fix(wrappers/colmena): ensure purity of evaluation

This is similar to extraServices but without the partOf, upheldBy and
wantedBy settings.

.forgejo/workflows/eval-nodes.yaml

@@ -100,6 +100,28 @@ jobs:
         STORE_USER: admin
       name: Build and cache hypervisor03
       run: nix-shell -A eval-nodes --run cache-node
+  netaccess01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: netaccess01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache netaccess01
+      run: nix-shell -A eval-nodes --run cache-node
+  netcore01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: netcore01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache netcore01
+      run: nix-shell -A eval-nodes --run cache-node
   netcore02:
     runs-on: nix
     steps:

README.md

@@ -98,7 +98,7 @@ The general metadata is declared in `meta/nodes.nix`, the main values to declare
 Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
 
 ```nix
-(import ../../../keys).mkSecrets [ "host02" ] [
+(import ../../../keys.nix).mkSecrets [ "host02" ] [
   # List of secrets for host02
 ]
 ```

REUSE.toml

@@ -23,6 +23,12 @@ SPDX-License-Identifier = "EUPL-1.2"
 path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/01-pretalx-environment-file.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
 precedence = "closest"
 
+[[annotations]]
+SPDX-FileCopyrightText = ["2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>", "2024 Maurice Debray <maurice.debray@dgnum.eu>"]
+SPDX-License-Identifier = "EUPL-1.2"
+path = ["patches/nixpkgs/07-kanidm-groups-module.patch", "patches/nixpkgs/08-kanidm-groups-pkgs.patch"]
+precedence = "closest"
+
 [[annotations]]
 SPDX-FileCopyrightText = "2024 Maurice Debray <maurice.debray@dgnum.eu>"
 SPDX-License-Identifier = "EUPL-1.2"

bootstrap.nix

@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+let
+  unpatchedSources = import ./npins;
+
+  pkgs = import unpatchedSources.nixos-unstable { };
+
+  patch = (import ./lib/nix-patches { patchFile = ./patches; }).base {
+    inherit pkgs;
+  };
+
+  sources = builtins.mapAttrs (
+    k: src:
+    patch.applyPatches {
+      inherit src;
+      name = k;
+    }
+  ) unpatchedSources;
+
+  overlays.lib = _: lib: { extra = import ./lib/nix-lib { inherit lib; }; };
+in
+
+{
+  inherit overlays sources unpatchedSources;
+
+  pkgs = pkgs // {
+    lib = pkgs.lib.extend overlays.lib;
+  };
+}

default.nix

@@ -3,9 +3,13 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
+let
+  bootstrap = import ./bootstrap.nix;
+in
+
 {
-  sources ? import ./npins,
+  sources ? bootstrap.sources,
-  pkgs ? import sources.nixos-unstable { },
+  pkgs ? bootstrap.pkgs,
 }:
 
 let
@@ -101,6 +105,16 @@ let
         ];
         copyright = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>";
       }
+      {
+        path = [
+          "patches/nixpkgs/07-kanidm-groups-module.patch"
+          "patches/nixpkgs/08-kanidm-groups-pkgs.patch"
+        ];
+        copyright = [
+          "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
+          "2024 Maurice Debray <maurice.debray@dgnum.eu>"
+        ];
+      }
       {
         path = [ "patches/nixpkgs/06-netbox-qrcode.patch" ];
         copyright = "2024 Maurice Debray <maurice.debray@dgnum.eu>";

hive.nix

@@ -4,45 +4,26 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
+# TODO: change comments to ### \n # [text] \n #
+
 let
-  sources' = import ./npins;
+  ### Init some tooling
 
-  # Patch sources directly
+  bootstrap = import ./bootstrap.nix;
-  sources =
-    builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; }).applyPatches'
-      sources';
 
-  nix-lib = import ./lib/nix-lib;
+  inherit (bootstrap.pkgs) lib;
-  inherit (nix-lib) mapSingleFuse;
+  inherit (lib.extra) mapSingleFuse;
 
-  patch = import ./lib/nix-patches { patchFile = ./patches; };
+  inherit (bootstrap) sources;
 
-  nodes' = import ./meta/nodes;
+  ### Let's build meta
-  nodes = builtins.attrNames nodes';
+  metadata = (import ./meta) lib;
 
-  mkNode = node: {
+  nodes = builtins.attrNames metadata.nodes;
-    deployment.systemType = system node;
+
-  };
+  ### Nixpkgs instanciation
 
   nixpkgs' = import ./meta/nixpkgs.nix;
-  # All supported nixpkgs versions × systems, instanciated
-  nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
-
-  # Get the configured nixos version for the node,
-  # defaulting to the one defined in meta/nixpkgs
-  version = node: nodes'.${node}.nixpkgs.version;
-  system = node: nodes'.${node}.nixpkgs.system;
-  category = node: nixpkgs'.categories.${system node};
-
-  nodePkgs = node: nixpkgs.${system node}.${version node};
-
-  # Builds a patched version of nixpkgs, only as the source
-  mkNixpkgs' =
-    v:
-    patch.mkNixpkgsSrc rec {
-      src = sources'.${name};
-      name = "nixos-${v}";
-    };
 
   # Build up the nixpkgs configuration for Liminix embedded systems
   mkLiminixConfig =
@@ -62,29 +43,47 @@ let
   mkNixpkgsConfig =
     system:
     {
-      nixos = _: { };
+      nixos = _: { }; # TODO: add nix-pkgs overlay here
       zyxel-nwa50ax = mkLiminixConfig system;
       netconf = _: { };
     }
     .${system} or (throw "Unknown system: ${system} for nixpkgs configuration instantiation");
 
   # Instanciates the required nixpkgs version
-  mkSystemNixpkgs = system: version: import (mkNixpkgs' version) (mkNixpkgsConfig system version);
+  mkSystemNixpkgs =
+    system: version: import sources."nixos-${version}" (mkNixpkgsConfig system version);
 
-  ###
+  # All supported nixpkgs versions × systems, instanciated
+  nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
+
+  # Get the configured nixos version for the node,
+  # defaulting to the one defined in meta/nixpkgs
+  version = node: metadata.nodes.${node}.nixpkgs.version;
+  system = node: metadata.nodes.${node}.nixpkgs.system;
+  category = node: nixpkgs'.categories.${system node};
+
+  nodePkgs = node: nixpkgs.${system node}.${version node};
+
+  ##########
   # Function to create arguments based on the node
   #
   mkArgs = node: rec {
-    lib = sourcePkgs.lib // {
+    lib = sourcePkgs.lib.extend bootstrap.overlays.lib;
-      extra = nix-lib;
-    };
 
     sourcePkgs = nodePkgs node;
-    meta = (import ./meta) lib;
+    meta = metadata;
 
-    nodeMeta = meta.nodes.${node};
+    nodeMeta = metadata.nodes.${node};
     nodePath = "machines/${category node}/${node}";
   };
+
+  ##########
+  # Module for each node (quite empty since almost everything is in the default module)
+  #
+  mkNode = node: {
+    deployment.systemType = system node;
+  };
+
 in
 
 {
@@ -95,7 +94,10 @@ in
     specialArgs = {
       inherit nixpkgs sources;
 
-      dgn-keys = import ./keys;
+      dgn-keys = import ./lib/keys {
+        meta = metadata;
+        inherit lib;
+      };
     };
 
     nodeSpecialArgs = mapSingleFuse mkArgs nodes;
@@ -219,5 +221,6 @@ in
         };
     };
   };
+
 }
 // (mapSingleFuse mkNode nodes)

iso/configuration.nix

@@ -5,9 +5,9 @@
 { lib, pkgs, ... }:
 
 let
-  dgn-keys = import ../keys;
+  dgn-keys = import ../keys.nix;
 
-  dgn-members = (import ../meta lib).organization.groups.root;
+  dgn-members = (import ../meta lib).config.organization.groups.root;
 in
 
 {

keys.nix

@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+let
+  bootstrap = import ./bootstrap.nix;
+
+  inherit (bootstrap.pkgs) lib;
+
+  meta = import ./meta lib;
+in
+
+import ./lib/keys { inherit meta lib; }

keys/default.nix

@@ -1,109 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
-#
-# SPDX-License-Identifier: EUPL-1.2
-
-let
-  _sources = import ../npins;
-
-  inherit (import _sources.nixos-unstable { }) lib;
-
-  meta = import ../meta lib;
-
-  inherit (import ../lib/nix-lib) setDefault unique;
-in
-
-rec {
-  # WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
-  #          If not, you will face an angry maintainer
-  _keys = {
-    # SSH keys of the nodes
-    bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
-    build01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIYJcEMQpOyKInqtd2/brnSQuzwgv6fNPlTSQx9tcvPu" ];
-    compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
-    geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
-    geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
-    hypervisor01 = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
-    ];
-    hypervisor02 = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
-    ];
-    hypervisor03 = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
-    ];
-    rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
-    storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
-    tower01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVpR+TMRLGAfhn7Q0C3tKOydYYjfoC/e1ZYbKpby01Z" ];
-    vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
-    web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
-    web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
-    web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
-
-    # SSH keys of the DGNum members
-    agroudiev = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
-    ];
-    catvayor = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFfIJ8BToZ9EDxBsEJXQhUju7gm+rUDjGCNMvFSZCl1o openpgp:0x5CADCA1B"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdOxx4I8BSbYPdouvuzDepwTwzQzGSBCNIV8TB5dduT openpgp:0xF6018131"
-    ];
-    cst1 = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
-    ];
-    ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
-    gdd = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
-    ];
-    jemagius = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
-    ];
-    luj = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
-    ];
-    mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
-    mdebray = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
-    ];
-    raito = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
-    ];
-    thubrecht = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
-    ];
-  };
-
-  getKeys = ls: builtins.concatLists (builtins.map (member: _keys.${member} or [ ]) ls);
-
-  mkSecrets =
-    nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
-
-  getNodeKeys' =
-    node:
-    let
-      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
-        meta.nodes.${node}.admins ++ [ node ]
-      ) meta.nodes.${node}.adminGroups;
-    in
-    unique (getKeys names);
-
-  getNodeKeys = node: rootKeys ++ getNodeKeys' node;
-
-  # List of keys for the root group
-  rootKeys = getKeys meta.organization.groups.root;
-
-  # List of 'machine' keys
-  machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
-
-  nixosMachineKeys =
-    rootKeys
-    ++ (getKeys (builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == "nixos") meta.nodes)));
-}

lib/colmena/wrapper.sh.in

@@ -28,4 +28,4 @@ if [[ $1 == 'apply' ]]; then
 	doChecks
 fi
 
-exec @colmena@ "$@"
+exec @colmena@ --nix-option nix-path "" "$@"

lib/keys/default.nix

@@ -0,0 +1,51 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ meta, lib }:
+
+let
+  inherit (lib.extra) setDefault unique;
+
+  getAttr = lib.flip builtins.getAttr;
+in
+
+rec {
+  _memberKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.organization.members;
+  _builderKeys = builtins.mapAttrs (_: v: v.builderKeys) meta.organization.members;
+  _nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes;
+
+  # Get keys of the users
+  getMemberKeys = name: builtins.concatLists (builtins.map (getAttr _memberKeys) name);
+
+  # Get builder keys of the users
+  getBuilderKeys = getAttr _builderKeys;
+
+  # Get keys of the ssh server
+  getNodeKeys = name: builtins.concatLists (builtins.map (getAttr _nodeKeys) name);
+
+  # List of keys for the root group
+  rootKeys = getMemberKeys meta.organization.groups.root;
+
+  # All admins for a node
+  getNodeAdmins = node: meta.organization.groups.root ++ meta.nodes.${node}.admins;
+
+  # All keys needed for secret encryption
+  getSecretKeys = node: unique (getMemberKeys (getNodeAdmins node) ++ getNodeKeys [ node ]);
+
+  # List of keys for all machines wide secrets
+  machineKeys = rootKeys ++ (getNodeKeys (builtins.attrNames meta.nodes));
+
+  mkSecrets = nodes: setDefault { publicKeys = unique (builtins.concatMap getSecretKeys nodes); };
+
+  mkRootSecrets = setDefault { publicKeys = unique rootKeys; };
+
+  machineKeysBySystem =
+    system:
+    rootKeys
+    ++ (getNodeKeys (
+      builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == system) meta.nodes)
+    ));
+}

lib/nix-lib/default.nix

@@ -2,17 +2,13 @@
 # SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
 #
 # SPDX-License-Identifier: EUPL-1.2
-
+{ lib }:
-let
-  # Reimplement optional functions
-  _optional =
-    default: b: value:
-    if b then value else default;
-in
 
 rec {
-  inherit (import ./nixpkgs.nix)
+  inherit (lib)
     flip
+    optionals
+    optionalString
     hasPrefix
     recursiveUpdate
     splitString
@@ -53,6 +49,24 @@ rec {
     attrsList:
     fuseAttrs (builtins.map f attrsList);
 
+  /*
+    Generate an `attrsList` of given size with the generator before fusing
+    the resulting list of attribute sets.
+
+    Type: (Int -> attrs) -> Int -> attrs
+
+    Example:
+     f = s: { "a${toString s}" = s + s; }
+     genFuse f 3
+     => { a0 = 0; a1 = 2; a2 = 4; }
+  */
+  genFuse =
+    # Int -> attrs
+    f:
+    # Int
+    size:
+    fuseAttrs (builtins.genList f size);
+
   /*
     Equivalent of lib.singleton but for an attribute set.
 
@@ -112,11 +126,8 @@ rec {
 
   subAttrs = attrs: builtins.map (subAttr attrs);
 
-  optionalList = _optional [ ];
+  optionalList = optionals;
 
-  optionalAttrs = _optional { };
-
-  optionalString = _optional "";
   /*
     Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
     sets together.

lib/nix-lib/nixpkgs.nix

@@ -1,468 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
-#
-# SPDX-License-Identifier: EUPL-1.2
-
-###
-# Collection of nixpkgs library functions, those are necessary for defining our own lib
-#
-# They have been simplified and builtins are used in some places, instead of lib shims.
-
-rec {
-  /**
-    Does the same as the update operator '//' except that attributes are
-    merged until the given predicate is verified.  The predicate should
-    accept 3 arguments which are the path to reach the attribute, a part of
-    the first attribute set and a part of the second attribute set.  When
-    the predicate is satisfied, the value of the first attribute set is
-    replaced by the value of the second attribute set.
-
-    # Inputs
-
-    `pred`
-
-    : Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
-
-    `lhs`
-
-    : Left attribute set of the merge.
-
-    `rhs`
-
-    : Right attribute set of the merge.
-
-    # Type
-
-    ```
-    recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.attrsets.recursiveUpdateUntil` usage example
-
-    ```nix
-    recursiveUpdateUntil (path: l: r: path == ["foo"]) {
-      # first attribute set
-      foo.bar = 1;
-      foo.baz = 2;
-      bar = 3;
-    } {
-      #second attribute set
-      foo.bar = 1;
-      foo.quz = 2;
-      baz = 4;
-    }
-
-    => {
-      foo.bar = 1; # 'foo.*' from the second set
-      foo.quz = 2; #
-      bar = 3;     # 'bar' from the first set
-      baz = 4;     # 'baz' from the second set
-    }
-    ```
-
-    :::
-  */
-  recursiveUpdateUntil =
-    pred: lhs: rhs:
-    let
-      f =
-        attrPath:
-        builtins.zipAttrsWith (
-          n: values:
-          let
-            here = attrPath ++ [ n ];
-          in
-          if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
-            builtins.head values
-          else
-            f here values
-        );
-    in
-    f
-      [ ]
-      [
-        rhs
-        lhs
-      ];
-
-  /**
-    A recursive variant of the update operator ‘//’.  The recursion
-    stops when one of the attribute values is not an attribute set,
-    in which case the right hand side value takes precedence over the
-    left hand side value.
-
-    # Inputs
-
-    `lhs`
-
-    : Left attribute set of the merge.
-
-    `rhs`
-
-    : Right attribute set of the merge.
-
-    # Type
-
-    ```
-    recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.attrsets.recursiveUpdate` usage example
-
-    ```nix
-    recursiveUpdate {
-      boot.loader.grub.enable = true;
-      boot.loader.grub.device = "/dev/hda";
-    } {
-      boot.loader.grub.device = "";
-    }
-
-    returns: {
-      boot.loader.grub.enable = true;
-      boot.loader.grub.device = "";
-    }
-    ```
-
-    :::
-  */
-  recursiveUpdate =
-    lhs: rhs:
-    recursiveUpdateUntil (
-      _: lhs: rhs:
-      !(builtins.isAttrs lhs && builtins.isAttrs rhs)
-    ) lhs rhs;
-
-  /**
-    Determine whether a string has given prefix.
-
-    # Inputs
-
-    `pref`
-    : Prefix to check for
-
-    `str`
-    : Input string
-
-    # Type
-
-    ```
-    hasPrefix :: string -> string -> bool
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.strings.hasPrefix` usage example
-
-    ```nix
-    hasPrefix "foo" "foobar"
-    => true
-    hasPrefix "foo" "barfoo"
-    => false
-    ```
-
-    :::
-  */
-  hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
-
-  /**
-    Escape occurrence of the elements of `list` in `string` by
-    prefixing it with a backslash.
-
-    # Inputs
-
-    `list`
-    : 1\. Function argument
-
-    `string`
-    : 2\. Function argument
-
-    # Type
-
-    ```
-    escape :: [string] -> string -> string
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.strings.escape` usage example
-
-    ```nix
-    escape ["(" ")"] "(foo)"
-    => "\\(foo\\)"
-    ```
-
-    :::
-  */
-  escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
-
-  /**
-    Convert a string `s` to a list of characters (i.e. singleton strings).
-    This allows you to, e.g., map a function over each character.  However,
-    note that this will likely be horribly inefficient; Nix is not a
-    general purpose programming language. Complex string manipulations
-    should, if appropriate, be done in a derivation.
-    Also note that Nix treats strings as a list of bytes and thus doesn't
-    handle unicode.
-
-    # Inputs
-
-    `s`
-    : 1\. Function argument
-
-    # Type
-
-    ```
-    stringToCharacters :: string -> [string]
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.strings.stringToCharacters` usage example
-
-    ```nix
-    stringToCharacters ""
-    => [ ]
-    stringToCharacters "abc"
-    => [ "a" "b" "c" ]
-    stringToCharacters "🦄"
-    => [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
-    ```
-
-    :::
-  */
-  stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
-
-  /**
-    Turn a string `s` into an exact regular expression
-
-    # Inputs
-
-    `s`
-    : 1\. Function argument
-
-    # Type
-
-    ```
-    escapeRegex :: string -> string
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.strings.escapeRegex` usage example
-
-    ```nix
-    escapeRegex "[^a-z]*"
-    => "\\[\\^a-z]\\*"
-    ```
-
-    :::
-  */
-  escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
-
-  /**
-    Appends string context from string like object `src` to `target`.
-
-    :::{.warning}
-    This is an implementation
-    detail of Nix and should be used carefully.
-    :::
-
-    Strings in Nix carry an invisible `context` which is a list of strings
-    representing store paths. If the string is later used in a derivation
-    attribute, the derivation will properly populate the inputDrvs and
-    inputSrcs.
-
-    # Inputs
-
-    `src`
-    : The string to take the context from. If the argument is not a string,
-      it will be implicitly converted to a string.
-
-    `target`
-    : The string to append the context to. If the argument is not a string,
-      it will be implicitly converted to a string.
-
-    # Type
-
-    ```
-    addContextFrom :: string -> string -> string
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.strings.addContextFrom` usage example
-
-    ```nix
-    pkgs = import <nixpkgs> { };
-    addContextFrom pkgs.coreutils "bar"
-    => "bar"
-    ```
-
-    The context can be displayed using the `toString` function:
-
-    ```nix
-    nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
-    {
-      "/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
-    }
-    ```
-
-    :::
-  */
-  addContextFrom = src: target: builtins.substring 0 0 src + target;
-
-  /**
-    Cut a string with a separator and produces a list of strings which
-    were separated by this separator.
-
-    # Inputs
-
-    `sep`
-    : 1\. Function argument
-
-    `s`
-    : 2\. Function argument
-
-    # Type
-
-    ```
-    splitString :: string -> string -> [string]
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.strings.splitString` usage example
-
-    ```nix
-    splitString "." "foo.bar.baz"
-    => [ "foo" "bar" "baz" ]
-    splitString "/" "/usr/local/bin"
-    => [ "" "usr" "local" "bin" ]
-    ```
-
-    :::
-  */
-  splitString =
-    sep: s:
-    let
-      splits = builtins.filter builtins.isString (
-        builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
-      );
-    in
-    builtins.map (addContextFrom s) splits;
-
-  /**
-    Remove duplicate elements from the `list`. O(n^2) complexity.
-
-    # Inputs
-
-    `list`
-
-    : Input list
-
-    # Type
-
-    ```
-    unique :: [a] -> [a]
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.lists.unique` usage example
-
-    ```nix
-    unique [ 3 2 3 4 ]
-    => [ 3 2 4 ]
-    ```
-
-    :::
-  */
-  unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
-
-  /**
-    Flip the order of the arguments of a binary function.
-
-    # Inputs
-
-    `f`
-
-    : 1\. Function argument
-
-    `a`
-
-    : 2\. Function argument
-
-    `b`
-
-    : 3\. Function argument
-
-    # Type
-
-    ```
-    flip :: (a -> b -> c) -> (b -> a -> c)
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.trivial.flip` usage example
-
-    ```nix
-    flip concat [1] [2]
-    => [ 2 1 ]
-    ```
-
-    :::
-  */
-  flip =
-    f: a: b:
-    f b a;
-
-  /**
-    `warn` *`message`* *`value`*
-
-    Print a warning before returning the second argument.
-
-    See [`builtins.warn`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn) (Nix >= 2.23).
-    On older versions, the Nix 2.23 behavior is emulated with [`builtins.trace`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn), including the [`NIX_ABORT_ON_WARN`](https://nix.dev/manual/nix/latest/command-ref/conf-file#conf-abort-on-warn) behavior, but not the `nix.conf` setting or command line option.
-
-    # Inputs
-
-    *`message`* (String)
-
-    : Warning message to print before evaluating *`value`*.
-
-    *`value`* (any value)
-
-    : Value to return as-is.
-
-    # Type
-
-    ```
-    String -> a -> a
-    ```
-  */
-  warn =
-    # Since Nix 2.23, https://github.com/NixOS/nix/pull/10592
-    builtins.warn or (
-      let
-        mustAbort = builtins.elem (builtins.getEnv "NIX_ABORT_ON_WARN") [
-          "1"
-          "true"
-          "yes"
-        ];
-      in
-      # Do not eta reduce v, so that we have the same strictness as `builtins.warn`.
-      msg: v:
-      # `builtins.warn` requires a string message, so we enforce that in our implementation, so that callers aren't accidentally incompatible with newer Nix versions.
-      assert builtins.isString msg;
-      if mustAbort then
-        builtins.trace "evaluation warning: ${msg}" (
-          abort "NIX_ABORT_ON_WARN=true; warnings are treated as unrecoverable errors."
-        )
-      else
-        builtins.trace "evaluation warning: ${msg}" v
-    );
-}

machines/netconf/netaccess01.nix

@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  dgn-hardware.model = "EX2300-48P";
+  dgn-isp = {
+    enable = true;
+    AP = [
+      "ge-0/0/0"
+      "ge-0/0/1"
+      "ge-0/0/2"
+      "ge-0/0/3"
+      "ge-0/0/4"
+      "ge-0/0/5"
+    ];
+    admin-ip = "fd26:baf9:d250:8000::2001/64";
+  };
+  dgn-interfaces = {
+    # netcore02
+    "xe-0/1/0".ethernet-switching = {
+      interface-mode = "trunk";
+      vlans = [ "all" ];
+    };
+
+    # debug management
+    "me0".inet.addresses = [ "192.168.42.6/24" ];
+  };
+}

machines/netconf/netcore01.nix

@@ -0,0 +1,36 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  dgn-hardware.model = "EX2300-48P";
+  dgn-isp = {
+    enable = true;
+    admin-ip = "fd26:baf9:d250:8000::100f/64";
+  };
+  dgn-profiles."hypervisor" = {
+    interfaces = [
+      "ge-0/0/0"
+      "ge-0/0/1"
+      "ge-0/0/2"
+      "ge-0/0/3"
+      "ge-0/0/4"
+      "ge-0/0/5"
+      "ge-0/0/6"
+      "ge-0/0/7"
+    ];
+    configuration.ethernet-switching = {
+      interface-mode = "access";
+      vlans = [ "hypervisor" ];
+    };
+  };
+  dgn-interfaces = {
+    "xe-0/2/0".ethernet-switching = {
+      interface-mode = "trunk";
+      vlans = [ "all" ];
+    };
+
+    # debug management
+    "me0".inet.addresses = [ "192.168.2.2/24" ];
+  };
+}

machines/netconf/netcore02.nix

@@ -2,76 +2,41 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-let
-  #TODO: meta
-  vlansPlan = {
-    "uplink-cri".id = 223;
-
-    "admin-core" = {
-      id = 3000;
-      l3-interface = "irb.0";
-    };
-    "admin-ap".id = 3001;
-    "users".id-list = [
 {
-        begin = 3045;
-        end = 4094;
-      }
-    ];
-
-    "ap-staging".id = 2000;
-  };
-  #TODO: additionnal module (always the same for APs)
-  AP-staging = {
-    poe = true;
-    ethernet-switching = {
-      interface-mode = "access";
-      vlans = [ "ap-staging" ];
-    };
-  };
-in
-{
-  vlans = vlansPlan;
   dgn-hardware.model = "EX2300-48P";
+  dgn-isp = {
+    enable = true;
+    AP = [
+      # H1-00
+      "ge-0/0/0"
+      "ge-0/0/1"
+      "ge-0/0/2"
+      "ge-0/0/3"
+      "ge-0/0/4"
+      "ge-0/0/5"
+      # H1-01
+      "ge-0/0/6"
+      "ge-0/0/7"
+      "ge-0/0/8"
+      "ge-0/0/9"
+      "ge-0/0/10"
+      "ge-0/0/11"
+      # H1-02
+      "ge-0/0/12"
+      "ge-0/0/13"
+      "ge-0/0/14"
+      "ge-0/0/15"
+      "ge-0/0/16"
+      "ge-0/0/17"
+    ];
+    admin-ip = "fd26:baf9:d250:8000::1001/64";
+  };
   dgn-interfaces = {
-    # "ge-0/0/0" = AP-staging;
-    # "ge-0/0/1" = AP-staging;
-    # "ge-0/0/2" = AP-staging;
-    # "ge-0/0/3" = AP-staging;
-    "ge-0/0/4" = AP-staging;
-    # "ge-0/0/5" = AP-staging;
-    # "ge-0/0/6" = AP-staging;
-    # "ge-0/0/7" = AP-staging;
-    # "ge-0/0/8" = AP-staging;
-    # "ge-0/0/9" = AP-staging;
-    # "ge-0/0/10" = AP-staging;
-    # "ge-0/0/11" = AP-staging;
-    # "ge-0/0/12" = AP-staging;
-    # "ge-0/0/13" = AP-staging;
-    # "ge-0/0/14" = AP-staging;
-    # "ge-0/0/15" = AP-staging;
-    # "ge-0/0/16" = AP-staging;
-    # "ge-0/0/17" = AP-staging;
-
     # oob
     "ge-0/0/42".ethernet-switching = {
       interface-mode = "trunk";
       vlans = [ "all" ];
     };
-    # AP de test
-    "ge-0/0/43" = {
-      poe = true;
-      ethernet-switching = {
-        interface-mode = "access";
-        vlans = [ 4000 ];
-      };
-    };
-    # uplink oob
-    "ge-0/0/46".ethernet-switching = {
-      interface-mode = "access";
-      vlans = [ 222 ];
-      rstp = false;
-    };
     # ilo
     "ge-0/0/47".ethernet-switching = {
       interface-mode = "access";
@@ -95,9 +60,9 @@ in
     };
     # netcore01 (Potos)
     "xe-0/1/2".ethernet-switching = {
-      interface-mode = "access";
+      interface-mode = "trunk";
       vlans = [
-        "ap-staging"
+        "all"
       ];
     };
     # uplink
@@ -106,8 +71,7 @@ in
       vlans = [ "uplink-cri" ];
     };
 
-    # management
+    # debug management
     "me0".inet.addresses = [ "192.168.42.6/24" ];
-    "irb".inet6.addresses = [ "fd26:baf9:d250:8000::1001/64" ];
   };
 }

machines/nixos/bridge01/network.nix

@@ -3,8 +3,17 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-_:
+{
-
+  pkgs,
+  utils,
+  lib,
+  ...
+}:
+let
+  inherit (lib)
+    getExe'
+    ;
+in
 {
   networking = {
     useNetworkd = true;
@@ -14,14 +23,28 @@ _:
     firewall.allowedUDPPorts = [ 67 ];
   };
 
-  systemd.network = {
+  systemd = {
+    services."arp-resolve-router" = {
+      wantedBy = [ "systemd-networkd.service" ];
+      after = [ "systemd-networkd-wait-online.service" ];
+      bindsTo = [ "systemd-networkd-wait-online.service" ];
+      serviceConfig.ExecStart = utils.escapeSystemdExecArgs [
+        (getExe' pkgs.iputils "ping")
+        "-c"
+        1
+        "10.120.33.245"
+      ];
+
+    };
+    network = {
+      wait-online.anyInterface = true;
       networks = {
-      "10-eno1" = {
+        "10-enp1s0f0" = {
-        name = "eno1";
+          name = "enp1s0f0";
+          # description = "To the switch";
           networkConfig = {
             VLAN = [
               "vlan-admin"
-            "vlan-uplink-oob"
             ];
 
             LinkLocalAddressing = false;
@@ -30,7 +53,21 @@ _:
             IPv6AcceptRA = false;
             IPv6SendRA = false;
           };
-        # address = [ "192.168.222.1/24" ];
+        };
+
+        "10-eno1" = {
+          name = "eno1";
+          # description = "Uplink cri";
+          address = [
+            "10.120.33.246/30"
+            "129.199.195.158/32"
+          ];
+          routes = [
+            {
+              PreferredSource = "129.199.195.158";
+              Gateway = "10.120.33.245";
+            }
+          ];
         };
 
         "10-vlan-admin" = {
@@ -54,11 +91,6 @@ _:
             "192.168.222.1/24"
           ];
         };
-
-      "10-vlan-uplink-oob" = {
-        name = "vlan-uplink-oob";
-        networkConfig.DHCP = "ipv4";
-      };
       };
 
       netdevs = {
@@ -67,17 +99,8 @@ _:
             Name = "vlan-admin";
             Kind = "vlan";
           };
-
           vlanConfig.Id = 3000;
         };
-
-      "10-vlan-uplink-oob" = {
-        netdevConfig = {
-          Name = "vlan-uplink-oob";
-          Kind = "vlan";
-        };
-
-        vlanConfig.Id = 500;
       };
     };
   };

machines/nixos/bridge01/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "bridge01" ]
   [
     # List of secrets for bridge01

machines/nixos/build01/nix-builder.nix

@@ -5,6 +5,7 @@
 {
   pkgs,
   lib,
+  dgn-keys,
   meta,
   ...
 }:
@@ -12,6 +13,14 @@
   config = {
     dgn-access-control.users = lib.genAttrs meta.organization.groups.nix-builder (u: lib.singleton u);
 
+    # FIXME(Raito): this should really go into `dgn-access-control` but I don't
+    # know what is the desired architecture for it. Leaving it for the people with opinions™.
+    users.groups.nix-builders = { };
+    users.users = lib.genAttrs meta.organization.groups.nix-builder (u: {
+      extraGroups = [ "nix-builders" ];
+      openssh.authorizedKeys.keys = dgn-keys.getBuilderKeys u;
+    });
+
     security.pam.loginLimits = [
       {
         domain = "*";
@@ -43,6 +52,10 @@
       nrBuildUsers = 128;
 
       settings = {
+        trusted-users = [
+          "@wheel"
+          "@nix-builders"
+        ];
         keep-outputs = false;
         keep-derivations = false;
         use-cgroups = true;

machines/nixos/build01/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "build01" ]
   [
     "forgejo_runners-token_file"

machines/nixos/compute01/_configuration.nix

@@ -25,6 +25,7 @@ lib.extra.mkConfig {
     "kanidm"
     "librenms"
     "mastodon"
+    # "netbox"
     "nextcloud"
     "ollama-proxy"
     "outline"

machines/nixos/compute01/dgsi/default.nix

@@ -40,6 +40,7 @@ let
       ps.gunicorn
       ps.psycopg
       ps.django-compressor
+      ps.django-htmx
       ps.django-import-export
 
       # Local packages
@@ -157,6 +158,8 @@ in
           DGSI_ARCHIVES_ROOT = "/var/lib/django-apps/dgsi/archives";
           DGSI_ARCHIVES_INTERNAL = "_archives";
 
+          DGSI_STAFF_GROUP = "grp_bureau@sso.dgnum.eu";
+
           DGSI_DATABASES = builtins.toJSON {
             default = {
               ENGINE = "django.db.backends.postgresql";

machines/nixos/compute01/extranix/default.nix

@@ -4,7 +4,9 @@
 
 {
   lib,
+  meta,
   sources,
+  dgn-keys,
   ...
 }:
 let
@@ -37,7 +39,7 @@ in
         "DGNum Infrastructure" =
           let
             # prefer a non-patched nixpkgs
-            infra-nixpkgs = (import "${hive-root}/hive.nix").meta.nixpkgs { };
+            infra-nixpkgs = (import "${hive-root}/bootstrap.nix").pkgs;
             infra-modulesPath = "${infra-nixpkgs.path}/nixos/modules/";
           in
           {
@@ -45,7 +47,7 @@ in
               "modules/generic"
               "modules/nixos"
             ];
-            ignored-modules = import "${infra-modulesPath}/module-list.nix" ++ [
+            ignored-modules = (import "${infra-modulesPath}/module-list.nix") ++ [
               "${sources.agenix}/modules/age.nix"
               "${sources.arkheon}/module.nix"
               "${sources."microvm.nix"}/nixos-modules/host"
@@ -53,20 +55,18 @@ in
               { system.stateVersion = "25.05"; }
             ];
             specialArgs = {
-              inherit sources;
+              inherit meta sources;
-              lib = infra-nixpkgs.lib // {
+              modulesPath = builtins.storePath infra-modulesPath;
-                inherit (lib) extra;
-              };
-              modulesPath = infra-modulesPath;
               pkgs = infra-nixpkgs;
+              inherit (infra-nixpkgs) lib;
               name = "nodeName";
               nodeMeta = {
                 nix-modules = [ ];
                 admins = [ ];
                 adminGroups = [ ];
               };
-              meta = {
+              dgn-keys = dgn-keys // {
-                organization.groups.root = [ ];
+                getNodeAdmins = _: [ ];
               };
             };
             path-translations = [

machines/nixos/compute01/grafana/default.nix

@@ -2,7 +2,12 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-{ config, ... }:
+{
+  config,
+  pkgs,
+  meta,
+  ...
+}:
 
 let
   host = "grafana.dgnum.eu";
@@ -62,6 +67,27 @@ in
           auto_assign_org_role = "Admin";
         };
       };
+
+      declarativePlugins = import ./plugins.nix { inherit pkgs; };
+
+      provision = {
+        enable = true;
+
+        datasources.settings.datasources = [
+          {
+            name = "VictoriaLogs";
+            type = "victoriametrics-logs-datasource";
+            access = "proxy";
+            url = "http://${meta.network.storage01.netbirdIp}:9428";
+          }
+          {
+            name = "VictoriaMetrics";
+            type = "victoriametrics-metrics-datasource";
+            access = "proxy";
+            url = "http://${meta.network.storage01.netbirdIp}:8428";
+          }
+        ];
+      };
     };
 
     postgresql = {

machines/nixos/compute01/grafana/plugins.nix

@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2025 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ pkgs, ... }:
+
+builtins.map pkgs.grafanaPlugins.grafanaPlugin [
+  {
+    pname = "victoriametrics-logs-datasource";
+    version = "0.14.3";
+    zipHash = "sha256-g/ntmNyWJ9h/eYpZ0gqiESvVfm2fU6/Ci8R7FHIV7AQ=";
+  }
+
+  {
+    pname = "victoriametrics-metrics-datasource";
+    version = "0.13.1";
+    zipHash = "sha256-n1LskeOzp32LZS3PcsRh8FwQVBFVlzczfO2aGbEClSo=";
+  }
+]

machines/nixos/compute01/kanidm/default.nix

@@ -14,12 +14,10 @@ let
   inherit (lib)
     attrValues
     catAttrs
-    concatLists
     escapeRegex
     concatStringsSep
     mapAttrs'
     nameValuePair
-    unique
     ;
 
   domain = "sso.dgnum.eu";
@@ -83,25 +81,16 @@ in
       ) meta.organization.members;
 
       groups =
-        {
+        (lib.extra.genFuse (id: { "vlan_${builtins.toString (4094 - id)}".memberless = true; }) 850)
+        // {
           grp_active.members = catAttrs "username" (attrValues meta.organization.members);
+          grp-ext_cri.memberless = true;
         }
         // (mapAttrs' (
           name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
         ) meta.organization.groups)
         // (mapAttrs' (
-          name:
+          name: srv: nameValuePair "grp-admin_${name}" { members = builtins.map usernameFor srv.admins; }
-          {
-            admins ? [ ],
-            adminGroups ? [ ],
-          }:
-          nameValuePair "grp-admin_${name}" {
-            members = unique (
-              builtins.map usernameFor (
-                admins ++ (concatLists (builtins.map (group: meta.organization.groups.${group}) adminGroups))
-              )
-            );
-          }
         ) meta.organization.services);
 
       # INFO: The authentication resources declared here can only be for internal services,
@@ -155,7 +144,10 @@ in
           displayName = "Netbox [Inventory]";
           enableLegacyCrypto = true;
           originLanding = "https://netbox.dgnum.eu";
-          originUrl = "https://netbox.dgnum.eu/oauth/complete/oidc/";
+          originUrl = [
+            "https://netbox.dgnum.eu/oauth/complete/oidc/"
+            "https://netbox-v2.dgnum.eu/oauth/complete/oidc/"
+          ];
           preferShortUsername = true;
 
           scopeMaps.grp_active = [
@@ -163,6 +155,12 @@ in
             "profile"
             "email"
           ];
+
+          scopeMaps.grp-ext_cri = [
+            "openid"
+            "profile"
+            "email"
+          ];
         };
 
         dgn_outline = {

machines/nixos/compute01/kanidm/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-(import ../../../../../keys).mkSecrets
+(import ../../../../../keys.nix).mkSecrets
   [ "compute01" ]
   [
     "kanidm-password_admin"

machines/nixos/compute01/netbox.nix

@@ -0,0 +1,74 @@
+# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  config,
+  lib,
+  nixpkgs,
+  ...
+}:
+
+let
+  EnvironmentFile = [ config.age.secrets."netbox-environment_file".path ];
+in
+
+{
+  services = {
+    netbox = {
+      enable = true;
+      package = nixpkgs.nixos.unstable.netbox_4_1;
+      secretKeyFile = "/dev/null";
+      listenAddress = "127.0.0.1";
+      plugins = p: [ p.netbox-qrcode ];
+      settings = {
+        ALLOWED_HOSTS = [ "netbox-v2.dgnum.eu" ];
+        REMOTE_AUTH_BACKEND = "social_core.backends.open_id_connect.OpenIdConnectAuth";
+        PLUGINS = [ "netbox_qrcode" ];
+        PLUGINS_CONFIG = {
+          netbox_qrcode = {
+            custom_text = "DGNum. contact@dgnum.eu";
+            font = "Tahoma";
+          };
+        };
+      };
+
+      extraConfig = lib.mkForce ''
+        from os import environ as env
+
+        SECRET_KEY = env["SECRET_KEY"]
+
+        SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env["NETBOX_OIDC_URL"]
+        SOCIAL_AUTH_OIDC_KEY = env["NETBOX_OIDC_KEY"]
+        SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
+      '';
+    };
+  };
+
+  systemd.services = {
+    netbox.serviceConfig = {
+      inherit EnvironmentFile;
+
+      TimeoutStartSec = 600;
+    };
+
+    netbox-housekeeping.serviceConfig = {
+      inherit EnvironmentFile;
+    };
+
+    netbox-rq.serviceConfig = {
+      inherit EnvironmentFile;
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "netbox" ];
+
+  dgn-web.simpleProxies.netbox = {
+    inherit (config.services.netbox) port;
+    host = "netbox-v2.dgnum.eu";
+    vhostConfig.locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
+  };
+
+  # dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ];
+  # dgn-backups.postgresDatabases = [ "netbox" ];
+}

machines/nixos/compute01/nextcloud.nix

@@ -76,7 +76,7 @@ in
       database.createLocally = true;
       configureRedis = true;
 
-      autoUpdateApps.enable = true;
+      autoUpdateApps.enable = false;
 
       settings = {
         overwriteprotocol = "https";

machines/nixos/compute01/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "compute01" ]
   [
     # List of secrets for compute01
@@ -22,6 +22,7 @@
     "librenms-environment_file"
     "mastodon-extra_env_file"
     "mastodon-smtp-password"
+    "netbox-environment_file"
     "nextcloud-adminpass_file"
     "nextcloud-s3_secret_file"
     "outline-oidc_client_secret_file"

machines/nixos/geo01/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "geo01" ]
   [
     # List of secrets for geo01

machines/nixos/geo02/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "geo02" ]
   [
     # List of secrets for geo02

machines/nixos/hypervisor01/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifer: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "hypervisor01" ]
   [
 

machines/nixos/hypervisor02/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifer: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "hypervisor02" ]
   [
 

machines/nixos/hypervisor03/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifer: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "hypervisor03" ]
   [
 

machines/nixos/rescue01/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "rescue01" ]
   [
     # List of secrets for rescue01

machines/nixos/storage01/_configuration.nix

@@ -23,6 +23,8 @@ lib.extra.mkConfig {
     "peertube"
     "prometheus"
     "redirections"
+    "victorialogs"
+    "victoriametrics"
   ];
 
   extraConfig = {

machines/nixos/storage01/garage.nix

@@ -14,12 +14,14 @@ let
     "lanuit.ens.fr"
     "simi.normalesup.eu"
     "pub.dgnum.eu"
+    "actes-administratifs.dgnum.eu"
   ];
 
   buckets = [
     "monorepo-terraform-state"
 
     "banda-website"
+    "actes-administratifs-website"
     "castopod-dgnum"
     "hackens-website"
     "nuit-website"

machines/nixos/storage01/prometheus.nix

@@ -17,9 +17,9 @@ let
     lib.mapAttrsToList (
       node:
       { config, ... }:
-      lib.optional config.dgn-node-monitoring.enable {
+      lib.optional config.dgn-monitoring.exporters.enable {
         targets = map (p: "${node}.dgnum:${builtins.toString p}") (
-          builtins.attrValues config.dgn-node-monitoring.ports
+          builtins.attrValues config.dgn-monitoring.exporters.ports
         );
         labels = {
           host = node;

machines/nixos/storage01/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "storage01" ]
   [
     # List of secrets for storage01

machines/nixos/storage01/victoria-metrics.nix

@@ -1,20 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
-#
-# SPDX-License-Identifier: EUPL-1.2
-
-let
-  host = "victoria-metrics.dgnum.eu";
-  port = 9099;
-in
-
-{
-  services.victoriametrics = {
-    enable = true;
-
-    listenAddress = "127.0.0.1:${builtins.toString port}";
-  };
-
-  dgn-web.simpleProxies.victoria-metrics = {
-    inherit host port;
-  };
-}

machines/nixos/storage01/victorialogs.nix

@@ -0,0 +1,22 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ meta, name, ... }:
+
+let
+  port = 9428;
+in
+
+{
+  services.victorialogs = {
+    enable = true;
+
+    flags = {
+      retentionPeriod = "4w";
+      httpListenAddr = "${meta.network.${name}.netbirdIp}:${builtins.toString port}";
+    };
+  };
+
+  networking.firewall.interfaces.wt0.allowedTCPPorts = [ port ];
+}

machines/nixos/storage01/victoriametrics.nix

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ meta, name, ... }:
+
+let
+  port = 8428;
+in
+
+{
+  services.victoriametrics = {
+    enable = true;
+
+    flags = {
+      # INFO: We keep the data for 2 years (24 months)
+      retentionPeriod = "24";
+      httpListenAddr = "${meta.network.${name}.netbirdIp}:${builtins.toString port}";
+    };
+  };
+
+  networking.firewall.interfaces.wt0.allowedTCPPorts = [ port ];
+}

machines/nixos/tower01/secrets/secrets.nix

@@ -2,7 +2,8 @@
 #
 # SPDX-License-Identifer: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "tower01" ]
   [
+
   ]

machines/nixos/vault01/_configuration.nix

@@ -12,6 +12,7 @@ lib.extra.mkConfig {
   enabledServices = [
     # List of services to enable
     "k-radius"
+    "monitoring"
     "networking"
     "ups"
     "ulogd"

machines/nixos/vault01/monitoring/default.nix

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  imports = [
+    ./victorialogs.nix
+  ];
+}

machines/nixos/vault01/monitoring/victorialogs.nix

@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ meta, ... }:
+
+let
+  port = 9428;
+in
+
+{
+  services = {
+    nginx = {
+      enable = true;
+      streamConfig = ''
+        server {
+          listen 10.0.253.1:${toString port};
+          listen ${meta.network.vault01.netbirdIp}:${toString port};
+          proxy_pass 127.0.0.1:${toString port};
+        }
+      '';
+    };
+    victorialogs = {
+      enable = true;
+
+      flags = {
+        retentionPeriod = "52w";
+        httpListenAddr = "127.0.0.1:${builtins.toString port}";
+      };
+    };
+  };
+
+  networking.firewall.interfaces = {
+    wt0.allowedTCPPorts = [ port ];
+    vlan-admin-ap.allowedTCPPorts = [ port ];
+  };
+}

machines/nixos/vault01/networking.nix

@@ -59,12 +59,6 @@ let
             LinkLocalAddressing = "no";
             DHCPServer = "yes";
           };
-          dhcpServerConfig = {
-            SendOption = [
-              # FIXME: should be removed, it's used only for tests
-              "26:uint16:1378" # send MTU to users
-            ];
-          };
           linkConfig = {
             Promiscuous = true;
             MTUBytes = 1500;
@@ -115,7 +109,6 @@ let
     vlan-admin = {
       Id = 3000;
       address = [ "fd26:baf9:d250:8000::1/64" ];
-      networkConfig.linkConfig.MTUBytes = 1500;
     };
 
     vlan-admin-ap = {
@@ -130,7 +123,6 @@ let
           IPv6SendRA = true;
           DHCPServer = "yes";
         };
-        linkConfig.MTUBytes = 1500;
         ipv6Prefixes = [
           {
             AddressAutoconfiguration = false;
@@ -311,10 +303,12 @@ in
           ];
           script = ''
             if ping -c 1 8.8.8.8 > /dev/null || ping -c 1 1.1.1.1 > /dev/null; then
+              echo network is up
               ${lib.concatMapStringsSep "\n  " (
                 { interfaceName, ... }: "networkctl up ${interfaceName}"
               ) userVlans}
             else
+              echo network is down
               ${lib.concatMapStringsSep "\n  " (
                 { interfaceName, ... }: "networkctl down ${interfaceName}"
               ) userVlans}
@@ -344,26 +338,68 @@ in
       ] ++ userVlans;
       nftables = {
         enable = true;
-        tables.nat = {
+        tables = {
+          nat = {
             family = "ip";
             content = ''
               chain postrouting {
                 type nat hook postrouting priority 100;
-              ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.157
+                ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 snat ip to 129.199.195.130-129.199.195.157
-              ether saddr { e0:2e:0b:bd:97:73, e8:d5:2b:0d:fe:4a } snat to 129.199.195.130 comment "Elias"
-              ether saddr { 1c:1b:b5:14:9c:e5, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
-              ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
-              ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"
               }
             '';
           };
+          filter = {
+            family = "inet";
+            content = ''
+              chain forward {
+                type filter hook forward priority filter; policy accept;
+                ct state vmap {
+                  invalid: drop,
+                  established: accept,
+                  related: accept,
+                  new: jump forward_decide,
+                  untracked: jump forward_decide,
+                };
+              }
+              chain forward_decide {
+                # Block access to vpn
+                ip daddr {
+                  10.10.17.0/30,
+                  100.80.0.0/16,
+                } jump forward_reject;
+
+                # And administrative vlans
+                ip6 daddr {
+                  fd26:baf9:d250::/48,
+                } jump forward_reject;
+
+                # These are being deployed, and so are not trusted
+                ip saddr 10.0.255.0/24 jump forward_reject;
+
+                # We only forward for ISP clients and our stuff
+                ip saddr != 10.0.0.0/16 jump forward_reject;
+
+                # Can talk to us
+                ip daddr 10.0.0.0/27 accept;
+
+                # Not others nor CRI
+                ip daddr 10.0.0.0/8 jump forward_reject;
+              }
+              chain forward_reject {
+                reject with icmpx type admin-prohibited;
+              }
+            '';
+          };
+        };
       };
       firewall = {
         allowedUDPPorts = [
           67
           1194
         ];
-        checkReversePath = false;
+        # FIXME: I dont't remember why it's here, and it doesn't seems right
+        # comes from https://git.dgnum.eu/DGNum/infrastructure/commit/411795c664374549e5e831722a80180b51fbf0d5
+        # checkReversePath = false;
       };
     };
 

machines/nixos/vault01/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "vault01" ]
   [
     # List of secrets for vault01

machines/nixos/vault01/ulogd/default.nix

@@ -57,4 +57,13 @@
       fi
     '';
   };
+  environment.defaultPackages = [
+    (pkgs.callPackage ./fill-vlan_prefixes.nix {
+      inherit (config.networking) vlans-info;
+      postgresql = config.services.postgresql.package;
+    })
+    (pkgs.callPackage ./nat-request-daddr.nix {
+      postgresql = config.services.postgresql.package;
+    })
+  ];
 }

machines/nixos/vault01/ulogd/fill-vlan_prefixes.nix

@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  lib,
+  writeShellApplication,
+  writeText,
+  vlans-info,
+  postgresql,
+}:
+let
+  inherit (lib) concatMapStringsSep;
+  sql-script = writeText "vlan-filling.sql" ''
+    DROP TABLE IF EXISTS vlan_prefixes;
+    CREATE TABLE vlan_prefixes (
+      vlan_id smallint PRIMARY KEY UNIQUE NOT NULL,
+      prefix inet NOT NULL
+    );
+    INSERT INTO vlan_prefixes VALUES
+      ${concatMapStringsSep ",\n  " (
+        {
+          vlan,
+          netIP,
+          prefixLen,
+          ...
+        }:
+        "(${toString vlan}, inet '${netIP}/${toString prefixLen}')"
+      ) vlans-info}
+    ;
+  '';
+in
+writeShellApplication {
+  name = "fill-vlan_prefixes";
+  runtimeInputs = [ postgresql ];
+  text = ''
+    psql -d ulogd -U ulogd -f ${sql-script}
+  '';
+}

machines/nixos/vault01/ulogd/nat-request-daddr.nix

@@ -0,0 +1,35 @@
+# SPDX-FileCopyrightText: 2025 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  writeShellApplication,
+  postgresql,
+}:
+writeShellApplication {
+  name = "nat-request-daddr";
+  runtimeInputs = [ postgresql ];
+  text = ''
+    TARGET_TIMESTAMP=$2
+    TARGET_PREFIX=$1
+    psql -d ulogd -U ulogd -c "
+      select
+        vlan_id,
+        reply_ip_daddr_str as used_ip,
+        reply_l4_dport as used_port,
+        orig_ip_daddr_str as daddr,
+        orig_l4_dport as dport,
+        flow_start_sec, flow_end_sec
+      from ulog2_ct
+      join vlan_prefixes on ulog2_ct.orig_ip_saddr_str <<= vlan_prefixes.prefix
+        where
+        -- if we don't have conn start, we considered it started before the target time
+        ( flow_start_sec IS NULL or flow_start_sec <= $TARGET_TIMESTAMP )
+        and
+        -- similar for conn end
+        ( flow_end_sec IS NULL or flow_end_sec >= $TARGET_TIMESTAMP )
+        and
+        orig_ip_daddr_str <<= inet '$TARGET_PREFIX'
+      ;"
+  '';
+}

machines/nixos/web01/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "web01" ]
   [
     # List of secrets for web01

machines/nixos/web01/wordpress/default.nix

@@ -61,6 +61,18 @@ in
 
         languages = [ pkgs.wordpressPackages.languages.fr_FR ];
       };
+
+      "npr.wp.dgnum.eu" = {
+        themes = {
+          inherit (wp4nix.themes) twentytwentyfive;
+        };
+
+        plugins = {
+          inherit (wp4nix.plugins) user-role-editor;
+        };
+
+        languages = [ pkgs.wordpressPackages.languages.fr_FR ];
+      };
     };
   };
 

machines/nixos/web02/_configuration.nix

@@ -13,7 +13,8 @@ lib.extra.mkConfig {
   enabledServices = [
     # List of services to enable
     "cas-eleves"
-    "kadenios"
+    # "kadenios"
+    "django-apps"
   ];
 
   extraConfig = {
@@ -21,7 +22,7 @@ lib.extra.mkConfig {
     dgn-access-control.users.root = [ "thubrecht" ];
 
     # Disable monitoring
-    dgn-node-monitoring.enable = false;
+    dgn-monitoring.enable = false;
 
     # Enable Postgres databases
     services.postgresql = {

machines/nixos/web02/django-apps/default.nix

@@ -0,0 +1,22 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  imports = [
+    ./kadenios.nix
+  ];
+
+  services.django-apps = {
+    enable = true;
+
+    webhook = {
+      domain = "web02.dj-hooks.dgnum.eu";
+
+      nginx = {
+        enableACME = true;
+        forceSSL = true;
+      };
+    };
+  };
+}

machines/nixos/web02/django-apps/kadenios.nix

@@ -0,0 +1,66 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, ... }:
+
+{
+  services.django-apps.sites.kadenios = {
+    source = "https://git.dgnum.eu/DGNum/kadenios";
+    branch = "production";
+    domain = "vote.dgnum.eu";
+
+    nginx = {
+      enableACME = true;
+      forceSSL = true;
+    };
+
+    webHookSecret = config.age.secrets."webhook-kadenios_token".path;
+
+    overlays.nix-pkgs = [
+      # Required packages
+      "authens"
+      "django-background-tasks"
+      "django-bulma-forms"
+      "django-translated-fields"
+      "loadcredential"
+
+      # Dependencies
+      "python-cas"
+    ];
+
+    dependencies = ps: [
+      ps.authens
+      ps.django
+      ps.django-background-tasks
+      ps.django-bulma-forms
+      ps.django-translated-fields
+      ps.gunicorn
+      ps.loadcredential
+      ps.markdown
+      ps.networkx
+      ps.numpy
+      ps.psycopg
+    ];
+
+    environment = {
+      KADENIOS_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
+      KADENIOS_EMAIL_USE_SSL = true;
+      KADENIOS_FROM_EMAIL = "Kadenios <vote@infra.dgnum.eu>";
+      KADENIOS_SERVER_EMAIL = "kadenios@infra.dgnum.eu";
+    };
+
+    credentials = {
+      SECRET_KEY = config.age.secrets."dj_kadenios-secret_key_file".path;
+      EMAIL_HOST_PASSWORD = config.age.secrets."dj_kadenios-email_password_file".path;
+    };
+
+    extraServices.tasks = {
+      script = "python3 manage.py process_tasks";
+
+      serviceConfig = {
+        WorkingDirectory = "/var/lib/django-apps/kadenios/source";
+      };
+    };
+  };
+}

machines/nixos/web02/kadenios/default.nix

@@ -1,190 +0,0 @@
-# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
-#
-# SPDX-License-Identifier: EUPL-1.2
-
-{
-  config,
-  lib,
-  pkgs,
-  sources,
-  ...
-}:
-
-let
-  inherit (lib) mapAttrsToList optionals;
-
-  host = "vote.dgnum.eu";
-  port = 9888;
-
-  python3 =
-    let
-      nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
-    in
-    pkgs.python3.override {
-      packageOverrides = _: _: {
-        inherit (nix-pkgs)
-          authens
-          django-background-tasks
-          django-browser-reload
-          django-bulma-forms
-          django-translated-fields
-          loadcredential
-          ;
-      };
-    };
-
-  pythonEnv =
-    {
-      debug ? false,
-    }:
-    python3.withPackages (
-      ps:
-      [
-        ps.django
-
-        ps.gunicorn
-
-        ps.markdown
-        ps.numpy
-        ps.networkx
-        ps.psycopg
-
-        ps.authens
-        ps.django-background-tasks
-        ps.django-bulma-forms
-        ps.django-translated-fields
-        ps.loadcredential
-      ]
-      ++ (optionals debug [
-        ps.django-browser-reload
-        ps.django-debug-toolbar
-      ])
-    );
-
-  manage = pkgs.writeShellApplication {
-    name = "kadenios-manage";
-
-    runtimeInputs = path ++ [
-      config.systemd.package
-      pkgs.util-linux
-    ];
-
-    text = ''
-      MainPID=$(systemctl show -p MainPID --value django-kadenios.service)
-
-      nsenter -e -a -t "$MainPID" -G follow -S follow python ${sources.kadenios}/manage.py "$@"
-    '';
-  };
-
-  staticDrv = pkgs.stdenv.mkDerivation {
-    name = "kadenios-static";
-
-    src = sources.kadenios;
-
-    nativeBuildInputs = [ (pythonEnv { debug = true; }) ];
-
-    configurePhase = ''
-      export KADENIOS_STATIC_ROOT=$out/static
-      export KADENIOS_DEBUG=true
-      export CREDENTIALS_DIRECTORY=$(pwd)/.credentials
-    '';
-
-    doBuild = false;
-
-    installPhase = ''
-      mkdir -p $out/static
-      python3 manage.py collectstatic
-    '';
-  };
-
-  environment = builtins.mapAttrs (_: builtins.toJSON) {
-    KADENIOS_ALLOWED_HOSTS = [ "vote.dgnum.eu" ];
-    KADENIOS_STATIC_ROOT = staticDrv;
-    KADENIOS_DATABASES = {
-      default = {
-        ENGINE = "django.db.backends.postgresql";
-        NAME = "kadenios";
-      };
-    };
-    KADENIOS_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
-    KADENIOS_EMAIL_USE_SSL = true;
-    KADENIOS_FROM_EMAIL = "Kadenios <vote@infra.dgnum.eu>";
-    KADENIOS_SERVER_EMAIL = "kadenios@infra.dgnum.eu";
-  };
-
-  path = [ (pythonEnv { }) ];
-in
-
-{
-  environment.systemPackages = [ manage ];
-  systemd.services = {
-    django-kadenios = {
-      description = "ENS simple voting server";
-      wantedBy = [ "multi-user.target" ];
-      after = [
-        "network.target"
-        "postgresql.service"
-      ];
-
-      serviceConfig = {
-        DynamicUser = true;
-        LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
-          SECRET_KEY = config.age.secrets."kadenios-secret_key_file".path;
-          EMAIL_HOST_PASSWORD = config.age.secrets."kadenios-email_password_file".path;
-        };
-        StateDirectory = "django-kadenios";
-        User = "kadenios";
-      };
-
-      inherit environment path;
-
-      script = ''
-        python3 ${sources.kadenios}/manage.py migrate
-        gunicorn app.wsgi --pythonpath ${sources.kadenios} -b 127.0.0.1:${builtins.toString port} --workers=2 --threads=4
-      '';
-    };
-
-    django-kadenios-tasks = {
-      description = "Background tasks worker for Kadenios";
-
-      wantedBy = [ "multi-user.target" ];
-      after = [
-        "network.target"
-        "postgresql.service"
-        "django-kadenios.service"
-      ];
-
-      serviceConfig = {
-        DynamicUser = true;
-        LoadCredential = mapAttrsToList (name: value: "${name}:${value}") {
-          SECRET_KEY = config.age.secrets."kadenios-secret_key_file".path;
-          EMAIL_HOST_PASSWORD = config.age.secrets."kadenios-email_password_file".path;
-        };
-        StateDirectory = "django-kadenios";
-        User = "kadenios";
-        WorkingDirectory = sources.kadenios;
-      };
-
-      inherit environment path;
-
-      script = ''
-        python3 manage.py process_tasks
-      '';
-    };
-  };
-
-  dgn-web.simpleProxies.kadenios = {
-    inherit host port;
-    vhostConfig.locations."/static/".root = staticDrv;
-  };
-
-  services.postgresql = {
-    ensureDatabases = [ "kadenios" ];
-    ensureUsers = [
-      {
-        name = "kadenios";
-        ensureDBOwnership = true;
-      }
-    ];
-  };
-}

machines/nixos/web02/secrets/secrets.nix

@@ -2,11 +2,13 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "web02" ]
   [
     # List of secrets for web02
+    "bupstash-put_key"
     "cas_eleves-secret_key_file"
-    "kadenios-secret_key_file"
+    "dj_kadenios-secret_key_file"
-    "kadenios-email_password_file"
+    "dj_kadenios-email_password_file"
+    "webhook-kadenios_token"
   ]

machines/nixos/web02/secrets/webhook-kadenios_token

@@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA miVq8rZazx0Y0NYZklZh8ITlY7fOTwbPsAPcHwvJ3jI
+Vs0xx9ulk2++7+DfD+HqhISSvYMtuSJIs9zyGlnW8Wk
+-> ssh-ed25519 QlRB9Q z5TQpHovWNJ+Dq4GEcPfByMpTcTojIamJbU3kNKlmHQ
+U+ZFJ/0TVcfo85xAWYqcnzpMfU0KcY8QJ8jqWlyt1U0
+-> ssh-ed25519 r+nK/Q l5oBCnALC2HSoszpawrJZZUEFHjjGwei4Fd1Y+f7OjI
+PLgEu00ItWIbT3ZSNioZ3oXwBBVQTD/wf8I8akEDNWs
+-> ssh-rsa krWCLQ
+2rt9GmpSxUJSArSOlXKQscrApgLLIWuTo/IXensBP1uCnrpLl4IdcpEJNTs7wtZq
+h4OLCaLDoZvB3ZT3k+CXXXeBqLqz1DdBGo08RgfcUADTsm2Z9LsEyLo0GtHGEFjw
+m1r/VF8githDxaEK52+znr1FG8CE7+DBQAU9ZydhKKjjFS7ckDHw0qFXyGqpyWk4
+KnL7FGPX2z07V3nwauElDbaD1LLt0xHhqqEjmiRskhE2UU6q35IrLyKFHC1VHsFy
+ItsONTu8lDiqXSi7Z5b5Iv+iAWWTtt/glTv3WFa8u7CIahuZIfemr8NzjD2Z+Vxh
+yOEqBKyVgz8sFh1U7CgxCg
+-> ssh-ed25519 /vwQcQ dcnBNyypzMkxHwh76v7bKhGckPjIOL2vP2aDWhB8WxQ
+tTxcMXcLrFhD7u2xTOhsjWErSiCOfsVIDZgJldVePMw
+-> ssh-ed25519 0R97PA stdF6UFkWDCwNUAv+aAetpku7O9XRvtaxafCjok9yhI
+gXVXcwlY4Xue9WGk+WlByXvSgMju+VWKTBTXIngWYvE
+-> ssh-ed25519 JGx7Ng e+Ux4HK63pAM4scQCi4wHTUmo28z105Ok59dlki0OS8
+ulkU6zhXNpa3OswEC005BZ/YIExPysg25a4/O60fcWQ
+-> ssh-ed25519 bUjjig SEnDWloeuVgCGLUJNvsBL1HPYJGBSBhqdDngkQk+KiE
+MYL9SudJNuFyS4Inaod2Xxldi3d/kDwlIT9rVWs8vFc
+-> ssh-ed25519 IY5FSQ TO9BPLBwdlqyKXOBiohCzfZWrTDwqhLjZYeq9rZgH2c
+7Hqrqe+A3wg11H3wg9Cd+6F7mDwsLpzoh70sba32gCw
+-> 1DV;-grease
+9Ul6qKgH063H/HI1op+Gyk2+JRUGHwRG/SlOPTAnvBtq7xEy7yrR4lblBK8bcJNY
+lwmI4xOokAnIveVaPS8SAig
+--- GpJyGpk3QxJljiR6FZw8hdX0dXvEAIPZEZpL6oorLcM
+}­o÷ÕŸ¦‘A¹qç ™Ò™ö>áp™€M Õ¬Ía“zþƒÍT VVƒvI«f®<17>!>µ\Ö-þèÿ

machines/nixos/web03/django-apps/bocal.nix

@@ -8,7 +8,7 @@
   services.django-apps.sites.bocal = {
     source = "https://git.dgnum.eu/DGNum/www-bocal";
     branch = "main";
-    domain = "bocal.webapps.dgnum.eu";
+    domain = "bocal.cof.ens.fr";
 
     nginx = {
       enableACME = true;
@@ -50,8 +50,7 @@
     };
 
     environment = {
-      BOCAL_ALLOWED_HOSTS = [ "bocal.webapps.dgnum.eu" ];
+      BOCAL_RHOSTS_PATH = "/users/guests/bocal/.rhosts";
-      BOCAL_RHOSTS_PATH = "/var/lib/django-apps/bocal/.rhosts";
     };
   };
 }

machines/nixos/web03/django-apps/ernestophone.nix

@@ -42,6 +42,7 @@
 
     credentials = {
       SECRET_KEY = config.age.secrets."dj_ernestophone-secret_key_file".path;
+      ACCOUNT_CREATION_PASS = config.age.secrets."dj_ernestophone-password_file".path;
     };
   };
 }

machines/nixos/web03/django-apps/gestiobds.nix

@@ -7,8 +7,8 @@
 {
   services.django-apps.sites.gestiobds = {
     source = "https://git.dgnum.eu/DGNum/gestioCOF";
-    branch = "django-apps";
+    branch = "bds-prod";
-    domain = "gestiobds.webapps.dgnum.eu";
+    domain = "gestion.bds.ens.fr";
 
     nginx = {
       enableACME = true;
@@ -46,6 +46,8 @@
 
     credentials = {
       SECRET_KEY = config.age.secrets."dj_gestiobds-secret_key_file".path;
+      SYMPA_PASSWORD = config.age.secrets."dj_gestiobds-sympa_password_file".path;
+      SYMPA_USERNAME = config.age.secrets."dj_gestiobds-sympa_username_file".path;
     };
   };
 }

machines/nixos/web03/django-apps/gestiocof.nix

@@ -11,8 +11,8 @@ in
 {
   services.django-apps.sites.gestiocof = {
     source = "https://git.dgnum.eu/DGNum/gestioCOF";
-    branch = "cof-staging";
+    branch = "cof-prod";
-    domain = "gestiocof.webapps.dgnum.eu";
+    domain = "cof.ens.fr";
 
     nginx = {
       enableACME = true;
@@ -98,6 +98,9 @@ in
       HCAPTCHA_SECRET = config.age.secrets."dj_gestiocof-hcaptcha_secret_file".path;
       HCAPTCHA_SITEKEY = config.age.secrets."dj_gestiocof-hcaptcha_sitekey_file".path;
       KFETOPEN_TOKEN = config.age.secrets."dj_gestiocof-kfetopen_token_file".path;
+      SYMPA_PASSWORD = config.age.secrets."dj_gestiocof-sympa_password_file".path;
+      SYMPA_USERNAME = config.age.secrets."dj_gestiocof-sympa_username_file".path;
+      EMAIL_HOST = config.age.secrets."dj_gestiocof-email_host_file".path;
     };
 
     environment = {
@@ -112,6 +115,7 @@ in
       GESTIOCOF_CORS_ALLOWED_ORIGINS = [
         "https://${config.services.django-apps.sites.gestiocof.domain}"
       ];
+      GESTIOCOF_SERVER_EMAIL = "gestion@cof.ens.fr";
     };
 
     extraServices.worker = {
@@ -122,6 +126,26 @@ in
         SupplementaryGroups = [ "redis-gestiocof" ];
       };
     };
+    timers = {
+      rappel-negatifs = {
+        script = ''
+          python3 manage.py sendrappelsnegatifs
+        '';
+        startAt = "*-*-* 1,13:17:19";
+      };
+      rappel-bda = {
+        script = ''
+          python3 manage.py sendrappels
+        '';
+        startAt = "*-*-* 2,14:17:19";
+      };
+      manage-reventes = {
+        script = ''
+          python3 manage.py manage_reventes
+        '';
+        startAt = "*-*-* *:01..56/5:29";
+      };
+    };
   };
 
   services.redis.servers.gestiocof = {

machines/nixos/web03/django-apps/gestiojeux.nix

@@ -8,7 +8,7 @@
   services.django-apps.sites.gestiojeux = {
     source = "https://git.dgnum.eu/DGNum/gestiojeux";
     branch = "production";
-    domain = "gestiojeux.webapps.dgnum.eu";
+    domain = "jeux.cof.ens.fr";
 
     nginx = {
       enableACME = true;

machines/nixos/web03/redirections.nix

@@ -6,6 +6,7 @@
   dgn-redirections = {
     permanent = {
       "www.ernestophone.ens.fr" = "ernestophone.ens.fr";
+      "www.cof.ens.fr" = "cof.ens.fr";
     };
   };
 }

machines/nixos/web03/secrets/dj_bocal-secret_key_file

@@ -1,30 +1,33 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA HF+w4Kuk7Wo2s94SeNxAB3zFZhKNn1fPabJhUK/xGH0
+-> ssh-ed25519 jIXfPA w23oZwRdOmR6ZmJ/u1UVJX3aDjvFlP9J/0DX421EzTk
-KY5tknNrICYq0HTfNRX760OPyWPJ8B4Sasq8BjN9a6k
+GwBhoK4pLMph83ufQSh/DaKtDsQv2Vc/31kN4ahx1O0
--> ssh-ed25519 QlRB9Q OGcCe/S1aIQckJGzt4Wz+DFebTZpNV+YCevnVOPDMXQ
+-> ssh-ed25519 QlRB9Q bx2P8KY31nlurmjEsq6rOGz4RivuubPRr/pwJi8vZR4
-keDckjD4Vjhj3gmQnW0V8nJ1Soubkhb9WP28fsanhMA
+pHUYj6nCuQfv9Y6oJmLqmIWw9rSrb7YgFIGh4/DDBxk
--> ssh-ed25519 r+nK/Q lO6xwuhfQ6gMlJzFBF5J9c2elEg1J3leAt5x1uTYGSk
+-> ssh-ed25519 r+nK/Q xX3R7A7Pq+l98C/4rDzZfLa5IyoW4mS1RXCg8jmCVBg
-HQG0VQXvn72CIOqe6FRGrSX8TIa7sBB3cOZZQzXBl8w
+pZZ91CQNMfv+A9nUGM7FCHt79YsEIP8SA4UZ7NmIYyg
 -> ssh-rsa krWCLQ
-pvF18GVS3dHr2jiss4sn00UqVVM2f/6BmkpYMgAVQ3FNpgnimQGsgCssuBo3Hjrc
+JSYdRpvAP/pb8v9Rviw+DcwTGmlVbes8LNW/Hjjc3eKNYT6f5TR56Ma0C+ZXA8hC
-BTO4v2U6cQ28LTUsruWdPhRChT0zfGRtx1QIn0tPzy3XKUxjt2XkBeblxtLhCHmI
+BiEoDyvV631v7jf1NQENWgOrx8kIaMlJyJlndEUviFesoUXvBsrRVxZkPo9+q8gm
-muQ0yA15bP+aQfZn0dE1Eb4krw1unKWE4f82L/BQ5Y/i1P2rubhyBhBoQRb6atHv
+2jx8uLxRlq04fIh39YOcxayNPU6ZE0k4iV5Sv8bgNdPPsiSDPEcoGh4ptB/L7PqC
-S2EWBafaNr3orbFl9FPMjhWW3WZX/zKJxlu0saN88I6ZU2967mdR4PogMpL9iqST
+qa73mSskFsWLMdkhlF2PmobhFYBbJw76ekctHK4enABJR0wnpw76MB/1xaRysO0Z
-atraraA1jG6mR9Ojloyrf8FG6wTlplDlZk8Sgtg88FD1iHMN1q0DQv1LwRoD3QUa
+cE1yXy0TKPeQ6tBs+TgEbWPdjs7q2cCe78Cx14ob/bDTrSxn1VXxlTSEa+jZ8ES2
-ywIn9MABMufNXQ+jm/DQpw
+aRJM0RnnbulZJMu8vD+ztw
--> ssh-ed25519 /vwQcQ 83MxgOJhIBBGU6IRcTQPtxtyR4MapAxhdKT634w/em4
+-> ssh-ed25519 /vwQcQ +etnXlMmCofk42qEtdvIZyzpdGPTUR44Ur3rNiYpqQY
-scNxodN5j1HXOIPCB3glvc08Gb4wW9gmZ5gkWMCbm4E
++h+hNOOJHWXi4vqsBDudgiQ3BPHVOA1bl+R4d5zCs2g
--> ssh-ed25519 0R97PA LBFUS7zx26+rjiWqVwQ4UBqRxr+3Sx+j+GGrRaBbz08
+-> ssh-ed25519 0R97PA VuTnbuLdQANqvVDvIEOJVFWh3IgOKLHXROxSCx5E0C0
-fnFwvJz36SiKnEoJr+0+enNVcT7wduZUrYe7bWhyxfE
+euVIt58WGFPxL5IgE0Stce7q9MaQCLkWOGpLyxhszJk
--> ssh-ed25519 JGx7Ng iXjAn4Y7+yHASx4ZbIrvFffLzgX52DbQy9hIcTScHAs
+-> ssh-ed25519 JGx7Ng /1DGw0uUQ99aDlw5AdNIKZNZbRSXoxCwJZU4iotnMVA
-6AJZoV33mBryiCaquKTAkw8yB1NQs38QlG2p4LIcoMc
+v9B+dF8KmmVLjYh7IT61p757x+CeJQ0qY+kU69Ced3s
--> ssh-ed25519 bUjjig 0cqMXUVHqhyYhygR7meIyWRr/c7H8ZGB5eO7tTHhRUk
+-> ssh-ed25519 bUjjig tvi0aragAV8TvSAvVVYwgAe4D/iFPy8Hmo5BFIiMigc
-GYKKGB02ElJXpObmBJKF4Bvoswd3o83vvVYIHIpDprg
+ixKZkBQDFDoM3ntd43TPb5gzQmJKiuYHuPRvh+wlLwg
--> ssh-ed25519 VQSaNw xHhzKnYeKxrN2MJz84v7Mjg3Nh69UJ6Q/eAyVAvC3V0
+-> ssh-ed25519 ZIo4kw 4mpL5GIsgcXQH3+DTwo1wBO2IGtwqYX71sSj3HRTUD8
-/bvauGesQw9/tl4DhCNFY9Rq+qWv12O4TcqzdxTCWzk
+FyiH/fpn6rFmw6L1nbxqnlEQwHdgq2kacvkl4dDSpDA
--> T:){{-grease NuQ <}vLGT%
+-> ssh-ed25519 9/PCvA rwGsoEUqcUK/bj0wpo/2GIcPgJPdUCs/y/0MacBXlTQ
-0JSFYPMWs6LXpWacfiHNdwqvs/eHecFwj6cg0eLZEQe96shxy8/WSUBMpgasKufB
+4IRzAh7PgafkdUGOoUnTFZwQwpupt+09tNCuMQPtNow
-Nc4tpfiOVWVRGm4arhunwJ+1sgg37X35PWde89Qpg5g
+-> ssh-ed25519 VQSaNw if6Cp0uuuBCn5/sIEhhiD3Xa3MGOgxNhpA5jk/sNaxk
---- Y6N6GuCpRLdD25EWW+05qbUAadrT3z2Pzc5golCBHJw
+tZLZbxe2EswPA2DOzm1XILWxPJOfvtQEBb3J/g7gOdg
-ßNê¯3'8ú³€@/¨0,zWêS¦‘ï;ßñì)§e<C2A7>ßÉïèÞí
+-> p0A#yj-grease
-qMj’ÏŒrçHB–ÇR2šš–E2H+d­%
¶Ò–®
+GR/rBHQQMBRnEs3FdKUmaxDXNLeZuXXftbiAi+6dzv4SsZoJ5oqi4UKivc5DYLfO
+C8GywA
+--- XSYpA1AoDYYWRAjVBKAfn9s/nI7d6hE2j57BKVdMQ5Q
+#žSõ/éž5Õn%
´ªžô‰w9E‹Œ@Ø­¨¦TüMƒýP»?â…œ¡˜(<28>PGrj4$*<2A>Cû èü8´‡¤ô¥Jpt=H`Âî½n‚

machines/nixos/web03/secrets/dj_ernestophone-password_file

@@ -1,28 +1,32 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA kBFUMktUZ09T8ujSXHRIo4OIWxIiwysmRv+UTiH+02M
+-> ssh-ed25519 jIXfPA EsnCV2WNHwC5zZpIqMiOnpixioiS32MkPW2gvPW0hlA
-TvefF7CMKZIASBYaVQA22PzLr2rgZ3i7Q8ENBOmpQmI
+SdJ0CVIn+xIw851NfAVq2xi4eyIkjE5OBSjWjmXMbrA
--> ssh-ed25519 QlRB9Q 0R2BthIX790DAiL36WPOemUa04tOnN0Drpg6u72j7UE
+-> ssh-ed25519 QlRB9Q pSqgkPUwNF0ahPyz+bRXfnJqlhiis8+JLtGVXMJFkGs
-nFGbwKZvSXo0SpO8AMfAGcZkphcXhX+GoFxYwadNzwQ
+gEovHZ0L9Hf0FxITH7Pw82GmtpSry9AttmYyzOget/g
--> ssh-ed25519 r+nK/Q cs+vGq5RzK/AogpcGjRG3KZjl4fp2Ghhv2ngHjTdvlE
+-> ssh-ed25519 r+nK/Q abHRhq9gLkRJZnW16AkJUNkuDkFx6ZEgcfcPKD7qkl8
-AyXbgDlQbe3HurX7lodUrMZyRSWADSFWmTndnHjh0dY
+TZOo2qI9wtTr5EFyLa7XwcNu9t4TiBTjYFfDcXF5WzY
 -> ssh-rsa krWCLQ
-AnU8JBZXw8xIHA3L+220wCHwddC51Fx+sQx58tYsFg7eVH1NM2PKUr57a7+0KlxH
+NiW6aPN5sW1w8AWe66x5wkyJTYPnPqlmPdwkRMH62Z9rdRGoplPaThh46N1F7iSN
-TkIDMUuBotY4QPA0tzv212wnWaTw9ddV+T+Xe+l7JNyurCQRj1g1gWP3NLYIyYFC
+R7YfTRNy/xcSq612Wf1PbEGtcaEBU4snLwBUMxzgCEf7lLebnBFEv+wM46c6M4Vh
-i/eXHg3XxByQG1BfBSL2nnUEiy6eJ2bLMFsJ9P6baB6hpdEnoFIuGdV4Bg3k/KGl
+sRHm7LJP4EIFtC/OVi4Po3AOxnzWie6sgMtwVO1dxA92F52ANJm85+S9v4LyKf6B
-Zp+Q1a7Ov0l/G7sRCw4WLQtq59otI2lxeKRSonCqSNOmDXyZBr82GMr/BmhebtK4
+3j1CTlQnST4Jz+NFR1lIWkAzawQkrObj1XNw0JjAH5cCFPNX8KJwGPPtRaw6qdE2
-h19K+EXU+Ze57lUf2kDCe0b4RSHbSGU1T1fSEMNcXFV0952r6zO9YClTsQeKl+ev
+NN6boxJRuw015LFoT2REg8hFUj9mvKi1CF7zzAorlU8U5tGsTzWopFaz8sw6uw1e
-1O7xqUhcRXgFUbDYRjTsLw
+hnLDEWU79TB/Ytc9mk+VgQ
--> ssh-ed25519 /vwQcQ AtEImZ61sgC2OzZvDldY7ttRf9I5+zmL2I7hZkmBoTY
+-> ssh-ed25519 /vwQcQ uGDPoAidrjD4YOahlB14fECk3q7JYAgK2U3AwiTZp3Q
-zQiLX4L6t+jZqzAJmN7iuRTeadD1jbs3E/NZZj/25UA
+VMBSpbWgh9/+vNsxb31DztSAmuXQ2OT8PhGY8e5oEyg
--> ssh-ed25519 0R97PA JVheI/2kfdkqgM5Jf/py32lyYLtWjpmcx4zkHYMZl3g
+-> ssh-ed25519 0R97PA dneC7N5KN3lOt+tf+SBVHac5PiFuzah+kxPCL7taES0
-z/+qXmvziQo8yZ6f+2y5XVDv6d/uAghCVDQ9tpLXt54
+2ax/oATQ3RCZJrwa6rhRFjP/Pb83SE/K/JqzkDe4q5s
--> ssh-ed25519 JGx7Ng 41ZgklG6LmM5Mk6BkGWAf8N3j1safWPBKBAHKN2EQG0
+-> ssh-ed25519 JGx7Ng e+gbiPqeQvqH5SsMLtJjO1Yamqf/T3zMx9sZP/lE1WM
-yOiGIHkyoMFI6NQMLCZavCaz+qxAy9jhf+vctWQ2z4k
+ZaLKy2fNia1FOO/8McmHLCTs7mU02UhIEcfnWR8Rmo0
--> ssh-ed25519 bUjjig 0o9QkwuPZPOl/db1sQ9YL50DL1uyZqQ6ICxMEIupQ20
+-> ssh-ed25519 bUjjig YG96Anu4XdeqjveqgPKBg9DXRgQWzbZyqUh4zyp7NW8
-FwFbAYzLUNwoAQNcbcwWckhqRSEicQTe4O4BMK7wHyg
+XOW98Ncs7wa8+J7bdcni1BTvi0yt157YsqS37SyE1UE
--> ssh-ed25519 VQSaNw iaWBGmaWmBxMJILFyob6CyVXyY24edPtT2itTQGP7xM
+-> ssh-ed25519 ZIo4kw 0bsqX9eZWnobso+67zX7mv4NZHN0iLJgREpEAjsSog8
-EGmCuYElC5EgwqXtcXLAy7nNFt75Hl/gAehvfh+0sgg
+chztA4fSI+l/hFC1JG/I8csRjW6nRL5nD8H2BIvKhtc
--> /Wa)P<iw-grease (;ag_e g#LM+oA Y n(M-1K+.
+-> ssh-ed25519 9/PCvA u1TmEMmSAY01VT5KSkHIeGZyFR/AjO04fbdaQMOzWUU
-lWfOmA
+KgNuPOluctxdmyoRQKGhxzUdM+lJYijOTZTppx1x8Ig
---- k01yU9ZR8KIyG0JEfcYoP4iBlvqq7J676oPfDLpbvfs
+-> ssh-ed25519 VQSaNw y6+jgJvBopK1AkLk+FRsd1hOKyYhU3udCmpSqH73F2Y
-ÎD—èŒ<C3A8>Ptáçø4Õ•?6”N|ÐïZƒ³åM/œqo¨[ÄNä
+qZyA/Fe6kxaIaYBtEWdIt69phdcpPgPr6hvHslYGZV8
+-> ~Ef{]c0-grease ]bzX}@u' 23 } pjfN*GE
+cHkSTFWSdWHGclY
+--- 9GRqhQV1hb50rv2MYPgyJBP6eEm5KQUEUNqJnMMMx/0
+j	…
·!½DÚ'×­(ã°<C3A3>!³€É݈ço&Þˆo)ü½Ô~Ñå

machines/nixos/web03/secrets/dj_ernestophone-secret_key_file

@@ -1,29 +1,33 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA hAdsxHTIT08JvDQGzY0Vz+Jxd48Kw3XNpf6TEjiGiTc
+-> ssh-ed25519 jIXfPA iQr5+V3ESwwPQ0N5TWvKPQllxl51JbvY1pQ/LWFoGRM
-hZgLRBDGwpfIFMhTRExY6JJ0poJ+nqrBK8Fy3ukINFI
+mmPi5TEsoKaqqCNR9wFOW9m/ZO+LybILeAr0IltAA6A
--> ssh-ed25519 QlRB9Q AyfmPVVcb9WVzrbyh2KdPQMwPypQ0uq3q6kkPFcMyjw
+-> ssh-ed25519 QlRB9Q uWG5fTIkrcvoZPwTjeUIvUBb9SSw/tqLVXQ5EgPEpA4
-S2h//+6MMnUiBWrznI/1+qS83Gw1vpFmU8Hlma40bdA
+NxUobR435SRYhgtfqeL4nCTyBimMFQDeHkv1EXxyeW0
--> ssh-ed25519 r+nK/Q 741XzH0HZf/y8HR1AQIn+qgn0+L+2kcdPsepRcXx7w8
+-> ssh-ed25519 r+nK/Q mWebzwprS5rda66lWzpTXkeLBJ1cQr92jt1IKiGuhmI
-5aNoPnRTYHB5FTXipQV+8C/s8t1s5/ZF9PwnJfYy8bM
+s5C7BIJioGzDafwDDsBBEy9FfSDLhVI8loGPMI59ITE
 -> ssh-rsa krWCLQ
-HhSOliN7XQZngyyrJ++S2JMBytkPjSt/dEUlJNbJP5n6HY5H7QKqd9rsc4LLu/Hz
+O0u81IdCYXC/caM9tEUD21d06Uq+AEaUWauHd3T4uBzx6k8KxZQsXL7FlmpyHMQy
-BXKC9T3IVeuabMPNOBhE6SiOUejGv/txbMHPMdPTCju6JL4wP/2gqIK696kP62pL
+jWKX3lni54qWZqyGi3AVBWwrdT3C59vAUUtOPsR9BdhuETjuNhUVgOQhfygbpNTP
-CAS/cOZXrHS8etEFkpqSuEVquNIXbivXNHEwFMH/GkNut0SCpafvQHrN1wZdveH5
+Z+1xv/H+6iY4iaijkneUqjO+Zf8XzNiBjV1jxAEgVSMAYfYi2IUKaNGfTCxsf7z6
-rp60R9ULzTzS3ztjEomAt9gWN6s7CtqZEozCMExPTXSW+OmBJprY+/Ae/uxeKZMS
+FbcOZiwKffzF9ml3jRbi0zacy2YfBVA3HLtr0G2konocqB2blx0yQx+CUN66vODT
-x6pscBbZSEazZ476sZCWKTpeej7iFlSrIvLfkwYn9PtKqmaInoM/0F2thkqpVPkZ
+Dg2Rvjvxj/UILT6DHfhSEienmIyRVcEV4FMyDRAqVnSWvY+5rQu7Q193lsdwxu1V
-/pcg11dUQpXJdaIiPEowlg
+imAsspRLp7cLTHO13E7HEQ
--> ssh-ed25519 /vwQcQ m01BxY0nPTfcW0D/iFRbCNbFFp+lE/XLW315aPyNbTM
+-> ssh-ed25519 /vwQcQ D7UkEEde5wt6JLVwgw09YpI1jda5PpseNb3/oYXeuxY
-hiKCfZH9k5GcUAkCJ/+x5V20SCeql8031lOge0Y9WXk
+mAyubu6vZt9WGQz7LN66OFLysMJnggQM3Lzp1WL2WIw
--> ssh-ed25519 0R97PA oGfUKErY65Jd0ZlcVox/HXA3itOI5KImRqDwH+UR6XI
+-> ssh-ed25519 0R97PA KELROPFrMKhwm6qZa3pDGUwL46djU6KXuEvvJdvPVTY
-32BtXjqImmG6TjUKoDU2QaJiMxldZdZoAP9SKPfGuHA
+TLnuP2JD9KWnJyFG/TniJ7SZA8MwEGWRm/slgexr6Ws
--> ssh-ed25519 JGx7Ng FJCtkG+Ig5dC+ftTClgrKtIt/D8s9Dr97eWObbNEZDs
+-> ssh-ed25519 JGx7Ng frq2JO+UyHShB9/ho6SSO4gpm1x5gsT/FWNcce4FejI
-i6tf7p5FDsdTZMJuBNmcTgVnL6eQDZFkjjH7AaBakqE
+0yjxhYvLi6BJCV04liQ8EUfvd/QQDfvQW/+69k81SLI
--> ssh-ed25519 bUjjig mOfri52IdeSNAawjBR5rhvL2eZNlVOwYK6u1uHv98xw
+-> ssh-ed25519 bUjjig V8kyKJYS7AEddNQ/A1dDofL72gZhQx8S7CWXXDhO11M
-nx0Ko3omL+OVq3JHuCIacYfjn96kb78IgyvECEGq0G4
+70GSlCUdlM1C2TtWO34E/AeP6ESA2q/2hiRsG3yKa5M
--> ssh-ed25519 VQSaNw gEQeKOEwwR8QlykdFlo7iqrsmhemiS02v8Kfx2ER9Xc
+-> ssh-ed25519 ZIo4kw Q9v6Hj82FPt0vOADqZZvrA1C5zw5Xi54TdkWFQhY1GY
-jpAEZx64/AXpA8HahtJq9OdcZYbqIFti5mxaPztvul8
+/bbWn0eVMOcKMuxhSlHL5YNBAdNGkOEWDtKFbXfl5kI
--> $5-grease (y&6%5f<
+-> ssh-ed25519 9/PCvA umec3ZH6etHJWPhH350dg89jPisIen+g+V1biOk8uQg
-YSrHrNaXa7b7Ivv1yVP3idg8t4iIdu5NX3hzczFp64bY7Bjp/g7jK+bWnDG26ryd
+nrkdFNMpVaeYmxaXh9f5ZBwxjdPoCbbB0NMIGP6rgJA
-G+fhmUbFuDj8ZtXg6yk
+-> ssh-ed25519 VQSaNw jcBuMSisYemI6teXpAXmIfzmkCnQRUhzR02oIED7mw4
---- YmnVS7kPp6h4pC9u28A32/xh67NwhIXwB1dxolI1DCg
+mRPa20AN2KGqp5Sh5rxqMbTLCd6N3eNNNKRzu1TrBN8
-.¼Zs‡…n}®ì,èémõR€ÏêeÞ)¾bOª¶<C2AA>îնܷ†m8¼z£RyúìT/¦@¿CÜÝôW™¨F5ˆ?<ð.[Ö†r¡Ó[°M
+-> ;yNT#P-grease bzX
+MQVFOK4d6Iy4B1TtfEhvVM1nNBec24na1BPH++gbZE1n1dHxyy65O998u1oVml/V
+3PBkae5UTR62Hm/2oSTih/TIfGRSzT+MrjxzkRAxsWFaS+wNx3I8J3/kXg
+--- cevd2eHQSfWzGNPVrJB3XVoqxblBsDQEKKQn2HtbFBc
+¾‡ÃŽÌ¿ì+^FdÎÍ<C38E>†Õ^yGx·í$åF7<öŽT»¶˜.ƒ0µ	³ºOÇ'“â9ÕŽIxÕ³³›ï_ŠóTÎŽ')“†<E2809C>Ý

machines/nixos/web03/secrets/dj_gestiobds-sympa_username_file

@@ -0,0 +1,32 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA BPmZDRfAOk4XKTzCbDP6g5A5rBkiPT3XYNJ7VYi4zDU
+hpR40ckBN8fDmn1zJ1gsOIPNAL1nQQSjOykfC8Wmvlo
+-> ssh-ed25519 QlRB9Q VR4c0MXH8TqfVl/jt1H+c7N1YZxforsbwfUdbaftwgI
+P0ID0YN8g0q80gCNVy8/CesgfyNM8Hgju/YFBNNc7i4
+-> ssh-ed25519 r+nK/Q 1LnsAqB3OHqlvvaGxYZFvU8Oa9Xvjrp01sUDjVOO8Bw
+Z4N53ptx9ezp5Z0e8wglFN9YsTC2Wx+xcyWphqEN+SQ
+-> ssh-rsa krWCLQ
+uLQNwGSU9U64PTg0FB+C0NbM50mCsPY7QZTOe6JU45KRB6QaxMPRFTf/XoAmKd6Z
+LiwXSODmuufSqBHT10ORDC20VHVY/5jE0OwDbO3PQNMOxSqlbDDrD6HKONESIvwt
++xRK5QvALr9qtOUQIRdIZWR62IfJpeCHsw/GAuyqGDoQiY35QXU3+54RImQXbdul
+7EcZDkuPORUN5mLkcwD6Qal3LlsvppvuzbiMoM2Uf+V95l+uye4b60mr3tcuyu50
+/j9Kw2bcw8/3mRxvHHIm12VkWJ7RxOKh3ZyqENOovCVAjTFjFg2WNaTQgjQyz6Q2
+u/Y04YgwM20W+RfZVwy0fA
+-> ssh-ed25519 /vwQcQ VBfJjQvfTB2egyV6ROWec4PHogtHvA/NwDsTIAghEyM
+XCJUP4HyX3VTPcJie0UlCckTb6xH6t2UtRnYy8iAiVo
+-> ssh-ed25519 0R97PA 4XLCUKQqhwcSNlGPPux5x5SaQJngLXtxnEzhvZnaYFs
+i33YipEo+eCmsPXHUSJUSRcVPy0icME7p/IHfsfH3v4
+-> ssh-ed25519 JGx7Ng hwjq+ArsRBw5hzQqWjdiAiYcgdKtEnOARCW8bKx5WhU
+hKTFWUBIEL1yA90AxvP/zKCzslhX6f+uKBbAiONyKRM
+-> ssh-ed25519 bUjjig eN6ZA6ZFTAvw6ybUhpULEliCF3ylYolKoc7Q4qNb9QE
+irRbRPuK5DbNedgrl1zdvlsekKbr6uTrYQSZToUnuPs
+-> ssh-ed25519 ZIo4kw YC9n67JcDrrXEvCxScfic1XxAp3p+FhMYs5f+gwMDiA
+mpQSeWFRedr3N0NVx1mZIfyHvYBSPlvSkX4aS180qO4
+-> ssh-ed25519 9/PCvA 9z1Q3HCLVVGoCRs/o95lPay8tpF3AkQCsTFoH6pYPVs
+kLQufNXzg5Ilhu+AnXg0q7O//cG99k6XUQFfeV3xBpI
+-> ssh-ed25519 VQSaNw P5JHIXN0XRL76iZ2D9h9qIszcJ4iU7Nkl4loTEAk9yg
+ggCMz8DLzprbo26Pg1EPmsDVAD9TxNq70N3pve3SdgI
+-> 0-grease F:o
+uui5Q+g
+--- 6FFZScIxri+ww/0vzMlzRMdyiFY+wP7E5b78FK1XTSs
+ﾈXﾒ
-<2D>=餃撈卲$gﾟ棚S艫ﾅT@*暈ｰ瞠<EFBDB0>ﾆﾚ4｡

machines/nixos/web03/secrets/dj_gestiocof-email_host_file

@@ -0,0 +1,33 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA OokbMT7prPJZJjF0p6QIntLClz6D2sMUbe01RUW3BCI
+hI25+2VNfhSLlXbJpvlU+Jv2SnFHOONDHU69Fb5X1AA
+-> ssh-ed25519 QlRB9Q pvt/09oGgvlSl3KnJ5WjE+Eg/xD0eZNuenoz/e1SBFQ
+ijatvoxkfVhiRxBDV4Krns2LKf9fcZgFe1JqmQ6FO0c
+-> ssh-ed25519 r+nK/Q 3INSyjdy/Er/v5H9x5lqePbxq9z4O7jKg21J5sTvJxI
+Pr5Qtf6v1ubDwB+OcfaUFKnoVAQrdWlf1QVfmXE9XAY
+-> ssh-rsa krWCLQ
+lEqyOxr41HNiNbuj5Yfrk0bVyfmCCIFaRR8ooHRQt2zr/Xs4DwWuuLjaReigbcTD
+hunJFmsGO7A0kcsREIJ4PED6bIfNqau5H5iNYByVS3u/wpiFIrdMpotvcmTrcvjv
+VU6Hd8t3EPBUWr0mFYk9pySve1rjtVatt1B9dIVQoWBfSy3NGTIuzINs68Xq2gF1
+p/cUNor1kAOWm+tVJca/lthne/iulZF8+WwLOvaVM3OUS5Nkhe7tGAZ4xMoJ99UR
+X8S9PSq6k+FTaBIse86/awGqxsG+FMCQ2P0KQRcQ3Jw0gaglhMv1BfeLVkQBqV15
+X6/OD9QHft7ZJqp5bA1lbg
+-> ssh-ed25519 /vwQcQ I6wGOkDkU4zkhGi9TzQTSpt/lKcXsvMQqQL9R97DbX8
+KRdXPF7341KetuDotzj+CbzH3QvYBOUZOsuRs6fpvMs
+-> ssh-ed25519 0R97PA fzovQHEruBaBn9nbKv7GpBAZFDYqhUTvhkF9WRqmEAk
+1QKpz96s6bymkJJvA4Xiph0/76UM2VEiSEy88sJCzSg
+-> ssh-ed25519 JGx7Ng wg04iyuGrkafjDFJR8CNYx65TItIV4O+l34sWirjdEU
+x8Cd2YyQbOn53zx/SDRtxtj58S5EV7Pv5cb+2wW2n64
+-> ssh-ed25519 bUjjig 8AxapWt5E4GIz4KRFyPN0IcUVPzlnvFoO1vPWoYV5Gs
+B26oR1JGchThFOTe+op6cN05mp80wF3FaU360fneGKs
+-> ssh-ed25519 ZIo4kw WGuR+yNBVfZ1iJB0LRjCHWyFaxiEGiIqXu++1ZI3mVE
+FD3KcCScrbCrNindYkbf26kWMXCtpasHIoe+5Vr8RfM
+-> ssh-ed25519 9/PCvA YSp6DaDPkilW1Brvxbjo56fffGL+zfilYjtsQKC7aiY
+Y48wFLNgQAgFnKz9mV/1vVRUZ6K3xDgGYsQ/lhCjK04
+-> ssh-ed25519 VQSaNw U874flU9cCoV+PECaYS7M9L93kjGej6618YTGfhfnng
+T+azIdtKrZll5R66g95lvUsTmO3HI96A8PEJGqi8J7E
+-> {X-grease l2'
+fnV77WKZsp8DjL9aKhnMBmmbMoqj0c+V4i65+Omn/iCwz8rbsZoURxiiwN8cF157
+yCV8MaGVMTBFBvL73h3Sjk7hxLI
+--- TNaYRXelk5PNioHcYqgPDiKl89pF8zh2L8hdJagRsLc
+­7óTpO’dE¬H¢öšÖèp[&¬‰[‘€Õ¶VC~|·c5Í þh9

machines/nixos/web03/secrets/dj_gestiocof-hcaptcha_secret_file

@@ -1,28 +1,32 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA VBCHEBE9YkosDntw4AzwbaFHbELym9LJ+oxQObZBzzk
+-> ssh-ed25519 jIXfPA 4hjU0on/SxbPxirYIlpFSJBRjmO7S0QLPx4unF6hfUk
-vAdwHKywgVzWDupA1PmzQUOmlbaIWK1BnFk3geQ4FKM
+KwHoWosU33Q9DwOjg/6IlR84EsowxRPH8OE44c5wJAk
--> ssh-ed25519 QlRB9Q AJ/c/fKpFY3JMC340o2hyseh/j1LY1+Dt+XzIc3MqVQ
+-> ssh-ed25519 QlRB9Q krNkxhJc6YaWiKFECX6b3vrd3L2P57Mw0/78Wr3TrCk
-LBfTk6L3lZxqScbdczn7JpadvnhgCMJm5ngodRTLhNE
+UzxrrJcHKUUyBcxnT49T69fUJkwEZlvT9URxg68yMHU
--> ssh-ed25519 r+nK/Q +4i0mhlT3xpV5YZB67djkWyejam8GkZWfOtktuuCalY
+-> ssh-ed25519 r+nK/Q gqDzS83j1Borr8LCP+JlV6GjVyL3aSegvQbpWzbxLTs
-AodcJXApJz2IiJlisepnNrZPQfLiGdfczNjFttadatA
+W6t7d8ptDk+BalumIrGpgKIK4a/6PDQjx+px/Ke74T8
 -> ssh-rsa krWCLQ
-jy6jHhW4KzttqdsaB/hF03ROMYygraudW7Pya2OzBRdi2NceNOK4lYBUwHFa4fGj
+gGtH4clOsmZ29CpK3zLvr08jXo2PaOWjhtSy/7IsqwPcgIlqfnvC57jkmxLo+R7i
-ztPP2htJkKXeQlZnnZQFcI1pL26HSJ3wf+aRq3wJqM+QVLzHsJbmWTxnsHyjQQhZ
+jnvJW36vj2Z9+zdyh8R8r/bjq+obM3YejNa63CU2VUWfDMXJ6cLbH+4cvApjEHwW
-2D36inLoJaXlHeScpivyC+zphXhfwRqNqoMF+vHHErNaejcd9HSjIT5m8+2BKukX
+bU7JpA42rIuBa1yOEfwCBeGZSPejn8SE8IGVde83lidHyDbE5w11tM1uZs7p6g+p
-QCXHHUktR4m6Rvb8ruPyz/amxFOCUCqJBFtgXJu5YiQ+Ddse536JTT/so2ej+uw5
+iFAmOkJvMfeL7IySfSgKrbLArvyiJ4kKLKnq8GogbLH9K1NoEJX8AgCWW8sbl53Y
-91yDAevF7A5mh5FN61CQUth1GG/zI5augw2CZnHnZ+v7Om/k/eLStfoOZNEkK40j
+6atYFVEoBvXpNIUBUIGbIFCxg95K8t4pTLT4NJtBYPSfVajMvgfWxYb0llaP9vcF
-9TxqJEwCq/GXm5TT7P0ggA
+pXlLJXmK9R2mbUXi7q9KEA
--> ssh-ed25519 /vwQcQ RQ7rg384QaVj5MVNicokltcQHq+TAcptHSCcXYttvTQ
+-> ssh-ed25519 /vwQcQ lSlAg8d/doQev0BY20FIer1HPabfU9S6xiraYkUi1xk
-tOW+gjt+v15v7Wm+6t5KUE5Dyt/rBBOI2/iZTKe2y6E
+X5VeZeE4RBb1BmyCsUeCih+Jza8xEMtXOEorbxc3B1A
--> ssh-ed25519 0R97PA BtTIq2S+RzVdlCiwgfq/EbTvnyMQB4lpvrhGVYYzvBM
+-> ssh-ed25519 0R97PA kMMyu43xgEhvu2EQradSUio0OBPrlAHbAICkAgwZCE4
-7be7fOant5YeXECI03wCHs3fCoffewtiAFccj3gLvkQ
+5FKRscx1Pwbc2vU3P7PVeBI8H/b5Quu1kBYkBhh7+ZI
--> ssh-ed25519 JGx7Ng vDty3aWPomDC8RxsDtqMDJjov/rmVXq8keag5vbkZ2A
+-> ssh-ed25519 JGx7Ng P0S73HUrNcAPJytI06avYJNmzb4hEau1MKZYThIAV0Y
-dPcVXs6FWyzB4Hu/kOhU3covn9WX0X3xSvZb2Qs1Dns
+VD5nM4kNkBQ0ZG4tVAHEZIGgkt+CnM4ww0QR/pQIwWc
--> ssh-ed25519 bUjjig 07l6L0AumSs+4aPeL5t7xcf/WNPmVpmjYBlJOdNGczY
+-> ssh-ed25519 bUjjig P9MW9urFRjMwFZeRTQgKKLcc8gYPcKTqRYNACheuClw
-sh34ZcXDL1R8NxhHWpOrMhgItWFSLFrLkH1Wu6EuXJU
+i4d6i6UZP2hwUa/EKGCU1UFYJZSz6mGjE7o3JvkhpCY
--> ssh-ed25519 VQSaNw 4e9ahu+KLQmjpQ5iPtpCN1GnYfq8VgxfYUiFJvNe9W0
+-> ssh-ed25519 ZIo4kw 3z0osjGyfGZOZfFEG6T+oEi29zzOKVPhnwiPvzW020w
-eRcbLfNLoFcQhKj1AEfsNKhV+cNz9sCH5iEON2eSWLg
+9Wb+jrkd51SQeKN3O8OUCAdUQUldAGFe65m11/mnal0
--> :-grease |_6] 8 ik7' Ih'Sm1z(
+-> ssh-ed25519 9/PCvA qPVRQCMWfsiuBSP0uvatMcLKob51pau5r/DwZGzq1TQ
-BL/IA5FVNaAa+cgAj5DAI4GjPvAI2J4E/yqfSx1Sifal3QdClazL86cmhKg
+D9K6jGpeEJWUOzoA4UUN8AHMw5V04DeCwWfMV5QNWr4
---- xvetQPUwoScpbK37DKgs4Z4C1D2nwW4ArN3kvLG+h1s
+-> ssh-ed25519 VQSaNw t8xP6xwwZ4a0JHQEB9GwpVGUZ8v2FLBmhK/61wLGm1E
-ãKè¹Õ4ùÞFdãòŸºÌG`%iWZw:GÙ/ÙYÇžP‹Xkÿàâr+‰ÿázï¬zr=ƒtÑå0‚4Y^J	{Ië
+3PZztuUXXj2rIwHGsuXUE4MB312n8346/ItQRpZDfxk
+-> XH-grease b# H& k
+MkWCQvMT9aQ
+--- nV69zhB/4Jdx1PcW/pQwquuKqhV+AV5+fwo31uyLigE
+ﾑR~晋･ｿ;<cﾆﾏ薈dq@)ﾐ<>ｩﾃгjｫy:<3A>=<ﾎSaCﾕr銚+Qd+ｷ;dﾄ豊svﾇ,L､EnｨﾟﾋD･(ｩﾆo-

machines/nixos/web03/secrets/dj_gestiocof-kfetopen_token_file

@@ -1,29 +1,32 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA sm/tSFwOmGkQpURqhy9wfXdREiyrlzbAdqIjYWwEW0A
+-> ssh-ed25519 jIXfPA kLeGA1GrLQz8oC2ughSKkAZlSOE5FB5EaHCkWg3FtD8
-flk7NB7VQpTuBAc57Vt5gqF9ZT6y9EguRYyvbrLjCis
++DynFsHlO+mQqye5NhBBLghGN4NSvChMaYXecMFSB9w
--> ssh-ed25519 QlRB9Q mJByrZUZ0XXzP9MAYy8BYjmn7ryXIOnh4MPjovuql3w
+-> ssh-ed25519 QlRB9Q yy7I6++wiMC9xDBxyRqKyigrVfEZWuDtTklbjlum+j0
-F4hd1PJc9un5Fy1s2B4LJRKHYif3ijGCpbNjAT2ZQ7A
+8pI0hrygKrYtvyEvE/m/VYgutJZ6mMKjFks6JkeIfYM
--> ssh-ed25519 r+nK/Q FUNJ5xSccM/p87zWZkPgV9/EtbxvXMUXxrhFB3tgSCs
+-> ssh-ed25519 r+nK/Q xDOAAqSWFSvcaNqJeXz0S5O9G55GJcom6IjZiuuFdXs
-WpQUc4gGWYCQqzlINHJngZQfzm9SbZix15Shg9PvEzk
+Xbseehe8YvEWrtXw303pCLoxOJyj+ej1A7/XuRexU0g
 -> ssh-rsa krWCLQ
-aXm5L4n3CyT29X03h7FIJm2HgWO566FvmiHu4FK1v/MDk+Zc54Z6MKUwZ9R79/gA
+netYNZja5O0asbYGRQpTUfPSvo/g53Q2IGLU5Fx8b8fxEiIA3AQwaZg1wzgzfSfU
-0qtfaWyJPIR/PBPNNSs+ohCuWjq9rcwXK1VG4hryGmPBYn/tJ72esH2IOcfKi+qx
+SpSLydASjukWl4tGuQYQpVXMCXlAPTREnsl3iGf8JZGBRyc4GuVx0cCXV3LSmH9i
-15NM1QG/zAAVk81z4YgEK+tM0EFPb+rhFwCYP/6LHGm9Q3DR00GnvogQ4xtqib0c
+He1/Y7fKaOpfoYQkWsjMDpYufiEZTtBSiRYTtdE1XySqyQtsdd/gkStk5AJui6v1
-v4MObUycsLwT13EfyQ+BUEUYtnvR7uiqLeR6cK8zuv6oZuGkNymMNxM4VfekRiqt
+DhILi4FFKzXiikO8ul1/zmLSFyg8swz0VJ9vSFAK+nP+R4SasXc0NdJLyw6Vn7xF
-FLW9I0uksyUQ3wHCgy4HaNvOyyMbZGu94bPKswQSpw4b9p17sr2IbisMqt1ATUtC
++DR7gzHG3WUP+9c4LWY8pbfLvcwe5/caFtzXONU0jV7itOMpEnyDmcjfUAT1SJ3O
-lGD/IfxG4RQekRlb4zbUlQ
+ZaxS0JpWYEacqj/kNyPoEg
--> ssh-ed25519 /vwQcQ nST2EGjIu9dZBkZtAVuwDlaE6PVminESMe8Yl3KpaRQ
+-> ssh-ed25519 /vwQcQ lv1c6xd9Lj07MsJ9ErRGma/WENDa3DKFU0BPfRMtzA0
-GCaGkuXws9IKVzyBRKdY/AYQbjnHjFLoBkTZ0OYG8tA
+VFonRj0kvHwr9+2FnI9LK0Z80HoVPLb1fv2piPhcMC0
--> ssh-ed25519 0R97PA wPo6NKiibzu/JtTsb0UuYzcLSNZwSX5HxuqaVZq+YRo
+-> ssh-ed25519 0R97PA 0xVsflR1l7Tr+RxHYJDjV03cBtkN5HEPXWYCce2DMyE
-WBDggGViZZE7SdCdhSNPnt+Br4SuwzYH2e4MOxC8JPw
+F6p4PO4TbGzkO4dB9UOpkpS9wLAXMM3ev0kQc/ZvkoY
--> ssh-ed25519 JGx7Ng XElqI8fmr/W4l0EBfJz9ocs9A7rqdC9goHfJcn2mByM
+-> ssh-ed25519 JGx7Ng dRXolBjmNvpmqhhdck1a+pHET1md/YnDLGsOgaaWLnQ
-VUczeT0WgKJ8bj/PSJgYky33K5fNNtVRoRzas+GGfHw
+VS9uaxn/wH8jxduz5z4BmpsxngG6HydxPVUMLugC5Co
--> ssh-ed25519 bUjjig 3XJ81o40O3UzmBn/ID1FJ+iF4GoJDgtrVNHKyYwNNSs
+-> ssh-ed25519 bUjjig jYoJtlMUe11fZbly2pM9EPmyeN+xdCaG3TDBGn69rBY
-T97H8FT7G5SB/aQfojLt/j6i8sCVJkbpL8Nd1f4V7ks
+sFAEnPFVdt+qwi0qb4S047UqMk1CWwU/EKbEbE5cm9k
--> ssh-ed25519 VQSaNw go/NCCzU0IzLgH0xEJP8SNeJ3i8C7PImiaSdY2KsyQg
+-> ssh-ed25519 ZIo4kw KPlH0SlnaO3ogLRvDqX2eWYw2BvoyloO3IO/3G5MGy8
-W6FaBHUNkwqj8xKUOtBfUfUgVliD1NZmG+bAOWwv+bY
+CMjejAw9296aBlesgbem0fo954acGE+gZPVh33WS6XE
--> _-grease 1X_* 'y
+-> ssh-ed25519 9/PCvA /35Q4xJQiTQn4zDBdqvNOsM40y2kYHuTNRU0P09Yeks
-qYXfi/2Gr/JQ4B05upJ4KSBwGKEg7xxnG82JR51QtzWwT4zX9r0MgLand/y/DEUF
+bLGA6lQxuMYN2onRsbfS4tWBXLAVFIHvZ+S4D+V94NE
-jdyrCSlbbL/DFFCGXcv+C0BStLqnrUlUK03s8bU
+-> ssh-ed25519 VQSaNw WaVOWg3OPNFjkXxGWfkjPn5lJmbpRDLskeU/HgL/4zQ
---- ghr3+3NT3IvaUcDErgYNgaNqJTW7vTb39QcTuXZvjSI
+K8Mhr65Z3loFyO2NTRQYwFkTyOvNG1Usf7POx7UBcQg
-/yñ%¦Ùx9µy¾»drÏÑ3©}ˆeNÛÒÞHlÇä´<C3A4>š-ãºú¸ŸIÀÙý¶^Ÿg†úÆ—Ç
+-> H2k-grease 7n+C e'fuzViT #w
+bUaQJ25Xi9g
+--- cwW+MFPovm31sU8S3DqMm0NzulVqOoOZIC4NhZgXBdw
+2Õ,.súr¸§¡Øh›µ³šÈ´úÁ[*	8òy’IzK`–¢Çi7Y·A«ýÕ0ÝÈ:H,

machines/nixos/web03/secrets/dj_gestiocof-secret_key_file

@@ -1,29 +1,33 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA Ya0ezvnwZBJMO6K3WhawZnbNG4P2CYejb1WtpPhXvwY
+-> ssh-ed25519 jIXfPA Mj+RSpweX+puapfgXwuaUu7BrEG0pJj+Xiadmgf/KEI
-NuGAvK7fLUR9IhiWI6KTph0uhtvgNe5BWWFHDOT9XBs
+SVMs6gtNgL7PzB+C31EhrRWhPYWx6o/zJKud7NtVpQA
--> ssh-ed25519 QlRB9Q kNcid7FBFyrYMsoEAVHcmo9KYKkhpM6U1+DX3bqutFQ
+-> ssh-ed25519 QlRB9Q a8TA5GfNMxx0SffG51n+Zr+huoXvm+rfDZiPG0cBazs
-WMg/YJ4bkkztenjYWODhO+vkcKGaSYnI7TsZ9lkuYkk
+lRct7Cr0cfq98WzV/TmtFCfKjHTFYlYCRWsIBwWgQvk
--> ssh-ed25519 r+nK/Q qbnmIjKpxW/M35IS+kQBpiPsJpxdAacWr1oUKKHAXlE
+-> ssh-ed25519 r+nK/Q kFeJYAAzpIvp2HQNuZym2U6BC5oh9CfYoUcnu0dViiQ
-xGdpIOy7LfTSJ+5ZZPCS7I3n6onHca7w4tDnIKYIMNU
+T0Y6C+/xNj1/NRDrgyPho+JF2SdlA4BpJXoxobtV9IQ
 -> ssh-rsa krWCLQ
-0rYhCERlMqhTgQeB+9sb/MhAYL0Y7EI8tAcEvGqfHNzNxTcMCyP19zhBKRzTeEss
+GSgK4NUuQ4rZgfYdVOtLydkgWspFtceILqTTWHGVDLxT5es+Iid4ccO06mBWi9p7
-gtkeYZ75DtxzzNtgHve0dyfNHuA8/jiOVd02hcqjUbuxBM7DF1hlYWWycc8ZPcNa
+LUJYEeFhKExMS+oFa/AG3eCpsqsw4Bq62joN98R7KCHWm3fbL/H2sfmB6f1HHyIj
-odR5GdfdfoB8DmWz43zeVHK123/KfBKS1wvhoFuQWdfqBS0t541ywyCeCJ3frrx/
+BUoPxeJs6NDO6KwqJS7FnUzYq5dm+uOW7KdkhLpr4kjaSG2QlCpL0GtMPoy9wO8S
-ZszFYBW81ABKcIvNoh41EHz6izCpiFiG3jAbgC94v4nQZEKb7Z4ReiZc2/1BbDNO
+4NVZFO8oS7hHYx8eBInSj5hNv18s2f/MW+yR9VYOnvME81qhAWWK0R6GG5R4pGgw
-HzDepXvX0AHmbNJovjHe73AfmSaCM8ZkXoftOHri3bKKbI6i7SGWQsYRKTki5nuX
+RbNeMXpn25LZMlF1YQNGVG6H8qwHw+9pqJfsnSeiYou3j6Mn79BobpGo41wqC/61
-PO5OdT8CcxD5BR+jRw1A1g
+WJwuloeUC5m0CLburddxOA
--> ssh-ed25519 /vwQcQ EZ3gzL6oDYEwvvd1IIgRlXZjSqndHHN1NDy+OKJ2hls
+-> ssh-ed25519 /vwQcQ d6l740FopulLX0/HlPqhy+qpEZUbJ1zKmXfWq0wr/m0
-FJtGY9jPWh1mIVbHcE7pT7iKHBxFPj3nZWayONkMyGQ
+7AaAghPmeCpKhzXtTL3WygI28xNfevpusy31KRT5g6w
--> ssh-ed25519 0R97PA VrmvX63CtSSMr0REOz2KsEob18GlGzy+c8Fhzqce5mI
+-> ssh-ed25519 0R97PA TWlkPlYgaFQm8yDwv/Jot/VVJerPdA/ZkF7m4vsB4ng
-aaVG2dPvP1j4Ovy0KajAMOL4+POOkFckOUKK/JhDFAU
+FWaGESJf+1l2bhIOyJ3UiSE3W/olLpsMgQ4Xph7Gy+o
--> ssh-ed25519 JGx7Ng 33tYHZbrAewMIIGH2P+MNc5XgFBTqDUu02YCQDbHT1Y
+-> ssh-ed25519 JGx7Ng 6wBbc7hTwvvWu7pJ+cKx8dTvUjRgBt30h1GU+ctVSTo
-5TUDTw4qTC+sL9t/WIGIAZvW2cFLnq3CGrT3rjS+aII
+Mz8VxcpxZr0lbk7P0sA76CY6OhQuCHlOXn7ZMeYA6j4
--> ssh-ed25519 bUjjig 7gzyEL8mZX0lblumEu3WDJ293m7T5Fl0f117qBFIwmY
+-> ssh-ed25519 bUjjig qnkM/4TCTmP7XBpfS17I5mKq62eIdROnOle920ClmDc
-qgppZdyZQpCU51///+sbsIEscG8RIHWEOvxYB6xf3C4
+LxrWclVdyAh+iHrJGvviyZiboZDuq9Sy1eDjJDqXO4w
--> ssh-ed25519 VQSaNw sSsmV8dovqEWBcJ9zhRj4PbGTy3u6C3UFBIxXoALolA
+-> ssh-ed25519 ZIo4kw sn8wK7TX1viq7lqVkCtyV/BRaLnfFH/PNYZyJIYsSkU
-wdXzdDiOet65BeWO9b5XoV5HDKW9HJrImXxoIOUVlpY
+gLqKABolumlpG4kX0j+DXqE6ItqXb0USFwCeofxPg9I
--> 1-grease ){ *) $*f
+-> ssh-ed25519 9/PCvA 5oHC6vK6B0i7xOE/X3K67QkEvJNb/ANIOrTsD4nJo20
-47XqkHGvz6t7tlrZf2Eg8X3Dep1UypCHdf5j+t3wlv7CQEiJ6WY8H7fmbdrCmX/a
+vn+DfR3JEuT4/iwJoYgO5U6skJTjPSqNhMDgR8XO2JI
-6hUldJj/WjY
+-> ssh-ed25519 VQSaNw AOGX4yvO4+goAjFeS4vrUtBvKcIoYqZtAinPEQL5uic
---- nwZIzSDPV8Hne6CHgkwic5kcQdNhilGsJwqBv+axmDc
+aanxEX57O66Bl6hCeiUtSuRPiECeO1+RB3Gtiy4mLwo
-É™xÚSúÅn<C385>‡Œ>q¢õ<C2A2>ð”~·v
ë=­÷Œ¬ÔËF¾9=‡ê
[Å
Lº3Ó"³ÚÓ£úÓ	C¸XªÉ¢Ì_æNäoÛnz˜Ÿ™²Â¸Z*Œ
+-> jb1$-grease :|V57:Gk LbZ`
+WDd2sM9ngrVkA6IV1XlsFVIM1nJup9Po/5FmNtO0OgAfrRUAiUBmY8cgMpl6V8o/
+mRKo7HprZ+kloHVuJO+XqgLnGMuJb1GPEt/Z6PV2AedrWwF8Qw
+--- kfO6xPGkAx+2canLeho9W6j7Wim/BhboAHQVPeEuDbg
+ßµdâ—>dvC¢ßGzqo*<2A>B .·éÖÌÍ£oÔö._.Ûqe¤<65>u?Œª’bÍ4<·ªÄ®ú¦õ.E–:јªã×N.›=Fuóä´Wf$¦>ø*

machines/nixos/web03/secrets/dj_gestiocof-sympa_password_file

@@ -0,0 +1,32 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA DOvwE74iP3OrmsTCdOtRzX5wzulOrKWO27V/Js2gQWk
+lelv6pqnAIMMA/q6T0M5DJjw8GduaVZSFVxafb3KRwE
+-> ssh-ed25519 QlRB9Q JaubhHgX/Td97DNgU2VjjKdHExtVg7uiBcIp7vtcBWM
+nLpFsH+Wct+fOuAiJzmb3vxg2mGNo+KP598LD7q+E0Y
+-> ssh-ed25519 r+nK/Q /eiCAg3tmw91BtrWaYw5GQ0yUgctzv7umLw5oyu+XXc
+6qH2S2w0KXh4e3VfYw1dDbsk2qHdxxFlYGxKQuqZZUM
+-> ssh-rsa krWCLQ
+KEpmxnfHmqfeB+1g6YAY3Dh49Vi0fb/St3/nm9MBC1iXXg2Z0AZwxT1mOewZEPzl
+JeQBxxtgLltU3MpkGHmOZfSbQ5fANIleRqjWX4khHtquXjYoUEgCzBbhBz4rgaRF
+aSbsu3PNEUTEJykE7eZZOc2R4K2xJoPTCvc0qXBJYNqhjg3aAZ1y+mSspf9JUQeK
+NwdLXZRNbUQ2HPYwbkXbR2/ET5YuNF9RqIrCQt1k8n0xImb0I2mTZU4ZIJMCXYDo
+38S80bY7h/mrrb8wIqXE/yqbCrANkRZLzPDTDYtoI64XqjjkkeCaQGRt/pRJHbDW
+4EXtcaLMnhLwGAvMBjzEkw
+-> ssh-ed25519 /vwQcQ WoWf+dh9BQUdhgJMCgCFHMY8I6PcaSjUbDTMO8Bpnzg
+FvBY2MZC/1aurbcs6ktYHY6pG3cAbJL4d8nylNKUqGQ
+-> ssh-ed25519 0R97PA GliGVV1/sGa033xlhcDJZGLF3xHmPrvYKhZQg0w4Qjw
+Gn61VstI2qAIDpYbolHfHBIw3cWr0JvRyVU8JnEYlE4
+-> ssh-ed25519 JGx7Ng dskA9zgaLaMbBrRXZg8hT2XpH26iwQbmtZKZVrASgkU
+zrkfE+ibw9TXgHf+3ZBZpIInwFD+bzen6RIf0yNVY+M
+-> ssh-ed25519 bUjjig 1kjn2m1NxrKCOuElJNHMWkcqPHgLGrdyFNq7k/OrLGU
+JNn72hRd39El37S4WgmEjNzI6W0R6KHnaamVbyThI1o
+-> ssh-ed25519 ZIo4kw F5vezjoWzQWToYf36Mq/diaNMTKorKIQg0UeROL2vi0
+UlgFh2h9bCrF5g2s9EuV2KZLUB1MSjWuJJ6mM3Xo+FI
+-> ssh-ed25519 9/PCvA JauUBQSUBf7AFWnY5LyuFOdyHfzBCBMR/aqnXEw/hnM
+bvBbFLDFiYE0Fk+Zh5rX+S8MD61roomfiS2LBhzJjSk
+-> ssh-ed25519 VQSaNw QnQbe+gkAk3pqQvR2YPqrdgbfSfPbMmcv+0HfABT4kA
+hAaebd4sdK/VPVpIRoQEG4XnMGyQlxjDoFF+7sb46dI
+-> 5_@^MRlh-grease 5
+50UfFPahorsv5B8WxLN4tQOZAPOrHYAJYYLsBwrKWHTCsouct/zu/ppMKIJyog
+--- gaRQJkyCTtCiG7rklroVvdPbx092c9rGUxAqktWQ8l0
+{ðP“=­ ÂÈé㠆ϣ	ôhç̹JéÕ|Bp¨”ˆòØ6<12>öŸ
Ô¾Iâƒ}‰ú:ß¹,Ð.‚hxõÛl

machines/nixos/web03/secrets/dj_gestiocof-sympa_username_file

@@ -0,0 +1,32 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA N1vsOzYsWwqsv2IeSCfqnpdIqur3+6o8oe+YbYmmNDM
+LQqUD8faNqEg21ZBYLQ2xwmfBNDk9q43lpN3Q8VWMzg
+-> ssh-ed25519 QlRB9Q O0W5sqIViqPEL7kby6l9Aj6V1N1jSKgU5+9iW4B5Ol0
+/mDHkjw93UFUFJAEEzICGeHwd9sanvMcUXU4xoKkPIs
+-> ssh-ed25519 r+nK/Q U3Pny6Va0B8QQ6hTPN0l3tPoO/qFmAVC4/2d/x/pmGw
+dpENAFOFEC+1FJHXBhc7HxPjev2KqKT8X8ayFfhLwgM
+-> ssh-rsa krWCLQ
+DBVzHje7MNBK65yLN4S9Z3G1vK4GhwZBQNqyzyNs7bGlWVIy3ZQACkT7rTmnrCCM
+uNrO6lRso+sau91e16lPkYxG5XkKfJ8APuXpVTv0d+AS5hHluYyAzY9XaA9Ie6jJ
+Q8A2IWCUF9Loj7KShu5BNWTnchgG1sIZwaOGG4tr3xn42Pvl1A4fmyIxjx+xGiiy
+d1gaaFPpk2TE6owNLZAGyOX33/Ppc+mnUcJwDqM/5O5zv7UQ2K0XSk5uvUHmVcQx
+pIsIhIOXUtQLr+/E6nNDhBGYtdlhmuNIiAdVWPlBUaowE/tpffkKRReM59G9y48U
+8z1VNrMRXhRqd7oZnRnFqQ
+-> ssh-ed25519 /vwQcQ ED5ahBRsHSt2683QUYn/SJ02hPRrbv13IMAsVJ1oyHs
+H7wDLtnHXcyGOiLTMxNWNhWDikCwvCMHXa1kDbuW66k
+-> ssh-ed25519 0R97PA xrqvY9+rjo6txooIwUERpGSnfYA93xSDByyxZK9AN0A
+fnfq2fCbO5W9ig7jMB4f24WZoyGo9h0Q2sKGhkqB2XA
+-> ssh-ed25519 JGx7Ng T831q2KWSxBKmkFkXzs7Dpr0+1M8Xi1lToOa3T7/MwE
+2cg2MBO+1lZ8fiwf8PGnS4iYK3RD6wzd1rrseLNYp68
+-> ssh-ed25519 bUjjig ZOHRk2Belx0dg9T0UsOXsfGa0HTKzy3tLuvKv1NfZW8
+A6ccwGepjkpAqe8A+1Z9QjlOhGS+pRG3hP/OSE0+iNs
+-> ssh-ed25519 ZIo4kw Pq8ZGC2qkN2mzhQgyfM2x4jslpQc234UINtXUiMGwwE
+L+zFnX+PrUsvBIluuLdd2wWmSD432mB3+jHjkZsnmq0
+-> ssh-ed25519 9/PCvA rDyI/wr6y1C/Ndi5FJQN8tvUjT3dQSRYllV6gnQX3GA
+R0YNT6e8KKVTCbv0I417S+dVhRf7DdsRzGaciuZkvio
+-> ssh-ed25519 VQSaNw uNLUKcGfx5vZA5Ds6EMHRa72JMe2UlCvAcl1sd6u2G0
+PhYZWAXLrwdUhpP+buJj2+MVOdMIr5wgAX56VXtdL2Q
+-> B-grease 5AlSmu%' B1 <W
+oM47+2XCp0HX25MMJr28IzxyzHlRW6qqqffgL1KdlIV8CVvQ
+--- R5FloNTR5d54U8LYdaPQGzvntJ+wHdSCJlX+Jcp+D6I
+±²œŒ˜óuäsò<€aÍDvžu«ÂÔÛñRÖ$ä^þ–+÷hc

machines/nixos/web03/secrets/dj_gestiojeux-secret_key_file

@@ -1,30 +1,33 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA tuq63SvMOBnLOZNkIA5RenFt0DTg6bwCX4zJ8ISYRxc
+-> ssh-ed25519 jIXfPA F2yLcxiPRV/Zcvrb+BPb9jPv/aPh8COXxPhxo9TE1jU
-B1K+kEO/JC0t2EL+2od+UiVNlzBbpRg29lsp2L1DhHw
+qjzaCR/MWWGXp8nNdli4L2dNIA9eBlcnJu/FlgTdhG0
--> ssh-ed25519 QlRB9Q r3M3DQi3xJiP+3nTpwm+2PQipnAaRyaWSH+mb0es6kE
+-> ssh-ed25519 QlRB9Q PxeXnGimZ+uJQ8mx8wxbjaTFT7Lg+SQiwhJuosetMzw
-codqvk7AgptYBRyz2BFVH0FcQ7ebZGGdJ6PJmoWWXTk
+cFJVu7TAYmxu6XYPFKY7EMLpGtHIKCjAqKzgLEyLQmE
--> ssh-ed25519 r+nK/Q Ah4Oim/N0Tdkz1KPbQiHJQaqx614/jjlMqCxtYqjBy0
+-> ssh-ed25519 r+nK/Q 3+GlYdbxFFAETjEYpOBws7H7PbapurOvKSN7xqnPkh0
-aTrlmm3TbWN6pyDEHf9uGy9H9CyyChXGKL0RZr7U3W4
++NjlS22iOmYfEfnrsxT+gWDnn+8yHY63ZvvdK/TJOrg
 -> ssh-rsa krWCLQ
-ZbbBqvj7L2XFfJBCQrn799m7FQDrFDg96Moev+Uab/U5caQoJIljMldkfD7VphEt
+kZ+QyO1l0GdBS0xSXrPlwyGgoQbWm5NWJQVPB2lhB90EPySItGVUtk7x+NYo/J08
-56dyeJ7IdKdnwyt07213ua2gZ8Cmjyffi4b0mYhHkvRI5aSmfUtfiomXU0HkgZvK
+iOKQpkRjC6mqowGaACR1+rg1CXxjEHU1I4S0AKBSjKky0eAX8QdO1WONxwhl7n7U
-rk4+AVQYXTLZKlGaq5KkTt4i0ltwzjA9ECNirciqi5JmORkUD1T41xBKCSb+7N5b
+N3u/rWnoct1CZH2Nf7Lbctu8YIns1qbKeDSWix6Wtrhf/pqj3uCtpeyT7OsihLuI
-34Z/uka+oacxt7q27GnSonyFQIm7/owS4bTWV7vxoWLoOYTJcg4Oki/Op4gE9GkK
+ZF6r6NEIaytt+f1Q5AD2Yzqzjoca+YyWvJ+hr49xuOmI+GfnUBG4h/UMUG3e4z4N
-1y4RDpdVsHcRZbi7ewB9UKbvMzH44TN5VJARUf0mFQ/OHUo5IJcm/glS898fSLu/
+V0qqHFe1MdGlOXuKDgFEIv/xygivSvzsPYNmY8h14WMoB9/el0F/gfHQNbvwHJ9p
-mrjVT6XGAmPELB8uaVhSkg
+Ulx7gg2S1kL0HNUTiJmObw
--> ssh-ed25519 /vwQcQ 2mD6dstuZmOkYlBajNevQkeCYAGWshp0h0F1TzdcJSY
+-> ssh-ed25519 /vwQcQ dWptyg0Ye4/0glS16k05kPPCapVHoC6PmzR6jeps0QM
-pzjxW+RZDSqPAHm+c5cMJZOdIfkwTmSLw2BktGh/kHk
+hU9XFJfxIPdfn9UVuFfuXIqM+pEoS4ffEKfWXjHQu14
--> ssh-ed25519 0R97PA /vOiTSDwQVYTX+tFuJD0M8Enk+4b0ViZUnrZ/WhUKiI
+-> ssh-ed25519 0R97PA s5Ezbm8HvX6Tt/AmoMmTDikVS2dbAjPqMyrzdiiTZxM
-83r35uyZ/XELwTXZXzlU1yq+xzsNTUYNwK9aGGlOSAA
+xv7Tm2zl/uNTbM3v+m0LQQ0i58DXlSLjHGaVZ0jpweU
--> ssh-ed25519 JGx7Ng V6Xnn5q1hSvWHjiWtWJAD7as5N2fdtWNKWi3JwhfYgQ
+-> ssh-ed25519 JGx7Ng 1pNyUUXwSrJQntvYkVW2sRrF5pDr2vRILVkoDHFjHik
-aL3fX67spVrgguVtNNrfJ20fy3LRaDgMZldw5D1fKuE
+4IVatk+3s0/CVIJ7LY9aXL2KJleZfgNkl/GjYy7dIsM
--> ssh-ed25519 bUjjig RdTpxQYpmEtG2Cn1EACf85/ZynfPbZhGfoSF+sfw1AA
+-> ssh-ed25519 bUjjig +7PIzrm/jY+E4HNUzMjIgiE4FHDBv6nk8eAZMWQIo2c
-YovrKYRtwRPco3luRBVA0IA1qAq1jKxoS1UdoouhLGE
+czp+K5WI02gwJxaYEt35PeJjotQSaEgU9lACDP2Vpbs
--> ssh-ed25519 VQSaNw F4hYo2UaLzV8leVHx/oY9aIcZkZ9Fap5HiuTvZy+Hko
+-> ssh-ed25519 ZIo4kw 9gwIlnLlz4OY9g4luxUyyyraGhnPdbM48sbr6wuwlB8
-Qwf9JDKqLXmIzId7gAtG5ERirfwZlQWCV6YiKgbexS4
+iBy0YahwFT0vmtgKkqcefPeSlqsadbBdbEYxlkf2vwg
--> v>[->`-grease O {|u& 2o9 {w&!Ev
+-> ssh-ed25519 9/PCvA W12k1RPHDQ1zeb9wizqpMWRZSPasgYrz8vtj8MKp/gk
-jZPBNd6e20KQYli80kXK9D+qfmIVbOw9Y0aKXB3uvyNJPWDOoYTbzanjeXLuJdN+
+5Zc6Dv5zMyVJElOg24HHV6V9Akh5kqVnXMEX+IjCXDU
-pB/fgMX7znIg+VP87n2qMR5jFVj/x4g4vNgKTUtglw
+-> ssh-ed25519 VQSaNw SM2x7ZYYZNPlAh/S0lSAjE3IxkB7pW4x9T1gG0vEUVw
---- j4kt4DFy3r3y6IMvNakNkmlkeb6iHYI5xAK8CZtbPD4
+c213+J+1MSZ6BhfVEJ6byDnmp5sKiES9IAztwr0iklM
-EWS¦|p^/<2F> Ž?„<7F>Np%‚åeFU/>Ží¸0bccývr(ˆ‰Œº
+-> DAAZlx-grease h<2eB& -1f =2 HOG=-\
-“.èýVŸdgðáADZ3"® ‡Ù(½\5Ó§q<
+8u0unS6HmifDJwOyG9rSF0a+b2pWzS4CeMpTHUDta0g5CaYgsieEgJUeu7hYylNm
+znqrgJwnSK90Vu46/H+HMEgHwch1uQ
+--- 6sVHaqhrf5bqLXtxsoBPr2DkLpKThpQ8RS6fCpsXj0E
+#Ä]\<5C>â‰<1F>r˜]Õ"\èâÓŸ$"Ï. ‡Œw?c}¤	kÄA,¹ú£²5vOEÄ$a&­T!^
RtYLð—r¨­âg—`eí

machines/nixos/web03/secrets/dj_interludes-email_host_password_file

@@ -1,29 +1,32 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA iJSzsbA8RiEhUIyhlKWCASQKoSQstjK4drMYl+PsChw
+-> ssh-ed25519 jIXfPA MalSvW8Rf+B1R6BeJyhFjOTg3Jf8qIJGfzCX3Ixg7hQ
-8THrknrBu0WGFEb4xTZiJxEY26q7sW83rwViDjyTE24
+qD2S/IjS3QIc9HWLn0S/S1RwJOBuRiJQXC0b8UV8TrA
--> ssh-ed25519 QlRB9Q e7PRE212Ggt8nO6Bb+BabO85FOARsJGs9cPJmZNI9kg
+-> ssh-ed25519 QlRB9Q 9Bp5jDt8gLP59UH9kbM+h92iWeQAt3zazFfmLFIFc3Y
-ubKIBxI1ZBXttA7TWj401siKNT1HyB+N2MsZ+ldkgb8
+iDbCd+T4rDMKugKzBj4H6atB2BW4AiY3r0/buleJNKo
--> ssh-ed25519 r+nK/Q EWV24Emm9hENa+yUAuQpkuJ0uJ0zIv+vRIbWpM4Wtg4
+-> ssh-ed25519 r+nK/Q 84V4RkvqJsdGbjt1n3qMsCwSDfQSw+kn9XMFgcEnmTU
-J59wnHRytgNqpX4+5HaJ9KZ5GvhckgtRK6TzfX7Ci8Y
+hemc6TuwlJftBmdJZfBYjzklac3nf9Hz9kVhTP7gSKE
 -> ssh-rsa krWCLQ
-AvmrzShR+XTpUpKaScoqvgFQ40PTSqh8p383p98xjG5LIz5kqJoWBnxJK7JabBpq
+sF5eSqFt831fEF9C/orPPNIlUivKn2M7PdYEBvTK2TUjdm+MCbEcKcP5nvFZo791
-JkqVeq5XdH5RX4weobieG4KYUV8EDheLfOMXH5BrPgeJO4yhJ1rzH+oHBw4TwvFM
+tc1BPul9V2MYBrtioOII5wQX1LhZirEMAWanknJezTKxMZ4CzI1mn72TETH9Td+a
-UvEZEAVgi3G1/suPfJAkO7QRkZjE7fRppEo5RAI0gMlM43YyJavrfqVIqB40Uugk
+so/JqUsdbjfjIlUlffNrgCZEycu2s6Do5LA7GC7vf3SEFUVM/93cujz9Ei6/rAKr
-h0b0ybChUbKpXlZjqhYAAMN45jTAvW1emO0DMeIk6dbmnbZNdibul8f+NNdWKbI1
+rtW6wHbs+k4HKSD6sU9RHyTYKxIW6Hammy4XVDO23/HtmN/a0LEe3OwUgFXsjBay
-9NN5iH2IzuqTdc6gkE4912hdDeUJ4NZ6x/Fxp1/u3d1z/Yg7daUQUXUIoDX0Hyvb
+tQu8pPeLKsBCMAw+jCYQ2Ms+d5MXT6FfcsWf35rsCwiEwqzhe+J88ECiSL0BF/Gb
-+01dH0D/7kzRhEdNLO2NXA
+hyJrWFaaHPugqwSREv8bjQ
--> ssh-ed25519 /vwQcQ GAsAj2i65KDQeFhe69YR2ycdGskop1wu3Lzrxp59sTg
+-> ssh-ed25519 /vwQcQ qByuoq9zsn0tfcWzAlO2GKqCH4UfeaUloOAxIGYvABQ
-wCSUqEtWv0i6sNg1RVtHI/jZh3VeNX3qtnbagXoNGT4
+pY+N5rw/tmFNhJsfHaPY332wJ33tKREbip0CoTBqTT8
--> ssh-ed25519 0R97PA mFZ3q/3jd1guXl8bhRWyYjgsgE4JErJEels6vdmpfCs
+-> ssh-ed25519 0R97PA 5fvujKG6IoKXlhRZGN2XcuN0BopvZyNyCnvJvF56iBc
-7oIAT0MTsaKxbf26PSDBk7KqfyFgcBq09FGJ9v/rXqE
+2gGNHuDK3sveihZ8RBg16bnaZsPtA41Sg12UDpecSwg
--> ssh-ed25519 JGx7Ng tpslfMWMJMUH46EGycbLiXotVdXlP4xmK0slb7XKYS8
+-> ssh-ed25519 JGx7Ng d0sn0he1kbivcUImnwrGpRnIOfTnbJiTIRKMINV1/CQ
-wLLfX4jX4mIxzI8zr2GBlpBcPztTrHqKngi/ON0TExg
+hsMMKBFKNMLJb+vH3o0WQcX5lRmuHziRXd6dxCJGsMA
--> ssh-ed25519 bUjjig zLoniLfwKGH9Ctu34103WHBvjIyImtPyKx8O+5UMLUU
+-> ssh-ed25519 bUjjig hhEbxz4nar2tCF9/kNlpxI9ONR1IQ4VD9yHoryuxfH4
-sYsterVGvCg6JWA0z3AO5sSlj9DBfj8u5o5jH9K2xeA
+UnEDFZnge5U1ZUR0U1C8OI2xzUYiiloLG5XsITc6is0
--> ssh-ed25519 VQSaNw oHzU9Lc/7p+MZAjVylzC63h586vOcffXkkpAi4XB8Q0
+-> ssh-ed25519 ZIo4kw +ZqTM7fJr4a3DZr07ZvfZzFf/7b+f4dlYzBxx3Rl0hQ
-7T8CREpaCxM58KMYW28FY2i+ELjrx3eC3K7xaBy7O6A
+cS/FV6ZahQn6kro/UPpuvolvBL5H5RuBWO7XnK9XHPg
--> (_o61>U-grease .P>ZRrj~ -=7S;N
+-> ssh-ed25519 9/PCvA cJBd7PxCMTilzWSf/RuNeRa3vfMcIuTp5dQULJfrO24
-6vnQVKKZwp4JowIwVb4klrhaR6NZjwlZYnngVQ0wqVenMZPj9oyhIXthLRqE1Q6/
+OXL9Y6nvopL4LlXvSZnHY9O00iU8dqRPIIdYqYreFCY
-k+sGxA
+-> ssh-ed25519 VQSaNw GEQDTjuE+hOu+DNzZsKq8R/sJs77N6NRq/2vfcZmJjI
---- +yT0o8oZJS+32MeUAl8T9zREh31rq77pSVsSoFjHO5A
+Rz6bW6UE4Wwh1v765YVBltRVf5/zo6sJKquqEjCx/cg
-è™ñΗ´ä!î^ûØÖ8Ô‚zøÑaÒÓÐàÔ@Ö¡s\ ˜_ÃÃúoÖö<C396>wõÖ¥Cr)¾€fû¿AÃ'•3D€â
+-> P-grease !}P4V B O'Lk,
+/uJ6ZehJVzp6mQ
+--- Cqqr/cLuPZ+c4ODhL+so5Cok6ACXhXBhqfcDtHPvBms
+¦„,l¡ØÒ©Nwä϶™ŠD’B&_	Çìgµ­@¨¶ÌÏ"#/
ÛD³-Šp¬ý $€ø»ÓFª~„AÌ£<C38C>7

machines/nixos/web03/secrets/secrets.nix

@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: EUPL-1.2
 
-(import ../../../../keys).mkSecrets
+(import ../../../../keys.nix).mkSecrets
   [ "web03" ]
   [
     # List of secrets for web03
@@ -13,10 +13,15 @@
     "dj_ernestophone-password_file"
     "dj_ernestophone-admins_file"
     "dj_gestiobds-secret_key_file"
+    "dj_gestiobds-sympa_password_file"
+    "dj_gestiobds-sympa_username_file"
     "dj_gestiocof-secret_key_file"
+    "dj_gestiocof-sympa_password_file"
+    "dj_gestiocof-sympa_username_file"
     "dj_gestiocof-hcaptcha_secret_file"
     "dj_gestiocof-hcaptcha_sitekey_file"
     "dj_gestiocof-kfetopen_token_file"
+    "dj_gestiocof-email_host_file"
     "dj_gestiojeux-secret_key_file"
     "dj_interludes-email_host_password_file"
     "dj_interludes-secret_key_file"

machines/nixos/web03/secrets/webhook-annuaire_token

@@ -1,29 +1,33 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA NovhLzllQnEbnI7bno+zDoSRFJyZMfVVYPQMReUIymw
+-> ssh-ed25519 jIXfPA XTwwas0xEtuVCH9RLjor/7sJi+eFgIf8hVP0qLr2RnU
-sefGtZ8fbYVqtKgMhrEj9AlwP70YM5MGkQ+o8Dmfb/Q
+aDsqnVAMo0W/Wshq+fSIv1OLZ9zd5zJURryZUJj5dTI
--> ssh-ed25519 QlRB9Q 9mh3vQVo5tPorLYBVCcZUJOlcEftQKA94PxNhh+pDwg
+-> ssh-ed25519 QlRB9Q TQ8Hbjhf+bp5m1NmO4FGkGyLRyK1jaAHY6CEbpjq81A
-GXM67qitYqnxbFoHbsfa1lNNLIahPqshosIY7h0fDBA
+/VdXs19yIAoEx3tW4lrASII5kB7YSSeTv06oWJDhnPk
--> ssh-ed25519 r+nK/Q BOXck7k9AH+KvmoicI/fmGzWcna0nwnJ+uyteUjIukE
+-> ssh-ed25519 r+nK/Q hzJ+Uxo7qJH/f7XXjbkqNS1MwD4bHnsWIw49C1El+X0
-Hyts1/6EAdruuBilhifl/HwPTWEBe+Kr1RL6SDjHaaM
+PJLFt1iOqVvkfcVF6bjvi4dtyLP19s8ZRo1oLqwwFak
 -> ssh-rsa krWCLQ
-1ROqUHCkbkEgRTQUha0cVJVAqLu0nvfKik9yI392sbEQYgmpuf7F0gzA97BXcoi3
+Or3oEfiA3iiI/GxfXYY7O025VplXwrknsycRvRtbyiZk8WQjmEibTXierciTlbX5
-2BdZWu/cJ6m6bfMvXdZ04cUjRcNrnpPHsoqie3G9s9p6aa9XIrLO5K6kH7S6f5DZ
+SIob012w8/T4tRcNJMliciTi+BeAn9W3Mwx9qnE02yoP6WyPmTT2BzoV34XCMUlz
-pZdOqfSYldtJKRx7F8k0D/pscN5qB1Tb1x0CIULJVo7uKf9X1MnZwapOOCY2q40U
+LXuDOPSX2R2YURNCM06d7ksI3ruK4bHODdSPcAqedC5no2Jr8dE7TviZRFSvLB1i
-Ip2aefr40h3EO7jBlswx2/fB8aqW95BR4JQzJZ/uiIsBUQDqvn39GU7R0JaLdAPB
+7nuqH16BOCgvraiLInskpkHdA3kC642b0ZUcPfrfS4OX+6vAtDrx5FPUkIl2sExF
-6kJXaJ3ORaDDtslcaAVZWLqFbOlINXYHr/mqYNTZMubE4BmNjvJL3aRozQQWraoJ
+FdNe7YTN331RdMba0aoHgfyJHZ3omSE+XRa6Cxxm/gSUxdC3LugPSXYShJr1JNB8
-q5rDvgwUXVhpGpcaNf4/xw
+ZV3SbIOKzx7of59TDA97lg
--> ssh-ed25519 /vwQcQ FHYnfCad1imFiV5tRIfe9mtJ2ouiu2l19th2UD7j3gw
+-> ssh-ed25519 /vwQcQ fwtC63XD7Lv9FF++QkKpahHyuXDVoZ27CmFzIgQfDDM
-Xu+Sk9GEQ9Wyf7iU790yxv80vLYHp2StArPkfRqfRhI
+eDwbjI9To+wcybm//jFt7BZqLpaKm0O+Jw1bHHp41ZQ
--> ssh-ed25519 0R97PA etwCsiGmvzufJGMw8aDN+M931lPlE9fTUBQmk0X4DFk
+-> ssh-ed25519 0R97PA 4DFNn1jL86Cul2LsdUZHTpGUxjRZDsdFerYVM6sK7DU
-o6xJbfNjQ3Lko1MSJ9JBu6FefZ8267dZ+vL1Gpd1eH8
+rjOsKCuw8iQdSehoZiSNau9IpwA4bH2sacYwIJ3b6DI
--> ssh-ed25519 JGx7Ng h0XzejD/c5F2M7sWS4vTQL9OoRG73ACwlWCtK51Dcyo
+-> ssh-ed25519 JGx7Ng MCchgB9GKJ4nDKo6Evgy0TKQlO/gUXYxSgudvRwiuA0
-diMDy201IpwL6Ec+Zb4pH5f1yyMOMHT3jg6yriopCRU
+9NeUUtq7N3Bm8F8dxK7BJISOBHF5lQ2Dt+VHwWPTyhY
--> ssh-ed25519 bUjjig 2Oh5FhWfrbA9c5TisXuxasyYF41YOlNdurZR9QowETA
+-> ssh-ed25519 bUjjig 4Q4vFKZ346x4Ge1YFHavHYoAmPAtHAdgwo5YJIy9yCQ
-706/MLiPT9+9xHZPZQYtvKm8zbN5qS/9XJ+TK15etIs
+p+PATQkqC/RYZ8EGOd12QZ+Bew7XllfexjcMY3vJw0U
--> ssh-ed25519 VQSaNw YbtnCoySon7jNBq7IFOl8UfxuJXRjzLrgXp238q4RRE
+-> ssh-ed25519 ZIo4kw UncHT8lpi7qXA8L7d05xlhXVMr9SRuihu8QN9DCtT2Q
-10au0QwFP9ntPMU4u2bMl3KLYBIPy09xVoKNLxWvpw0
+MnKuPXpE8S1dtKUVwMVjN4a2tu/2z3u9efuwjoeuEg0
--> Vu-grease !oqb p1-QmV
+-> ssh-ed25519 9/PCvA fK05xfaZacnYx2OYjWXbHebbC8xECKZbpqEBouNMtWo
-i1WmaOmxmdAX/se60fnUL41n57c8tN1gnUjjBjSV7GkQGzhKnxTplJTUpifP9Js3
+9mdTdeF8IAMfO+0re7ijiFnUP5WPKxPrjfBttBkJ5xI
-8D+xe86sN2l2JQ5R9QFOAbsvSa5eXSo
+-> ssh-ed25519 VQSaNw BIeE2LriKTvcixgno6bVAJvNRyZZPLB+JrjQh2PojxI
---- JE+yvBRH9Jz6Sdz46AzWuhVI0kXWObODKSiNWz5L9As
+cK2+6Z1/x3XeXUB07Ciww+s6UOW60JvYcXaATa+lUpk
-_n´(I	6ÔÃPèCa\³U¼=é@ “†?6—P[Tò³ñˆjk<6A>0ãrÒ…°“ƒ¼-É(]/³a¿É
õ8¶=é¤i²<69>
+-> PA`a-grease .[V<@M%r 5&?aJO
+DCL6YRyrFvIFK0DO+xBMeRBN+rEmW5lc9/a5A7XUAU8fciat
+--- r+lRXC3t5YAvRG+j/CGedfTfBWfqjywQWWSasBzWxD0
+Ö"ä2
“â I¼Éi$-…
+ÏܾÅëžN×6>è4!!pxµØ‹¸‡“=žÀ^Ì<>›òåHÀÖ<C380>¬•ÇÌv
ÓÀÞÇ­ù×

machines/nixos/web03/secrets/webhook-bocal_token

@@ -1,29 +1,33 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA Ju7YL9wvvYr9VPLmYtYTniyuj9JTVqe2V8eRLISkIH8
+-> ssh-ed25519 jIXfPA 08egVQc7ktR2MhlymKTW0HdWc2mus8aJSn2Xb6Hp6Qk
-EJjZPLOhspyyrx7a+fYlPPH+1pr93KzW7E2Ztkic0cY
+R/2uk//Fhe2NA7oJeqIn/5HFvzaA28ASSXdfBSTqWlg
--> ssh-ed25519 QlRB9Q X+TAfiEk1d67rkz6CgIO66bBrahY39ZTnmj0cBGGrSo
+-> ssh-ed25519 QlRB9Q 7m1UsjXtZNrepWj5We+EUorSRsI1Deo8ZtcB7LtbmkI
-kBLFu6DnN7rIzP3mSlPEc+yBN+yU5toLeA069vuNW6g
+ysD6OEWgWxr39cn4WekqCRoKd8NshmbQUxh0nFLA49Q
--> ssh-ed25519 r+nK/Q wcXXCuAS9bOp3GM6c0pU7sxpylFEHFPmnibQTEwJ1x4
+-> ssh-ed25519 r+nK/Q +ge9YK6GUu6Q0MT95hZ26Uu6If2P77zdSHFHebxrxV4
-fR41b7fhZCzuNP1jst3vx3wUjIkBDsz54VzubwNX6+M
+cbNRLgoJA0ThRVdHDoR4wVZaO/GEI/2NnR1fNNtZN5E
 -> ssh-rsa krWCLQ
-ySG+OgB3gMW/ijdWqlGr1LnkfqeFD53ChxkOUfAe4+Z1VsK0FkVaBmqvW38SFMw9
+H6+NdcBX/Jk+r/BhWkomBGraoZdlO6D3rpSaq/lkgLf30bRwOEmdaNYD79XaWY9B
-S4dcOkO6Km8umsaZBZi2QaItm+p8Rf/j7+W2WZPoyoKE1l1KW1ic/wGOY7uqeucn
+YT10dGtON5v1/8GuPSWup4SUDjFoSw/hiEerxApWPQiccrC5roTnCKQ8U2glOd5d
-YZRq7rWX+DaH2VLbkl12wUlVgYwJGcH6VrpRizbq2z0jcdTak6hgzcXo7WhcNAit
+6GKu+ZvyvsW3vu20JMrDirzR0dxVM6UuHNoKyFur+uF2Ldwmsj5K4x+KK2oQgPu2
-DY8W8X5Zv34mpj1VO7n2LJs5V7gzfSLq+KVMIi++QphVv2VkFpvaOqlEP2neVXnV
+M+31AyyI1SxuBW+Ud29mCN4Wo0fi4qZ8+mkyHSUMjRa6oQP1sZ53NIhrjS3A5uB/
-C3YNJTkVx+R6wANCao+9a5VHC261Bkm81dKgzceW2OCHkwOP6XTbDpj59sMRxRuU
+egLfTwlrzXbHvJ2SGwD4DY8ifZSHaN/mca7OTtQjAlhMRS9DCGE1CkKH31lrGd6X
-B7jrvre5S1WZN9jc16Dv/Q
+0JNBnULyuy/rha3TcMTMtA
--> ssh-ed25519 /vwQcQ TW560PIrbJV3ZB55w+EvH2PEYOoYM93x3aaeeShYKE8
+-> ssh-ed25519 /vwQcQ xLMRHBPx6fODmXha0Sy+vJQf1deTQXryBguot3WVh2M
-LC6pydBK3yCq/Vs7MUoa0xjDSn3WjRaZuqwvhX24YJQ
+dUgdi70Lsr1rIiotYqQ0c96j3EfRkQOafKY2RrhidB8
--> ssh-ed25519 0R97PA zyerO6EIwW90XVSBVP3Y/7Q8hK+7uPe6kKENGCdDJRw
+-> ssh-ed25519 0R97PA w+hdiOdbnrWnn9tFsF6L6mZ1///cV6XoMjWtYXyKnQ8
-WEpgo8Y64YXnat1OJU5qtpecf+Zu2P2LmB7DEtmUuAU
+1at9SRvM5Sbu5iSYEFbYbXVoto1LMW1EzEdsJSWpwY0
--> ssh-ed25519 JGx7Ng 7h4q8ztQ0BFJSfavV4l1pKjbNRZveOPIJG0KF98vh28
+-> ssh-ed25519 JGx7Ng o/cdIVdkjzIAHw625tEfw7hTaQGo0vki+qdIL+CYz0c
-mYcUEL4n2+bkjpvJylIvzXSxoa71YZKMSgN21ONnvko
+Vocwm0geOXTk0H5WrBYMDZcUNk8n/8VNdW8x6dMl2cM
--> ssh-ed25519 bUjjig 9wKWtLWD+9LlAOO24iQiOdvpSDIWpL6Xo0Wt3QOLIQY
+-> ssh-ed25519 bUjjig 5OBdUl4Arg1wZJKQdWh3V/KNZV6qUGsAO1a2v99Q0nA
-Kq2QLFB7E5tiqZQlsn5pZRM52v8XqUyYsvwNHXZspRs
+aCrZaE35dXkQlagPSaDWss+IkIwPif1/r6bfZz3TNrA
--> ssh-ed25519 VQSaNw 3tJNtvi0WK9iAzx3Q7Q0Ogj1TGH0Zrm5v0ERhQILBVk
+-> ssh-ed25519 ZIo4kw 3OQoo8uI2P00UlbjnIvFEIvQoWGKGyHU3LGXw+sXBwc
-4232/j+xnbhQpId7ZS6+xAQBDxtumeOp4c1HVeMRqB4
+A46XyfquPbtbK8BGPp0hKgCWuoGCeYeDxVqYkD7tdyw
--> Pug13&(-grease 'w0JG}JF .t`9lMF v)8}4qW
+-> ssh-ed25519 9/PCvA I0FpL5vPxf7U093O+NY6CJJrCHnpuY0hFWvf/qJK+Qs
-yRriwE//abKvQgu962F7URbOAiHDFMipnsq22itGkLDvmwIRY6Bi83xOzx72EV4y
+vcl4vxnuO1iLHinvmiOM/gkjZjRVabrQvEqY1cSog6M
-27GNdxQOni+z8NPt0YTskqq4fHfZky/EMFUvXTfteB7izYxEliHLRKA
+-> ssh-ed25519 VQSaNw ff4SovgItjAFXti6SvyObcPDmk5NeTlAoavPL/Wnlyo
---- JNvexaDwzwOIUCxanJRLunfhBh1/PE8ssFCytr8nPjo
+QO4PFFxL+W9kFo6vFa1ttc7bZeqRzqSmETeDnwhh2jo
-TX¹Þ‚xòšd˜~KS?ìIò…C
eþ—3ÑJõ	¹ŸýCíÓF6qœv~Dùq¢T<>©55€bjˆf›Õ5”ñëã"ø£ÅŽp
+-> k-grease
+abx9DzQh9Vg7jjvbeTQkJ3HgHRgTKe4cKX26LTeRpAkJh3Su83UnhBYaa8f1LE4V
+lqwHbpD3EZ43lmqKZN7MIEU4S4DV
+--- rb95jJQm1T4fp8BBYzzcszoX5UZX/e8LdTPzK1EdSX0
+ö©ê{–UŸ<55>$s<>sQiWh"<22>çKkiº-èdšÇ|2nIõ’ØZæG¯¾´<C2BE>{<7B>/ÛÏîxž
ÒÇ·e\‡Ó£ò›

machines/nixos/web03/secrets/webhook-ernestophone_token

@@ -1,30 +1,33 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA Ifc4K8jusXCbeMSYeAL+3jdvmDK1ojYiSzHJO/uefzk
+-> ssh-ed25519 jIXfPA 16vr8JKVz+RF5XzpDk1oV4YxkFCzWwo3mTOBI2VFfS0
-h5ewdTYV3o8+tPCzVWvLtqEM3WxVjtOqTRnrFAwKnes
+ianzE2kl4JWoueI2m/HuxdoVkf2rjFIQc4rv/VuhEQo
--> ssh-ed25519 QlRB9Q djvVFcR5y+WI5+rED8ztIQZuLfCj2z8wHx3WIutlfjk
+-> ssh-ed25519 QlRB9Q l5GoSxEDfUk5mkPf0zNrA91WUEjxfFVpAkfjS/niIE0
-nsTUZEQRJAAZfNXw2YbzwV+RUJEx6Dmi0ujswMBqIro
+EEE73Rbula4xHZqMiirGjtoiB2mziOLBUm9+4KCdev8
--> ssh-ed25519 r+nK/Q Ryx2iuVCefSFFMEyRjVbKFxTqaX6D+Ty4B1+6mRLSCg
+-> ssh-ed25519 r+nK/Q 98sEpNMpoczfjW2l2yr9jJOc1VepL7Pk+TjJ6hFbkx0
-s7YjJa6NESaNZ9wzurlrsovu5ecJNnWLOhD80RnFqV4
+gpmp+Osr+idHXklG7gqVd61XMyOmuC7NxWWzXbbqOfc
 -> ssh-rsa krWCLQ
-utXBcdyAmbl463xcacn1+K9UyG78vKG9LW1vJ/q40ltqEsuxktP2C5YgBL2Whcld
+jQixiivph6yAlVzUE+Ir6rinwMo5R+2e16I2JS1xF8JNxu4/oYIwc80nsLhmf66t
-UYTsNFa3b02HP1wp0fPP4eVyk0NNKqO1rairMAvLJmQk15s0OVCk7LvjZe+Q31m1
+uGrYg3SqQq9r9OajpxKsIO9JuzuJLJWpMjh3Lk+hu149RXFgIfwzuYk9vUZpwRxW
-gYxBSuN4oy7gljtOlIfrHtcRqDMC5IToYSt91pwt/0wgkHDH1OcLap8jaQIuPdc1
+d7aJTLa00MoIlTQ+AyZgSLPtBp8WX7Mcem6ZMDAgyP4BxEJO56bIDS9Qp2x7eCif
-pQqd6iUTF96kvvp1P6XbvOHH3nVLNw/bITR5BUSqm/YBocJBrDNIL2wXcq27bBMs
+XRdUIw6HjvEFTzhQKBqUFNNFITbNNkg+d3k/PhxtGkuc8XSEroiNpEUJoGckIu5R
-YqF2nykztoSss+YM40XnHx14wNU0WeocbSYuPKabKvtgV0ry62w+EW5t453TfMng
++vZrJpBGuZ7o7TOj22WhH0+Kr6J4Jl3T8aSFzUxg6NL8HgYCnPle1EAHpsPXZYcJ
-y0dYmBdXVTKgCyL2v/onlA
+q9Bi08TiS1JW1th7O9+6Sw
--> ssh-ed25519 /vwQcQ tax06kUoYtjoUZ8k0+2L0cBr9CTpZpWd5Ev1qRh4dWM
+-> ssh-ed25519 /vwQcQ Q+8UC629ZU+37zcq5SF7qS7biRDWda++Bh3G61sj+zU
-x2RYQ+53UJnBXz8plzYrpga9JCWgm+WvkjpGg+CpG8M
+amTcoqlY/Ip7vLw1NNsUZs5KMb9sVAlDlcadgm3oaOg
--> ssh-ed25519 0R97PA DoPbx9NVAHTe6NRxT50nwdStoUJRnATQDEKgIyq2hhA
+-> ssh-ed25519 0R97PA Ysgil3FnJTdr+kbc/WnkqMyX6gWTYyeIvOZl7br3rCE
-6DUg7uQ9L80KzaMJi6h/Nm5EgtLlAI+R01Mke9GpyzQ
+oaJ+LtabA60dp78KNyg7jrYXvG9mzqSIoDuaf1zM6Z8
--> ssh-ed25519 JGx7Ng AG1PM5MB2TlfZoiF29gu01LqhcQ+rEQRQZHFVxdHYG8
+-> ssh-ed25519 JGx7Ng GzD1qZ8quTyBQk8/rwTu9BKULhVU3FF/z5YAfzKSQHQ
-ePz8kT+axuMZe8MKi1Yj+ZOCITIYjVAuRE2iTScgpyY
+OpdNcQwWY+ky4VUZqsP/DonDpT6Kmxug72BvwHwVAx0
--> ssh-ed25519 bUjjig SgZgUi5qfE8wK54Mj8P/FJ4QPNs4HUV5qPc9jJTskmY
+-> ssh-ed25519 bUjjig 87s2MhD6NkK8eV5hww4ylMyew12IGaOEes8o1xUbZX4
-n/fedObFehvhLwd3uhkhfBamFpjZDVK7M1J67BucoPI
+WAaALYovgjW7iYLB7itFysR7clZGoK7cVWJSLCTSttM
--> ssh-ed25519 VQSaNw a+SLVFR9PqKgyHfAPTjH4SGkp4XXjz6xz6uMjZgYOg0
+-> ssh-ed25519 ZIo4kw MEAFHWzbBdah28L7NsQzwfCPuXIc0wjjXjj0/+bmnyA
-hv5F5ENsfpU27opx8OT4mvL0waGO+AieG/VXvHNi2hg
+WdcddcNr4+36q+nK7Y3ye9VTcK2U1rZ+02/zCaqY/IQ
--> g**u4-grease Fb|HQ E
+-> ssh-ed25519 9/PCvA hUkZ64AD3UwIIe8w5wjQwedCtm5F6o93+wcr0ahZDDY
-FcQESlzpmCxDtrbCZhddPdNjVROYKj2XsOppqa2GPZsWqQH8cFfKzxjwlNlE7WNF
+u/HyNw2RwdR24d7u1QF3IQrFJoUCafGZIPZoHd2QhIg
-Q3xupVqn8H1Cg98i
+-> ssh-ed25519 VQSaNw SY3/Zld3DWCnJfwtANjFRF0Ouxj/6qY/p1Y479zdIhs
---- lYBZVJ4DEtBmKhenHOOkQpuPT7TrGGgN1OmTrfCTtY4
+WkVhwibatw01SNLcvnxvBgGkFlPhAp/fYgX27VqRnRU
-Žy[§—‘ÀÒh{`Z³öNŠx/ùºóSyFú£–ç
+-> uE9hj_n-grease &Ys xCJnv#]: cc@Br M^KC|v%
-+‚¨Õr:¶úÀcJ¸L˜b¿M‹ô™w<E284A2>n+™õœ"§¢—|w¼¯¬kµ*
+gsudKgvjsE6HDhMQ/mGXUSL38bKXvszMenPLcr6TvDTqzU7AA7fXn3Ct3bg6y4NU
+sfaWT2F8M8bJvg
+--- m5R+t6PYaGOTy18NgUIJRBVev6HpIYd2GfM1yvLFlMg
+/•éöÀ<C3B6> )ÏœëN®=è´š¸¼`gϼ‡Jx€	†ë—k.‰H´I˜d[ßÐtWyšÓ£,!E^«²âŸg'v†ŒT™ç'›‡ÉàfÇ2

machines/nixos/web03/secrets/webhook-gestiocof_token

@@ -1,29 +1,32 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA KrKFEp6rV9xfBHAj9NeHKI0eIECjogKMyeClTaBipG0
+-> ssh-ed25519 jIXfPA Em7PnBEyb7D0d6/kWwsDh4J1W+/dyUiT7FvAupHaP24
-1fxm8PtMPXJTMM7NDiTKuoFp2J+tBQxI85MgifdISho
+BX8kyVQdJqUJmLcUL23sl626U9ab75/r5NTI7v/o7ns
--> ssh-ed25519 QlRB9Q 97pPLWOIzOee8ZAjZil29PvzCM3dUXobZErfN4/gzX0
+-> ssh-ed25519 QlRB9Q 1nP4tTHiXVFeE92o+Nzr79o71QR+81+7ovrJLrB58xM
-UEL1QdbywRgxnMZo78/olkvV4658ezc4yG6MuISGUbY
+EMCQMNZ5ca/yPPQHdFl0vTARpaPmI4xUA9SKENq/dfU
--> ssh-ed25519 r+nK/Q DbBaSui7qk1+umFZpaLXp7BRxncPqz4z8ClFQc7m11o
+-> ssh-ed25519 r+nK/Q 5uzQKWNt43S2mM5akwtXnYkSr02zerem1+fGI9fdITY
-DwqwK/5pCUN/mFH9wK/lv5AFWyoMmAUUntNpGu14UEI
+BRSdgM253ZQkcuWXniiQIi8J/xLeE2pRyDd1o9CY240
 -> ssh-rsa krWCLQ
-0DqUVAzJiRi9UyttiwNWBU/bJ2j0CEn4iYa8+k+WFqtHZEPnVPKivmHSsafaaVul
+A/anGDlkTsIChZfwcpsuAV8Q99L9eu8uMkFwJzQOpB3hPExG4v0fkvj5jt2LMKuP
-uZRdx8HsBCXQW7O5YGXGtkedmJhwDGM8JV/PaeQhr3yYQj/x+3oiEiwqOHiXKxHf
+rYr8TrvzfyXOx4FQwpL3IrtDMKNSu6TJ6/QvcnWO4AnGrmPUrAuZsR8xKgRkMSMY
-K/MGXtaUlzy88bfVmVXUbxVlUXcjANS19ofvzsUa80ru45iQnjPDAxrVBdmu3AvK
+FG31ttlx0d6tdmDh3jixSEMe534L7wvPaOST1Kf9yWOygkvIqNaOK4Xatn0IFYHP
-1yxmQqu0fwnfQEuBQcQq3ORlqhUlRNgcQbS/WMiB9iEavtMj0ZP8aqG39RaFlL1D
+N7x6fP6ZOcMl7va+os3Y9+nZaF4aeYBmHkno5Wkkn9zLZlHCqm6+yDpEt4WkVbcN
-jfRqrliV9ihhGfa846lv/Py3NQ7pY2DFilLwYG7DUSLqDrDFuABRl9uGbsZeNNGm
+JveVujdOjnoRtvMrY4UoGnAjc1QCuKx2ZHr6AidI0DkWi2+wzD57+IfBj4J3UYB2
-iB5IXoTfd1NwzKWlo9oAag
+xmPmL7tfF+x9k8FMSwDTyw
--> ssh-ed25519 /vwQcQ +Bi7L49XCBFV07IXoNh5bjqg40J3rxTw8HXNDyOyPUI
+-> ssh-ed25519 /vwQcQ MirX6UYf7Iwa694voS8+pzsjoe0x1f2q0+0wTRC8gXU
-4ZnfgVVKZa2LLXPgD/Aokg/CYa3Ekv9r+F1HEefGJ+c
+dOT4g7oXOsT1zjivLSYFCrd4kRGPlSHU26EOdSZkgyM
--> ssh-ed25519 0R97PA BD4To9vKcK9/N+SsNR47XRAEGgYtQpLjxB9uHx3upmw
+-> ssh-ed25519 0R97PA tNB090+u+BXCoEDk5WL7cPWNp90GS9RCs/q+uc4+Amw
-KCXt2U0wbt+YAkMbyg8IiqxSEb4PqYqcF/Eyccp+/Ss
+6inQex3VDvpQeA4eWurcTudLzzevgtSrK8BkbS/bbrc
--> ssh-ed25519 JGx7Ng jMBazI26/KI/SnoaW9RenfkfaaXVoC7fAzOE5ag5yik
+-> ssh-ed25519 JGx7Ng rI1hOmcgwYEHc61WASstR28qNR6DZL7Lm0TUZPgFJAc
-V5roh9mLqwu8U7xa8uDjE5FvJ0f9oGBZvcc8Sq95c/g
+YoJaPh59Bgh4LqLmKOaUkx6QFLFUo6nGjS9OAiDXPOE
--> ssh-ed25519 bUjjig c+j4yAZbc79z8PY2mh3YKBb1Ufx5o+6mEZfBKFqx3BY
+-> ssh-ed25519 bUjjig gO2MExeoxESQu0UdE4Fa/fFIs7g2RybBOyhOc34tNGA
-b70Yqth6WlEHCE5IayJdIOjw0LwvKRKtOAtqKKWsbcs
+0dt92qCh9fBjyKicE4iHSPBi8PI+6j43l3nmgnuD8fg
--> ssh-ed25519 VQSaNw qKlh7tiMBtr+nSEBk6WeZoJ7Dzh6VHO5gN4hBf4muRM
+-> ssh-ed25519 ZIo4kw 1Dsr2GnTeovirdaQDP6rOmYVZGwEelsiMzBIIxBo+XU
-Aq2c0Gi5eAlwL5RKrmrygtZdRYk2aY2vjG9s3k7p9hQ
+iICbsK3fq4tT+ik4Y1QFs2gm8b74HuOJKJNt6oTFJyw
--> kO[(ddID-grease qq^m ?
+-> ssh-ed25519 9/PCvA WJkJxSSNkVB6fwNfQ4GzCaNz4G/hmCItL3/pI6fnIDQ
-JNVmowjDLasojkFmvRnZ7sxMi7/SpsSan0VXIj8qxqoBo5flLWhvD7mSblGHzegP
+PQHvay/PkTs29OG+n2/taElF3vZDnK0JQNrs70JcfNk
-/degDQCvLlok9w6XDizZGN7nRAk
+-> ssh-ed25519 VQSaNw nR4FmyiSBDWssm3SBVnxzbONnLwaNnAZv8hUUR0IkHc
---- skSDFui7qsitmkHgiWfNf1zkXOfGM6wrL/RwgVpyoL4
+ALIlf0eCDGcApxyU5Rg2SnvDyOUMvzX8SGdAZODLbJw
-õqAW—xFBâΟܟ{ü(çI?ñZ	‡IXºc4îÅìþ;
Ĥ9Ò×—}(I
ˆ<C38B>!Ù¬ç|ŒÃÑË S„
+-> =Zil-grease >62kQS y ?!b&||n Kf9
+pEaW7kRzDq0EITVZzxNDb40BeNl8
+--- YEvmK+6dMTyImZyFsbtEmxgF8prKBkgg7g2me/HKyD4
+d2½šO¹
–Ø^
Û$¬]¼8<>ÿåv3¹ƒ	’´*F<1C>!LÓð½ÜÕ¨B<C2A8>qH±<48>µcÒÃ<C392>/&–øLl!

machines/nixos/web03/secrets/webhook-gestiojeux_token

@@ -1,29 +1,32 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA dBBF9o4SBTHNv495PFZa6dszbs9nEARwg0EfOlfFwhc
+-> ssh-ed25519 jIXfPA /sAsMjd8Hpn8Rcl5ElA42UKF7rEVyrqXRTLiIuPHKCE
-GkqX8sjLqFHGm4UA+zyVRB7FGGgAxilFYHarEQB0YAk
+vPlHKxAdC9lsD4Khvd3NTc4AVGnBsoJunAmtZ0v7WAc
--> ssh-ed25519 QlRB9Q DEu91DA+qho3Zs3gSQbWH/hOKUfgP5Qd90+9ZzYs1So
+-> ssh-ed25519 QlRB9Q snCj4d7iC3RmZh+oWla2PmG+VFMAUpIlfC11rfu6Txc
-aIw1ygo/e0tpqW2N27Fl8WRe362ronzqy52vSzD35Tc
+eswcGvMsAHrO6s8xTujLHMhDdhl2EEN9wYKQmr9qarw
--> ssh-ed25519 r+nK/Q JUurf12UYuJKvKusUh/GOJryFbA8lWaS8v+/pRb0kys
+-> ssh-ed25519 r+nK/Q HX54EpIo7qeg36dr9ylTbz/486Q6h5OEY7wODYmCuiQ
-VsgsBSwjBXTD+tmP3jxCPVeDY7AHVFx5o57y+ubEjts
+8wBRjVjoYzQECtYXNxQCQBl5NDCD+EzS51NGURh7LXE
 -> ssh-rsa krWCLQ
-o08ZnFZIj37p5hpWgl8FXwPwHKjoBD7Z0UxMRsF4CUF0sLOpwVHD4L57hAA8a80S
+zsjUt9wlEgn6nOtc9pAAao9AxFY1h5hZub9OL+sBzY1T7fjbxfymPYCJnKArZWXI
-063e48OJ5OsrtueqqJwPT+wjXfmEarLUqC+rP0X+JDW8OLwSImBcYC5DQJZLUFSK
+UyDV0aS0O4ayyvzogfodw+9i/k2uK/c9uFczjiDVq4XyW3NqYJ1uHoOrBAzYbDnn
-doF8S8Bo0MbuB4eKnXUAJlhdZOk/iqYK8TYuuSIwWQxHwF/fT43hrYIkj6lmqdmG
+MCFDJ7LZBR5j5lwAPw6UYkptyQs1aCtx4jk/vQsubMqDjcid/ZUfCXN/UNuLYHO9
-IqSXA04KpQFoL15INIAtsnj5xXJlI0gCPp0pxMNUmVyTTrNLfaEiKH191D+Elmjd
+R/uzH9VYTGYtRNjBZLxcmT/kkZz1O0ENFEluRJ1xMpuutnMGbw/m9DgnFsT2vDrw
-xcdvMX1yzIPI/mI/+/OjeYspijY0XpRHLJ9ljfEK7E2N8IgpyzBx2BzxYhRHoQmi
+MMlwS2uBd0YfDEQWXxVICo6kaz0Oo3S9JIMd/aY6cTqoqhgA5q22ul03vsBHu1Ye
-6SbZu9Tirw+yv5wv8oIaHA
+tnLHV7zQjaIHQhI3PfuiMw
--> ssh-ed25519 /vwQcQ M6QID8DMaFMnF97UWwbSYJ7Sh0wvj/fq7cszu82/oHI
+-> ssh-ed25519 /vwQcQ uGQxrfprG+sBQES8UpdeIMeL3vKYll9llqWEY1T0lUQ
-T+aT4NCbVfGXnvPK7w8fbojAwDTE41h40q0tDwnGyhE
+0fSe/cbnnoEu8iQ/VYAw899YojJxU2+zA4JyHVQ36bI
--> ssh-ed25519 0R97PA XyZvyy80nv2tGe1fBzM0LeiIAGuyV22CzBoCPFMMrw8
+-> ssh-ed25519 0R97PA 0GC9S/8syAeTnaKtF+DoLf4gFJwbGYpizosba/2dMEM
-9VPiRV3GCWbH1So5LBrjBeRzEtErPM7BwOF/zaD/yGk
+STbpLqqGCkmAoKJTnkthK1EAqG0N717lg5G8Qgk7jzI
--> ssh-ed25519 JGx7Ng OPlQBKO+Wub+PPMNPoRGWTeSZfGF3kYCD8HLbLbPR0k
+-> ssh-ed25519 JGx7Ng vi4vnBSi02B9zeg63FAQ12HVv1NmZ50wuVkwmbDOyGM
-ZhBUT5ig0FnLCau+da9bfEkVjFxfZXG0mXW1o0yZ+JQ
+QI6esTxJ9YxtwBDzdYOOZB4JeoYZZ5fS0kAd3Pcgk/M
--> ssh-ed25519 bUjjig T5/dZtIRaXmNg8pajSAM76cVANM7MvQ7f32fz2fEqx0
+-> ssh-ed25519 bUjjig vLtnNj1ExEEfsv8C6ivK03cVRpWP3Pw8ebygt+/45gY
-+6kRffMJX+8QAOf5jA5acGihgw4q8yJda0EzVGePD+I
+Nhw5uszBnkLyz5Q7a4TfnCEkbLxDA26OE6TamfcB98o
--> ssh-ed25519 VQSaNw InflFPtAwYwQFWqd+KK+ILwMa0XTNkVB+xEMtUXW8Us
+-> ssh-ed25519 ZIo4kw 5fHM1qlVrjF+E3ezAPIizL9Ht+xCc6hLC4Ee2MBlfQM
-XZ6LVMCpvq+QBo0EHAlnC8uBhQssixTLVCpul6ov4Dk
+4WZSV8fhoxK0m0C1i7CbjCYjkPPgo57gy6PwFYLoFBI
--> YKmn+c&-grease EA5d$ ="1d }cP
+-> ssh-ed25519 9/PCvA HfRZ1fQvl+tJTnX+bH3Ki+lF6hccw2+ol/zsaE5pYAQ
-3u46NE2SdfO9ugNN/41PeU/65CRgmDiO54B9ZQLNRQtVyyLlcmvaYHCQach+s+Rs
+lUUBEdIje0/PFXqm5jlyXXioRrCr8kdQ5w8zsCedCbs
-tE0Gc8MD23hPw5ZhWj0nq7xF8VHtRQSTLQ
+-> ssh-ed25519 VQSaNw 4U6vBdSxE0h4su9DLfY+gTSHufnW4HfYEXdxXecMIAg
---- UkbfAVgnLkeg6Zdb3bsdPtx9Wh6HOjdB+qmTvrAWFuE
+hohBOA/IF1UfDmi//k7lrbffKqqaLk6zpktelo5oxqk
-5_E¼ñ/e)±žÑÊC×7Ú›ÈY<C388>wPŽöTášt6>l_0:[èP»ÎH5·¼j—<6A>€P˸â=vèFýÉIÄ4¹ÿÏD쪘ýp£§
+-> _adQ-grease :-ic1W tkUM 3e
+UYm65BMlSUw
+--- 8yZM8IYR6VDhkXkWksoxd+zHm/BW+Kq0CqMUGxGP+v4
+¡¹ºv©U&`‘ÄÕƒ(Øérâ<±û`[9¶^’¨™ýym˜(¦ÞÑùbiÂâÈ
µÑ*)R}5ÂË3<C38B>«xžøó™¿$<>H9-ƒ9O

meta/default.nix

@@ -10,13 +10,11 @@
 lib:
 
 (lib.evalModules {
-  modules = [
+  modules = lib.extra.mkImports ./. [
-    ./options.nix
+    "network"
-    {
+    "nodes"
-      network = import ./network.nix;
+    "options"
-      nodes = import ./nodes;
+    "organization"
-      organization = import ./organization.nix;
-    }
   ];
   class = "dgnumMeta";
 }).config