feat: add Sel's key everywhere

feat(agb01): add Sel's keys
feat(ragb): Commit all the hotfixes
2024-11-13 17:05:04 +01:00 · 2024-11-13 13:53:48 +01:00 · 2024-11-07 20:58:01 +01:00 · 2024-10-22 00:46:43 +02:00 · 2024-10-15 16:53:44 +02:00 · 2024-10-15 13:35:12 +02:00
142 changed files with 3201 additions and 639 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,4 @@
+result
+result-*
+*.swp
+/public.tar.gz
--- a/hive.nix
+++ b/hive.nix
@ -0,0 +1,73 @@
+let
+  sources = import ./npins;
+  metadata = import ./meta.nix;
+
+  defaultNixpkgs = importNixpkgsPath "x86_64-linux" sources."nixos-unstable";
+
+  inherit (defaultNixpkgs) lib;
+
+  revision =
+    node:
+    (builtins.fromJSON (builtins.readFile ./npins/sources.json)).pins.${pkgsVersion node}.revision;
+
+  mkNode = node: {
+    ${node} =
+      {
+        name,
+        nodes,
+        ...
+      }:
+      {
+        imports = [
+          ./machines/${node}/_configuration.nix
+        ] ++ lib.attrByPath [ "imports" ] [ ] metadata.nodes.${node};
+        inherit (metadata.nodes.${node}) deployment;
+        nix.nixPath = builtins.map (n: "${n}=${sources.${n}}") (builtins.attrNames sources) ++ [
+          "nixpkgs=${mkNixpkgsPath name}"
+        ];
+        system.nixos.tags = [
+          (revision node)
+        ];
+      };
+  };
+
+  pkgsVersion =
+    node:
+    lib.attrByPath [
+      node
+      "nixpkgs"
+    ] "nixos-unstable" metadata.nodes;
+
+  mkNixpkgsPath = node: sources.${pkgsVersion node};
+
+  mkNixpkgs = node: {
+    ${node} = importNixpkgsPath (lib.attrByPath [ "arch" ] "x86_64-linux" metadata.nodes.${node}) (
+      mkNixpkgsPath node
+    );
+  };
+
+  importNixpkgsPath =
+    arch: p:
+    import p {
+      config.allowUnfree = true;
+      overlays = import ./pkgs/overlays.nix { inherit sources; };
+      system = arch;
+    };
+
+  nodes = builtins.attrNames metadata.nodes;
+
+  concatAttrs = builtins.foldl' (x: y: x // y) { };
+in
+{
+  meta = {
+    specialArgs = {
+      inherit sources metadata;
+    };
+    nixpkgs = defaultNixpkgs;
+    nodeNixpkgs = concatAttrs (builtins.map mkNixpkgs nodes);
+    specialArgs = {
+      lib = lib;
+    };
+  };
+}
+// (concatAttrs (builtins.map mkNode nodes))
--- a/hosts/hackens-milieu/hardware-configuration.nix
+++ b/hosts/hackens-milieu/hardware-configuration.nix
@ -1,33 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, ... }:
-
-{
-  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    ];
-
-  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-label/nixos-root";
-      fsType = "btrfs";
-      options = [ "ssd" "noatime" "ssd_spread" "discard" "space_cache" ];
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-label/BOOT";
-      fsType = "vfat";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-label/SWAP"; }
-    ];
-
-  nix.maxJobs = lib.mkDefault 4;
-  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
-}
--- a/hosts/hackens-org/hardware-configuration.nix
+++ b/hosts/hackens-org/hardware-configuration.nix
@ -1,29 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "virtio_pci" "virtio_blk" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/8deb32c9-ee6a-4de8-94da-239c8ec509a2";
-      fsType = "btrfs";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/0795-75ED";
-      fsType = "vfat";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/bd7c1c01-ce31-4db3-9c06-70716020e24a"; } ];
-
-}
--- a/hosts/hackens-org/misc/default.nix
+++ b/hosts/hackens-org/misc/default.nix
@ -1,12 +0,0 @@
-{ pkgs, ... }:
-{
-  imports = [
-    # ./static-website.nix
-    # ./game2048.nix
-    # ./casauth.nix
-    # ./nds.nix
-    # ./prez.nix
-    # ./public.nix
-    # ./jarvis.nix
-  ];
-}
--- a/hosts/hackens-org/modules/static-website.nix
+++ b/hosts/hackens-org/modules/static-website.nix
@ -1,26 +0,0 @@
-{ lib, config }:
-
-with lib;
-let
-  cfg = config.services.static-website.config;
-  l = builtins.split cfg.name "/";
-  name = lists.last l;
-in
-{
-  services.static-website.config = lib.mkOption {
-    type = with types; attrsOf (submodule {
-      options.name = mkOption path;
-    });
-  };
-
-  config = {
-    services.nginx.enable = cfg.enable;
-    virtualHosts."${cfg.name}" = {
-      root = "/var/lib/nginx/static/${name}";
-    }
-  };
-}
-
-/* TODO
-ACME
-*/
--- a/hosts/hackens-org/physical.nix
+++ b/hosts/hackens-org/physical.nix
@ -1,15 +0,0 @@
-{ pkgs, ... }:
-{
-  # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  boot.loader.grub.device = "/dev/vdb"; # or "nodev" for efi only
-
-  time.timeZone = "Europe/Paris";
-
-  networking.useDHCP = false;
-  networking.interfaces.eth0 = {
-    ipv4.addresses = [ { address = "129.199.129.76"; prefixLength = 24; } ];
-  };
-  networking.defaultGateway = { address = "129.199.129.1"; interface = "eth0"; };
-}
--- a/hosts/hackens-org/wiki.nix
+++ b/hosts/hackens-org/wiki.nix
@ -1,63 +0,0 @@
-{ pkgs, ... }:
-{
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-  # TODO: move to hackens.org
-  services.dokuwiki.sites."hackens.ens.fr" = {
-    enable = true;
-
-    extraConfig = ''
-      $conf['title'] = 'hackEns';
-      $conf['start'] = 'accueil';
-      $conf['lang'] = 'fr';
-      $conf['template'] = 'bootstrap3';
-      $conf['license'] = 'cc-by-sa';
-      $conf['breadcrumbs'] = 0; # On s'en fiche de l'historique des pages visitées
-      $conf['youarehere'] = true; # Par contre on veut notre position dans la hiérarchie du site
-      # On veut que les liens externes s'ouvrent dans de nouveaux onglets
-      $conf['target'] = array(
-        'extern' => '_tab'
-      );
-      $conf['htmlok'] = 1; # On peut mettre du html dans les pages
-      $conf['sitemap'] = 7;
-      $conf['rss_type'] = 'rss2';
-      $conf['userewrite'] = 1; # Important, sinon on casse tout avec les règles nginx définies par le module nixos
-      $conf['useslash'] = 1;
-      $conf['plugin']['tokenbucketauth']['tba_send_mail'] = 'hackens@clipper.ens.fr'; # Ban auto des IPs qui brute-forcent
-      $conf['htmlmail'] = 0; # On envoie les mails en plain text
-      $conf['useacl'] = 1; # On ne veut pas que n'importe qui écrive
-    '';
-
-    pluginsConfig = ''
-      $plugins['authmysql'] = 0;
-      $plugins['popularity'] = 0;
-      $plugins['authpgsql'] = 0;
-      $plugins['authpdo'] = 0;
-      $plugins['authldap'] = 0;
-    '';
-
-    disableActions = "register";
-    superUser = "@admin";
-
-    acl = ''
-      *	@ALL	1
-      *	@users  8
-    '';
-
-    # Il faut packager les templates
-    templates = let
-      template-bootstrap3 = pkgs.stdenv.mkDerivation {
-        name = "bootstrap3";
-        # Download the theme from the dokuwiki site
-        src = pkgs.fetchurl {
-          url = "https://github.com/giterlizzi/dokuwiki-template-bootstrap3/archive/v2019-05-22.zip";
-          sha256 = "4de5ff31d54dd61bbccaf092c9e74c1af3a4c53e07aa59f60457a8f00cfb23a6";
-        };
-        # We need unzip to build this package
-        buildInputs = [ pkgs.unzip ];
-        # Installing simply means copying all files to the output directory
-        installPhase = "mkdir -p $out; cp -R * $out/";
-      };
-    # And then pass this theme to the template list like this:
-    in [ template-bootstrap3 ];
-  };
-}
--- a/machines/agb01/_configuration.nix
+++ b/machines/agb01/_configuration.nix
@ -0,0 +1,54 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+  {
+  imports = [
+    (modulesPath + "/installer/sd-card/sd-image-aarch64.nix") # this holds the hardware-config
+    ./bootloader.nix
+    ./secrets
+    ./networking.nix
+    ./users.nix
+  ];
+
+  nix.settings.substituters = lib.mkForce [];
+
+  networking.hostName = "agb01"; # Define your hostname.
+
+  environment.systemPackages = [
+    (pkgs.writeShellApplication {
+      name = "run-gw";
+      runtimeInputs = [
+        pkgs.curl
+        (pkgs.python3.withPackages (ps: [
+          ps.pyjecteur
+          ps.colour
+          ps.requests
+        ]))
+      ];
+      text = "curl -s -n https://agb.hackens.org/api/sse | python ${./script.py}";
+    })
+  ];
+
+  services.openssh.enable = true;
+  programs.mosh = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Paris";
+
+  fonts.enableDefaultPackages = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "unstable"; # Did you read the comment?
+}
--- a/machines/agb01/bootloader.nix
+++ b/machines/agb01/bootloader.nix
@ -0,0 +1,4 @@
+{pkgs, ...}: {
+  boot.loader.grub.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = true;
+}
--- a/machines/agb01/networking.nix
+++ b/machines/agb01/networking.nix
@ -0,0 +1,98 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+
+  systemd.network = {
+    enable = true;
+    wait-online.anyInterface = true;
+
+    networks = {
+      "10-uplink" = {
+        name = "enu1u1";
+        DHCP = "yes";
+      };
+      "50-wg0" = {
+        name = "wg0";
+        address = [
+          "10.10.10.5/24"
+        ];
+      };
+      "10-wifi" = {
+        name = "wlan0";
+        networkConfig.DHCPServer = "yes";
+        address = [
+          "192.168.55.1/24"
+        ];
+      };
+    };
+    netdevs = {
+      "50-wg0" = {
+        netdevConfig = {
+          Name = "wg0";
+          Kind = "wireguard";
+        };
+        wireguardConfig.PrivateKeyFile = config.age.secrets."wg".path;
+
+        wireguardPeers = [
+          {
+            AllowedIPs = [
+              "10.10.10.0/24"
+            ];
+            PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-org.pub);
+            Endpoint = "129.199.129.76:1194";
+            PersistentKeepalive = 5;
+          }
+        ];
+      };
+    };
+  };
+  networking = {
+    useDHCP = false;
+    nameservers = [
+      "2620:fe::fe"
+      "2620:fe::9"
+      "9.9.9.9"
+      "149.112.112.112"
+    ];
+    nftables = {
+      enable = true;
+      tables.nat = {
+        family = "ip";
+        content = ''
+          chain postrouting {
+            type nat hook postrouting priority 100;
+            ip saddr 192.168.55.0/24 masquerade
+          }
+        '';
+      };
+    };
+
+    firewall.allowedUDPPorts = [ 67 ];
+  };
+
+  services.hostapd = {
+    enable = true;
+    radios.wlan0 = {
+      # countryCode = "FR";
+      wifi4.enable = false;
+      wifi5.enable = false;
+      channel = 7; # ACS doesn't work
+      networks.wlan0 = {
+        settings = {
+          ieee80211w = 0;
+          wmm_enabled = false;
+        };
+        ssid = "agb - wifi";
+        logLevel = 0;
+        authentication = {
+          mode = "wpa2-sha1";
+          wpaPasswordFile = pkgs.writeText "psk" "azertyuiop"; # TODO : secret
+        };
+      };
+    };
+  };
+}
--- a/machines/agb01/script.py
+++ b/machines/agb01/script.py
@ -0,0 +1,105 @@
+#!/nix/store/q1p072dnnx7fh7qfcavkmpwn3rgf2xh1-python3-3.12.5-env/bin/python
+
+import json
+import logging
+import sys
+
+import requests
+from colour import Color
+from pyjecteur.fixtures import Blinder, LedBar48Ch, Tradi, Wash, Lyre
+from pyjecteur.lights import Universe
+from pyjecteur.widget import Widget
+
+if False:  # True:  # True:
+    logging.basicConfig(level=logging.DEBUG)
+else:
+    logging.basicConfig(level=logging.INFO)
+
+w = Widget("/dev/ttyUSB0")
+
+DIM = {
+    "blinder": 0.1,
+    "led_tub": 0.3,
+    "spot": 0.3,
+}
+
+u = Universe(w)
+
+
+def strToProj(s):
+    match s:
+        case "spot":
+            return Tradi()
+        case "led_tub":
+            return LedBar48Ch()
+        case "blinder":
+            return LedBar48Ch()
+
+
+r = requests.get("https://agb.hackens.org/api-docs/patch.json")
+patch = r.json()
+
+lights = {}
+
+update = {}
+
+current_addr = 0
+
+for k, v in patch["lights"].items():
+    lights[k] = strToProj(v["kind"])
+    u.register(lights[k], v["channels"][0]*3)
+    print(v["kind"], v["channels"])
+    # update dmx since some params are set before
+    lights[k].update_dmx()
+    logging.info(
+        f"Light {k} of kind {v['kind']} is at DMX{v['channels'][0]*3+1} (PLS convention)"
+    )
+    for i, chan in enumerate(v["channels"]):
+        update[chan] = (k, i)  # put the light name
+    current_addr += lights[k].address_size
+
+l = Lyre()
+u.register(l, 489)
+
+def update_light(address, red, green, blue):
+    if address not in update:
+        return
+    light, chan = update[address]
+    kind = patch["lights"][light]["kind"]
+    r, g, b = red * DIM[kind] / 255, (green * DIM[kind]) / 255, (blue * DIM[kind]) / 255
+    match kind:
+        case "blinder":
+            lights[light].colors[chan] = Color(rgb=(r, g, b))
+        case "led_tub":
+            lights[light].colors[chan] = Color(rgb=(r, g, b))
+        case "spot":
+            lights[light].color = Color(rgb=(r, g, b))
+
+
+def run():
+    logging.info("Started")
+    bump = False
+    bump_color = None
+    for line in sys.stdin:
+        logging.debug(line)
+        if line.startswith("data:"):
+            dataStr = line[5:]
+            logging.info(f"Received: {dataStr}")
+            data = json.loads(dataStr)
+            if data["type"] == "Color":
+                if data["address"] == 90:
+
+                    r, g, b = data["value"]["red"] /255, data["value"]["green"] /255, data["value"]["blue"] /255
+                    w.color = Color(rgb = (r, g, b))
+                else:
+                    update_light(data["address"], **data["value"])
+            else:
+                l.pan = data["pan"]
+                l.tilt = data["tilt"]
+                l.dimmer = data["focus"]
+                l.color = data["white_button"] *7 + 3
+
+
+
+
+run()
--- a/machines/agb01/secrets/default.nix
+++ b/machines/agb01/secrets/default.nix
@ -0,0 +1,11 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  age.secrets."wg" = {
+    file = ./wg.age;
+    owner = "systemd-network";
+  };
+}
--- a/machines/agb01/secrets/secrets.nix
+++ b/machines/agb01/secrets/secrets.nix
@ -0,0 +1,9 @@
+let
+  lib = (import <nixpkgs> {}).lib;
+  readPubkeys = user:
+    builtins.filter (k: k != "") (lib.splitString "\n"
+      (builtins.readFile (../../../pubkeys + "/${user}.keys")));
+in {
+  "wg.age".publicKeys = (readPubkeys "catvayor") ++ (readPubkeys "sinavir") ++ (readPubkeys "agb01");
+
+}
--- a/machines/agb01/secrets/wg.age
+++ b/machines/agb01/secrets/wg.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 5rrg4g Q11014nLdGOukZJV5enI4qoAqDrysWAxYtRN7VTSnTA
+oEK2C8A28KrNh4WNcGGQNB9/3ADNHgGxTzOegL49TT8
+-> ssh-ed25519 JGx7Ng NH6IB+2tB8fyvE81GF7p8SflY7HH2R3uvx9xC/5HFyQ
+4x0x1L0wv6+k04ESLIy+qY/RhVCWtOeyETo1FkAK+8A
+-> ssh-ed25519 kXobKQ 7J0f+l8+/mNQ7q8nW0jcg2LqGDARN1K63IJttdQ7JQw
+SfFDS4HgjYkp+vGmCwy0c5GIqqWcc4m7mRVQmcsW/pM
+-> ssh-ed25519 OZDL4Q M3Lztf8lPH4G7a+QPMY32u3UyhcHMoC08ZRV5UE6Gmo
+Kc7116r+3+xa2qRSe22lctbTd/a133tVZzLkWt0XI6k
+--- lsOrVi/OJ6AxtmEbB67VKvlFlDnt+sdv1TucqWqGk2w
+‚õnDÜg4Ü²¯*ßM<C39F>!ÙY¿™‘hA<68>š6‡IÝbFgö{3¢*7d¤¤¦A¬:¼×Èª á“±½}ÀˆÝ+lu·¨9Þê
--- a/machines/agb01/users.nix
+++ b/machines/agb01/users.nix
@ -0,0 +1,14 @@
+{ ... }:
+{
+  users = {
+    mutableUsers = false;
+    users = {
+      root.openssh.authorizedKeys.keyFiles = [
+        ../../pubkeys/sinavir.keys
+        ../../pubkeys/catvayor.keys
+        ../../pubkeys/soyouzpanda.keys
+        ../../pubkeys/sel.keys
+      ];
+    };
+  };
+}
--- a/machines/agb02/_configuration.nix
+++ b/machines/agb02/_configuration.nix
@ -0,0 +1,38 @@
+{ config, pkgs, lib, modulesPath, ... }:
+let
+  agb-control-box = pkgs.callPackage ./agb { };
+in
+{
+  imports = [
+    "${modulesPath}/installer/sd-card/sd-image-aarch64.nix"
+    ./secrets
+    ./networking.nix
+    ./users.nix
+  ];
+  sdImage.compressImage = false;
+  services = {
+    getty.autologinUser = "root";
+    openssh.enable = true;
+  };
+
+  networking.hostName = "agb02";
+  networking.networkmanager.enable = true;
+
+  environment.systemPackages = [
+    agb-control-box
+    pkgs.libgpiod
+  ];
+
+  systemd.services."agb-control-box" = {
+    wantedBy = [ "multi-user.target" ];
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+    unitConfig.Description = "The program of the control-box";
+    serviceConfig = {
+      Restart = "always";
+      ExecStart = "${agb-control-box}/bin/agb /dev/gpiochip0";
+    };
+  };
+
+  system.stateVersion = "24.11";
+}
--- a/machines/agb02/agb/agb.cpp
+++ b/machines/agb02/agb/agb.cpp
@ -0,0 +1,214 @@
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <arpa/inet.h>
+#include <gpiod.hpp>
+#include <iostream>
+#include <fstream>
+#include <thread>
+
+using namespace std::literals::chrono_literals;
+
+constexpr std::chrono::microseconds debounce = 40ms;
+constexpr std::chrono::microseconds poll_period = 5ms;
+constexpr std::chrono::microseconds autorepeat_delay = 70ms;
+constexpr std::chrono::microseconds server_ratelimit = 50ms;
+constexpr std::chrono::microseconds retry_timeout = 500ms;
+
+constexpr double joystick_movement = 0.2;
+
+const gpiod::line::offsets drive_down = { 21, 13, 6 };
+
+const gpiod::line::offsets decoder = { 3, 4, 17, 27, 24, 23, 18, 2 }; // lsbf
+const gpiod::line::offsets joystick = { 19, 26, 5, 0 }; // x+, y+, x-, y-
+const gpiod::line::offset black_button = 20;
+const gpiod::line::offset white_button = 16;
+
+const gpiod::line_settings input_settings =
+  gpiod::line_settings()
+    .set_direction(gpiod::line::direction::INPUT)
+    .set_bias(gpiod::line::bias::PULL_UP)
+    .set_active_low(false)
+    .set_debounce_period(debounce);
+
+constexpr std::array<uint8_t, 256> decoder_table =
+  #include "decoder_table.inl"
+
+uint8_t read_decoder_realpos(gpiod::line_request& line_reader){
+  static gpiod::line::values decoder_read(8);
+  line_reader.get_values(decoder, decoder_read);
+  uint8_t graycode = 0;
+  for(uint8_t i = 0; i < 8; ++i) graycode |= uint8_t(decoder_read[i]) << i;
+  return decoder_table[graycode];
+};
+
+inline void clamp_decoder(uint8_t& decoder, int move){
+  decoder = uint8_t(std::clamp(decoder + move, 0, 255));
+}
+
+int main(const int argc, char const* const* const argv) {
+  if(argc < 2) {
+    std::cerr << "usage: agb gpiodevice" << std::endl;
+    return 1;
+  }
+
+  /// init gpio chip ///
+
+  gpiod::chip chip(argv[1]);
+  gpiod::line_request line_reader =
+    chip.prepare_request()
+      .set_consumer("AGB")
+      .add_line_settings(drive_down,
+        gpiod::line_settings()
+          .set_direction(gpiod::line::direction::OUTPUT)
+          .set_drive(gpiod::line::drive::OPEN_DRAIN)
+          .set_output_value(gpiod::line::value::INACTIVE)
+      )
+      .add_line_settings({ black_button, white_button }, input_settings)
+      .add_line_settings(joystick,
+          gpiod::line_settings(input_settings)
+            .set_active_low(true))
+      .add_line_settings(decoder,
+          gpiod::line_settings(input_settings)
+            .set_debounce_period(0ms))
+      .do_request();
+
+  // let the settings apply
+  std::this_thread::sleep_for(poll_period);
+
+  /// internal state and buffers ///
+
+  std::chrono::time_point now = std::chrono::system_clock::now();
+
+  gpiod::line::values joystick_read(4);
+  gpiod::line::values joystick_last_read(4);
+  line_reader.get_values(joystick, joystick_read);
+  std::vector<std::chrono::time_point<std::chrono::system_clock>> rising_point = { now, now, now, now };
+  std::pair<double, double> spot_pos(0.0, 0.0); //TODO: init from server
+  auto joystick_move = [&](int i) -> double {
+    if (! bool(joystick_read[i]))
+      return 0.0;
+    else if (bool(joystick_last_read[i])){
+      if (now - rising_point[i] < autorepeat_delay)
+        return 0.0;
+      else
+        return joystick_movement;
+    } else {
+      rising_point[i] = now;
+      return 1.0;
+    }
+  };
+
+  uint8_t decoder_pos = 0; //TODO: init from server
+  uint8_t decoder_realpos = read_decoder_realpos(line_reader);
+
+  uint8_t white_state = 0;
+  bool white_pressed = false;
+  bool black_pressed = false;
+
+  bool has_changed = true;
+  std::chrono::time_point last_send = now;
+  std::string postData;
+
+  /// init server communication ///
+
+  int socket_file_desc;
+connection:
+  socket_file_desc = socket(AF_INET, SOCK_STREAM, 0);
+  {
+    sockaddr_in socket_addr = {
+      .sin_family = AF_INET,
+      .sin_port = htons(1235),
+      .sin_addr = { .s_addr = inet_addr("10.10.10.1") }
+    };
+    while (connect(socket_file_desc,
+                   reinterpret_cast<const sockaddr*>(&socket_addr),
+                   sizeof(socket_addr)) < 0) {
+      std::cerr << "Failed to open tcp socket, retrying..." << std::endl;
+      std::this_thread::sleep_for(retry_timeout);
+    }
+    std::cout << "Connected." << std::endl;
+  }
+
+  for(;;){
+    std::this_thread::sleep_for(poll_period);
+    now = std::chrono::system_clock::now();
+
+    /// joystick ///
+    std::swap(joystick_read, joystick_last_read);
+    line_reader.get_values(joystick, joystick_read);
+
+    spot_pos.first  += joystick_move(0);
+    spot_pos.second += joystick_move(1);
+    spot_pos.first  -= joystick_move(2);
+    spot_pos.second -= joystick_move(3);
+
+    if (bool(joystick_read[0]) || bool(joystick_read[1])
+        || bool(joystick_read[2]) || bool(joystick_read[3])){
+      spot_pos.first = std::clamp(spot_pos.first, 0.0, 255.0);
+      spot_pos.second = std::clamp(spot_pos.second, 0.0, 255.0);
+      has_changed = true;
+    }
+
+    /// Buttons ///
+    bool pressed = bool(line_reader.get_value(black_button));
+    if(pressed ^ black_pressed)
+      has_changed = true;
+    black_pressed = pressed;
+
+    pressed = bool(line_reader.get_value(white_button));
+    if(pressed && !white_pressed){
+      has_changed = true;
+      white_state = (white_state + 1)%9;
+    }
+    white_pressed = pressed;
+
+    /// decoder ///
+    uint8_t new_realpos = read_decoder_realpos(line_reader);
+    uint8_t seen_travel = std::abs(int(new_realpos) - int(decoder_realpos));
+
+    // CCW
+    if(seen_travel < 50 && new_realpos < decoder_realpos)
+      clamp_decoder(decoder_pos, -seen_travel);
+    if(seen_travel >= 50 && new_realpos > decoder_realpos)
+      clamp_decoder(decoder_pos, seen_travel - 128);
+
+    // CW
+    if(seen_travel < 50 && new_realpos > decoder_realpos)
+      clamp_decoder(decoder_pos, seen_travel);
+    if(seen_travel >= 50 && new_realpos < decoder_realpos)
+      clamp_decoder(decoder_pos, 128 - seen_travel);
+
+    decoder_realpos = new_realpos;
+    if(seen_travel)
+      has_changed = true;
+
+    /// server notification
+    if(has_changed && (now - last_send > server_ratelimit)){
+      postData.clear();
+      std::format_to(std::back_inserter(postData), "{{"
+          "\"pan\": {},"
+          "\"tilt\": {},"
+          "\"focus\": {},"
+          "\"white_button\": {},"
+          "\"black_button\": {}"
+        "}}\n",
+        uint8_t(spot_pos.first),
+        uint8_t(spot_pos.second),
+        int(decoder_pos),
+        white_state,
+        black_pressed
+      );
+
+      int wrote = write(socket_file_desc, postData.data(), postData.size());
+      if(wrote < postData.size()){
+        std::cerr << "Failed to send data, reconnecting..." << std::endl;
+        close(socket_file_desc);
+        std::this_thread::sleep_for(retry_timeout);
+        goto connection;
+      } else {
+        has_changed = false;
+        last_send = now;
+      }
+    }
+  }
+}
--- a/machines/agb02/agb/decoder_table.inl
+++ b/machines/agb02/agb/decoder_table.inl
@ -0,0 +1,132 @@
+[]() {
+  std::array<uint8_t, 256> table;
+	table[127] = 0;
+	table[63] = 1;
+	table[62] = 2;
+	table[58] = 3;
+	table[56] = 4;
+	table[184] = 5;
+	table[152] = 6;
+	table[24] = 7;
+	table[8] = 8;
+	table[72] = 9;
+	table[73] = 10;
+	table[77] = 11;
+	table[79] = 12;
+	table[15] = 13;
+	table[47] = 14;
+	table[175] = 15;
+	table[191] = 16;
+	table[159] = 17;
+	table[31] = 18;
+	table[29] = 19;
+	table[28] = 20;
+	table[92] = 21;
+	table[76] = 22;
+	table[12] = 23;
+	table[4] = 24;
+	table[36] = 25;
+	table[164] = 26;
+	table[166] = 27;
+	table[167] = 28;
+	table[135] = 29;
+	table[151] = 30;
+	table[215] = 31;
+	table[223] = 32;
+	table[207] = 33;
+	table[143] = 34;
+	table[142] = 35;
+	table[14] = 36;
+	table[46] = 37;
+	table[38] = 38;
+	table[6] = 39;
+	table[2] = 40;
+	table[18] = 41;
+	table[82] = 42;
+	table[83] = 43;
+	table[211] = 44;
+	table[195] = 45;
+	table[203] = 46;
+	table[235] = 47;
+	table[239] = 48;
+	table[231] = 49;
+	table[199] = 50;
+	table[71] = 51;
+	table[7] = 52;
+	table[23] = 53;
+	table[19] = 54;
+	table[3] = 55;
+	table[1] = 56;
+	table[9] = 57;
+	table[41] = 58;
+	table[169] = 59;
+	table[233] = 60;
+	table[225] = 61;
+	table[229] = 62;
+	table[245] = 63;
+	table[247] = 64;
+	table[243] = 65;
+	table[227] = 66;
+	table[163] = 67;
+	table[131] = 68;
+	table[139] = 69;
+	table[137] = 70;
+	table[129] = 71;
+	table[128] = 72;
+	table[132] = 73;
+	table[148] = 74;
+	table[212] = 75;
+	table[244] = 76;
+	table[240] = 77;
+	table[242] = 78;
+	table[250] = 79;
+	table[251] = 80;
+	table[249] = 81;
+	table[241] = 82;
+	table[209] = 83;
+	table[193] = 84;
+	table[197] = 85;
+	table[196] = 86;
+	table[192] = 87;
+	table[64] = 88;
+	table[66] = 89;
+	table[74] = 90;
+	table[106] = 91;
+	table[122] = 92;
+	table[120] = 93;
+	table[121] = 94;
+	table[125] = 95;
+	table[253] = 96;
+	table[252] = 97;
+	table[248] = 98;
+	table[232] = 99;
+	table[224] = 100;
+	table[226] = 101;
+	table[98] = 102;
+	table[96] = 103;
+	table[32] = 104;
+	table[33] = 105;
+	table[37] = 106;
+	table[53] = 107;
+	table[61] = 108;
+	table[60] = 109;
+	table[188] = 110;
+	table[190] = 111;
+	table[254] = 112;
+	table[126] = 113;
+	table[124] = 114;
+	table[116] = 115;
+	table[112] = 116;
+	table[113] = 117;
+	table[49] = 118;
+	table[48] = 119;
+	table[16] = 120;
+	table[144] = 121;
+	table[146] = 122;
+	table[154] = 123;
+	table[158] = 124;
+	table[30] = 125;
+	table[94] = 126;
+	table[95] = 127;
+  return table;
+} ();
--- a/machines/agb02/agb/default.nix
+++ b/machines/agb02/agb/default.nix
@ -0,0 +1,15 @@
+{ stdenv, libgpiod }:
+stdenv.mkDerivation rec {
+  pname = "agb";
+  version = "oct-24";
+  src = ./.;
+
+  buildPhase = ''
+    g++ --std=c++23 agb.cpp -o agb \
+      -L${libgpiod}/lib -lgpiodcxx -I${libgpiod}/include \
+  '';
+  installPhase = ''
+    mkdir -p $out/bin
+    cp agb $out/bin
+  '';
+}
--- a/machines/agb02/networking.nix
+++ b/machines/agb02/networking.nix
@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  systemd.network = {
+    enable = true;
+
+    networks = {
+      "50-wg0" = {
+        name = "wg0";
+        address = [
+          "10.10.10.6/24"
+        ];
+      };
+    };
+    netdevs = {
+      "50-wg0" = {
+        netdevConfig = {
+          Name = "wg0";
+          Kind = "wireguard";
+        };
+        wireguardConfig.PrivateKeyFile = config.age.secrets."wg".path;
+
+        wireguardPeers = [
+          {
+            AllowedIPs = [
+              "10.10.10.0/24"
+            ];
+            PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-org.pub);
+            Endpoint = "129.199.129.76:1194";
+            PersistentKeepalive = 5;
+          }
+        ];
+      };
+    };
+  };
+  networking = {
+    nameservers = [
+      "2620:fe::fe"
+      "2620:fe::9"
+      "9.9.9.9"
+      "149.112.112.112"
+    ];
+  };
+}
--- a/machines/agb02/secrets/default.nix
+++ b/machines/agb02/secrets/default.nix
@ -0,0 +1,11 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  age.secrets."wg" = {
+    file = ./wg.age;
+    owner = "systemd-network";
+  };
+}
--- a/machines/agb02/secrets/secrets.nix
+++ b/machines/agb02/secrets/secrets.nix
@ -0,0 +1,8 @@
+let
+  lib = (import <nixpkgs> {}).lib;
+  readPubkeys = user:
+    builtins.filter (k: k != "") (lib.splitString "\n"
+      (builtins.readFile (../../../pubkeys + "/${user}.keys")));
+in {
+  "wg.age".publicKeys = (readPubkeys "catvayor") ++ (readPubkeys "sinavir") ++ (readPubkeys "agb02");
+}
--- a/machines/agb02/secrets/wg.age
+++ b/machines/agb02/secrets/wg.age
--- a/machines/agb02/users.nix
+++ b/machines/agb02/users.nix
@ -0,0 +1,14 @@
+{ ... }:
+{
+  users = {
+    mutableUsers = false;
+    users = {
+      root.openssh.authorizedKeys.keyFiles = [
+        ../../pubkeys/sinavir.keys
+        ../../pubkeys/catvayor.keys
+        ../../pubkeys/soyouzpanda.keys
+        ../../pubkeys/sel.keys
+      ];
+    };
+  };
+}
--- a/machines/hackens-milieu/_configuration.nix
+++ b/machines/hackens-milieu/_configuration.nix
@ -5,24 +5,32 @@
 { config, pkgs, ... }:

 {
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-      ../../profiles/hackens
-    ];
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./aarch64.nix
+    ./audio.nix
+    ./dns
+    ./gnome.nix
+    ./i18n.nix
+    ./no-sleep.nix
+    ./programs.nix
+    ./system.nix
+    ./users.nix
+    ./vim.nix
+    ./pixiecore
+    ./networking.nix
+    ./secrets
+  ];

-  # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  boot.loader.grub.efiSupport = true;
-  boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.systemd-boot = {
+    enable = true;
+  };
  boot.loader.efi.efiSysMountPoint = "/boot";
-  boot.loader.grub.device = "nodev"; # or "nodev" for efi only
-  boot.loader.grub.configurationLimit = 2;

  networking.hostName = "hackens-milieu"; # Define your hostname.

-
  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
@ -37,4 +45,3 @@
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "20.09"; # Did you read the comment?
 }
-
--- a/machines/hackens-milieu/aarch64.nix
+++ b/machines/hackens-milieu/aarch64.nix
--- a/machines/hackens-milieu/audio.nix
+++ b/machines/hackens-milieu/audio.nix
@ -0,0 +1,5 @@
+{ pkgs, ... }:
+{
+  # Enable sound.
+#  hardware.pulseaudio.enable = true;
+}
--- a/machines/hackens-milieu/default.nix
+++ b/machines/hackens-milieu/default.nix
@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  imports =
+    [
+    ];
+}
--- a/machines/hackens-milieu/dns/default.nix
+++ b/machines/hackens-milieu/dns/default.nix
@ -6,7 +6,10 @@ let
 in
 {
  networking = {
-    nameservers = [ "127.0.0.1" "::1" ];
+    nameservers = [
+      "127.0.0.1"
+      "::1"
+    ];
  };

  services.dnscrypt-proxy2 = {
@ -15,11 +18,15 @@ in
      ipv6_servers = true;
      require_dnssec = true;

-      forwarding_rules = ./dns/forwarding.txt;
+      forwarding_rules = ./forwarding.txt;

-      query_log = if debugDNS then {
-        file = "/dev/stdout";
-      } else {};
+      query_log =
+        if debugDNS then
+          {
+            file = "/dev/stdout";
+          }
+        else
+          { };

      sources.public-resolvers = {
        urls = [
--- a/machines/hackens-milieu/dns/forwarding.txt
+++ b/machines/hackens-milieu/dns/forwarding.txt
--- a/machines/hackens-milieu/gnome.nix
+++ b/machines/hackens-milieu/gnome.nix
@ -0,0 +1,10 @@
+{ ... }:
+{
+  services.xserver = {
+    enable = true;
+    displayManager.gdm.enable = true;
+    desktopManager.gnome.enable = true;
+  };
+  services.xserver.layout = "fr";
+  services.autorandr.enable = true;
+}
--- a/machines/hackens-milieu/hardware-configuration.nix
+++ b/machines/hackens-milieu/hardware-configuration.nix
@ -0,0 +1,50 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "ehci_pci"
+    "ahci"
+    "usbhid"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # boot.kernelParams = [ "nomodeset" ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos-root";
+    fsType = "btrfs";
+    options = [
+      "ssd"
+      "noatime"
+      "ssd_spread"
+      "discard"
+      "space_cache"
+    ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/BOOT";
+    fsType = "vfat";
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-label/SWAP"; } ];
+
+  nix.maxJobs = lib.mkDefault 4;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
+}
--- a/machines/hackens-milieu/i18n.nix
+++ b/machines/hackens-milieu/i18n.nix
@ -1,4 +1,5 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
--- a/machines/hackens-milieu/networking.nix
+++ b/machines/hackens-milieu/networking.nix
@ -0,0 +1,33 @@
+{ lib, config, ... }: {
+  systemd.network = {
+    enable = true;
+
+    networks."50-wg0" = {
+      name = "wg0";
+      address = [
+        "10.10.10.4/24"
+      ];
+    };
+
+    netdevs = {
+      "50-wg0" = {
+        netdevConfig = {
+          Name = "wg0";
+          Kind = "wireguard";
+        };
+        wireguardConfig.PrivateKeyFile = config.age.secrets."wg".path;
+
+        wireguardPeers = [
+          {
+            AllowedIPs = [
+              "10.10.10.0/24"
+            ];
+            PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-org.pub);
+            Endpoint = "129.199.129.76:1194";
+            PersistentKeepalive = 5;
+          }
+        ];
+      };
+    };
+  };
+}
--- a/machines/hackens-milieu/nightworker.nix
+++ b/machines/hackens-milieu/nightworker.nix
--- a/machines/hackens-milieu/no-sleep.nix
+++ b/machines/hackens-milieu/no-sleep.nix
@ -0,0 +1,9 @@
+{ ... }:
+{
+  systemd.targets = {
+    sleep.enable = false;
+    suspend.enable = false;
+    hibernate.enable = false;
+    hybrid-sleep.enable = false;
+  };
+}
--- a/machines/hackens-milieu/pixiecore/default.nix
+++ b/machines/hackens-milieu/pixiecore/default.nix
@ -0,0 +1,16 @@
+{ pkgs, config, ... }:
+let
+  netboot_efi = pkgs.fetchurl rec {
+    version = "2.0.82";
+    url = "https://github.com/netbootxyz/netboot.xyz/releases/download/${version}/netboot.xyz.efi";
+    hash = "sha256-cO8MCkroQ0s/j8wnwwIWfnxEvChLeOZw+gD4wrYBAog=";
+  };
+in
+{
+  services.pixiecore = rec {
+    enable = true;
+    openFirewall = true;
+    kernel = "${netboot_efi}";
+    extraArguments = [ "-d" "--ipxe-efi64" "${kernel}" ];
+  };
+}
--- a/machines/hackens-milieu/programs.nix
+++ b/machines/hackens-milieu/programs.nix
@ -6,45 +6,41 @@
  programs.wireshark.enable = true;

  environment.systemPackages = with pkgs; [
-    kitty
-    # Todolist
-    taskwarrior
-
-    # Slicers
-    prusa-slicer super-slicer
-
-    # CAD/3D
-    blender freecad openscad kicad-with-packages3d
-    # Microcontrollers
-    arduino arduino-cli stm32flash stm32loader
-    # FPGA
-    # python38Packages.nmigen python38Packages.nmigen-soc python38Packages.nmigen-boards
-    verilog verilator yosys symbiyosys mcy
-    # Reverse engineering
-    ghidra-bin apktool pwndbg
-    radare2
-
    # IRC
    weechat

-    # Editors
-    vscodium emacs neovim
+    # Latex
+    texlive.combined.scheme-full
+
+    # Editors
+    vscodium
+    emacs
+    neovim
+    arduino

-    # Utilities
-    minicom
    smartmontools
-    starship
-    wget firefox ripgrep chromium
+    wget
+    firefox
+    ungoogled-chromium
+    ripgrep
+    fd
    nmap
    htop
    dnsutils
-    ncdu lazygit
+    ncdu
+    lazygit
+    alacritty

    # Networking
-    speedtest-cli iperf
+    speedtest-cli
+    iperf

-    # CNC
-    inkscape
+    # Serial
+    minicom
+    tio
+
+    # Deploy
+    colmena
  ];

  programs.chromium = {
--- a/machines/hackens-milieu/secrets/default.nix
+++ b/machines/hackens-milieu/secrets/default.nix
@ -0,0 +1,11 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  age.secrets."wg" = {
+    file = ./wg.age;
+    owner = "systemd-network";
+  };
+}
--- a/machines/hackens-milieu/secrets/secrets.nix
+++ b/machines/hackens-milieu/secrets/secrets.nix
@ -0,0 +1,8 @@
+let
+  lib = (import <nixpkgs> {}).lib;
+  readPubkeys = user:
+    builtins.filter (k: k != "") (lib.splitString "\n"
+      (builtins.readFile (../../../pubkeys + "/${user}.keys")));
+in {
+  "wg.age".publicKeys = (readPubkeys "catvayor") ++ (readPubkeys "sinavir") ++ (readPubkeys "hackens-milieu");
+}
--- a/machines/hackens-milieu/secrets/wg.age
+++ b/machines/hackens-milieu/secrets/wg.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 5rrg4g B36oMQ2IqhBXDaltfkba8gBjhTzHujh/KtpXmoBfIkE
+ga5w9MzfwR2LwlSmeA0ddyx2Fms/ZSp1c8p/rC46OSE
+-> ssh-ed25519 JGx7Ng wis78jvQlXpeK0rb50RNgliWwVaPqUYR66Dfxxq8+nk
+awK/Il5jYV2s95GxDLkeRas0PjDKKnVE2HjKTOFyQco
+-> ssh-ed25519 kXobKQ gYW3wXPQr756wsRQ6nKo4qQtT09OaEsnQmAX4G41PXQ
+sa8Bhxfosqf1VNXfj+rS2ryJs9T4sZK13tx5j+NOCm4
+-> ssh-ed25519 Dx1R2Q 2BLCykYc4lKLyBnDfJ6J7ZCD8CeX3vt2S2fLkwjeunw
+ueU6TaxgeX9Cp98LkHy5pkaUaRGdcTHtV8CopEILv10
+--- Ah6a49hN7wxxfR8C8Jczc/2jMAoTJoumYMj4PPKax2I
+î)Bš+£Ín
+c™ï<EFBFBD>›ÁY<EFBFBD>ú-l™k<E284A2>ÛMF+ÞÙ<C39E>r1)æÞ‹¸aU=<3D>}%\õÔ²¶=W~ã)Àp6nÜG%ð*ðâšk>	ä
--- a/machines/hackens-milieu/system.nix
+++ b/machines/hackens-milieu/system.nix
@ -1,14 +1,22 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
  # Upgrades
  system.autoUpgrade = {
    enable = true;
    allowReboot = false;
  };

+  # SSD stuff
+  services.fstrim = {
+    enable = true;
+  };
+
  # Auto-GC and store optimizations
  nix = {
-    trustedUsers = [ "root" "hackens" ];
-    package = pkgs.nixUnstable;
+    trustedUsers = [
+      "root"
+      "hackens"
+    ];
    gc = {
      automatic = true;
      dates = "weekly";
@ -24,7 +32,13 @@
  };

  services.locate.enable = true;
+
+  # ssh
  services.openssh.enable = true;
+  services.openssh.passwordAuthentication = false;
+
+  # We are on a trusted network
  networking.firewall.enable = false;
+
  documentation.info.enable = false;
 }
--- a/machines/hackens-milieu/users.nix
+++ b/machines/hackens-milieu/users.nix
@ -1,23 +1,32 @@
 { pkgs, ... }:
+let
+  superadmins = [
+    ../../pubkeys/raito.keys
+    ../../pubkeys/gdd.keys
+    ../../pubkeys/BiBi.keys
+    ../../pubkeys/sinavir.keys
+    ../../pubkeys/soyouzpanda.keys
+    ../../pubkeys/catvayor.keys
+    ../../pubkeys/sel.keys
+  ];
+in
 {
  users.users.hackens = {
    isNormalUser = true;
-    extraGroups = [ "wheel" ];
+    extraGroups = [
+      "wheel"
+      "dialout"
+      "audio"
+      "video"
+    ];

-    openssh.authorizedKeys.keys = [ 
+    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDcKULx/AgnqBsgwRX2BfV8waq6JXIkvZHhu9Y8paofM8awq6Om56BZoA7AV45YOcJxO/eFDOxSegXXmt22s4WjIf8I049aMdsW54BNpFpC/h18cMzm5ylKVGHl1ier/WXxpBsA8YU++YdRlGHPpKnhCtYLnBzD4Q5h+05GMIHismNZP1aGpE9s01FuP8eaDDkZUba7oSpn03AA77DBw4/2ZreSbqo96Z6WwiG09KeZvxFtEIk98EQtmiExB2fwsK3/JIxIBCoZHh4SzERcslxxGgzdppd6NhhSh7g523zhiihLaTAPNXBovGm5wcKOU9uWe+pUWEbwV04E+809aVbkJOdYBCtIf8M91meqpupA8jK38uquePHEFvpNr5UmY0qUlJCoqTvoqg9XgrfJVjlPEmYknj/QjQzkA4k19y8njsyEjnYOBL6tsztg6Igl+NZXjBAPuAzxCsfHOtWw1WM5gANwqOL0V9f7+14yST3HwweqjHRj4xky6ritxK+ujfc= hackens@hackens-desktop"
    ];
-    openssh.authorizedKeys.keyFiles = [
-      ../../pubkeys/raito.keys
-      ../../pubkeys/gdd.keys
-    ];
+    openssh.authorizedKeys.keyFiles = superadmins;
  };

  users.users.root = {
-    openssh.authorizedKeys.keyFiles = [
-      ./pubkeys/raito.keys
-      ./pubkeys/gdd.keys
-    ];
+    openssh.authorizedKeys.keyFiles = superadmins;
  };
-
 }
--- a/machines/hackens-milieu/vim.nix
+++ b/machines/hackens-milieu/vim.nix
@ -1,10 +1,10 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
  environment.systemPackages = with pkgs; [
-    nixfmt
+    nixfmt-rfc-style
    git
    (neovim.override {
      vimAlias = true;
-      configure.plug.plugins = with vimPlugins; [ vim-nix vim-lastplace ];
    })
  ];
 }
--- a/machines/hackens-org/_bootloader.nix
+++ b/machines/hackens-org/_bootloader.nix
@ -0,0 +1,5 @@
+{
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
+}
--- a/machines/hackens-org/_configuration.nix
+++ b/machines/hackens-org/_configuration.nix
@ -5,18 +5,29 @@
 { config, pkgs, ... }:

 {
-  imports =
-    [
-      ./hardware-configuration.nix
-      ./physical.nix
-      ../../profiles/core-hackens
-      ./wiki.nix
-      ./webpass.nix
-      # ./bridge.nix
-      # ./gha.nix
-      # ./sync.nix
-      ./misc
-    ];
+  imports = [
+    ./_bootloader.nix
+    ./_networking.nix
+    ./_ssh.nix
+    ./_users.nix
+    ./dokuwiki.nix
+    ./thelounge.nix
+    ./hardware-configuration.nix
+    ./matterbridge.nix
+    ./nginx.nix
+    ./orga
+    ./ragb.nix
+    ./snipe-it.nix
+    ./secrets
+    ./static-sites.nix
+    ./legacy-redir.nix
+    ./webpass.nix
+    ./prometheus.nix
+    ./grafana.nix
+    ./kfet-monitor
+  ];
+
+  time.timeZone = "Europe/Paris";

  networking.hostName = "hackens-org"; # Define your hostname.

@ -26,7 +37,6 @@
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.11"; # Did you read the comment?
+  system.stateVersion = "22.11"; # Did you read the comment?

 }
-
--- a/machines/hackens-org/_networking.nix
+++ b/machines/hackens-org/_networking.nix
@ -0,0 +1,45 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./wireguard.nix
+  ];
+  networking.useDHCP = false;
+  systemd.network = {
+    enable = true;
+    netdevs."10-sit-he" = {
+      netdevConfig = {
+        Kind = "sit";
+        Name = "sit-he";
+      };
+      tunnelConfig = {
+        Local = "129.199.129.76";
+        Remote = "216.66.84.42";
+      };
+    };
+    networks = {
+      "10-uplink" = {
+        name = "enp1s0";
+        DHCP = "no";
+        address = [
+          "129.199.129.76/24"
+        ];
+        networkConfig = {
+          Gateway = "129.199.129.1";
+          Tunnel = [ "sit-he" ];
+        };
+      };
+      "10-tun-he" = {
+        matchConfig.Name = "sit-he";
+        networkConfig = {
+          Gateway = [ "2001:470:1f12:d21::1" ];
+          Description = "HE.NET IPv6 Tunnel (owned by maurice)";
+          Address = [ "2001:470:1f12:d21::2/64" ];
+        };
+      };
+    };
+  };
+  networking.nameservers = [
+    "1.1.1.1"
+    "8.8.8.8"
+  ];
+}
--- a/machines/hackens-org/_ssh.nix
+++ b/machines/hackens-org/_ssh.nix
@ -0,0 +1,19 @@
+{ ... }:
+{
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = false;
+  services.openssh.ports = [
+    22
+    2222
+  ];
+
+  # Open ports in the firewall. (In fact not needed)
+  networking.firewall.allowedTCPPorts = [
+    22
+    2222
+  ];
+
+  # Mosh <3
+  programs.mosh.enable = true;
+}
--- a/machines/hackens-org/_users.nix
+++ b/machines/hackens-org/_users.nix
@ -0,0 +1,43 @@
+{ ... }:
+{
+  users = {
+    mutableUsers = false;
+    users = {
+      rlahfa = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        hashedPassword = "$6$y/I6nKCMYUku7$91vTR5kYz4nHyhbuA/j6kPsD8Vfo/Rg7ri6Ympftra9V6emOt/mPg0AScECtYjSIxretvfQ3sPUF1Ho0IWx381";
+        openssh.authorizedKeys.keyFiles = [ ../../pubkeys/raito.keys ];
+      };
+      gdoriathdohler = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keyFiles = [ ../../pubkeys/gdd.keys ];
+      };
+      mdebray = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        hashedPassword = "$6$ujz06kXa4TgvPAbF$NaXkDuOUpf3.fBRh7JuygtS0V2U/Bz4N3DpbOznO.md44xEdlKwPH/pSbL9CQJBhI5kodaKZeSaoCyhzybBPA/";
+        openssh.authorizedKeys.keyFiles = [ ../../pubkeys/sinavir.keys ];
+      };
+      ecoppens = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        hashedPassword = "$2b$05$c7kIDOunRJvgncWq5pmbXupy/wzUzCvN3b/RHgl/BjlUw891wI.Oa";
+        openssh.authorizedKeys.keyFiles = [ ../../pubkeys/soyouzpanda.keys ];
+      };
+      hbarral = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keyFiles = [ ../../pubkeys/backslash.keys ];
+      };
+      root.openssh.authorizedKeys.keyFiles = [
+        ../../pubkeys/beigbeder.keys
+        ../../pubkeys/sinavir.keys
+        ../../pubkeys/soyouzpanda.keys
+        ../../pubkeys/catvayor.keys
+        ../../pubkeys/sel.keys
+      ];
+    };
+  };
+}
--- a/machines/hackens-org/dokuwiki.nix
+++ b/machines/hackens-org/dokuwiki.nix
@ -0,0 +1,97 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+
+  services.nginx.virtualHosts."hackens.org" = {
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  # Si tu as des problèmes un jour, vide le cache avant tout
+  services.dokuwiki.sites."hackens.org" = {
+    enable = true;
+    settings = {
+      template = "bootstrap3";
+      license = "cc-by-sa";
+      title = "hackENS";
+      lang = "fr";
+      breadcrumbs = 0;
+      yourarehere = true;
+      userewrite = 1;
+      useacl = true;
+      htmlok = 1;
+      target._raw = ''
+        array(
+          'extern' => '_tab'
+        );
+      '';
+      sitemap = 7;
+      disableactions = "register";
+      superuser = "@admin";
+      start = "accueil";
+      tpl.bootstrap3 = {
+        showAddNewPage = "logged";
+        fluidContainer = 0;
+      };
+      plugin.htmlok.htmlok = 1;
+    };
+    pluginsConfig = {
+
+      authad = false;
+      authldap = false;
+      authpdo = false;
+      authmysql = false;
+      authpgsql = false;
+      popularity = false;
+
+    };
+
+    plugins = [
+      (pkgs.fetchFromGitHub {
+        name = "catlist";
+        owner = "xif-fr";
+        repo = "dokuwiki-plugin-catlist";
+        rev = "147793e2b41e8cb6465df888eecfbc4ee54fb68a";
+        hash = "sha256-kTL0Hm4BeWpmusLnybmBM9JPpx+ss0e/cusDHu6hH2I=";
+      })
+      (pkgs.php.buildComposerProject (finalAttrs: {
+        pname = "commonmark";
+        name = "commonmark";
+        version = "1.3.1";
+        composerStrictValidation = false;
+        src = pkgs.fetchFromGitHub {
+          owner = "clockoon";
+          repo = "dokuwiki-plugin-commonmark";
+          rev = "671ab735193ffb1324064ff0ddb92f63408b8580";
+          hash = "sha256-0WFz71O6GLVZ1Mf5eu96cQ3t+H6F6VtlC3hNtlANwBs=";
+        };
+        vendorHash = "sha256-QnFdwc6IfdH98Hbm9jt6E/rO+u6I7kZqb7+hRnPra9I=";
+        postInstall = ''
+          rm -r $out/share
+          cp -r . $out
+        '';
+      }))
+      (pkgs.fetchFromGitHub {
+        name = "htmlok";
+        owner = "saggi-dw";
+        repo = "dokuwiki-plugin-htmlok";
+        rev = "f186dda6240c61079cd9166c1f17aabefa21c7d8";
+        hash = "sha256-3s+WAb1BG2mq8+wxpQ6HgPJZ+dx6v5e+vMXaOiLYceo=";
+      })
+    ];
+    templates = [
+      (pkgs.fetchFromGitHub {
+        name = "bootstrap3";
+        owner = "giterlizzi";
+        repo = "dokuwiki-template-bootstrap3";
+        rev = "v2022-07-27";
+        hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo=";
+      })
+    ];
+  };
+
+}
--- a/machines/hackens-org/gestiohackens/default.nix
+++ b/machines/hackens-org/gestiohackens/default.nix
@ -0,0 +1,91 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  src = pkgs.fetchgit {
+    url = "https://git.rz.ens.wtf/HackENS/gestiojeux.git";
+    rev = "HEAD";
+    hash = "sha256-ly786xct9U4hdsHr7NLl23smnOfE891au9/GXqxpFb4=";
+  };
+in
+{
+  imports =
+    [
+    ];
+  systemd.services.django-gestiohackens.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "django-gestiohackens";
+    SupplementaryGroups = [ "nginx" ];
+  };
+  users.users.django-gestiohackens = {
+    group = "django-gestiohackens";
+    isSystemUser = true;
+  };
+  users.groups.django-gestiohackens = { };
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts."inventaire.hackens.org" = {
+      enableACME = true;
+      forceSSL = true;
+      locations = {
+        "/" = {
+          proxyPass = "http://localhost:51667";
+        };
+        "/media/".alias = "/var/lib/django-gestiohackens/media/";
+        "/static".root = config.services.django.gestiohackens.staticAssets;
+      };
+    };
+  };
+  services.django.gestiohackens = {
+    inherit src;
+    enable = true;
+    mainModule = "gestiojeux";
+    port = 51667;
+    settings = {
+      DEBUG = false;
+      CSRF_COOKIE_SECURE = true;
+      AUTHENS_ALLOW_STAFF = true;
+      SESSION_COOKIE_SECURE = true;
+      MEDIA_URL = "media/";
+      ALLOWED_HOSTS = [ "inventaire.hackens.org" ];
+      DATABASES = {
+        "default" = {
+          "ENGINE" = "django.db.backends.sqlite3";
+          "NAME" = "/var/lib/django-gestiohackens/db.sqlite3";
+        };
+      };
+      HAYSTACK_CONNECTIONS = {
+        "default" = {
+          "ENGINE" = "haystack.backends.whoosh_backend.WhooshEngine";
+          "PATH" = "/var/lib/django-gestiohackens/whoosh_index";
+        };
+      };
+      MEDIA_ROOT = "/var/lib/django-gestiohackens/media";
+    };
+    extraPackages = ps: [
+      ps.django-autoslug
+      ps.loadcredential
+      ps.django-cleanup
+      ps.django-haystack
+      ps.django-markdownx
+      ps.django-tables2
+      ps.pillow
+      ps.whoosh
+      ps.markdown-icons
+      ps.authens
+
+      ps.qrcode
+      ps.pillow
+
+      # Django haystack is drunk
+      ps.setuptools
+    ];
+    secrets = {
+      SECRET_KEY = config.age.secrets.django-gestiohackens.path;
+    };
+  };
+}
--- a/machines/hackens-org/grafana.nix
+++ b/machines/hackens-org/grafana.nix
@ -0,0 +1,59 @@
+{ config, ... }:
+
+let
+  host = "grafana.hackens.org";
+  port = 3033;
+
+in
+
+{
+  services = {
+    grafana = {
+      enable = true;
+
+      settings = {
+        database = {
+          type = "postgres";
+          user = "grafana";
+          host = "/run/postgresql";
+        };
+
+        server = {
+          domain = host;
+          enable_gzip = true;
+          enforce_domain = true;
+          http_port = port;
+          root_url = "https://${host}";
+          router_logging = true;
+        };
+
+        users = {
+          default_theme = "system";
+          default_language = "en-GB";
+        };
+      };
+    };
+
+    postgresql = {
+      enable = true;
+      ensureDatabases = [ "grafana" ];
+      ensureUsers = [
+        {
+          name = "grafana";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    nginx.virtualHosts.${host} = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${builtins.toString port}";
+        proxyWebsockets = true;
+        recommendedProxySettings = true;
+      };
+    };
+  };
+}
--- a/machines/hackens-org/hardware-configuration.nix
+++ b/machines/hackens-org/hardware-configuration.nix
@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ahci"
+    "virtio_pci"
+    "virtio_blk"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/8deb32c9-ee6a-4de8-94da-239c8ec509a2";
+    fsType = "btrfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/0795-75ED";
+    fsType = "vfat";
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-uuid/bd7c1c01-ce31-4db3-9c06-70716020e24a"; } ];
+
+}
--- a/machines/hackens-org/kfet-monitor/default.nix
+++ b/machines/hackens-org/kfet-monitor/default.nix
@ -0,0 +1,25 @@
+{ lib, pkgs, ... }:
+let
+  wsScraper = pkgs.callPackage ./websocket-exporter.nix { };
+in
+{
+  systemd.services.kfet-open-recorder = {
+    environment = {
+      WEBSOCKET_EXPORTER_URI = "wss://cof.ens.fr/ws/k-fet/open";
+      WEBSOCKET_EXPORTER_MATCH_TYPE = "contains";
+      WEBSOCKET_EXPORTER_EXPECTED_MESSAGE = "open";
+      WEBSOCKET_EXPORTER_LISTEN_ADDR = "127.0.0.1";
+    };
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    wants = [ "network.target" ];
+
+    serviceConfig = {
+      ExecStart = "${lib.getExe wsScraper}";
+      Restart = "always";
+      RestartSec = 5;
+      DynamicUser = true;
+      StateDirectory = "kfet-open-recorder";
+    };
+  };
+}
--- a/machines/hackens-org/kfet-monitor/patch
+++ b/machines/hackens-org/kfet-monitor/patch
@ -0,0 +1,61 @@
+diff --git a/websocket_exporter/probe.py b/websocket_exporter/probe.py
+index a95b97e..a7b057e 100644
+--- a/websocket_exporter/probe.py
+++ b/websocket_exporter/probe.py
+@@ -3,28 +3,29 @@ import logging
+ from time import perf_counter
+ from typing import Union
+ 
+-from websockets import NegotiationError, client, InvalidStatusCode
+from websockets import InvalidStatusCode, NegotiationError, client
+ 
+-
+-EXACT_MATCH = 'exact'
+-CONTAINS_MATCH = 'contains'
+EXACT_MATCH = "exact"
+CONTAINS_MATCH = "contains"
+ 
+ 
+ class ProbResults(object):
+     def __init__(self, up: int, latency: float = 0, received: int = 0):
+         self.up = up
+         self.latency = round(latency, 2)
+-        self.received = int(received) if received is not None else "NaN"
+        self.received = int(received) if received is not None else 0
+ 
+     def __str__(self):
+         if self.up:
+             return f'Websocket up, latency:{self.latency}s, expected response {"" if self.received else "NOT"} received'
+-        return f'Webserver DOWN'
+        return f"Webserver DOWN"
+ 
+ 
+ class WebSocketProbe(object):
+ 
+-    def __init__(self, uri, message=None, expected=None, match=CONTAINS_MATCH, timeout=10):
+    def __init__(
+        self, uri, message=None, expected=None, match=CONTAINS_MATCH, timeout=10
+    ):
+         """
+         Create a websocket probe that tries establishing a connection and reports the metrics
+         :param uri: starts with 'ws://' or ws://
+@@ -68,13 +69,17 @@ class WebSocketProbe(object):
+         elapsed = 0
+         while elapsed < self.timeout:
+             try:
+-                resp = await asyncio.wait_for(connection.recv(), timeout=(self.timeout-elapsed))
+                resp = await asyncio.wait_for(
+                    connection.recv(), timeout=(self.timeout - elapsed)
+                )
+                 if self._match(resp):
+                     return True
+                 await asyncio.sleep(1)
+                 elapsed += 1
+             except asyncio.TimeoutError:
+-                logging.info(f'Time out while waiting for {self.expected_message} from {self.uri}')
+                logging.info(
+                    f"Time out while waiting for {self.expected_message} from {self.uri}"
+                )
+                 return None
+         return None
+ 
--- a/machines/hackens-org/kfet-monitor/websocket-exporter.nix
+++ b/machines/hackens-org/kfet-monitor/websocket-exporter.nix
@ -0,0 +1,40 @@
+{
+  lib,
+  python3,
+  fetchFromGitHub,
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "blackbox-websocket-exporter";
+  version = "unstable-2021-12-15";
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "smohsensh";
+    repo = "blackbox-websocket-exporter";
+    rev = "6f9f32396f740fe606bf1b0118a27ad5caa3d9a6";
+    hash = "sha256-+G7xw5631TllDGNzVK9swbSNfVu4r4glbYIblEa0WqA=";
+  };
+
+  patches = [
+    ./patch
+  ];
+
+  nativeBuildInputs = [
+    python3.pkgs.setuptools
+    python3.pkgs.wheel
+  ];
+
+  propagatedBuildInputs = with python3.pkgs; [
+    prometheus-client
+    websockets
+  ];
+
+  meta = with lib; {
+    description = "A Blackbox Websocket Uptime Exporter for Prometheus";
+    homepage = "https://github.com/smohsensh/blackbox-websocket-exporter";
+    license = licenses.mit;
+    maintainers = with maintainers; [ ];
+    mainProgram = "websocket_exporter";
+  };
+}
--- a/machines/hackens-org/legacy-redir.nix
+++ b/machines/hackens-org/legacy-redir.nix
@ -0,0 +1,55 @@
+{
+  services.nginx.virtualHosts = {
+
+    "www.hackens.org" = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        return 301 $scheme://hackens.org$request_uri;
+      '';
+    };
+
+    "new.hackens.org" = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        return 301 $scheme://hackens.org$request_uri;
+      '';
+    };
+    "pass.new.hackens.org" = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        return 301 $scheme://pass.hackens.org$request_uri;
+      '';
+    };
+    "known.hackens.org" = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        return 301 $scheme://hackens.org/known$request_uri;
+      '';
+    };
+    "prez.hackens.org" = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        return 301 $scheme://hackens.org/prez$request_uri;
+      '';
+    };
+    "pub.hackens.org" = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        return 301 $scheme://hackens.org/pub$request_uri;
+      '';
+    };
+    "2048.hackens.org" = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        return 301 $scheme://hackens.org/2048$request_uri;
+      '';
+    };
+  };
+}
--- a/machines/hackens-org/matterbridge.nix
+++ b/machines/hackens-org/matterbridge.nix
@ -0,0 +1,60 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  port = 52187;
+  configFile = pkgs.writeText "metterbridge.toml" ''
+    [irc]
+        [irc.ulminfo]
+        Server="ulminfo.fr:6697" # Ou ens.wtf tu choisis.
+        Nick="roBOT"
+            UseTLS=true
+            Charset="utf8"
+            PrefixMessagesWithNick=true
+            RemoteNickFormat="<{NICK}> "
+          
+    [mattermost]
+        [mattermost.merle]
+            WebhookBindAddress="0.0.0.0:${builtins.toString port}"
+            PrefixMessagesWithNick=false
+            RemoteNickFormat="{NICK}"
+      
+    [[gateway]]
+    name="hackens"
+    enable=true
+        [[gateway.inout]]
+        account="irc.ulminfo"
+        channel="#hackens"
+        [[gateway.inout]]
+        account="mattermost.merle"
+        channel="town-square"
+  '';
+in
+{
+  systemd.services.matterbridge = {
+    description = "Matterbridge chat platform bridge";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    script = ''
+      ${pkgs.matterbridge}/bin/matterbridge -conf ${configFile}
+    '';
+
+    serviceConfig = {
+      User = "matterbridge";
+      Group = "matterbridge";
+      Restart = "always";
+      RestartSec = "10";
+      EnvironmentFile = config.age.secrets."matterbridge-env".path;
+    };
+  };
+  users.users.matterbridge = {
+    isSystemUser = true;
+    group = "matterbridge";
+
+  };
+  users.groups.matterbridge = { };
+  networking.firewall.allowedTCPPorts = [ port ];
+}
--- a/hosts/hackens-org/modules/nginx.nix
+++ b/hosts/hackens-org/modules/nginx.nix
--- a/machines/hackens-org/orga/default.nix
+++ b/machines/hackens-org/orga/default.nix
@ -0,0 +1,54 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  src = pkgs.fetchgit {
+    url = "https://git.rz.ens.wtf/HackENS/hackens-orga.git";
+    rev = "HEAD";
+    hash = "sha256-BiOKGeDPVp7EV/q4S9Zc54jUeBTpfOs5e/MsCPGAk/I=";
+  };
+in
+{
+  imports =
+    [
+    ];
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts."hackens.org" = {
+      locations = {
+        "/orga" = {
+          proxyPass = "http://localhost:51666/orga";
+          extraConfig = ''
+            proxy_set_header SCRIPT_NAME /orga;
+          '';
+        };
+        "/static".root = config.services.django.hackens-orga.staticAssets;
+      };
+    };
+  };
+  services.django.hackens-orga = {
+    inherit src;
+    enable = true;
+    mainModule = "hackens_orga";
+    settings = {
+      DEBUG = false;
+      ALLOWED_HOSTS = [ "hackens.org" ];
+      DATABASES = {
+        "default" = {
+          "ENGINE" = "django.db.backends.sqlite3";
+          "NAME" = "/var/lib/django-hackens-orga/db.sqlite3";
+        };
+      };
+    };
+    extraPackages = p: [
+      p.authens
+    ];
+    secrets = {
+      SECRET_KEY = config.age.secrets.django.path;
+    };
+  };
+}
--- a/machines/hackens-org/programs.nix
+++ b/machines/hackens-org/programs.nix
@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = [
+    pkgs.vim
+  ];
+}
--- a/machines/hackens-org/prometheus.nix
+++ b/machines/hackens-org/prometheus.nix
@ -0,0 +1,68 @@
+{ config, ... }:
+
+let
+  host = "prometheus.hackens.org";
+  port = 9091;
+in
+
+{
+  services.prometheus = {
+    enable = true;
+
+    inherit port;
+
+    checkConfig = "syntax-only";
+    enableReload = true;
+
+    listenAddress = "127.0.0.1";
+
+    webConfigFile = config.age.secrets."prometheus-webconf".path;
+
+    webExternalUrl = "https://${host}";
+
+    retentionTime = "5y";
+
+    extraFlags = [ "--storage.tsdb.retention.size=2GB" ];
+
+    rules = [
+      ''
+        groups:
+          - name: Chrony
+            rules:
+              - record: instance:chrony_clock_error_seconds:abs
+                expr: >
+                  abs(chrony_tracking_last_offset_seconds)
+                  +
+                  chrony_tracking_root_dispersion_seconds
+                  +
+                  (0.5 * chrony_tracking_root_delay_seconds)
+      ''
+    ];
+
+    scrapeConfigs = [
+      {
+        job_name = "prometheus";
+        static_configs = [ { targets = [ "localhost:9090" ]; } ];
+      }
+      {
+        job_name = "chrony";
+        static_configs = [ { targets = [ "10.10.10.3:9123" ]; } ];
+      }
+      {
+        job_name = "kfet";
+        static_configs = [ { targets = [ "127.0.0.1:9802" ]; } ];
+      }
+    ];
+  };
+
+  services.nginx.virtualHosts.${host} = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${builtins.toString port}";
+      proxyWebsockets = true;
+      recommendedProxySettings = true;
+    };
+  };
+}
--- a/machines/hackens-org/ragb.nix
+++ b/machines/hackens-org/ragb.nix
@ -0,0 +1,80 @@
+{
+  sources,
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+{
+  services.django.ragb = {
+    enable = true;
+    src = pkgs.ragb-src + "/frontend";
+    settings = {
+      DEBUG = false;
+      WEBSOCKET_ENDPOINT = "https://agb.hackens.org/api";
+      ALLOWED_HOSTS = [
+        "127.0.0.1"
+        "agb.hackens.org"
+      ];
+      DATABASES = {
+        "default" = {
+          "ENGINE" = "django.db.backends.sqlite3";
+          "NAME" = "/var/lib/django-ragb/ragb_frontend.sqlite3";
+        };
+      };
+    };
+    processes = 2;
+    threads = 4;
+    port = 9991;
+    extraPackages = p: [
+      p.authens
+      p.pyjwt
+    ];
+    secrets = {
+      SECRET_KEY = config.age.secrets.ragb.path;
+      JWT_SECRET = config.age.secrets.ragbJWT.path;
+    };
+  };
+  services.nginx.virtualHosts."agb.hackens.org" = {
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      "/" = {
+        proxyPass = "http://localhost:9991";
+      };
+      "/api" = {
+        proxyPass = "http://localhost:9999";
+        proxyWebsockets = true;
+      };
+      "/static".root = config.services.django.ragb.staticAssets;
+      "= /api-docs" = {
+        return = "302 /api-docs/";
+      };
+      "/api-docs/" = {
+        alias = "${pkgs.ragb-src + "/api-docs/"}/";
+        extraConfig = "autoindex on;";
+      };
+      "= /api-docs/patch.json".alias = pkgs.ragb-src + "/frontend/patch.json";
+    };
+  };
+
+  systemd.services.django-ragb.serviceConfig = {
+    Wants = [ "ragb-backend.service" ];
+  };
+  systemd.services.ragb-backend = {
+    script = ''
+      export JWT_SECRET=$(cat $CREDENTIALS_DIRECTORY/jwt_secret)
+      export BK_FILE="$STATE_DIRECTORY/data.json"
+      export BIND_TCP="10.10.10.1:1235"
+      export RUST_LOG=debug
+      ${pkgs.ragb-backend}/bin/ragb-backend
+    '';
+    serviceConfig = {
+      LoadCredential = [
+        "jwt_secret:${config.age.secrets.ragbJWT.path}"
+      ];
+      DynamicUser = true;
+      StateDirectory = "ragb-backend";
+    };
+  };
+}
--- a/machines/hackens-org/secrets/default.nix
+++ b/machines/hackens-org/secrets/default.nix
@ -0,0 +1,31 @@
+{ ... }:
+{
+  age.secrets."django" = {
+    file = ./django.age;
+  };
+  age.secrets."ragbJWT" = {
+    file = ./ragbJWT.age;
+  };
+  age.secrets."ragb" = {
+    file = ./ragb.age;
+  };
+  age.secrets."snipeit" = {
+    file = ./snipeit.age;
+    owner = "snipeit";
+  };
+  age.secrets."django-gestiohackens" = {
+    file = ./django-gestiohackens.age;
+  };
+  age.secrets."matterbridge-env" = {
+    file = ./matterbridge-env.age;
+    owner = "matterbridge";
+  };
+  age.secrets."wg-key" = {
+    file = ./wg-key.age;
+    owner = "systemd-network";
+  };
+  age.secrets."prometheus-webconf" = {
+    file = ./prometheus-webconf;
+    owner = "prometheus";
+  };
+}
--- a/machines/hackens-org/secrets/django-gestiohackens.age
+++ b/machines/hackens-org/secrets/django-gestiohackens.age
@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-ed25519 JGx7Ng UMbo24t6bweWPSYr1MUpjW96t3+usu+M3+WmLkJpSTc
+vW8wOX/E6p3YEh8rRObScdcKB+uCtVIEOQ58HXSHYRU
+-> ssh-ed25519 kXobKQ wEsnzLjnW+tdNvBHYBL+pLQh0GsAviTiD7tODc+5nSc
+gW8TEewhh4N0ed6KNe+PYBQuEmuL8iO+KxLQt2imbbo
+-> ssh-ed25519 7hZk0g 2Y9Y3DSR9Zt5N1XXckNMlHEpczvsyruqBue54fC4lQY
+1UTRMGuN4uXR2ljP+3h7y58dU9C4GCkfKMY6l6GgRas
+-> ssh-ed25519 5rrg4g 6ILvq1I6OlTmvxhgo145YUdpNxZomFvCYl7nguL10kI
+7DPETzO4s3J4+lHIlkWvo4M0zH2792NttKBIJ09xii4
+-> ssh-rsa krWCLQ
+LdJzAaTTOSSxXTjLEv2n3pRjDJ8Cv/rLZZCsadK2vIK/2swax5loeprUzx60xRUt
+3qLZuXocsE1S8sUq4E0lzyQXmJj3DtgjWFvvhDhsx+UnUPB/S7yojlNPLsqSxJkO
+r5p6dvXsngF78BDDlFU/DnDI/tMnH6wL5PqV7iZiosSmASWxHMAQYcWGNZqdV1xl
+9q2txZF7LxvE1S2eUOFcXTC7r8Z/kBt7XqPfGyBWI1wYPG2r2Zw+tbO8S04iZExT
+Lj2YGnrNGGwNbREoqhMwAxDM6fLVoNnhHXoVQvCkr/wxk+sh2/Lt1ivcTT7Ua2YG
+ApaavUan7cEs3ghnanM+6A
+-> ssh-ed25519 /vwQcQ oaIOirE4++Kx76xSCoQ8EKmnI3Zh8rzou0XACYVY3Gw
+H9DsHQPdKaN/5bz4kf224NiJ8W1ykGx9tARd5UUrMbc
+-> ssh-ed25519 0R97PA SujU6d2DMDGX4zxsQwQTLFM2ap/3ni2y7zpU8BksTw0
+zLuD8EwORd5aDOFBpE0Nm5gHpi8ChRobg6v7r1sNfMU
+-> ssh-ed25519 cvTB5g t62LJ9atiYi5K+CBXXLB9obIZRWBKxrC896q6iCz/mA
+WYkA2muGBMuXlO5ebnul3NkidNcyIWecAdNTo03trf0
+-> ssh-ed25519 Wu8JLQ 3gzrf2TLDbG3YtMmO0qKVKiEPw+arN8DJvNiC09/4wg
+bYCCgA0ve55hKEjGFa+nAelWiYWy6WFHss9R6uEjiUI
+-> ssh-ed25519 EIt1vA kKs5NcxlLTt3iGD8stN7nOgOfomKEv2aZZ969dZNFlg
+IQT3Fx9Egd4kJ6Q3gsbiymu8EHSrjG1F7T5Uz76Z6Bo
+-> ssh-ed25519 X51wxg GU838E9JPhdAkYgRRcYi+gMsFFUTvY4iciFi9b43WhY
+vsHQ70mCsW0NUzMKjgRq6czFD8FwIFj6uo/jklPzI68
+--- axO8MoSOSkcp2HcVpAz9tQuuf0Unh2Ri20S60/Yq6xA
+i¸0ä<3›6,Û{àu›$apG7¢—Ú10Y•&«Øf7(&{3Û]àƒcÝ“ ¶>l¶P"$`ÝU(9¨ì5+°îJî^¼æé‚Ï»|†Õ:~
--- a/machines/hackens-org/secrets/django.age
+++ b/machines/hackens-org/secrets/django.age
@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 JGx7Ng IWxk65t5YAq/Sg+0CCcLGJyDhvPydKm1D9rYAfCDjUc
+ckB1V+J7Qddbt9EILraMge9RrThyTU2al5Eg6ffD7C4
+-> ssh-ed25519 kXobKQ ZEECnMHvZL3+JfkQpSjuzIuGfcLIIcudeiMlanUUBhc
+pBWa6DxVrinuv6urFDKPW2kSaa95FVFCXOFwMQ/X1RY
+-> ssh-ed25519 7hZk0g la8ZgkcqYQgFzYoqgkZrdSuaK+89mPx9UbiSWGOVXjQ
+4NWbJtWRUnZGMMLyDLArvZktfVfhXmgtn7h5oghH5Ms
+-> ssh-ed25519 5rrg4g KC9SOs8NJ18pbE4/HwHmX8W5XSeu528dFl2tEt3JfW0
+at+D2BMK1UAPsA2fkhMW5uHUjJSK2p+BPeFcfqyD/LA
+-> ssh-rsa krWCLQ
+U0DpCXNugnsPlWvDJZIwlFA3lCg/uihhLmLFYsdpwpx7kdyRF3KGn9p4X0kfjNQa
+PjT7akh+xaCC9a3GRDEsc3B4L6M/91YdiIX5kCtWccT3fFkdC8xrHnVblE0h6vYM
+I4ay5PR9etittiMIb3coanBU5gZpAhCFvSNjWIV3YvchpOtWO2PL8rR9fRqDfmT
+BdTZMUOm01vuFuPFKmzKNbQS5ydwydv8BGc1MktqoyhafYVBirnVcwtsTQKZKDEL
+CBNgH81down+UFaCi/FTSffkBtBfnl1mzCF3TJ0CrSeEMgyY5yxvtWHUksDzznfJ
+C2ev+95nbRYUSM+OOBABHQ
+-> ssh-ed25519 /vwQcQ C7TusZYxTvR03xbxEmUf8+ePmdTRBbi4eAeg2+kbAAY
+3YpLUT5mmGLSel0vPpDUwPyFav1z/HCAsPsYA7woQas
+-> ssh-ed25519 0R97PA iQRH2sRnDsNoWuom8fVt8naGMrVAX3JAPmwnU/pZ3m8
+CipYmklGkMXYlWyhatEj7cGk51RNdfkkwlKPz26Q220
+-> ssh-ed25519 cvTB5g 05g8kd7yu1+4JzFCrqMEZ6QNsO8VE2egXOUR73fo/hM
+AY/8cMfVTyOY4z08Hz6cLnKrM1GYZbbgpwPVnwnJ3NU
+-> ssh-ed25519 Wu8JLQ Bn0shD1/Uzb3VdAOuyNeHSzLaboxhAUsqQWXycZYDFc
+V2EHtwK0CUdLYCzia43m4WmBxFy8frfR0hkdIkARnl4
+-> ssh-ed25519 EIt1vA FmznskIDNtFkD6HD64uL5OS2rwPwT1S5lCirtYFW0Rk
+3TKTCN45ygLTcrfSRdsXJZKdoz+A3tP7lXbNn2NOhvk
+-> ssh-ed25519 X51wxg X3KyzjW97PF8CFcb0NWW5F6JNMZslmP22d0+r0FRvlo
+mZq7lSEnD3Ui7hcloSCdTH/q4mB2q6lFTvzMRS+BCb4
+--- 4u64XNKKDMEaWeL4wLdkOgugYTkrqpfoFeG/BW4/zK8
+)Éé9çèñ”ÖÙ
+È.kâùô}O<>0Š«6ï'¥áJ¼}ŒýW(„ÖÖ·V>dè$ö8icjw	hÂ<aöÞ¿4›3Ð5NŒUºÎÎègYÃ
--- a/machines/hackens-org/secrets/matterbridge-env.age
+++ b/machines/hackens-org/secrets/matterbridge-env.age
--- a/machines/hackens-org/secrets/prometheus-webconf
+++ b/machines/hackens-org/secrets/prometheus-webconf
--- a/machines/hackens-org/secrets/ragb.age
+++ b/machines/hackens-org/secrets/ragb.age
@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-ed25519 JGx7Ng 6s1XuhN3TFuW433ZrghssoyScvjqG6tg+ZSvHBwYOjQ
+54ijsvv7CO/1L9ib4fgiRAQHmlU2r3j/fbc79qiAo38
+-> ssh-ed25519 kXobKQ WMApvaovS/ddPbz7Eh9bCF3SzmUJN1NQGMKzWCJ6jQc
+3NehvO3X7uMU/H7g7d4nFsmHk0PhXrRT1XetWUBHAnY
+-> ssh-ed25519 7hZk0g RqNPzJqoSY1umAJE/FPZ+MR0R9eCDdxonzuh3uMBRhI
+Cfou0mqV4gHGP7OJbgPm8VotU4cM5YVX3iUkd6myU+E
+-> ssh-ed25519 5rrg4g mSZUVF9y4vYfBbjgP0UnSfgaGTC3/Yx+fAFquA5022E
+1yiri7+CZTSUhPpJlo9f1EraRVl3Ihw4wtjgXJPMRqY
+-> ssh-rsa krWCLQ
+gMc7ogvibqMuboKqSgqfedIxqyhhljJFp5zI2bK6D5rdcV5CIPVz2xQdk4h678Qg
+8pYlg1+UDu+JyXvJgtWZHYMGSs17woIYZmw9UQh+IYMo4Qn89tn4QN4exYwB+7gm
+dWEqo7GggWG0Mu2w2OVu2oB1D5aUvF940hUCyl40V7hIkMpJwFfMfvvD04XsScXV
+GLpWNYcWIQNaBAxTWRGkpt9jvD1W/DjsOUhOk0BP5hnSPm39awfLFRo3wWFBiaDq
+yPRi6P8AJdVWS2n+KdQ1j5dLo19DngkUAmepIR+oiNvgIFKqDAvIB5y30d3guGdP
+7zCS7IEOOMLQvBiq99DU2Q
+-> ssh-ed25519 /vwQcQ GWEth3AXh2blSPzXzyqaHdRlA+Qmopvdk9DfL69PVlk
+sVq7EbVmJ0SnYLueCHB5zOr/aR9QurTqtMIXGdL22cY
+-> ssh-ed25519 0R97PA gZLoe8C+FTOXM0i4VWBwBSNSxZhfxG6U3pakRBDwZ0k
+LKxzJofqUfdY1swAbRNcOcWfZJ1lbp7S20y+dfjKvUU
+-> ssh-ed25519 cvTB5g GbEB6Z/6A/ntU8truri+tshuy5tqYSSo5SF0Brt0VgI
+DOkGd68tE85ajEBmKUx9HXiKLjCdUf/tKME6+Ems/RA
+-> ssh-ed25519 Wu8JLQ tOF/Dc72uMnmQy4rNjPoRzVhQEuwiYLrmmdCsmJ5wEk
+RS5erkX1HIvTDw6g8qrOtZy1zpCphnGw/bqT4F0Q6/8
+-> ssh-ed25519 EIt1vA tSBgk0ljTD1pLRsw7axRh2zl+vIMISjrw7zrr01TBB0
+hb3kb12kRHCxMeBlxjg6tJpgQpHzJkovH5ncuM4MzNA
+-> ssh-ed25519 X51wxg Gy0QJbua5ZoNYDnuQXlPVFxQvm7SSOMUR0uDRI719gk
+VEYU1qazlM62F2xsXIFhIAEL4ssWW8o2/e07NguMp88
+--- VwkrST6cm5HpWtRWBM4tkk14C/NwtxpBbXHVj6ouyxk
+(`WÊ;+u'oÓj	Ý<>—õ{ïMÄP0ž‡›DèÈ™J}Å<>¯»È{ìætˆ°ïj`ÂK:×¸ŠI;™çA2ÿCÕ+ ö\Nú
--- a/machines/hackens-org/secrets/ragbJWT.age
+++ b/machines/hackens-org/secrets/ragbJWT.age
--- a/machines/hackens-org/secrets/secrets.nix
+++ b/machines/hackens-org/secrets/secrets.nix
@ -0,0 +1,32 @@
+let
+  lib = (import <nixpkgs> { }).lib;
+  readpubkeys =
+    user:
+    builtins.filter (k: k != "") (
+      lib.splitString "\n" (builtins.readFile (../../../pubkeys + "/${user}.keys"))
+    );
+  keys = 
+    (readpubkeys "sinavir")
+    ++ (readpubkeys "hackens-host")
+    ++ (readpubkeys "catvayor")
+    ++ (readpubkeys "raito")
+    ++ (readpubkeys "gdd")
+    ++ (readpubkeys "backslash");
+in
+{
+  "matterbridge-env.age".publicKeys = keys;
+  "snipeit.age".publicKeys =
+    keys;
+  "ragbJWT.age".publicKeys =
+    keys;
+  "ragb.age".publicKeys =
+    keys;
+  "django.age".publicKeys =
+    keys;
+  "django-gestiohackens.age".publicKeys =
+    keys;
+  "wg-key.age".publicKeys =
+    keys;
+  "prometheus-webconf".publicKeys =
+    keys;
+}
--- a/machines/hackens-org/secrets/snipeit.age
+++ b/machines/hackens-org/secrets/snipeit.age
@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-ed25519 JGx7Ng XPTwmcI9Xyu3ulX68UgyFhORwDsbTAvcaTDhGKzcAFs
+EkDJhGqFqtW4VMIKN9SMU3MrwIf+3Y50Ku0ToKf/wJI
+-> ssh-ed25519 kXobKQ /Z+Qh1kUFI+X97VsebUHv51+XyJT2fZWsDF0TFdl0A0
+8W13NrPTb1aoDYA5M7Xej5R/DJ2YLyngx/UzIAIVnXU
+-> ssh-ed25519 7hZk0g xRggNYJuJGAR4uSeZeoZI7tNqorkc1BDEO+Jz6saKH4
+xYKIqp/E0GQ1t5VhOWBpCi8WgLSDDZuKbOg6l7Htjuk
+-> ssh-ed25519 5rrg4g hW1VZuxL+eCGeUJDhDXg3L9h1KMp/OTpTvj2bOPIwnU
+s3Fvjx/jFCPa6dG5RgJseJPYf4LcojDSq4mtbEza+sc
+-> ssh-rsa krWCLQ
+AwxiOyNOxRKOA3B6sbnFm97UABVXnuXdddHhl0Qk0jGdJtK/Gg3IQ3RAUPdW46e4
+S3LsQ+REqcA33h3DUhh6Yaz3agAvNtqFfp3h3Wy1+tVsIKQx9T6rEg7XcyWlQGg6
+/sLkLMKg2kcMxTZFjGlYfoRMu/yMD3I+M/3DMZiccSYTa+Z+cJ13ERDmhLVh5X+j
+R/v3JMM0vupwjxWnVdMJNAz2dLNawWTFIBN1IVAgYPyaVrL99H65CPLUAeN2CVx6
+I8bEOJ15tk5q8yzX8DwTfJnXYBP+FyN8WVS0v5WfxSvB/ME6VtjeuZRd2h/nPpbc
+FKZgZZt94GDjZLl+zHff5w
+-> ssh-ed25519 /vwQcQ ct0vQfUsUO8gg2kU41lVDB2acgxuT8hCKWHZwymkFzM
+Eu3YaXAVUoF6q2xhk4B77mCTYCqL87rbqZeFNBtYrWA
+-> ssh-ed25519 0R97PA xwM4ukaEfI0B93YHSU9f77F6VvnZZctR03regzrDDF4
+uoL8wz3iqzB5dnS8z+wRIAu5CmHM8yjnJFduoDtjlAM
+-> ssh-ed25519 cvTB5g czmtpirWtnbAjcJEOkLSc2Sfr4SXmtE+e7pS+AE86Co
+s20XHgWekxWvP4nypSUZ0YgKWyDobm/3lNA4REUvUGQ
+-> ssh-ed25519 Wu8JLQ l4hH8MAJesz5jXzSDf8SDCXNcp8jWJnq0SRYyCCPNB0
+Y4XOuoxWXGDnrdhu7aCf8sJNYN/loaKc1bx81KaDAFc
+-> ssh-ed25519 EIt1vA eMUqUckKwH5ubKSY8swqT3jfUi9loZKerl9WljV8Hxo
+AJL3yBcCaitwOYHL74dymm1cngBf47Yq2jiGJoxeC0g
+-> ssh-ed25519 X51wxg I8aIi5liVlYQointFhCCIj5OiRrjhyxWOJdu7JAg3x8
+rqPx/8e8e2nNiRwzH61HXA++a5HTyRjMU46c1Tm97yk
+--- t53Ft5ztsJLbK0jJZ7uolsbf+NZij6A++98DeqroOro
+ºåjKËïŽ¨}§Ú³Ý9QÅ¸<ïm#ž>EÔ—9’+)Äí‚_³äaTaÔiSRÌµ}½ RoP=Õëž-Æ<JœÈ”66Æ+<2B>
--- a/machines/hackens-org/secrets/wg-key.age
+++ b/machines/hackens-org/secrets/wg-key.age
@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-ed25519 JGx7Ng HCBkB8gfYUDnWwaPlGquE39fnEBvm0cEVxL8Vuh/f2Y
+yJapxn2cVn0QjEnpGUq+gfdf+V8f5Mji2JhqPUH13WI
+-> ssh-ed25519 kXobKQ 9flhpuGn/MgqRlT4AlphvNRf9ktnuyFvyQrK7eeKbXE
+hHpPk2m4XWKgbwNv16Vzh8uJkpk0kwN1WqC4G4rGL5E
+-> ssh-ed25519 7hZk0g /DQi1BAovPKmel2zgchEhZkxr9v8ZxVXe6SRuX/yjxg
+KALPbUNK6YGvSiNfgQGSdZriJokpHUmO/vVtW9Sfm+I
+-> ssh-ed25519 5rrg4g NqFtTNIaoTYEhq7SzFCVD+t2AZ03ANe+kqhDQHmd7zA
+NDYBZIdGLItcHPmYRHZ1DZ5vhlR1Qt0PPtDqRxfo9hg
+-> ssh-rsa krWCLQ
+tylZdWKOsro4O2g5Oa34ALB3hDmb5krinvk7sXBKQWj+QaRA/J6geAUq7pHGM+zs
+MehzMsdJX4tklCUE8ECh5clwdfnTl57m+V9jdD88CAgscyFsMHdX2BEIjzGN3kB1
+jYzDO7sLoOx6k8eiQaPFtxkT/tYPI9vpdyyyxKS5thowmQ99NSZQUHaMTqmC36H3
+sCr1uyFPrKTEoCZe9Klsdz2KxaPPd7oOo7J5VU4SeiosPfNFhO9kDQ5xRn3SDClD
+PMUFhjRxmWjNY4aQqUxi9lJWK35pb87mZNdaPZXH18mbraTIuI08B3KTrR5112PW
+oDTckZo3szhzR2JJ0cTG6Q
+-> ssh-ed25519 /vwQcQ b9mdEG1+JMJxDBp6b0wU/JGM4Mldh7w7jf4pghb+ejw
+1GfaMyOkfHD/I/OvHNjd1kzdT1vWnbR1fAP4za++c5g
+-> ssh-ed25519 0R97PA 0DdkxpjsoA6ERi43skpS7/lyttMlJu5BcNFSAF3+g34
+tz3fM0C+zT6enFgiqbKwiBWLTdOS2xKLZQOngRpf5q4
+-> ssh-ed25519 cvTB5g aL+EY/DYolrhoaKHPpAvPr3rNO3vThV+uqX9m39jEG4
+cnFq0cgCWac07x+6Fu+M9os6wxPxfoHcSJ+8ispYkPk
+-> ssh-ed25519 Wu8JLQ wwQGruBxZ8tUHGw08B7ezoPj1ddPlWmemmm8aI6EIRE
+0WUod40m3tVP+mTx2B9b/4AoT1kcXAeNVMnj8BLFRuM
+-> ssh-ed25519 EIt1vA zYOPPPZgk4NIUyInXyoapCRkg/dshOuRPnKuwJyM7lM
+Jn8J2sQn1qrtH4OANx73OYsBChGUB2fuWaB38pEhbm8
+-> ssh-ed25519 X51wxg 9ofVG6z1+KwMkk97WViCDfnAXTNgFzQYBBsEYhBP1yw
+wwWlCbJ2xOWR9FZw+apjn11MQqKSeyHsRJYvFEV+0VU
+--- QU5Ewm2faKYtF6HK7hagXVPSjzqjQbaZ6/wPJ61eDCI
+fÞ<EFBFBD>ž×ÝnšÓ£*¨…¯;©uï~õls0Ô¤¾íM5fÎjhâå‘§iž¤Ÿ£ŒÈ6«í%ôH»cv`®$©˜ùYÑ0WW¢
--- a/machines/hackens-org/snipe-it.nix
+++ b/machines/hackens-org/snipe-it.nix
@ -0,0 +1,22 @@
+{ config, ... }:
+{
+  services.snipe-it = {
+    enable = true;
+    appKeyFile = config.age.secrets."snipeit".path;
+    config = {
+      APP_LOCALE = "fr-FR";
+      APP_TIMEZONE = "Europe/Paris";
+    };
+    database = {
+      createLocally = true;
+      user = "snipeit";
+    };
+    user = "snipeit";
+    group = "snipeit";
+    hostName = "inventaire.hackens.org";
+    nginx = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+}
--- a/machines/hackens-org/static-sites.nix
+++ b/machines/hackens-org/static-sites.nix
@ -0,0 +1,31 @@
+{ pkgs, lib, ... }:
+let
+  sites = [
+    "/2048"
+    "/prez"
+    "/known"
+    "/pub"
+  ];
+in
+{
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts = {
+    "hackens.org" = {
+      forceSSL = true;
+      enableACME = true;
+      locations = lib.genAttrs sites (name: {
+        root = "/var/www";
+        extraConfig = ''
+          autoindex on;
+          charset utf-8;
+        '';
+      });
+    };
+
+  };
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}
--- a/machines/hackens-org/thelounge.nix
+++ b/machines/hackens-org/thelounge.nix
@ -0,0 +1,40 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
+  services.thelounge = {
+    enable = true;
+    port = 9000;
+    extraConfig = {
+      reverseProxy = true;
+      host = "127.0.0.1";
+      public = false;
+      prefetch = true;
+      fileUpload = {
+        enable = true;
+      };
+
+      defaults= {
+        name= "ulminfo";
+        host= "ulminfo.fr";
+        port= 3725;
+        password= "";
+        tls= true;
+        rejectUnauthorized= true;
+        join= "#hackens";
+      };
+    };
+  };
+  services.nginx.enable = true;
+  services.nginx.virtualHosts."irc.hackens.org" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:9000";
+      proxyWebsockets = true;
+    };
+  };
+  networking.firewall.allowedTCPPorts = [80 443];
+}
--- a/machines/hackens-org/webpass.nix
+++ b/machines/hackens-org/webpass.nix
@ -8,19 +8,20 @@
  services.vaultwarden = {
    enable = true;
    config = {
-      DOMAIN = "https://pass.new.hackens.org";
+      DOMAIN = "https://pass.hackens.org";
      WEBSOCKET_ENABLED = true;
      WEBSOCKET_PORT = 10500;
      SIGNUPS_DOMAINS_WHITELIST = "ens.fr,ens.psl.eu";
      ROCKET_PORT = 10501;
      ROCKET_ADDRESS = "127.0.0.1";
-      LOG_FILE = "/var/log/vaultwarden";
+      LOG_FILE = "/var/lib/bitwarden_rs/logfile";
      SIGNUPS_VERIFY = true;
    };
    environmentFile = "/etc/secrets/vaultwarden.env";
  };

-  services.nginx.virtualHosts."pass.new.hackens.org" = {
+  services.nginx.enable = true;
+  services.nginx.virtualHosts."pass.hackens.org" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
@ -36,4 +37,8 @@
      proxyWebsockets = true;
    };
  };
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
 }
--- a/machines/hackens-org/wireguard.nix
+++ b/machines/hackens-org/wireguard.nix
@ -0,0 +1,94 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  networking.firewall.trustedInterfaces = [ "wg0" ];
+  systemd.network = {
+    enable = true;
+    networks = {
+      "50-wg0" = {
+        name = "wg0";
+        address = [
+          "10.10.10.1/24"
+        ];
+        networkConfig = {
+          IPv4Forwarding = true;
+        };
+        routes = [
+          {
+            Destination = "10.10.10.0/24";
+            Scope = "link";
+          }
+        ];
+      };
+    };
+    netdevs = {
+      "50-wg0" = {
+        netdevConfig = {
+          Name = "wg0";
+          Kind = "wireguard";
+        };
+        wireguardConfig = {
+          ListenPort = 1194;
+          PrivateKeyFile = config.age.secrets."wg-key".path;
+        };
+
+        wireguardPeers = [
+          {
+            # hackens-desktop
+            AllowedIPs = [
+              "10.10.10.3/32"
+            ];
+            PublicKey = "h4Nf+e4JIjqOMuM5JtLN298BF/fym9fWKGtRZmS5MVA=";
+          }
+          {
+            # hackens-milieu
+            AllowedIPs = [
+              "10.10.10.4/32"
+            ];
+            PublicKey = lib.trim (builtins.readFile ../../wg-keys/hackens-milieu.pub);
+          }
+          {
+            # agb01
+            AllowedIPs = [
+              "10.10.10.5/32"
+            ];
+            PublicKey = lib.trim (builtins.readFile ../../wg-keys/agb01.pub);
+          }
+          {
+            # agb02
+            AllowedIPs = [
+              "10.10.10.6/32"
+            ];
+            PublicKey = lib.trim (builtins.readFile ../../wg-keys/agb02.pub);
+          }
+          {
+            # soyouzpanda
+            AllowedIPs = [
+              "10.10.10.11/32"
+            ];
+            PublicKey = "/xjWqkiyHY93wqo/Apj5SHP8UaXF4mKQRVwylKC2wy8=";
+          }
+          {
+            # sinavir
+            AllowedIPs = [
+              "10.10.10.12/32"
+            ];
+            PublicKey = "kmc3PexCMKm1Tg8WUDbHaOkcWLl8KUh52CtrDOODf0M=";
+          }
+          {
+            # catvayor
+            AllowedIPs = [
+              "10.10.10.13/32"
+            ];
+            PublicKey = "zIHvCSzk5a94jvnXU4iscbp9RUGzbWpARDMRgHNtMl4=";
+          }
+        ];
+      };
+    };
+  };
+  networking.firewall.allowedUDPPorts = [ 1194 ];
+}
--- a/machines/rigel/README.md
+++ b/machines/rigel/README.md
@ -0,0 +1,11 @@
+Put pls key in keys.keys
+
+Put pls mac in networking
+
+
+# How to get an sd image
+
+```
+DRV_PATH=$(colmena eval -E "{ nodes, ...}: nodes.rigel.config.system.build.sdImage.drvPath")
+nix-store -r $DRV_PATH
+```
--- a/machines/rigel/_configuration.nix
+++ b/machines/rigel/_configuration.nix
@ -0,0 +1,64 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+let
+  launchpad = pkgs.python3.withPackages (ps: [
+    (ps.callPackage ./launchpad.nix { lpminimk3 = ps.callPackage ./lpminimk3.nix { }; })
+  ]);
+in
+{
+  imports = [
+    (modulesPath + "/installer/sd-card/sd-image-aarch64.nix")
+    ./bootloader.nix
+    ./networking.nix
+    ./nix-conf.nix
+    ./programs.nix
+    ./ssh.nix
+    ./users.nix
+  ];
+
+  nix.settings.substituters = lib.mkForce [ ];
+
+  networking.hostName = "rigel"; # Define your hostname.
+
+  # Set your time zone.
+  time.timeZone = "Europe/Paris";
+
+  environment.systemPackages = [
+    launchpad
+  ];
+
+  systemd.services.launchpad = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    path = [
+      launchpad
+      pkgs.unixtools.ping
+    ];
+    script = ''
+      while ! ping -n -w 1 -c 1 10.1.1.2 &> /dev/null
+      do
+          echo "waiting eos"
+      done
+      sleep 0.1
+      python -m eos_midi 10.1.1.2
+    '';
+  };
+  environment.shellAliases = {
+    r = "systemctl restart launchpad.service";
+  };
+
+  fonts.enableDefaultPackages = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "unstable"; # Did you read the comment?
+}
--- a/machines/rigel/bootloader.nix
+++ b/machines/rigel/bootloader.nix
@ -0,0 +1,5 @@
+{ pkgs, ... }:
+{
+  boot.loader.grub.enable = false;
+  boot.loader.generic-extlinux-compatible.enable = true;
+}
--- a/machines/rigel/keys.keys
+++ b/machines/rigel/keys.keys
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRA2W8T8rnWIn0xnP2LXSmmB92YuQygkLwLK60rpBG+ PLS@DESKTOP-KK74B9P
--- a/machines/rigel/kfet_lauchpad_controller.nix
+++ b/machines/rigel/kfet_lauchpad_controller.nix
@ -0,0 +1,38 @@
+{
+  lib,
+  buildPythonPackage,
+  fetchgit,
+  poetry,
+  lpminimk3,
+  python-osc,
+}:
+
+buildPythonPackage rec {
+  pname = "kfet-launchpad-controller";
+  version = "unstable";
+  pyproject = true;
+
+  src = fetchgit {
+    url = "https://git.soyouzpanda.fr/soyouzpanda/kfet_launchpad_controller.git";
+    rev = "58f1086ca7a8a9258da7240987bf26c03182b152";
+    hash = "sha256-c21BbRKK1AK6roIjdEg3zfMThyijRTK5Z87DBBBjoL0=";
+  };
+
+  nativeBuildInputs = [
+    poetry
+  ];
+
+  propagatedBuildInputs = [
+    lpminimk3
+    python-osc
+  ];
+
+  pythonImportsCheck = [ "eos_midi" ];
+
+  meta = with lib; {
+    description = "";
+    homepage = "https://git.soyouzpanda.fr/soyouzpanda/kfet_launchpad_controller.git";
+    license = licenses.mit;
+    maintainers = with maintainers; [ ];
+  };
+}
--- a/machines/rigel/launchpad.nix
+++ b/machines/rigel/launchpad.nix
@ -0,0 +1,40 @@
+{
+  lib,
+  buildPythonPackage,
+  fetchgit,
+  poetry-core,
+  lpminimk3,
+  python-osc,
+}:
+
+buildPythonPackage rec {
+  pname = "kfet-launchpad-controller";
+  version = "unstable";
+  pyproject = true;
+
+  src = fetchgit {
+    url = "https://git.soyouzpanda.fr/soyouzpanda/kfet_launchpad_controller";
+    rev = "6d7df83cfd2f558d4837474ea101f98439a4f8c5";
+    hash = "sha256-HkaR1+9NxvyRQ3+iP6pq3Wn6QT+qQRFJBvxHNH6qM0k=";
+  };
+
+  patches = [ ./launchpad.patch ];
+
+  nativeBuildInputs = [
+    poetry-core
+  ];
+
+  propagatedBuildInputs = [
+    lpminimk3
+    python-osc
+  ];
+
+  pythonImportsCheck = [ "eos_midi" ];
+
+  meta = with lib; {
+    description = "";
+    homepage = "https://git.soyouzpanda.fr/soyouzpanda/kfet_launchpad_controller";
+    license = licenses.mit;
+    maintainers = with maintainers; [ ];
+  };
+}
--- a/machines/rigel/launchpad.patch
+++ b/machines/rigel/launchpad.patch
@ -0,0 +1,13 @@
+diff --git a/pyproject.toml b/pyproject.toml
+index dd2e48c..48339c9 100644
+--- a/pyproject.toml
+++ b/pyproject.toml
+@@ -42,7 +42,7 @@ black = "*"
+ 
+ 
+ [build-system]
+-requires = ["poetry>=1.7.1"]
+requires = ["poetry-core"]
+ build-backend = "poetry.core.masonry.api"
+ 
+ [tool.isort]
--- a/machines/rigel/lpminimk3.nix
+++ b/machines/rigel/lpminimk3.nix
@ -0,0 +1,43 @@
+{
+  lib,
+  buildPythonPackage,
+  fetchFromGitHub,
+  setuptools,
+  wheel,
+  jsonschema,
+  python-rtmidi,
+  websockets,
+}:
+
+buildPythonPackage rec {
+  pname = "lpminimk3";
+  version = "0.6.2";
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "obeezzy";
+    repo = "lpminimk3";
+    rev = "v${version}";
+    hash = "sha256-CVjBUKjLOFaIgCpwNIO/PJ55s7nQ0WMRKKqVS3xOI3g=";
+  };
+
+  nativeBuildInputs = [
+    setuptools
+    wheel
+  ];
+
+  propagatedBuildInputs = [
+    jsonschema
+    python-rtmidi
+    websockets
+  ];
+
+  pythonImportsCheck = [ "lpminimk3" ];
+
+  meta = with lib; {
+    description = "Python API for the Launchpad Mini MK3";
+    homepage = "https://github.com/obeezzy/lpminimk3";
+    license = licenses.mit;
+    maintainers = with maintainers; [ ];
+  };
+}
--- a/machines/rigel/networking.nix
+++ b/machines/rigel/networking.nix
@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  networking.useDHCP = false;
+  networking.firewall.allowedUDPPorts = [ 67 ];
+
+  systemd.network = {
+    enable = true;
+    networks = {
+      "10-uplink" = {
+        name = "end0";
+        networkConfig = {
+          Address = "10.1.1.1/24";
+          DHCPServer = "yes";
+          IPMasquerade = "ipv4";
+        };
+        dhcpServerConfig = {
+          PoolOffset = 100;
+          PoolSize = 20;
+          UplinkInterface = ":none";
+          EmitDNS = "no";
+          EmitNTP = "no";
+          EmitSIP = "no";
+          EmitRouter = "no";
+        };
+        dhcpServerStaticLeases = [
+          {
+            dhcpServerStaticLeaseConfig = {
+              Address = "10.1.1.2";
+              MACAddress = "14:b3:1f:06:3c:2e";
+            };
+          }
+        ];
+      };
+    };
+  };
+  networking.nameservers = [
+    "2620:fe::fe"
+    "2620:fe::9"
+    "9.9.9.9"
+    "149.112.112.112"
+  ];
+}
--- a/machines/rigel/nix-conf.nix
+++ b/machines/rigel/nix-conf.nix
@ -0,0 +1,21 @@
+{
+  lib,
+  pkgs,
+  config,
+  metadata,
+  nodes,
+  name,
+  ...
+}:
+{
+  nix.settings = {
+    trusted-users = [
+      "root"
+      "@wheel"
+    ];
+    extra-experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
+  };
+}
--- a/machines/rigel/programs.nix
+++ b/machines/rigel/programs.nix
@ -0,0 +1,28 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  environment.systemPackages = with pkgs; [
+    sqlite-web
+    dhcpdump
+    dig
+    git
+    htop
+    jq
+    nmap
+    npins
+    ripgrep
+    screen
+    tcpdump
+    unzip
+    vim
+    wireguard-tools
+  ];
+
+  programs.mtr.enable = true;
+
+  programs.vim.defaultEditor = true;
+}
--- a/machines/rigel/ssh.nix
+++ b/machines/rigel/ssh.nix
@ -0,0 +1,5 @@
+{ ... }:
+{
+  services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = true;
+}
--- a/machines/rigel/users.nix
+++ b/machines/rigel/users.nix
@ -0,0 +1,12 @@
+{ ... }:
+{
+  users.mutableUsers = false;
+  users.users.root = {
+    openssh.authorizedKeys.keyFiles = [
+      ../../pubkeys/sinavir.keys
+      ../../pubkeys/soyouzpanda.keys
+      ./keys.keys
+    ];
+    hashedPassword = "$y$j9T$p6Fe9Gm/C4iLIQBYXCjBn.$zLCzaxrsUDd4/2H5eTXqNch.bVJubrpZNOZgAZqbeV/";
+  };
+}
--- a/machines/router/liminix
+++ b/machines/router/liminix
@ -0,0 +1 @@
+Subproject commit 5bb68f24b539db1d9591ea320436b9dbdd2dc354
--- a/meta.nix
+++ b/meta.nix
@ -0,0 +1,52 @@
+let
+  sources = import ./npins;
+
+  agenix = sources.agenix + "/modules/age.nix";
+  djangonix = sources.djangonix + "/module.nix";
+
+  metadata = {
+    nodes = {
+      hackens-milieu = {
+        deployment = {
+          targetHost = "10.10.10.4";
+          allowLocalDeployment = true;
+          tags = [ "desktop" ];
+        };
+        imports = [ agenix ];
+      };
+      agb01 = {
+        deployment = {
+          targetHost = "10.10.10.5";
+        };
+        arch = "aarch64-linux";
+        imports = [ agenix ];
+      };
+      rigel = {
+        deployment = {
+          targetHost = "10.1.1.1";
+        };
+        arch = "aarch64-linux";
+      };
+      hackens-org = {
+        deployment = {
+          targetHost = "10.10.10.1"; # todo make something with ens firewall
+          tags = [ "server" ];
+          targetPort = 22;
+        };
+        imports = [
+          agenix
+          djangonix
+        ];
+      };
+
+      agb02 = {
+        deployment = {
+          targetHost = "10.10.10.6";
+        };
+        arch = "aarch64-linux";
+        imports = [ agenix ];
+      };
+    };
+  };
+in
+metadata
--- a/npins/default.nix
+++ b/npins/default.nix
@ -0,0 +1,73 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+  data = builtins.fromJSON (builtins.readFile ./sources.json);
+  version = data.version;
+
+  mkSource =
+    spec:
+    assert spec ? type;
+    let
+      path =
+        if spec.type == "Git" then
+          mkGitSource spec
+        else if spec.type == "GitRelease" then
+          mkGitSource spec
+        else if spec.type == "PyPi" then
+          mkPyPiSource spec
+        else if spec.type == "Channel" then
+          mkChannelSource spec
+        else
+          builtins.throw "Unknown source type ${spec.type}";
+    in
+    spec // { outPath = path; };
+
+  mkGitSource =
+    {
+      repository,
+      revision,
+      url ? null,
+      hash,
+      ...
+    }:
+    assert repository ? type;
+    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+    # In the latter case, there we will always be an url to the tarball
+    if url != null then
+      (builtins.fetchTarball {
+        inherit url;
+        sha256 = hash; # FIXME: check nix version & use SRI hashes
+      })
+    else
+      assert repository.type == "Git";
+      builtins.fetchGit {
+        url = repository.url;
+        rev = revision;
+        # hash = hash;
+      };
+
+  mkPyPiSource =
+    {
+      url,
+      hash,
+      ...
+    }:
+    builtins.fetchurl {
+      inherit url;
+      sha256 = hash;
+    };
+
+  mkChannelSource =
+    {
+      url,
+      hash,
+      ...
+    }:
+    builtins.fetchTarball {
+      inherit url;
+      sha256 = hash;
+    };
+in
+if version == 3 then
+  builtins.mapAttrs (_: mkSource) data.pins
+else
+  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
--- a/npins/sources.json
+++ b/npins/sources.json
@ -0,0 +1,78 @@
+{
+  "pins": {
+    "agenix": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "ryantm",
+        "repo": "agenix"
+      },
+      "branch": "main",
+      "revision": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+      "url": "https://github.com/ryantm/agenix/archive/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41.tar.gz",
+      "hash": "1x8nd8hvsq6mvzig122vprwigsr3z2skanig65haqswn7z7amsvg"
+    },
+    "disko": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "disko"
+      },
+      "branch": "master",
+      "revision": "6c5ba9ec9d470c1ca29e7735762c9c366e28f7f5",
+      "url": "https://github.com/nix-community/disko/archive/6c5ba9ec9d470c1ca29e7735762c9c366e28f7f5.tar.gz",
+      "hash": "0l0qlwv5qxi58crv45xz9rwfz9hbdp99z70j60jri28ic89lfvpd"
+    },
+    "djangonix": {
+      "type": "Git",
+      "repository": {
+        "type": "Git",
+        "url": "https://git.dgnum.eu/mdebray/djangonix.git"
+      },
+      "branch": "master",
+      "revision": "a61afb48e2478c47360a8efea6f835c3b0f5f503",
+      "url": null,
+      "hash": "0a0hnkyhvr6am484m7lg46040icbxzydnycaa1a2hclfnpgrxrdk"
+    },
+    "dns.nix": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitHub",
+        "owner": "kirelagin",
+        "repo": "dns.nix"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "version": "v1.2.0",
+      "revision": "a3196708a56dee76186a9415c187473b94e6cbae",
+      "url": "https://api.github.com/repos/kirelagin/dns.nix/tarball/v1.2.0",
+      "hash": "011b6ahj4qcf7jw009qgbf6k5dvjmgls88khwzgjr9kxlgbypb90"
+    },
+    "nixos-unstable": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "NixOS",
+        "repo": "nixpkgs"
+      },
+      "branch": "nixos-unstable",
+      "revision": "06cf0e1da4208d3766d898b7fdab6513366d45b9",
+      "url": "https://github.com/NixOS/nixpkgs/archive/06cf0e1da4208d3766d898b7fdab6513366d45b9.tar.gz",
+      "hash": "0l68zz8mn2kvp9wvc6rgw7dns8vkl7w9y6z92blvgn1wnm9ib6ab"
+    },
+    "ragb": {
+      "type": "Git",
+      "repository": {
+        "type": "Git",
+        "url": "https://git.dgnum.eu/HackENS/ragb"
+      },
+      "branch": "main",
+      "revision": "ddfbbe50e385db3ffbf1dd1bf7ffb6102c968bf5",
+      "url": null,
+      "hash": "00zz65qc1yzxlff65qv6818bhnqdbjnwcz00w34hiz0597ancdx0"
+    }
+  },
+  "version": 3
+}
--- a/pkgs/authens/01-get-success_url.patch
+++ b/pkgs/authens/01-get-success_url.patch
@ -0,0 +1,15 @@
+diff --git a/authens/views.py b/authens/views.py
+index 0478861..b1c93e9 100644
+--- a/authens/views.py
+++ b/authens/views.py
+@@ -138,8 +138,8 @@ class LogoutView(auth_views.LogoutView):
+         else:
+             self.cas_connected = False
+ 
+-    def get_next_page(self):
+-        next_page = super().get_next_page()
+    def get_success_url(self):
+        next_page = super().get_success_url()
+         if self.cas_connected:
+             cas_client = get_cas_client(self.request)
+ 
--- a/pkgs/authens/default.nix
+++ b/pkgs/authens/default.nix
@ -0,0 +1,24 @@
+{
+  python-cas,
+  django,
+  ldap,
+  buildPythonPackage,
+}:
+buildPythonPackage rec {
+  pname = "authens";
+  version = "v0.1b5";
+  doCheck = false;
+  patches = [
+    ./01-get-success_url.patch
+  ];
+  src = builtins.fetchGit {
+    url = "https://git.eleves.ens.fr/klub-dev-ens/authens.git";
+    #rev = "master";
+    #sha256 = "sha256-R0Nw212/BOPHfpspT5wzxtji1vxZ/JOuwr00naklWE8=";
+  };
+  propagatedBuildInputs = [
+    django
+    ldap
+    python-cas
+  ];
+}
--- a/pkgs/django-autoslug/default.nix
+++ b/pkgs/django-autoslug/default.nix
@ -0,0 +1,39 @@
+{
+  lib,
+  buildPythonPackage,
+  fetchFromGitHub,
+  setuptools,
+  wheel,
+  django,
+}:
+
+buildPythonPackage rec {
+  pname = "django-autoslug";
+  version = "1.9.9";
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "justinmayer";
+    repo = "django-autoslug";
+    rev = "v${version}";
+    hash = "sha256-IRLY4VaKYXVkSgU/zdY+PSmGrcFB2FlE5L7j0FqisRM=";
+  };
+
+  nativeBuildInputs = [
+    setuptools
+    wheel
+  ];
+
+  propagatedBuildInputs = [ django ];
+
+  # Requires DJANGO_SETTINGS_MODULE
+  # pythonImportsCheck = [ "autoslug" ];
+
+  meta = with lib; {
+    description = "AutoSlugField for Django";
+    homepage = "https://github.com/justinmayer/django-autoslug/";
+    changelog = "https://github.com/justinmayer/django-autoslug/blob/${src.rev}/CHANGELOG.rst";
+    license = licenses.lgpl3Only;
+    maintainers = with maintainers; [ thubrecht ];
+  };
+}
--- a/pkgs/loadcredential/default.nix
+++ b/pkgs/loadcredential/default.nix
@ -0,0 +1,34 @@
+{
+  lib,
+  buildPythonPackage,
+  fetchFromGitHub,
+  setuptools,
+  wheel,
+}:
+
+buildPythonPackage rec {
+  pname = "loadcredential";
+  version = "1.2";
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "Tom-Hubrecht";
+    repo = "loadcredential";
+    rev = "v${version}";
+    hash = "sha256-rNWFD89h1p1jYWLcfzsa/w8nK3bR4aVJsUPx0UtZnIw=";
+  };
+
+  build-system = [
+    setuptools
+    wheel
+  ];
+
+  pythonImportsCheck = [ "loadcredential" ];
+
+  meta = {
+    description = "A simple python package to read credentials passed through systemd's LoadCredential, with a fallback on env variables ";
+    homepage = "https://github.com/Tom-Hubrecht/loadcredential";
+    license = lib.licenses.mit;
+    maintainers = [ ]; # with lib.maintainers; [ thubrecht ];
+  };
+}
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
catvayor	4baab56308	feat: add Sel's key everywhere	2024-11-13 17:05:04 +01:00
Sélène Corbineau	8f0980a52c	feat(agb01): add Sel's keys	2024-11-13 13:53:48 +01:00
sinavir	54170c0ee9	feat(ragb): Commit all the hotfixes	2024-11-07 20:58:01 +01:00
catvayor	da09ce104a	feat(pixiecore): use netboot.xyz	2024-10-22 00:46:43 +02:00
catvayor	fecddb1f77	feat(agb02/control-box): auto-reconnect and white_button cycle	2024-10-15 16:53:44 +02:00
catvayor	bcc156c5fc	fix(agb02/control-box): gpio mapping and network wait	2024-10-15 13:35:12 +02:00
catvayor	071cf7741f	feat(agb02/gpio): auto-repeat on joystick	2024-10-14 17:44:22 +02:00
sinavir	6733ec2b77	feat(pkgs/pyjecteur): update	2024-10-13 21:15:02 +02:00
sinavir	3376137ef8	feat(pkgs/ragb): update	2024-10-13 21:15:02 +02:00
catvayor	5f779aef09	fix(agb02): joystick on 0-255	2024-10-13 21:09:25 +02:00
sinavir	5bbc38c6ca	feat(hackens-org): Trust vpn	2024-10-13 19:54:23 +02:00
catvayor	f976bed8c8	feat(agb02): mapping	2024-10-13 19:54:23 +02:00
catvayor	fed5e28372	fix(shell): give sources to overlays	2024-10-13 16:35:26 +02:00
catvayor	8de7773129	feat(agb02): protocol change	2024-10-13 10:42:30 +02:00
catvayor	012e5fb772	feat(agb02): api implementation	2024-10-12 18:44:41 +02:00
sinavir	2d51b7265d	feat(agb01): enable mosh	2024-10-12 17:46:04 +02:00
sinavir	8356e15211	feat(hackens-org): deploy ragb server	2024-10-12 17:45:41 +02:00
catvayor	d5a8c00539	feat(agb02): fix decoder readings	2024-10-12 16:00:59 +02:00
catvayor	af71fc1063	feat(wg-agb02): connecting to wireguard	2024-10-12 15:16:18 +02:00
catvayor	891b02e96d	feat(milieu): add alacritty and tio	2024-10-12 13:53:10 +02:00
catvayor	b4ddf471c8	feat(milieu): add arduino to hacken-milieu <3 salsifi	2024-10-12 09:52:08 +02:00
catvayor	4d997935ad	feat(wg-milieu): connected hackens-milieu to wireguard	2024-10-12 09:45:29 +02:00
catvayor	f43db5224f	feat(agb02): gpio reader sketch	2024-10-12 00:41:04 +02:00
sinavir	81289eb5da	fix(shell): Use agenix overlay	2024-10-11 14:30:27 +02:00
catvayor	706795d38d	feat(shell.nix): init	2024-10-11 13:17:56 +02:00
catvayor	58fe7351c9	feat(agb02): enable hostapd	2024-10-11 12:56:05 +02:00
sinavir	fee3314add	fix(ssh keys): fix secret decryption on agb01	2024-10-10 23:26:56 +02:00
catvayor	dc5a99fee0	feat(hackens-org): add catvayor	2024-10-10 21:04:18 +02:00
catvayor	194bf6a672	feat(agb02): init	2024-10-10 15:58:45 +02:00
sinavir	660ca4a71a	fix(org): Add ip forwarding on vpn	2024-10-10 01:23:50 +02:00
sinavir	113a78a7a0	feat(agb01): init	2024-10-10 01:00:01 +02:00
sinavir	85da820b24	feat(irc): The lounge	2024-10-09 23:32:10 +02:00
sinavir	53e06aa3d6	fix(networking): Predictable interface names	2024-10-09 23:32:00 +02:00
catvayor	89e52b8a74	feat(pixiecore): enable for milieu	2024-10-03 18:07:52 +02:00
catvayor	cfbcf819ee	update not applied on hackens-org	2024-10-01 23:56:15 +02:00
catvayor	defdfbb08d	feat(milieu): add catvayor	2024-10-01 23:55:24 +02:00
catvayor	2b8162ec2a	fix(milieu): build	2024-10-01 23:54:47 +02:00
sinavir	823b5c8206	commit everything	2024-09-24 13:42:57 +02:00
sinavir	0054c74806	org: orga v2	2024-06-11 14:41:57 +02:00
sinavir	1d56410e26	org: patch kfet monitoring	2024-06-09 15:27:25 +02:00
sinavir	22ba6b0237	org: monitor kfet	2024-04-13 23:40:41 +02:00
sinavir	20cd845627	org: deploy monitoring of clock	2024-04-01 15:53:31 +02:00
sinavir	b9e36f0767	milieu: add colmena	2024-04-01 15:53:01 +02:00
sinavir	24ede21b8b	update	2024-03-29 23:50:22 +01:00
sinavir	7b925313c8	milieu: refactor	2024-03-29 23:50:17 +01:00
sinavir	41861a743b	rigel: add readme	2024-03-15 13:14:23 +01:00
sinavir	5be59e32d1	rigel: init (raspi-pls)	2024-03-08 17:04:42 +01:00
sinavir	2766c9dbbf	org: vpn	2024-03-03 12:16:09 +01:00
sinavir	06f82ef82b	add ecoppens	2024-02-20 21:38:36 +01:00
sinavir	cacff10e47	router: remove from main. Dev is know made on dev-router branch	2024-01-23 13:41:45 +01:00
sinavir	fc28547693	router: patch dtbsize in liminix	2024-01-19 19:46:05 +01:00
sinavir	50b22e0dcd	router: add some utils	2024-01-19 19:45:38 +01:00
sinavir	dcde00c428	router: simplify the config for testing We don't even boot so why are we doing complicated stuff	2024-01-19 19:45:01 +01:00
sinavir	19439ea13a	liminix: update	2024-01-19 19:43:23 +01:00
sinavir	d52f45442e	org: deploy ipv6 and vpn	2024-01-12 18:07:38 +01:00
sinavir	dd370bdebb	desktop: clean up	2024-01-12 16:19:31 +01:00
Raito Bezarius	9acf72a648	router: clean up and fix it	2024-01-11 01:25:59 +01:00
sinavir	3354f5b221	org: update	2024-01-08 20:08:55 +01:00
sinavir	e00e55460c	org: add 2222 ssh port	2023-12-20 19:53:39 +01:00
sinavir	db5c4008b8	org: migrate to hackens.org	2023-12-20 19:53:09 +01:00
sinavir	eabf2556bd	hackens-org: use networkd	2023-12-19 13:34:37 +01:00
sinavir	e660c216de	big refactor	2023-12-19 13:27:58 +01:00
hackens server	4d681f5f93	Update hackens-orga	2023-09-27 14:33:26 +02:00
hackens server	ae0ab8a439	Add static sites	2023-07-25 18:59:13 +02:00
hackens server	49ffb15fb3	update orga; add bk spi	2023-04-05 09:36:42 +02:00
hackens server	3851a66193	add_hackens_orga	2023-03-08 00:48:11 +01:00
hackens server	6f28af8576	enable mosh	2023-02-24 14:55:31 +01:00
hackens server	141e1ce8dd	nixpkgs-fmt	2023-02-24 14:43:35 +01:00
hackens server	2693fbf8cb	matterbridge	2023-02-24 14:43:18 +01:00
hackens server	42d63b428a	working wiki	2023-02-24 14:40:14 +01:00
HackENS milieu	ccafd8797a	RYAN commit les changements de la config bordel	2023-02-06 18:20:02 +01:00
HackENS milieu	7a5d85ec79	milieu: add ungoogled-chromium, move to kernel 6, update raito.keys	2023-01-31 22:48:10 +01:00
HackENS milieu	733f868d0c	programs: add fd, flush sinavir work	2023-01-17 20:55:22 +01:00
HackENS milieu	a9f9bd0cc5	gros menage chez hackens milieu	2023-01-15 18:34:00 +01:00
sinavir	2aadb17158	oauth for wiki	2023-01-14 19:14:54 +01:00
hackens server	bbcadab707	better conf for wiki	2023-01-14 15:45:32 +01:00
hackens server	b6e90593a1	fix wrong wiki plugin version	2023-01-13 13:47:35 +01:00
sinavir	75fd47230d	wiki	2023-01-13 13:27:38 +01:00
hackens server	648ab4aea8	nixfmt	2023-01-12 18:40:38 +01:00
hackens server	f7337345f4	bugfix	2023-01-12 18:39:33 +01:00
sinavir	0ac470c493	~	2023-01-12 18:11:50 +01:00
sinavir	dd8ec6c18e	refactorisation continuing	2022-08-31 03:30:59 +02:00
sinavir	1c5790c0f7	renaming	2022-08-08 13:20:43 +02:00
HackENS milieu	2029a5ccb2	gitignore	2022-07-30 08:45:54 +02:00
HackENS milieu	7613a24981	milieu update	2022-07-30 08:44:32 +02:00
hackens server	936f613834	age	2022-06-11 21:12:42 +02:00
hackens server	9680562642	age; refactor (un peu) wiki; misc	2022-06-09 22:13:12 +02:00
hackens server	87545d9e8b	kaycloak	2022-05-18 21:37:08 +02:00
sinavir	ecfc58fecd	catlist plugin for dokuwiki	2022-05-05 18:02:42 +02:00
hackens server	5d23db8e14	config nginx valide pour grafana	2022-05-05 17:31:18 +02:00
sinavir	3d5b2d9dda	grafana accessible depuis l'extérieur	2022-04-29 15:20:42 +02:00
hackens server	a4a8fed358	monitoring de la poubelle	2022-04-29 15:09:56 +02:00
hackens server	e6e8092613	adduser hbarral	2022-04-29 15:09:13 +02:00
sinavir	353070ef08	graphana	2022-04-26 00:55:00 +02:00
sinavir	a6fc45f870	kfet2mqtt	2022-04-25 10:11:02 +02:00
hackens server	7ab97c1643	ajouter prometheus à configuration.nix; changer l'adresse d'ecoute	2022-04-25 01:26:15 +02:00
sinavir	63ee851b2d	Merge pull request 'prometheus' (#10 ) from prometheus into master Reviewed-on: https://git.rz.ens.wtf/HackENS/hackens-org-configurations/pulls/10	2022-04-25 01:02:21 +02:00
sinavir	ab6a7352a1	prometheus	2022-04-25 00:53:18 +02:00
Maurice Debray	c30492cfde	template module prometheus; package mqtt2prometheus	2022-04-24 12:22:16 +02:00
hackens server	7038f3a5cf	Plugin markdown pour le wiki	2022-04-20 13:00:46 +02:00
hackens server	5eab094b2e	Droits d'ecriture broker mqtt	2022-04-15 00:27:42 +02:00
hackens server	122a2b458a	Ajout du broker mqtt à la config	2022-04-13 17:17:34 +02:00
sinavir	42f69f6fc4	Merge pull request 'mqtt_broker' (#9 ) from mqtt_broker into master Reviewed-on: https://git.rz.ens.wtf/HackENS/hackens-org-configurations/pulls/9	2022-04-13 17:09:57 +02:00
hackens server	dec2dd0ad2	Enlever l'authentification	2022-04-13 17:00:40 +02:00
sinavir	1f72377e61	Merge pull request 'Nouvelle clef pour maurice' (#7 ) from nouvelle_clef_maurice into master Reviewed-on: https://git.rz.ens.wtf/HackENS/hackens-org-configurations/pulls/7	2022-04-13 11:58:41 +02:00
hackens server	44f895d58a	forceSSL for wiki	2022-04-13 01:41:22 +02:00
hackens server	08bcd00451	enlever la variable debug	2022-04-13 01:16:35 +02:00
sinavir	34ab26c22c	Merge pull request 'Wiki qui marche' (#8 ) from sinavir/amélioration_template into master Reviewed-on: https://git.rz.ens.wtf/HackENS/hackens-org-configurations/pulls/8	2022-04-13 01:02:47 +02:00
sinavir	733062750a	Merge branch 'master' into sinavir/amélioration_template	2022-04-13 01:01:43 +02:00
hackens server	b914f3a119	Fix acme email for pass-store	2022-04-13 00:57:44 +02:00
sinavir	bb99bc313d	MQTT Brocker	2022-04-10 17:56:04 +02:00
sinavir	a343de6dfa	debug=false	2022-04-06 14:27:57 +02:00
sinavir	a41f9a5873	Custom module	2022-04-06 14:23:43 +02:00
sinavir	1213ddaccd	nouvelle clef pour maurice	2022-04-06 12:29:03 +02:00
Maurice Debray	b75803557d	ACME, refactorisation	2022-03-31 11:36:08 +02:00
Maurice Debray	deffeb3ef5	Essai de fix le template mais tjrs cassé	2022-03-28 16:49:30 +02:00
Maurice Debray	0d171f8026	ajout php-xml pour le template	2022-03-17 00:05:23 +01:00
Maurice Debray	7dd00fe792	Ajout du logo d'hackens	2022-03-16 23:45:00 +01:00
Maurice Debray	4877158066	logo et version récente du template	2022-03-13 12:08:33 +01:00
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRA2W8T8rnWIn0xnP2LXSmmB92YuQygkLwLK60rpBG+ PLS@DESKTOP-KK74B9P`
				`@ -0,0 +1 @@`
				`Subproject commit 5bb68f24b539db1d9591ea320436b9dbdd2dc354`