fix(storage01): pass through the admin API of Garage

not the web API! Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
feat(krz01): move ollama to compute01 via a reverse proxy
2024-10-10 17:52:22 +02:00 · 2024-10-10 17:40:56 +02:00 · 2024-10-10 17:20:28 +02:00 · 2024-10-10 17:13:11 +02:00 · 2024-10-10 17:13:11 +02:00 · 2024-10-10 16:43:33 +02:00
223 changed files with 12752 additions and 2407 deletions
--- a/.forgejo/workflows/check-meta.yaml
+++ b/.forgejo/workflows/check-meta.yaml
@ -0,0 +1,25 @@
 name: Check meta
 on:
  pull_request:
    branches:
      - main
  push:
    paths:
      - 'meta/*'
 jobs:
  check_meta:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Check the validity of meta options
        run: nix-build meta/verify.nix -A meta
  check_dns:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Check the validity of the DNS configuration
        run: nix-build meta/verify.nix -A dns --no-out-link
--- a/.forgejo/workflows/ds-fr.yaml
+++ b/.forgejo/workflows/ds-fr.yaml
@ -1,8 +1,7 @@
 name: ds-fr update
 on:
  schedule:
-    # Run at 8 o'clock every day
+    - cron: "26 18 * * wed"
    - cron: "26 18 * * *"
 jobs:
  npins_update:
--- a/.forgejo/workflows/eval.yaml
+++ b/.forgejo/workflows/eval.yaml
@ -9,62 +9,192 @@ on:
      - main
 jobs:
-  build_compute01:
+  build_and_cache_krz01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
-      - name: Build compute01
+      - name: Build and cache the node
-        run: |
+        run: nix-shell --run cache-node
-          # Enter the shell
+        env:
-          nix-shell --run 'colmena build --on compute01'
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "krz01"
-  build_storage01:
+      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_krz01
          path: paths.txt
  build_and_cache_compute01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
-      - name: Build storage01
+      - name: Build and cache the node
-        run: |
+        run: nix-shell --run cache-node
-          # Enter the shell
+        env:
-          nix-shell --run 'colmena build --on storage01'
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "compute01"
-  build_vault01:
+      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_compute01
          path: paths.txt
  build_and_cache_storage01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
-      - name: Build vault01
+      - name: Build and cache the node
-        run: |
+        run: nix-shell --run cache-node
-          # Enter the shell
+        env:
-          nix-shell --run 'colmena build --on vault01'
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "storage01"
-  build_web01:
+      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_storage01
          path: paths.txt
  build_and_cache_rescue01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
-      - name: Build web01
+      - name: Build and cache the node
-        run: |
+        run: nix-shell --run cache-node
-          # Enter the shell
+        env:
-          nix-shell --run 'colmena build --on web01'
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "rescue01"
-  build_web02:
+      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_rescue01
          path: paths.txt
  build_and_cache_geo01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
-      - name: Build web02
+      - name: Build and cache the node
-        run: |
+        run: nix-shell --run cache-node
-          # Enter the shell
+        env:
-          nix-shell --run 'colmena build --on web02'
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "geo01"
-  build_rescue01:
+      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_geo01
          path: paths.txt
  build_and_cache_geo02:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
-      - name: Build rescue01
+      - name: Build and cache the node
-        run: |
+        run: nix-shell --run cache-node
-          # Enter the shell
+        env:
-          nix-shell --run 'colmena build --on rescue01'
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "geo02"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_geo02
          path: paths.txt
  build_and_cache_vault01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "vault01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_vault01
          path: paths.txt
  build_and_cache_web01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "web01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_web01
          path: paths.txt
  build_and_cache_web02:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "web02"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_web02
          path: paths.txt
  build_and_cache_bridge01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3
      - name: Build and cache the node
        run: nix-shell --run cache-node
        env:
          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
          STORE_USER: "admin"
          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
          BUILD_NODE: "bridge01"
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: outputs_web02
          path: paths.txt
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@ -1,5 +1,5 @@
 name: lint
-on: push
+on: [push, pull_request]
 jobs:
  check:
@ -8,4 +8,4 @@ jobs:
      - uses: actions/checkout@v3
      - name: Run pre-commit on all files
-        run: nix-shell --run 'pre-commit run --all-files --show-diff-on-failure' -A shells.pre-commit ./.
+        run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.
--- a/README.md
+++ b/README.md
@ -3,6 +3,115 @@
 The dgnum infrastructure.
 # Contributing
-Some instruction on how to contribute are available (in french) in [/CONTRIBUTING.md](CONTRIBUTING.md). You're expected to read this document before commiting to the repo.
+
 Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.md](CONTRIBUTE.md).
 You're expected to read this document before commiting to the repo.
 Some documentation for the development tools are provided in the aforementioned file.
 # Using the binary cache
 Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
 ```
 { lib, ... }:
 let
  dgnum-infra = PINNED_PATH_TO_INFRA;
 in {
  nix.settings = (import dgnum-infra { }).mkCacheSettings {
    caches = [ "infra" ];
  };
 }
 ```
 # Adding a new machine
 The first step is to create a minimal viable NixOS host, using tha means necessary.
 The second step is to find a name for this host, it must be unique from the other hosts.
 > [!TIP]
 > For the rest of this part, we assume that the host is named `host02`
 ## Download the keys
 The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.
 It can be retreived with :
 ```bash
 ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
 ```
 ## Initialize the machine folder and configuration
 - Create a folder `host02` under `machines/`
 - Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
 - Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
 ```nix
 { lib, ... }:
 lib.extra.mkConfig {
  enabledModules = [
    # List of modules to enable
  ];
  enabledServices = [
    # List of services to enable
  ];
  extraConfig = {
    services.netbird.enable = true;
  };
  root = ./.;
 }
 ```
 ## Fill in the metadata
 ### Network configuration
 The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
 ```bash
 head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
 ```
 ### Other details
 The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
 - `site`, where the node is physically located
 - `stateVersion`
 - `nixpkgs`, the nixpkgs version to use
 ## Initialize secrets
 Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
 ```nix
 (import ../../../keys).mkSecrets [ "host02" ] [
  # List of secrets for host02
 ]
 ```
 This will be used for future secret management.
 ## Update encrypted files
 Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
 ```bash
 agenix -r
 ```
 ## Commit and create a PR
 Once all of this is done, check that the configuration builds correctly :
 ```bash
 colmena build --on host02
 ```
 Apply it, and create a Pull Request.
--- a/default.nix
+++ b/default.nix
@ -1,88 +1,102 @@
-/* Copyright :
+/*
-   - Maurice Debray <maurice.debray@dgnum.eu>  2023
+  Copyright :
-   - Tom Hubrecht <tom.hubrecht@dgnum.eu>      2023
+  - Maurice Debray <maurice.debray@dgnum.eu>  2023
  - Tom Hubrecht <tom.hubrecht@dgnum.eu>      2023
-   Ce logiciel est un programme informatique servant à déployer des
+  Ce logiciel est un programme informatique servant à déployer des
-   configurations de serveurs via NixOS.
+  configurations de serveurs via NixOS.
-   Ce logiciel est régi par la licence CeCILL soumise au droit français et
+  Ce logiciel est régi par la licence CeCILL soumise au droit français et
-   respectant les principes de diffusion des logiciels libres. Vous pouvez
+  respectant les principes de diffusion des logiciels libres. Vous pouvez
-   utiliser, modifier et/ou redistribuer ce programme sous les conditions
+  utiliser, modifier et/ou redistribuer ce programme sous les conditions
-   de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
+  de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
-   sur le site "http://www.cecill.info".
+  sur le site "http://www.cecill.info".
-   En contrepartie de l'accessibilité au code source et des droits de copie,
+  En contrepartie de l'accessibilité au code source et des droits de copie,
-   de modification et de redistribution accordés par cette licence, il n'est
+  de modification et de redistribution accordés par cette licence, il n'est
-   offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
+  offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
-   seule une responsabilité restreinte pèse sur l'auteur du programme, le
+  seule une responsabilité restreinte pèse sur l'auteur du programme, le
-   titulaire des droits patrimoniaux et les concédants successifs.
+  titulaire des droits patrimoniaux et les concédants successifs.
-   A cet égard l'attention de l'utilisateur est attirée sur les risques
+  A cet égard l'attention de l'utilisateur est attirée sur les risques
-   associés au chargement, à l'utilisation, à la modification et/ou au
+  associés au chargement, à l'utilisation, à la modification et/ou au
-   développement et à la reproduction du logiciel par l'utilisateur étant
+  développement et à la reproduction du logiciel par l'utilisateur étant
-   donné sa spécificité de logiciel libre, qui peut le rendre complexe à
+  donné sa spécificité de logiciel libre, qui peut le rendre complexe à
-   manipuler et qui le réserve donc à des développeurs et des professionnels
+  manipuler et qui le réserve donc à des développeurs et des professionnels
-   avertis possédant des connaissances informatiques approfondies. Les
+  avertis possédant des connaissances informatiques approfondies. Les
-   utilisateurs sont donc invités à charger et tester l'adéquation du
+  utilisateurs sont donc invités à charger et tester l'adéquation du
-   logiciel à leurs besoins dans des conditions permettant d'assurer la
+  logiciel à leurs besoins dans des conditions permettant d'assurer la
-   sécurité de leurs systèmes et ou de leurs données et, plus généralement,
+  sécurité de leurs systèmes et ou de leurs données et, plus généralement,
-   à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
+  à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
-   Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
+  Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
-   pris connaissance de la licence CeCILL, et que vous en avez accepté les
+  pris connaissance de la licence CeCILL, et que vous en avez accepté les
-   termes.
+  termes.
 */
-let
+{
-  sources = import ./npins;
+  sources ? import ./npins,
-  pkgs = import sources.nixpkgs { };
+  pkgs ? import sources.nixpkgs { },
  nix-pkgs ? import sources.nix-pkgs { inherit pkgs; },
 }:
-  pre-commit-check = (import sources.pre-commit-hooks).run {
+let
  git-checks = (import (builtins.storePath sources.git-hooks)).run {
    src = ./.;
    hooks = {
-      # Nix Hooks
+      statix = {
      statix.enable = true;
      deadnix.enable = true;
      rfc101 = {
        enable = true;
-
+        stages = [ "pre-push" ];
-        name = "RFC-101 formatting";
+        settings.ignore = [
-        entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
+          "**/lon.nix"
-        files = "\\.nix$";
+          "**/npins"
        ];
      };
      deadnix = {
        enable = true;
        stages = [ "pre-push" ];
      };
      nixfmt-rfc-style = {
        enable = true;
        stages = [ "pre-push" ];
      };
      # Misc Hooks
      commitizen.enable = true;
    };
  };
 in
 {
-  nodes = builtins.mapAttrs (host: { site, ... }: "${host}.${site}.infra.dgnum.eu") (
+  nodes = builtins.mapAttrs (
-    import ./meta/nodes.nix
+    host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
-  );
+  ) (import ./meta/nodes.nix);
  dns = import ./meta/dns.nix;
  mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
  shells = {
    default = pkgs.mkShell {
      name = "dgnum-infra";
-      packages =
+      packages = [
-        (
+        (pkgs.nixos-generators.overrideAttrs (_: {
-          with pkgs;
+          version = "1.8.0-unstable";
-          [
+          src = builtins.storePath sources.nixos-generators;
-            npins
+        }))
-            colmena
+        pkgs.npins
-            nixos-generators
+
-          ]
+        (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
-          ++ (builtins.map (p: callPackage p { }) [ (sources.disko + "/package.nix") ])
+        (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
-        )
+        (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
-        ++ (import ./scripts { inherit pkgs; });
+
      ] ++ (import ./scripts { inherit pkgs; });
      shellHook = ''
-        ${pre-commit-check.shellHook}
+        ${git-checks.shellHook}
      '';
      preferLocalBuild = true;
@ -92,7 +106,7 @@ in
      name = "pre-commit-shell";
      shellHook = ''
-        ${pre-commit-check.shellHook}
+        ${git-checks.shellHook}
      '';
    };
  };
--- a/hive.nix
+++ b/hive.nix
@ -1,78 +1,113 @@
 let
-  sources = import ./npins;
+  sources' = import ./npins;
-  lib = import (sources.nix-lib + "/src/trivial.nix");
+  # Patch sources directly
  sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
    .applyPatches' sources';
-  patch = import sources.nix-patches { patchFile = ./patches; };
+  nix-lib = import ./lib/nix-lib;
  patch = import ./lib/nix-patches { patchFile = ./patches; };
  nodes' = import ./meta/nodes.nix;
  nodes = builtins.attrNames nodes';
  mkNode = node: {
    # Import the base configuration for each node
-    imports = builtins.map (lib.mkRel (./machines/${node})) [
+    imports = [ ./machines/${node}/_configuration.nix ];
      "_configuration.nix"
      "_hardware-configuration.nix"
    ];
  };
-  mkNixpkgs =
+  nixpkgs' = import ./meta/nixpkgs.nix;
-    node:
+  # All supported nixpkgs versions, instanciated
  nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
  # Get the configured nixos version for the node,
  # defaulting to the one defined in meta/nixpkgs
  version = node: nodes'.${node}.nixpkgs or nixpkgs'.default;
  # Builds a patched version of nixpkgs, only as the source
  mkNixpkgs' =
    v:
    patch.mkNixpkgsSrc rec {
-      src = sources.${version};
+      src = sources'.${name};
-      version = "nixos-${nodes'.${node}.nixpkgs or (import ./meta/nixpkgs.nix)}";
+      name = "nixos-${v}";
    };
-  mkNixpkgs' = node: import (mkNixpkgs node) { };
+  # Instanciates the required nixpkgs version
  mkNixpkgs = version: import (mkNixpkgs' version) { };
  ###
  # Function to create arguments based on the node
  #
  mkArgs = node: rec {
-    lib = import sources.nix-lib {
+    lib = nixpkgs.${version node}.lib // {
-      inherit (mkNixpkgs' node) lib;
+      extra = nix-lib;
      keysRoot = ./keys;
    };
    meta = (import ./meta) lib;
    nodeMeta = meta.nodes.${node};
  };
 in
-# nodes = builtins.attrNames metadata.nodes;
+
 {
  meta = {
-    nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes;
+    nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;
    specialArgs = {
-      inherit sources;
+      inherit nixpkgs sources;
      dgn-keys = import ./keys;
    };
-    nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
+    nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
  };
  defaults =
-    { meta, name, ... }:
+    {
      pkgs,
      name,
      nodeMeta,
      ...
    }:
    {
      # Import the default modules
-      imports = [ ./modules ];
+      imports = [
        ./modules
        (import "${sources.lix-module}/module.nix" {
          lix = pkgs.applyPatches {
            name = "lix-2.90.patched";
            src = sources.lix;
            patches = [ ./patches/00-disable-installChecks-lix.patch ];
          };
        })
      ];
      # Include default secrets
-      age-secrets.sources = [ (./machines + "/${name}/secrets") ];
+      age-secrets.sources = [ ./machines/${name}/secrets ];
      # Deployment config is specified in meta.nodes.${node}.deployment
-      inherit (meta.nodes.${name}) deployment;
+      inherit (nodeMeta) deployment;
-      # Set NIX_PATH to the patched version of nixpkgs
+      nix = {
-      nix.nixPath = [ "nixpkgs=${mkNixpkgs name}" ];
+        # Set NIX_PATH to the patched version of nixpkgs
-      nix.optimise.automatic = true;
+        nixPath = [ "nixpkgs=${mkNixpkgs' (version name)}" ];
        optimise.automatic = true;
        gc = {
          automatic = true;
          dates = "weekly";
          options = "--delete-older-than 7d";
        };
      };
      # Allow unfree packages
      nixpkgs.config.allowUnfree = true;
      # Use the stateVersion declared in the metadata
      system = {
-        inherit (meta.nodes.${name}) stateVersion;
+        inherit (nodeMeta) stateVersion;
      };
    };
 }
-// (lib.mapSingleFuse mkNode nodes)
+// (nix-lib.mapSingleFuse mkNode nodes)
--- a/iso/build-iso.sh
+++ b/iso/build-iso.sh
@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-NIXPKGS=$(nix-build nixpkgs.nix)
+NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)
 nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso
--- a/iso/configuration.nix
+++ b/iso/configuration.nix
@ -1,9 +1,9 @@
 { lib, pkgs, ... }:
 let
-  dgn-lib = import ../lib { };
+  dgn-keys = import ../keys;
-  dgn-members = (import ../meta).members.groups.iso;
+  dgn-members = (import ../meta lib).organization.groups.root;
 in
 {
@ -11,7 +11,7 @@ in
  boot = {
    blacklistedKernelModules = [ "snd_pcsp" ];
-    kernelPackages = pkgs.linuxPackages_6_1;
+    kernelPackages = pkgs.linuxPackages_latest;
    tmp.cleanOnBoot = true;
    loader = {
@ -22,6 +22,7 @@ in
    supportedFilesystems = [
      "exfat"
      "zfs"
      "bcachefs"
    ];
    swraid.enable = lib.mkForce false;
@ -33,7 +34,5 @@ in
    openssh.enable = true;
  };
-  users.users.root.openssh.authorizedKeys.keyFiles =
+  users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
    builtins.map (m: dgn-lib.mkRel ../keys "${m}.keys")
      dgn-members;
 }
--- a/iso/nixpkgs.nix
+++ b/iso/nixpkgs.nix
@ -1,5 +1,6 @@
 let
-  inherit (import ../npins) nixpkgs;
+  version = (import ../meta/nixpkgs.nix).default;
  nixpkgs = (import ../npins)."nixos-${version}";
 in
 (import nixpkgs { }).srcOnly {
--- a/keys/default.nix
+++ b/keys/default.nix
@ -0,0 +1,80 @@
 let
  _sources = import ../npins;
  meta = import ../meta (import _sources.nixpkgs { }).lib;
  getAttr = flip builtins.getAttr;
  inherit (import ../lib/nix-lib) flip setDefault unique;
 in
 rec {
  # WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
  #          If not, you will face an angry maintainer
  _keys = {
    # SSH keys of the nodes
    bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
    compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
    geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
    geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
    krz01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB" ];
    rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
    storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
    vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
    web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
    web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
    # SSH keys of the DGNum members
    catvayor = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
    ];
    ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
    gdd = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
    ];
    jemagius = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
    ];
    luj = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
    ];
    mdebray = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
    ];
    raito = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
    ];
    thubrecht = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
    ];
  };
  getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
  mkSecrets =
    nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
  getNodeKeys' =
    node:
    let
      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
        meta.nodes.${node}.admins ++ [ node ]
      ) meta.nodes.${node}.adminGroups;
    in
    unique (getKeys names);
  getNodeKeys = node: rootKeys ++ getNodeKeys' node;
  # List of keys for the root group
  rootKeys = getKeys meta.organization.groups.root;
  # List of 'machine' keys
  machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
 }
--- a/keys/gdd.keys
+++ b/keys/gdd.keys
@ -1,2 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ
--- a/keys/jemagius.keys
+++ b/keys/jemagius.keys
@ -1,2 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=
--- a/keys/luj.keys
+++ b/keys/luj.keys
@ -1,2 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower
--- a/keys/machines/compute01.keys
+++ b/keys/machines/compute01.keys
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu
--- a/keys/machines/geo01.keys
+++ b/keys/machines/geo01.keys
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4
--- a/keys/machines/geo02.keys
+++ b/keys/machines/geo02.keys
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket
--- a/keys/machines/storage01.keys
+++ b/keys/machines/storage01.keys
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ
--- a/keys/machines/vault01.keys
+++ b/keys/machines/vault01.keys
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW
--- a/keys/machines/web01.keys
+++ b/keys/machines/web01.keys
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5
--- a/keys/mdebray.keys
+++ b/keys/mdebray.keys
@ -1 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris
--- a/keys/raito.keys
+++ b/keys/raito.keys
@ -1,3 +0,0 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU
--- a/keys/thubrecht.keys
+++ b/keys/thubrecht.keys
@ -1,3 +0,0 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn
--- a/lib/colmena/default.nix
+++ b/lib/colmena/default.nix
@ -0,0 +1,11 @@
 # Copyright: Jade Lovelace <lix@jade.fyi> 2024
 { colmena, runCommandNoCC }:
 runCommandNoCC "colmena-wrapper" { env.colmena = "${colmena}/bin/colmena"; } ''
  mkdir -p $out
  ln -s ${colmena}/share $out/share
  mkdir $out/bin
  substituteAll ${./wrapper.sh.in} $out/bin/colmena
  chmod +x $out/bin/colmena
 ''
--- a/lib/colmena/wrapper.sh.in
+++ b/lib/colmena/wrapper.sh.in
@ -0,0 +1,31 @@
 #!/usr/bin/env bash
 #
 # Copyright: Jade Lovelace <lix@jade.fyi> 2024
 doChecks() {
 	# creates refs in the refs/prefetch/remotes/origin namespace
 	echo "Prefetching repo changes..." >&2
 	git fetch --quiet --prefetch --no-write-fetch-head origin
 	diffs=$(git rev-list --left-right --count HEAD...refs/prefetch/remotes/origin/main)
 	only_in_local=$(echo "$diffs" | cut -f1)
 	only_in_main=$(echo "$diffs" | cut -f2)
 	if [[ $only_in_main -gt 0 && ! -v $FORCE_DEPLOY_DGNUM ]]; then
 		echo >&2
 		echo "Attempting to deploy when main has $only_in_main commits not in your branch!" >&2
 		echo "This will probably revert someone's changes. Consider merging them." >&2
 		echo "If you really mean it, set the environment variable FORCE_DEPLOY_DGNUM" >&2
 		exit 1
 	fi
 	if [[ $only_in_local -gt 0 ]]; then
 		echo "You have $only_in_local commits not yet pushed to main. Reminder to push them after :)" >&2
 	fi
 }
 if [[ $1 == 'apply' ]]; then
 	doChecks
 fi
 exec @colmena@ "$@"
--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,29 +0,0 @@
 _:
 let
  sources = import ../npins;
  lib =
    (import sources.nix-lib {
      inherit ((import sources.nixpkgs { })) lib;
      keysRoot = ../keys;
    }).extra;
  meta = import ../meta;
 in
 lib
 // rec {
  # Get publickeys associated to a node
  getNodeKeys =
    node:
    let
      names =
        builtins.foldl' (names: group: names ++ meta.members.groups.${group})
          (meta.nodes.${node}.admins ++ [ "/machines/${node}" ])
          meta.nodes.${node}.adminGroups;
    in
    rootKeys ++ (lib.getAllKeys names);
  rootKeys = lib.getAllKeys meta.members.groups.root;
 }
--- a/lib/nix-lib/default.nix
+++ b/lib/nix-lib/default.nix
@ -0,0 +1,197 @@
 # Copyright Tom Hubrecht, (2023)
 #
 #  Tom Hubrecht <tom@hubrecht.ovh>
 #
 #  This software is governed by the CeCILL  license under French law and
 #  abiding by the rules of distribution of free software.  You can  use,
 #  modify and/ or redistribute the software under the terms of the CeCILL
 #  license as circulated by CEA, CNRS and INRIA at the following URL
 #  "http://www.cecill.info".
 #
 #  As a counterpart to the access to the source code and  rights to copy,
 #  modify and redistribute granted by the license, users are provided only
 #  with a limited warranty  and the software's author,  the holder of the
 #  economic rights,  and the successive licensors  have only  limited
 #  liability.
 #
 #  In this respect, the user's attention is drawn to the risks associated
 #  with loading,  using,  modifying and/or developing or reproducing the
 #  software by the user in light of its specific status of free software,
 #  that may mean  that it is complicated to manipulate,  and  that  also
 #  therefore means  that it is reserved for developers  and  experienced
 #  professionals having in-depth computer knowledge. Users are therefore
 #  encouraged to load and test the software's suitability as regards their
 #  requirements in conditions enabling the security of their systems and/or
 #  data to be ensured and,  more generally, to use and operate it in the
 #  same conditions as regards security.
 #
 #  The fact that you are presently reading this means that you have had
 #  knowledge of the CeCILL license and that you accept its terms.
 let
  # Reimplement optional functions
  _optional =
    default: b: value:
    if b then value else default;
 in
 rec {
  inherit (import ./nixpkgs.nix)
    flip
    hasPrefix
    recursiveUpdate
    splitString
    unique
    ;
  /*
    Fuses a list of attribute sets into a single attribute set.
    Type: [attrs] -> attrs
     Example:
       x = [ { a = 1; } { b = 2; } ]
       fuseAttrs x
       => { a = 1; b = 2; }
  */
  fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
  fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
  /*
    Applies a function to `attrsList` before fusing the resulting list
    of attribute sets.
    Type: ('a -> attrs) -> ['a] -> attrs
    Example:
     x = [ "to" "ta" "ti" ]
     f = s: { ${s} = s + s; }
     mapFuse f x
     => { to = "toto"; ta = "tata"; ti = "titi"; }
  */
  mapFuse =
    # 'a -> attrs
    f:
    # ['a]
    attrsList:
    fuseAttrs (builtins.map f attrsList);
  /*
    Equivalent of lib.singleton but for an attribute set.
    Type: str -> 'a -> attrs
     Example:
       singleAttr "a" 1
       => { a = 1; }
  */
  singleAttr = name: value: { ${name} = value; };
  # Enables a list of modules.
  enableAttrs' =
    enable:
    mapFuse (m: {
      ${m}.${enable} = true;
    });
  enableModules = enableAttrs' "enable";
  /*
    Create an attribute set from a list of values, mapping those
    values through the function `f`.
    Example:
     mapSingleFuse (x: "val-${x}") [ "a" "b" ]
     => { a = "val-a"; b = "val-b" }
  */
  mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
  /*
    Creates a relative path as a string
    Type: path -> str -> path
     Example:
       mkRel /home/test/ "file.txt"
       => "/home/test/file.txt"
  */
  mkRel = path: file: path + "/${file}";
  setDefault =
    default:
    mapFuse (name: {
      ${name} = default;
    });
  mkBaseSecrets =
    root:
    mapFuse (secret: {
      ${secret}.file = mkRel root secret;
    });
  getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
  subAttr = attrs: name: attrs.${name};
  subAttrs = attrs: builtins.map (subAttr attrs);
  optionalList = _optional [ ];
  optionalAttrs = _optional { };
  optionalString = _optional "";
  /*
    Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
    sets together.
    Type: [attrs] -> attrs
  */
  recursiveFuse = builtins.foldl' recursiveUpdate { };
  mkImport =
    root: file:
    let
      path = mkRel root file;
    in
    path + (optionalString (!(builtins.pathExists path)) ".nix");
  mkImports = root: builtins.map (mkImport root);
  /*
    Creates a confugiration by merging enabled modules,
    services and extraConfig.
    Example:
     mkConfig {
       enabledModules = [ "ht-defaults" ];
       enabledServices = [ "toto" ];
       extraConfig = { services.nginx.enable = true; };
       root = ./.;
     }
     =>
     {
       imports = [ ./toto ];
       ht-defaults.enable = true;
       services.nginx.enable = true;
     }
  */
  mkConfig =
    {
      # List of modules to enable with `enableModules`
      enabledModules,
      # List of services to import
      enabledServices,
      # Extra configuration, defaults to `{ }`
      extraConfig ? { },
      # Path relative to which the enabled services will be imported
      root,
    }:
    recursiveFuse [
      (enableModules enabledModules)
      { imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
      extraConfig
    ];
 }
--- a/lib/nix-lib/nixpkgs.nix
+++ b/lib/nix-lib/nixpkgs.nix
@ -0,0 +1,416 @@
 ###
 # Collection of nixpkgs library functions, those are necessary for defining our own lib
 #
 # They have been simplified and builtins are used in some places, instead of lib shims.
 rec {
  /**
    Does the same as the update operator '//' except that attributes are
    merged until the given predicate is verified.  The predicate should
    accept 3 arguments which are the path to reach the attribute, a part of
    the first attribute set and a part of the second attribute set.  When
    the predicate is satisfied, the value of the first attribute set is
    replaced by the value of the second attribute set.
    # Inputs
    `pred`
    : Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
    `lhs`
    : Left attribute set of the merge.
    `rhs`
    : Right attribute set of the merge.
    # Type
    ```
    recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
    ```
    # Examples
    :::{.example}
    ## `lib.attrsets.recursiveUpdateUntil` usage example
    ```nix
    recursiveUpdateUntil (path: l: r: path == ["foo"]) {
      # first attribute set
      foo.bar = 1;
      foo.baz = 2;
      bar = 3;
    } {
      #second attribute set
      foo.bar = 1;
      foo.quz = 2;
      baz = 4;
    }
    => {
      foo.bar = 1; # 'foo.*' from the second set
      foo.quz = 2; #
      bar = 3;     # 'bar' from the first set
      baz = 4;     # 'baz' from the second set
    }
    ```
    :::
  */
  recursiveUpdateUntil =
    pred: lhs: rhs:
    let
      f =
        attrPath:
        builtins.zipAttrsWith (
          n: values:
          let
            here = attrPath ++ [ n ];
          in
          if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
            builtins.head values
          else
            f here values
        );
    in
    f [ ] [
      rhs
      lhs
    ];
  /**
    A recursive variant of the update operator ‘//’.  The recursion
    stops when one of the attribute values is not an attribute set,
    in which case the right hand side value takes precedence over the
    left hand side value.
    # Inputs
    `lhs`
    : Left attribute set of the merge.
    `rhs`
    : Right attribute set of the merge.
    # Type
    ```
    recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
    ```
    # Examples
    :::{.example}
    ## `lib.attrsets.recursiveUpdate` usage example
    ```nix
    recursiveUpdate {
      boot.loader.grub.enable = true;
      boot.loader.grub.device = "/dev/hda";
    } {
      boot.loader.grub.device = "";
    }
    returns: {
      boot.loader.grub.enable = true;
      boot.loader.grub.device = "";
    }
    ```
    :::
  */
  recursiveUpdate =
    lhs: rhs:
    recursiveUpdateUntil (
      _: lhs: rhs:
      !(builtins.isAttrs lhs && builtins.isAttrs rhs)
    ) lhs rhs;
  /**
    Determine whether a string has given prefix.
    # Inputs
    `pref`
    : Prefix to check for
    `str`
    : Input string
    # Type
    ```
    hasPrefix :: string -> string -> bool
    ```
    # Examples
    :::{.example}
    ## `lib.strings.hasPrefix` usage example
    ```nix
    hasPrefix "foo" "foobar"
    => true
    hasPrefix "foo" "barfoo"
    => false
    ```
    :::
  */
  hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
  /**
    Escape occurrence of the elements of `list` in `string` by
    prefixing it with a backslash.
    # Inputs
    `list`
    : 1\. Function argument
    `string`
    : 2\. Function argument
    # Type
    ```
    escape :: [string] -> string -> string
    ```
    # Examples
    :::{.example}
    ## `lib.strings.escape` usage example
    ```nix
    escape ["(" ")"] "(foo)"
    => "\\(foo\\)"
    ```
    :::
  */
  escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
  /**
    Convert a string `s` to a list of characters (i.e. singleton strings).
    This allows you to, e.g., map a function over each character.  However,
    note that this will likely be horribly inefficient; Nix is not a
    general purpose programming language. Complex string manipulations
    should, if appropriate, be done in a derivation.
    Also note that Nix treats strings as a list of bytes and thus doesn't
    handle unicode.
    # Inputs
    `s`
    : 1\. Function argument
    # Type
    ```
    stringToCharacters :: string -> [string]
    ```
    # Examples
    :::{.example}
    ## `lib.strings.stringToCharacters` usage example
    ```nix
    stringToCharacters ""
    => [ ]
    stringToCharacters "abc"
    => [ "a" "b" "c" ]
    stringToCharacters "🦄"
    => [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
    ```
    :::
  */
  stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
  /**
    Turn a string `s` into an exact regular expression
    # Inputs
    `s`
    : 1\. Function argument
    # Type
    ```
    escapeRegex :: string -> string
    ```
    # Examples
    :::{.example}
    ## `lib.strings.escapeRegex` usage example
    ```nix
    escapeRegex "[^a-z]*"
    => "\\[\\^a-z]\\*"
    ```
    :::
  */
  escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
  /**
    Appends string context from string like object `src` to `target`.
    :::{.warning}
    This is an implementation
    detail of Nix and should be used carefully.
    :::
    Strings in Nix carry an invisible `context` which is a list of strings
    representing store paths. If the string is later used in a derivation
    attribute, the derivation will properly populate the inputDrvs and
    inputSrcs.
    # Inputs
    `src`
    : The string to take the context from. If the argument is not a string,
      it will be implicitly converted to a string.
    `target`
    : The string to append the context to. If the argument is not a string,
      it will be implicitly converted to a string.
    # Type
    ```
    addContextFrom :: string -> string -> string
    ```
    # Examples
    :::{.example}
    ## `lib.strings.addContextFrom` usage example
    ```nix
    pkgs = import <nixpkgs> { };
    addContextFrom pkgs.coreutils "bar"
    => "bar"
    ```
    The context can be displayed using the `toString` function:
    ```nix
    nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
    {
      "/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
    }
    ```
    :::
  */
  addContextFrom = src: target: builtins.substring 0 0 src + target;
  /**
    Cut a string with a separator and produces a list of strings which
    were separated by this separator.
    # Inputs
    `sep`
    : 1\. Function argument
    `s`
    : 2\. Function argument
    # Type
    ```
    splitString :: string -> string -> [string]
    ```
    # Examples
    :::{.example}
    ## `lib.strings.splitString` usage example
    ```nix
    splitString "." "foo.bar.baz"
    => [ "foo" "bar" "baz" ]
    splitString "/" "/usr/local/bin"
    => [ "" "usr" "local" "bin" ]
    ```
    :::
  */
  splitString =
    sep: s:
    let
      splits = builtins.filter builtins.isString (
        builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
      );
    in
    builtins.map (addContextFrom s) splits;
  /**
    Remove duplicate elements from the `list`. O(n^2) complexity.
    # Inputs
    `list`
    : Input list
    # Type
    ```
    unique :: [a] -> [a]
    ```
    # Examples
    :::{.example}
    ## `lib.lists.unique` usage example
    ```nix
    unique [ 3 2 3 4 ]
    => [ 3 2 4 ]
    ```
    :::
  */
  unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
  /**
    Flip the order of the arguments of a binary function.
    # Inputs
    `f`
    : 1\. Function argument
    `a`
    : 2\. Function argument
    `b`
    : 3\. Function argument
    # Type
    ```
    flip :: (a -> b -> c) -> (b -> a -> c)
    ```
    # Examples
    :::{.example}
    ## `lib.trivial.flip` usage example
    ```nix
    flip concat [1] [2]
    => [ 2 1 ]
    ```
    :::
  */
  flip =
    f: a: b:
    f b a;
 }
--- a/lib/nix-patches/default.nix
+++ b/lib/nix-patches/default.nix
@ -0,0 +1,110 @@
 # Copyright Tom Hubrecht, (2023-2024)
 #
 # Tom Hubrecht <tom@hubrecht.ovh>
 #
 # This software is governed by the CeCILL  license under French law and
 # abiding by the rules of distribution of free software.  You can  use,
 # modify and/ or redistribute the software under the terms of the CeCILL
 # license as circulated by CEA, CNRS and INRIA at the following URL
 # "http://www.cecill.info".
 #
 # As a counterpart to the access to the source code and  rights to copy,
 # modify and redistribute granted by the license, users are provided only
 # with a limited warranty  and the software's author,  the holder of the
 # economic rights,  and the successive licensors  have only  limited
 # liability.
 #
 # In this respect, the user's attention is drawn to the risks associated
 # with loading,  using,  modifying and/or developing or reproducing the
 # software by the user in light of its specific status of free software,
 # that may mean  that it is complicated to manipulate,  and  that  also
 # therefore means  that it is reserved for developers  and  experienced
 # professionals having in-depth computer knowledge. Users are therefore
 # encouraged to load and test the software's suitability as regards their
 # requirements in conditions enabling the security of their systems and/or
 # data to be ensured and,  more generally, to use and operate it in the
 # same conditions as regards security.
 #
 # The fact that you are presently reading this means that you have had
 # knowledge of the CeCILL license and that you accept its terms.
 {
  patchFile,
  excludeGitHubManual ? true,
  fetchers ? { },
 }:
 rec {
  base =
    { pkgs }:
    rec {
      mkUrlPatch =
        attrs:
        pkgs.fetchpatch (
          {
            hash = pkgs.lib.fakeHash;
          }
          // attrs
          // (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
            excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
          })
        );
      mkGitHubPatch =
        { id, ... }@attrs:
        mkUrlPatch (
          (builtins.removeAttrs attrs [ "id" ])
          // {
            url = "https://github.com/NixOS/nixpkgs/pull/${builtins.toString id}.diff";
          }
        );
      mkCommitPatch =
        { sha, ... }@attrs:
        mkUrlPatch (
          (builtins.removeAttrs attrs [ "sha" ])
          // {
            url = "https://github.com/NixOS/nixpkgs/commit/${builtins.toString sha}.diff";
          }
        );
      patchFunctions = {
        commit = mkCommitPatch;
        github = mkGitHubPatch;
        remote = pkgs.fetchpatch;
        static = attrs: attrs.path;
        url = mkUrlPatch;
      } // fetchers;
      mkPatch =
        {
          _type ? "github",
          ...
        }@attrs:
        if builtins.hasAttr _type patchFunctions then
          patchFunctions.${_type} (builtins.removeAttrs attrs [ "_type" ])
        else
          throw "Unknown patch type: ${builtins.toString _type}.";
      mkPatches = v: builtins.map mkPatch ((import patchFile).${v} or [ ]);
      applyPatches =
        {
          src,
          name,
          patches ? mkPatches name,
        }:
        if patches == [ ] then
          src
        else
          pkgs.applyPatches {
            inherit patches src;
            name = "${name}-patched";
          };
      applyPatches' = name: src: applyPatches { inherit name src; };
    };
  mkNixpkgsSrc = { src, name }: (base { pkgs = import src { }; }).applyPatches { inherit src name; };
 }
--- a/machines/bridge01/_configuration.nix
+++ b/machines/bridge01/_configuration.nix
@ -0,0 +1,20 @@
 { lib, pkgs, ... }:
 lib.extra.mkConfig {
  enabledModules = [
    # List of modules to enable
  ];
  enabledServices = [
    # List of services to enable
    "network"
  ];
  extraConfig = {
    services.netbird.enable = true;
    environment.systemPackages = [ pkgs.bcachefs-tools ];
  };
  root = ./.;
 }
--- a/machines/bridge01/_hardware-configuration.nix
+++ b/machines/bridge01/_hardware-configuration.nix
@ -0,0 +1,53 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { modulesPath, pkgs, ... }:
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
  boot = {
    initrd = {
      availableKernelModules = [
        "xhci_pci"
        "ehci_pci"
        "ahci"
        "sd_mod"
        "sr_mod"
      ];
    };
    kernelModules = [ "kvm-intel" ];
    kernelPackages = pkgs.linuxPackages_latest;
    supportedFilesystems.bcachefs = true;
  };
  fileSystems = {
    "/" = {
      device = "UUID=3da58b64-a2fd-428d-bde8-3a185e2f73fd";
      fsType = "bcachefs";
      options = [ "compression=zstd" ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/4D0A-AF11";
      fsType = "vfat";
      options = [
        "fmask=0022"
        "dmask=0022"
      ];
    };
  };
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.vlan-admin.useDHCP = lib.mkDefault true;
  # networking.interfaces.vlan-uplink-oob.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = true;
 }
--- a/machines/bridge01/network.nix
+++ b/machines/bridge01/network.nix
@ -0,0 +1,79 @@
 _:
 {
  networking = {
    useNetworkd = true;
    useDHCP = false;
    nftables.enable = true;
    firewall.allowedUDPPorts = [ 67 ];
  };
  systemd.network = {
    networks = {
      "10-eno1" = {
        name = "eno1";
        networkConfig = {
          VLAN = [
            "vlan-admin"
            "vlan-uplink-oob"
          ];
          LinkLocalAddressing = false;
          LLDP = false;
          EmitLLDP = false;
          IPv6AcceptRA = false;
          IPv6SendRA = false;
        };
        # address = [ "192.168.222.1/24" ];
      };
      "10-vlan-admin" = {
        name = "vlan-admin";
        # DHCP for the BMC
        networkConfig.DHCPServer = "yes";
        dhcpServerConfig = {
          PoolOffset = 128;
          EmitDNS = false;
          EmitNTP = false;
          EmitSIP = false;
          EmitPOP3 = false;
          EmitSMTP = false;
          EmitLPR = false;
          UplinkInterface = ":none";
        };
        address = [
          "fd26:baf9:d250:8000::ffff/64"
          "192.168.222.1/24"
        ];
      };
      "10-vlan-uplink-oob" = {
        name = "vlan-uplink-oob";
        networkConfig.DHCP = "ipv4";
      };
    };
    netdevs = {
      "10-vlan-admin" = {
        netdevConfig = {
          Name = "vlan-admin";
          Kind = "vlan";
        };
        vlanConfig.Id = 3000;
      };
      "10-vlan-uplink-oob" = {
        netdevConfig = {
          Name = "vlan-uplink-oob";
          Kind = "vlan";
        };
        vlanConfig.Id = 500;
      };
    };
  };
 }
--- a/machines/bridge01/secrets/secrets.nix
+++ b/machines/bridge01/secrets/secrets.nix
@ -0,0 +1,3 @@
 (import ../../../keys).mkSecrets [ "bridg01" ] [
  # List of secrets for bridge01
 ]
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@ -1,38 +1,42 @@
 { lib, ... }:
 lib.extra.mkConfig {
  # List of modules to enable
  enabledModules = [
-    # List of modules to enable
+    # INFO: This list needs to stay sorted alphabetically
    "dgn-backups"
-    "dgn-fail2ban"
+    "dgn-chatops"
    "dgn-web"
  ];
  # List of services to enable
  enabledServices = [
-    # List of services to enable
+    # INFO: This list needs to stay sorted alphabetically
    "arkheon"
    "dgsi"
    "ds-fr"
    "grafana"
    "hedgedoc"
    "k-radius"
    "kanidm"
    "librenms"
    "mastodon"
    "nextcloud"
    "ollama-proxy"
    "outline"
    "plausible"
    "postgresql"
    "rstudio-server"
    "satosa"
    "signal-irc-bridge"
    "signald"
    "stirling-pdf"
    "takumi"
    "telegraf"
    "vaultwarden"
    "zammad"
    "signald"
  ];
  extraConfig = {
    dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
      "sshd-bruteforce"
      "sshd-timeout"
    ];
    dgn-hardware.useZfs = true;
    services.netbird.enable = true;
--- a/machines/compute01/arkheon.nix
+++ b/machines/compute01/arkheon.nix
@ -0,0 +1,28 @@
 { config, sources, ... }:
 {
  nixpkgs.overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ];
  services.arkheon = {
    enable = true;
    pythonEnv =
      (import sources.nixos-unstable {
        overlays = [ (import (sources.arkheon.outPath + "/overlay.nix")) ];
      }).python3.withPackages
        (ps: [
          ps.arkheon
          ps.daphne
          ps.psycopg2
        ]);
    domain = "arkheon.dgnum.eu";
    nginx = {
      enableACME = true;
      forceSSL = true;
    };
    envFile = config.age.secrets."arkheon-env_file".path;
  };
 }
--- a/machines/compute01/dgsi/default.nix
+++ b/machines/compute01/dgsi/default.nix
@ -0,0 +1,222 @@
 {
  config,
  lib,
  pkgs,
  utils,
  sources,
  ...
 }:
 let
  inherit (lib) toLower;
  python =
    let
      python3 = pkgs.python312;
      nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
    in
    python3.override {
      packageOverrides = _: _: {
        inherit (nix-pkgs)
          django-allauth
          django-allauth-cas
          django-browser-reload
          django-bulma-forms
          django-sass-processor
          django-sass-processor-dart-sass
          django-unfold
          pykanidm
          python-cas
          loadcredential
          xlwt
          ;
      };
    };
  pythonEnv = python.withPackages (
    ps:
    [
      ps.django
      ps.gunicorn
      ps.psycopg
      ps.django-compressor
      ps.django-import-export
      # Local packages
      ps.django-allauth
      ps.django-allauth-cas
      ps.django-browser-reload
      ps.django-bulma-forms
      ps.django-sass-processor
      ps.django-sass-processor-dart-sass
      ps.django-unfold
      ps.loadcredential
      ps.pykanidm
      ps.python-cas
    ]
    ++ ps.django-allauth.optional-dependencies.saml
  );
  staticDrv = pkgs.stdenv.mkDerivation {
    name = "dgsi-static";
    src = sources.dgsi;
    sourceRoot = "source/src";
    nativeBuildInputs = [
      pkgs.dart-sass
      pythonEnv
    ];
    configurePhase = ''
      export DGSI_STATIC_ROOT=$out/static
      export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
      export DGSI_KANIDM_CLIENT="dgsi_test"
      export DGSI_KANIDM_AUTH_TOKEN="fake.token"
      export DGSI_X509_KEY=""
      export DGSI_X509_CERT=""
    '';
    doBuild = false;
    installPhase = ''
      mkdir -p $out/static
      python3 manage.py compilescss
      python3 manage.py collectstatic
    '';
  };
 in
 {
  users = {
    users.nginx.extraGroups = [ "django-apps" ];
    groups.django-apps = { };
  };
  systemd = {
    services = {
      dj-dgsi = {
        description = "DGSI web app";
        requires = [ "dj-dgsi.socket" ];
        wantedBy = [ "multi-user.target" ];
        after = [
          "network.target"
          "postgresql.service"
        ];
        serviceConfig = {
          DynamicUser = true;
          LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [
            "EMAIL_HOST_PASSWORD"
            "KANIDM_AUTH_TOKEN"
            "KANIDM_SECRET"
            "SECRET_KEY"
            "X509_CERT"
            "X509_KEY"
          ];
          RuntimeDirectory = "django-apps/dgsi";
          StateDirectory = "django-apps/dgsi";
          UMask = "0027";
          User = "dj-dgsi";
          Group = "django-apps";
          WorkingDirectory = sources.dgsi;
          ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -s HUP $MAINPID";
          KillMode = "mixed";
          Type = "notify";
          ExecStart = utils.escapeSystemdExecArgs [
            (lib.getExe' pythonEnv "gunicorn")
            "--workers"
            4
            "--bind"
            "unix:/run/django-apps/dgsi.sock"
            "--pythonpath"
            "src"
            "app.wsgi"
          ];
        };
        environment = {
          DGSI_ALLOWED_HOSTS = builtins.toJSON [
            "profil.dgnum.eu"
            "dgsi.dgnum.eu"
          ];
          DGSI_EMAIL_HOST = "kurisu.lahfa.xyz";
          DGSI_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
          DGSI_EMAIL_USE_SSL = builtins.toJSON true;
          DGSI_FROM_EMAIL = "La Délégation Générale Numérique <noreply@infra.dgnum.eu>";
          DGSI_SERVER_EMAIL = "dgsi@infra.dgnum.eu";
          DGSI_KANIDM_CLIENT = "dgsi";
          DGSI_KANIDM_URI = "https://sso.dgnum.eu";
          DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
          DGSI_STATIC_ROOT = "${staticDrv}/static";
          DGSI_DATABASES = builtins.toJSON {
            default = {
              ENGINE = "django.db.backends.postgresql";
              NAME = "dj-dgsi";
            };
          };
          DJANGO_SETTINGS_MODULE = "app.settings";
        };
        path = [ pythonEnv ];
        preStart = ''
          python3 src/manage.py migrate --no-input
        '';
      };
    };
    sockets."dj-dgsi" = {
      description = "Socket for the DGSI Django Application";
      wantedBy = [ "sockets.target" ];
      socketConfig = {
        ListenStream = "/run/django-apps/dgsi.sock";
        SocketMode = "600";
        SocketUser = config.services.nginx.user;
      };
    };
    mounts = [
      {
        where = "/run/django-apps/dgsi/media";
        what = "/var/lib/django-apps/dgsi/media";
        options = "bind";
        after = [ "dj-dgsi.service" ];
        partOf = [ "dj-dgsi.service" ];
        upheldBy = [ "dj-dgsi.service" ];
      }
    ];
  };
  dgn-redirections.permanent."dgsi.dgnum.eu" = "profil.dgnum.eu";
  services = {
    postgresql = {
      ensureDatabases = [ "dj-dgsi" ];
      ensureUsers = [
        {
          name = "dj-dgsi";
          ensureDBOwnership = true;
        }
      ];
    };
    nginx.virtualHosts."profil.dgnum.eu" = {
      enableACME = true;
      forceSSL = true;
      locations = {
        "/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
        "/static/".root = staticDrv;
        "/media/".root = "/run/django-apps/dgsi";
      };
    };
  };
 }
--- a/machines/compute01/ds-fr/package/default.nix
+++ b/machines/compute01/ds-fr/package/default.nix
@ -3,9 +3,7 @@
  stdenv,
  fetchFromGitHub,
  git,
-  fetchYarnDeps,
+  bun,
  yarn,
  fixup_yarn_lock,
  nodejs,
  ruby_3_2,
  bundlerEnv,
@ -18,7 +16,7 @@ let
  inherit (lib) getExe;
  # Head of the DGNum repo
-  dgn-id = "8eecf28eeaf39bade8aed5e191a5bbf794dec4cc";
+  dgn-id = "f270f1cdd09e643a9c666c94df1841234430de49";
  pname = "ds-fr";
  meta = import ./meta.nix;
@ -50,20 +48,46 @@ let
    };
  };
  node_modules = stdenv.mkDerivation {
    pname = "${pname}-node_modules";
    inherit src version;
    impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [
      "GIT_PROXY_COMMAND"
      "SOCKS_SERVER"
    ];
    nativeBuildInputs = [ bun ];
    dontConfigure = true;
    buildPhase = ''
      bun install --no-progress --frozen-lockfile --ignore-scripts 
      rm -r node_modules/.cache
      # Remove inconsistent file
      rm node_modules/.bin/grunt
    '';
    installPhase = ''
      mv node_modules $out
    '';
    dontFixup = true;
    outputHash = meta.deps-hash or lib.fakeHash;
    outputHashAlgo = "sha256";
    outputHashMode = "recursive";
  };
  dsModules = stdenv.mkDerivation {
    pname = "${pname}-modules";
    inherit src version;
    offlineCache = fetchYarnDeps {
      yarnLock = "${src}/yarn.lock";
      hash = meta.deps-hash;
    };
    buildInputs = [ rubyEnv ];
    nativeBuildInputs = [
-      fixup_yarn_lock
+      bun
      nodejs
      yarn
      rubyEnv.wrappedRuby
    ];
@ -84,18 +108,13 @@ let
    APP_HOST = "precompile_placeholder";
    buildPhase = ''
-      export HOME=$(mktemp -d)
+      cp -R ${node_modules} node_modules
-      yarn config --offline set yarn-offline-mirror $offlineCache
+      chmod u+w -R node_modules
      fixup_yarn_lock yarn.lock
      yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
-      patchShebangs node_modules/
+      patchShebangs node_modules
      patchShebangs bin/
      bin/rake assets:precompile
      yarn cache clean --offline
      rm -rf node_modules/
    '';
    installPhase = ''
@ -116,7 +135,6 @@ stdenv.mkDerivation {
    ./patches/replay_routing_engine_for_a_cloned_procedure.patch
    ./patches/smtp_settings.patch
    ./patches/garage.patch
    ./patches/secrets-fc.patch
  ];
  postPatch = ''
--- a/machines/compute01/ds-fr/package/meta.nix
+++ b/machines/compute01/ds-fr/package/meta.nix
@ -1,5 +1,5 @@
 {
-  version = "2024-02-29-01";
+  version = "2024-04-24-01";
-  src-hash = "sha256-YHK86sQMaa0Oa40uNMXDs25lPR9RkDnkzMcMFW+djYQ=";
+  src-hash = "sha256-+FjthJZb1KqqFttFmXr/FN5qaFcY9RGTKAqhdLGVFSg=";
-  deps-hash = "sha256-9HbZtk0sgBSWzzFrjXnSyEVWaQMiyC1v89vXB0UK9Hc=";
+  deps-hash = "sha256-Vj8WCB+LSHJM67qbsZ5CPc+jK1KWO1MXnSFp/LH0Ow8=";
 }
--- a/machines/compute01/ds-fr/package/patches/secrets-fc.patch
+++ b/machines/compute01/ds-fr/package/patches/secrets-fc.patch
@ -1,19 +0,0 @@
 diff --git a/config/secrets.yml b/config/secrets.yml
 index 866fa6159..6fd49ee59 100644
 --- a/config/secrets.yml
 +++ b/config/secrets.yml
@@ -23,10 +23,10 @@ defaults: &defaults
     identifier: <%= ENV['FC_PARTICULIER_ID'] %>
     secret: <%= ENV['FC_PARTICULIER_SECRET'] %>
     redirect_uri: https://<%= ENV['APP_HOST'] %>/france_connect/particulier/callback
 -    authorization_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/api/v1/authorize
 -    token_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/api/v1/token
 -    userinfo_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/api/v1/userinfo
 -    logout_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/api/v1/logout
 +    authorization_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/ui/oauth2
 +    token_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/oauth2/token
 +    userinfo_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/oauth2/openid/demarches_dgn/userinfo
 +    logout_endpoint: <%= ENV['FC_PARTICULIER_BASE_URL'] %>/oauth2/token/revoke
   agent_connect:
     identifier: <%= ENV['AGENT_CONNECT_ID'] %>
     secret: <%= ENV['AGENT_CONNECT_SECRET'] %>
--- a/machines/compute01/ds-fr/package/rubyEnv/Gemfile
+++ b/machines/compute01/ds-fr/package/rubyEnv/Gemfile
@ -10,6 +10,7 @@ gem 'active_storage_validations'
 gem 'addressable'
 gem 'administrate'
 gem 'administrate-field-enum' # Allow using Field::Enum in administrate
 gem 'after_commit_everywhere'
 gem 'after_party'
 gem 'ancestry'
 gem 'anchored'
@ -22,21 +23,24 @@ gem 'chunky_png'
 gem 'clamav-client', require: 'clamav/client'
 gem 'daemons'
 gem 'deep_cloneable' # Enable deep clone of active record models
-gem 'delayed_cron_job' # Cron jobs
+gem 'delayed_cron_job', require: false # Cron jobs
 gem 'delayed_job_active_record'
 gem 'delayed_job_web'
-gem 'devise', git: 'https://github.com/heartcombo/devise.git', ref: "edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1" # Gestion des comptes utilisateurs, drop ref on next release: 4.9.4
+gem 'devise'
 gem 'devise-i18n'
 gem 'devise-two-factor'
 gem 'discard'
 gem 'dotenv-rails', require: 'dotenv/rails-now' # dotenv should always be loaded before rails
 gem 'dry-monads'
 gem 'faraday-jwt'
 gem 'flipper'
 gem 'flipper-active_record'
 gem 'flipper-active_support_cache_store'
 gem 'flipper-ui'
 gem 'fugit'
 gem 'geocoder'
 gem 'geo_coord', require: "geo/coord"
 gem 'gitlab-sidekiq-fetcher', require: 'sidekiq-reliable-fetch', git: 'https://github.com/demarches-simplifiees/reliable-fetch.git'
 gem 'gon'
 gem 'graphql', '2.0.24'
 gem 'graphql-batch', '0.5.1'
@ -73,6 +77,7 @@ gem 'puma' # Use Puma as the app server
 gem 'pundit'
 gem 'rack-attack'
 gem 'rails-i18n' # Locales par défaut
 gem 'rails-pg-extras'
 gem 'rake-progressbar', require: false
 gem 'redcarpet'
 gem 'redis'
@ -86,15 +91,23 @@ gem 'sentry-ruby'
 gem 'sentry-sidekiq'
 gem 'sib-api-v3-sdk'
 gem 'sidekiq'
 gem 'sidekiq-cron'
 gem 'skylight'
 gem 'spreadsheet_architect'
 gem 'strong_migrations' # lint database migrations
 gem 'sys-proctable'
 gem 'turbo-rails'
 gem 'typhoeus'
 gem 'ulid-ruby', require: 'ulid'
 gem 'view_component'
 gem 'vite_rails'
 gem 'warden'
 gem 'webrick', require: false
 gem 'yabeda-graphql'
 gem 'yabeda-prometheus'
 gem 'yabeda-puma-plugin'
 gem 'yabeda-rails'
 gem 'yabeda-sidekiq'
 gem 'zipline'
 gem 'zxcvbn-ruby', require: 'zxcvbn'
@ -112,6 +125,8 @@ group :test do
  gem 'selenium-devtools'
  gem 'selenium-webdriver'
  gem 'shoulda-matchers', require: false
  gem 'simplecov', require: false
  gem 'simplecov-cobertura', require: false
  gem 'timecop'
  gem 'vcr'
  gem 'webmock'
--- a/machines/compute01/ds-fr/package/rubyEnv/Gemfile.lock
+++ b/machines/compute01/ds-fr/package/rubyEnv/Gemfile.lock
@ -1,14 +1,10 @@
 GIT
-  remote: https://github.com/heartcombo/devise.git
+  remote: https://github.com/demarches-simplifiees/reliable-fetch.git
-  revision: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
+  revision: f547a270c402b0180091516d790434e83287fae7
  ref: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
  specs:
-    devise (4.9.3)
+    gitlab-sidekiq-fetcher (0.11.0)
-      bcrypt (~> 3.0)
+      json (>= 2.5)
-      orm_adapter (~> 0.1)
+      sidekiq (~> 7.0)
      railties (>= 4.1.0)
      responders
      warden (~> 1.2.3)
 GEM
  remote: https://rubygems.org/
@ -108,10 +104,15 @@ GEM
    administrate-field-enum (0.0.9)
      administrate (~> 0.12)
    aes_key_wrap (1.1.0)
    after_commit_everywhere (1.4.0)
      activerecord (>= 4.2)
      activesupport
    after_party (1.11.2)
    ancestry (4.3.3)
      activerecord (>= 5.2.6)
    anchored (1.1.0)
    anyway_config (2.6.3)
      ruby-next-core (~> 1.0)
    ast (2.4.2)
    attr_required (1.0.2)
    axe-core-api (4.8.2)
@ -135,8 +136,8 @@ GEM
      erubi (~> 1.4)
      parser (>= 2.4)
      smart_properties
-    bigdecimal (3.1.6)
+    bigdecimal (3.1.7)
-    bindata (2.4.15)
+    bindata (2.5.0)
    bindex (0.8.1)
    bootsnap (1.18.3)
      msgpack (~> 1.2)
@ -167,7 +168,7 @@ GEM
      nokogiri (~> 1.10, >= 1.10.4)
      rubyzip (>= 1.3.0, < 3)
    charlock_holmes (0.7.7)
-    chartkick (5.0.5)
+    chartkick (5.0.6)
    choice (0.2.0)
    chunky_png (1.4.0)
    clamav-client (3.2.0)
@ -200,6 +201,12 @@ GEM
      sinatra (>= 1.4.4)
    descendants_tracker (0.0.4)
      thread_safe (~> 0.3, >= 0.3.1)
    devise (4.9.4)
      bcrypt (~> 3.0)
      orm_adapter (~> 0.1)
      railties (>= 4.1.0)
      responders
      warden (~> 1.2.3)
    devise-i18n (1.12.0)
      devise (>= 4.9.0)
    devise-two-factor (5.0.0)
@ -210,6 +217,7 @@ GEM
    diff-lcs (1.5.1)
    discard (1.3.0)
      activerecord (>= 4.2, < 8)
    docile (1.4.0)
    dotenv (2.8.1)
    dotenv-rails (2.8.1)
      dotenv (= 2.8.1)
@ -218,25 +226,40 @@ GEM
    dry-core (1.0.1)
      concurrent-ruby (~> 1.0)
      zeitwerk (~> 2.6)
    dry-initializer (3.1.1)
    dry-monads (1.6.0)
      concurrent-ruby (~> 1.0)
      dry-core (~> 1.0, < 2)
      zeitwerk (~> 2.6)
    dumb_delegator (1.0.0)
    email_validator (2.2.4)
      activemodel
    erubi (1.12.0)
-    et-orbi (1.2.7)
+    et-orbi (1.2.11)
      tzinfo
    ethon (0.16.0)
      ffi (>= 1.15.0)
    excon (0.109.0)
    factory_bot (6.4.6)
      activesupport (>= 5.0.0)
    faraday (2.9.0)
      faraday-net_http (>= 2.0, < 3.2)
    faraday-follow_redirects (0.3.0)
      faraday (>= 1, < 3)
    faraday-jwt (0.1.0)
      faraday (~> 2.0)
      json-jwt (~> 1.16)
    faraday-net_http (3.1.0)
      net-http
    ffi (1.16.3)
    flipper (1.2.2)
      concurrent-ruby (< 2)
    flipper-active_record (1.2.2)
      activerecord (>= 4.2, < 8)
      flipper (~> 1.2.2)
    flipper-active_support_cache_store (1.2.2)
      activesupport (>= 4.2, < 8)
      flipper (~> 1.2.2)
    flipper-ui (1.2.2)
      erubi (>= 1.0.0, < 2.0.0)
      flipper (~> 1.2.2)
@ -255,7 +278,7 @@ GEM
      fog-core (~> 2.1)
      fog-json (>= 1.0)
    formatador (1.1.0)
-    fugit (1.9.0)
+    fugit (1.10.1)
      et-orbi (~> 1, >= 1.2.7)
      raabro (~> 1.4)
    geo_coord (0.2.0)
@ -305,8 +328,7 @@ GEM
    highline (3.0.1)
    htmlentities (4.3.4)
    http_accept_language (2.1.1)
-    httpclient (2.8.3)
+    i18n (1.14.4)
    i18n (1.14.1)
      concurrent-ruby (~> 1.0)
    i18n-tasks (1.0.13)
      activesupport (>= 4.0.2)
@ -328,7 +350,7 @@ GEM
    invisible_captcha (2.2.0)
      rails (>= 5.2)
    io-console (0.7.2)
-    irb (1.11.2)
+    irb (1.12.0)
      rdoc
      reline (>= 0.4.2)
    job-iteration (1.4.1)
@ -337,17 +359,23 @@ GEM
      rails-dom-testing (>= 1, < 3)
      railties (>= 4.2.0)
      thor (>= 0.14, < 2.0)
-    json (2.7.1)
+    json (2.7.2)
-    json-jwt (1.13.0)
+    json-jwt (1.16.6)
      activesupport (>= 4.2)
      aes_key_wrap
      base64
      bindata
-    json_schemer (2.1.1)
+      faraday (~> 2.0)
      faraday-follow_redirects
    json_schemer (2.2.1)
      base64
      bigdecimal
      hana (~> 1.3)
      regexp_parser (~> 2.0)
      simpleidn (~> 0.2)
    jsonapi-renderer (0.2.2)
-    jwt (2.7.1)
+    jwt (2.8.1)
      base64
    kaminari (1.2.2)
      activesupport (>= 4.1.0)
      kaminari-actionview (= 1.2.2)
@ -374,7 +402,7 @@ GEM
      letter_opener (~> 1.7)
      railties (>= 5.2)
      rexml
-    listen (3.8.0)
+    listen (3.9.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    lograge (0.14.0)
@ -391,7 +419,7 @@ GEM
      net-imap
      net-pop
      net-smtp
-    maintenance_tasks (2.6.0)
+    maintenance_tasks (2.7.0)
      actionpack (>= 6.0)
      activejob (>= 6.0)
      activerecord (>= 6.0)
@ -401,7 +429,7 @@ GEM
    marcel (1.0.2)
    matrix (0.4.2)
    memory_profiler (1.0.1)
-    method_source (1.0.0)
+    method_source (1.1.0)
    mime-types (3.5.2)
      mime-types-data (~> 3.2015)
    mime-types-data (3.2024.0206)
@ -409,12 +437,14 @@ GEM
      rake
    mini_magick (4.12.0)
    mini_mime (1.1.5)
-    mini_portile2 (2.8.5)
+    mini_portile2 (2.8.6)
-    minitest (5.22.2)
+    minitest (5.22.3)
    msgpack (1.7.2)
    multi_json (1.15.0)
    mustermann (3.0.0)
      ruby2_keywords (~> 0.0.1)
    net-http (0.4.1)
      uri
    net-imap (0.4.10)
      date
      net-protocol
@ -424,20 +454,23 @@ GEM
      timeout
    net-smtp (0.4.0.1)
      net-protocol
-    nio4r (2.7.0)
+    nio4r (2.7.1)
-    nokogiri (1.16.2)
+    nokogiri (1.16.4)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
-    openid_connect (1.3.0)
+    openid_connect (2.3.0)
      activemodel
      attr_required (>= 1.0.0)
-      json-jwt (>= 1.5.0)
+      email_validator
-      rack-oauth2 (>= 1.6.1)
+      faraday (~> 2.0)
-      swd (>= 1.0.0)
+      faraday-follow_redirects
      json-jwt (>= 1.16)
      mail
      rack-oauth2 (~> 2.2)
      swd (~> 2.0)
      tzinfo
      validate_email
      validate_url
-      webfinger (>= 1.0.1)
+      webfinger (~> 2.0)
    orm_adapter (0.5.0)
    parallel (1.24.0)
    parsby (1.1.1)
@ -445,8 +478,8 @@ GEM
      ast (~> 2.4.1)
      racc
    pdf-core (0.9.0)
-    pg (1.5.4)
+    pg (1.5.6)
-    phonelib (0.8.7)
+    phonelib (0.8.8)
    prawn (2.4.0)
      pdf-core (~> 0.9.0)
      ttfunk (~> 1.7)
@ -464,25 +497,27 @@ GEM
      actionmailer (>= 3)
      net-smtp
      premailer (~> 1.7, >= 1.7.9)
    prometheus-client (4.2.2)
    promise.rb (0.7.4)
    psych (5.1.2)
      stringio
-    public_suffix (5.0.4)
+    public_suffix (5.0.5)
    puma (6.4.2)
      nio4r (~> 2.0)
    pundit (2.3.1)
      activesupport (>= 3.0.0)
    raabro (1.4.0)
    racc (1.7.3)
-    rack (2.2.8.1)
+    rack (2.2.9)
    rack-attack (6.7.0)
      rack (>= 1.0, < 4)
    rack-mini-profiler (3.3.1)
      rack (>= 1.2.0)
-    rack-oauth2 (1.19.0)
+    rack-oauth2 (2.2.1)
      activesupport
      attr_required
-      httpclient
+      faraday (~> 2.0)
      faraday-follow_redirects
      json-jwt (>= 1.11.0)
      rack (>= 2.1.0)
    rack-protection (3.2.0)
@ -525,9 +560,12 @@ GEM
    rails-html-sanitizer (1.6.0)
      loofah (~> 2.21)
      nokogiri (~> 1.14)
-    rails-i18n (7.0.8)
+    rails-i18n (7.0.9)
      i18n (>= 0.7, < 2)
      railties (>= 6.0.0, < 8)
    rails-pg-extras (5.3.1)
      rails
      ruby-pg-extras (= 5.3.1)
    railties (7.0.8.1)
      actionpack (= 7.0.8.1)
      activesupport (= 7.0.8.1)
@ -536,20 +574,20 @@ GEM
      thor (~> 1.0)
      zeitwerk (~> 2.5)
    rainbow (3.1.1)
-    rake (13.1.0)
+    rake (13.2.1)
    rake-progressbar (0.0.5)
    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
-    rdoc (6.6.2)
+    rdoc (6.6.3.1)
      psych (>= 4.0.0)
    redcarpet (3.6.0)
-    redis (5.1.0)
+    redis (5.2.0)
-      redis-client (>= 0.17.0)
+      redis-client (>= 0.22.0)
-    redis-client (0.20.0)
+    redis-client (0.22.1)
      connection_pool
    regexp_parser (2.9.0)
-    reline (0.4.2)
+    reline (0.5.3)
      io-console (~> 0.5)
    request_store (1.5.1)
      rack (>= 1.4)
@ -574,20 +612,20 @@ GEM
    rspec-mocks (3.13.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (6.1.1)
+    rspec-rails (6.1.2)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
      railties (>= 6.1)
-      rspec-core (~> 3.12)
+      rspec-core (~> 3.13)
-      rspec-expectations (~> 3.12)
+      rspec-expectations (~> 3.13)
-      rspec-mocks (~> 3.12)
+      rspec-mocks (~> 3.13)
-      rspec-support (~> 3.12)
+      rspec-support (~> 3.13)
    rspec-retry (0.6.2)
      rspec-core (> 3.3)
-    rspec-support (3.13.0)
+    rspec-support (3.13.1)
    rspec_junit_formatter (0.6.0)
      rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (1.60.2)
+    rubocop (1.63.3)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
@ -595,29 +633,36 @@ GEM
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.30.0, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.30.0)
+    rubocop-ast (1.31.2)
-      parser (>= 3.2.1.0)
+      parser (>= 3.3.0.4)
    rubocop-capybara (2.20.0)
      rubocop (~> 1.41)
    rubocop-factory_bot (2.25.1)
      rubocop (~> 1.41)
-    rubocop-performance (1.20.2)
+    rubocop-performance (1.21.0)
      rubocop (>= 1.48.1, < 2.0)
-      rubocop-ast (>= 1.30.0, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rails (2.23.1)
+    rubocop-rails (2.24.1)
      activesupport (>= 4.2.0)
      rack (>= 1.1)
      rubocop (>= 1.33.0, < 2.0)
-      rubocop-ast (>= 1.30.0, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rspec (2.26.1)
+    rubocop-rspec (2.29.1)
      rubocop (~> 1.40)
      rubocop-capybara (~> 2.17)
      rubocop-factory_bot (~> 2.22)
      rubocop-rspec_rails (~> 2.28)
    rubocop-rspec_rails (2.28.3)
      rubocop (~> 1.40)
    ruby-graphviz (1.2.5)
      rexml
    ruby-next-core (1.0.2)
    ruby-pg-extras (5.3.1)
      pg
      terminal-table
    ruby-progressbar (1.13.0)
    ruby-vips (2.2.0)
      ffi (~> 1.12)
@ -648,38 +693,52 @@ GEM
    scss_lint (0.60.0)
      sass (~> 3.5, >= 3.5.5)
    selectize-rails (0.12.6)
-    selenium-devtools (0.121.0)
+    selenium-devtools (0.123.0)
      selenium-webdriver (~> 4.2)
-    selenium-webdriver (4.17.0)
+    selenium-webdriver (4.19.0)
      base64 (~> 0.2)
      rexml (~> 3.2, >= 3.2.5)
      rubyzip (>= 1.2.2, < 3.0)
      websocket (~> 1.0)
-    sentry-delayed_job (5.16.1)
+    sentry-delayed_job (5.17.3)
      delayed_job (>= 4.0)
-      sentry-ruby (~> 5.16.1)
+      sentry-ruby (~> 5.17.3)
-    sentry-rails (5.16.1)
+    sentry-rails (5.17.3)
      railties (>= 5.0)
-      sentry-ruby (~> 5.16.1)
+      sentry-ruby (~> 5.17.3)
-    sentry-ruby (5.16.1)
+    sentry-ruby (5.17.3)
      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.0.2)
-    sentry-sidekiq (5.16.1)
+    sentry-sidekiq (5.17.3)
-      sentry-ruby (~> 5.16.1)
+      sentry-ruby (~> 5.17.3)
      sidekiq (>= 3.0)
-    shoulda-matchers (6.1.0)
+    shoulda-matchers (6.2.0)
      activesupport (>= 5.2.0)
    sib-api-v3-sdk (9.1.0)
      addressable (~> 2.3, >= 2.3.0)
      json (~> 2.1, >= 2.1.0)
      typhoeus (~> 1.0, >= 1.0.1)
-    sidekiq (7.2.1)
+    sidekiq (7.2.2)
      concurrent-ruby (< 2)
      connection_pool (>= 2.3.0)
      rack (>= 2.2.4)
      redis-client (>= 0.19.0)
    sidekiq-cron (1.12.0)
      fugit (~> 1.8)
      globalid (>= 1.0.1)
      sidekiq (>= 6)
    simple_xlsx_reader (1.0.4)
      nokogiri
      rubyzip
    simplecov (0.22.0)
      docile (~> 1.1)
      simplecov-html (~> 0.11)
      simplecov_json_formatter (~> 0.1)
    simplecov-cobertura (2.1.0)
      rexml
      simplecov (~> 0.19)
    simplecov-html (0.12.3)
    simplecov_json_formatter (0.1.4)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
    sinatra (3.2.0)
@ -687,13 +746,13 @@ GEM
      rack (~> 2.2, >= 2.2.4)
      rack-protection (= 3.2.0)
      tilt (~> 2.0)
-    skylight (6.0.3)
+    skylight (6.0.4)
      activesupport (>= 5.2.0)
    smart_properties (1.17.0)
    spreadsheet_architect (5.0.0)
      caxlsx (>= 3.3.0, < 4)
      rodf (>= 1.0.0, < 2)
-    spring (4.1.3)
+    spring (4.2.1)
    spring-commands-rspec (1.0.4)
      spring (>= 0.9.1)
    sprockets (4.2.1)
@ -705,23 +764,26 @@ GEM
      sprockets (>= 3.0.0)
    stackprof (0.2.26)
    stringio (3.1.0)
-    strong_migrations (1.7.0)
+    strong_migrations (1.8.0)
      activerecord (>= 5.2)
-    swd (1.3.0)
+    swd (2.0.3)
      activesupport (>= 3)
      attr_required (>= 0.0.5)
-      httpclient (>= 2.4)
+      faraday (~> 2.0)
      faraday-follow_redirects
    sys-proctable (1.3.0)
      ffi (~> 1.1)
    sysexits (1.2.0)
    temple (0.8.2)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
-    thor (1.3.0)
+    thor (1.3.1)
    thread_safe (0.3.6)
    tilt (2.3.0)
    timecop (0.9.8)
    timeout (0.4.1)
    ttfunk (1.7.0)
-    turbo-rails (2.0.2)
+    turbo-rails (2.0.5)
      actionpack (>= 6.0.0)
      activejob (>= 6.0.0)
      railties (>= 6.0.0)
@ -734,14 +796,12 @@ GEM
      unf_ext
    unf_ext (0.0.9.1)
    unicode-display_width (2.5.0)
-    validate_email (0.1.6)
+    uri (0.13.0)
      activemodel (>= 3.0)
      mail (>= 2.2.5)
    validate_url (1.0.15)
      activemodel (>= 3.0.0)
      public_suffix
    vcr (6.2.0)
-    view_component (3.10.0)
+    view_component (3.12.1)
      activesupport (>= 5.2.0, < 8.0)
      concurrent-ruby (~> 1.0)
      method_source (~> 1.0)
@ -763,13 +823,15 @@ GEM
      activemodel (>= 6.0.0)
      bindex (>= 0.4.0)
      railties (>= 6.0.0)
-    webfinger (1.2.0)
+    webfinger (2.1.3)
      activesupport
-      httpclient (>= 2.4)
+      faraday (~> 2.0)
-    webmock (3.20.0)
+      faraday-follow_redirects
    webmock (3.23.0)
      addressable (>= 2.8.0)
      crack (>= 0.3.2)
      hashdiff (>= 0.4.0, < 2.0.0)
    webrick (1.8.1)
    websocket (1.2.10)
    websocket-driver (0.7.6)
      websocket-extensions (>= 0.1.0)
@ -783,6 +845,30 @@ GEM
      nokogiri (~> 1.11)
    xpath (3.2.0)
      nokogiri (~> 1.8)
    yabeda (0.12.0)
      anyway_config (>= 1.0, < 3)
      concurrent-ruby
      dry-initializer
    yabeda-graphql (0.2.3)
      graphql (>= 1.9, < 3)
      yabeda (~> 0.2)
    yabeda-prometheus (0.9.1)
      prometheus-client (>= 3.0, < 5.0)
      rack
      yabeda (~> 0.10)
    yabeda-puma-plugin (0.7.1)
      json
      puma
      yabeda (~> 0.5)
    yabeda-rails (0.9.0)
      activesupport
      anyway_config (>= 1.3, < 3)
      railties
      yabeda (~> 0.8)
    yabeda-sidekiq (0.12.0)
      anyway_config (>= 1.3, < 3)
      sidekiq
      yabeda (~> 0.6)
    zeitwerk (2.6.13)
    zip_tricks (5.6.0)
    zipline (1.5.0)
@ -803,6 +889,7 @@ DEPENDENCIES
  addressable
  administrate
  administrate-field-enum
  after_commit_everywhere
  after_party
  ancestry
  anchored
@ -824,19 +911,22 @@ DEPENDENCIES
  delayed_cron_job
  delayed_job_active_record
  delayed_job_web
-  devise!
+  devise
  devise-i18n
  devise-two-factor
  discard
  dotenv-rails
  dry-monads
  factory_bot
  faraday-jwt
  flipper
  flipper-active_record
  flipper-active_support_cache_store
  flipper-ui
  fugit
  geo_coord
  geocoder
  gitlab-sidekiq-fetcher!
  gon
  graphql (= 2.0.24)
  graphql-batch (= 0.5.1)
@ -885,6 +975,7 @@ DEPENDENCIES
  rails-controller-testing
  rails-erd
  rails-i18n
  rails-pg-extras
  rake-progressbar
  redcarpet
  redis
@ -909,13 +1000,17 @@ DEPENDENCIES
  shoulda-matchers
  sib-api-v3-sdk
  sidekiq
  sidekiq-cron
  simple_xlsx_reader
  simplecov
  simplecov-cobertura
  skylight
  spreadsheet_architect
  spring
  spring-commands-rspec
  stackprof
  strong_migrations
  sys-proctable
  timecop
  turbo-rails
  typhoeus
@ -926,8 +1021,14 @@ DEPENDENCIES
  warden
  web-console
  webmock
  webrick
  yabeda-graphql
  yabeda-prometheus
  yabeda-puma-plugin
  yabeda-rails
  yabeda-sidekiq
  zipline
  zxcvbn-ruby
 BUNDLED WITH
-   2.5.4
+   2.5.9
--- a/machines/compute01/ds-fr/package/rubyEnv/gemset.nix
+++ b/machines/compute01/ds-fr/package/rubyEnv/gemset.nix
--- a/machines/compute01/ds-fr/package/update.sh
+++ b/machines/compute01/ds-fr/package/update.sh
@ -26,13 +26,13 @@ done
 CWD=$(pwd)
 TMP=$(mktemp -d)
-cd "$TMP"
+cd "$TMP" || exit 1
 # Fetch the latest source or the required version
 gitUrl="https://github.com/demarches-simplifiees/demarches-simplifiees.fr.git"
 if [ -n "$version" ]; then
-	git clone --depth 1 --branch $version $gitUrl .
+	git clone --depth 1 --branch "$version" $gitUrl .
 else
 	git clone --depth 1 $gitUrl .
@ -48,10 +48,10 @@ cp gemset.nix Gemfile Gemfile.lock "$CWD/rubyEnv/"
 # Print the new source details
 SRC_HASH=$(nix-shell -p nurl --run "nurl --hash $gitUrl $version")
-# Print Yarn deps hash
+# Switch to bun
-hash=$(nix-shell -p prefetch-yarn-deps --run "prefetch-yarn-deps yarn.lock")
+nix-shell -p bun --run "bun install --frozen-lockfile --no-cache --no-progress --ignore-scripts"
-DEPS_HASH=$(nix-hash --to-sri --type sha256 "$hash")
+DEPS_HASH=$(nix-hash --sri --type sha256 node_modules)
 cat <<EOF >"$CWD/meta.nix"
 {
@ -61,6 +61,6 @@ cat <<EOF >"$CWD/meta.nix"
 }
 EOF
-nixfmt "$CWD"
+nix-shell -p nixfmt-rfc-style --run "nixfmt $CWD"
 rm -rf "$TMP"
--- a/machines/compute01/k-radius/module.nix
+++ b/machines/compute01/k-radius/module.nix
@ -1,200 +0,0 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib)
    mkEnableOption
    mkIf
    mkOption
    types
    ;
  settingsFormat = pkgs.formats.toml { };
  py-pkgs = import ./packages/python { inherit pkgs; };
  pykanidm = pkgs.callPackage ./packages/pykanidm.nix { inherit (py-pkgs) pydantic; };
  rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
  cfg = config.services.k-radius;
 in
 {
  options.services.k-radius = {
    enable = mkEnableOption "a freeradius service linked to kanidm.";
    settings = mkOption { inherit (settingsFormat) type; };
    freeradius = mkOption {
      type = types.package;
      default = pkgs.freeradius.overrideAttrs (
        old: {
          buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
        }
      );
    };
    configDir = mkOption {
      type = types.path;
      default = "/var/lib/radius/raddb";
      description = "The path of the freeradius server configuration directory.";
    };
    authTokenFile = mkOption {
      type = types.path;
      description = "File to the auth token for the service account.";
    };
    radiusClients = mkOption {
      type = types.attrsOf (
        types.submodule {
          options = {
            secret = mkOption { type = types.path; };
            ipaddr = mkOption { type = types.str; };
          };
        }
      );
      default = { };
      description = "A mapping of clients and their authentication tokens.";
    };
    certs = {
      ca = mkOption {
        type = types.str;
        description = "The signing CA of the RADIUS certificate.";
      };
      dh = mkOption {
        type = types.str;
        description = "The output of `openssl dhparam -in ca.pem -out dh.pem 2048`.";
      };
      cert = mkOption {
        type = types.str;
        description = "The certificate for the RADIUS server.";
      };
      key = mkOption {
        type = types.str;
        description = "The signing key for the RADIUS certificate.";
      };
    };
    privateKeyPasswordFile = mkOption { type = types.path; };
  };
  config = mkIf cfg.enable {
    users = {
      users.radius = {
        group = "radius";
        description = "Radius daemon user";
        isSystemUser = true;
      };
      groups.radius = { };
    };
    services.k-radius.settings = {
      ca_path = cfg.certs.ca;
      radius_cert_path = cfg.certs.cert;
      radius_key_path = cfg.certs.key;
      radius_dh_path = cfg.certs.dh;
      radius_ca_path = cfg.certs.ca;
    };
    systemd.services.radius = {
      description = "FreeRadius server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      wants = [ "network.target" ];
      preStart = ''
        cp -R ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
        cp -R ${rlm_python}/etc/raddb/* ${cfg.configDir}
        chmod -R u+w ${cfg.configDir}
        # disable auth via methods kanidm doesn't support
        rm ${cfg.configDir}/mods-available/sql
        rm ${cfg.configDir}/mods-enabled/{passwd,totp}
        # enable the python and cache modules
        ln -nsf ${cfg.configDir}/mods-available/python3 ${cfg.configDir}/mods-enabled/python3
        ln -nsf ${cfg.configDir}/sites-available/check-eap-tls ${cfg.configDir}/sites-enabled/check-eap-tls
        # write the clients configuration
        rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
        ${builtins.concatStringsSep "\n" (
          builtins.attrValues (
            builtins.mapAttrs
              (
                name:
                { secret, ipaddr }:
                ''
                  cat <<EOF >> ${cfg.configDir}/clients.conf
                  client ${name} {
                      ipaddr = ${ipaddr}
                      secret = $(cat "${secret}")
                      proto  = *
                  }
                  EOF
                ''
              )
              cfg.radiusClients
          )
        )}
        # Copy the kanidm configuration
        cat <<EOF > /var/lib/radius/kanidm.toml
        auth_token = "$(cat "${cfg.authTokenFile}")"
        EOF
        cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml
        chmod u+w /var/lib/radius/kanidm.toml
        # Copy the certificates to the correct directory
        rm -rf ${cfg.configDir}/certs && mkdir -p ${cfg.configDir}/certs
        cp ${cfg.certs.ca} ${cfg.configDir}/certs/ca.pem
        ${pkgs.openssl}/bin/openssl rehash ${cfg.configDir}/certs
        cp ${cfg.certs.dh} ${cfg.configDir}/certs/dh.pem
        cat ${cfg.certs.cert} ${cfg.certs.key} > ${cfg.configDir}/certs/server.pem
        # Write the password of the private_key in the eap module
        sed -i ${cfg.configDir}/mods-available/eap \
          -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
        # Check the configuration
        # ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
      '';
      path = [
        pkgs.openssl
        pkgs.gnused
      ];
      serviceConfig = {
        ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d ${cfg.configDir} -l stdout";
        ExecReload = [
          "${cfg.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
          "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
        ];
        User = "radius";
        Group = "radius";
        DynamicUser = true;
        Restart = "on-failure";
        RestartSec = 2;
        LogsDirectory = "radius";
        StateDirectory = "radius";
        RuntimeDirectory = "radius";
        Environment = [
          "KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
          "PYTHONPATH=${rlm_python.pythonPath}"
        ];
      };
    };
  };
 }
--- a/machines/compute01/k-radius/packages/pykanidm.nix
+++ b/machines/compute01/k-radius/packages/pykanidm.nix
@ -1,50 +0,0 @@
 {
  lib,
  fetchFromGitHub,
  python3,
  pydantic,
 }:
 let
  pname = "kanidm";
  version = "0.0.3";
 in
 python3.pkgs.buildPythonPackage {
  inherit pname version;
  format = "pyproject";
  disabled = python3.pythonOlder "3.8";
  src =
    (fetchFromGitHub {
      owner = pname;
      repo = pname;
      # Latest 1.1.0-rc.15 tip
      rev = "a5ca8018e3a636dbb0a79b3fd869db059d92979d";
      hash = "sha256-PFGoeGn7a/lVR6rOmOKA3ydAoo3/+9RlkwBAKS22Psg=";
    })
    + "/pykanidm";
  nativeBuildInputs = with python3.pkgs; [ poetry-core ];
  propagatedBuildInputs = with python3.pkgs; [
    aiohttp
    pydantic
    toml
    (authlib.overridePythonAttrs (_: { doCheck = false; }))
  ];
  doCheck = false;
  pythonImportsCheck = [ "kanidm" ];
  meta = with lib; {
    description = "Kanidm client library";
    homepage = "https://github.com/kanidm/kanidm/tree/master/pykanidm";
    license = licenses.mpl20;
    maintainers = with maintainers; [
      arianvp
      hexa
    ];
  };
 }
--- a/machines/compute01/k-radius/packages/python/01-remove-benchmark-flags.patch
+++ b/machines/compute01/k-radius/packages/python/01-remove-benchmark-flags.patch
@ -1,18 +0,0 @@
 diff --git a/pyproject.toml b/pyproject.toml
 index 1602e32..507048d 100644
 --- a/pyproject.toml
 +++ b/pyproject.toml
@@ -72,13 +72,6 @@ filterwarnings = [
 ]
 timeout = 30
 xfail_strict = true
 -# min, max, mean, stddev, median, iqr, outliers, ops, rounds, iterations
 -addopts = [
 -    '--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations',
 -    '--benchmark-group-by', 'group',
 -    '--benchmark-warmup', 'on',
 -    '--benchmark-disable',  # this is enable by `make benchmark` when you actually want to run benchmarks
 -]
 [tool.coverage.run]
 source = ['pydantic_core']
--- a/machines/compute01/k-radius/packages/python/default.nix
+++ b/machines/compute01/k-radius/packages/python/default.nix
@ -1,20 +0,0 @@
 { pkgs }:
 let
  inherit (pkgs) lib;
  callPackage = lib.callPackageWith (pkgs // pkgs.python3.pkgs // self);
  self = builtins.listToAttrs (
    builtins.map
      (name: {
        inherit name;
        value = callPackage (./. + "/${name}.nix") { };
      })
      [
        "pydantic"
        "pydantic-core"
      ]
  );
 in
 self
--- a/machines/compute01/k-radius/packages/python/pydantic-core.nix
+++ b/machines/compute01/k-radius/packages/python/pydantic-core.nix
@ -1,84 +0,0 @@
 {
  stdenv,
  lib,
  buildPythonPackage,
  fetchFromGitHub,
  cargo,
  rustPlatform,
  rustc,
  libiconv,
  typing-extensions,
  pytestCheckHook,
  hypothesis,
  pytest-timeout,
  pytest-mock,
  dirty-equals,
 }:
 let
  pydantic-core = buildPythonPackage rec {
    pname = "pydantic-core";
    version = "2.14.5";
    format = "pyproject";
    src = fetchFromGitHub {
      owner = "pydantic";
      repo = "pydantic-core";
      rev = "refs/tags/v${version}";
      hash = "sha256-UguZpA3KEutOgIavjx8Ie//0qJq+4FTZNQTwb/ZIgb8=";
    };
    patches = [ ./01-remove-benchmark-flags.patch ];
    cargoDeps = rustPlatform.fetchCargoTarball {
      inherit src;
      name = "${pname}-${version}";
      hash = "sha256-mMgw922QjHmk0yimXfolLNiYZntTsGydQywe7PTNnwc=";
    };
    nativeBuildInputs = [
      cargo
      rustPlatform.cargoSetupHook
      rustPlatform.maturinBuildHook
      rustc
      typing-extensions
    ];
    buildInputs = lib.optionals stdenv.isDarwin [ libiconv ];
    propagatedBuildInputs = [ typing-extensions ];
    pythonImportsCheck = [ "pydantic_core" ];
    # escape infinite recursion with pydantic via dirty-equals
    doCheck = false;
    passthru.tests.pytest = pydantic-core.overrideAttrs { doCheck = true; };
    nativeCheckInputs = [
      pytestCheckHook
      hypothesis
      pytest-timeout
      dirty-equals
      pytest-mock
    ];
    disabledTests = [
      # RecursionError: maximum recursion depth exceeded while calling a Python object
      "test_recursive"
    ];
    disabledTestPaths = [
      # no point in benchmarking in nixpkgs build farm
      "tests/benchmarks"
    ];
    meta = with lib; {
      changelog = "https://github.com/pydantic/pydantic-core/releases/tag/v${version}";
      description = "Core validation logic for pydantic written in rust";
      homepage = "https://github.com/pydantic/pydantic-core";
      license = licenses.mit;
      maintainers = with maintainers; [ blaggacao ];
    };
  };
 in
 pydantic-core
--- a/machines/compute01/k-radius/packages/python/pydantic.nix
+++ b/machines/compute01/k-radius/packages/python/pydantic.nix
@ -1,92 +0,0 @@
 {
  lib,
  buildPythonPackage,
  fetchFromGitHub,
  pythonOlder,
  # build-system
  hatchling,
  hatch-fancy-pypi-readme,
  # native dependencies
  libxcrypt,
  # dependencies
  annotated-types,
  pydantic-core,
  typing-extensions,
  # tests
  cloudpickle,
  email-validator,
  dirty-equals,
  faker,
  pytestCheckHook,
  pytest-mock,
 }:
 buildPythonPackage rec {
  pname = "pydantic";
  version = "2.5.2";
  pyproject = true;
  disabled = pythonOlder "3.7";
  src = fetchFromGitHub {
    owner = "pydantic";
    repo = "pydantic";
    rev = "refs/tags/v${version}";
    hash = "sha256-D0gYcyrKVVDhBgV9sCVTkGq/kFmIoT9l0i5bRM1qxzM=";
  };
  buildInputs = lib.optionals (pythonOlder "3.9") [ libxcrypt ];
  nativeBuildInputs = [
    hatch-fancy-pypi-readme
    hatchling
  ];
  propagatedBuildInputs = [
    annotated-types
    pydantic-core
    typing-extensions
  ];
  passthru.optional-dependencies = {
    email = [ email-validator ];
  };
  nativeCheckInputs = [
    cloudpickle
    dirty-equals
    faker
    pytest-mock
    pytestCheckHook
  ] ++ lib.flatten (lib.attrValues passthru.optional-dependencies);
  preCheck = ''
    export HOME=$(mktemp -d)
    substituteInPlace pyproject.toml \
      --replace "'--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations'," "" \
      --replace "'--benchmark-group-by', 'group'," "" \
      --replace "'--benchmark-warmup', 'on'," "" \
      --replace "'--benchmark-disable'," ""
  '';
  disabledTestPaths = [
    "tests/benchmarks"
    # avoid cyclic dependency
    "tests/test_docs.py"
  ];
  pythonImportsCheck = [ "pydantic" ];
  meta = with lib; {
    description = "Data validation and settings management using Python type hinting";
    homepage = "https://github.com/pydantic/pydantic";
    changelog = "https://github.com/pydantic/pydantic/blob/v${version}/HISTORY.md";
    license = licenses.mit;
    maintainers = with maintainers; [ wd15 ];
  };
 }
--- a/machines/compute01/k-radius/packages/rlm_python.nix
+++ b/machines/compute01/k-radius/packages/rlm_python.nix
@ -1,45 +0,0 @@
 {
  stdenv,
  fetchFromGitHub,
  python3,
  pykanidm,
 }:
 let
  pythonPath = with python3.pkgs; makePythonPath [ pykanidm ];
 in
 stdenv.mkDerivation rec {
  pname = "rlm_python";
  version = "1.1.0-rc.15";
  src = fetchFromGitHub {
    owner = "kanidm";
    repo = "kanidm";
    rev = "v${version}";
    hash = "sha256-0y8juXS61Z9zxOdsWAQ6lJurP+n855Nela6egYRecok=";
  };
  patches = [ ./python_path.patch ];
  postPatch = ''
    substituteInPlace rlm_python/mods-available/python3 \
      --replace "@kanidm_python@" "${pythonPath}"
  '';
  installPhase = ''
    mkdir -p $out/etc/raddb/
    cp -R rlm_python/{mods-available,sites-available} $out/etc/raddb/
  '';
  phases = [
    "unpackPhase"
    "patchPhase"
    "installPhase"
  ];
  passthru = {
    inherit pythonPath;
  };
  preferLocalBuild = true;
 }
--- a/machines/compute01/kanidm/default.nix
+++ b/machines/compute01/kanidm/default.nix
@ -1,24 +1,38 @@
-{ config, sources, ... }:
+{
  config,
  lib,
  nixpkgs,
  ...
 }:
 let
  inherit (lib) escapeRegex concatStringsSep;
  domain = "sso.dgnum.eu";
  cert = config.security.acme.certs.${domain};
-  allowedSubDomains = [
+  allowedDomains = builtins.map escapeRegex (
-    "cloud"
+    (builtins.map (s: "${s}.dgnum.eu") [
-    "git"
+      # DGNum subdomains
-    "videos"
+      "cloud"
-    "social"
+      "git"
-    "demarches"
+      "videos"
-    "netbird"
+      "social"
-  ];
+      "demarches"
      "netbird"
    ])
    ++ [
      # Extra domains
      "netbird-beta.hubrecht.ovh"
    ]
  );
 in
 {
  services.kanidm = {
    enableServer = true;
-    package = (import sources.nixos-unstable { }).kanidm;
+    package = nixpkgs.unstable.kanidm;
    serverSettings = {
      inherit domain;
@ -53,7 +67,7 @@ in
          set $origin $http_origin;
-          if ($origin !~ '^https?://(${builtins.concatStringsSep "|" allowedSubDomains})\.dgnum\.eu$') {
+          if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
              set $origin 'https://${domain}';
          }
--- a/machines/compute01/kanidm/secrets/secrets.nix
+++ b/machines/compute01/kanidm/secrets/secrets.nix
@ -1,9 +1,4 @@
-let
+(import ../../../../keys).mkSecrets [ "compute01" ] [
  lib = import ../../../../lib { };
  publicKeys = lib.getNodeKeys "compute01";
 in
 lib.setDefault { inherit publicKeys; } [
  "kanidm-password_admin"
  "kanidm-password_idm_admin"
 ]
--- a/machines/compute01/librenms/default.nix
+++ b/machines/compute01/librenms/default.nix
@ -12,12 +12,10 @@ in
    package =
      (pkgs.librenms.override { inherit (config.services.librenms) dataDir logDir; }).overrideAttrs
-        (
+        (old: {
-          old: {
+          patches = (old.patches or [ ]) ++ [ ./kanidm.patch ];
-            patches = (old.patches or [ ]) ++ [ ./kanidm.patch ];
+          vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI=";
-            vendorHash = "sha256-2RgtMXQp4fTE+WloO36rtfytO4Sh2q0plt8WkWxEGHI=";
+        });
          }
        );
    hostname = host;
--- a/machines/compute01/librenms/module.nix
+++ b/machines/compute01/librenms/module.nix
@ -198,13 +198,11 @@ in
    poolConfig = mkOption {
      type =
        with types;
-        attrsOf (
+        attrsOf (oneOf [
-          oneOf [
+          str
-            str
+          int
-            int
+          bool
-            bool
+        ]);
          ]
        );
      default = {
        "pm" = "dynamic";
        "pm.max_children" = 32;
@ -221,9 +219,9 @@ in
    nginx = mkOption {
      type = types.submodule (
-        recursiveUpdate
+        recursiveUpdate (import "${modulesPath}/services/web-servers/nginx/vhost-options.nix" {
-          (import "${modulesPath}/services/web-servers/nginx/vhost-options.nix" { inherit config lib; })
+          inherit config lib;
-          { }
+        }) { }
      );
      default = { };
      example = literalExpression ''
@ -392,9 +390,9 @@ in
        }
        // (lib.optionalAttrs cfg.distributedPoller.enable {
          "distributed_poller" = true;
-          "distributed_poller_name" =
+          "distributed_poller_name" = lib.mkIf (
-            lib.mkIf (cfg.distributedPoller.name != null)
+            cfg.distributedPoller.name != null
-              cfg.distributedPoller.name;
+          ) cfg.distributedPoller.name;
          "distributed_poller_group" = cfg.distributedPoller.group;
          "distributed_billing" = cfg.distributedPoller.distributedBilling;
          "distributed_poller_memcached_host" = cfg.distributedPoller.memcachedHost;
--- a/machines/compute01/mastodon.nix
+++ b/machines/compute01/mastodon.nix
@ -9,8 +9,12 @@ in
    localDomain = host;
    smtp = {
-      # TODO: smtp setup
+      fromAddress = "noreply@infra.dgnum.eu";
-      fromAddress = "social@services.dgnum.eu";
+      host = "kurisu.lahfa.xyz";
      port = 465;
      user = "web-services@infra.dgnum.eu";
      passwordFile = config.age.secrets.mastodon-smtp-password.path;
      authenticate = true;
    };
    streamingProcesses = 4;
@ -22,6 +26,8 @@ in
      # LOCAL_DOMAIN = "dgnum.eu";
      WEB_DOMAIN = host;
      SMTP_TLS = "true";
      RAILS_LOG_LEVEL = "warn";
      # ObjectStorage configuration
--- a/machines/compute01/nextcloud.nix
+++ b/machines/compute01/nextcloud.nix
@ -9,22 +9,16 @@ in
    enable = true;
    hostName = host;
-    package = pkgs.nextcloud28;
+    package = pkgs.nextcloud29;
    https = true;
    config = {
      overwriteProtocol = "https";
      dbtype = "pgsql";
      adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
      adminuser = "thubrecht";
      defaultPhoneRegion = "FR";
      trustedProxies = [ "::1" ];
      objectstore.s3 = {
        enable = true;
@ -61,7 +55,7 @@ in
      "opcache.max_accelerated_files" = "10000";
      "opcache.memory_consumption" = "128";
      "opcache.revalidate_freq" = "1";
-      "opcache.fast_shutdown" = "1";
+      "opcache.fast_shutdown" = "0";
      "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
      catch_workers_output = "yes";
    };
@ -71,11 +65,17 @@ in
    autoUpdateApps.enable = true;
-    extraOptions = {
+    settings = {
      overwriteprotocol = "https";
      overwritehost = host;
      "overwrite.cli.url" = "https://${host}";
      updatechecker = false;
      default_phone_region = "FR";
      trusted_proxies = [ "::1" ];
      allow_local_remote_servers = true;
      maintenance_window_start = 1;
@ -97,15 +97,12 @@ in
  };
  virtualisation.oci-containers = {
    # # Since 22.05, the default driver is podman but it doesn't work
    # # with podman. It would however be nice to switch to podman.
    # backend = "docker";
    containers.collabora = {
      image = "collabora/code";
      imageFile = pkgs.dockerTools.pullImage {
        imageName = "collabora/code";
-        imageDigest = "sha256:a8cce07c949aa59cea0a7f1f220266a1a6d886c717c3b5005782baf6f384d645";
+        imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
-        sha256 = "sha256-lN6skv62x+x7G7SNOUyZ8W6S/uScrkqE1nbBwwSEWXQ=";
+        sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
      };
      ports = [ "9980:9980" ];
      environment = {
@ -113,6 +110,7 @@ in
        extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
      };
      extraOptions = [
        "--network=host"
        "--cap-add"
        "MKNOD"
        "--cap-add"
--- a/machines/compute01/ollama-proxy.nix
+++ b/machines/compute01/ollama-proxy.nix
@ -0,0 +1,27 @@
 {
  pkgs,
  nodes,
  meta,
  ...
 }:
 {
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts."ollama01.beta.dgnum.eu" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://${meta.network.krz01.netbirdIp}:${toString nodes.krz01.config.services.ollama.port}";
        basicAuthFile = pkgs.writeText "ollama-htpasswd" ''
          raito:$y$j9T$UDEHpLtM52hRGK0I4qT6M0$N75AhENLqgtJnTGaPzq51imhjZvuPr.ow81Co1ZTcX2
        '';
      };
    };
  };
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
 }
--- a/machines/compute01/plausible.nix
+++ b/machines/compute01/plausible.nix
@ -14,7 +14,7 @@ in
      smtp = {
        user = "web-services@infra.dgnum.eu";
-        passwordFile = config.age.secrets."_smtp-password-file".path;
+        passwordFile = config.age.secrets."plausible-smtp_password_file".path;
        hostPort = 465;
        hostAddr = "kurisu.lahfa.xyz";
        enableSSL = true;
@ -27,11 +27,11 @@ in
      disableRegistration = false;
-      secretKeybaseFile = config.age.secrets."plausible_secret-key-base-file".path;
+      secretKeybaseFile = config.age.secrets."plausible-secret_key_base_file".path;
    };
    adminUser = {
-      passwordFile = config.age.secrets."plausible_admin-user-password-file".path;
+      passwordFile = config.age.secrets."plausible-admin_user_password_file".path;
      email = "tom.hubrecht@dgnum.eu";
      name = "thubrecht";
      activate = true;
--- a/machines/compute01/postgresql.nix
+++ b/machines/compute01/postgresql.nix
@ -0,0 +1,34 @@
 { pkgs, ... }:
 {
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
    settings = {
      checkpoint_completion_target = 0.90625;
      default_statistics_target = 100;
      effective_cache_size = "32GB";
      effective_io_concurrency = 200;
      maintenance_work_mem = "2GB";
      max_connections = 500;
      max_parallel_maintenance_workers = 4;
      max_parallel_workers = 12;
      max_parallel_workers_per_gather = 4;
      max_wal_size = "4GB";
      max_worker_processes = 12;
      min_wal_size = "1GB";
      random_page_cost = 1.125;
      shared_buffers = "16GB";
      wal_buffers = "16MB";
      work_mem = "83886kB";
    };
  };
  dgn-console = {
    # Update the versions below for upgrading
    pg-upgrade-to = pkgs.postgresql_16.withPackages (ps: [ ps.postgis ]);
    pg-upgrade-from = pkgs.postgresql_16.withPackages (ps: [ ps.postgis ]);
  };
 }
--- a/machines/compute01/satosa/module.nix
+++ b/machines/compute01/satosa/module.nix
@ -23,12 +23,10 @@ let
  mkYamlFiles =
    files: builtins.attrValues (builtins.mapAttrs (name: yamlFormat.generate "${name}.yaml") files);
-  pyEnv = cfg.package.python.withPackages (
+  pyEnv = cfg.package.python.withPackages (ps: [
-    ps: [
+    cfg.package
-      cfg.package
+    ps.gunicorn
-      ps.gunicorn
+  ]);
    ]
  );
 in
 {
  options.services.satosa = {
--- a/machines/compute01/satosa/package/satosa.nix
+++ b/machines/compute01/satosa/package/satosa.nix
@ -1,7 +1,7 @@
 {
  lib,
  python3,
-  fetchPypi,
+  fetchFromGitHub,
  cookies-samesite-compat,
  pyop,
 }:
@ -11,17 +11,13 @@ python3.pkgs.buildPythonPackage rec {
  version = "8.4.0";
  pyproject = true;
-  src = fetchPypi {
+  src = fetchFromGitHub {
-    pname = "SATOSA";
+    owner = "IdentityPython";
-    inherit version;
+    repo = "SATOSA";
-    hash = "sha256-KREROjb157RJJVRr9YefzoR/eflR/U7ZmG6yOH5DjcU=";
+    rev = "v${version}";
    hash = "sha256-q7XmZ3EnAFO1OXIhXIF4Vd0H8uaayFIHFZpWiZUsAFA=";
  };
  nativeBuildInputs = [
    python3.pkgs.setuptools
    python3.pkgs.wheel
  ];
  propagatedBuildInputs = with python3.pkgs; [
    chevron
    click
@ -50,7 +46,7 @@ python3.pkgs.buildPythonPackage rec {
    description = "Protocol proxy (SAML/OIDC)";
    homepage = "https://pypi.org/project/SATOSA";
    license = licenses.asl20;
-    maintainers = with maintainers; [ ];
+    maintainers = with maintainers; [ thubrecht ];
    mainProgram = "satosa";
  };
 }
--- a/machines/compute01/secrets/arkheon-env_file
+++ b/machines/compute01/secrets/arkheon-env_file
--- a/machines/compute01/secrets/dgsi-email_host_password_file
+++ b/machines/compute01/secrets/dgsi-email_host_password_file
@ -0,0 +1,28 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
 oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
 -> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
 bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
 -> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
 HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
 -> ssh-rsa krWCLQ
 k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
 re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
 eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
 AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
 +QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
 DdkJAqSrNkHianC5MEGgpA
 -> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
 C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
 -> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
 iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
 -> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
 uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
 -> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
 xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
 -> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
 5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
 -> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
 HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
 --- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
 ｻ<EFBFBD>虎 <20><>ｩ煩	ﾈ9<1猤ｶﾜ簒<EFBE9C>pWJSWpsV/ﾑ#<23>ｳﾘ9ﾀ{ﾀﾟcHB<><42><EFBFBD>5<EFBFBD>ｬ^ｧ
--- a/machines/compute01/secrets/dgsi-kanidm_auth_token_file
+++ b/machines/compute01/secrets/dgsi-kanidm_auth_token_file
--- a/machines/compute01/secrets/dgsi-kanidm_secret_file
+++ b/machines/compute01/secrets/dgsi-kanidm_secret_file
@ -0,0 +1,30 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA zSfj75mxEod8RszD4XGaFIeMvcLnBgUHShIW5yFPdiE
 YXaCFZ07BMzehG/PCUFDEzRy+y4c+IESO9kcLx+eG8M
 -> ssh-ed25519 QlRB9Q 39DPdLnRMs5YSQOr/rY2nXO/8s/oCnYDkRex51tZayw
 W3GbNP7qbgW2b0RoZmcWH0kLtQaIV50APGcntjMfn8o
 -> ssh-ed25519 r+nK/Q dnX8kPKvyHS5U1N52QTDwonaHbBh8sv2DPBL1PoBO2E
 mxduSFeWB4tJlrHDEthNKGv/vxzeWUtNwq1b2nDP6Z0
 -> ssh-rsa krWCLQ
 QN1OOmCREY2LljXm0+TAsOSkjIQ0RXyX8w5TVOOus5QAt1WTJan/mm4X1SviWqmn
 UFDIeCoG2l5tBSyZr4VpnDeq7koWRA2eC7WnwWW47PQIRFSyjf+sy00rGR9kxVuL
 1M9gsAGa5sud/PvmgSPSLsGhhrPsH/ZxN9beyIXIwmssmjN34KygUz9+u4T8IkVz
 oxdq75LMzE2o0gcgC1EZ5+rDq0NSPQ9+1KgqwJuKlLKRXGdudgaVEUxX60g2ZnkX
 8fNEgxqEkQ5MNnPfwbVumF6SWmMWyZSJ0rwHC94O1RdRNDcD3yKimuBmNSv2X+3L
 cS3kE9LfNst2zBKHBGBOHQ
 -> ssh-ed25519 /vwQcQ ZD8aiyO6fWEM9zG0iPP1/lftRPNl+mmFLHvGxVpSWzg
 ZcTmN8zSHz8iLQmCLTZCdaqX5En/KrciR8KHwoXl8t0
 -> ssh-ed25519 0R97PA xLQYBS5ozP1e4NWVa9yahN2OQB0Luw7mm3nBYdoHyRI
 SKTRzLfGNFQ9fSX8ZFkKIYPZ4If5QrxcmSoBoGVG2Xk
 -> ssh-ed25519 JGx7Ng XPo1QJ8OS/ShEAaXWwzZCS1p5/C6mLNlk4Us63YTVQ8
 HGbfr8WBfCDKnIlATAeiE6JcLWCbn64vn1Cg7i9QGbA
 -> ssh-ed25519 5SY7Kg CFpRcZmZ7DTspxkmdD8x7dRh1mqOHpTF7GzW5xBtLxw
 n1n6/Ciwwo4rb3Cb6Yv/b1dHSvVAbCuDZ52maNpCexg
 -> ssh-ed25519 p/Mg4Q km6ZjasKtOlaQL8rdVXkjRP4sooql15PrW0lz6YZaDg
 Yrpi65IC3RJS3YSAChKjVyvowGxxmSPFkwa6CXUYVZ4
 -> ssh-ed25519 tDqJRg au3x6e4L1os7OH4WXbdST74LhMsHPjP6KYrTWKUc1i8
 zxKFk51MteTETWEu8peSH/lninM3zZkQi+Xjx5OQMTU
 -> l$R6Y:c1-grease
 MY0HS+ErZAtAhg
 --- w+3gxmkrZ+xxSAQHbERgvsqur0v6k2/U0KUsfegRGcI
 7Ú”gpò7šæ«¹Š\ŠE„àø~Â$±\¹Ä”Q„™H‹R¥˜Èî¼¼2'k4Ž¥zÿqAÌ‡ì'ÍNò!{‹@qxÎ‹,ƒ+iTû
--- a/machines/compute01/secrets/dgsi-secret_key_file
+++ b/machines/compute01/secrets/dgsi-secret_key_file
@ -0,0 +1,31 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY
 7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k
 -> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI
 BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4
 -> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc
 WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo
 -> ssh-rsa krWCLQ
 GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e
 fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7
 j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf
 MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN
 tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn
 gU32t9qy5EvTbzliWpAvxw
 -> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY
 mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g
 -> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik
 QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w
 -> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI
 E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo
 -> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8
 x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s
 -> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA
 TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE
 -> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM
 SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU
 -> `--grease N]PH
 fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K
 7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A
 --- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk
 :È/Àn	ž±Ý§¦p=fu²hã–T¶ÅêFÂ—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.<2E>uŸ‰’…m3Ü&<26>g¤(ö<>5Û¶Ã›
--- a/machines/compute01/secrets/dgsi-x509_cert_file
+++ b/machines/compute01/secrets/dgsi-x509_cert_file
--- a/machines/compute01/secrets/dgsi-x509_key_file
+++ b/machines/compute01/secrets/dgsi-x509_key_file
--- a/machines/compute01/secrets/mastodon-smtp-password
+++ b/machines/compute01/secrets/mastodon-smtp-password
--- a/machines/compute01/secrets/plausible-admin_user_password_file
+++ b/machines/compute01/secrets/plausible-admin_user_password_file
--- a/machines/compute01/secrets/plausible-secret_key_base_file
+++ b/machines/compute01/secrets/plausible-secret_key_base_file
@ -0,0 +1,28 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA T6TOJOuejaoxw3zdeLzGm0CrSkDCCIRenL7wMGnDtlU
 dubdAXhc32S6BszHddOcMA6aStZLOvc+36s3nZsYFMU
 -> ssh-ed25519 QlRB9Q akzRDbZzo0LwoS1cOwE/tYdz7M+6bhgI81d37d1GtBw
 KsGqFhkjlcJNquMi2+1TfQDBy9qguwh5ED9KBg4Y2hU
 -> ssh-ed25519 r+nK/Q bL6A9O6UnjjyY+iLvbQSvSTjXX38FLsNjaSngoQXHxY
 YZ7Y11inKpzA2m6lro9XXX2qkW6FmkeFGZ3Ak6X+U2w
 -> ssh-rsa krWCLQ
 dZVUqAyqrP3KHZlpu70IBU8U3I9IP71RzjbiF1rp4rOdz4iQ9ik88ai+hXVuadcN
 DMl/7pIkVky6EL8JxFXTQhLivJUpO3NcN3iAS+CLKC+0EFVc03sLyCjn8IExO85r
 Lec37ICk9n4LUNEA91A2h4C8U9TbDxCt7MLrIKcQtfFcd+4U1o9g3n19xo9PK1Ho
 mcqTbUVgW1nOLxsEeCp5zsCQ+/8tFLcnK08yUB0RlWK+PDFZkk8u8Q2SYZjnaeEp
 cwOhUnm/1a15IbW2oGCrVaEd/ymnLDJc6S7vXGpFDWHmOzvJ4Av9KZlGFYaWCjbV
 7bGIgWkiQ7iJvTxzu0ZEqw
 -> ssh-ed25519 /vwQcQ /DR3Kox7XkbdYQH7SyIc9atjwwe7Ah7hH/63RlzDd0g
 k/199lCIfxR7l4ETJMEr1Ch1Zx8v3M5zn0b8mg6ip2k
 -> ssh-ed25519 0R97PA H1PS+SlW5FNOf15eO6MKJ/nnVJQkfFMub0IzTS4PhDo
 77zwCD0tbrLu4J0vS0RxPK3YZucFV1VYkUVoMTHjf2o
 -> ssh-ed25519 JGx7Ng 2WIYPKkWXplInR8v1q22ygs7uYNfIzETeiCt5+MKQQQ
 9Gsyr30kaNhxn+fUCBicvoA+hHiWpUf0d0pxRZauhMY
 -> ssh-ed25519 5SY7Kg QTnBfvkMcnXpGITtaHr+mRZGogI1kTUqO4byfyMZhGE
 89A/PPHVPeBQvTxCeXH8ITVDMkcsYUMbwatyw8NQ04E
 -> ssh-ed25519 p/Mg4Q n6hQLuUv3QOMADJF0zpcALYqVUVi5tZHmKGmVZA0IVQ
 ZXa+3y33kyo4vQxcEa2XTMIwjH2HE+bAKZw993PgROk
 -> ssh-ed25519 tDqJRg Hf1KIZjUTTaHo18P1vWxaSehyKTFElBOovrCN0uJFCc
 H8qGw8vIqp4bNiyon2uvTkrrd8lIYnMWnIfzS+w4QRQ
 --- QOKOfU20JY1Sj+K20UUxgtPZ7JxKuZ1GtK+OKBZ1Zhg
 Íúâ?º}àæ2æŽýiÐM}6BÖw#b2Ï´žËŠ¹ÍÊžvu´¿,Ö'.–ŒWÔ”øIPýã'ixYÍ€*·šKoÎtXI#À‘ß6b`„1pÃŠ¬òÍœˆqð
×"§lâSf(ˆ`UöëÄê6ø kT°Á'µÎÔM@ÈÖå„hŸï®›{WYŸ‘ØÝÏÂ<SN;UŒœ
Ý¨ÿ
--- a/machines/compute01/secrets/plausible-smtp_password_file
+++ b/machines/compute01/secrets/plausible-smtp_password_file
@ -0,0 +1,28 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
 oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
 -> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
 bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
 -> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
 HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
 -> ssh-rsa krWCLQ
 k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
 re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
 eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
 AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
 +QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
 DdkJAqSrNkHianC5MEGgpA
 -> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
 C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
 -> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
 iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
 -> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
 uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
 -> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
 xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
 -> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
 5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
 -> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
 HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
 --- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
 ｻ<EFBFBD>虎 <20><>ｩ煩	ﾈ9<1猤ｶﾜ簒<EFBE9C>pWJSWpsV/ﾑ#<23>ｳﾘ9ﾀ{ﾀﾟcHB<><42><EFBFBD>5<EFBFBD>ｬ^ｧ
--- a/machines/compute01/secrets/radius-auth_token_file
+++ b/machines/compute01/secrets/radius-auth_token_file
--- a/machines/compute01/secrets/radius-ca_pem_file
+++ b/machines/compute01/secrets/radius-ca_pem_file
--- a/machines/compute01/secrets/radius-cert_pem_file
+++ b/machines/compute01/secrets/radius-cert_pem_file
--- a/machines/compute01/secrets/radius-dh_pem_file
+++ b/machines/compute01/secrets/radius-dh_pem_file
@ -1,31 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 tDqJRg R3h8Ph1ooMaR/bmz09yRzVRq1mR3L7o87wMhsysC5kU
 Go50Us/u8CgZS7Up20RH8NlRS0+ESBw30wa8SZ5dqoo
 -> ssh-ed25519 jIXfPA gMaMIQvUIu5bK5mRWP6SSZQArMzhg4bDZDcjwx9dyDY
 Vv8H7oTBvogaoW4dhdm81TOe995CSGeBxB8LtFgJqwc
 -> ssh-ed25519 QlRB9Q 1CxZ2F8EMykWDzrAzN6NSPtjLmMJ99zf8UWLyV3e+Ag
 ak7M8/mCeQOMKFPllTsA79glffS/vu51vHIRT3F8qLE
 -> ssh-ed25519 r+nK/Q qcuIACZn+1ofDpWW1IBmY0IIj4WZNQhxtUJlHgh11ws
 OJhEfDQHkg3s5CCBcVfba9S4OG4hBjJIYkCoLAIFwOI
 -> ssh-rsa krWCLQ
 1XseIDq7c94X7Dpp1sC3oBLhZSd4w7UJ7QI03SGmqVTd3VVwP5IV430vrSIFETMI
 LopkMvCtF1XpIJQ+nHoxsukG/0kefh5Iodmd6anQNp0iVU/tWkQzWbkHlVlkxJ2M
 o3fMRAaVyH5GvQkIT5ndWma34vqwydAinM2mchi0hy0ibP5lkk8K7OtafNP4eYNh
 m7necRRI8yCuE1wBRy8sBpo5mEqGj1uINxXiF6yUI05pCBXHG1qDiFkDHfw8va9k
 Qitfwv2Clkk/hQG6aEYuruoXwq4SZxSCswMpP5Nz70I+e5YkZw8G50ICaVBXxuAP
 ABByGBZ/QKLw66NpE7rbSA
 -> ssh-ed25519 /vwQcQ 1P92WFx8+9DaL2dPwmX+Bva+h7Hy9qXszDTyPvd81kc
 gLVhBlE4lAMcod32/Y8xzypVCDu4vRca3aem3OHiocU
 -> ssh-ed25519 0R97PA rZblJRi2bYJig4HyzOXdtpUEEkGDlHS456aKlqxwGX4
 qjIkEyHjDxzmf34bS7qWJ9lexMXu2QMmcD9RP4MpkYQ
 -> ssh-ed25519 JGx7Ng IbCSvxAUY1gDTny5KurzONVaQwX/VgvNs1hAQ9iUQRE
 5ivoGkzEHAyTl3gUE+9nVYclF8/aqnyOF3a81fZfbW0
 -> t|-grease (u /1\q}65 ]@
 Dd2SJgnQFUSDlS4eSkKUaGwve8Rsv/4MNEwGRJftdtTvxv80bRuNBEFe+ah4YhiV
 LA3n6c+Te9Q
 --- wWhpJpx4IHeC1Qo4nH6iuEB3e9l5b8U5xOnsX8BoBgQ
 5¥t·Œ °ÒxÚ@<1E>`zÈÔgC’à	Ñ¬:4Œó¾&Â‡Spi8ñŸuæ"lÕ‚×)<29>:ìaŒÁÄ,4ÃsÌ*uÿ€ƒ±v#ÿ*ÎàÜÊ^Ý¶‚Ø«%´Ñº98¾,yB‚Ù
 "¶%Çã¤„†NÎÓ· íò¬}	[Ñ¿Ó(äØ{<11>ý0ô—f²<66>„|Šà-—&qF	kÖ¶¹µùÔÎLì,¹À„žD™áÎ©QÍ—½è<C2BD>4N}<7D>ÙÐJ´·‹ÇÓˆpç€]dUÏø¿<C3B8>I—:ÌôÑÉ
öì’°¦£‘sý¨õB#}¹
 ÞÃXzð‰N4·>ñ5iSan`‰¹.‚õÃPcHØÉAéßÈÿµH=¥ËæÂ~ö(Pçô±Š$ ,¡ã‹ù¯ZÐ¬ÆwçÚ	/×
 Á–+rC$†ýê&ØJñ ; ÉvÞjæ‰ÎY¹,š*`ºGå=ã¯M¼ƒƒeäAQö<51>\D˜ÿ@¥j¾$gö{Q´lhIoÊÏ‚IM)};@ìNü½b‰<62>k5Dgüoþ'ItW(Ïk
 ê6)ËŒä0£<30>tM¶É
Ó(Ûê¡<C3AA>n²k®Zu%m<17>¡bzÚõ–Š¿ÁìÍÿ
--- a/machines/compute01/secrets/radius-key_pem_file
+++ b/machines/compute01/secrets/radius-key_pem_file
--- a/machines/compute01/secrets/radius-private_key_password_file
+++ b/machines/compute01/secrets/radius-private_key_password_file
@ -1,26 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 tDqJRg sTm4u+QVtvUqNgMJhufIljdH63oCmvfbRz6NRa2ZbwI
 ZYjAINMp/ds7g+7Wjg26YRpRV+nznQPB1r7NzAHGfW0
 -> ssh-ed25519 jIXfPA z4LS/Igwab0moIzxG9b06T5rZiODkdJyjaFepJVcxQ8
 qNkDc+prvr1bNTSWJyygJj7yb8MOz2nR+Z8EMHUVVOs
 -> ssh-ed25519 QlRB9Q 6TQ0Vp3KB5yDIEt029hIB3aCnDjTDP0JG6LN2J9gtjU
 fZXeSxb7GJOJYvCr2nVf6BKf8QjaqOOuoi0I/xXV1qc
 -> ssh-ed25519 r+nK/Q eW4wTH9PNd0mzVFsxwS4mEEn5gVUCpYA/g+ifeUB+00
 kqED+vZVHn0SXTpgbaiMseI6vPCyTt5Gfu4pHxPvKp0
 -> ssh-rsa krWCLQ
 axyFJ/zhMoZ1mJLzWAbXbHjlAlLj7HraHyY6ddZBVibgRSEufdXsa8ABmdR6+EuM
 ty37+/TZOBv11ew/D1C7vQ7B/1JXgej2TAAmYt4vN3lVZdgJI+tQGiOf1nsqfI64
 p4ZbMi9G0wlzb+Z7Z5SLKo6HwharYI+vDEgh3Ua9Q+6bpZeXxxJHmkACikAI4xJV
 3lLo1iTeyJy/9u/WoHmEOuqJLeZdhmPZBozxTdDTWz9wMHy+NotfXFaIFTyUpocu
 OU19N95fyVyTRwmrGFcWs34O631Ejpo3oVLDvjXrFtV4HISSweB/YbU84EveFbz5
 28gTWKdeOQcHJfmaeJV/Rg
 -> ssh-ed25519 /vwQcQ cXNRE5eLKNh4lL7S7cMDfp79+TQyiJK3gTzYCuHeRHo
 4bz0al2kf/S6VEhObpLxy8tvB1t/tBVdB1Gi/7XinD4
 -> ssh-ed25519 0R97PA iGdUtE7KDRBNSXv1w0dJNPQWxAeDpIAePUU8t0qURV8
 OUoeLNWl0rLt6+FNf5plNmQIgrULwIgEL/W4HFTYeB8
 -> ssh-ed25519 JGx7Ng tPkAPvVDZOcP06+mrD5uK03dUJi4aMAvkoz21y9L6Ak
 tcUItLMra+EIYH6MA1ULMpr8bkUql448jnurev8N5wk
 -> \<?_-grease (+d_8zF H
 --- /CiW5jTjVkXDOdwmb4P80FswPEpgTt2GZnqT7KlOvC0
 ›=þ%©»gæÆQ³-¼ffÄUC.qÅÍ˜·H<C2B7>µ—ìäÙ=Vý£žØú<C398>ŽRåN
--- a/machines/compute01/secrets/secrets.nix
+++ b/machines/compute01/secrets/secrets.nix
@ -1,29 +1,31 @@
-let
+(import ../../../keys).mkSecrets [ "compute01" ] [
-  lib = import ../../../lib { };
+  # List of secrets for compute01
-  publicKeys = lib.getNodeKeys "compute01";
+  "arkheon-env_file"
 in
 lib.setDefault { inherit publicKeys; } [
  "bupstash-put_key"
  "dgsi-email_host_password_file"
  "dgsi-kanidm_auth_token_file"
  "dgsi-kanidm_secret_file"
  "dgsi-secret_key_file"
  "dgsi-x509_cert_file"
  "dgsi-x509_key_file"
  "ds-fr-secret_file"
  "grafana-smtp_password_file"
  "grafana-oauth_client_secret_file"
  "grafana-smtp_password_file"
  "hedgedoc-environment_file"
  "librenms-database_password_file"
  "librenms-environment_file"
  "mastodon-extra_env_file"
  "mastodon-smtp-password"
  "nextcloud-adminpass_file"
  "nextcloud-s3_secret_file"
  "outline-oidc_client_secret_file"
  "outline-smtp_password_file"
  "outline-storage_secret_key_file"
-  "radius-auth_token_file"
+  "plausible-admin_user_password_file"
-  "radius-ca_pem_file"
+  "plausible-secret_key_base_file"
-  "radius-cert_pem_file"
+  "plausible-smtp_password_file"
  "radius-dh_pem_file"
  "radius-key_pem_file"
  "radius-private_key_password_file"
  "satosa-env_file"
  "signal-irc-bridge-config"
  "telegraf-environment_file"
  "vaultwarden-environment_file"
  "zammad-secret_key_base_file"
--- a/machines/compute01/secrets/signal-irc-bridge-config
+++ b/machines/compute01/secrets/signal-irc-bridge-config
@ -0,0 +1,29 @@
 age-encryption.org/v1
 -> ssh-ed25519 jIXfPA Io/zqmrxU05V3yhgyGySW5f2hlQdBOqzXzv2I5x+nVs
 O5szAc5hiv4Kw+Xo90mhst3vGLqhtqSuaKxPTkCQCJw
 -> ssh-ed25519 QlRB9Q 9gQ+5aCcW+gi30S20om5+Zign9zXfgKlG9/59a2rdl4
 nXyckLZ6zNdG096GAPlK/gyold3XxOqeKB1Kiy/BCmI
 -> ssh-ed25519 r+nK/Q nctFMke6IvbEII3/Mq7wq9Cb30GO1yBqePJXdOFjExs
 fMEbZoSsvMiFS2wHD0RCcSqbigmFHCnhEagXDTYBIW8
 -> ssh-rsa krWCLQ
 i7lgxs2DFU6OYdR0wC9NBJAUrYOarTpIBu8JiQKKTymkGauTtpCkOgakEF7N/TLd
 1KFX6ww2lhmGwgi/4qYK5R21geqbLaogm5LsSrWgwI+nAqzAasD30i4MYWSfd1PS
 kewXfRmMOUc2feMN/FiLDlyxxdg3DQImEwwAUq3k4F7W7/ggi4qPKzqzGhlOG1kB
 Ma05hLsOhTVwbyRQzf9MFDUypYJ8KRsV5/rdxnGzTaJLlYbNoQpIG3lQZelggGpS
 N6f5kz0fHRkTqCrINJpmLVkvQDbNNDslsDcr86O0LEI7NPrBry5fUSxI+YOzCJCu
 3xnkIiYlcua2WGEXNd6vPQ
 -> ssh-ed25519 /vwQcQ L9OynFtsmYWQBB/PKHsJ4B2mdUFk8wkuPzaKBmvKERc
 LPHLANWrv90EFdF+cXEOFnOf1XaLWeyEDij+DYVrDJM
 -> ssh-ed25519 0R97PA 49YuJOzGjfLe8RixCtw8Z/EEngEGyNRQjb6sDXESQyM
 ICCw8XFpzJjZpOayDR6uoHqdv0vuEVg1uQyNrNONj8s
 -> ssh-ed25519 JGx7Ng fESc17fhVuC9dfNvDZKLq5EheYw+ufw0hpJqeDffxSE
 CWRV2wnZYh/bK5xgCDUASUmYMWSLbTXqnD1TFcbEHUU
 -> ssh-ed25519 5SY7Kg DgOrBwnV6Uxc5dMcNSR57HSgTW5DsG9Y9kcNYNevMGw
 W0HtwhGJ2jiU9jrfvGoEXthZ3ewxAL8ERNOUYSgWI1A
 -> ssh-ed25519 p/Mg4Q doo+f6eD3s2uoMwekzHcUFCsls8gNZjiI0Nyyd1sClA
 NZnBQy9PJeabIwp6N7D85sI/UbCIcC7FzQALoNOD5h0
 -> ssh-ed25519 tDqJRg tVVtvHVf/l4k+vr5A81tKTff49Rn1L1lrONq1DaGxDk
 vskCx+/l45iAtB8Mn6S9T7I0rKEGgesDfqBrrT0wewU
 --- HQzVXwtwdHyjKCBSbBOTiytzpLVc1eBCZZgW7sIgFEI
 9˜†%}‹/JÞ„U»cMä8É<38>ç™`®=%¿ÝîN}
è9tñœÇ§‰¡‹¨‰rî§°Œ}ˆ½KÿøžqøëO5GlùÑct’#"	Ò[Yw½e‰<65>_ûtˆ)f3Çòª´ÕGÊ2›¹j„Wý^ìr¹ôYa=ESÓ ýØ,<2C>“‘²Ú“rÐ_„£
ý8E ªª
Ž¬1çî•íÅ‡“sÂ<73>ü–¼<”µŸ‚£0QMU"Œ±Ú’ÅõõË†¬wSúœ4º=ï‰G(ˆ’º<<3C>?iZSW]Œ.pP93±zžl¸OSd·êS¯šçI8Äe×²·Ú7ÃUMù¯< ªº<C2AA>Ýžóì<>?îOc2Z¬Uº Ä•èc²Ã Ô—×7@ÄýôóŠò=¨Zæ™ihC“žXß”QŸcÉ¹[èo=kÏòñËÞL"ZÍ/uê´q
ÛGä›–çó
Ú[<5B>–ú,£«i×Ãäs<C3A4>Jÿ•=GBç~^€Ù'Aý´èÕ±©¹í*giÝ|Ý*ù’N·ÿŠË‘a]º˜áäši|áÔŽP'_(½±ÂQLŽØl„O 0ŠÈÛ´
 P94Ï¨äÛF½]³¡È{Öºeç4ý[McQu‚ÎÞî«¥JwÈƒ¼Ê“÷•ÁÛX@RÙÑÛŒú‰5M•Ý£‹V<E280B9>rjÇ—ó<E28094>„—½¢Ÿó7<C3B3>[¨8qÐb
--- a/machines/compute01/signal-irc-bridge.nix
+++ b/machines/compute01/signal-irc-bridge.nix
@ -0,0 +1,22 @@
 {
  config,
  sources,
  nixpkgs,
  ...
 }:
 {
  imports = [ (import (sources.signal-irc-bridge.outPath + "/module.nix")) ];
  services.signal-irc-bridge = {
    enable = true;
    package = nixpkgs.unstable.callPackage (sources.signal-irc-bridge.outPath + "/package.nix") { };
    configFile = config.age.secrets."signal-irc-bridge-config".path;
  };
  services.nginx.virtualHosts."bridge.dgnum.eu" = {
    forceSSL = true;
    enableACME = true;
    locations."/files/".alias = "/var/lib/signal-irc/hermes-media/";
  };
  users.users.nginx.extraGroups = [ "signal-irc" ];
 }
--- a/machines/compute01/stirling-pdf/01-spotless.patch
+++ b/machines/compute01/stirling-pdf/01-spotless.patch
@ -0,0 +1,35 @@
 diff --git a/build.gradle b/build.gradle
 index 78901d8e..3a14ceee 100644
 --- a/build.gradle
 +++ b/build.gradle
@@ -70,20 +70,6 @@ launch4j {
   messagesInstanceAlreadyExists="Stirling-PDF is already running."
 }
 -spotless {
 -    java {
 -        target project.fileTree('src/main/java')
 -
 -        googleJavaFormat('1.19.1').aosp().reorderImports(false)
 -
 -        importOrder('java', 'javax', 'org', 'com', 'net', 'io')
 -        toggleOffOn()
 -        trimTrailingWhitespace()
 -        indentWithSpaces()
 -        endWithNewline()
 -    }
 -}
 -
 dependencies {
     //security updates
     implementation 'ch.qos.logback:logback-classic:1.5.3'
@@ -171,9 +157,6 @@ dependencies {
     annotationProcessor 'org.projectlombok:lombok:1.18.32'
 }
 -tasks.withType(JavaCompile).configureEach {
 -    dependsOn 'spotlessApply'
 -}
 compileJava {
     options.compilerArgs << '-parameters'
 }
--- a/machines/compute01/stirling-pdf/02-propsfile.patch
+++ b/machines/compute01/stirling-pdf/02-propsfile.patch
@ -0,0 +1,12 @@
 diff --git a/build.gradle b/build.gradle
 index 78901d8e..2e7ff96b 100644
 --- a/build.gradle
 +++ b/build.gradle
@@ -166,6 +166,7 @@ task writeVersion  {
     def props = new Properties()
     props.setProperty('version', version)
     props.store(propsFile.newWriter(), null)
 +    propsFile.text = propsFile.readLines().tail().join('\n')
 }
 swaggerhubUpload {
--- a/machines/compute01/stirling-pdf/03-jar-timestamps.patch
+++ b/machines/compute01/stirling-pdf/03-jar-timestamps.patch
@ -0,0 +1,16 @@
 diff --git a/build.gradle b/build.gradle
 index 2e7ff96b..f3a4a15c 100644
 --- a/build.gradle
 +++ b/build.gradle
@@ -21,6 +21,11 @@ repositories {
     mavenCentral()
 }
 +tasks.withType(AbstractArchiveTask) {
 +    preserveFileTimestamps = false
 +    reproducibleFileOrder = true
 +}
 +
 licenseReport {
     renderers = [new JsonReportRenderer()]
 }
--- a/machines/compute01/stirling-pdf/04-local-maven-deps.patch
+++ b/machines/compute01/stirling-pdf/04-local-maven-deps.patch
@ -0,0 +1,25 @@
 diff --git a/build.gradle b/build.gradle
 index f3a4a15c..61fbd74e 100644
 --- a/build.gradle
 +++ b/build.gradle
@@ -18,7 +18,7 @@ version = '0.26.1'
 sourceCompatibility = '17'
 repositories {
 -    mavenCentral()
 +    maven { url '@deps@' }
 }
 tasks.withType(AbstractArchiveTask) {
 diff --git a/settings.gradle b/settings.gradle
 index f8139930..2c87f3cc 100644
 --- a/settings.gradle
 +++ b/settings.gradle
@@ -1 +1,7 @@
 +pluginManagement {
 +    repositories {
 +        maven { url '@deps@' }
 +    }
 +}
 +
 rootProject.name = 'Stirling-PDF'
--- a/machines/compute01/stirling-pdf/05-java-output-test.patch
+++ b/machines/compute01/stirling-pdf/05-java-output-test.patch
@ -0,0 +1,22 @@
 diff --git a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
 index cab78313..192922f3 100644
 --- a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
 +++ b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
@@ -19,7 +19,7 @@ public class ProcessExecutorTest {
         processExecutor = ProcessExecutor.getInstance(ProcessExecutor.Processes.LIBRE_OFFICE);
     }
 -    @Test
 +    /* @Test
     public void testRunCommandWithOutputHandling() throws IOException, InterruptedException {
         // Mock the command to execute
         List<String> command = new ArrayList<>();
@@ -32,7 +32,7 @@ public class ProcessExecutorTest {
         // Check the exit code and output messages
         assertEquals(0, result.getRc());
         assertNotNull(result.getMessages()); // Check if messages are not null
 -    }
 +    } */
     @Test
     public void testRunCommandWithOutputHandling_Error() {
--- a/machines/compute01/stirling-pdf/default.nix
+++ b/machines/compute01/stirling-pdf/default.nix
@ -0,0 +1,39 @@
 { nixpkgs, ... }:
 let
  ###
  # How to update:
  # - clone https://git.dgnum.eu/DGNum/Stirling-PDF
  # - switch to the branch dgn-v0.X.Y where X.Y is the version in production
  # - fetch upstream changes up to the tagged release in nixos-unstable
  # - rebase onto the upstream branch, so that the last commit is "feat: Add DGNum customization"
  # - push to a new branch dgn-v0.A.B where A.B is the new version
  # - finally, update the commit hash of the customization patch
  dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
 in
 {
  services.stirling-pdf = {
    enable = true;
    package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: {
      patches = (old.patches or [ ]) ++ [
        (builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
      ];
    });
    domain = "pdf.dgnum.eu";
    port = 8084;
    nginx = {
      enableACME = true;
      forceSSL = true;
    };
    environment = {
      UI_APP_NAME = "DGNum PDF";
      SYSTEM_DEFAULT_LOCALE = "fr-FR";
    };
  };
 }
--- a/machines/compute01/takumi.nix
+++ b/machines/compute01/takumi.nix
@ -0,0 +1 @@
 _: { dgn-chatops.enable = true; }
--- a/machines/geo01/secrets/secrets.nix
+++ b/machines/geo01/secrets/secrets.nix
@ -1,5 +1,3 @@
-let
+(import ../../../keys).mkSecrets [ "geo01" ] [
-  lib = import ../../../lib { };
+  # List of secrets for geo01
-  publicKeys = lib.getNodeKeys "geo01";
+]
 in
 lib.setDefault { inherit publicKeys; } [ ]
--- a/machines/geo02/secrets/secrets.nix
+++ b/machines/geo02/secrets/secrets.nix
@ -1,5 +1,3 @@
-let
+(import ../../../keys).mkSecrets [ "geo02" ] [
-  lib = import ../../../lib { };
+  # List of secrets for geo02
-  publicKeys = lib.getNodeKeys "geo02";
+]
 in
 lib.setDefault { inherit publicKeys; } [ ]
--- a/machines/krz01/K80-support.patch
+++ b/machines/krz01/K80-support.patch
@ -0,0 +1,179 @@
 From 2abd226ff3093c5a9e18a618fba466853e7ebaf7 Mon Sep 17 00:00:00 2001
 From: Raito Bezarius <masterancpp@gmail.com>
 Date: Tue, 8 Oct 2024 18:27:41 +0200
 Subject: [PATCH] K80 support
 Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
 ---
 docs/development.md     |  6 +++-
 docs/gpu.md             |  1 +
 gpu/amd_linux.go        |  6 +++-
 gpu/gpu.go              | 63 ++++++++++++++++++++++++++++++++++++-----
 scripts/build_docker.sh |  2 +-
 scripts/build_linux.sh  |  2 +-
 6 files changed, 69 insertions(+), 11 deletions(-)
 diff --git a/docs/development.md b/docs/development.md
 index 2f7b9ecf..9da35931 100644
 --- a/docs/development.md
 +++ b/docs/development.md
@@ -51,7 +51,11 @@ Typically the build scripts will auto-detect CUDA, however, if your Linux distro
 or installation approach uses unusual paths, you can specify the location by
 specifying an environment variable `CUDA_LIB_DIR` to the location of the shared
 libraries, and `CUDACXX` to the location of the nvcc compiler. You can customize
 -a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "50;60;70")
 +a set of target CUDA architectures by setting `CMAKE_CUDA_ARCHITECTURES` (e.g. "35;37;50;60;70")
 +
 +To support GPUs older than Compute Capability 5.0, you will need to use an older version of
 +the Driver from [Unix Driver Archive](https://www.nvidia.com/en-us/drivers/unix/) (tested with 470) and [CUDA Toolkit Archive](https://developer.nvidia.com/cuda-toolkit-archive) (tested with cuda V11).  When you build Ollama, you will need to set two environment variable to adjust the minimum compute capability Ollama supports via `export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3\" \"-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5\"'"` and the `CMAKE_CUDA_ARCHITECTURES`.  To find the Compute Capability of your older GPU, refer to [GPU Compute Capability](https://developer.nvidia.com/cuda-gpus).
 +
 Then generate dependencies:
 diff --git a/docs/gpu.md b/docs/gpu.md
 index a6b559f0..66627611 100644
 --- a/docs/gpu.md
 +++ b/docs/gpu.md
@@ -28,6 +28,7 @@ Check your compute compatibility to see if your card is supported:
 | 5.0                | GeForce GTX         | `GTX 750 Ti` `GTX 750` `NVS 810`                                                                            |
 |                    | Quadro              | `K2200` `K1200` `K620` `M1200` `M520` `M5000M` `M4000M` `M3000M` `M2000M` `M1000M` `K620M` `M600M` `M500M`  |
 +For building locally to support older GPUs, see [developer.md](./development.md#linux-cuda-nvidia)
 ### GPU Selection
 diff --git a/gpu/amd_linux.go b/gpu/amd_linux.go
 index 6b08ac2e..768fb97a 100644
 --- a/gpu/amd_linux.go
 +++ b/gpu/amd_linux.go
@@ -159,7 +159,11 @@ func AMDGetGPUInfo() []GpuInfo {
 			return []GpuInfo{}
 		}
 -		if int(major) < RocmComputeMin {
 +		minVer, err := strconv.Atoi(RocmComputeMajorMin)
 +		if err != nil {
 +			slog.Error("invalid RocmComputeMajorMin setting", "value", RocmComputeMajorMin, "error", err)
 +		}
 +		if int(major) < minVer {
 			slog.Warn(fmt.Sprintf("amdgpu too old gfx%d%x%x", major, minor, patch), "gpu", gpuID)
 			continue
 		}
 diff --git a/gpu/gpu.go b/gpu/gpu.go
 index 781e23df..60d68c33 100644
 --- a/gpu/gpu.go
 +++ b/gpu/gpu.go
@@ -16,6 +16,7 @@ import (
 	"os"
 	"path/filepath"
 	"runtime"
 +	"strconv"
 	"strings"
 	"sync"
 	"unsafe"
@@ -38,9 +39,11 @@ const (
 var gpuMutex sync.Mutex
 // With our current CUDA compile flags, older than 5.0 will not work properly
 -var CudaComputeMin = [2]C.int{5, 0}
 +// (string values used to allow ldflags overrides at build time)
 +var CudaComputeMajorMin = "5"
 +var CudaComputeMinorMin = "0"
 -var RocmComputeMin = 9
 +var RocmComputeMajorMin = "9"
 // TODO find a better way to detect iGPU instead of minimum memory
 const IGPUMemLimit = 1 * format.GibiByte // 512G is what they typically report, so anything less than 1G must be iGPU
@@ -175,11 +178,57 @@ func GetGPUInfo() GpuInfoList {
 	var memInfo C.mem_info_t
 	resp := []GpuInfo{}
 -	// NVIDIA first
 -	for i := 0; i < gpuHandles.deviceCount; i++ {
 -		// TODO once we support CPU compilation variants of GPU libraries refine this...
 -		if cpuVariant == "" && runtime.GOARCH == "amd64" {
 -			continue
 +	// Load ALL libraries
 +	cHandles = initCudaHandles()
 +	minMajorVer, err := strconv.Atoi(CudaComputeMajorMin)
 +	if err != nil {
 +		slog.Error("invalid CudaComputeMajorMin setting", "value", CudaComputeMajorMin, "error", err)
 +	}
 +	minMinorVer, err := strconv.Atoi(CudaComputeMinorMin)
 +	if err != nil {
 +		slog.Error("invalid CudaComputeMinorMin setting", "value", CudaComputeMinorMin, "error", err)
 +	}
 +
 +	// NVIDIA
 +	for i := range cHandles.deviceCount {
 +		if cHandles.cudart != nil || cHandles.nvcuda != nil {
 +			gpuInfo := CudaGPUInfo{
 +				GpuInfo: GpuInfo{
 +					Library: "cuda",
 +				},
 +				index: i,
 +			}
 +			var driverMajor int
 +			var driverMinor int
 +			if cHandles.cudart != nil {
 +				C.cudart_bootstrap(*cHandles.cudart, C.int(i), &memInfo)
 +			} else {
 +				C.nvcuda_bootstrap(*cHandles.nvcuda, C.int(i), &memInfo)
 +				driverMajor = int(cHandles.nvcuda.driver_major)
 +				driverMinor = int(cHandles.nvcuda.driver_minor)
 +			}
 +			if memInfo.err != nil {
 +				slog.Info("error looking up nvidia GPU memory", "error", C.GoString(memInfo.err))
 +				C.free(unsafe.Pointer(memInfo.err))
 +				continue
 +			}
 +
 +			if int(memInfo.major) < minMajorVer || (int(memInfo.major) == minMajorVer && int(memInfo.minor) < minMinorVer) {
 +				slog.Info(fmt.Sprintf("[%d] CUDA GPU is too old. Compute Capability detected: %d.%d", i, memInfo.major, memInfo.minor))
 +				continue
 +			}
 +			gpuInfo.TotalMemory = uint64(memInfo.total)
 +			gpuInfo.FreeMemory = uint64(memInfo.free)
 +			gpuInfo.ID = C.GoString(&memInfo.gpu_id[0])
 +			gpuInfo.Compute = fmt.Sprintf("%d.%d", memInfo.major, memInfo.minor)
 +			gpuInfo.MinimumMemory = cudaMinimumMemory
 +			gpuInfo.DependencyPath = depPath
 +			gpuInfo.Name = C.GoString(&memInfo.gpu_name[0])
 +			gpuInfo.DriverMajor = driverMajor
 +			gpuInfo.DriverMinor = driverMinor
 +
 +			// TODO potentially sort on our own algorithm instead of what the underlying GPU library does...
 +			cudaGPUs = append(cudaGPUs, gpuInfo)
 		}
 		gpuInfo := GpuInfo{
 			Library: "cuda",
 diff --git a/scripts/build_docker.sh b/scripts/build_docker.sh
 index e91c56ed..c03bc25f 100755
 --- a/scripts/build_docker.sh
 +++ b/scripts/build_docker.sh
@@ -3,7 +3,7 @@
 set -eu
 export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
 -export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
 +export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
 # We use 2 different image repositories to handle combining architecture images into multiarch manifest
 # (The ROCm image is x86 only and is not a multiarch manifest)
 diff --git a/scripts/build_linux.sh b/scripts/build_linux.sh
 index 27c4ff1f..e7e6d0dd 100755
 --- a/scripts/build_linux.sh
 +++ b/scripts/build_linux.sh
@@ -3,7 +3,7 @@
 set -eu
 export VERSION=${VERSION:-$(git describe --tags --first-parent --abbrev=7 --long --dirty --always | sed -e "s/^v//g")}
 -export GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"
 +export GOFLAGS=${GOFLAGS:-"'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=$VERSION\" \"-X=github.com/ollama/ollama/server.mode=release\"'"}
 BUILD_ARCH=${BUILD_ARCH:-"amd64 arm64"}
 export AMDGPU_TARGETS=${AMDGPU_TARGETS:=""}
 -- 
 2.46.0
--- a/machines/krz01/_configuration.nix
+++ b/machines/krz01/_configuration.nix
@ -0,0 +1,79 @@
 {
  config,
  lib,
  pkgs,
  meta,
  name,
  ...
 }:
 lib.extra.mkConfig {
  enabledModules = [
    # INFO: This list needs to stay sorted alphabetically
  ];
  enabledServices = [
    # INFO: This list needs to stay sorted alphabetically
    # Machine learning API machine
    "microvm-ml01"
    "microvm-router01"
    "nvidia-tesla-k80"
    "proxmox"
  ];
  extraConfig = {
    microvm = {
      host.enable = true;
    };
    dgn-hardware = {
      useZfs = true;
      zfsPools = [
        "dpool"
        "ppool0"
      ];
    };
    services.netbird.enable = true;
    # We are going to use CUDA here.
    nixpkgs.config.cudaSupport = true;
    hardware.graphics.enable = true;
    environment.systemPackages = [
      ((pkgs.openai-whisper-cpp.override { cudaPackages = pkgs.cudaPackages_11; }).overrideAttrs (old: {
        src = pkgs.fetchFromGitHub {
          owner = "ggerganov";
          repo = "whisper.cpp";
          rev = "v1.7.1";
          hash = "sha256-EDFUVjud79ZRCzGbOh9L9NcXfN3ikvsqkVSOME9F9oo=";
        };
        env = {
          WHISPER_CUBLAS = "";
          GGML_CUDA = "1";
        };
        # We only need Compute Capability 3.7.
        CUDA_ARCH_FLAGS = [ "sm_37" ];
        # We are GPU-only anyway.
        patches = (old.patches or [ ]) ++ [
          ./no-weird-microarch.patch
          ./all-nvcc-arch.patch
        ];
      }))
    ];
    services = {
      ollama = {
        enable = true;
        host = meta.network.${name}.netbirdIp;
        package = pkgs.callPackage ./ollama.nix {
          cudaPackages = pkgs.cudaPackages_11;
          # We need to thread our nvidia x11 driver for CUDA.
          extraLibraries = [ config.hardware.nvidia.package ];
        };
      };
    };
    networking.firewall.interfaces.wt0.allowedTCPPorts = [ config.services.ollama.port ];
  };
  root = ./.;
 }
--- a/machines/krz01/_hardware-configuration.nix
+++ b/machines/krz01/_hardware-configuration.nix
@ -0,0 +1,50 @@
 {
  config,
  lib,
  modulesPath,
  ...
 }:
 {
  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
  boot = {
    initrd = {
      availableKernelModules = [
        "ehci_pci"
        "ahci"
        "mpt3sas"
        "usbhid"
        "sd_mod"
      ];
      kernelModules = [ ];
    };
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
  };
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/92bf4d66-2693-4eca-9b26-f86ae09d468d";
    fsType = "ext4";
  };
  boot.initrd.luks.devices."mainfs" = {
    device = "/dev/disk/by-uuid/26f9737b-28aa-4c3f-bd3b-b028283cef88";
    keyFileSize = 1;
    keyFile = "/dev/zero";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/280C-8844";
    fsType = "vfat";
    options = [
      "fmask=0022"
      "dmask=0022"
    ];
  };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/krz01/all-nvcc-arch.patch
+++ b/machines/krz01/all-nvcc-arch.patch
@ -0,0 +1,26 @@
 From 2278389ef9ac9231349440aa68f9544ddc69cdc7 Mon Sep 17 00:00:00 2001
 From: Raito Bezarius <masterancpp@gmail.com>
 Date: Wed, 9 Oct 2024 13:37:08 +0200
 Subject: [PATCH] fix: sm_37 for nvcc
 Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
 ---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Makefile b/Makefile
 index 2ccb750..70dfd9b 100644
 --- a/Makefile
 +++ b/Makefile
@@ -537,7 +537,7 @@ endif #GGML_CUDA_NVCC
 ifdef CUDA_DOCKER_ARCH
 	MK_NVCCFLAGS += -Wno-deprecated-gpu-targets -arch=$(CUDA_DOCKER_ARCH)
 else ifndef CUDA_POWER_ARCH
 -	MK_NVCCFLAGS += -arch=native
 +	MK_NVCCFLAGS += -arch=sm_37
 endif # CUDA_DOCKER_ARCH
 ifdef GGML_CUDA_FORCE_DMMV
 -- 
 2.46.0
--- a/machines/krz01/disable-git.patch
+++ b/machines/krz01/disable-git.patch
@ -0,0 +1,20 @@
 diff --git c/llm/generate/gen_common.sh i/llm/generate/gen_common.sh
 index 3825c155..238a74a7 100644
 --- c/llm/generate/gen_common.sh
 +++ i/llm/generate/gen_common.sh
@@ -69,6 +69,7 @@ git_module_setup() {
 }
 apply_patches() {
 +    return
     # apply temporary patches until fix is upstream
     for patch in ../patches/*.patch; do
         git -c 'user.name=nobody' -c 'user.email=<>' -C ${LLAMACPP_DIR} am ${patch}
@@ -133,6 +134,7 @@ install() {
 # Keep the local tree clean after we're done with the build
 cleanup() {
 +    return
     (cd ${LLAMACPP_DIR}/ && git checkout CMakeLists.txt)
     if [ -n "$(ls -A ../patches/*.diff)" ]; then
--- a/machines/krz01/microvm-ml01.nix
+++ b/machines/krz01/microvm-ml01.nix
@ -0,0 +1,22 @@
 _: {
  microvm.autostart = [ "ml01" ];
  microvm.vms.ml01 = {
    config = {
      networking.hostName = "ml01";
      microvm = {
        hypervisor = "cloud-hypervisor";
        vcpu = 4;
        mem = 4096;
        balloonMem = 2048;
        shares = [
          {
            source = "/nix/store";
            mountPoint = "/nix/.ro-store";
            tag = "ro-store";
            proto = "virtiofs";
          }
        ];
      };
    };
  };
 }
--- a/machines/krz01/microvm-router01.nix
+++ b/machines/krz01/microvm-router01.nix
@ -0,0 +1,16 @@
 _: {
  microvm.autostart = [ "router01" ];
  microvm.vms.router01 = {
    config = {
      networking.hostName = "router01";
      microvm.shares = [
        {
          source = "/nix/store";
          mountPoint = "/nix/.ro-store";
          tag = "ro-store";
          proto = "virtiofs";
        }
      ];
    };
  };
 }
--- a/machines/krz01/no-weird-microarch.patch
+++ b/machines/krz01/no-weird-microarch.patch
@ -0,0 +1,34 @@
 From 51568b61ef63ecd97867562571411082c32751d3 Mon Sep 17 00:00:00 2001
 From: Raito Bezarius <masterancpp@gmail.com>
 Date: Wed, 9 Oct 2024 13:36:51 +0200
 Subject: [PATCH] fix: avx & f16c in Makefile
 Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
 ---
 Makefile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/Makefile b/Makefile
 index 32b7cbb..2ccb750 100644
 --- a/Makefile
 +++ b/Makefile
@@ -361,12 +361,12 @@ ifndef RISCV
 ifeq ($(UNAME_M),$(filter $(UNAME_M),x86_64 i686 amd64))
 	# Use all CPU extensions that are available:
 -	MK_CFLAGS     += -march=native -mtune=native
 -	HOST_CXXFLAGS += -march=native -mtune=native
 +	# MK_CFLAGS     += -march=native -mtune=native
 +	# HOST_CXXFLAGS += -march=native -mtune=native
 	# Usage AVX-only
 -	#MK_CFLAGS   += -mfma -mf16c -mavx
 -	#MK_CXXFLAGS += -mfma -mf16c -mavx
 +	MK_CFLAGS   += -mf16c -mavx
 +	MK_CXXFLAGS += -mf16c -mavx
 	# Usage SSSE3-only (Not is SSE3!)
 	#MK_CFLAGS   += -mssse3
 -- 
 2.46.0
--- a/machines/krz01/nvidia-tesla-k80.nix
+++ b/machines/krz01/nvidia-tesla-k80.nix
@ -0,0 +1,8 @@
 { config, ... }:
 {
  nixpkgs.config.nvidia.acceptLicense = true;
  # Tesla K80 is not supported by the latest driver.
  hardware.nvidia.package = config.boot.kernelPackages.nvidia_x11_legacy470;
  # Don't ask.
  services.xserver.videoDrivers = [ "nvidia" ];
 }
--- a/machines/krz01/ollama.nix
+++ b/machines/krz01/ollama.nix
@ -0,0 +1,243 @@
 {
  lib,
  buildGoModule,
  fetchFromGitHub,
  buildEnv,
  linkFarm,
  overrideCC,
  makeWrapper,
  stdenv,
  addDriverRunpath,
  nix-update-script,
  cmake,
  gcc11,
  clblast,
  libdrm,
  rocmPackages,
  cudaPackages,
  darwin,
  autoAddDriverRunpath,
  extraLibraries ? [ ],
  nixosTests,
  testers,
  ollama,
  ollama-rocm,
  ollama-cuda,
  config,
  # one of `[ null false "rocm" "cuda" ]`
  acceleration ? null,
 }:
 assert builtins.elem acceleration [
  null
  false
  "rocm"
  "cuda"
 ];
 let
  pname = "ollama";
  version = "2024-09-10-cc35";
  src = fetchFromGitHub {
    owner = "aliotard";
    repo = "ollama";
    rev = "34827c01f7723c7f5f9f5e392fe85f5a4a5d5fc0";
    hash = "sha256-xFNuqcW7YWeyCyw5QLBnCHHTSMITR6LJkJT0CXZC+Y8=";
    fetchSubmodules = true;
  };
  vendorHash = "sha256-hSxcREAujhvzHVNwnRTfhi0MKI3s8HNavER2VLz6SYk=";
  validateFallback = lib.warnIf (config.rocmSupport && config.cudaSupport) (lib.concatStrings [
    "both `nixpkgs.config.rocmSupport` and `nixpkgs.config.cudaSupport` are enabled, "
    "but they are mutually exclusive; falling back to cpu"
  ]) (!(config.rocmSupport && config.cudaSupport));
  shouldEnable =
    mode: fallback: (acceleration == mode) || (fallback && acceleration == null && validateFallback);
  rocmRequested = shouldEnable "rocm" config.rocmSupport;
  cudaRequested = shouldEnable "cuda" config.cudaSupport;
  enableRocm = rocmRequested && stdenv.isLinux;
  enableCuda = cudaRequested && stdenv.isLinux;
  rocmLibs = [
    rocmPackages.clr
    rocmPackages.hipblas
    rocmPackages.rocblas
    rocmPackages.rocsolver
    rocmPackages.rocsparse
    rocmPackages.rocm-device-libs
    rocmPackages.rocm-smi
  ];
  rocmClang = linkFarm "rocm-clang" { llvm = rocmPackages.llvm.clang; };
  rocmPath = buildEnv {
    name = "rocm-path";
    paths = rocmLibs ++ [ rocmClang ];
  };
  cudaLibs = [
    cudaPackages.cuda_cudart
    cudaPackages.libcublas
    cudaPackages.cuda_cccl
  ];
  cudaToolkit = buildEnv {
    name = "cuda-merged";
    paths = map lib.getLib cudaLibs ++ [
      (lib.getOutput "static" cudaPackages.cuda_cudart)
      (lib.getBin (cudaPackages.cuda_nvcc.__spliced.buildHost or cudaPackages.cuda_nvcc))
    ];
  };
  metalFrameworks = with darwin.apple_sdk_11_0.frameworks; [
    Accelerate
    Metal
    MetalKit
    MetalPerformanceShaders
  ];
  wrapperOptions =
    [
      # ollama embeds llama-cpp binaries which actually run the ai models
      # these llama-cpp binaries are unaffected by the ollama binary's DT_RUNPATH
      # LD_LIBRARY_PATH is temporarily required to use the gpu
      # until these llama-cpp binaries can have their runpath patched
      "--suffix LD_LIBRARY_PATH : '${addDriverRunpath.driverLink}/lib'"
      "--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib extraLibraries)}'"
    ]
    ++ lib.optionals enableRocm [
      "--suffix LD_LIBRARY_PATH : '${rocmPath}/lib'"
      "--set-default HIP_PATH '${rocmPath}'"
    ]
    ++ lib.optionals enableCuda [
      "--suffix LD_LIBRARY_PATH : '${lib.makeLibraryPath (map lib.getLib cudaLibs)}'"
    ];
  wrapperArgs = builtins.concatStringsSep " " wrapperOptions;
  goBuild =
    if enableCuda then buildGoModule.override { stdenv = overrideCC stdenv gcc11; } else buildGoModule;
  inherit (lib) licenses platforms maintainers;
 in
 goBuild {
  inherit
    pname
    version
    src
    vendorHash
    ;
  env =
    lib.optionalAttrs enableRocm {
      ROCM_PATH = rocmPath;
      CLBlast_DIR = "${clblast}/lib/cmake/CLBlast";
    }
    // lib.optionalAttrs enableCuda { CUDA_LIB_DIR = "${cudaToolkit}/lib"; }
    // {
      CMAKE_CUDA_ARCHITECTURES = "35;37";
    };
  nativeBuildInputs =
    [ cmake ]
    ++ lib.optionals enableRocm [ rocmPackages.llvm.bintools ]
    ++ lib.optionals enableCuda [ cudaPackages.cuda_nvcc ]
    ++ lib.optionals (enableRocm || enableCuda) [
      makeWrapper
      autoAddDriverRunpath
    ]
    ++ lib.optionals stdenv.isDarwin metalFrameworks;
  buildInputs =
    lib.optionals enableRocm (rocmLibs ++ [ libdrm ])
    ++ lib.optionals enableCuda cudaLibs
    ++ lib.optionals stdenv.isDarwin metalFrameworks;
  patches = [
    # disable uses of `git` in the `go generate` script
    # ollama's build script assumes the source is a git repo, but nix removes the git directory
    # this also disables necessary patches contained in `ollama/llm/patches/`
    # those patches are applied in `postPatch`
    ./disable-git.patch
  ];
  postPatch = ''
    # replace inaccurate version number with actual release version
    substituteInPlace version/version.go --replace-fail 0.0.0 '${version}'
    # apply ollama's patches to `llama.cpp` submodule
    for diff in llm/patches/*; do
      patch -p1 -d llm/llama.cpp < $diff
    done
  '';
  overrideModAttrs = _: _: {
    # don't run llama.cpp build in the module fetch phase
    preBuild = "";
  };
  preBuild = ''
    # disable uses of `git`, since nix removes the git directory
    export OLLAMA_SKIP_PATCHING=true
    # build llama.cpp libraries for ollama
    go generate ./...
  '';
  postFixup =
    ''
      # the app doesn't appear functional at the moment, so hide it
      mv "$out/bin/app" "$out/bin/.ollama-app"
    ''
    + lib.optionalString (enableRocm || enableCuda) ''
      # expose runtime libraries necessary to use the gpu
      wrapProgram "$out/bin/ollama" ${wrapperArgs}
    '';
  ldflags = [
    "-s"
    "-w"
    "-X=github.com/ollama/ollama/version.Version=${version}"
    "-X=github.com/ollama/ollama/server.mode=release"
    "-X=github.com/ollama/ollama/gpu.CudaComputeMajorMin=3"
    "-X=github.com/ollama/ollama/gpu.CudaComputeMinorMin=5"
  ];
  passthru = {
    tests =
      {
        inherit ollama;
        version = testers.testVersion {
          inherit version;
          package = ollama;
        };
      }
      // lib.optionalAttrs stdenv.isLinux {
        inherit ollama-rocm ollama-cuda;
        service = nixosTests.ollama;
        service-cuda = nixosTests.ollama-cuda;
        service-rocm = nixosTests.ollama-rocm;
      };
    updateScript = nix-update-script { };
  };
  meta = {
    description =
      "Get up and running with large language models locally"
      + lib.optionalString rocmRequested ", using ROCm for AMD GPU acceleration"
      + lib.optionalString cudaRequested ", using CUDA for NVIDIA GPU acceleration";
    homepage = "https://github.com/ollama/ollama";
    changelog = "https://github.com/ollama/ollama/releases/tag/v${version}";
    license = licenses.mit;
    platforms = if (rocmRequested || cudaRequested) then platforms.linux else platforms.unix;
    mainProgram = "ollama";
    maintainers = with maintainers; [
      abysssol
      dit7ya
      elohmeier
      roydubnium
    ];
  };
 }
--- a/Show more
+++ b/Show more
		`@ -1,2 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ`
		`@ -1,2 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F`
			ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=
		`@ -1,2 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5`
		`@ -1 +0,0 @@`
			`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris`