nix
@ -16,19 +16,17 @@
 # }

 {
-  nodes = {
-    ap01 = {
-      site = "unknown";
-      adminGroups = [ "fai" ];
+  ap01 = {
+    site = "unknown";
+    adminGroups = [ "fai" ];

-      hashedPassword = "$y$j9T$DMOQEWOYFHjNS0myrXp4x/$MG33VSdXGvib.99eN.AbvyVdNNJw4ERjAwK4.ULJe/A";
+    hashedPassword = "$y$j9T$DMOQEWOYFHjNS0myrXp4x/$MG33VSdXGvib.99eN.AbvyVdNNJw4ERjAwK4.ULJe/A";

-      stateVersion = null;
+    stateVersion = null;

-      nixpkgs = {
-        system = "zyxel-nwa50ax";
-        version = "24.05";
-      };
+    nixpkgs = {
+      system = "zyxel-nwa50ax";
+      version = "24.05";
    };
  };
 }
--- a/meta/nodes/netconf.nix
+++ b/meta/nodes/netconf.nix
@ -2,50 +2,48 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
-  nodes = {
-    netcore02 = {
-      site = "hyp01";
+  netcore02 = {
+    site = "hyp01";

-      hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0";
+    hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0";

-      stateVersion = null;
+    stateVersion = null;

-      adminGroups = [ "fai" ];
+    adminGroups = [ "fai" ];

-      deployment = {
-        targetHost = "fd26:baf9:d250:8000::1001";
-        sshOptions = [
-          "-J"
-          "root@vault01.hyp01.infra.dgnum.eu"
-        ];
-      };
-
-      nixpkgs = {
-        version = "24.05"; # FIXME: meaningless
-        system = "netconf";
-      };
+    deployment = {
+      targetHost = "fd26:baf9:d250:8000::1001";
+      sshOptions = [
+        "-J"
+        "root@vault01.hyp01.infra.dgnum.eu"
+      ];
+    };
+
+    nixpkgs = {
+      version = "24.05"; # FIXME: meaningless
+      system = "netconf";
    };
-    #  netaccess01 = {
-    #    site = "hyp02";
-    #
-    #    hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0";
-    #
-    #    stateVersion = null;
-    #
-    #    adminGroups = [ "fai" ];
-    #
-    #    deployment = {
-    #      targetHost = "fd26:baf9:d250:8000::2001";
-    #      sshOptions = [
-    #        "-J"
-    #        "root@vault01.hyp01.infra.dgnum.eu"
-    #      ];
-    #    };
-    #
-    #    nixpkgs = {
-    #      version = "24.05"; # FIXME: meaningless
-    #      system = "netconf";
-    #    };
-    #  };
  };
+  #  netaccess01 = {
+  #    site = "hyp02";
+  #
+  #    hashedPassword = "$6$BKetIIfT$JVyE0B7F4O.fJwQFu5jVrVExAZROrEMLW5HkDkhjMShJ9cRIgxSm2VM9OThDowsnLmAewqDN7eAY.EQt4UR4U0";
+  #
+  #    stateVersion = null;
+  #
+  #    adminGroups = [ "fai" ];
+  #
+  #    deployment = {
+  #      targetHost = "fd26:baf9:d250:8000::2001";
+  #      sshOptions = [
+  #        "-J"
+  #        "root@vault01.hyp01.infra.dgnum.eu"
+  #      ];
+  #    };
+  #
+  #    nixpkgs = {
+  #      version = "24.05"; # FIXME: meaningless
+  #      system = "netconf";
+  #    };
+  #  };
 }
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@ -26,270 +26,252 @@
  - luj01 -> VM de Luj
 */
 {
-  nodes = {
-    bridge01 = {
-      site = "hyp01";
+  bridge01 = {
+    site = "hyp01";

-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
+    hashedPassword = "$y$j9T$EPJdz70kselouXAVUmAH01$8nYbUBY9NPTMfYigegY0qFSdxJwhqzW8sFacDqEYCP5";

-      hashedPassword = "$y$j9T$EPJdz70kselouXAVUmAH01$8nYbUBY9NPTMfYigegY0qFSdxJwhqzW8sFacDqEYCP5";
+    stateVersion = "24.05";

-      stateVersion = "24.05";
+    adminGroups = [ "fai" ];

-      adminGroups = [ "fai" ];
-
-      deployment = {
-        targetHost = "fd26:baf9:d250:8000::ffff";
-        sshOptions = [
-          "-J"
-          "root@vault01.hyp01.infra.dgnum.eu"
-        ];
-      };
-
-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
-    };
-
-    compute01 = {
-      site = "pav01";
-
-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
-
-      hashedPassword = "$y$j9T$2nxZHq84G7fWvWMEaGavE/$0ADnmD9qMpXJJ.rWWH9086EakvZ3wAg0mSxZYugOf3C";
-
-      stateVersion = "23.05";
-      nix-modules = [ "services/stirling-pdf" ];
-
-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
-    };
-
-    geo01 = {
-      site = "oik01";
-      deployment.tags = [ "geo" ];
-
-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
-
-      hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8";
-
-      deployment.targetHost = "geo01.dgnum";
-
-      stateVersion = "24.05";
-
-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
-    };
-
-    geo02 = {
-      site = "oik01";
-      deployment.tags = [ "geo" ];
-
-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
-
-      hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA";
-
-      deployment.targetHost = "geo02.dgnum";
-
-      stateVersion = "24.05";
-
-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
-    };
-
-    hypervisor01 = {
-      site = "pot01";
-
-      hashedPassword = "$y$j9T$Yw.M.epJj/sakb4Gq/9WV0$P85aQPo/FmFM1.ap413UL3vlGk3mavHwmaALKKDd4n.";
-
-      stateVersion = "24.11";
-
-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
-
-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr" ];
-
-      adminGroups = [ "hypervisors" ];
-
-      deployment = {
-        targetHost = "hypervisor01.dgnum";
-      };
-    };
-
-    hypervisor02 = {
-      site = "pot01";
-
-      hashedPassword = "$y$j9T$Zu98DVlKq7KP5GmIHOwBy1$Bd7W6LstWDm8zjbZ9JSPLnhMFPmZgmU4e7t7u6EhavA";
-
-      stateVersion = "24.11";
-
-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
-
-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S" ];
-
-      adminGroups = [ "hypervisors" ];
-
-      deployment = {
-        targetHost = "hypervisor02.dgnum";
-      };
-    };
-
-    hypervisor03 = {
-      site = "pot01";
-
-      hashedPassword = "$y$j9T$plTv9.UwmkTODagd4docj0$3zd35wPSsamygiYngwfDGICapKbx5UbzyLBhAwOUSfC";
-
-      stateVersion = "24.11";
-
-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI" ];
-
-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
-
-      adminGroups = [ "hypervisors" ];
-
-      deployment = {
-        targetHost = "hypervisor03.dgnum";
-      };
-    };
-
-    rescue01 = {
-      site = "luj01";
-
-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
-
-      deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu";
-
-      hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC";
-
-      stateVersion = "23.11";
-      vm-cluster = "Hyperviseur Luj";
-
-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
-    };
-
-    storage01 = {
-      site = "pav01";
-
-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
-
-      hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8";
-
-      stateVersion = "23.11";
-
-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
-
-      nix-modules = [
-        "services/forgejo-nix-runners"
-        "services/netbird/server.nix"
+    deployment = {
+      targetHost = "fd26:baf9:d250:8000::ffff";
+      sshOptions = [
+        "-J"
+        "root@vault01.hyp01.infra.dgnum.eu"
      ];
    };

-    tower01 = {
-      site = "oik01";
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+  };

-      hashedPassword = "$y$j9T$axihKDa.CrYcyoamJWxBq1$bl4TfropTrwLqMy6XK0DKkWRyx9b74kyI/ukE8X5iiD";
+  build01 = {
+    site = "pot01";

-      sshKeys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVpR+TMRLGAfhn7Q0C3tKOydYYjfoC/e1ZYbKpby01Z"
-      ];
+    hashedPassword = "$y$j9T$n83qOn1OkQhFwQe50tPM11$jZ1tvgqMTcp4HLGEfJmTMsf0NnRUYQkzco9vibWTpU2";

-      stateVersion = "24.11";
+    stateVersion = "24.11";

-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
-
-      admins = [ "ecoppens" ];
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
    };

-    vault01 = {
-      site = "hyp01";
-      deployment.targetHost = "vault01.hyp01.infra.dgnum.eu";
+    admins = [ "ecoppens" ];

-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
+    deployment = {
+      targetHost = "build01.dgnum";
+    };
+  };

-      hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1";
+  compute01 = {
+    site = "pav01";

-      stateVersion = "23.11";
+    hashedPassword = "$y$j9T$2nxZHq84G7fWvWMEaGavE/$0ADnmD9qMpXJJ.rWWH9086EakvZ3wAg0mSxZYugOf3C";

-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
+    stateVersion = "23.05";
+    nix-modules = [ "services/stirling-pdf" ];

-      adminGroups = [ "fai" ];
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+  };
+
+  geo01 = {
+    site = "oik01";
+    deployment.tags = [ "geo" ];
+
+    hashedPassword = "$y$j9T$2XmDpJu.QLhV57yYCh5Lf1$LK.X0HKB02Q0Ujvhj5nIofW2IRrIAL/Uxnvl9AXM1L8";
+
+    stateVersion = "24.05";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+  };
+
+  geo02 = {
+    site = "oik01";
+    deployment.tags = [ "geo" ];
+
+    hashedPassword = "$y$j9T$Q4fbMpSm9beWu4DPNAR9t0$dx/1pH4GPY72LpS5ZiECXAZFDdxwmIywztsX.qo2VVA";
+
+    stateVersion = "24.05";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+  };
+
+  hypervisor01 = {
+    site = "pot01";
+
+    hashedPassword = "$y$j9T$Yw.M.epJj/sakb4Gq/9WV0$P85aQPo/FmFM1.ap413UL3vlGk3mavHwmaALKKDd4n.";
+
+    stateVersion = "24.11";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
    };

-    web01 = {
-      site = "rat01";
+    adminGroups = [ "hypervisors" ];

-      deployment.tags = [ "web" ];
+    deployment = {
+      targetHost = "hypervisor01.dgnum";
+    };
+  };

-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
+  hypervisor02 = {
+    site = "pot01";

-      hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2";
+    hashedPassword = "$y$j9T$Zu98DVlKq7KP5GmIHOwBy1$Bd7W6LstWDm8zjbZ9JSPLnhMFPmZgmU4e7t7u6EhavA";

-      stateVersion = "23.05";
-      vm-cluster = "Hyperviseur NPS";
+    stateVersion = "24.11";

-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
    };

-    web02 = {
-      site = "rat01";
+    adminGroups = [ "hypervisors" ];

-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
+    deployment = {
+      targetHost = "hypervisor02.dgnum";
+    };
+  };

-      hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5";
+  hypervisor03 = {
+    site = "pot01";

-      stateVersion = "24.05";
-      vm-cluster = "Hyperviseur NPS";
+    hashedPassword = "$y$j9T$plTv9.UwmkTODagd4docj0$3zd35wPSsamygiYngwfDGICapKbx5UbzyLBhAwOUSfC";

-      nixpkgs = {
-        version = "24.05";
-        system = "nixos";
-      };
+    stateVersion = "24.11";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
    };

-    web03 = {
-      site = "rat01";
+    adminGroups = [ "hypervisors" ];

-      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
+    deployment = {
+      targetHost = "hypervisor03.dgnum";
+    };
+  };

-      hashedPassword = "$y$j9T$Un/tcX5SPKNXG.sy/BcTa.$kyNHELjb1GAOWnauJfcjyVi5tacWcuEBKflZDCUC6x4";
+  rescue01 = {
+    site = "luj01";

-      stateVersion = "24.05";
-      vm-cluster = "Hyperviseur NPS";
+    deployment.targetHost = "v6.rescue01.luj01.infra.dgnum.eu";

-      nixpkgs = {
-        version = "24.11";
-        system = "nixos";
-      };
+    hashedPassword = "$y$j9T$nqoMMu/axrD0m8AlUFdbs.$UFVmIdPAOHBe2jJv5HJJTcDgINC7LTnSGRQNs9zS1mC";
+
+    stateVersion = "23.11";
+    vm-cluster = "Hyperviseur Luj";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+  };
+
+  storage01 = {
+    site = "pav01";
+
+    hashedPassword = "$y$j9T$tvRu1EJ9MwDSvEm0ogwe70$bKSw6nNteN0L3NOy2Yix7KlIvO/oROQmQ.Ynq002Fg8";
+
+    stateVersion = "23.11";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+
+    nix-modules = [
+      "services/netbird/server.nix"
+    ];
+  };
+
+  tower01 = {
+    site = "oik01";
+
+    hashedPassword = "$y$j9T$axihKDa.CrYcyoamJWxBq1$bl4TfropTrwLqMy6XK0DKkWRyx9b74kyI/ukE8X5iiD";
+
+    stateVersion = "24.11";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+
+    admins = [ "ecoppens" ];
+  };
+
+  vault01 = {
+    site = "hyp01";
+    deployment.targetHost = "vault01.hyp01.infra.dgnum.eu";
+
+    hashedPassword = "$y$j9T$5osXVNxCDxu3jIndcyh7G.$UrjiDRpMu3W59tKHLGNdLWllZh.4p8IM4sBS5SrNrN1";
+
+    stateVersion = "23.11";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+
+    adminGroups = [ "fai" ];
+  };
+
+  web01 = {
+    site = "rat01";
+
+    deployment.tags = [ "web" ];
+
+    hashedPassword = "$y$j9T$9YqXO93VJE/GP3z8Sh4h51$hrBsEPL2O1eP/wBZTrNT8XV906V4JKbQ0g04IWBcyd2";
+
+    stateVersion = "23.05";
+    vm-cluster = "Hyperviseur NPS";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
+    };
+  };
+
+  web02 = {
+    site = "rat01";
+
+    hashedPassword = "$y$j9T$p42UVNy78PykkQOjPwXNJ/$B/zCUOrHXVSFGUY63wnViMiSmU2vCWsiX0y62qqgNQ5";
+
+    stateVersion = "24.05";
+    vm-cluster = "Hyperviseur NPS";
+
+    nixpkgs = {
+      version = "24.05";
+      system = "nixos";
+    };
+  };
+
+  web03 = {
+    site = "rat01";
+
+    hashedPassword = "$y$j9T$Un/tcX5SPKNXG.sy/BcTa.$kyNHELjb1GAOWnauJfcjyVi5tacWcuEBKflZDCUC6x4";
+
+    stateVersion = "24.05";
+    vm-cluster = "Hyperviseur NPS";
+
+    nixpkgs = {
+      version = "24.11";
+      system = "nixos";
    };
  };
 }
--- a/meta/options.nix
+++ b/meta/options.nix
@ -22,8 +22,6 @@ let
    ints
    listOf
    nullOr
-    positive
-    singleLineStr
    str
    submodule
    unspecified
@ -44,22 +42,6 @@ let
      };
    };

-  vpnKeyType = submodule {
-    options = {
-      id = mkOption {
-        type = positive;
-        description = ''
-          Unique ID that will be  used to guess IP address
-        '';
-      };
-      key = mkOption {
-        type = str;
-        description = ''
-          Public key of the user for this VPN
-        '';
-      };
-    };
-  };
  org = config.organization;
  nixpkgs = import ./nixpkgs.nix;
 in
@ -95,24 +77,6 @@ in
                    WARNING: Must be the same as the ens login!
                  '';
                };
-
-                sshKeys = lib.mkOption {
-                  type = listOf singleLineStr;
-                  description = ''
-                    A list of verbatim OpenSSH public keys that should be added to the
-                    user's authorized keys.
-                  '';
-                  example = [
-                    "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
-                    "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
-                  ];
-                };
-
-                vpnKeys = mkOption {
-                  type = attrsOf vpnKeyType;
-                  default = { };
-                  description = "Attribute sets to define vpn keys of the user";
-                };
              };
            }
          )
@ -215,18 +179,6 @@ in
                '';
              };

-              sshKeys = lib.mkOption {
-                type = listOf singleLineStr;
-                default = [ ];
-                description = ''
-                  A list of verbatim OpenSSH public keys used by the machine ssh server.
-                '';
-                example = [
-                  "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
-                  "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
-                ];
-              };
-
              admins = mkOption {
                type = listOf str;
                default = [ ];
@ -377,13 +329,6 @@ in
                  IP address of the node in the netbird network.
                '';
              };
-
-              vpnKeys = mkOption {
-                type = attrsOf vpnKeyType;
-                default = { };
-                description = "Attribute sets to define vpn keys of the machine";
-
-              };
            };

            config =
@ -469,6 +414,12 @@ in
        (membersExists (
          name: "A member of the external service ${name} admins was not found in the members list."
        ) org.external)
+
+        # Check that all members have ssh keys
+        (builtins.map (name: {
+          assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
+          message = "No ssh keys found for ${name}.";
+        }) members)
      ];
    };
 }
--- a/meta/organization.nix
+++ b/meta/organization.nix
@ -13,156 +13,129 @@
 */

 {
-  organization = {
-    members = {
-      agroudiev = {
-        name = "Antoine Groudiev";
-        email = "antoine.groudiev@dgnum.eu";
-        sshKeys = [
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
-        ];
-      };
-
-      catvayor = {
-        name = "Lubin Bailly";
-        email = "catvayor@dgnum.eu";
-        username = "lbailly";
-        sshKeys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
-        ];
-      };
-
-      cst1 = {
-        name = "Constantin Gierczak--Galle";
-        email = "cst1@dgnum.eu";
-        username = "cgierczakgalle";
-        sshKeys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
-        ];
-      };
-
-      ecoppens = {
-        name = "Elias Coppens";
-        email = "ecoppens@dgnum.eu";
-        sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
-      };
-
-      jemagius = {
-        name = "Jean-Marc Gailis";
-        email = "jm@dgnum.eu";
-        username = "jgailis";
-        sshKeys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
-        ];
-      };
-
-      luj = {
-        name = "Julien Malka";
-        email = "luj@dgnum.eu";
-        username = "jmalka";
-        sshKeys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
-        ];
-      };
-
-      mboyer = {
-        name = "Matthieu Boyer";
-        email = "matthieu.boyer@dgnum.eu";
-        username = "mboyer02";
-        sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
-      };
-
-      mdebray = {
-        name = "Maurice Debray";
-        email = "maurice.debray@dgnum.eu";
-        sshKeys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
-        ];
-      };
-
-      raito = {
-        name = "Ryan Lahfa";
-        email = "ryan@dgnum.eu";
-        username = "rlahfa";
-        sshKeys = [
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
-        ];
-      };
-
-      thubrecht = {
-        name = "Tom Hubrecht";
-        email = "tom.hubrecht@dgnum.eu";
-        sshKeys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
-        ];
-      };
+  members = {
+    agroudiev = {
+      name = "Antoine Groudiev";
+      email = "antoine.groudiev@dgnum.eu";
    };

-    groups = {
-      # members of this group are root on all nodes
-      root = [
-        "thubrecht"
-        "raito"
-        "mdebray"
-      ];
-
-      # members of this group are root on the fai infrastructure
-      fai = [
-        "catvayor"
-        "ecoppens"
-      ];
-
-      lab = [
-        "catvayor"
-        "cst1"
-        "ecoppens"
-      ];
-
-      hypervisors = [
-        "catvayor"
-        "ecoppens"
-      ];
+    catvayor = {
+      name = "Lubin Bailly";
+      email = "catvayor@dgnum.eu";
+      username = "lbailly";
    };

-    external = {
-      dns = [
-        "thubrecht"
-        "raito"
-      ];
-
-      email = [ "raito" ];
-
-      irc = [ "raito" ];
+    cst1 = {
+      name = "Constantin Gierczak--Galle";
+      email = "cst1@dgnum.eu";
+      username = "cgierczakgalle";
    };

-    services = {
-      # Démarches Normaliennes
-      ds-fr.admins = [
-        "thubrecht"
-        "jemagius"
-      ];
+    ecoppens = {
+      name = "Elias Coppens";
+      email = "ecoppens@dgnum.eu";
+    };

-      # Cloud DGNum
-      nextcloud.admins = [
-        "thubrecht"
-        "raito"
-      ];
+    jemagius = {
+      name = "Jean-Marc Gailis";
+      email = "jm@dgnum.eu";
+      username = "jgailis";
+    };

-      # Netbox DGNum
-      netbox.adminGroups = [
-        "root"
-        "fai"
-      ];
+    luj = {
+      name = "Julien Malka";
+      email = "luj@dgnum.eu";
+      username = "jmalka";
+    };

-      # Videos DGNum
-      peertube.admins = [ "thubrecht" ];
+    mboyer = {
+      name = "Matthieu Boyer";
+      email = "matthieu.boyer@dgnum.eu";
+      username = "mboyer02";
+    };
+
+    mdebray = {
+      name = "Maurice Debray";
+      email = "maurice.debray@dgnum.eu";
+    };
+
+    raito = {
+      name = "Ryan Lahfa";
+      email = "ryan@dgnum.eu";
+      username = "rlahfa";
+    };
+
+    thubrecht = {
+      name = "Tom Hubrecht";
+      email = "tom.hubrecht@dgnum.eu";
    };
  };
+
+  groups = {
+    # members of this group are root on all nodes
+    root = [
+      "thubrecht"
+      "raito"
+      "mdebray"
+    ];
+
+    # members of this group are root on the fai infrastructure
+    fai = [
+      "catvayor"
+      "ecoppens"
+    ];
+
+    lab = [
+      "catvayor"
+      "cst1"
+      "ecoppens"
+    ];
+
+    hypervisors = [
+      "catvayor"
+      "ecoppens"
+    ];
+
+    nix-builder = [
+      "catvayor"
+      "ecoppens"
+      "mdebray"
+      "raito"
+      "thubrecht"
+    ];
+  };
+
+  external = {
+    dns = [
+      "thubrecht"
+      "raito"
+    ];
+
+    email = [ "raito" ];
+
+    irc = [ "raito" ];
+  };
+
+  services = {
+    # Démarches Normaliennes
+    ds-fr.admins = [
+      "thubrecht"
+      "jemagius"
+    ];
+
+    # Cloud DGNum
+    nextcloud.admins = [
+      "thubrecht"
+      "raito"
+    ];
+
+    # Netbox DGNum
+    netbox.adminGroups = [
+      "root"
+      "fai"
+    ];
+
+    # Videos DGNum
+    peertube.admins = [ "thubrecht" ];
+  };
 }
--- a/meta/verify.nix
+++ b/meta/verify.nix
@ -6,8 +6,8 @@
 # Nix expression to check if meta module is evaluating correctly.
 # To do so run `nix-build ./verify.nix`
 let
-  sources = import ../sources.nix;
-  pkgs = sources.bootstrapNixpkgs;
+  sources = import ../npins;
+  pkgs = import sources.nixpkgs { };

  dns = import sources."dns.nix" { inherit pkgs; };
 in
@ -32,7 +32,9 @@ in
      import ./dns.nix {
        inherit dns;

-        lib = sources.fullLib;
+        lib = pkgs.lib // {
+          extra = import ../lib/nix-lib;
+        };
      }
    )
  );
--- a/modules/liminix/dgn-access-control.nix
+++ b/modules/liminix/dgn-access-control.nix
@ -56,7 +56,7 @@ in
    # Admins have root access to the node
    dgn-access-control.users.root = mkDefault admins;
    users = builtins.mapAttrs (_: members: {
-      openssh.authorizedKeys.keys = dgn-keys.getMemberKeys members;
+      openssh.authorizedKeys.keys = dgn-keys.getKeys members;
    }) cfg.users;
  };
 }
--- a/modules/netconf/dgn-access-control.nix
+++ b/modules/netconf/dgn-access-control.nix
@ -56,7 +56,7 @@ in
    dgn-access-control.root = mkDefault admins;
    system = {
      root-authentication = {
-        ssh-keys = dgn-keys.getMemberKeys cfg.root;
+        ssh-keys = dgn-keys.getKeys cfg.root;
        hashedPasswd = nodeMeta.hashedPassword;
      };
      services.ssh.root-login = mkDefault "deny-password";
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -21,6 +21,7 @@
      "dgn-console"
      "dgn-chatops"
      "dgn-firewall"
+      "dgn-forgejo-runners"
      "dgn-hardware"
      "dgn-netbox-agent"
      "dgn-network"
@ -43,6 +44,7 @@
      [
        "age-secrets"
        "services/bupstash"
+        "services/forgejo-nix-runners"
        "services/reaction"
        "services/systemd-notify"
      ]
--- a/modules/nixos/dgn-access-control.nix
+++ b/modules/nixos/dgn-access-control.nix
@ -58,7 +58,8 @@ in
    users.users = builtins.mapAttrs (
      username: members:
      {
-        openssh.authorizedKeys.keys = dgn-keys.getMemberKeys members;
+        isNormalUser = lib.mkIf (username != "root") true;
+        openssh.authorizedKeys.keys = dgn-keys.getKeys members;
      }
      // optionalAttrs (username == "root") { inherit (nodeMeta) hashedPassword; }
    ) cfg.users;
--- a/modules/nixos/dgn-backups/default.nix
+++ b/modules/nixos/dgn-backups/default.nix
@ -114,7 +114,7 @@ in
        access = [
          {
            repo = "default";
-            keys = dgn-keys.getNodeKeys [
+            keys = dgn-keys.getKeys [
              "compute01"
              "storage01"
              "vault01"
@ -131,7 +131,7 @@ in
    };

    programs.ssh.knownHosts =
-      lib.extra.mapFuse (host: { "${host}.dgnum".publicKey = builtins.head dgn-keys._nodeKeys.${host}; })
+      lib.extra.mapFuse (host: { "${host}.dgnum".publicKey = builtins.head dgn-keys._keys.${host}; })
        [
          "compute01"
          "geo01"
--- a/modules/nixos/dgn-backups/keys/secrets.nix
+++ b/modules/nixos/dgn-backups/keys/secrets.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-(import ../../../../keys.nix).mkSecrets [ ] [
+(import ../../../../keys).mkSecrets [ ] [
  "compute01.key"
  "storage01.key"
  "web01.key"
--- a/modules/nixos/dgn-forgejo-runners.nix
+++ b/modules/nixos/dgn-forgejo-runners.nix
@ -0,0 +1,91 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+# SPDX-FileContributor: Elias Coppens <elias@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  config,
+  lib,
+  pkgs,
+  name,
+  ...
+}:
+
+let
+  inherit (lib) mkEnableOption mkIf mkOption;
+
+  inherit (lib.types) int nullOr str;
+
+  cfg = config.dgn-forgejo-runners;
+in
+{
+  options.dgn-forgejo-runners = {
+    enable = mkEnableOption "forgejo-nix-runners for the DGNum forge";
+
+    nbRunners = mkOption {
+      type = int;
+      description = ''
+        Number of runners to spawn.
+      '';
+    };
+
+    nbCpus = mkOption {
+      type = nullOr int;
+      default = null;
+      description = ''
+        Maximum number of cores available for each runner.
+        When set to null, there will be no restriction.
+      '';
+    };
+
+    dataDirectory = mkOption {
+      type = str;
+      description = ''
+        Base directory to store data for runners.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    services.forgejo-nix-runners = {
+      enable = true;
+
+      url = "https://git.dgnum.eu";
+
+      storePath = cfg.dataDirectory;
+      tokenFile = config.age.secrets."forgejo_runners-token_file".path;
+      names = [
+        "on-${name}"
+      ];
+
+      dependencies = [
+        pkgs.npins
+        pkgs.tea
+      ];
+
+      containerOptions = lib.optional (cfg.nbCpus != null) "--cpus=${builtins.toString cfg.nbCpus}";
+
+      inherit (cfg) nbRunners;
+    };
+
+    virtualisation = {
+      podman = {
+        enable = true;
+
+        defaultNetwork.settings = {
+          dns_enable = true;
+          ipv6_enabled = true;
+        };
+      };
+
+      containers.storage.settings = {
+        storage = {
+          driver = "overlay";
+          graphroot = "${cfg.dataDirectory}/containers/storage";
+          runroot = "/run/containers/storage";
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/dgn-netbox-agent/secrets/secrets.nix
+++ b/modules/nixos/dgn-netbox-agent/secrets/secrets.nix
@ -2,4 +2,4 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-{ netbox-agent.publicKeys = (import ../../../../keys.nix).machineKeysBySystem "nixos"; }
+{ netbox-agent.publicKeys = (import ../../../../keys).nixosMachineKeys; }
--- a/modules/nixos/dgn-notify/mail
+++ b/modules/nixos/dgn-notify/mail
@ -1,55 +1,56 @@
 age-encryption.org/v1
-> ssh-ed25519 jIXfPA tqrbtRQ1sOAfNdcydUswVCvTPlMOyxJk7KIWuVo0zTo
-8NlgzrKyFh4K5NreS0CmBNQ2ZmiLZYpD+fhbqNX/aAQ
-> ssh-ed25519 QlRB9Q 9so2ZMz5fmmbqRpwEtJ0/u7iV+MLLLkDgODMfu6rdyo
-mYpFyrEI3p5uIvogAeTTgC+bHNHBx+eR6VGKMx8hIQk
-> ssh-ed25519 r+nK/Q ldIiggaMYAi9twBQpG5w6EA1stvDYgznDytN/zN0IDM
-bOqzUc4m/pecyG+6jv8HilAJKJS5ywiagv1IN3DMtEM
+-> ssh-ed25519 jIXfPA uwfDbp6deCl1ZuO/9HWEghRdmx6C48WYfrUSprsUhGw
+/ram5+hhFm4otCrfe8ikxazml7GlXydSLnV6Gx88eeA
+-> ssh-ed25519 QlRB9Q k5ASPvydXiyyIhcviZWBMrKBT5UQeY68Lvs7OSYVH0U
+VQD2FHyF76l+OI87JUvgz+4ZIpYZbTmojWr6w+0Ce4M
+-> ssh-ed25519 r+nK/Q PKv1jnfLjPoevbENLT+BDrkzhngXmtDiepSDKZPPvXg
+Egz1qIKAoYwM9WnRIsxaVcMVnZQ4ejBZB2tWvuqPZto
 -> ssh-rsa krWCLQ
-OypBhkIZl8NGjojPR0Lg0A3SG9BhkA9oocO1zQqGh+gJdO1X8O3m5cIdxu7Ggw8s
-RE+B41TWwEfOV0KfRdOBoVxTLYg027f5/EnlU0G5igGUCDt6vDgyScLsYkdiPUYs
-7otyfXpCwM5eKpHV6q1qne91BjGXOiUpIPnlaOKXFvNkvNlihz9D1uw+n9vnsKGS
-fb9jYX3fACcInbdnNOKeDSUE6+e6wj/ijOwGT8pL5X4cYmGslhfqk4WLubJIUoGx
-6TTD0Qh0tiaWlbHJU6jB/Iv0zQgXDBvOCasN6Nlln+PYQnQ8N0gDRkQ8Eq+eKA2d
-19komclluvh6zNZQHXod/g
-> ssh-ed25519 /vwQcQ l8YLbHxqW4Ynk9ElKIws+Z/cVvdYa9E/ELOt1gIkXww
-nENmHEF5A73imF1H0m+Zn7Fzf2EFTyRPX8HTkgfWvLk
-> ssh-ed25519 0R97PA FVqDeagt+Q8qXxLNaSU5AttATiVmHyQlZT2mv7ETshs
-XG9/OKfvS/Q1yHHHexCeJ3/5HTu/oe8O5lIZJouANv0
-> ssh-ed25519 JGx7Ng xuF0PD3YtE8kqWBH+OnxI+Qw6AQZ9Ib53xpSm9NMrGs
-wLVrBPL4KKWf5AKIN7MZfIAzOoaeqnf7XswaSt8UHKQ
-> ssh-ed25519 bUjjig 1Ekic+sPi08+xo5Lx38SsIN78ODOaJJpuMPorgelIn4
-icUH+He/zxMhoDsakE8lJ1BCkeuwm3izXVnugQrxoCk
-> ssh-ed25519 DqHxWQ oQ1K9/CaOXBCqckeGC2M8rXtPiOSFFetK51+LU5NLGw
-zX2MVGKe7jdoPfJhWHd3M0cJ9uczWyyUqzFOZhP8DCM
-> ssh-ed25519 tDqJRg btCKh9SJuHDiGIQu3FNf3a04p6Qm9EYoTOMaxBFFbCs
-xsGNb+7jXb5MJbnNAJBZRwBvd7a0uFk8cZWWz0xPLKE
-> ssh-ed25519 9pVK7Q bjH8hNGrjV1euwfetjy+P7FmmVEqg+D2VsyIbPN6dBM
-Ut+81wp4IaHYgR7mjAHiPi3uC5K5l/wLrtUEwxxhVs0
-> ssh-ed25519 /BRpBQ nYOgDzHkeh2T3vcC0c3X+/5GPmn4AOavPaLtluG9/X8
-yLeebplBqT7cbo7mgZJvbqVOf1SPFFAs/P8lwVUBjnE
-> ssh-ed25519 t0vvHQ R14ScgZyALLYI9VQXC9ulRiIT6pKeNjsUETqmf39Ajk
-8sATMxF2qt2ZquQkL8lUjtYYCE/c6HAV7CzVBXgAlzY
-> ssh-ed25519 E6cGqw 0kdE7TYnCGGB6laGnB67OFIdI5pKo9k/4M2hSZB8dVg
-6ZbKr6REXl2e589LDQjTdXAOSxKo+Crzb/qU3UiT7Fo
-> ssh-ed25519 EEPmeQ iKAT49L0Ps0DPUc/jHZ1eYPQvkouTbEaMMT1WgGgNGU
-5tO5/612OXfDVgPkC+pObQJP/EqIljq1Sb5/sEQpKOo
-> ssh-ed25519 +MNHsw +XV+vFgYZBjgS+MKcIx1YaZgV34konYI5r2okZWcpE0
-xBVIa8Zep/eRgD2gjPooTS5oQuzgjRxw3cvUrVhbFLM
-> ssh-ed25519 rHotTw kpkPh9yUnPayJBCiUihPbSMIGiCMNV3Q9EX/GqrDuEY
-9U+MZrgXh8wWMr+YA+OFHzVtVoiNXusQIAKHSIv5dy4
-> ssh-ed25519 NaIdrw P7GGMkwEt5ueKMBok+EpEmuomOQtWMGjqShy2zMcziY
-D38Akh4B2IIhiMHm9L4BAlXkqtmRHBFNYnq7MBxuLEw
-> ssh-ed25519 +mFdtQ q0Ry7jtJzq6UfKDbzfovl5KBjdJtOKxlzMBKOBt/wl4
-5LE2G25RaXJSNC88AUKZVsec9f6kRMTrRJH0f+rHjiw
-> ssh-ed25519 0IVRbA E9wi9oRwNigFI5Gx6rOzdQRmLsaG7bADK0JwevQnHHk
-R3ssmspGUasfQCiak6mbelWszIEfgBhoUSwTmVAZVHo
-> ssh-ed25519 IY5FSQ XecGNqCa7W77aVxHu2PMyGP3kjJaIuMkPu/uxxmcTWM
-XBswdNeVgQzf1dHC7epw/R4aR+aPM/D6Ojfemv6h3Zw
-> ssh-ed25519 VQSaNw W9s97+9Zp9HHHLujy3AfY6AmhXG06zubbKmzuHfI32E
-6sBZ/SCxyOAYxusVng5xTp2FIWP46svn9jHrGdDoITY
-> QywF>>&-grease
-an4MLFRuHd5YzvAuctEATrgtHX6ptlOPxRnGyFsIZEx4CVadG8bEn4+aPF64Bvxy
-RXa8
--- fF16JxCEn1JKV0R0onxLmfe1SJViPsfwcW/aNzakOlI
-™dØë¦\YjÐÙ\¡:ìls–ZV¸¦©ë
ñ‹¶÷È"é³‰]…wOpì4àŒƒeÔÅ9¨Ï±üB9<42>
+JxjsWDFX9cqlYYj8XfEz6WlO9xHM6Kjz/Bdkl0E9vRjP8RohPGvGjMwWTv5rAmYf
+n4yMTfau5BNq04WOUoHEz+TJBLwgdGs0yLVrqauLVSSquNxNFaTDN7wIoq3YJ1sP
+66bqP7KqKfgYM+wPg07pnhEVm4T6io9IiH5D4utupSQGBGtXBNWeoORW2Q4XgqBg
+n5pPM+EIqCAGIH+iotKzQLAtn3JaxXBliY69JYXZ9m6eKonTGOnltLgAnkslEIm9
+qwArShZ5YKcEfO9QMioUnbiZU9MV+61ybq16ilWn2MfSUTXS4OBAtJxz6uu093D8
+jmGuhxzXKhB48P/frH/hRQ
+-> ssh-ed25519 /vwQcQ riG1XuW1BCD0xyVeRSgBNrnVmnzL13eor65GEr6AxgM
+N08UbQEOhWsAZyazEN59ztZ7XcXpxSVS2i5m2on1R5k
+-> ssh-ed25519 0R97PA abXQZeB5lRIGNdR/a0uh0o6nU62ZgJgP/Ifo2Sa8VkQ
+dP2djzaPrNoXAs7Wf9hPQ7cAi2lABLfm/XNW7x3G4XM
+-> ssh-ed25519 JGx7Ng bgExR1n+lL4Nth44hAlaPwJyTOJnX0HzzTV13UCvEBg
+rEjfzKhpwMUQCAxX8u7duZeZURdwtEwtE9rngMYMA5M
+-> ssh-ed25519 bUjjig bAhLFnqdVKEzST6m7NWGeqInuNQyclLYFNzjBJOEmmE
+rVRcUfyfMG2EpIucz65bOuC1PVuNjKU285czNjKwJ2k
+-> ssh-ed25519 DqHxWQ j0yUDi5WL76b9ywKcBA0TAX6ilQMXApiPWMgDFucxHc
+8NynFQxLhhvyMLeHY7jBxvEGkbDeItSN9GxyMvpCmJo
+-> ssh-ed25519 IxxZqA 7fkr+YUngEszyOXKf5ba26X08LALDEZh1YdP2lmBD1s
+qQhTzEV7K0AIRcNQHrBmGjViBfxMhfTc74ez4oRYz88
+-> ssh-ed25519 tDqJRg 3lNl0f4EI5iGfkOEwgsdbuqFH/Ii7aSLC/ZTPXVPejc
+0NiYrCEhLaQF2zycyNT358CKVnhPLU5bibKZONWiISs
+-> ssh-ed25519 9pVK7Q r7ug0wHYoccWduiMCC8nbPB0zKTUOJHJGuL6Cex0r38
+SJZ2al16eRaKR02RIAJeRtlwjqIsGO5kpyaKRq9BsRg
+-> ssh-ed25519 /BRpBQ 98rwPrpOBbpjz38FEArCgEv1MqXWsak65tRrfQykrHA
+nfzNG899bAb8dltFR9QrJ4Zb/xX5BL+vSQDD5vC/a2A
+-> ssh-ed25519 t0vvHQ +XZLiLJdJqMxRf6CZwJoS75uQ5b9BxToBUsscsvjCgs
+0IsEB8Q7ZVMzbQMUXVbHdBIC3bcAlhtKHrsjENMvNss
+-> ssh-ed25519 E6cGqw wYdLb3oelo2KDUrh9oDfxN26d/zLPZysKHTp8rxMnEY
+yJ5I2PL32is3cgrh06XRpITykFL282pmhEvCTLRAhQA
+-> ssh-ed25519 EEPmeQ CQLZuD21cKyZOWJZxrEl2N4GnT/3nfkyv5GjK+aveCQ
+XMUaUgHw6mnFh9AEHTn/sRRe1VFGcKRjK4Ib1cNyFns
+-> ssh-ed25519 +MNHsw Ir6Ev8iz1/jyOJJF6boc5T+yjzCtx+L7VtuPFua8WGA
+1sjWSysDuMJ9/hxaYRWF8so6TsdC/ZpLuK1r2AC/st0
+-> ssh-ed25519 rHotTw 33l1xN6i1ST04iKhrtEdMNyGZyrEdJKjNma+Qat9p34
+FgdTjE9NpeR41h49lEbxNAuMTZyvZSVaYyT9PJEn+mU
+-> ssh-ed25519 NaIdrw OO+OV7X39UdIhust47t7/JOpWmRtxS5MeOFGkKoaKmw
+gaFE7kl9BQWMMolgkc3Q8HtaD2YlV+vRNyO2Q8FM6fI
+-> ssh-ed25519 +mFdtQ YahBCDKX2N+mkYLQAlKPpd2ZypIDSMOqzO0+UcCH6wU
+IH0q2uTCo8OtF6IQGynKLe7rh4T12kSROuLr2dteoVM
+-> ssh-ed25519 0IVRbA Cvpi2cd3tVS3DL18C1OZsA0wHBxCCV2vWEhAu4L3CiE
+kIu/v9xU+0xfZ1ntnDY73GvPM6DfdXOK/nWoYp0d9o4
+-> ssh-ed25519 IY5FSQ SAp5chelp2ahomzr9SIkaKLHQUA5BnHSwUzWrqJdpUc
+CfEu14yiOq1KvU52zqYme6CTjhdykRNuhQIi2dgqKh0
+-> ssh-ed25519 VQSaNw ApDOYnJwe1LC5EKjBmSrsXvr73D1bG/MlTzJXEBQWGA
+1DtCyWFGlmrRdv01bqOPfL/jufaYLzrtNF2GGHpGuuY
+-> ~s)%%W-grease <vT lar/&
+qKU8Y2viz71kG8JlAT6i/UWF
+--- 3nsxdyr8AeVlK8l2fhXVZldrw5d0gu4+GWadkNHp9Lc
+f-kp;<3B>1QŸªaZ¦¦X<02>º”/M@NCD¶€ª‚<C2AA>¶Þ2Š4‡ÔÌÑ°vðÑG¯ó7ý@Sôì)?#
--- a/modules/nixos/dgn-notify/secrets.nix
+++ b/modules/nixos/dgn-notify/secrets.nix
@ -2,4 +2,4 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-{ mail.publicKeys = (import ../../../keys.nix).machineKeysBySystem "nixos"; }
+{ mail.publicKeys = (import ../../../keys).nixosMachineKeys; }
--- a/modules/nixos/dgn-records/__arkheon-token_file
+++ b/modules/nixos/dgn-records/__arkheon-token_file
@ -1,55 +1,57 @@
 age-encryption.org/v1
-> ssh-ed25519 jIXfPA Fg3/a46Mon39gTFeQkn0wtxbwsTzeBUNyEAaNHd27hQ
-A78ImPc4lST6bAeBmWiWxoICV4JVCJVAmKuQJySerHs
-> ssh-ed25519 QlRB9Q P1C+ZzsB4oAWkwIq2zcaqoukMMo+yFwk9g6Al32fCWM
-G+M9cYya5pX64/oEbvpvha2qbQg4y8frl1i18ZIG6fY
-> ssh-ed25519 r+nK/Q r4kctDRssAYznMRxHJqu7/GoBHyibP4xWdua6KYnpU0
-l5KS9reXjT2P5iUCe0swZmK/m9Vg7VvtrK4L/TaEuAI
+-> ssh-ed25519 jIXfPA sb7nmDkbVrutjmrkaUKnEfWlU4lWm7qQmD6OWcb/qHo
+GdZ/AyZS75kXiG7XbS2x+sz2LCzrEZYL7PpOPZ8g8qc
+-> ssh-ed25519 QlRB9Q yZkNZ2UOSM7LJbBU9qWcloWPceARFVFIQoEIAfEUsUw
+F6x/QjToEmfLka6LAZxsuOTrKG93EHmFEiiCBiPBdvk
+-> ssh-ed25519 r+nK/Q TSh3AgdlSZP4FOVka4/KTa9Z/nuwRRZl3mGw1uKTUhs
+fvtdpPW+zsgBHAQrvkWc7heHE56gPZwMEPOpz+fxbh0
 -> ssh-rsa krWCLQ
-g+zPwOWXgd06McsOCwo2QjAQF7B7t8oCf5eA5K79Om/X63VAqakts3ilwOt9SgZk
-yQYa72TP67nyljLO4tPG7u/aKIBIwitGXIIYs+ZNLq9Q0ciWvzVAhsLsfi9yE7AF
-I3tnL03fES2v5sbKes/JulBQl+87065YZr67TNWRY9f7a0XQZtfewP0vOxxfJsSy
-RYBpztlzAGkaWXtqk2291x7yGhKsQWXmUhxx4KqyPs+KvFm1d4GglalFjhySzCkG
-Rc7Flg1ukru3Bd1/fieOWpr3DyDBQ8pZyS4gIUYLB7xcy2t1JI/U3egTQTPBCSgy
-PwoWgyQ7lGLRIarTMRa1JQ
-> ssh-ed25519 /vwQcQ FOpyMB3qDu3HpjqsH2VVpInqlvJlZD35y/XNf8RkSXU
-ZUxuGbwH1XtE9Da+L7SjfoYinjq0cAwsHsDaz2u5Lrg
-> ssh-ed25519 0R97PA kphmpWyiMaxGmUAH4rvFUjtf0mvseVkPPBlMqKNE3lA
-F1cgXiz2UjCHU0MeS5DryvOBtxW/1DIsjw28uQ1nd3A
-> ssh-ed25519 JGx7Ng ejW0Pf2cwsitmVLY8jJUaHZ/6Qhfxa7fnYWoaWYISWk
-awOvJwkkFdXuc/ikZTX6512zG91FCi+0n7KaYrULO3E
-> ssh-ed25519 bUjjig 2Gw2h1bx0TRc6CmRjY8GPgtSHRs5rl/lg394JKiWBlA
-yvltWHak7XMXBmBmlelE4pF5y1saRaQJmV5IUxzaPyo
-> ssh-ed25519 DqHxWQ gh/5iRZQbmbvwWGtah4b9MK3DNe4+UNiHoXPYnw0sEQ
-z/nbwMWAjsBRAzTMSS/9dPzXe1st8mQWiUlZnVmtcCw
-> ssh-ed25519 tDqJRg 0GBbdUBhJxdCICdp6WtgXW2GXfQskuxanzucrKRoBns
-AW0jVC8Y8lbhycDgLzPu40kQtgb7OI7fyycLldXknwc
-> ssh-ed25519 9pVK7Q +aOx8mN/HX4F7SdNdJZjMRWiy6SIhqFkWYIo+I24cTI
-IQCd6tA+bUDlnW9JsxVE02EBKj38yYDybBe24PxXr68
-> ssh-ed25519 /BRpBQ 8UN2aIKUhi3JLhnOoOs38+a9qx+UhDnV5tYlWVF8d24
-FkScXVvXdhFbDGs2Ks0BYfj9nJpAUVPz6OhX7vkOTmI
-> ssh-ed25519 t0vvHQ wDCpgqimo5goEB9Gj5/QGQ98nTEkKy/qHyxPg3NA6Ss
-sielO8aAj9ke+nZL+F/zyMUzUPn1LjtKrSkAoMW6YYE
-> ssh-ed25519 E6cGqw zbwhYf2zKgjdymEjG0sVuqQQ/CgCDnSlT72OrAUFSiw
-B70dyGna1SRXvf5SLJCiZGeBiXwS9nf3LPTBkG/3fGs
-> ssh-ed25519 EEPmeQ 06lIugc0LbiXVFwbV/6GKbSnlac0ROIVNmgS2Q9MM2A
-KTUmdmSXZT2D4oQQpO1qNsdOn5sH70ameln6i7Itb+A
-> ssh-ed25519 +MNHsw OMAS3ud2K1+JGVytqHp9P/i+r4apcb91Dyc+tTudpQ8
-V6T+VPSvRZ21nVtDeRkOsuP62bECSGcIm8vO3JADxVQ
-> ssh-ed25519 rHotTw JAc7ZlrFGL+DXq07YrmqY4lS5Pib31RoRTT6o7zJH04
-Y1qLn6nWk7FfkrWIiBBd7BHHp5WXHTZfq734DMUlB74
-> ssh-ed25519 NaIdrw ZWfEZfhiXxkq6P6H2kbiVZiiPxH13Cehk+2ti9fYx08
-gMlI5Da2cgP7m2pZnHpwJiA7BVVtZgNyZnPkYqhBYHQ
-> ssh-ed25519 +mFdtQ GZQpMTZySkDwDvzpWou8nfvAtYco/v4xF+YU7LYjAAI
-deNceVs+tUxiQy2JHcoOd/w6KLYnxuDwrIPoVWJ66Vo
-> ssh-ed25519 0IVRbA S917NcJZ75oqjwGMMwknUFcHYJ2TCkEt331mpOZ5DxI
-khoDidhLjy1wIs+qGAfx/qH+t4ROB71QeiiUmnpZ1s8
-> ssh-ed25519 IY5FSQ 2HjLcN2RK/dtAeHXUTu/Du4LiBH4SxpG0d6f7QCa61Y
-ql6B8ZZzEaz+Czb0TRT8pF1KD7dhEv0XE9k9IJ9AgBo
-> ssh-ed25519 VQSaNw aAcXlRKzMgw847XeDTqnh+4XvApVIE183gJ2O42eohE
-wndgsI85eDc+i+CBPmo2ym5koIvTMS9mOuWdLvLM3Qs
-> lm-grease -KjCZ 46y2wU x1
-1iP6
--- MthoOm+rboJhFyo+SKFlPfwT9V3VeaKl5xQ2gs0W2ns
-;Ö<>ÓÖ"b/‚éðÙ*ü}ýeÁ½g}âLšq
-zGŠ~Q.í_àX{½ËìA	ùþó²ëöË
+J3PRXa0ojIn7T4bsFYnhERqGH4bLSSRyMm4X85iuGkhjldW/qVIs3EsGUeyLKWwY
+prvS1uwGY4qGbNgEaj0MhoZobhn9V3oiTAmlepl2tHgwMFqDi0Dagym4DBKhYaym
+ezG4GvOSEQOFAhroGK7FscUeziQilfXMAGX88JrJQVM/wz5c2e4ZJmAc5sBzo1mj
+D/ko6/KazOokbCO89wjjUYLzwM82aJKHgGZElNKOx2fcpi23ZIlIERbqcTUgxnVS
+ifgfSHcggEP47UldzfuH09Lfz8YTDqpebhufWkVhnvdJRYahrkNC+vPqBFXwqK8F
+xCVq7a8AkHK1LfDSfm041g
+-> ssh-ed25519 /vwQcQ Lclbvme60sst7vG3OT+SK/BWPBJlMPBuijzX5a41xQY
+iqI9+kIOEja/uAHP3YxCXOAH94IbVbArTD/zzpEWATI
+-> ssh-ed25519 0R97PA tvNEZpxUdaDrLOhuTnp/tuta75aInxweI6u55lts9Fw
+hd0OB8wSMhqyLPyy3dshVLjwXk/iqRhW/CK0v9EkMKs
+-> ssh-ed25519 JGx7Ng 11MGDeZVC6uXrb6x7xH1DDaUS9hEkY4cgFd6UqwuVWI
+HsLCmr749be0M6o8od+cxqEF6fcsqjZttczwNxzU8ZU
+-> ssh-ed25519 bUjjig stqKeXyQYQ4rrPUoFAJ07hfIyNp32BbITxUavwsvFR4
+oeDwDiSyXD803qDruxzJhgQ9ckfQoisJjVzq/S1CvUg
+-> ssh-ed25519 DqHxWQ zGJoJNznwsrVy1hELu5Zd08xPpnCRPms5JUjnuEFB0A
+DS1GEfaNSSz8BD0VqYEpEU5retLzy6EAF0ZEMbcZzys
+-> ssh-ed25519 IxxZqA qPdVGKGRIErFLQsV8LH8UFElhV32XdTw8PmT2HdQVTE
+rZzFPIx7iO1RT6cHu8AeO6FYLMsZn8UMjpqf2K3R9Ds
+-> ssh-ed25519 tDqJRg BfjsSuGW3EteYrTAtpVJNrdoNdpGKuYOxHU0ZNBUYUM
+wlMXOu/IVNFyghhyd/HnBud8b+VwgqZ3vG8Ceqx2DV8
+-> ssh-ed25519 9pVK7Q pPA/PzPfmC4VNLqcqgb1LwfJ68q7LffBAqaRP3YJGmw
+RJBpLt3WzJoNxsbAby/XVB0bWlHqw5ZwSHT47PQeJ2M
+-> ssh-ed25519 /BRpBQ 9irIejQQmwv9p1n/N82JPcQlRkMgCPsoeqvrEH24QUs
+WV1CGQiitxqJOj+2V/AA3R9NevcNKCohiEV4ssDEKwA
+-> ssh-ed25519 t0vvHQ vEuLV5mD3BkRQc0h2wg1l4UVj/ORVC5sz1SSqt6gD2Q
+voKXQa3QwUt9yN4OD2Kq58iI/pjNJxRZCHYOWr3mojM
+-> ssh-ed25519 E6cGqw wqCRvdwHzeZNFG73mnCxP6dY8HFLnUd0q3QMHxC9lTk
+D0bqFDUQSgHgwrfluCnJ0FQ8+Bwtho0jGXdF7Mdepj8
+-> ssh-ed25519 EEPmeQ cgyB/xXkZYjS9rqDE5saVVWaZCqWA1KieSwupV8sJ3U
+6NSDsrPTVP0AfLf2R7SYCu175u3AvSl6/9KyI5ZZr4Y
+-> ssh-ed25519 +MNHsw yQYlre+4ZPx0sfdC6iObUu4AyUT/QFCR9nVMDe93PVw
+0fqncmEgXK8UFoWr+S45imxC4zi1rYTmzp5aiPWqcJM
+-> ssh-ed25519 rHotTw 4P96tfTWGWu6sNpnhQS2pOncXTJDBY/0LIMJH6MZ9ws
+HJ9yHwUv613F3Xj0s1l2e1CY2ca9jqrwKvjjrfr+BRE
+-> ssh-ed25519 NaIdrw e+Mk++x9jtnYuH76OXRohKUKELiLRW7DBPmD4Kw0uhE
+P84wmJvkSnM68JmMS24xrilAsqJ0PzsqgmvWIDh2TYA
+-> ssh-ed25519 +mFdtQ YE1hcu3vCq1QHr38JEhU+pLZy+NuxzjSk8O64CYqakI
+SNsqng6gjqR8m+KO+RQqt0gbXeGdfHNjvfVncmKD3DQ
+-> ssh-ed25519 0IVRbA Zw0Sq8NnSluum9p9RPO906gKnXLPlOAWwjIDuYt5oSQ
+6jUZKI7yu6ThE1behgXMqO5beNj2Gap2rGhlSn8vrA8
+-> ssh-ed25519 IY5FSQ qo7pkpJsNQ3vdedlPJIfXpmjHwcEyiuu90TEoay0Xz8
+zbqt1vojiiYfLnh3ChxHwG9mn3d5D2HrQlUJTlGRB+M
+-> ssh-ed25519 VQSaNw nsL5mErC5CJgd4EZKs4ZPb4BINCZMGAhkFr3Z/5vSk0
+vk3vhlydKtsWDCUmO6+fj231tEzNp+5vovLO0Wr7Aqs
+-> @=-grease bI=Z 'IEY&[|q $&(!B z'y\s855
+yNfimzcHFAcfpv7UmfYWh/CAXuUP8mSMxI9w29AI+W7ykCKwWXv9ixLensYRinoo
+vmoBfW/f9aQr
+--- M790Aym/OBexvX+HZK7Hom3HRpLr8ACf4LzYJdSsR8c
+h8ÖÿƒíÃúÑy`¡Œ;ú™ÊÖæ”º±TØ“ÉÚ<áD{–mÉ,Xô´Š_®§ÅíF"šþ]£¦”"
--- a/modules/nixos/dgn-records/secrets.nix
+++ b/modules/nixos/dgn-records/secrets.nix
@ -2,4 +2,4 @@
 #
 # SPDX-License-Identifier: EUPL-1.2

-{ __arkheon-token_file.publicKeys = (import ../../../keys.nix).machineKeysBySystem "nixos"; }
+{ __arkheon-token_file.publicKeys = (import ../../../keys).nixosMachineKeys; }
--- a/modules/nixos/django-apps/default.nix
+++ b/modules/nixos/django-apps/default.nix
@ -392,6 +392,10 @@ in
      webhook = {
        enable = true;

+        package = pkgs.webhook.overrideAttrs (old: {
+          patches = (old.patches or [ ]) ++ [ ./01-webhook.patch ];
+        });
+
        # extraArgs = [ "-debug" ];

        # Only listen on localhost
--- a/npins/default.nix
+++ b/npins/default.nix
@ -42,6 +42,7 @@ let
      builtins.fetchGit {
        inherit (repository) url;
        rev = revision;
+        allRefs = true;
        # hash = hash;
      };

--- a/npins/sources.json
+++ b/npins/sources.json
@ -237,9 +237,9 @@
        "url": "https://git.hubrecht.ovh/hubrecht/nix-modules"
      },
      "branch": "dgnum",
-      "revision": "f3bfda88cf5ca652baa8577da491f9427d98fe5e",
+      "revision": "5cc5d497565cae685bd2eb91606016791c3a9313",
      "url": null,
-      "hash": "1jh8wqlz1bv3b5crfhyvqnh4gjjsyzvs3q0iys6iwq0l337ddgvx"
+      "hash": "09is2zl9570ql1sw250mhpjj8mz2ggy3jx1kvyn6dh2817mv77dc"
    },
    "nix-pkgs": {
      "type": "Git",
--- a/patches/default.nix
+++ b/patches/default.nix
@ -35,12 +35,4 @@ in
    # Build netbird-relay
    (local ./nixpkgs/05-netbird-relay.patch)
  ];
-
-  "agenix" = [
-    {
-      _type = "url";
-      url = "https://github.com/ryantm/agenix/pull/292.patch";
-      hash = "sha256-e45hiHF0HbCYb+3RRhy+8nNIFvefb6SZSN3xcl1mpvI=";
-    }
-  ];
 }
--- a/sources.nix
+++ b/sources.nix
@ -1,38 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
-# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
-# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
-#
-# SPDX-License-Identifier: EUPL-1.2
-
-let
-  unpatchedSources = import ./npins;
-
-  bootstrapNixpkgs = import unpatchedSources.nixpkgs { };
-
-  patch = (import ./lib/nix-patches { patchFile = ./patches; }).base {
-    pkgs = bootstrapNixpkgs;
-  };
-
-  sources = builtins.mapAttrs (
-    k: src:
-    patch.applyPatches {
-      inherit src;
-      name = k;
-    }
-  ) unpatchedSources;
-
-  libOverlay = final: _: {
-    extra = import ./lib/nix-lib { lib = final; };
-  };
-in
-sources
-// {
-
-  inherit
-    bootstrapNixpkgs
-    libOverlay
-    unpatchedSources
-    ;
-
-  fullLib = bootstrapNixpkgs.lib.extend libOverlay;
-}
--- a/workflows/eval-nodes.nix
+++ b/workflows/eval-nodes.nix
@ -7,7 +7,7 @@
 let
  inherit (lib) attrNames genAttrs;

-  nodes = attrNames (import ../meta lib).nodes;
+  nodes = attrNames (import ../meta/nodes);
 in

 {
Author	SHA1	Message	Date
Elias Coppens	1447ec9eb8	fix(vault01): Fixed MTU of br0 All checks were successful Build all the nodes / hypervisor03 (pull_request) Successful in 1m37s Details Build all the nodes / bridge01 (pull_request) Successful in 1m55s Details Build all the nodes / geo02 (pull_request) Successful in 1m55s Details Build all the nodes / ap01 (push) Successful in 31s Details Build all the nodes / rescue01 (pull_request) Successful in 2m1s Details Build all the nodes / tower01 (pull_request) Successful in 1m38s Details Build all the nodes / web03 (pull_request) Successful in 1m56s Details Build all the nodes / web02 (pull_request) Successful in 2m5s Details Build all the nodes / vault01 (pull_request) Successful in 2m8s Details Build all the nodes / netcore02 (push) Successful in 32s Details Build all the nodes / compute01 (pull_request) Successful in 3m12s Details Build all the nodes / storage01 (pull_request) Successful in 2m24s Details Build all the nodes / web01 (pull_request) Successful in 2m20s Details Build all the nodes / bridge01 (push) Successful in 1m43s Details Build all the nodes / build01 (push) Successful in 1m43s Details Build all the nodes / geo01 (push) Successful in 1m48s Details Build all the nodes / hypervisor03 (push) Successful in 1m34s Details Build all the nodes / geo02 (push) Successful in 1m55s Details Build all the nodes / compute01 (push) Successful in 2m9s Details Build all the nodes / hypervisor01 (push) Successful in 2m3s Details Build the shell / build-shell (push) Successful in 26s Details Build all the nodes / hypervisor02 (push) Successful in 2m7s Details Run pre-commit on all files / pre-commit (push) Successful in 23s Details Build all the nodes / rescue01 (push) Successful in 2m4s Details Build all the nodes / storage01 (push) Successful in 1m51s Details Build all the nodes / tower01 (push) Successful in 1m43s Details Build all the nodes / vault01 (push) Successful in 1m56s Details Build all the nodes / web02 (push) Successful in 1m42s Details Build all the nodes / web03 (push) Successful in 1m40s Details Build all the nodes / web01 (push) Successful in 2m12s Details	2025-01-10 19:37:54 +01:00
sinavir	07d226a06e	fix(build01/nix-builder): Use dgn-access-control All checks were successful Build the shell / build-shell (push) Successful in 26s Details Build all the nodes / netcore02 (push) Successful in 32s Details Build all the nodes / ap01 (push) Successful in 33s Details Run pre-commit on all files / pre-commit (push) Successful in 23s Details Build all the nodes / geo01 (push) Successful in 1m34s Details Build all the nodes / tower01 (push) Successful in 1m39s Details Build all the nodes / hypervisor02 (push) Successful in 1m46s Details Build all the nodes / hypervisor03 (push) Successful in 1m46s Details Build all the nodes / bridge01 (push) Successful in 1m55s Details Build all the nodes / geo02 (push) Successful in 1m59s Details Build all the nodes / vault01 (push) Successful in 1m59s Details Build all the nodes / web02 (push) Successful in 1m58s Details Build all the nodes / rescue01 (push) Successful in 2m0s Details Build all the nodes / hypervisor01 (push) Successful in 2m6s Details Build all the nodes / web03 (push) Successful in 2m4s Details Build all the nodes / compute01 (push) Successful in 2m17s Details Build all the nodes / build01 (push) Successful in 2m18s Details Build all the nodes / storage01 (push) Successful in 2m23s Details Build all the nodes / web01 (push) Successful in 2m56s Details	2025-01-10 19:26:24 +01:00
Tom Hubrecht	4b30fb8a36	fix(meta/nodes): Don't duplicate imported modules All checks were successful Build all the nodes / ap01 (push) Successful in 33s Details Build all the nodes / netcore02 (push) Successful in 23s Details Run pre-commit on all files / pre-commit (push) Successful in 24s Details Build the shell / build-shell (push) Successful in 53s Details Build all the nodes / web02 (push) Successful in 1m56s Details Build all the nodes / web03 (push) Successful in 1m56s Details Build all the nodes / bridge01 (push) Successful in 2m16s Details Build all the nodes / tower01 (push) Successful in 2m6s Details Build all the nodes / geo01 (push) Successful in 2m13s Details Build all the nodes / geo02 (push) Successful in 2m13s Details Build all the nodes / build01 (push) Successful in 2m27s Details Build all the nodes / hypervisor03 (push) Successful in 2m17s Details Build all the nodes / rescue01 (push) Successful in 2m22s Details Build all the nodes / storage01 (push) Successful in 2m34s Details Build all the nodes / hypervisor01 (push) Successful in 2m36s Details Build all the nodes / compute01 (push) Successful in 2m51s Details Build all the nodes / hypervisor02 (push) Successful in 2m54s Details Build all the nodes / web01 (push) Successful in 2m59s Details Build all the nodes / vault01 (push) Successful in 3m16s Details	2025-01-10 09:37:58 +01:00
soyouzpanda	8cfc0001b9	feat(build01): Init Some checks failed Check meta / check_meta (push) Successful in 15s Details Check meta / check_dns (push) Successful in 31s Details Build all the nodes / ap01 (push) Successful in 33s Details Build all the nodes / netcore02 (push) Successful in 41s Details Build all the nodes / rescue01 (push) Has been cancelled Details Build all the nodes / web03 (push) Has been cancelled Details Build all the nodes / hypervisor01 (push) Has been cancelled Details Build all the nodes / build01 (push) Has been cancelled Details Build all the nodes / storage01 (push) Has been cancelled Details Build all the nodes / geo02 (push) Has been cancelled Details Build all the nodes / tower01 (push) Has been cancelled Details Build all the nodes / bridge01 (push) Has been cancelled Details Build all the nodes / geo01 (push) Has been cancelled Details Build all the nodes / compute01 (push) Has been cancelled Details Build all the nodes / web02 (push) Has been cancelled Details Build all the nodes / hypervisor02 (push) Has been cancelled Details Build all the nodes / web01 (push) Has been cancelled Details Build all the nodes / vault01 (push) Has been cancelled Details Build all the nodes / hypervisor03 (push) Has been cancelled Details Run pre-commit on all files / pre-commit (push) Has been cancelled Details Build the shell / build-shell (push) Has been cancelled Details Build all the nodes / web02 (pull_request) Successful in 2m15s Details Build all the nodes / hypervisor03 (pull_request) Successful in 2m20s Details Build all the nodes / storage01 (pull_request) Successful in 2m26s Details Build all the nodes / geo01 (pull_request) Successful in 2m26s Details Build all the nodes / vault01 (pull_request) Successful in 2m28s Details Build all the nodes / hypervisor01 (pull_request) Successful in 2m35s Details Build all the nodes / web03 (pull_request) Successful in 2m33s Details Build all the nodes / web01 (pull_request) Successful in 2m49s Details Build all the nodes / compute01 (pull_request) Successful in 2m59s Details	2025-01-09 23:08:08 +01:00
sinavir	d474e39b92	fix(kanidm): Remove useless nixpkgs config for old kanidm All checks were successful Build all the nodes / netcore02 (push) Successful in 20s Details Run pre-commit on all files / pre-commit (push) Successful in 25s Details Build all the nodes / ap01 (push) Successful in 33s Details Build the shell / build-shell (push) Successful in 32s Details Build all the nodes / web03 (push) Successful in 1m38s Details Build all the nodes / bridge01 (push) Successful in 1m40s Details Build all the nodes / hypervisor01 (push) Successful in 1m44s Details Build all the nodes / storage01 (push) Successful in 1m45s Details Build all the nodes / hypervisor03 (push) Successful in 1m47s Details Build all the nodes / rescue01 (push) Successful in 1m57s Details Build all the nodes / hypervisor02 (push) Successful in 1m57s Details Build all the nodes / compute01 (push) Successful in 2m22s Details Build all the nodes / tower01 (push) Successful in 2m55s Details Build all the nodes / geo02 (push) Successful in 2m57s Details Build all the nodes / geo01 (push) Successful in 2m59s Details Build all the nodes / web02 (push) Successful in 2m59s Details Build all the nodes / vault01 (push) Successful in 3m8s Details Build all the nodes / web01 (push) Successful in 3m37s Details	2025-01-09 22:04:02 +01:00
sinavir	ea5c0787d7	fix(forgejo): Renamed option mailerPasswordFile All checks were successful Build all the nodes / netcore02 (push) Successful in 23s Details Run pre-commit on all files / pre-commit (push) Successful in 25s Details Build the shell / build-shell (push) Successful in 48s Details Build all the nodes / ap01 (push) Successful in 1m21s Details Build all the nodes / geo02 (push) Successful in 1m58s Details Build all the nodes / geo01 (push) Successful in 2m0s Details Build all the nodes / tower01 (push) Successful in 2m5s Details Build all the nodes / hypervisor03 (push) Successful in 2m8s Details Build all the nodes / storage01 (push) Successful in 2m12s Details Build all the nodes / web03 (push) Successful in 2m12s Details Build all the nodes / hypervisor01 (push) Successful in 2m13s Details Build all the nodes / bridge01 (push) Successful in 2m21s Details Build all the nodes / hypervisor02 (push) Successful in 2m23s Details Build all the nodes / rescue01 (push) Successful in 2m28s Details Build all the nodes / web02 (push) Successful in 2m35s Details Build all the nodes / vault01 (push) Successful in 2m44s Details Build all the nodes / web01 (push) Successful in 2m48s Details Build all the nodes / compute01 (push) Successful in 2m59s Details	2025-01-09 21:16:03 +01:00