feat: init roam01

keys/default.nix

@@ -14,11 +14,18 @@ rec {
   _keys = (import "${_sources.infrastructure}/keys")._keys // {
     krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
     router02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5t0InDV9nTLEqXrenqMJZAjkCAmfzHk6LLLHme3k3j" ];
+    roam01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXjzVxYs5v5+7N0tyqpBQERXKjXwTZUqVGkdye4S1LP" ];
     status01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQFCsn/8c46O7JLx0QYdbZsXnS+NYtsgUNHPd2Toksj" ];
   };
 
+  _vpnKeys =
+    builtins.mapAttrs (_: v: v.vpnKeys) meta.organization.members
+    // builtins.mapAttrs (_: v: v.vpnKeys) meta.network;
+
   getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
 
+  getVpnKey = vpn: name: _vpnKeys.${name}.${vpn};
+
   mkSecrets =
     nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
 

machines/roam01/_configuration.nix

@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+  ];
+
+  enabledServices = [
+    # List of services to enable
+    "wireguard"
+  ];
+
+  extraConfig = {
+    networking.interfaces.enp1s0.useDHCP = true;
+  };
+
+  root = ./.;
+}

machines/roam01/_hardware-configuration.nix

@@ -0,0 +1,62 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "usb_storage"
+        "usbhid"
+        "sd_mod"
+        "sdhci_pci"
+      ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/bfb4359b-75b2-4fa0-bdb6-283658a0019a";
+    fsType = "xfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/1A70-E9AE";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/6518c729-a0cb-41b4-acc8-ec219d0afba6"; }
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp4s0d1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machines/roam01/secrets/secrets.nix

@@ -0,0 +1,4 @@
+(import ../../../keys).mkSecrets [ "roam01" ] [
+  # List of secrets for router02
+  "systemd-network-wg_key"
+]

machines/roam01/secrets/systemd-network-wg_key

@@ -0,0 +1,39 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA eITDLS0bZ9nCNbcpXN2S2JK6+gy0V9Ix5anuz1DXpi8
+h/3wu702P2+Mnrsh5EimLoLY6XPiyTvjytjVr2nVPU0
+-> ssh-ed25519 QlRB9Q atT+Cb4dk/jH7uhQ7b8Qu1E4tFcrm7mUzqhwlvciCng
+eZvsq5OsW7cxf4EmE7L4KhzmiCRhV72ILT5mOg3D7GY
+-> ssh-ed25519 r+nK/Q RfAubzTOifMb9Pukkwkh7iUgOLxmIxkPCBhZqzohHA4
+0rdpQrp7iSRjGCsi7EjOcuCx2YXXscJxIYv0vfpV9hw
+-> ssh-rsa krWCLQ
+tBs7XiMvJdAqbtZTaDxgyLrHxyUjgKU4amTtPdVxRUuqm4uSoxoHJj7N6NGBPhW4
+ODB8ft5OoAwjtP/D12pNUn3fsIuo7DJGc57Dt74f0ge+MWTVI/tEC8I8EVOVYIpv
+Udc1kW8n2CCdkAulSrvlfLQPuVFUcOYWGTvEVE05gPRoJ7NiXR9CW2ByyRjD12Fj
+W+8c/H0/h8CmWGRFMZG+xlt9DmYNegz2TCKyTJPtWHRT6sYCqct13GQP/C8s8fJv
+ZQjIUcF91EBTr6Gc0fGEYFmKQckOkEeAG3P92YuK9NLyHw5xHl9M+gFZlYsQ91kg
+/uVW29GmK7qoyxpUP0GamA
+-> ssh-ed25519 /vwQcQ 0y6bP+6t8EhcHs7ap/FmCDWxQLCkDF5KyeXlGZln9Qc
+9xpybiFqQTxJ8Po0044HRhoBlmcFzqeXMG3IrZzKOdI
+-> ssh-ed25519 0R97PA 1pn+9GwTf+AHsSCqI+xe0blM/6qJUgCgjCF3mlEV4k0
+W278+7Qc5/QyALiy1Gt8WKqCw+MX4Ko0VLV+p1KoSjA
+-> ssh-ed25519 JGx7Ng hrWsXtVn1DNQ86woVee66ljaMpgBBoJmHdS7qyESbz0
+dRPPTNmGYFZ+VR9gPhfD5wutqIuJXXEtoMapnAShrHE
+-> ssh-ed25519 bUjjig RzQTuUiEmKd9VqYMKz3cbaU7v4OncTK8N1VA+4M851w
+49tmBO+NwrGfNyDwcyuk+7DFqK0yYfZoJ98qeYg0yBY
+-> ssh-ed25519 5SY7Kg 9icmp/ZQKCNxep3mnqbJs3pfjaunJwpK9OP5PhXSvE4
+Yx6OjFMMwg+MRsHSlg8DjBDF5jumxJcweaWPsy0TCNU
+-> ssh-ed25519 p/Mg4Q yhvaDm7yq75qq2Sb5wmXqunG5sHoamAi0r/kBOFHJjw
+ZnmJd4au4dGscs7HdW1TqqLjqniRT3EhivgllyuGp5s
+-> ssh-ed25519 5rrg4g oQn9sbjixiuN02aDo/v4n6JWTT4MPbYVwni0OW04NFk
+hhYoASjz7CPqNXwGCOydrzadudrvncUsv318zFFUB0A
+-> ssh-ed25519 oRtTqQ holCshSmzD+N5BYaUOv00WZlFn0UOLTikddFPZpCw1o
+XdPjWqs7UqmA4ZLbgNAlDuHcdEGeeGCryBLE0jUtRbM
+-> ssh-ed25519 F2C+8w h7ncoDRcnH+pVcRAP5au111c47oRjg4ISn93qK912zk
+7sisrDx+avRb9HE2WvYkgSErsvNMqsc+UESmRKt7xz8
+-> ssh-ed25519 PMC4Bw oyKwRE22OV8RupaRKV6MgdL9sYK12NvhRDseQwo2MWE
+oQOX7qy2Lo6eqmOBqgCjssu5mrd85NQDwmOdzIrj7yg
+-> :1G-grease
+krZ6nazBc8pS3EHxhcidv4uBigiek7jhODqwOoFQa3+31acCrziN8elOxd6gEa7B
+a/xpMlN0
+--- BZD889tFoBkFafKWHk0vfNhpP+YtdcU+wpmm0d9RV+Q
+Ç„yz¥5Y7ùY}‡ˆ"·Q{±sy;âÇ“˜dÛü°”PX4¹Ï›Ã×c½Š1
AÕv©ýJ›î<ž^fÁ¯ƒñv3U%eó]–P

machines/roam01/wireguard.nix

@@ -0,0 +1,58 @@
+{
+  config,
+  lib,
+  dgn-keys,
+  name,
+  ...
+}:
+let
+  mkPeer =
+    prefix: peerName:
+    let
+      peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
+    in
+    {
+      Endpoint = "129.199.146.230:1194";
+      PersistentKeepalive = 25;
+      AllowedIPs = [
+        "fdaa::${prefix}:0/64"
+      ];
+      PublicKey = peer.key;
+    };
+in
+
+{
+  age-secrets.autoMatch = [ "systemd-network" ];
+  networking.firewall.trustedInterfaces = [ "wg0" ];
+  systemd.network = {
+    networks = {
+      "50-wg-mgmt" = {
+        name = "wg-mgmt";
+        address = [
+          "fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64"
+        ];
+        routes = [
+          {
+            Destination = "fdaa::/64";
+            Scope = "link";
+          }
+        ];
+      };
+    };
+    netdevs = {
+      "50-wg-mgmt" = {
+        netdevConfig = {
+          Name = "wg-mgmt";
+          Kind = "wireguard";
+        };
+        wireguardConfig = {
+          ListenPort = 1194;
+          PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
+        };
+
+        wireguardPeers = builtins.map (mkPeer "0") [ "router02" ];
+      };
+    };
+  };
+  networking.firewall.allowedUDPPorts = [ 1194 ];
+}

machines/router02/_configuration.nix

@@ -8,6 +8,7 @@ lib.extra.mkConfig {
   enabledServices = [
     # List of services to enable
     "networking"
+    "wireguard"
   ];
 
   extraConfig = { };

machines/router02/secrets/systemd-network-wg_key

@@ -0,0 +1,39 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA 6v2v03EntXNNOnWAuZEcLybn6iWI+LB0kA/AbzszgQs
+aqtydlqLgpfvC9rz0x0MshF+RfYJSpQaah5moS3CsGY
+-> ssh-ed25519 QlRB9Q 8SqWmf7skeFnmT1HU43V7PwaqYl/hHTifx70qr05Y3c
+W/b0CABozdoiSXWokOs+ChRL2pKCjL/b3kZHsBLBemw
+-> ssh-ed25519 r+nK/Q TwRRJzM7q81lTdiMwINKYs5RqUaKR9odwTj0CaAUOFU
+mYvyP/UeLFDgXFAUkCfZRNuRTJBL5t01nQ5a3U9BVrc
+-> ssh-rsa krWCLQ
+ssWV1ySMEEZJEsNUjss0U+rLVLYVLlPovyeqv3dWgRdbojFOboXZh7yo07KHOuu8
+N3QU64Iy1B8VOoPPhkfRURJjsjEEt/48gwMm9Ff9lmF/rxuw8KOPlGgAF+HwGK0z
+Y2gTJkehFuuBN70jsPpCGqlEpmbwLfw1BbYp8zYEq6OKXkhZjIWVEwfa3Ahiw0Z7
+3VTC/9GVhpPu/s532TxYNsTZj6nBSp22jc8AZZvOxbPrV5Qk8yLb3JMfXBWn3bJv
+N4A1x+ibCI6bnl+gYzmVjiquMuo8CMR1t+KAp6nNfv1dZT5UDBYKswYQ1AhQi7jh
+KzBK3vInE18L3qWPxt4Zdw
+-> ssh-ed25519 /vwQcQ YilslLDdIPQRNOr/ZA+WreHP5PNBiy/f6xz2UImsEQA
+gjH2VsGYM/bJu+X5vwF1y+r0+pDC7EOjesuawUw5WAo
+-> ssh-ed25519 0R97PA qFqvdP6/zg+/ruLrNmmFdi0ED43LVNtrfFISTVMLimA
+YQyo/5tyH2JMPWiqV0bxWhMWVpyjcaQc9nr1WPUMygc
+-> ssh-ed25519 JGx7Ng /SvvUDt/rDTaFOqaxL+d49pNyx7Wvkl0FMr36RIsxgQ
+pF191qRavD24LSw2JHKpVKFGK281UitMTcLDV7Zw87M
+-> ssh-ed25519 bUjjig +o1W/J1qFW96kC5SCz5azW4ar/bGglWOIST/VEBl0k8
+mHPgOqZN5eLw5AG47TIXccckR1qhhr6Ix08l3CY2NF4
+-> ssh-ed25519 5SY7Kg 53VjPE/xjun7Q1fKUaRKoEw1p5ble9fiunb/hX8sSns
+5ro90MKLPz2rqdHghVBbrKXiRHHUEeRKkB+RZwxX1Ls
+-> ssh-ed25519 p/Mg4Q tLc6UNchEe2AR/91gGauHIhD84UfKbIgS5MR77dhxhw
+Q5/8BbmXj9wTv0oHr73Au3gNgMDPxT1btyRFhVZ+My8
+-> ssh-ed25519 5rrg4g WVq0dsHIxZffMqbAgdtBoMZDpzWI2eSc/gYuohn2JHc
+CXBXkFLl8ljpBZK3emGaj5D0lb07KfCBeHPLc0AuCFA
+-> ssh-ed25519 oRtTqQ Zq/GevKIc0qaGd0jXWpkd88BxA6yPonFzvxqxtylCiw
+KO0avMpoF1ICg+17xvsmBLGsZ4FVorjkcMl/adT2/IU
+-> ssh-ed25519 F2C+8w b9E1FgolbSv9cbAKTwSUnUhcilOFC3mkX8zEgeYwJxs
+vqh2UldeQQTkDuiRxrT8+Xxdpt2s16X+14J57rpZVKM
+-> ssh-ed25519 Dk/ltw 9zNl1I2J0A99y6G2M4JHhUVgn/9xcCaDz+I1NQxJewg
+GFQp+hYM9dyICmI5UmdnNftq7g3QyNH3MlkAoag8YtQ
+-> jn$!zr-grease w#SDYrYf
+tNm7A1/g1RMy3lwzsibb/VhsMojufa8iCJCfZ5PG13ikyKab/8GY2oBO282yzcGJ
+NLDaG5WbIbese3Rxi+rC0ucRZYWlx/w
+--- 8tELVgxGaIQsgC4NrrRbSh8Y8p+d8sQLG6pWZrc4b3o
+<16>kÜèŽuûEõ¬4>7>«p<C2AB>KøÎH¶ê$8MÞŸ@¢’¢û„<C3BB>°º

fñ`ÿ°XÍÚLi½:”öû³&wè>
4ۥ,#qh™4

machines/router02/wireguard.nix

@@ -1,13 +1,33 @@
-{ config, ... }:
 {
-  config.age-secrets.autoMatch = [ "systemd-network" ];
+  config,
+  lib,
+  dgn-keys,
+  name,
+  ...
+}:
+let
+  mkPeer =
+    prefix: peerName:
+    let
+      peer = dgn-keys.getVpnKey "wg-mgmt" peerName;
+    in
+    {
+      AllowedIPs = [
+        "fdaa::${prefix}:${lib.toHexString peer.id}/32"
+      ];
+      PublicKey = peer.key;
+    };
+in
+
+{
+  age-secrets.autoMatch = [ "systemd-network" ];
   networking.firewall.trustedInterfaces = [ "wg0" ];
   systemd.network = {
     networks = {
       "50-wg-mgmt" = {
         name = "wg-mgmt";
         address = [
-          "fdaa::1/64"
+          "fdaa::${lib.toHexString (dgn-keys.getVpnKey "wg-mgmt" name).id}/64"
         ];
         routes = [
           {
@@ -28,17 +48,14 @@
           PrivateKeyFile = config.age.secrets."systemd-network-wg_key".path;
         };
 
-        wireguardPeers = [
-          {
-            AllowedIPs = [
-              "fdaa::2/64"
-            ];
-            PublicKey = "h4Nf+e4JIjqOMuM5JtLN298BF/fym9fWKGtRZmS5MVA=";
-          }
-        ];
+        wireguardPeers =
+          builtins.map (mkPeer "1") [
+            "mdebray"
+            "catvayor"
+          ]
+          ++ builtins.map (mkPeer "0") [ "roam01" ];
       };
     };
   };
   networking.firewall.allowedUDPPorts = [ 1194 ];
 }
-

meta/network.nix

@@ -117,6 +117,13 @@ in
 
     addresses.ipv4 = [ "129.199.146.230" ];
 
+    vpnKeys = {
+      wg-mgmt = {
+        id = 1;
+        key = "PN8/zo1Clue7jAnkvaUOg1ZdmcXmcTb6kIRpu5cplHs=";
+      };
+    };
+
     hostId = "144d0f7a";
   };
   photo01 = {
@@ -143,5 +150,17 @@ in
 
     hostId = "7ce86f3d";
   };
+  roam01 = {
+    interfaces = { };
+
+    vpnKeys = {
+      wg-mgmt = {
+        id = 2;
+        key = "Yg1GwHbJ7kwNbnjxI+5LtgDvzMPMiOm3EgI/saLI7FU=";
+      };
+    };
+
+    hostId = "999dc679";
+  };
 }
 // mkRoutexp (import ./routexp.nix)

meta/nodes.nix

@@ -102,7 +102,7 @@ in
 
     hashedPassword = "$y$j9T$5OchePm5POsgveGLY/bKy/$9XkkZq9aBycg.YImEzFSiYRbAfBO0A4G7qMGIF/WEo9";
 
-    deployment.targetHost = "129.199.146.37";
+    deployment.targetHost = "129.199.146.39";
 
     stateVersion = "24.11";
     nixpkgs = "unstable";

meta/options.nix

@@ -14,11 +14,14 @@ let
     ints
     listOf
     nullOr
+    singleLineStr
     str
     submodule
     unspecified
     ;
 
+  inherit (ints) positive;
+
   addressType =
     max:
     submodule {
@@ -34,6 +37,22 @@ let
       };
     };
 
+  vpnKeyType = submodule {
+    options = {
+      id = mkOption {
+        type = positive;
+        description = ''
+          Unique ID that will be  used to guess IP address
+        '';
+      };
+      key = mkOption {
+        type = str;
+        description = ''
+          Public key of the user for this VPN
+        '';
+      };
+    };
+  };
   org = config.organization;
 in
 
@@ -41,23 +60,55 @@ in
   options = {
     organization = {
       members = mkOption {
-        type = attrsOf (submodule {
-          options = {
-            name = mkOption {
-              type = str;
-              description = ''
-                Name of the member.
-              '';
-            };
+        type = attrsOf (
+          submodule (
+            { name, ... }:
+            {
+              options = {
+                name = mkOption {
+                  type = str;
+                  description = ''
+                    Name of the member.
+                  '';
+                };
 
-            email = mkOption {
-              type = str;
-              description = ''
-                Main e-mail address of the member.
-              '';
-            };
-          };
-        });
+                email = mkOption {
+                  type = str;
+                  description = ''
+                    Main e-mail address of the member.
+                  '';
+                };
+
+                username = mkOption {
+                  type = str;
+                  default = name;
+                  description = ''
+                    The username used for authentication.
+                    WARNING: Must be the same as the ens login!
+                  '';
+                };
+
+                sshKeys = lib.mkOption {
+                  type = listOf singleLineStr;
+                  description = ''
+                    A list of verbatim OpenSSH public keys that should be added to the
+                    user's authorized keys.
+                  '';
+                  example = [
+                    "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
+                    "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
+                  ];
+                };
+
+                vpnKeys = mkOption {
+                  type = attrsOf vpnKeyType;
+                  default = { };
+                  description = "Attribute sets to define vpn keys of the user";
+                };
+              };
+            }
+          )
+        );
 
         description = ''
           Members of the DGNum organization.
@@ -70,6 +121,39 @@ in
           Groups of the DGNum organization.
         '';
       };
+
+      external = mkOption {
+        type = attrsOf (listOf str);
+        description = ''
+          External services used by the DGNum organization.
+        '';
+      };
+
+      services = mkOption {
+        type = attrsOf (submodule {
+          options = {
+            admins = mkOption {
+              type = listOf str;
+              default = [ ];
+              description = ''
+                List of administrators of the service.
+              '';
+            };
+
+            adminGroups = mkOption {
+              type = listOf str;
+              default = [ ];
+              description = ''
+                List of administrator groups of the service.
+              '';
+            };
+          };
+        });
+        description = ''
+          Administrator access of the different DGNum services,
+          it is mainly indicative as most services cannot configure this statically.
+        '';
+      };
     };
 
     nodes = mkOption {
@@ -256,6 +340,13 @@ in
                   IP address of the node in the netbird network.
                 '';
               };
+
+              vpnKeys = mkOption {
+                type = attrsOf vpnKeyType;
+                default = { };
+                description = "Attribute sets to define vpn keys of the machine";
+
+              };
             };
 
             config =
@@ -327,11 +418,20 @@ in
           extract "adminGroups" config.nodes
         ))
 
-        # Check that all members have ssh keys
-        (builtins.map (name: {
-          assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
-          message = "No ssh keys found for ${name}.";
-        }) members)
+        # Check that all services admins exist
+        (membersExists (name: "A member of the service ${name} admins was not found in the members list.") (
+          extract "admins" org.services
+        ))
+
+        # Check that all services adminGroups exist
+        (groupsExists (
+          name: "A member of the service ${name} adminGroups was not found in the groups list."
+        ) (extract "adminGroups" org.services))
+
+        # Check that all external services admins exist
+        (membersExists (
+          name: "A member of the external service ${name} admins was not found in the members list."
+        ) org.external)
       ];
     };
 }

meta/organization.nix

@@ -5,44 +5,104 @@
 
 {
   members = {
+    agroudiev = {
+      name = "Antoine Groudiev";
+      email = "antoine.groudiev@dgnum.eu";
+      sshKeys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
+      ];
+    };
+
     catvayor = {
       name = "Lubin Bailly";
       email = "catvayor@dgnum.eu";
+      username = "lbailly";
+      sshKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
+      ];
+      vpnKeys = {
+        wg-mgmt = {
+          id = 1;
+          key = "zIHvCSzk5a94jvnXU4iscbp9RUGzbWpARDMRgHNtMl4=";
+        };
+      };
     };
-
     cst1 = {
       name = "Constantin Gierczak--Galle";
       email = "cst1@dgnum.eu";
+      username = "cgierczakgalle";
+      sshKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
+      ];
     };
 
     ecoppens = {
       name = "Elias Coppens";
       email = "ecoppens@dgnum.eu";
+      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
     };
 
     jemagius = {
       name = "Jean-Marc Gailis";
       email = "jm@dgnum.eu";
+      username = "jgailis";
+      sshKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
+      ];
     };
 
     luj = {
       name = "Julien Malka";
       email = "luj@dgnum.eu";
+      username = "jmalka";
+      sshKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
+      ];
+    };
+
+    mboyer = {
+      name = "Matthieu Boyer";
+      email = "matthieu.boyer@dgnum.eu";
+      username = "mboyer02";
+      sshKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
     };
 
     mdebray = {
       name = "Maurice Debray";
       email = "maurice.debray@dgnum.eu";
+      sshKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
+      ];
+      vpnKeys = {
+        wg-mgmt = {
+          id = 2;
+          key = "+nTxD4ZAzk+9LHGwEfK0t2cMQf0ognBYmhybNbCzW38=";
+        };
+      };
     };
 
     raito = {
       name = "Ryan Lahfa";
       email = "ryan@dgnum.eu";
+      username = "rlahfa";
+      sshKeys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
+      ];
     };
 
     thubrecht = {
       name = "Tom Hubrecht";
       email = "tom.hubrecht@dgnum.eu";
+      sshKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
+      ];
     };
   };