fix(vault01): Fixed MTU of br0

fix(build01/nix-builder): Use dgn-access-control
fix(meta/nodes): Don't duplicate imported modules
2025-01-10 19:37:54 +01:00 · 2025-01-10 19:26:24 +01:00 · 2025-01-10 09:37:58 +01:00 · 2025-01-09 23:08:08 +01:00 · 2025-01-09 22:04:02 +01:00 · 2025-01-09 21:16:03 +01:00
37 changed files with 1809 additions and 324 deletions
--- a/.forgejo/workflows/eval-nodes.yaml
+++ b/.forgejo/workflows/eval-nodes.yaml
@ -21,6 +21,17 @@ jobs:
        STORE_USER: admin
      name: Build and cache bridge01
      run: nix-shell -A eval-nodes --run cache-node
  build01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: build01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache build01
      run: nix-shell -A eval-nodes --run cache-node
  compute01:
    runs-on: nix
    steps:
@ -120,6 +131,17 @@ jobs:
        STORE_USER: admin
      name: Build and cache storage01
      run: nix-shell -A eval-nodes --run cache-node
  tower01:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
    - env:
        BUILD_NODE: tower01
        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
        STORE_USER: admin
      name: Build and cache tower01
      run: nix-shell -A eval-nodes --run cache-node
  vault01:
    runs-on: nix
    steps:
--- a/.forgejo/workflows/npins-update.yaml
+++ b/.forgejo/workflows/npins-update.yaml
@ -1,5 +1,10 @@
 env:
  GIT_AUTHOR_EMAIL: chores@mail.hubrecht.ovh
  GIT_AUTHOR_NAME: HT Chores
  GIT_COMMITTER_EMAIL: chores@mail.hubrecht.ovh
  GIT_COMMITTER_NAME: HT Chores
 jobs:
-  npins_update:
+  agenix:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
@ -7,22 +12,898 @@ jobs:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
-        GIT_AUTHOR_EMAIL: tech@dgnum.eu
+        GIT_UPDATE_BRANCH: npins-updates/agenix
-        GIT_AUTHOR_NAME: DGNum Chores
+      name: Switch to a new branch
-        GIT_COMMITTER_EMAIL: tech@dgnum.eu
+      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
-        GIT_COMMITTER_NAME: DGNum Chores
+        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
-      name: Update dependencies and open PR if necessary
+        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
-      run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n  echo
+        \nfi\n"
-        \"[+] Changes detected, pushing updates.\"\n\n  git switch -C npins-update\n\
+    - env:
-        \n  git add npins\n\n  git commit --message \"chore(npins): Update\"\n  git
+        COMMIT_MESSAGE: 'chore(npins): Update agenix'
-        push --set-upstream origin npins-update --force\n\n  # Connect to the server
+        GIT_UPDATE_BRANCH: npins-updates/agenix
-        with the cli\n  tea login add \\\n    -n dgnum-chores \\\n    -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
+      name: Open a PR if updates are present
-        }}\" \\\n    -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n\
+      run: "npins update agenix\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
-        \  # i.e. no PR with the same title exists\n  if [ -z \"$(tea pr ls -f='title,author'
+        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
-        -o simple | grep 'chore(npins): Update dgnum-chores')\" ]; then\n    tea pr
+        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
-        create \\\n      --description \"Automatic npins update\" \\\n      --title
+        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
-        \"chore(npins): Update\" \\\n      --head npins-update\n  fi\nfi\n"
+        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
-name: npins update
+        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  arkheon:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/arkheon
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update arkheon'
        GIT_UPDATE_BRANCH: npins-updates/arkheon
      name: Open a PR if updates are present
      run: "npins update arkheon\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  cas-eleves:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/cas-eleves
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update cas-eleves'
        GIT_UPDATE_BRANCH: npins-updates/cas-eleves
      name: Open a PR if updates are present
      run: "npins update cas-eleves\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  cgroup-exporter:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/cgroup-exporter
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update cgroup-exporter'
        GIT_UPDATE_BRANCH: npins-updates/cgroup-exporter
      name: Open a PR if updates are present
      run: "npins update cgroup-exporter\n\nif [ ! -z \"$(git diff --name-only)\"
        ]; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\
        \n  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  colmena:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/colmena
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update colmena'
        GIT_UPDATE_BRANCH: npins-updates/colmena
      name: Open a PR if updates are present
      run: "npins update colmena\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  dgsi:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/dgsi
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update dgsi'
        GIT_UPDATE_BRANCH: npins-updates/dgsi
      name: Open a PR if updates are present
      run: "npins update dgsi\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n \
        \ echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n \
        \ if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  disko:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/disko
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update disko'
        GIT_UPDATE_BRANCH: npins-updates/disko
      name: Open a PR if updates are present
      run: "npins update disko\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  dns_nix:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/dns.nix
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update dns.nix'
        GIT_UPDATE_BRANCH: npins-updates/dns.nix
      name: Open a PR if updates are present
      run: "npins update dns.nix\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  git-hooks:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/git-hooks
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update git-hooks'
        GIT_UPDATE_BRANCH: npins-updates/git-hooks
      name: Open a PR if updates are present
      run: "npins update git-hooks\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  kadenios:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/kadenios
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update kadenios'
        GIT_UPDATE_BRANCH: npins-updates/kadenios
      name: Open a PR if updates are present
      run: "npins update kadenios\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  kahulm:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/kahulm
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update kahulm'
        GIT_UPDATE_BRANCH: npins-updates/kahulm
      name: Open a PR if updates are present
      run: "npins update kahulm\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  liminix:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/liminix
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update liminix'
        GIT_UPDATE_BRANCH: npins-updates/liminix
      name: Open a PR if updates are present
      run: "npins update liminix\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  linkal:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/linkal
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update linkal'
        GIT_UPDATE_BRANCH: npins-updates/linkal
      name: Open a PR if updates are present
      run: "npins update linkal\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  lix:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/lix
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update lix'
        GIT_UPDATE_BRANCH: npins-updates/lix
      name: Open a PR if updates are present
      run: "npins update lix\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n  echo
        \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n  if [ -n
        \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n    git push
        --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\n    git push
        -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the server with the
        cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  lix-module:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/lix-module
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update lix-module'
        GIT_UPDATE_BRANCH: npins-updates/lix-module
      name: Open a PR if updates are present
      run: "npins update lix-module\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  lon:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/lon
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update lon'
        GIT_UPDATE_BRANCH: npins-updates/lon
      name: Open a PR if updates are present
      run: "npins update lon\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n  echo
        \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n  if [ -n
        \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n    git push
        --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\n    git push
        -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the server with the
        cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  metis:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/metis
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update metis'
        GIT_UPDATE_BRANCH: npins-updates/metis
      name: Open a PR if updates are present
      run: "npins update metis\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  microvm_nix:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/microvm.nix
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update microvm.nix'
        GIT_UPDATE_BRANCH: npins-updates/microvm.nix
      name: Open a PR if updates are present
      run: "npins update microvm.nix\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  nix-actions:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/nix-actions
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update nix-actions'
        GIT_UPDATE_BRANCH: npins-updates/nix-actions
      name: Open a PR if updates are present
      run: "npins update nix-actions\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  nix-modules:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/nix-modules
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update nix-modules'
        GIT_UPDATE_BRANCH: npins-updates/nix-modules
      name: Open a PR if updates are present
      run: "npins update nix-modules\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  nix-pkgs:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/nix-pkgs
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update nix-pkgs'
        GIT_UPDATE_BRANCH: npins-updates/nix-pkgs
      name: Open a PR if updates are present
      run: "npins update nix-pkgs\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  nix-reuse:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/nix-reuse
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update nix-reuse'
        GIT_UPDATE_BRANCH: npins-updates/nix-reuse
      name: Open a PR if updates are present
      run: "npins update nix-reuse\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  nixos-24_05:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/nixos-24.05
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update nixos-24.05'
        GIT_UPDATE_BRANCH: npins-updates/nixos-24.05
      name: Open a PR if updates are present
      run: "npins update nixos-24.05\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  nixos-24_11:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/nixos-24.11
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update nixos-24.11'
        GIT_UPDATE_BRANCH: npins-updates/nixos-24.11
      name: Open a PR if updates are present
      run: "npins update nixos-24.11\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  nixos-generators:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/nixos-generators
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update nixos-generators'
        GIT_UPDATE_BRANCH: npins-updates/nixos-generators
      name: Open a PR if updates are present
      run: "npins update nixos-generators\n\nif [ ! -z \"$(git diff --name-only)\"\
        \ ]; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n  git add
        npins\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  nixos-unstable:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/nixos-unstable
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update nixos-unstable'
        GIT_UPDATE_BRANCH: npins-updates/nixos-unstable
      name: Open a PR if updates are present
      run: "npins update nixos-unstable\n\nif [ ! -z \"$(git diff --name-only)\" ];
        then\n  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\
        \n  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  nixpkgs:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/nixpkgs
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update nixpkgs'
        GIT_UPDATE_BRANCH: npins-updates/nixpkgs
      name: Open a PR if updates are present
      run: "npins update nixpkgs\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  proxmox-nixos:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/proxmox-nixos
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update proxmox-nixos'
        GIT_UPDATE_BRANCH: npins-updates/proxmox-nixos
      name: Open a PR if updates are present
      run: "npins update proxmox-nixos\n\nif [ ! -z \"$(git diff --name-only)\" ];
        then\n  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\
        \n  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  signal-irc-bridge:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/signal-irc-bridge
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update signal-irc-bridge'
        GIT_UPDATE_BRANCH: npins-updates/signal-irc-bridge
      name: Open a PR if updates are present
      run: "npins update signal-irc-bridge\n\nif [ ! -z \"$(git diff --name-only)\"\
        \ ]; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n  git add
        npins\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  stateless-uptime-kuma:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/stateless-uptime-kuma
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update stateless-uptime-kuma'
        GIT_UPDATE_BRANCH: npins-updates/stateless-uptime-kuma
      name: Open a PR if updates are present
      run: "npins update stateless-uptime-kuma\n\nif [ ! -z \"$(git diff --name-only)\"\
        \ ]; then\n  echo \"[+] Changes detected, pushing updates.\"\n\n  git add
        npins\n\n  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
  wp4nix:
    runs-on: nix
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
    - env:
        GIT_UPDATE_BRANCH: npins-updates/wp4nix
      name: Switch to a new branch
      run: "if git ls-remote --exit-code --heads origin \"refs/heads/$GIT_UPDATE_BRANCH\"\
        ; then\n  git switch \"$GIT_UPDATE_BRANCH\"\n  git rebase main\n  echo \"\
        EXISTING_BRANCH=1\" >> $GITHUB_ENV\nelse\n  git switch -C \"$GIT_UPDATE_BRANCH\"\
        \nfi\n"
    - env:
        COMMIT_MESSAGE: 'chore(npins): Update wp4nix'
        GIT_UPDATE_BRANCH: npins-updates/wp4nix
      name: Open a PR if updates are present
      run: "npins update wp4nix\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n\
        \  echo \"[+] Changes detected, pushing updates.\"\n\n  git add npins\n\n\
        \  if [ -n \"$EXISTING_BRANCH\" ]; then\n    git commit --amend --no-edit\n\
        \    git push --force\n  else\n    git commit --message \"$COMMIT_MESSAGE\"\
        \n    git push -u origin \"$GIT_UPDATE_BRANCH\"\n  fi\n\n  # Connect to the
        server with the cli\n  tea login add -n dgnum-chores -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
        }}\" -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n  # i.e.
        no PR with the same title exists\n  if [ -z $(tea pr ls -f='title,author'
        -o simple | grep \"$COMMIT_MESSAGE dgnum-chores\") ]; then\n    tea pr create
        --description \"Automatic npins update\" --title \"$COMMIT_MESSAGE\" --head
        \"$GIT_UPDATE_BRANCH\"\n  fi\nfi\n"
 name: Update dependencies
 on:
  schedule:
-  - cron: 25 15 * * *
+  - cron: 5 16 * * 6
--- a/keys/default.nix
+++ b/keys/default.nix
@ -5,7 +5,9 @@
 let
  _sources = import ../npins;
-  meta = import ../meta (import _sources.nixpkgs { }).lib;
+  inherit (import _sources.nixpkgs { }) lib;
  meta = import ../meta lib;
  getAttr = flip builtins.getAttr;
@ -18,6 +20,7 @@ rec {
  _keys = {
    # SSH keys of the nodes
    bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
    build01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIYJcEMQpOyKInqtd2/brnSQuzwgv6fNPlTSQx9tcvPu" ];
    compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
    geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
    geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
@ -32,6 +35,7 @@ rec {
    ];
    rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
    storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
    tower01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVpR+TMRLGAfhn7Q0C3tKOydYYjfoC/e1ZYbKpby01Z" ];
    vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
    web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
    web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
@ -98,4 +102,8 @@ rec {
  # List of 'machine' keys
  machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
  nixosMachineKeys =
    rootKeys
    ++ (getKeys (builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == "nixos") meta.nodes)));
 }
--- a/machines/nixos/build01/_configuration.nix
+++ b/machines/nixos/build01/_configuration.nix
@ -0,0 +1,26 @@
 # SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { lib, ... }:
 lib.extra.mkConfig {
  enabledModules = [
    "dgn-forgejo-runners"
  ];
  enabledServices = [
    "nix-builder"
  ];
  extraConfig = {
    dgn-forgejo-runners = {
      nbRunners = 16;
      dataDirectory = "/data";
    };
    services.netbird.enable = true;
  };
  root = ./.;
 }
--- a/machines/nixos/build01/_hardware-configuration.nix
+++ b/machines/nixos/build01/_hardware-configuration.nix
@ -0,0 +1,59 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot = {
    initrd = {
      availableKernelModules = [
        "xhci_pci"
        "nvme"
        "megaraid_sas"
        "ehci_pci"
        "ahci"
        "usbhid"
        "sd_mod"
      ];
      kernelModules = [ "dm-snapshot" ];
    };
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/fed99278-0916-4d9c-b974-c7125d3557b3";
      fsType = "xfs";
    };
    "/data" = {
      device = "/dev/disk/by-uuid/69b62f16-7db1-4720-a115-fd3b8dafe123";
      fsType = "xfs";
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/1372-46EA";
      fsType = "vfat";
      options = [
        "fmask=0022"
        "dmask=0022"
      ];
    };
  };
  swapDevices = [
    { device = "/dev/disk/by-uuid/34b9e0ab-c579-4293-849c-78f5093cf35a"; }
  ];
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/nixos/build01/nix-builder.nix
+++ b/machines/nixos/build01/nix-builder.nix
@ -0,0 +1,64 @@
 # SPDX-FileCopyrightText: 2025 Elias Coppens <elias@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  pkgs,
  lib,
  meta,
  ...
 }:
 {
  config = {
    dgn-access-control.users = lib.genAttrs meta.organization.groups.nix-builder (u: lib.singleton u);
    security.pam.loginLimits = [
      {
        domain = "*";
        item = "nofile";
        type = "-";
        value = "20480";
      }
    ];
    systemd.services.nix-daemon.serviceConfig = {
      MemoryAccounting = true;
      MemoryMax = "450G";
      MemoryHigh = "440G";
      MemorySwapMax = "2G";
      ManagedOOMSwap = "kill";
      ManagedOOMMemoryPressure = "kill";
      MemoryPressureWatch = "on";
    };
    nix = {
      gc = {
        automatic = true;
        dates = lib.mkForce "*:45";
        options = lib.mkForce ''--max-freed "$((128 * 1024**3 - 1024 * $(df -P -k /nix/store | tail -n 1 | ${pkgs.gawk}/bin/awk '{ print $4 }')))"'';
        randomizedDelaySec = "1800";
      };
      nrBuildUsers = 128;
      settings = {
        keep-outputs = false;
        keep-derivations = false;
        use-cgroups = true;
        http-connections = 0;
        auto-allocate-uids = true;
        cores = 0;
        max-jobs = 8;
        fsync-metadata = true;
        experimental-features = [
          "auto-allocate-uids"
          # "ca-derivations" this feature is really extremely broken.
          "cgroups"
          "fetch-closure"
          "impure-derivations"
        ];
      };
    };
  };
 }
--- a/machines/nixos/build01/secrets/forgejo_runners-token_file
+++ b/machines/nixos/build01/secrets/forgejo_runners-token_file
@ -0,0 +1,31 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA plGvUUrRbdkfNyD4UGIjjkv3Ktu4iqL4dImFZzWnqWA
 asE0N7d6lqnOFJWoU+V1bCLhlD5oFAkjs9HSM+ps6Ak
 -> ssh-ed25519 QlRB9Q hagbD6do4gKBuRBN8m8cDL6K0RFmiJwpvJOtAaPKXnA
 9727tWz+PhGm/bycXUUQHV3YqeXc0AD/mM1DvTrBLC4
 -> ssh-ed25519 r+nK/Q bnu+1g77I2LLnXNHZWMkIrgJpxpwJ1ZYgdAL4HE6hCo
 cDLyOiULyjO9s6PACs6Ou6m5h0XcDzbdc7o2P7OAizQ
 -> ssh-rsa krWCLQ
 X8SpFIBmd7LOnJqI+V3MWlaYB8f4Mron5IKYZGrqRPWzLrrkAkJsr1QdV4K9vepe
 zQsHecw8VvCKQesAKFrKTZxF8oXvoJU3GP5q9IVISLuEv8nLxgyhhLqQQqPVWLbC
 0nGGtbke2Xw2QXgUpoe6GdZ53Neg2BShUmV6SYoGeTwdxGmuL6nFH7UMzwsKWLW5
 95CoXfRyp4oxV7FQscuewPL+tNHXh6DoeW8Qlr3rxxgJkCSNMp+EchZJZOroGmtd
 SQb2SgFs712x9han1vNR7Dn3o270xa/AVldmjRBNvDGyNefItb20OP4n3bWSK3b1
 ejR3mZyP5SU2+Pr6navc0w
 -> ssh-ed25519 /vwQcQ NQSD4lKvM7uWm0deYyc22DC7/IGYve0XB9Zg8yOY5GE
 hpDWSKnlW6BtyKlXXS1anB78CvK+mnsm3BOxht7mL4Y
 -> ssh-ed25519 0R97PA i4DSi49b4vQpt3hjiHPn0/H9MzyvHz0OEPJXcvn+G1M
 C9uEKNTPRK8f4d2AYnPqDwTqDOV0SHmG/x/529l3YLA
 -> ssh-ed25519 JGx7Ng 5WgVespkMD/X/67sBoF2RbG+YXu06UuSozHrLJSn2xE
 pISCxxw/Hg9GBxh33gW6JO2mLKrdvSUVb6+AHMHwTtE
 -> ssh-ed25519 bUjjig 14Ocpj1tCsZ5lZQ32wDHsO9iFkrNi8wZS8NUhQ5HEh0
 ZbX31ejXuqmgKD1EcmH/B0zo1CeORzJn+QjrRuWNxh0
 -> ssh-ed25519 oRtTqQ dSGSGECezsXdDeyFcOSLIvKT0jdOs2d73/dRAeBuJjc
 2O/CXEu0rV5EdAewyvdA5XfLXMQvzEEtl8lPsBqICqk
 -> ssh-ed25519 IxxZqA BbHNkDUiEoWcwGjjrkFbOHCXvq2gEd8Rv7tt3p8fXHA
 yJsvxku/Kz26jTTEtuoHDLGO/gUotw/QZc+UwxCIwKE
 -> Tqc#'yq%-grease b
 X3iOhNF2FNp0ImC6uLsqjT1pAbNPBIxUCXLivDKbVIZYoBhtrLpQRJXoWK7GEakA
 8TkORCQQUYZIlNqu2Psfbi0
 --- 19Nolty0dET6QnYlxtieiluPP9R3HbrhEn5EDuFu/s4
 “˜?l÷6r] úfBžo<ŸŒ9Ç‰5M+Ší7íNõÏ¹äô%
Ñ.èœELÄ˜âÂÒw§¾snÑáã¬nšN
-×ØÌ¯pñûëËŠÓ
--- a/machines/nixos/build01/secrets/secrets.nix
+++ b/machines/nixos/build01/secrets/secrets.nix
@ -0,0 +1,7 @@
 # SPDX-FileCopyrightText: 2025 La Délégation Générale Numérique <contact@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 (import ../../../../keys).mkSecrets [ "build01" ] [
  "forgejo_runners-token_file"
 ]
--- a/machines/nixos/compute01/extranix/default.nix
+++ b/machines/nixos/compute01/extranix/default.nix
@ -92,7 +92,7 @@ in
        title = "DGNum module documentation";
        languageCode = "en-us";
        params = {
-          release_current_stable = "infra-DGNum";
+          release_current_stable = "DGNum-Infrastructure";
          logo = "images/dgnum.png";
          footer_credits_line = ''
            Based on <a href="https://github.com/mipmip/home-manager-option-search">Home Manager Option Search</a>
--- a/machines/nixos/compute01/kanidm/default.nix
+++ b/machines/nixos/compute01/kanidm/default.nix
@ -44,8 +44,6 @@ let
  usernameFor = member: meta.organization.members.${member}.username;
 in
 {
  nixpkgs.config.permittedInsecurePackages = [ "kanidm-1.3.3" ];
  services.kanidm = {
    enableServer = true;
--- a/machines/nixos/storage01/_configuration.nix
+++ b/machines/nixos/storage01/_configuration.nix
@ -9,6 +9,7 @@ lib.extra.mkConfig {
    # List of modules to enable
    "dgn-backups"
    "dgn-web"
    "dgn-forgejo-runners"
  ];
  enabledServices = [
--- a/machines/nixos/storage01/forgejo-runners.nix
+++ b/machines/nixos/storage01/forgejo-runners.nix
@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-{ config, pkgs, ... }:
+_:
 let
  url = "https://git.dgnum.eu";
@ -30,22 +30,10 @@ let
    };
 in
 {
-  services.forgejo-nix-runners = {
+  dgn-forgejo-runners = {
    enable = true;
    inherit url;
    storePath = "/data/slow";
    tokenFile = config.age.secrets."forgejo_runners-token_file".path;
    dependencies = [
      pkgs.npins
      pkgs.tea
    ];
    containerOptions = [ "--cpus=4" ];
    nbRunners = 6;
    nbCpus = 4;
    dataDirectory = "/data/slow";
  };
  services.gitea-actions-runner.instances = builtins.mapAttrs (_: mkRunner) {
@ -63,23 +51,4 @@ in
      labels = [ "debian-latest:docker://node:20-bookworm" ];
    };
  };
  virtualisation = {
    podman = {
      enable = true;
      defaultNetwork.settings = {
        dns_enable = true;
        ipv6_enabled = true;
      };
    };
    containers.storage.settings = {
      storage = {
        driver = "overlay";
        graphroot = "/data/slow/containers/storage";
        runroot = "/run/containers/storage";
      };
    };
  };
 }
--- a/machines/nixos/storage01/forgejo.nix
+++ b/machines/nixos/storage01/forgejo.nix
@ -79,8 +79,7 @@ in
        "cron.git_gc_repos".ENABLED = true;
        "cron.update_checker".ENABLED = false;
      };
-
+      secrets.mailer.PASSWD = config.age.secrets."forgejo-mailer_password_file".path;
      mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
    };
  };
--- a/machines/nixos/storage01/garage.nix
+++ b/machines/nixos/storage01/garage.nix
@ -62,7 +62,9 @@ in
      db_engine = "lmdb";
-      replication_mode = "none"; # TODO: deprecated
+      consistency_mode = "consistent";
      replication_factor = 1;
      compression_level = 7;
      rpc_bind_addr = "[::]:${toString ports.rpc}";
--- a/machines/nixos/tower01/_configuration.nix
+++ b/machines/nixos/tower01/_configuration.nix
@ -0,0 +1,17 @@
 # SPDX-FileCopyrightText: 2024 Elias Coppens <elias@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 { lib, ... }:
 lib.extra.mkConfig {
  enabledModules = [ ];
  enabledServices = [ ];
  extraConfig = {
    services.netbird.enable = true;
  };
  root = ./.;
 }
--- a/machines/nixos/tower01/_hardware-configuration.nix
+++ b/machines/nixos/tower01/_hardware-configuration.nix
@ -0,0 +1,120 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot = {
    initrd = {
      availableKernelModules = [
        "ehci_pci"
        "ahci"
        "mpt3sas"
        "usbhid"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ ];
      luks.devices = {
        rootfs01 = {
          device = "/dev/disk/by-label/rootfs01";
          keyFile = "/dev/zero";
          keyFileSize = 1;
        };
        rootfs02 = {
          device = "/dev/disk/by-label/rootfs02";
          keyFile = "/dev/zero";
          keyFileSize = 1;
        };
        slow0101 = {
          device = "/dev/disk/by-label/slow0101";
          keyFile = "/dev/zero";
          keyFileSize = 1;
        };
        slow0102 = {
          device = "/dev/disk/by-label/slow0102";
          keyFile = "/dev/zero";
          keyFileSize = 1;
        };
        slow0201 = {
          device = "/dev/disk/by-label/slow0201";
          keyFile = "/dev/zero";
          keyFileSize = 1;
        };
        slow0202 = {
          device = "/dev/disk/by-label/slow0202";
          keyFile = "/dev/zero";
          keyFileSize = 1;
        };
        slow0301 = {
          device = "/dev/disk/by-label/slow0301";
          keyFile = "/dev/zero";
          keyFileSize = 1;
        };
        slow0302 = {
          device = "/dev/disk/by-label/slow0302";
          keyFile = "/dev/zero";
          keyFileSize = 1;
        };
      };
    };
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
  };
  fileSystems = {
    "/" = {
      device = "rootfs";
      fsType = "zfs";
    };
    # boot1 = boot partition (primary)
    # boot2 = boot partition (backup)
    "/boot1" = {
      device = "/dev/disk/by-uuid/1965-5D59";
      fsType = "vfat";
      options = [
        "fmask=0022"
        "dmask=0022"
      ];
    };
    "/boot2" = {
      device = "/dev/disk/by-uuid/19C4-49E1";
      fsType = "vfat";
      options = [
        "fmask=0022"
        "dmask=0022"
      ];
    };
    "/nix" = {
      device = "rootfs/nix";
      fsType = "zfs";
    };
    "/var" = {
      device = "rootfs/var";
      fsType = "zfs";
    };
  };
  swapDevices = [
    { device = "/dev/disk/by-uuid/7614fa12-c6a7-456e-9620-eb9c0e025140"; }
    { device = "/dev/disk/by-uuid/eb0aef44-b264-4f94-b847-3ad5dcc19ffd"; }
  ];
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/nixos/tower01/secrets/secrets.nix
+++ b/machines/nixos/tower01/secrets/secrets.nix
@ -0,0 +1,7 @@
 # SPDX-FileCopyrightText: 2024 La Délégation Générale Numérique <context@dgnum.eu>
 #
 # SPDX-License-Identifer: EUPL-1.2
 (import ../../../../keys).mkSecrets [ "tower01" ] [
 ]
--- a/machines/nixos/vault01/networking.nix
+++ b/machines/nixos/vault01/networking.nix
@ -58,7 +58,10 @@ let
            LinkLocalAddressing = "no";
            DHCPServer = "yes";
          };
-          linkConfig.Promiscuous = true;
+          linkConfig = {
            Promiscuous = true;
            MTUBytes = 1500;
          };
          addresses = [
            {
              Address = "${servIP}/27";
@ -134,7 +137,10 @@ let
      Id = 2001;
      address = [ "10.0.254.1/24" ];
-      extraNetwork.networkConfig.DHCPServer = "yes";
+      extraNetwork = {
        networkConfig.DHCPServer = "yes";
        linkConfig.MTUBytes = 1500;
      };
    };
  } // builtins.listToAttrs (map mkUserVlan userVlans);
 in
@ -176,6 +182,7 @@ in
            IPv6AcceptRA = false;
            IPv6SendRA = false;
          };
          linkConfig.MTUBytes = 1504;
        };
        "50-gretap1" = {
          name = "gretap1";
@ -200,6 +207,7 @@ in
            IPv6AcceptRA = false;
            IPv6SendRA = false;
          };
          linkConfig.MTUBytes = 1500;
        };
        "50-wg0" = {
          name = "wg0";
--- a/machines/nixos/web02/cas-eleves/default.nix
+++ b/machines/nixos/web02/cas-eleves/default.nix
@ -14,6 +14,9 @@ let
  inherit (lib) mapAttrsToList;
  host = "cas.eleves.ens.fr";
  src = sources.cas-eleves;
  port = 9889;
  python3 =
@ -49,7 +52,7 @@ let
  staticDrv = pkgs.stdenv.mkDerivation {
    name = "cas_eleves-static";
-    src = sources.cas-eleves;
+    inherit src;
    nativeBuildInputs = [ pythonEnv ];
@ -85,13 +88,12 @@ in
        };
        StateDirectory = "django-cas-eleves";
        User = "cas_server";
-        WorkingDirectory = sources.cas-eleves;
+        WorkingDirectory = src;
      };
      environment = {
        CE_ALLOWED_HOSTS = builtins.toJSON [
-          "cas-eleves.dgnum.eu"
+          host
          "cas.eleves.ens.fr"
        ];
        CE_STATIC_ROOT = staticDrv;
      };
@ -99,8 +101,8 @@ in
      path = [ pythonEnv ];
      script = ''
        python3 manage.py loaddata patterns
        python3 manage.py migrate
        python3 manage.py loaddata patterns
        gunicorn app.wsgi --pythonpath ${sources.cas-eleves} -b 127.0.0.1:${builtins.toString port} --workers=2 --threads=4
      '';
    };
@ -118,7 +120,7 @@ in
        };
        StateDirectory = "django-cas-eleves";
        User = "cas_server";
-        WorkingDirectory = sources.cas-eleves;
+        WorkingDirectory = src;
      };
      path = [ pythonEnv ];
--- a/meta/network.nix
+++ b/meta/network.nix
@ -13,6 +13,25 @@
    netbirdIp = null;
  };
  build01 = {
    interfaces = {
      enp35s0f0np0 = {
        ipv4 = [
          {
            address = "10.0.254.21";
            prefixLength = 24;
          }
        ];
        gateways = [ "10.0.254.1" ];
        enableDefaultDNS = true;
      };
    };
    hostId = "adb676ce";
    netbirdIp = "100.80.31.249";
  };
  compute01 = {
    interfaces = {
      eno1 = {
@ -189,6 +208,29 @@
    netbirdIp = "100.80.156.154";
  };
  tower01 = {
    interfaces = {
      eno2 = {
        ipv4 = [
          {
            address = "129.199.210.119";
            prefixLength = 24;
          }
        ];
        gateways = [ "129.199.210.254" ];
        dns = [
          "129.199.96.11"
          "129.199.72.99"
        ];
      };
    };
    hostId = "7874d06e";
    netbirdIp = "100.80.185.124";
  };
  vault01 = {
    interfaces = {
      vlan-uplink-cri = {
--- a/meta/nodes/nixos.nix
+++ b/meta/nodes/nixos.nix
@ -49,6 +49,25 @@
    };
  };
  build01 = {
    site = "pot01";
    hashedPassword = "$y$j9T$n83qOn1OkQhFwQe50tPM11$jZ1tvgqMTcp4HLGEfJmTMsf0NnRUYQkzco9vibWTpU2";
    stateVersion = "24.11";
    nixpkgs = {
      version = "24.11";
      system = "nixos";
    };
    admins = [ "ecoppens" ];
    deployment = {
      targetHost = "build01.dgnum";
    };
  };
  compute01 = {
    site = "pav01";
@ -177,11 +196,25 @@
    };
    nix-modules = [
      "services/forgejo-nix-runners"
      "services/netbird/server.nix"
    ];
  };
  tower01 = {
    site = "oik01";
    hashedPassword = "$y$j9T$axihKDa.CrYcyoamJWxBq1$bl4TfropTrwLqMy6XK0DKkWRyx9b74kyI/ukE8X5iiD";
    stateVersion = "24.11";
    nixpkgs = {
      version = "24.11";
      system = "nixos";
    };
    admins = [ "ecoppens" ];
  };
  vault01 = {
    site = "hyp01";
    deployment.targetHost = "vault01.hyp01.infra.dgnum.eu";
--- a/meta/organization.nix
+++ b/meta/organization.nix
@ -95,6 +95,14 @@
      "catvayor"
      "ecoppens"
    ];
    nix-builder = [
      "catvayor"
      "ecoppens"
      "mdebray"
      "raito"
      "thubrecht"
    ];
  };
  external = {
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -21,6 +21,7 @@
      "dgn-console"
      "dgn-chatops"
      "dgn-firewall"
      "dgn-forgejo-runners"
      "dgn-hardware"
      "dgn-netbox-agent"
      "dgn-network"
@ -43,6 +44,7 @@
      [
        "age-secrets"
        "services/bupstash"
        "services/forgejo-nix-runners"
        "services/reaction"
        "services/systemd-notify"
      ]
--- a/modules/nixos/dgn-access-control.nix
+++ b/modules/nixos/dgn-access-control.nix
@ -58,6 +58,7 @@ in
    users.users = builtins.mapAttrs (
      username: members:
      {
        isNormalUser = lib.mkIf (username != "root") true;
        openssh.authorizedKeys.keys = dgn-keys.getKeys members;
      }
      // optionalAttrs (username == "root") { inherit (nodeMeta) hashedPassword; }
--- a/modules/nixos/dgn-firewall/default.nix
+++ b/modules/nixos/dgn-firewall/default.nix
@ -3,9 +3,9 @@
 # SPDX-License-Identifier: EUPL-1.2
 {
-  pkgs,
+  config,
  lib,
-  name,
+  pkgs,
  ...
 }:
@ -13,6 +13,7 @@ let
  inherit (lib)
    concatStringsSep
    length
    optionalAttrs
    replicate
    splitString
    ;
@ -85,7 +86,9 @@ in
      stop = [ (nft "delete table inet reaction") ];
-      streams = streams'.default // (streams'.${name} or { });
+      streams = {
        inherit (streams') ssh;
      } // (optionalAttrs config.services.nginx.enable { inherit (streams') ai-crawlers; });
    };
  };
 }
--- a/modules/nixos/dgn-firewall/streams.nix
+++ b/modules/nixos/dgn-firewall/streams.nix
@ -23,8 +23,46 @@ let
      cmd = act "delete";
    };
  };
 in
 {
  ai-crawlers = {
    cmd = [
      "tail"
      "-n0"
      "-f"
      "/var/log/nginx/access.log"
    ];
    filters.bots = {
      regex = builtins.map (name: ''^<ip>.*"[^"]*${name}[^"]*"$'') [
        "AI2Bot"
        "Amazonbot"
        "Applebot"
        "Applebot-Extended"
        "Bytespider"
        "CCBot"
        "ChatGPT-User"
        "ClaudeBot"
        "Diffbot"
        "DuckAssistBot"
        "FacebookBot"
        "GPTBot"
        "Google-Extended"
        "Kangaroo Bot"
        "Meta-ExternalAgent"
        "Meta-ExternalFetcher"
        "OAI-SearchBot"
        "PerplexityBot"
        "Timpibot"
        "Webzio-Extended"
        "YouBot"
        "omgili"
      ];
      actions = ban "720h";
    };
  };
  available = {
  ssh = {
    cmd = journalctl "sshd";
@ -42,9 +80,4 @@ let
      };
    };
  };
  };
 in
 builtins.mapAttrs (_: builtins.foldl' (a: s: a // { ${s} = available.${s}; }) { }) {
  default = [ "ssh" ];
 }
--- a/modules/nixos/dgn-forgejo-runners.nix
+++ b/modules/nixos/dgn-forgejo-runners.nix
@ -0,0 +1,91 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 # SPDX-FileContributor: Elias Coppens <elias@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
 {
  config,
  lib,
  pkgs,
  name,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib.types) int nullOr str;
  cfg = config.dgn-forgejo-runners;
 in
 {
  options.dgn-forgejo-runners = {
    enable = mkEnableOption "forgejo-nix-runners for the DGNum forge";
    nbRunners = mkOption {
      type = int;
      description = ''
        Number of runners to spawn.
      '';
    };
    nbCpus = mkOption {
      type = nullOr int;
      default = null;
      description = ''
        Maximum number of cores available for each runner.
        When set to null, there will be no restriction.
      '';
    };
    dataDirectory = mkOption {
      type = str;
      description = ''
        Base directory to store data for runners.
      '';
    };
  };
  config = mkIf cfg.enable {
    services.forgejo-nix-runners = {
      enable = true;
      url = "https://git.dgnum.eu";
      storePath = cfg.dataDirectory;
      tokenFile = config.age.secrets."forgejo_runners-token_file".path;
      names = [
        "on-${name}"
      ];
      dependencies = [
        pkgs.npins
        pkgs.tea
      ];
      containerOptions = lib.optional (cfg.nbCpus != null) "--cpus=${builtins.toString cfg.nbCpus}";
      inherit (cfg) nbRunners;
    };
    virtualisation = {
      podman = {
        enable = true;
        defaultNetwork.settings = {
          dns_enable = true;
          ipv6_enabled = true;
        };
      };
      containers.storage.settings = {
        storage = {
          driver = "overlay";
          graphroot = "${cfg.dataDirectory}/containers/storage";
          runroot = "/run/containers/storage";
        };
      };
    };
  };
 }
--- a/modules/nixos/dgn-netbox-agent/secrets/netbox-agent
+++ b/modules/nixos/dgn-netbox-agent/secrets/netbox-agent
@ -1,53 +1,55 @@
 age-encryption.org/v1
-> ssh-ed25519 jIXfPA zyp8jIQ/BGlaOe2hCYdO2/jpiCJO/yASFn2v4yxF3XE
+-> ssh-ed25519 jIXfPA AoV8xDKiLKK+BAtfkB+pNkHZLDIEGw7JyNTTtvayBwA
-tnajUOFI/LeiRRK2+XEmgAhU8PfyerYDPZ3CASAx6uE
+HfIw7XZFDOYSjBVtP103shjsP/1ObTxJr6Aa4CiaTLU
-> ssh-ed25519 QlRB9Q GTRAu+AUZ2MJs3ZaZR8GcS8U2xyGR0mx1FB78TmVhik
+-> ssh-ed25519 QlRB9Q Ctz/5A3UkDcAZ4nukgqE5oiUOa7taQAE1HSanyAEJh0
-PmenwNgQQUd6JWgUU1zmJWF+Lek4QwCKc0MzD/iLGUE
+coUvmMgmewvtJJJrKJhqBCHpmZiOJxYUEWjKzULO10E
-> ssh-ed25519 r+nK/Q 2cOo2pK5KN0keAbW62MaC0/wDysciEZPgY8+3vhx30s
+-> ssh-ed25519 r+nK/Q iuEli8ApCKNau1Ugl/bpeQcW9ONQGi8NtvWWJpLHGDU
-ZmjX2vi9qYOVWtctWcEt95l2kBlZH1uNLFUdUxSHyus
+VMf6rdc0jjRY3ccMwoyf2omLklZanhbxrBeNVfN+l6o
 -> ssh-rsa krWCLQ
-xNCMgSxO8SA2rQqU14RD2TU5PQyssMlWomoA9VjoT6FsYZleRd7nPeABYqlnzUNj
+UcotJT8W4HRBV4IQiqlgPZnZnd/htvZiZyT3XNdhs2PBHbMWdG/86EQMUg4VH9yQ
-wWk3obSp3AO+NNscnmFrAijYQl0C+hBBplsgEyQ87j60s0ReAZGaURbrxRJr0dr/
+MduYfcr53BUq0usGIWaz/fKCTTTNvnbtu3FnnMpYjsraTomR4sY8JoCabl3v6jWA
-2JBrPtQ7tiSQYRZG9DH6ASUYrlVCB3Vq18OOa+os8PpqyL6Q6pglx0ePY1wx9irG
+UNYEcE5+5Nttx8NhYOK3AIi6xId2JUU9ju7/TnIbQzJgSNeF742EymAOKPT0+RB2
-6qj54LAR34C+uOi620LZuJ3YhZYIp0blmxqrXGeVTY1c7mmELKCdslFpiBvKE5jf
+XlMKbvLqoqW50JpYu1NZMJX0ZRv7BtlwdCUzh5AMpTHT26JaWQDD4sx0OquCKfOY
-71Lj6ihc5Z5kJxi0vPXMXkuGXtmlIr57dre2XWhynuXq9sLj0KEE0GVQa/vMV3Hd
+d652PN1goGXTruQJE8zk8eln8575hFlze6cBSXEg7gZjDnKHIFZMZTHWss26MzHV
-4/ATD4bbpkzwkfZIlL1LRQ
+R8AnyF7o6IZ2SMBkk91vhg
-> ssh-ed25519 /vwQcQ 63EfH8Eu6Rdyz01sN7yfpaQpxJ2w4VqzQRWMw3AMSAk
+-> ssh-ed25519 /vwQcQ iHmADnr9AGlGgDADay5pgIz/QhmWWtFKhHvP9L08ZFQ
-bj1CFYkCOcoMtuq/mC+vn9YM8aM9rLClcGo1rpytN7k
+w63c1jKC/lI90DhmXpIi3//fq9ZfVzWMqrmQXZyT48o
-> ssh-ed25519 0R97PA gOIroiigdZxulsng29mz0o3gLYnMb5YjmBOmTd9UvHw
+-> ssh-ed25519 0R97PA Gd1UrJXNWN20iosx5GVhXFaYipVHSES+dhk/M/Z9oV0
-mgvgYedm7U1y5BlRcvPEZhHpPEnczungDuBAEGcJwMw
+myKtTzEmBlFeiwXmhJoF0v+A/Rvx8q1AilR1Dh4w4uA
-> ssh-ed25519 JGx7Ng FeQyBpbGZ2WGztFXBpJ5uYXIPIEJqnf2FedleYRQJUc
+-> ssh-ed25519 JGx7Ng gHJNedmJ7UdIwhqq1tWxGa4cX0LcZ/VaenKM2J9F7lo
-SzbinTIdwa1pvc9AZSWj2GRR86hD+SHY63QzBSv4D3I
+Oq7wjxPALgXglkCCoNO4UvR2vzJGmPHFDHeOqktVuwg
-> ssh-ed25519 5SY7Kg BgCKJrxjRS8QNCndIfySdq2u+hv3Q7Dg/hToWOE8e3g
+-> ssh-ed25519 bUjjig CRXtLDeT7jqwKLpaO4/63JnetInAQkaIkE6mxc5N1UI
-/rKzCb9fdZTEwTP1/QW4vn1ewQDn5TtV4Ui3MwChdB8
+gMYkaaGu7xpZx7KvZ6P3WMoOozF2Agmyl7B69H5nppc
-> ssh-ed25519 p/Mg4Q ftfpqvy3TuWoq+Hcmt+oYiJ1GhwYvR+GDh3MzVsfv3s
+-> ssh-ed25519 DqHxWQ otOMVwImeWqKrTFEdIJyPlYSopD6k6hFamQPpt2nLBE
-I2dj0FSRGfoBqwSetdKz9NX11zUeHxIizmjctYrmjD8
+CxNSm1/LMwP0zqg17yXVRIdiZ63pDm6qIS8wP/dKCD4
-> ssh-ed25519 DqHxWQ Zs+uNTp/4plSisoBzUpnvlZXLrbYphYvaeogHCyg4As
+-> ssh-ed25519 tDqJRg v30xkeXkoFPYKs4Dfi37CEgyv3hv574fotA77gusoxs
-hvXMQNPnJK7ZQrkYIyHW07rWd06QkNpiNuL3oUXxoQo
+eL7E6XA/MEgiYAiQPXu4oEFTNExWWwZY82neLzGw5vk
-> ssh-ed25519 tDqJRg hMw/doebsExNtZ9oC1OFrnWOsiPOKh3D76RPfw0If00
+-> ssh-ed25519 9pVK7Q hXrymfnHQQixF0ov9Kt4wkeCr7aIKju3rFd7KB+zeAg
-p5dxioeIt558deMFrRiTMxYocmP6p8kTk/nzSb5yuPA
+6FlfRrh/KSOpbcmNzdG7DuSX9vtZbWNMk27WJjSG23g
-> ssh-ed25519 9pVK7Q mctwqK3IkQdbeajO9mbvejtG85rFXTmFdptrzIzP9Cc
+-> ssh-ed25519 /BRpBQ f3ydj4vyxTBOjOcOLVQvFh2l2p+Ugmj3kZMFSikbbFU
-sVG1NKMmTR0Sf60hvPJ4QRypmBT4a6yUZ+gyp/Xf+EQ
+/5+bHomn/HADptsbxi4pdK+qxc3HA+2NETRKhJKYGx8
-> ssh-ed25519 /BRpBQ C6CjF9H+x1fd2s4sjHw0IzKpNvbnr3H0tnxJdwzrzlQ
+-> ssh-ed25519 t0vvHQ m8IWCX3aEQmx8YXy48zMxDyujTLtJyApVapU5I1LKi4
-gcrSM7NoHqeFdsTAWpO23cfAISile0uVEHu4fBvqwME
+YFoCQX0jPMi55tsD+uNvHofawW+MXgoP1nhflZdKKIo
-> ssh-ed25519 /x+F2Q t6mrvde1VJP7ARlwQAFOQxg6Uu2+GDDzN8GG/F/C5zA
+-> ssh-ed25519 E6cGqw 4qwrLGLPM+hDxoMPdNnp63D1ntx8zNb8/Fyo/3qyySs
-z3jOcIvHjH4TgiMHqABBU5t9bilBtv5rBKHJLMp9CaA
+k51U+tHb8KPmWMzhrZceUivFJKg3gzCAGpqCvDyc3xs
-> ssh-ed25519 +MNHsw 5FBjw08c8F2wqrJe8KfWdn5bjzYmXXqLpVIozq8c8WE
+-> ssh-ed25519 EEPmeQ ccgkj2wETQMmyOVNl0elsPPN2DvIgEooDOI41rJ+/C0
-47oEgYMsl6/JtL1JqOOajHdB22gIdIGhhtcchUK7ZX4
+mYWPULU3MyHpz6j28FbIDHhp1VeH4WRipiG/AkWp3iw
-> ssh-ed25519 rHotTw 4/W5DKJCc18KOcJQ1s4DveOVEjf5oy3HeQF5AThpvFM
+-> ssh-ed25519 +MNHsw E4HK1QIJb4e0HzJNFJoHWhIM0PAz1UMEfFGRbIbwEXU
-vG9LsTXTFk6TLHNDDS3qtirjm7iyZnhN+FM++xU0qGI
+yi3ecinlgUVuMbzFTC5u/R7NNr+knaHnw7zhXo4U9kM
-> ssh-ed25519 +mFdtQ bh0b+b2J2dg9hpBVYM3hDUwJOO/xi+dcH41abtVjt2E
+-> ssh-ed25519 rHotTw hBtzSPFVlxHmakQaj/kJGGZ9vcLoM3DjwL6xj+gC+Xo
-NPU1M+fXjOSROEWY73hftAniWUpr0ymbfo8mqZTPC/M
+w4XbILzfS84Igno8z1EfjJRbYlQvvIpRlMVXt/+CYU4
-> ssh-ed25519 0IVRbA ioMW4UYJ+kKlZBdf430FHnbqdw3BcwWSr2RmOHCv+hA
+-> ssh-ed25519 NaIdrw 3ODbuYhG3Ts572UCdq8fUSc9frKeXlINUdVhy8LFnVU
-qw0VDAu93LSEZqhs9nRTCMGWsXKjxK65VfkKJbUU5fY
+3nvYZhuRKXm5EHd1KM4uO+3irxQDLHMdN76MhPFpvR0
-> ssh-ed25519 IY5FSQ 1aD4KWKITo+88CEwuTKq1QH+Pf5qoOXlI+EY2FX9IG4
+-> ssh-ed25519 +mFdtQ VSTpZ8+P5jbyuuOojTKzIo6YmW4adRbG0rssUEocgho
-KzOGMeIxLypf7S6WeUM4Zr/S/g9HWXHBGcKkgHMLRJc
+ZwnC32ywtC6c1cebe2XF9t8x9TTRtt2B4ZlqM/4gOzg
-> ssh-ed25519 VQSaNw fCt2YDODTAtamSSYH+RNIpWAQ53WPwOeR92rHa89QBE
+-> ssh-ed25519 0IVRbA 3rhK2KihTYJDysIANlpZLYCbRguv1QOCbKgdocPWDEk
-2KAY4EgfxnNxvQGV4lgoGT+sb4nJV1eE50GHRljngEo
+d3pvvkhNxXcNZ1HwUiyquEspwLibyYGKCZrwz5B2T8g
-> x!p-grease Qza ,IU!}' (fMHX0~ m
+-> ssh-ed25519 IY5FSQ p4+vtg7SON1fIn6fUOhnd2Rxt+9eVEqls48IIBBOqkw
-DGgaSNyr7o+hl8p9viIHBbTdiTdY79TgFsTdM2oBJAqT5P/LkFzg8TYNsH04eReH
+EkjceamiQDQLRRuxQt3mG9WQ96F3XSAAktKg9twGwhY
-dmTu9wjN2OM
+-> ssh-ed25519 VQSaNw sk0bsPgWlMBXk7DI7aDBuWZ4cNsQOVnpQmBJinqXd1k
--- +/E2Y1+KnzcreXm8DtJE39wR4dVL6vneloVFzK33c8Y
+G8DAz80agW6qCDcLVewfxZTkae/JzaFDcenlFHTYjPA
-T|ïá+¡ÆTÔŒÄ
+-> \cr-;-grease DZ^oMD&2 GB%w]p #g_
-vÎ§“8»,OÔ¸lžÇ±z)/0<30>>hkJMèl	öÝ®GØßûGÜ>lU¯1Ÿ}€Š¤£T<C2A3>ÞhèÅý,åÎ8Åç%ßÓ¤lQ‰
+HMU4jwh6dkuPjOepUsLjSvO9JXRa5X5TUMVOdrYcv39jNvDnx8S+BJAs6BBVhOPh
-ëb©,@
+csvWfFwTPA
 --- UEkzkRDhvHIrTFs2UXLTuJZY/ILa9uTI3QdkNQrKbHw
 Ài´:®¢-äámlZšP 9{A‹’Ò€ˆ‰~*…#Å:.j/¾ê“µ‚B`KÓ5^P(u“õÒt³¶DûG_…®%¡‘èûG€s]ðŸÁßÞB{àws³¶V8e2<65><32>aXÓ$”ô2M
--- a/modules/nixos/dgn-netbox-agent/secrets/secrets.nix
+++ b/modules/nixos/dgn-netbox-agent/secrets/secrets.nix
@ -2,4 +2,4 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-{ netbox-agent.publicKeys = (import ../../../keys).machineKeys; }
+{ netbox-agent.publicKeys = (import ../../../../keys).nixosMachineKeys; }
--- a/modules/nixos/dgn-notify/mail
+++ b/modules/nixos/dgn-notify/mail
@ -1,50 +1,56 @@
 age-encryption.org/v1
-> ssh-ed25519 jIXfPA zVe/xwQCEtVnX8qWShePzBmhfQbENRMn8XgPzEqb1gY
+-> ssh-ed25519 jIXfPA uwfDbp6deCl1ZuO/9HWEghRdmx6C48WYfrUSprsUhGw
-CFa4qXtY8lBlSIxnWVbejVta8BFYmsCtp9TdXXexZYE
+/ram5+hhFm4otCrfe8ikxazml7GlXydSLnV6Gx88eeA
-> ssh-ed25519 QlRB9Q 3EJeDSBkwJU2LaKHygG/a0tfFRXcp8SNJBxyhIOwBDU
+-> ssh-ed25519 QlRB9Q k5ASPvydXiyyIhcviZWBMrKBT5UQeY68Lvs7OSYVH0U
-PI63A4YJFC1XTNPbl73SBlUMV25o0ZeojAr8tr5mtlY
+VQD2FHyF76l+OI87JUvgz+4ZIpYZbTmojWr6w+0Ce4M
-> ssh-ed25519 r+nK/Q /4HQCHPBBk7lD2mwJOMEmTeRpPGnPgTcL+htNRvkxkk
+-> ssh-ed25519 r+nK/Q PKv1jnfLjPoevbENLT+BDrkzhngXmtDiepSDKZPPvXg
-oXLQoX+AK8zn82wsnLHK4BOpK3gn5lThWiFXh8+rxUU
+Egz1qIKAoYwM9WnRIsxaVcMVnZQ4ejBZB2tWvuqPZto
 -> ssh-rsa krWCLQ
-ox5TBB9buXII2U32S/XpQVdr3r87p9lt/7WwELq//ik7vf4B6mZPbYvIV05JZ5bO
+JxjsWDFX9cqlYYj8XfEz6WlO9xHM6Kjz/Bdkl0E9vRjP8RohPGvGjMwWTv5rAmYf
-4f5khDdw+q1bbniDCBH2aPKM0ni3wBdLkT3jwdQBL5imSQuly/cFMdvVwSTuwN9k
+n4yMTfau5BNq04WOUoHEz+TJBLwgdGs0yLVrqauLVSSquNxNFaTDN7wIoq3YJ1sP
-8smSavsUYK5q5xgE49oMYJBAhNVGFI7NKlx7/a3VaVybsLAnzp3AeWy1o5BB1fKT
+66bqP7KqKfgYM+wPg07pnhEVm4T6io9IiH5D4utupSQGBGtXBNWeoORW2Q4XgqBg
-7Emt88ht4lymL/gyxSMLT5Dreb5Sm+AcE+gYAK92OnX4Z1k8FqETppTKZDuoZUmv
+n5pPM+EIqCAGIH+iotKzQLAtn3JaxXBliY69JYXZ9m6eKonTGOnltLgAnkslEIm9
-hJPpylXw7/YJU7Q0CluwtcGWFaTuE6AT0IrlCdY3NuMGA9IfpVsZr1kocdq2qB02
+qwArShZ5YKcEfO9QMioUnbiZU9MV+61ybq16ilWn2MfSUTXS4OBAtJxz6uu093D8
-90/yy51Ulwhfhiy1/3mlfw
+jmGuhxzXKhB48P/frH/hRQ
-> ssh-ed25519 /vwQcQ SGCKP+4m5p9SiYnU3vL0QaKp/3+yztZ0snZ6os+mUAo
+-> ssh-ed25519 /vwQcQ riG1XuW1BCD0xyVeRSgBNrnVmnzL13eor65GEr6AxgM
-ZEVgV6jo7tRdM1KxQJ2UJRDEYaiQy9PYzaeSAstHYFQ
+N08UbQEOhWsAZyazEN59ztZ7XcXpxSVS2i5m2on1R5k
-> ssh-ed25519 0R97PA Bblz2DxUIBovbFqHhwGSRrs3Hbc1vNMtn8SK976YYAU
+-> ssh-ed25519 0R97PA abXQZeB5lRIGNdR/a0uh0o6nU62ZgJgP/Ifo2Sa8VkQ
-FtEsqOUChH+uzFuTsATraNyyJXXdkesmbe8T+LeK9nU
+dP2djzaPrNoXAs7Wf9hPQ7cAi2lABLfm/XNW7x3G4XM
-> ssh-ed25519 JGx7Ng 3umTe7hK60ghA4fXbapBRjjJ9K6hXLfV5kQrBzwsmS8
+-> ssh-ed25519 JGx7Ng bgExR1n+lL4Nth44hAlaPwJyTOJnX0HzzTV13UCvEBg
-oRBFSJsVStw2ul6JxdJuan18GriwYF+d8asKXnWDpZA
+rEjfzKhpwMUQCAxX8u7duZeZURdwtEwtE9rngMYMA5M
-> ssh-ed25519 5SY7Kg Ft714PG5dVVJWHu0aJh+wdT04vSb/vlDVsWmUhdjUXw
+-> ssh-ed25519 bUjjig bAhLFnqdVKEzST6m7NWGeqInuNQyclLYFNzjBJOEmmE
-qY7OJduSibFheBQOrGnSFUOhou/WyyY/M5tAYGvaTJI
+rVRcUfyfMG2EpIucz65bOuC1PVuNjKU285czNjKwJ2k
-> ssh-ed25519 p/Mg4Q u6ES8PpiDb1OY97sMQ/kL6sTIjBhDk1aqoIEd0I5BgA
+-> ssh-ed25519 DqHxWQ j0yUDi5WL76b9ywKcBA0TAX6ilQMXApiPWMgDFucxHc
-pbX1Wk+5aTbf5rU2JM0rf4SR/fJGLKcDcqLF1yDXbiE
+8NynFQxLhhvyMLeHY7jBxvEGkbDeItSN9GxyMvpCmJo
-> ssh-ed25519 DqHxWQ n8qHGzdwY1RfajPN+oZV0Ps44rqbW5tcUFSSPbyZmAw
+-> ssh-ed25519 IxxZqA 7fkr+YUngEszyOXKf5ba26X08LALDEZh1YdP2lmBD1s
-EAK0hA/94/ZxBz0iNaTl2RlpswiO+2eIWugozHrZZfw
+qQhTzEV7K0AIRcNQHrBmGjViBfxMhfTc74ez4oRYz88
-> ssh-ed25519 tDqJRg RAEIORbyHLRNkm+mFsq07E1uzbEEIBQ3eG+kpyXLLG0
+-> ssh-ed25519 tDqJRg 3lNl0f4EI5iGfkOEwgsdbuqFH/Ii7aSLC/ZTPXVPejc
-1S7gL5WgXiFZxgH6kSp1zANafDTEKsC4Wo4kT8oB7b8
+0NiYrCEhLaQF2zycyNT358CKVnhPLU5bibKZONWiISs
-> ssh-ed25519 9pVK7Q p7tGHwbC3CWap6feMXq2twGHkyszLP0EKwhW4McAoj4
+-> ssh-ed25519 9pVK7Q r7ug0wHYoccWduiMCC8nbPB0zKTUOJHJGuL6Cex0r38
-7F0zZEON8H2H+v0XRCOiYeUuhJBRUVkFoEP+Cz4vHZo
+SJZ2al16eRaKR02RIAJeRtlwjqIsGO5kpyaKRq9BsRg
-> ssh-ed25519 /BRpBQ stXNcOvGwPBPz8TtLhQUVgpcvu4BtfUACAZtrEI0eGY
+-> ssh-ed25519 /BRpBQ 98rwPrpOBbpjz38FEArCgEv1MqXWsak65tRrfQykrHA
-FN2yFmvc3GhMGNTUCT+XMr1qsfLvmjHIkYoi5B3MDsE
+nfzNG899bAb8dltFR9QrJ4Zb/xX5BL+vSQDD5vC/a2A
-> ssh-ed25519 /x+F2Q fmGbMAGFJbjR0zVdJqsigKQ28nbDq8Zx1FsgviLWqHc
+-> ssh-ed25519 t0vvHQ +XZLiLJdJqMxRf6CZwJoS75uQ5b9BxToBUsscsvjCgs
-+v09rkeHZTvFQLaXfOnFaZMBc2G2BD5dXWYg/Nlx2Og
+0IsEB8Q7ZVMzbQMUXVbHdBIC3bcAlhtKHrsjENMvNss
-> ssh-ed25519 +MNHsw KqIxZ4L1aoqLevCwx6Zp0jBHfTOU7WdrE0UN56/xARE
+-> ssh-ed25519 E6cGqw wYdLb3oelo2KDUrh9oDfxN26d/zLPZysKHTp8rxMnEY
-OwQ2/WUEfl/oXxfbv5rlLu4OOdrACzPfSS6HfcLpi60
+yJ5I2PL32is3cgrh06XRpITykFL282pmhEvCTLRAhQA
-> ssh-ed25519 rHotTw hwCwUHi/xbAQaWt26kOn3/QSP0m0ZKRdIYs55TDMLSM
+-> ssh-ed25519 EEPmeQ CQLZuD21cKyZOWJZxrEl2N4GnT/3nfkyv5GjK+aveCQ
-DCvnBearzyPQ6ErYuawsyobpMsD9SSEhkVmFKyp5jUI
+XMUaUgHw6mnFh9AEHTn/sRRe1VFGcKRjK4Ib1cNyFns
-> ssh-ed25519 +mFdtQ ZlEsxLPDfy29aIQ9eNsRkZCHSeRmX8+GsuGtikQF4ms
+-> ssh-ed25519 +MNHsw Ir6Ev8iz1/jyOJJF6boc5T+yjzCtx+L7VtuPFua8WGA
-n1N2xQb4oRWaJgLtrXMFasc8u516e1M4Q/qLNLA0e0A
+1sjWSysDuMJ9/hxaYRWF8so6TsdC/ZpLuK1r2AC/st0
-> ssh-ed25519 0IVRbA keVcQ4Vx3Avd97N89nUklRnGMABBenHIi+aufVoTABU
+-> ssh-ed25519 rHotTw 33l1xN6i1ST04iKhrtEdMNyGZyrEdJKjNma+Qat9p34
-yrsC1OitS6sqbUsaIaWeU8vYGOQm9afFfc6DprB8Whc
+FgdTjE9NpeR41h49lEbxNAuMTZyvZSVaYyT9PJEn+mU
-> ssh-ed25519 IY5FSQ npdYCAEfVSpuDNMZnWS469BgvivTKHRKtEAtxmxDZl8
+-> ssh-ed25519 NaIdrw OO+OV7X39UdIhust47t7/JOpWmRtxS5MeOFGkKoaKmw
-gOB1vpBO8ZqtLVwxCj8V/KrWgnYmZGn5QQJzMhiHH4A
+gaFE7kl9BQWMMolgkc3Q8HtaD2YlV+vRNyO2Q8FM6fI
-> ssh-ed25519 VQSaNw S3dSnOPVQdMcz1dJYai0DvZATuMBDsG/+a0sJBDc/iE
+-> ssh-ed25519 +mFdtQ YahBCDKX2N+mkYLQAlKPpd2ZypIDSMOqzO0+UcCH6wU
-Q1gl1nIpDESMvTBX03i4lStAtdWqlTkVABHZ3cqocDE
+IH0q2uTCo8OtF6IQGynKLe7rh4T12kSROuLr2dteoVM
-> t-grease bvZAq
+-> ssh-ed25519 0IVRbA Cvpi2cd3tVS3DL18C1OZsA0wHBxCCV2vWEhAu4L3CiE
-NTQBWWf5UW4zsTEEt7rgmTv+B2rFIk/8WwQPrC/s59Ik
+kIu/v9xU+0xfZ1ntnDY73GvPM6DfdXOK/nWoYp0d9o4
--- 46n57xU0XlDQgUM0vIYveqDifz57FrTcRwCEpoh62+4
+-> ssh-ed25519 IY5FSQ SAp5chelp2ahomzr9SIkaKLHQUA5BnHSwUzWrqJdpUc
-[›07Æ~Þ3dïálÃÅô!f›ãš4ÐHßA‘‡íœ÷<C593>9
×ò@d»BÌ&½L‰{aãþm…X2ã’D‰Å´
+CfEu14yiOq1KvU52zqYme6CTjhdykRNuhQIi2dgqKh0
 -> ssh-ed25519 VQSaNw ApDOYnJwe1LC5EKjBmSrsXvr73D1bG/MlTzJXEBQWGA
 1DtCyWFGlmrRdv01bqOPfL/jufaYLzrtNF2GGHpGuuY
 -> ~s)%%W-grease <vT lar/&
 qKU8Y2viz71kG8JlAT6i/UWF
 --- 3nsxdyr8AeVlK8l2fhXVZldrw5d0gu4+GWadkNHp9Lc
 f-kp;<3B>1QŸªaZ¦¦X<02>º”/M@NCD¶€ª‚<C2AA>¶Þ2Š4‡ÔÌÑ°vðÑG¯ó7ý@Sôì)?#
--- a/modules/nixos/dgn-notify/secrets.nix
+++ b/modules/nixos/dgn-notify/secrets.nix
@ -2,4 +2,4 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-{ mail.publicKeys = (import ../../../keys).machineKeys; }
+{ mail.publicKeys = (import ../../../keys).nixosMachineKeys; }
--- a/modules/nixos/dgn-records/__arkheon-token_file
+++ b/modules/nixos/dgn-records/__arkheon-token_file
@ -1,50 +1,57 @@
 age-encryption.org/v1
-> ssh-ed25519 jIXfPA YaucboAId6lgc1Y/jV6hLyovkJQnMBnKhJ2QWAci53U
+-> ssh-ed25519 jIXfPA sb7nmDkbVrutjmrkaUKnEfWlU4lWm7qQmD6OWcb/qHo
-Q8RUPu4GUC5QbzTROgL9xaG3BUWO1QU/q1p0/yimBQ0
+GdZ/AyZS75kXiG7XbS2x+sz2LCzrEZYL7PpOPZ8g8qc
-> ssh-ed25519 QlRB9Q y1tbd/81NoECRtKwOw41Tlls5y+WSu2jGmeOlC939VM
+-> ssh-ed25519 QlRB9Q yZkNZ2UOSM7LJbBU9qWcloWPceARFVFIQoEIAfEUsUw
-DT1zZgWJkkIWRWxzfu4VgiGpV8CioaDKnVemowH59N4
+F6x/QjToEmfLka6LAZxsuOTrKG93EHmFEiiCBiPBdvk
-> ssh-ed25519 r+nK/Q dDmGkZ3Y7xAzZGKvGIyIdhD+P0tkV6SMPx3UxphoTXo
+-> ssh-ed25519 r+nK/Q TSh3AgdlSZP4FOVka4/KTa9Z/nuwRRZl3mGw1uKTUhs
-tkanRbPfu3/cuMPoTrcWBlNcu6RmK+txif+9aIRLy+s
+fvtdpPW+zsgBHAQrvkWc7heHE56gPZwMEPOpz+fxbh0
 -> ssh-rsa krWCLQ
-IZGpFoWjQuQzqkS2KbpVr+fP7NLPhyaxS4yQroVEkPEZnXx2c6eH3ul218zytZld
+J3PRXa0ojIn7T4bsFYnhERqGH4bLSSRyMm4X85iuGkhjldW/qVIs3EsGUeyLKWwY
-YRBCxiCtV6VfOB2N2QGuiK7YCGl6oUfN1DePy0jPrGKsnvWBitTuqzADiGQB7aSI
+prvS1uwGY4qGbNgEaj0MhoZobhn9V3oiTAmlepl2tHgwMFqDi0Dagym4DBKhYaym
-ie7GgblPpi4q3ovJPgf7Bs+Mi2dKW5hiD8Jnped7rEW7SEnESkQa3Cx22Ww/UYcW
+ezG4GvOSEQOFAhroGK7FscUeziQilfXMAGX88JrJQVM/wz5c2e4ZJmAc5sBzo1mj
-9Uj7ZaDVVbP0ZWyc41HdoJwEnV6MYMRnXUJ/qrLMCIvRaYk8UdiCDgco+XxqAnbs
+D/ko6/KazOokbCO89wjjUYLzwM82aJKHgGZElNKOx2fcpi23ZIlIERbqcTUgxnVS
-iyUqCvz8iVNsWbJxK+7jJHXp0dQJRciHzSGStIVRSGx4gvuXOGjsuBMjfwoq1XoR
+ifgfSHcggEP47UldzfuH09Lfz8YTDqpebhufWkVhnvdJRYahrkNC+vPqBFXwqK8F
-5PE3BnP/atHZg3CkQcC2eA
+xCVq7a8AkHK1LfDSfm041g
-> ssh-ed25519 /vwQcQ WL0PdIIsSWzw+ar2QNXCp7Xs1NH9gUk2fSPskGC9o2I
+-> ssh-ed25519 /vwQcQ Lclbvme60sst7vG3OT+SK/BWPBJlMPBuijzX5a41xQY
-+kHedFsYHgpsGfILtywJaIrTRj8HtHZvVyhtbRhKYC0
+iqI9+kIOEja/uAHP3YxCXOAH94IbVbArTD/zzpEWATI
-> ssh-ed25519 0R97PA +G7wUHF6NJimsAxe6M9RVVTa3GLPoW1bhsgMsWXKNC8
+-> ssh-ed25519 0R97PA tvNEZpxUdaDrLOhuTnp/tuta75aInxweI6u55lts9Fw
-i++lKoe8hFFb1rilkO9lcwBJujRqFsLGDOPvbaiz6Nw
+hd0OB8wSMhqyLPyy3dshVLjwXk/iqRhW/CK0v9EkMKs
-> ssh-ed25519 JGx7Ng o66YGXN0uMC2qZo1tVcEMOa4SwxNZaf4HvnGsgzlqjo
+-> ssh-ed25519 JGx7Ng 11MGDeZVC6uXrb6x7xH1DDaUS9hEkY4cgFd6UqwuVWI
-Tc4KMMrnJbybrNIkhEJz42PVHc3fVMFFSs96lKsEKCA
+HsLCmr749be0M6o8od+cxqEF6fcsqjZttczwNxzU8ZU
-> ssh-ed25519 5SY7Kg P8Xp9wVJDcPdj3uSiq0yLnLMDInMeFs6XX30VwlXWlg
+-> ssh-ed25519 bUjjig stqKeXyQYQ4rrPUoFAJ07hfIyNp32BbITxUavwsvFR4
-uJfxXOZl8EX8fjRsHZ61JMKFpYksZJucZwVaRJs7qW8
+oeDwDiSyXD803qDruxzJhgQ9ckfQoisJjVzq/S1CvUg
-> ssh-ed25519 p/Mg4Q yUyxue7Oda0b+CjdF9VfUCliWyzXNOsVPH7OFoHzWCw
+-> ssh-ed25519 DqHxWQ zGJoJNznwsrVy1hELu5Zd08xPpnCRPms5JUjnuEFB0A
-+zi+TSojvSc+VDXZG8XXSsTezxKRNC2XHc/hGGv4baM
+DS1GEfaNSSz8BD0VqYEpEU5retLzy6EAF0ZEMbcZzys
-> ssh-ed25519 DqHxWQ 7Vnq/xidbguw/PkZPUOTHUBTe8/x4PvTjCusUe10jio
+-> ssh-ed25519 IxxZqA qPdVGKGRIErFLQsV8LH8UFElhV32XdTw8PmT2HdQVTE
-7Sl1MptpElvEA9VUj7JiVGuEWC0F3aA2rgYvfIchOB0
+rZzFPIx7iO1RT6cHu8AeO6FYLMsZn8UMjpqf2K3R9Ds
-> ssh-ed25519 tDqJRg udOCDV4/vszObNxcQhJ6iGiDkxgZlrBDyKt3MbibMx4
+-> ssh-ed25519 tDqJRg BfjsSuGW3EteYrTAtpVJNrdoNdpGKuYOxHU0ZNBUYUM
-CDDd0LNCCdYvEww/h8q2z4f5QtjnL+kJsnPFtlbiD28
+wlMXOu/IVNFyghhyd/HnBud8b+VwgqZ3vG8Ceqx2DV8
-> ssh-ed25519 9pVK7Q DXqkIewHGpUUDtL2ivAoFwY/HCjoQXjxoHGPGkuFfH0
+-> ssh-ed25519 9pVK7Q pPA/PzPfmC4VNLqcqgb1LwfJ68q7LffBAqaRP3YJGmw
-JZ7xC2kdtnRNq8WADL2SNw/Ukezu1s4TuUbQnbP8L4o
+RJBpLt3WzJoNxsbAby/XVB0bWlHqw5ZwSHT47PQeJ2M
-> ssh-ed25519 /BRpBQ 9j1+wzO733ej03ra8LQOkpOyvY63UCbO9sfT6bV6+zs
+-> ssh-ed25519 /BRpBQ 9irIejQQmwv9p1n/N82JPcQlRkMgCPsoeqvrEH24QUs
-2F0UjpAqgCK5JS0y0kkHX30EV8JCcjhnJ1NkW06ww4w
+WV1CGQiitxqJOj+2V/AA3R9NevcNKCohiEV4ssDEKwA
-> ssh-ed25519 /x+F2Q wYchtMn7MCGllfiFwTrycdLEY3dl297ns26PHs7l320
+-> ssh-ed25519 t0vvHQ vEuLV5mD3BkRQc0h2wg1l4UVj/ORVC5sz1SSqt6gD2Q
-feRd57Z5k6iJ71JRHud0wyYWo3O56q4rrYZt5y3aoqA
+voKXQa3QwUt9yN4OD2Kq58iI/pjNJxRZCHYOWr3mojM
-> ssh-ed25519 +MNHsw FHfvx1FQWcsRlKrFF0SRcVZ+XG6LXBwIMcPCVeu/ZCg
+-> ssh-ed25519 E6cGqw wqCRvdwHzeZNFG73mnCxP6dY8HFLnUd0q3QMHxC9lTk
-w9fZGhZpEJHlf8JPcbWcNoAO9S06hi15LZxkv1dJUWk
+D0bqFDUQSgHgwrfluCnJ0FQ8+Bwtho0jGXdF7Mdepj8
-> ssh-ed25519 rHotTw QDcThfb0AJMQBfQDbbtqm6z7BGxC4/sBioprElUTXFA
+-> ssh-ed25519 EEPmeQ cgyB/xXkZYjS9rqDE5saVVWaZCqWA1KieSwupV8sJ3U
-2JOFoMLcVhMoGzZDDNOTL3PBWsqVnrFx8o/W/cWuzl0
+6NSDsrPTVP0AfLf2R7SYCu175u3AvSl6/9KyI5ZZr4Y
-> ssh-ed25519 +mFdtQ tWg17VH1Q4gQj/1IK9yrxjw4kRPzsp4dDHFwDKYxvDE
+-> ssh-ed25519 +MNHsw yQYlre+4ZPx0sfdC6iObUu4AyUT/QFCR9nVMDe93PVw
-9H4ohD3XN4Xtk15SsZQf5k0db+yIVcWp4EV5jKsZgHI
+0fqncmEgXK8UFoWr+S45imxC4zi1rYTmzp5aiPWqcJM
-> ssh-ed25519 0IVRbA rkMPsBgVEaiYtaBN5JzHNCPFYFKr/7dqoY+RX19+03o
+-> ssh-ed25519 rHotTw 4P96tfTWGWu6sNpnhQS2pOncXTJDBY/0LIMJH6MZ9ws
-baQK5t5sG8WabaCuMTZ2ZIfMTRH0jQU4l7JEyJ6H+LU
+HJ9yHwUv613F3Xj0s1l2e1CY2ca9jqrwKvjjrfr+BRE
-> ssh-ed25519 IY5FSQ c1+2+CMJFMw/iF2XNx5ma28KhwdKKQ9dNC1nBvFz/B0
+-> ssh-ed25519 NaIdrw e+Mk++x9jtnYuH76OXRohKUKELiLRW7DBPmD4Kw0uhE
-3AE1FQq+//dNIQfuW9BHcpfNbGn724Ydq7aJc95KmmY
+P84wmJvkSnM68JmMS24xrilAsqJ0PzsqgmvWIDh2TYA
-> ssh-ed25519 VQSaNw t9yLak0T7FO8hgGrPWFeR3Jw0D6cPxjR5LOIcMnAmgo
+-> ssh-ed25519 +mFdtQ YE1hcu3vCq1QHr38JEhU+pLZy+NuxzjSk8O64CYqakI
-869SBp0nM5v/9+Xjib6rkmmelhTBfXcyuHiAXh08AWo
+SNsqng6gjqR8m+KO+RQqt0gbXeGdfHNjvfVncmKD3DQ
-> r32t]I\-grease ka<*
+-> ssh-ed25519 0IVRbA Zw0Sq8NnSluum9p9RPO906gKnXLPlOAWwjIDuYt5oSQ
-nkxH0w1aQ64
+6jUZKI7yu6ThE1behgXMqO5beNj2Gap2rGhlSn8vrA8
--- LlTR5EcQzCLJ5trkQcomW0+soQoec/IZZNW+g5dyOo0
+-> ssh-ed25519 IY5FSQ qo7pkpJsNQ3vdedlPJIfXpmjHwcEyiuu90TEoay0Xz8
-M"ÏLm“õh]ñÖa£uq±ýÏ4ßÏ+ö“9;Ð¤ˆÇ-Z±L»¯H0o1»Eâ<>
+zbqt1vojiiYfLnh3ChxHwG9mn3d5D2HrQlUJTlGRB+M
 -> ssh-ed25519 VQSaNw nsL5mErC5CJgd4EZKs4ZPb4BINCZMGAhkFr3Z/5vSk0
 vk3vhlydKtsWDCUmO6+fj231tEzNp+5vovLO0Wr7Aqs
 -> @=-grease bI=Z 'IEY&[|q $&(!B z'y\s855
 yNfimzcHFAcfpv7UmfYWh/CAXuUP8mSMxI9w29AI+W7ykCKwWXv9ixLensYRinoo
 vmoBfW/f9aQr
 --- M790Aym/OBexvX+HZK7Hom3HRpLr8ACf4LzYJdSsR8c
 h8ÖÿƒíÃúÑy`¡Œ;ú™ÊÖæ”º±TØ“ÉÚ<áD{–mÉ,Xô´Š_®§ÅíF"šþ]£¦”"
--- a/modules/nixos/dgn-records/secrets.nix
+++ b/modules/nixos/dgn-records/secrets.nix
@ -2,4 +2,4 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-{ __arkheon-token_file.publicKeys = (import ../../../keys).machineKeys; }
+{ __arkheon-token_file.publicKeys = (import ../../../keys).nixosMachineKeys; }
--- a/modules/nixos/extranix/default.nix
+++ b/modules/nixos/extranix/default.nix
@ -12,6 +12,8 @@ let
  inherit (lib)
    attrNames
    concatMapStringsSep
    concatStringsSep
    escapeXML
    filter
    getExe
    hasPrefix
@ -20,6 +22,7 @@ let
    importJSON
    mapAttrs'
    mapAttrsToList
    mkDefault
    mkEnableOption
    mkIf
    mkOption
@ -100,13 +103,13 @@ let
            type
            readOnly
            loc
            description
            ;
          descriptionHTML = pkgs.runCommand "option-${title}.html" { } ''
-            ${getExe pkgs.pandoc} -f markdown ${pkgs.writeText "option-${title}.md" val.description} > $out
+            ${getExe pkgs.pandoc} -f markdown-raw_html ${pkgs.writeText "option-${title}.md" val.description} > $out
          '';
-          example = val.example.text or "";
+          description = escapeXML val.description;
-          default = val.default.text or "";
+          example = escapeXML (val.example.text or "");
          default = escapeXML (val.default.text or "");
          declarations = map path-translation val.declarations;
        }) filtered-opts;
      };
@ -238,13 +241,14 @@ in
  };
  config = mkIf cfg.enable {
    services = {
-      extranix = {
+      extranix.settings = {
        settings = {
        theme = "extranix-options-search";
-          params.releases = mapAttrsToList (name: _: {
+        params = {
          releases = mapAttrsToList (name: _: {
            inherit name;
            value = sanitizeDerivationName name;
          }) cfg.modules;
          release_current_stable = mkDefault (head (attrNames options-files));
        };
      };
      nginx = {
@ -252,5 +256,21 @@ in
        virtualHosts.${cfg.host}.locations."/".alias = "${webroot}/";
      };
    };
    assertions = [
      {
        assertion = cfg.modules != { };
        message = ''
          `services.extranix` can't be enabled without any modules to document.
        '';
      }
      {
        assertion = options-files ? ${cfg.settings.params.release_current_stable};
        message = ''
          `services.extranix.settings.params.release_current_stable` should be the
          `sanitizeDerivationName` of a key of `services.extranix.modules`, here one of:
            + ${concatStringsSep "\n  + " (attrNames options-files)}
        '';
      }
    ];
  };
 }
--- a/npins/default.nix
+++ b/npins/default.nix
@ -42,6 +42,7 @@ let
      builtins.fetchGit {
        inherit (repository) url;
        rev = revision;
        allRefs = true;
        # hash = hash;
      };
--- a/npins/sources.json
+++ b/npins/sources.json
@ -234,26 +234,12 @@
      "type": "Git",
      "repository": {
        "type": "Git",
-        "url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
+        "url": "https://git.hubrecht.ovh/hubrecht/nix-modules"
      },
-      "branch": "main",
+      "branch": "dgnum",
-      "revision": "75e8d70a051dd19d126b5248b62f61d6f8ce4361",
+      "revision": "5cc5d497565cae685bd2eb91606016791c3a9313",
      "url": null,
-      "hash": "0yx5by3v2cshiidyh27n75lcqy9d1kk5zz5mchmfv63s9p0cjzqn"
+      "hash": "09is2zl9570ql1sw250mhpjj8mz2ggy3jx1kvyn6dh2817mv77dc"
    },
    "nix-patches": {
      "type": "GitRelease",
      "repository": {
        "type": "Git",
        "url": "https://git.hubrecht.ovh/hubrecht/nix-patches"
      },
      "pre_releases": false,
      "version_upper_bound": null,
      "release_prefix": null,
      "version": "v0.5.0",
      "revision": "e11ba20945f4a867f09d84343c37328288f274b4",
      "url": null,
      "hash": "1c6cc44pwlg3ky6cnwhkml8ci77fw3sgjhwvqg0f6igxxf2fqv9v"
    },
    "nix-pkgs": {
      "type": "Git",
@ -261,10 +247,10 @@
        "type": "Git",
        "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
      },
-      "branch": "main",
+      "branch": "dgnum",
-      "revision": "cc01e1c2a6ecb1e38fde35ee54995a6a639fb057",
+      "revision": "304abd514dfe07bce4b368b1f384bfd598d61183",
      "url": null,
-      "hash": "17a9vlwrk9365ccyl7a5xspqsn9wizcpwdpvr3qdimvq4fpwhjal"
+      "hash": null
    },
    "nix-reuse": {
      "type": "GitRelease",
--- a/workflows/npins-update.nix
+++ b/workflows/npins-update.nix
@ -2,63 +2,92 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
-{ nix-actions, ... }:
+{ lib, nix-actions, ... }:
 let
  inherit (nix-actions.lib) secret;
  inherit (lib) genAttrs mapAttrs' nameValuePair;
  dependencies = builtins.attrNames (import ../npins);
 in
 {
-  name = "npins update";
+  name = "Update dependencies";
  on.schedule = [
-    # Run at 15:25 everyday
+    # Run every saturday
-    { cron = "25 15 * * *"; }
+    { cron = "5 16 * * 6"; }
  ];
-  jobs.npins_update = {
+  # Global environment, necessary for rebases and commits
  env = rec {
    GIT_AUTHOR_NAME = "HT Chores";
    GIT_AUTHOR_EMAIL = "chores@mail.hubrecht.ovh";
    GIT_COMMITTER_NAME = GIT_AUTHOR_NAME;
    GIT_COMMITTER_EMAIL = GIT_AUTHOR_EMAIL;
  };
  jobs = mapAttrs' (name: nameValuePair (builtins.replaceStrings [ "." ] [ "_" ] name)) (
    genAttrs dependencies (name: {
      runs-on = "nix";
      steps = [
        (nix-actions.steps.checkout {
          fetch-depth = 0;
-        token = nix-actions.lib.secret "TEA_DGNUM_CHORES_TOKEN";
+          token = secret "TEA_DGNUM_CHORES_TOKEN";
        })
        {
-        name = "Update dependencies and open PR if necessary";
+          env.GIT_UPDATE_BRANCH = "npins-updates/${name}";
          name = "Switch to a new branch";
          run = # bash
            ''
-            npins update
+              if git ls-remote --exit-code --heads origin "refs/heads/$GIT_UPDATE_BRANCH"; then
                git switch "$GIT_UPDATE_BRANCH"
                git rebase main
                echo "EXISTING_BRANCH=1" >> $GITHUB_ENV
              else
                git switch -C "$GIT_UPDATE_BRANCH"
              fi
            '';
        }
        {
          env = {
            GIT_UPDATE_BRANCH = "npins-updates/${name}";
            COMMIT_MESSAGE = "chore(npins): Update ${name}";
          };
          name = "Open a PR if updates are present";
          run = # bash
            ''
              npins update ${name}
              if [ ! -z "$(git diff --name-only)" ]; then
                echo "[+] Changes detected, pushing updates."
              git switch -C npins-update
                git add npins
-              git commit --message "chore(npins): Update"
+                if [ -n "$EXISTING_BRANCH" ]; then
-              git push --set-upstream origin npins-update --force
+                  git commit --amend --no-edit
                  git push --force
                else
                  git commit --message "$COMMIT_MESSAGE"
                  git push -u origin "$GIT_UPDATE_BRANCH"
                fi
                # Connect to the server with the cli
-              tea login add \
+                tea login add -n dgnum-chores -t "${secret "TEA_DGNUM_CHORES_TOKEN"}" -u https://git.dgnum.eu
                -n dgnum-chores \
                -t "${nix-actions.lib.secret "TEA_DGNUM_CHORES_TOKEN"}" \
                -u https://git.dgnum.eu
                # Create a pull request if needed
                # i.e. no PR with the same title exists
-              if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(npins): Update dgnum-chores')" ]; then
+                if [ -z $(tea pr ls -f='title,author' -o simple | grep "$COMMIT_MESSAGE dgnum-chores") ]; then
-                tea pr create \
+                  tea pr create --description "Automatic npins update" --title "$COMMIT_MESSAGE" --head "$GIT_UPDATE_BRANCH"
                  --description "Automatic npins update" \
                  --title "chore(npins): Update" \
                  --head npins-update
                fi
              fi
            '';
        env = {
          GIT_AUTHOR_NAME = "DGNum Chores";
          GIT_AUTHOR_EMAIL = "tech@dgnum.eu";
          GIT_COMMITTER_NAME = "DGNum Chores";
          GIT_COMMITTER_EMAIL = "tech@dgnum.eu";
        };
        }
      ];
-  };
+    })
  );
 }