feat(nat): enabling for dgnum members for tests

For a router01.

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>

.forgejo/workflows/eval.yaml

@@ -9,6 +9,16 @@ on:
       - main
 
 jobs:
+  build_krz01:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Build krz01
+        run: |
+          # Enter the shell
+          nix-shell --run 'colmena build --on krz01'
+
   build_compute01:
     runs-on: nix
     steps:
@@ -99,6 +109,27 @@ jobs:
           # Enter the shell
           nix-shell --run 'colmena build --on bridge01'
 
+  push_to_cache_krz01:
+    runs-on: nix
+    needs:
+      - build_krz01
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Push to cache
+        run: nix-shell --run push-to-nix-cache
+        env:
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
+          STORE_USER: "admin"
+          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+          NODES: '[ "krz01" ]'
+
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: outputs_krz01
+          path: uploaded.txt
+
   push_to_cache_compute01:
     runs-on: nix
     needs:
@@ -204,6 +235,27 @@ jobs:
           name: outputs_geo02
           path: uploaded.txt
 
+  push_to_cache_vault01:
+    runs-on: nix
+    needs:
+      - build_vault01
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Push to cache
+        run: nix-shell --run push-to-nix-cache
+        env:
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
+          STORE_USER: "admin"
+          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+          NODES: '[ "vault01" ]'
+
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: outputs_vault01
+          path: uploaded.txt
+
   push_to_cache_web01:
     runs-on: nix
     needs:

README.md

@@ -9,6 +9,21 @@ You're expected to read this document before commiting to the repo.
 
 Some documentation for the development tools are provided in the aforementioned file.
 
+# Using the binary cache
+
+Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
+```
+{ lib, ... }:
+let
+  dgnum-infra = PINNED_PATH_TO_INFRA;
+in {
+  nix.settings = (import dgnum-infra { }).mkCacheSettings {
+    caches = [ "infra" ];
+  };
+}
+```
+
+
 # Adding a new machine
 
 The first step is to create a minimal viable NixOS host, using tha means necessary.

default.nix

@@ -49,7 +49,7 @@ let
         enable = true;
         stages = [ "pre-push" ];
         settings.ignore = [
-          "lon.nix"
+          "**/lon.nix"
           "**/npins"
         ];
       };
@@ -76,6 +76,8 @@ in
 
   dns = import ./meta/dns.nix;
 
+  mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
+
   shells = {
     default = pkgs.mkShell {
       name = "dgnum-infra";
@@ -85,7 +87,6 @@ in
           version = "1.8.0-unstable";
           src = builtins.storePath sources.nixos-generators;
         }))
-        pkgs.attic-client
         pkgs.npins
 
         (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })

iso/configuration.nix

@@ -11,7 +11,7 @@ in
 
   boot = {
     blacklistedKernelModules = [ "snd_pcsp" ];
-    kernelPackages = pkgs.linuxPackages_6_1;
+    kernelPackages = pkgs.linuxPackages_latest;
     tmp.cleanOnBoot = true;
 
     loader = {
@@ -22,6 +22,7 @@ in
     supportedFilesystems = [
       "exfat"
       "zfs"
+      "bcachefs"
     ];
 
     swraid.enable = lib.mkForce false;

keys/machines/krz01.keys

@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4o65gWOgNrxbSd3kiQIGZUM+YD6kuZOQtblvzUGsfB root@krz01
+

machines/compute01/_configuration.nix

@@ -1,16 +1,19 @@
 { lib, ... }:
 
 lib.extra.mkConfig {
+  # List of modules to enable
   enabledModules = [
-    # List of modules to enable
+    # INFO: This list needs to stay sorted alphabetically
     "dgn-backups"
+    "dgn-chatops"
     "dgn-web"
   ];
 
+  # List of services to enable
   enabledServices = [
-    # List of services to enable
+    # INFO: This list needs to stay sorted alphabetically
     "arkheon"
-    "signal-irc-bridge"
+    "dgsi"
     "ds-fr"
     "grafana"
     "hedgedoc"
@@ -23,8 +26,10 @@ lib.extra.mkConfig {
     "postgresql"
     "rstudio-server"
     "satosa"
+    "signal-irc-bridge"
     "signald"
     "stirling-pdf"
+    "takumi"
     "telegraf"
     "vaultwarden"
     "zammad"

machines/compute01/dgsi/default.nix

@@ -0,0 +1,222 @@
+{
+  config,
+  lib,
+  pkgs,
+  utils,
+  sources,
+  ...
+}:
+
+let
+  inherit (lib) toLower;
+
+  python =
+    let
+      python3 = pkgs.python312;
+      nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
+    in
+    python3.override {
+      packageOverrides = _: _: {
+        inherit (nix-pkgs)
+          django-allauth
+          django-allauth-cas
+          django-browser-reload
+          django-bulma-forms
+          django-sass-processor
+          django-sass-processor-dart-sass
+          django-unfold
+          pykanidm
+          python-cas
+          loadcredential
+          xlwt
+          ;
+      };
+    };
+
+  pythonEnv = python.withPackages (
+    ps:
+    [
+      ps.django
+      ps.gunicorn
+      ps.psycopg
+      ps.django-compressor
+      ps.django-import-export
+
+      # Local packages
+      ps.django-allauth
+      ps.django-allauth-cas
+      ps.django-browser-reload
+      ps.django-bulma-forms
+      ps.django-sass-processor
+      ps.django-sass-processor-dart-sass
+      ps.django-unfold
+      ps.loadcredential
+      ps.pykanidm
+      ps.python-cas
+    ]
+    ++ ps.django-allauth.optional-dependencies.saml
+  );
+
+  staticDrv = pkgs.stdenv.mkDerivation {
+    name = "dgsi-static";
+
+    src = sources.dgsi;
+    sourceRoot = "source/src";
+
+    nativeBuildInputs = [
+      pkgs.dart-sass
+      pythonEnv
+    ];
+
+    configurePhase = ''
+      export DGSI_STATIC_ROOT=$out/static
+      export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
+      export DGSI_KANIDM_CLIENT="dgsi_test"
+      export DGSI_KANIDM_AUTH_TOKEN="fake.token"
+      export DGSI_X509_KEY=""
+      export DGSI_X509_CERT=""
+    '';
+
+    doBuild = false;
+
+    installPhase = ''
+      mkdir -p $out/static
+      python3 manage.py compilescss
+      python3 manage.py collectstatic
+    '';
+  };
+in
+
+{
+  users = {
+    users.nginx.extraGroups = [ "django-apps" ];
+    groups.django-apps = { };
+  };
+
+  systemd = {
+    services = {
+      dj-dgsi = {
+        description = "DGSI web app";
+
+        requires = [ "dj-dgsi.socket" ];
+        wantedBy = [ "multi-user.target" ];
+        after = [
+          "network.target"
+          "postgresql.service"
+        ];
+
+        serviceConfig = {
+          DynamicUser = true;
+          LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [
+            "EMAIL_HOST_PASSWORD"
+            "KANIDM_AUTH_TOKEN"
+            "KANIDM_SECRET"
+            "SECRET_KEY"
+            "X509_CERT"
+            "X509_KEY"
+          ];
+          RuntimeDirectory = "django-apps/dgsi";
+          StateDirectory = "django-apps/dgsi";
+          UMask = "0027";
+          User = "dj-dgsi";
+          Group = "django-apps";
+          WorkingDirectory = sources.dgsi;
+          ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -s HUP $MAINPID";
+          KillMode = "mixed";
+          Type = "notify";
+          ExecStart = utils.escapeSystemdExecArgs [
+            (lib.getExe' pythonEnv "gunicorn")
+            "--workers"
+            4
+            "--bind"
+            "unix:/run/django-apps/dgsi.sock"
+            "--pythonpath"
+            "src"
+            "app.wsgi"
+          ];
+        };
+
+        environment = {
+          DGSI_ALLOWED_HOSTS = builtins.toJSON [
+            "profil.dgnum.eu"
+            "dgsi.dgnum.eu"
+          ];
+
+          DGSI_EMAIL_HOST = "kurisu.lahfa.xyz";
+          DGSI_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
+          DGSI_EMAIL_USE_SSL = builtins.toJSON true;
+          DGSI_FROM_EMAIL = "La Délégation Générale Numérique <noreply@infra.dgnum.eu>";
+          DGSI_SERVER_EMAIL = "dgsi@infra.dgnum.eu";
+
+          DGSI_KANIDM_CLIENT = "dgsi";
+          DGSI_KANIDM_URI = "https://sso.dgnum.eu";
+
+          DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
+          DGSI_STATIC_ROOT = "${staticDrv}/static";
+
+          DGSI_DATABASES = builtins.toJSON {
+            default = {
+              ENGINE = "django.db.backends.postgresql";
+              NAME = "dj-dgsi";
+            };
+          };
+          DJANGO_SETTINGS_MODULE = "app.settings";
+        };
+
+        path = [ pythonEnv ];
+
+        preStart = ''
+          python3 src/manage.py migrate --no-input
+        '';
+      };
+    };
+
+    sockets."dj-dgsi" = {
+      description = "Socket for the DGSI Django Application";
+      wantedBy = [ "sockets.target" ];
+
+      socketConfig = {
+        ListenStream = "/run/django-apps/dgsi.sock";
+        SocketMode = "600";
+        SocketUser = config.services.nginx.user;
+      };
+    };
+
+    mounts = [
+      {
+        where = "/run/django-apps/dgsi/media";
+        what = "/var/lib/django-apps/dgsi/media";
+        options = "bind";
+
+        after = [ "dj-dgsi.service" ];
+        partOf = [ "dj-dgsi.service" ];
+        upheldBy = [ "dj-dgsi.service" ];
+      }
+    ];
+  };
+
+  dgn-redirections.permanent."dgsi.dgnum.eu" = "profil.dgnum.eu";
+
+  services = {
+    postgresql = {
+      ensureDatabases = [ "dj-dgsi" ];
+      ensureUsers = [
+        {
+          name = "dj-dgsi";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    nginx.virtualHosts."profil.dgnum.eu" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations = {
+        "/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
+        "/static/".root = staticDrv;
+        "/media/".root = "/run/django-apps/dgsi";
+      };
+    };
+  };
+}

machines/compute01/nextcloud.nix

@@ -55,7 +55,7 @@ in
       "opcache.max_accelerated_files" = "10000";
       "opcache.memory_consumption" = "128";
       "opcache.revalidate_freq" = "1";
-      "opcache.fast_shutdown" = "1";
+      "opcache.fast_shutdown" = "0";
       "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
       catch_workers_output = "yes";
     };

machines/compute01/secrets/dgsi-email_host_password_file

@@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
+oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
+-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
+bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
+-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
+HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
+-> ssh-rsa krWCLQ
+k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
+re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
+eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
+AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
++QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
+DdkJAqSrNkHianC5MEGgpA
+-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
+C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
+-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
+iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
+-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
+uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
+-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
+xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
+-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
+5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
+-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
+HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
+--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
+ｻ<EFBFBD>虎 <20><>ｩ煩	ﾈ9<1猤ｶﾜ簒<EFBE9C>pWJSWpsV/ﾑ#<23>ｳﾘ9ﾀ{ﾀﾟcHB<><42><EFBFBD>5<EFBFBD>ｬ^ｧ

machines/compute01/secrets/dgsi-kanidm_secret_file

@@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA zSfj75mxEod8RszD4XGaFIeMvcLnBgUHShIW5yFPdiE
+YXaCFZ07BMzehG/PCUFDEzRy+y4c+IESO9kcLx+eG8M
+-> ssh-ed25519 QlRB9Q 39DPdLnRMs5YSQOr/rY2nXO/8s/oCnYDkRex51tZayw
+W3GbNP7qbgW2b0RoZmcWH0kLtQaIV50APGcntjMfn8o
+-> ssh-ed25519 r+nK/Q dnX8kPKvyHS5U1N52QTDwonaHbBh8sv2DPBL1PoBO2E
+mxduSFeWB4tJlrHDEthNKGv/vxzeWUtNwq1b2nDP6Z0
+-> ssh-rsa krWCLQ
+QN1OOmCREY2LljXm0+TAsOSkjIQ0RXyX8w5TVOOus5QAt1WTJan/mm4X1SviWqmn
+UFDIeCoG2l5tBSyZr4VpnDeq7koWRA2eC7WnwWW47PQIRFSyjf+sy00rGR9kxVuL
+1M9gsAGa5sud/PvmgSPSLsGhhrPsH/ZxN9beyIXIwmssmjN34KygUz9+u4T8IkVz
+oxdq75LMzE2o0gcgC1EZ5+rDq0NSPQ9+1KgqwJuKlLKRXGdudgaVEUxX60g2ZnkX
+8fNEgxqEkQ5MNnPfwbVumF6SWmMWyZSJ0rwHC94O1RdRNDcD3yKimuBmNSv2X+3L
+cS3kE9LfNst2zBKHBGBOHQ
+-> ssh-ed25519 /vwQcQ ZD8aiyO6fWEM9zG0iPP1/lftRPNl+mmFLHvGxVpSWzg
+ZcTmN8zSHz8iLQmCLTZCdaqX5En/KrciR8KHwoXl8t0
+-> ssh-ed25519 0R97PA xLQYBS5ozP1e4NWVa9yahN2OQB0Luw7mm3nBYdoHyRI
+SKTRzLfGNFQ9fSX8ZFkKIYPZ4If5QrxcmSoBoGVG2Xk
+-> ssh-ed25519 JGx7Ng XPo1QJ8OS/ShEAaXWwzZCS1p5/C6mLNlk4Us63YTVQ8
+HGbfr8WBfCDKnIlATAeiE6JcLWCbn64vn1Cg7i9QGbA
+-> ssh-ed25519 5SY7Kg CFpRcZmZ7DTspxkmdD8x7dRh1mqOHpTF7GzW5xBtLxw
+n1n6/Ciwwo4rb3Cb6Yv/b1dHSvVAbCuDZ52maNpCexg
+-> ssh-ed25519 p/Mg4Q km6ZjasKtOlaQL8rdVXkjRP4sooql15PrW0lz6YZaDg
+Yrpi65IC3RJS3YSAChKjVyvowGxxmSPFkwa6CXUYVZ4
+-> ssh-ed25519 tDqJRg au3x6e4L1os7OH4WXbdST74LhMsHPjP6KYrTWKUc1i8
+zxKFk51MteTETWEu8peSH/lninM3zZkQi+Xjx5OQMTU
+-> l$R6Y:c1-grease
+MY0HS+ErZAtAhg
+--- w+3gxmkrZ+xxSAQHbERgvsqur0v6k2/U0KUsfegRGcI
+7Ú”gpò7šæ«¹Š\Š
E„àø~Â$±\¹Ä”Q„™H‹R¥˜Èî¼¼2'k4Ž¥zÿqȦì'ÍNò!{‹@qx΋,ƒ+iTû

machines/compute01/secrets/dgsi-secret_key_file

@@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY
+7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k
+-> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI
+BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4
+-> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc
+WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo
+-> ssh-rsa krWCLQ
+GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e
+fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7
+j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf
+MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN
+tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn
+gU32t9qy5EvTbzliWpAvxw
+-> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY
+mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g
+-> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik
+QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w
+-> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI
+E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo
+-> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8
+x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s
+-> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA
+TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE
+-> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM
+SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU
+-> `--grease N]PH
+fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K
+7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A
+--- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk
+:È/Àn	ž±Ý§¦p=fu²hã–T¶ÅêF—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.<2E>uŸ‰’…m3Ü&<26>g¤(ö<>5۶Û

machines/compute01/secrets/secrets.nix

@@ -6,9 +6,15 @@ in
 lib.setDefault { inherit publicKeys; } [
   "arkheon-env_file"
   "bupstash-put_key"
+  "dgsi-email_host_password_file"
+  "dgsi-kanidm_auth_token_file"
+  "dgsi-kanidm_secret_file"
+  "dgsi-secret_key_file"
+  "dgsi-x509_cert_file"
+  "dgsi-x509_key_file"
   "ds-fr-secret_file"
-  "grafana-smtp_password_file"
   "grafana-oauth_client_secret_file"
+  "grafana-smtp_password_file"
   "hedgedoc-environment_file"
   "librenms-database_password_file"
   "librenms-environment_file"

machines/compute01/stirling-pdf/default.nix

@@ -1,7 +1,16 @@
 { nixpkgs, ... }:
 
 let
-  dgn-id = "f756a0f47e704db815a7af6786f6eb0aec628d6b";
+  ###
+  # How to update:
+  # - clone https://git.dgnum.eu/DGNum/Stirling-PDF
+  # - switch to the branch dgn-v0.X.Y where X.Y is the version in production
+  # - fetch upstream changes up to the tagged release in nixos-unstable
+  # - rebase onto the upstream branch, so that the last commit is "feat: Add DGNum customization"
+  # - push to a new branch dgn-v0.A.B where A.B is the new version
+  # - finally, update the commit hash of the customization patch
+
+  dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
 in
 
 {

machines/compute01/takumi.nix

@@ -0,0 +1 @@
+_: { dgn-chatops.enable = true; }

machines/krz01/_configuration.nix

@@ -0,0 +1,31 @@
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # INFO: This list needs to stay sorted alphabetically
+  ];
+
+  enabledServices = [
+    # INFO: This list needs to stay sorted alphabetically
+    # TODO: re-enable me when #139 is merged. "proxmox"
+    "nvidia-tesla-k80"
+    "microvm-router01"
+  ];
+
+  extraConfig = {
+    microvm.host.enable = true;
+    dgn-hardware = {
+      useZfs = true;
+      zfsPools = [
+        "dpool"
+        "ppool0"
+      ];
+    };
+
+    services.netbird.enable = true;
+
+    users.users.root.hashedPassword = "$y$j9T$eNZQgDN.J5y7KTG2hXgat1$J1i5tjx5dnSZu.C9B7swXi5zMFIkUnmRrnmyLHFAt8/";
+  };
+
+  root = ./.;
+}

machines/krz01/_hardware-configuration.nix

@@ -0,0 +1,50 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ehci_pci"
+        "ahci"
+        "mpt3sas"
+        "usbhid"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/92bf4d66-2693-4eca-9b26-f86ae09d468d";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."mainfs" = {
+    device = "/dev/disk/by-uuid/26f9737b-28aa-4c3f-bd3b-b028283cef88";
+    keyFileSize = 1;
+    keyFile = "/dev/zero";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/280C-8844";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machines/krz01/microvm-router01.nix

@@ -0,0 +1,16 @@
+_: {
+  microvm.autostart = [ "router01" ];
+  microvm.vms.router01 = {
+    config = {
+      networking.hostName = "router01";
+      microvm.shares = [
+        {
+          source = "/nix/store";
+          mountPoint = "/nix/.ro-store";
+          tag = "ro-store";
+          proto = "virtiofs";
+        }
+      ];
+    };
+  };
+}

machines/krz01/nvidia-tesla-k80.nix

@@ -0,0 +1,5 @@
+{ config, ... }:
+{
+  # Tesla K80 is not supported by the latest driver.
+  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages_legacy_470;
+}

machines/krz01/proxmox/default.nix

@@ -0,0 +1,14 @@
+{ sources, lib, ... }:
+let
+  proxmox-nixos = import sources.proxmox-nixos;
+in
+{
+  imports = [ proxmox-nixos.nixosModules.proxmox-ve ];
+  services.proxmox-ve.enable = true;
+  nixpkgs.overlays = [ proxmox-nixos.overlays.x86_64-linux ];
+  networking.firewall = {
+    trustedInterfaces = [ "wt0" ];
+    allowedTCPPorts = lib.mkForce [ 22 ];
+  };
+
+}

machines/krz01/secrets/secrets.nix

@@ -0,0 +1,5 @@
+let
+  lib = import ../../../lib { };
+in
+
+lib.setDefault { publicKeys = lib.getNodeKeys "krz01"; } [ ]

machines/storage01/_configuration.nix

@@ -9,7 +9,6 @@ lib.extra.mkConfig {
 
   enabledServices = [
     # List of services to enable
-    "atticd"
     "tvix-cache"
     "forgejo"
     "forgejo-runners"
@@ -18,6 +17,7 @@ lib.extra.mkConfig {
     "netbird"
     "peertube"
     "prometheus"
+    "redirections"
   ];
 
   extraConfig = {

machines/storage01/atticd.nix

@@ -1,82 +0,0 @@
-{ config, nixpkgs, ... }:
-
-let
-  host = "cachix.dgnum.eu";
-in
-{
-  services = {
-    atticd = {
-      enable = true;
-
-      credentialsFile = config.age.secrets."atticd-credentials_file".path;
-
-      settings = {
-        listen = "127.0.0.1:9099";
-        api-endpoint = "https://${host}/";
-
-        allowed-hosts = [ host ];
-
-        chunking = {
-          # The minimum NAR size to trigger chunking
-          #
-          # If 0, chunking is disabled entirely for newly-uploaded NARs.
-          # If 1, all NARs are chunked.
-          nar-size-threshold = 0; # 64 KiB
-
-          # The preferred minimum size of a chunk, in bytes
-          min-size = 16 * 1024; # 16 KiB
-
-          # The preferred average size of a chunk, in bytes
-          avg-size = 64 * 1024; # 64 KiB
-
-          # The preferred maximum size of a chunk, in bytes
-          max-size = 256 * 1024; # 256 KiB
-        };
-
-        database.url = "postgresql://atticd?host=/run/postgresql";
-
-        storage = {
-          type = "s3";
-          region = "garage";
-          bucket = "attic-dgnum";
-          endpoint = "https://s3.dgnum.eu";
-        };
-      };
-
-      useFlakeCompatOverlay = false;
-      package = nixpkgs.unstable.attic-server;
-    };
-
-    nginx = {
-      enable = true;
-
-      virtualHosts.${host} = {
-        enableACME = true;
-        forceSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:9099";
-
-          extraConfig = ''
-            client_max_body_size 10G;
-          '';
-        };
-      };
-    };
-
-    postgresql = {
-      enable = true;
-
-      ensureDatabases = [ "atticd" ];
-
-      ensureUsers = [
-        {
-          name = "atticd";
-          ensureDBOwnership = true;
-        }
-      ];
-    };
-  };
-
-  systemd.services.atticd.environment.RUST_LOG = "warn";
-}

machines/storage01/garage.nix

@@ -8,15 +8,18 @@ let
   metadata_dir = "/data/fast/garage/meta";
 
   domains = [
-    "boussole-sante.normalesup.eu"
-    "simi.normalesup.eu"
     "bandarretdurgence.ens.fr"
+    "boussole-sante.normalesup.eu"
+    "lanuit.ens.fr"
+    "simi.normalesup.eu"
   ];
 
   buckets = [
-    "castopod-dgnum"
-    "peertube-videos-dgnum"
     "banda-website"
+    "castopod-dgnum"
+    "hackens-website"
+    "nuit-website"
+    "peertube-videos-dgnum"
   ] ++ domains;
 
   mkHosted = host: builtins.map (b: "${b}.${host}");
@@ -25,14 +28,14 @@ in
   services.garage = {
     enable = true;
 
-    package = pkgs.garage_0_9;
+    package = pkgs.garage_1_0_1;
 
     settings = {
       inherit data_dir metadata_dir;
 
       db_engine = "lmdb";
 
-      replication_mode = "none";
+      replication_mode = "none"; # TODO: deprecated
       compression_level = 7;
 
       rpc_bind_addr = "[::]:3901";
@@ -64,7 +67,7 @@ in
       data_dir
       metadata_dir
     ];
-    TimeoutSec = 3000;
+    TimeoutSec = 600;
   };
 
   users.users.garage = {

machines/storage01/redirections.nix

@@ -0,0 +1,9 @@
+{
+  dgn-redirections = {
+    permanent = {
+      "www.lanuit.ens.fr" = "lanuit.ens.fr";
+      "lanuit.ens.psl.eu" = "lanuit.ens.fr";
+      "www.lanuit.ens.psl.eu" = "lanuit.ens.fr";
+    };
+  };
+}

machines/storage01/secrets/atticd-credentials_file

@@ -1,30 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 jIXfPA HECtxDO0OV6To/Qs3A+2N8+3xqsHp6pz6d4ArgsgXS4
-mnmDwWZ6d1aW5Qejzv2Jo112ee78wKVx90R7r5wQbYo
--> ssh-ed25519 QlRB9Q Rx3bV/DkoCCvQCMwJGOfibG8Rif5Ap+W6EqWlFOhUQc
-jxEFUWqxedwIK3mNyOG+5dyFFZbJZ3XNFXnk0fe0vyw
--> ssh-ed25519 r+nK/Q J591Cg/4oP26LT7Tl/wrdDipR/gpg1WMsiKJN0ygbjw
-WToE5xtuF2FOqtvRgz1SZStYGjTsKRxguIioan+vluU
--> ssh-rsa krWCLQ
-hhp33AzK6wYWM6k7ZroV0J5i8C5MQXjQY9sksPQdABRQUd6XTmYOIOdA0ste0EA9
-hqbbHQwbFy0oE/QKfnUZWbgJo5Us1DWKxip55L875CPfVcmxvC2ADRO5JKKNkQa/
-P4zBALPqf+BXrafcGN4hT8D9gywIWdQ2zPSpKbJE+OdPcUrBVH/ndMUVoLfTEKL9
-B3XgqRvLNkgsdu7FMEPnelWT3WrxkBME7AathdXcEYXSxiTmaKqxDzRtcNLdh+y2
-6XfQU6lLMT+WWPD/Ro7UzLrWUnFJMYK0SinkOuX+PKxMq95lCc5kI3tZ7JL7bC5E
-vBGnX9w0unyR//LLqrOPWA
--> ssh-ed25519 /vwQcQ eYSTWAYs/L+cYt/16TrKaIqoc9TFJQncM02Vd8hOg3A
-lWalXa1ZBtrjXOB+sznWCjStFHF4ulLaBilEc3b7qWc
--> ssh-ed25519 0R97PA 78K7uF/mXT4pgTbnmfpyxY2czgs+DNueusuatUx7MCQ
-C/pWPdVCWZuHFuM5fzJHdGZomM3Wbt22iwfLbLSznh0
--> ssh-ed25519 JGx7Ng xFzEGNVIiC0cXCbcSKUfmVLAdRBH7xu6/2E7nVoRwjI
-+TgvIl03KGm5N55+jGc7UcyRHjMvAFm3Kbvx5Ma4HQ4
--> ssh-ed25519 5SY7Kg 7YO/crKVWSsr3Hy5HPr0/R3oPdCA2kWduZYeSlcxGnI
-N0IpdylU+3ybInseGSKPONxeNr8mh/ZlBGCvY2c0WTA
--> ssh-ed25519 p/Mg4Q y1ekwzz3sSHGrLmb0NqF6VWfalARy+PykE77hVqD7Xc
-0s9QrDsLH6XdzetyIXJEB2MrwwUi8CDpu7SEemm8zJ4
--> ssh-ed25519 rHotTw 7SMzV/pEmDISPL/fMjafXM3URZpbUPTg+9AngZ0GZTc
-eIi1+i9JVBLvfQMkmMv5S0N8qgwVtyklX/J+6MdtlSc
---- Gjl7lNWG9gyMlg256Oa5i5bFLm1Cup1upjsEDVurgDo
-uÂ;.ÿñË>pÔïÑ–<C391>òh¸<68>2ÎŒ›}£PJ4èú‘©‰Ñ×íè==#¯¾Úÿ¹8e¤UÊÉŠÇ$1»!–z<E28093>jlA‡[@;ò‚s®<>ŒÉáAB±á-§Rå=È0Ò·d“ðµú†Ê¢þ{«ÒF¹—h›ò–à ù@%ˆŠä´›|×{	¢åeÚÝÛ¯âøsbë«]Óèå¨ø.m8 8Bn"(Ûæ¤âïW½í!zxn\Ã(5:ïíÒÞ-ZD’ËÇÃ)}HŠü˜¦×ál}Sƒ‘˜ëFrn
-øL¦-wÉÑ—¼j)ê	â¶èÐ&:¥îÓCÞÆ2ÝÒÅÀÏB»ÛzïàŽŸt•WÍ!£8|lïí0
-¾¸y8óÃkñbÔy×ËäÏ臃‹¹·k’¤¨ÉÍ™ê°n/-’'ÃZ<C383>ÅŸ
 ¾îƾ\Ûâê‰ù†uŸÍeu®"E ±/d

machines/storage01/secrets/secrets.nix

@@ -3,7 +3,6 @@ let
   publicKeys = lib.getNodeKeys "storage01";
 in
 lib.setDefault { inherit publicKeys; } [
-  "atticd-credentials_file"
   "bupstash-put_key"
   "forgejo-mailer_password_file"
   "forgejo_runners-token_file"

machines/storage01/tvix-cache/cache-settings.nix

@@ -0,0 +1,14 @@
+let
+  cache-info = {
+    infra = {
+      public-key = "infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=";
+      url = "https://tvix-store.dgnum.eu/infra";
+    };
+  };
+in
+
+{ caches }:
+{
+  trusted-substituters = builtins.map (cache: cache-info.${cache}.url) caches;
+  trusted-public-keys = builtins.map (cache: cache-info.${cache}.public-key) caches;
+}

machines/storage01/tvix-cache/default.nix

@@ -1,9 +1,13 @@
 { pkgs, config, ... }:
 let
-  settingsFormat = pkgs.formats.toml { };
-
-  dataDir = "/data/slow/tvix-store";
 
+  # How to add a cache:
+  #  - Add the relevant services (likely only a pathinfoservice) to the
+  #    composition config (store-config.composition).
+  #  - Add an endpoint (store-config.endpoints).
+  #  - Append a proxy configuration to nginx in order to make the store
+  #    accessible.
+  #  - Update cache-info.nix so users can add the cache to their configuration
   store-config = {
     composition = {
       blobservices.default = {
@@ -12,22 +16,17 @@ let
         object_store_options = { };
       };
       directoryservices = {
-        sled = {
+        redb = {
-          type = "sled";
+          type = "redb";
           is_temporary = false;
-          path = "${dataDir}/directory.sled";
+          path = "${dataDir}/directory.redb";
-        };
-        object = {
-          type = "objectstore";
-          object_store_url = "file://${dataDir}/directory.objectstore";
-          object_store_options = { };
         };
       };
       pathinfoservices = {
         infra = {
-          type = "sled";
+          type = "redb";
           is_temporary = false;
-          path = "${dataDir}/pathinfo.sled";
+          path = "${dataDir}/pathinfo.redb";
         };
         infra-signing = {
           type = "keyfile-signing";
@@ -41,24 +40,31 @@ let
       "127.0.0.1:8056" = {
         endpoint_type = "Http";
         blob_service = "default";
-        directory_service = "object";
+        directory_service = "redb";
         path_info_service = "infra";
       };
       "127.0.0.1:8058" = {
         endpoint_type = "Http";
         blob_service = "default";
-        directory_service = "object";
+        directory_service = "redb";
         path_info_service = "infra-signing";
       };
       # Add grpc for management and because it is nice
       "127.0.0.1:8057" = {
         endpoint_type = "Grpc";
         blob_service = "default";
-        directory_service = "object";
+        directory_service = "redb";
         path_info_service = "infra";
       };
     };
   };
+
+  settingsFormat = pkgs.formats.toml { };
+
+  webHost = "tvix-store.dgnum.eu";
+
+  dataDir = "/data/slow/tvix-store";
+
   systemdHardening = {
     PrivateDevices = true;
     PrivateTmp = true;
@@ -75,10 +81,12 @@ let
     RuntimeDirectoryMode = "0750";
     StateDirectoryMode = "0750";
   };
+
   toml = {
     composition = settingsFormat.generate "composition.toml" store-config.composition;
     endpoints = settingsFormat.generate "endpoints.toml" store-config.endpoints;
   };
+
   package = pkgs.callPackage ./package { };
 in
 {
@@ -88,7 +96,7 @@ in
     "nginx"
   ];
 
-  services.nginx.virtualHosts."tvix-store.dgnum.eu" = {
+  services.nginx.virtualHosts.${webHost} = {
     enableACME = true;
     forceSSL = true;
     locations = {
@@ -110,14 +118,12 @@ in
           auth_basic_user_file ${config.age.secrets."nginx-tvix-store-password-ci".path};
         '';
       };
-      "/.well-known/nix-signing-keys/" = {
-        alias = "${./pubkeys}/";
-        extraConfig = "autoindex on;";
-      };
     };
   };
+
   # TODO add tvix-store cli here
   # environment.systemPackages = [ ];
+
   users.users.tvix-store = {
     isSystemUser = true;
     group = "tvix-store";

machines/storage01/tvix-cache/package/default.nix

@@ -5,11 +5,11 @@
   runCommand,
 }:
 let
-  tvix-hash = "sha256-KNl+Lv0aMqSFVFt6p/GdmNDddzccW4wKfZB7W6Gv5F0=";
+  tvix-hash = "sha256-It3brj6SX+9OIGyKsITnNLjzDnB7CBCZDS+S7arRiWY=";
   tvix-src = fetchgit {
     name = "tvix";
     url = "https://git.dgnum.eu/mdebray/tvl-depot";
-    rev = "920b7118d5b0917e426367107f7b7b66089a8d7b";
+    rev = "3389c550b92d8b631f75e5a77e244fe698e4b4b2";
     hash = tvix-hash;
   };
   protos = runCommand "tvix-protos" { } ''
@@ -25,8 +25,8 @@ rustPlatform.buildRustPackage rec {
 
   src = fetchgit {
     url = "https://git.lix.systems/sinavir/multitenant-tvix-binary-cache.git";
-    rev = "0d7d4cf66242facecba485b1085e285e8d46c038";
+    rev = "0d4c5ca8f75e156f9485fc085e93e85260e2e843";
-    hash = "sha256-IU3OS3ePJeBNiY8HbhoYW5b03Nq8BJ4AWe+bGv4dAuw=";
+    hash = "sha256-OmXud+MhF2M02ofqDOnmazf190vu91i6RZ2y0NdA8oU=";
   };
 
   PROTO_ROOT = protos;
@@ -36,6 +36,7 @@ rustPlatform.buildRustPackage rec {
   cargoLock = {
     lockFile = ./Cargo.lock;
     outputHashes = {
+      "bigtable_rs-0.2.10" = "sha256-2NC3rHbS2rdD0Rnovymn1xaR22KaR6yzWr298wOPxlY=";
       "nar-bridge-0.1.0" = tvix-hash;
     };
   };

machines/storage01/tvix-cache/pubkeys/infra

@@ -1 +0,0 @@
-infra.tvix-store.dgnum.eu-1:8CAY64o3rKjyw2uA5mzr/aTzstnc+Uj4g8OC6ClG1m8=

machines/vault01/networking.nix

@@ -238,7 +238,11 @@ in
         content = ''
           chain postrouting {
             type nat hook postrouting priority 100;
-            ip saddr 10.0.0.0/16 ether saddr 5c:64:8e:f4:09:06 snat ip to 129.199.195.130-129.199.195.158
+            ip saddr 10.0.0.0/16 ip saddr != 10.0.255.0/24 snat ip to 129.199.195.130-129.199.195.158
+            ether saddr e0:2b:e9:b5:b4:cc snat to 129.199.195.130 comment "Elias"
+            ether saddr { 1c:f8:d0:68:03:9f, e6:ce:e2:b6:e3:82 } snat to 129.199.195.131 comment "Lubin"
+            ether saddr d0:49:7c:46:f6:39 snat to 129.199.195.132 comment "Jean-Marc"
+            ether saddr { 5c:64:8e:f4:09:06 } snat to 129.199.195.158 comment "APs"
           }
         '';
       };

machines/web01/redirections.nix

@@ -14,7 +14,7 @@ in
   dgn-redirections = {
     inherit retiredHost;
 
-    redirections = {
+    permanent = {
       "calendrier.eleves.ens.fr" = "calendrier.dgnum.eu";
       "docs.beta.rz.ens.wtf" = "pads.dgnum.eu";
       "git.rz.ens.wtf" = "git.dgnum.eu";
@@ -32,6 +32,10 @@ in
       "www.lanuit.ens.fr" = "lanuit.ens.fr";
     };
 
+    temporary = {
+      "pub.dgnum.eu".to = "https://www.instagram.com/dgnum_eu/";
+    };
+
     retired = mkSubs {
       "ens.fr" = [
         "alevins"

machines/web01/static/npins/sources.json

@@ -33,17 +33,6 @@
       "url": null,
       "hash": "05cdz26n8r8cihmcn772dwb05krzzxyyhqv5rasw4yd2s1dzsmwx"
     },
-    "lanuit.ens.fr": {
-      "type": "Git",
-      "repository": {
-        "type": "Git",
-        "url": "https://git.dgnum.eu/DGNum/lanuit.ens.fr.git"
-      },
-      "branch": "main",
-      "revision": "f4dc07090fbd74970929b2cf411c74b090618c8f",
-      "url": null,
-      "hash": "0hpym1r8d8hgp4g7p6lk26fgcv9ia6993z91as1gfjs9ff3wgk0a"
-    },
     "qda.ens.fr": {
       "type": "Git",
       "repository": {
@@ -90,4 +79,4 @@
     }
   },
   "version": 3
-}
+}

machines/web02/cas-eleves/01-pytest-cas.patch

@@ -1,4 +1,14 @@
-diff --git a/cas_server/tests/test_federate.py b/cas_server/tests/test_federate.py
+diff --git a/setup.py b/setup.py
+index 7c7b02d..3f677ff 100644
+--- a/setup.py
++++ b/setup.py
+@@ -67,6 +67,4 @@ if __name__ == '__main__':
+         url="https://github.com/nitmir/django-cas-server",
+         download_url="https://github.com/nitmir/django-cas-server/releases/latest",
+         zip_safe=False,
+-        setup_requires=['pytest-runner'],
+-        tests_require=['pytest', 'pytest-django', 'pytest-pythonpath', 'pytest-warnings', 'mock>=1'],
+     )
 index 2b389d3..dcdfafd 100644
 --- a/cas_server/tests/test_federate.py
 +++ b/cas_server/tests/test_federate.py

machines/web02/cas-eleves/default.nix

@@ -126,7 +126,7 @@ in
     };
   };
 
-  dgn-redirections.redirections."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
+  dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
 
   services = {
     postgresql = {

meta/dns.nix

@@ -67,6 +67,10 @@ let
           "sso" # Kanidm
           "support" # Zammad support
           "telegraf" # Telegraf
+
+          # DGSI
+          "dgsi"
+          "profil"
         ];
 
         storage01.dual = [
@@ -99,6 +103,7 @@ let
           "netbox" # Netbox
           "podcasts" # Castopod
           "push" # Ntfy.sh
+          "pub" # Url de promotion (qrcodes etc...)
 
           # Static websites
           "eleves"

meta/network.nix

@@ -29,6 +29,29 @@
     netbirdIp = "100.80.75.197";
   };
 
+  krz01 = {
+    interfaces = {
+      eno1 = {
+        ipv4 = [
+          {
+            address = "129.199.146.21";
+            prefixLength = 24;
+          }
+          {
+            address = "192.168.1.145";
+            prefixLength = 24;
+          }
+        ];
+
+        gateways = [ "129.199.146.254" ];
+        enableDefaultDNS = true;
+      };
+    };
+
+    hostId = "bd11e8fc";
+    netbirdIp = "100.80.103.206";
+  };
+
   geo01 = {
     interfaces = {
       eno1 = {

meta/nodes.nix

@@ -30,7 +30,7 @@
       targetHost = "fd26:baf9:d250:8000::ffff";
       sshOptions = [
         "-J"
-        "vault01.hyp01.infra.dgnum.eu"
+        "root@vault01.hyp01.infra.dgnum.eu"
       ];
     };
   };
@@ -70,6 +70,13 @@
     nixpkgs = "24.05";
   };
 
+  krz01 = {
+    site = "pav01";
+
+    stateVersion = "24.05";
+    nixpkgs = "24.05";
+  };
+
   storage01 = {
     site = "pav01";
     stateVersion = "23.11";

meta/verify.nix

@@ -4,7 +4,7 @@ let
   sources = import ../npins;
   pkgs = import sources.nixpkgs { };
 
-  dns = import sources."dns.nix";
+  dns = import sources."dns.nix" { inherit pkgs; };
 
   lib = import sources.nix-lib {
     inherit (pkgs) lib;
@@ -28,7 +28,7 @@ in
     else
       pkgs.writers.writeJSON "meta.json" config;
 
-  dns = dns.util.${builtins.currentSystem}.writeZone "dgnum.eu" (
+  dns = dns.util.writeZone "dgnum.eu" (
     pkgs.lib.recursiveUpdate { SOA.serial = 0; } (import ./dns.nix { inherit dns lib; })
   );
 }

modules/default.nix

@@ -46,6 +46,7 @@
       "dgn-acme"
       "dgn-backups"
       "dgn-console"
+      "dgn-chatops"
       "dgn-firewall"
       "dgn-hardware"
       "dgn-netbox-agent"
@@ -60,8 +61,8 @@
     ])
     ++ [
       "${sources.agenix}/modules/age.nix"
-      "${sources.attic}/nixos/atticd.nix"
       "${sources.arkheon}/module.nix"
+      "${sources."microvm.nix"}/nixos-modules/host"
     ]
     ++ ((import sources.nix-modules { inherit lib; }).importModules (
       [

modules/dgn-chatops/.envrc

@@ -0,0 +1 @@
+use nix

modules/dgn-chatops/default.nix

@@ -0,0 +1,75 @@
+#  Copyright :
+#  - Ryan Lahfa <ryan.lahfa@dgnum.eu>         2024
+#
+#  Ce logiciel est un programme informatique servant à déployer des
+#  configurations de serveurs via NixOS.
+#
+#  Ce logiciel est régi par la licence CeCILL soumise au droit français et
+#  respectant les principes de diffusion des logiciels libres. Vous pouvez
+#  utiliser, modifier et/ou redistribuer ce programme sous les conditions
+#  de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
+#  sur le site "http://www.cecill.info".
+#
+#  En contrepartie de l'accessibilité au code source et des droits de copie,
+#  de modification et de redistribution accordés par cette licence, il n'est
+#  offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
+#  seule une responsabilité restreinte pèse sur l'auteur du programme, le
+#  titulaire des droits patrimoniaux et les concédants successifs.
+#
+#  A cet égard l'attention de l'utilisateur est attirée sur les risques
+#  associés au chargement, à l'utilisation, à la modification et/ou au
+#  développement et à la reproduction du logiciel par l'utilisateur étant
+#  donné sa spécificité de logiciel libre, qui peut le rendre complexe à
+#  manipuler et qui le réserve donc à des développeurs et des professionnels
+#  avertis possédant des connaissances informatiques approfondies. Les
+#  utilisateurs sont donc invités à charger et tester l'adéquation du
+#  logiciel à leurs besoins dans des conditions permettant d'assurer la
+#  sécurité de leurs systèmes et ou de leurs données et, plus généralement,
+#  à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
+#
+#  Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
+#  pris connaissance de la licence CeCILL, et que vous en avez accepté les
+#  termes.
+
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.dgn-chatops;
+  inherit (lib) mkEnableOption mkIf;
+  python3 = pkgs.python311;
+  python3Pkgs = python3.pkgs;
+  ircrobots = python3Pkgs.callPackage ./ircrobots.nix { };
+  tortoise-orm = python3Pkgs.callPackage ./tortoise-orm.nix { };
+  ps = python3Pkgs.makePythonPath [
+    ircrobots
+    tortoise-orm
+    python3Pkgs.aiohttp
+  ];
+in
+{
+  options.dgn-chatops = {
+    enable = mkEnableOption "the ChatOps layer";
+  };
+
+  # Our ChatOps bot.
+  config = mkIf cfg.enable {
+    systemd.services.irc-takumi = {
+      description = "DGNum IRC automation bot, Takumi";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      environment = {
+        PYTHONPATH = ps;
+      };
+      serviceConfig = {
+        RuntimeDirectory = "takumi";
+        StateDirectory = "takumi";
+        DynamicUser = true;
+        ExecStart = "${lib.getExe python3} ${./takumi.py}";
+      };
+    };
+  };
+}

modules/dgn-chatops/ircrobots.nix

@@ -0,0 +1,56 @@
+{
+  lib,
+  buildPythonPackage,
+  fetchFromGitea,
+  pythonOlder,
+  anyio,
+  asyncio-rlock,
+  asyncio-throttle,
+  ircstates,
+  async-stagger,
+  async-timeout,
+  python,
+}:
+
+buildPythonPackage rec {
+  pname = "ircrobots";
+  version = "0.7.0";
+  format = "setuptools";
+  disabled = pythonOlder "3.7";
+
+  src = fetchFromGitea {
+    domain = "git.dgnum.eu";
+    owner = "DGNum";
+    repo = pname;
+    # No tag yet :(.
+    rev = "63aa84b40450bd534fc232eee10e8088028c9f6d";
+    hash = "sha256-gXiPy6wjPEtc9v0cG0lb2QVXDlU5Q8ncxJO0lBm2RSE=";
+  };
+
+  postPatch = ''
+    # too specific pins https://github.com/jesopo/ircrobots/issues/3
+    sed -iE 's/anyio.*/anyio/' requirements.txt
+  '';
+
+  propagatedBuildInputs = [
+    anyio
+    asyncio-rlock
+    asyncio-throttle
+    ircstates
+    async-stagger
+    async-timeout
+  ];
+
+  checkPhase = ''
+    ${python.interpreter} -m unittest test
+  '';
+
+  pythonImportsCheck = [ "ircrobots" ];
+
+  meta = with lib; {
+    description = "Asynchronous bare-bones IRC bot framework for python3";
+    license = licenses.mit;
+    homepage = "https://github.com/jesopo/ircrobots";
+    maintainers = with maintainers; [ hexa ];
+  };
+}

modules/dgn-chatops/pypika-tortoise.nix

@@ -0,0 +1,31 @@
+{
+  lib,
+  buildPythonPackage,
+  fetchFromGitHub,
+  poetry-core,
+}:
+
+buildPythonPackage rec {
+  pname = "pypika-tortoise";
+  version = "0.1.6";
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "tortoise";
+    repo = "pypika-tortoise";
+    rev = "v${version}";
+    hash = "sha256-xx5FUMHh6413fsvwrEA+Q0tBmJWy00h5O6YijvrJyCE=";
+  };
+
+  build-system = [ poetry-core ];
+
+  pythonImportsCheck = [ "pypika" ];
+
+  meta = {
+    description = "";
+    homepage = "https://github.com/tortoise/pypika-tortoise";
+    changelog = "https://github.com/tortoise/pypika-tortoise/blob/${src.rev}/CHANGELOG.md";
+    license = lib.licenses.asl20;
+    maintainers = with lib.maintainers; [ raitobezarius ];
+  };
+}

modules/dgn-chatops/pyproject.toml

@@ -0,0 +1,20 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "takumi"
+version = "1.1.0"
+authors = [
+  { name = "Ryan Lahfa", email = "ryan@dgnum.eu" },
+]
+description = "Fully automatic day-to-day operations at DGNum"
+requires-python = ">=3.11"
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "Operating System :: OS Independent",
+]
+
+[project.urls]
+Homepage = "https://git.dgnum.eu/DGNum/infrastructure"
+Issues = "https://git.dgnum.eu/DGNum/infrastructure/issues"

modules/dgn-chatops/shell.nix

@@ -0,0 +1,29 @@
+{
+  pkgs ? import <nixpkgs> { },
+  python3 ? pkgs.python3,
+}:
+let
+  takumi = python3.pkgs.buildPythonPackage rec {
+    pname = "takumi";
+    version = "1.1.0";
+    pyproject = true;
+
+    src = ./.;
+
+    build-system = [ python3.pkgs.hatchling ];
+
+    dependencies = [
+      (python3.pkgs.callPackage ./ircrobots.nix { })
+      (python3.pkgs.callPackage ./tortoise-orm.nix { })
+      python3.pkgs.aiohttp
+    ];
+
+    postInstall = ''
+      mkdir -p $out/bin
+      cp -v takumi.py $out/bin/takumi.py
+      chmod +x $out/bin/takumi.py
+      wrapProgram $out/bin/takumi.py --prefix PYTHONPATH : "$PYTHONPATH"
+    '';
+  };
+in
+pkgs.mkShell { packages = [ takumi ]; }

modules/dgn-chatops/takumi.py

@@ -0,0 +1,121 @@
+#!/usr/bin/env python3
+import asyncio
+
+from irctokens.line import build, Line
+from ircrobots.bot import Bot as BaseBot
+from ircrobots.server import Server as BaseServer
+from ircrobots.params import ConnectionParams
+
+import aiohttp
+
+BRIDGE_NICKNAME = "hermes"
+
+SERVERS = [
+    ("dgnum", "irc.dgnum.eu")
+]
+
+TEAMS = {
+    "fai": ("tomate", "elias", "JeMaGius", "Luj", "catvayor", "Raito"),
+    "marketing": ("cst1", "elias"),
+    "bureau": ("Raito", "JeMaGius", "Luj", "gdd")
+}
+
+# times format is 0700-29092024
+TRIGGER = '!'
+async def create_meet(title: str, times: list[str], timezone: str = "UTC") -> str:
+    async with aiohttp.ClientSession() as session:
+        payload = {
+            'name': title,
+            'times': times,
+            'timezone': timezone
+        }
+        async with session.post('https://api.meet.dgnum.eu/event', json=payload) as response:
+            response.raise_for_status()
+            id = (await response.json()).get('id')
+            if not id:
+                raise RuntimeError('No ID attributed to a meet')
+            return f'https://meet.dgnum.eu/{id}'
+
+def expand_times(times: list[str]) -> list[str]:
+    expanded = []
+    # TODO: verify the date exist in the calendar
+    # TODO: verify that we don't write any duplicates.
+    for time in times:
+        if '-' not in time:
+            for i in range(7, 20):
+                expanded.append(f'{i:02}00-{time}')
+        else:
+            expanded.append(time)
+    return expanded
+
+def bridge_stripped(possible_command: str, origin_nick: str) -> str | None:
+    if origin_nick.lower() == BRIDGE_NICKNAME:
+        stripped_user = possible_command.split(':')[1].lstrip()
+        return stripped_user if stripped_user.startswith(TRIGGER) else None
+    else:
+        return possible_command if possible_command.startswith(TRIGGER) else None
+
+class Server(BaseServer):
+    def extract_valid_command(self, line: Line) -> str | None:
+        me = self.nickname_lower
+        if line.command == "PRIVMSG" and \
+                self.has_channel(line.params[0]) and \
+                line.hostmask is not None and \
+                self.casefold(line.hostmask.nickname) != me and \
+                self.has_user(line.hostmask.nickname):
+            return bridge_stripped(line.params[1], line.hostmask.nickname)
+
+
+    async def line_read(self, line: Line):
+        print(f"{self.name} < {line.format()}")
+        if line.command == "001":
+            print(f"connected to {self.isupport.network}")
+            await self.send(build("JOIN", ["#dgnum-bridge-test"]))
+
+        # In case `!probe_meet <title> <team> <time_1> <time_2> … <time_N> [<timezone>]`
+        if (command := self.extract_valid_command(line)) is not None:
+            text = command.lstrip(TRIGGER)
+            if text.startswith('probe_meet') or text.startswith('pm'):
+                args = text.split(' ')
+                if len(args) < 4:
+                    await self.send(build("PRIVMSG", [line.params[0], "usage is !probe_meet <title> <team> <time_1> [<time_2> <time_3> … <time_N>] ; time is in [00-hour-]DDMMYYYY format."]))
+                    return
+
+                title, team = args[1], args[2]
+                print(f"creating meet '{title}' for team '{team}'")
+                try:
+                    times = expand_times(args[3:])
+                    link = await create_meet(title, times)
+                    if team not in TEAMS:
+                        await self.send(build("PRIVMSG", [line.params[0], f"team {team} does not exist"]))
+                        return
+
+                    targets = TEAMS[team]
+                    ping_mentions = ', '.join(targets)
+                    await self.send(build("PRIVMSG", [line.params[0], f'{ping_mentions} {link}']))
+                except ValueError as e:
+                    print(e)
+                    await self.send(build("PRIVMSG", [line.params[0], "time format is [00-hour-]DDMMYYYY, hour is optional, by default it's 07:00 to 19:00 in Europe/Paris timezone"]))
+                except aiohttp.ClientError as e:
+                    print(e)
+                    await self.send(build("PRIVMSG", [line.params[0], "failed to create the meet on meet.dgnum.eu, API error, check the logs"]))
+
+
+    async def line_send(self, line: Line):
+        print(f"{self.name} > {line.format()}")
+
+class Bot(BaseBot):
+    def create_server(self, name: str):
+        return Server(self, name)
+
+async def main():
+    bot = Bot()
+    for name, host in SERVERS:
+        # For IPv4-only connections.
+        params = ConnectionParams("Takumi", host, 6698)
+        await bot.add_server(name, params)
+
+    await bot.run()
+
+if __name__ == "__main__":
+    asyncio.run(main())

modules/dgn-chatops/tortoise-orm.nix

@@ -0,0 +1,71 @@
+{
+  lib,
+  buildPythonPackage,
+  fetchFromGitHub,
+  poetry-core,
+  aiosqlite,
+  iso8601,
+  callPackage,
+  pytz,
+  ciso8601,
+  orjson,
+  uvloop,
+  aiomysql,
+  asyncmy,
+  asyncpg,
+  psycopg,
+  pydantic,
+  pythonRelaxDepsHook,
+}:
+
+buildPythonPackage rec {
+  pname = "tortoise-orm";
+  version = "0.21.6";
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "tortoise";
+    repo = "tortoise-orm";
+    rev = version;
+    hash = "sha256-Gu7MSJbPjaGUN6tmHwkmx7Bdy/+V1wZjmTCQrTDDPkw=";
+  };
+
+  buildInputs = [ pythonRelaxDepsHook ];
+
+  pythonRelaxDeps = [
+    "aiosqlite"
+    "iso8601"
+  ];
+
+  build-system = [ poetry-core ];
+
+  dependencies = [
+    aiosqlite
+    iso8601
+    pydantic
+    (callPackage ./pypika-tortoise.nix { })
+    pytz
+  ];
+
+  optional-dependencies = {
+    accel = [
+      ciso8601
+      orjson
+      uvloop
+    ];
+    aiomysql = [ aiomysql ];
+    asyncmy = [ asyncmy ];
+    asyncpg = [ asyncpg ];
+    psycopg = [ psycopg ];
+  };
+
+  pythonImportsCheck = [ "tortoise" ];
+
+  meta = {
+    description = "";
+    homepage = "https://github.com/tortoise/tortoise-orm";
+    changelog = "https://github.com/tortoise/tortoise-orm/blob/${src.rev}/CHANGELOG.rst";
+    license = lib.licenses.asl20;
+    maintainers = with lib.maintainers; [ raitobezarius ];
+  };
+}

modules/dgn-hardware.nix

@@ -43,6 +43,7 @@ in
 
   config = mkIf cfg.enable (mkMerge [
     {
+      microvm.host.enable = lib.mkDefault false;
       hardware.enableRedistributableFirmware = true;
       hardware.cpu.intel.updateMicrocode = true;
 

modules/dgn-records/__arkheon-token_file

@@ -1,44 +1,46 @@
 age-encryption.org/v1
--> ssh-ed25519 jIXfPA FhSZKBAccqBqfeayNqY3fhYSi+0NMxsxS3WsdvuVu2M
+-> ssh-ed25519 jIXfPA sHMGZvBA3KQ+vgyPRvthm7RrZv+cpA8rVaLMG11tWzc
-xT37RUaShiHdPBUnjWntSY43LqXsR8Pgz5kUZ/mgz2w
+wb74jb8YFbu4hTaKECNpaCV5besptdBoXXstKd+eLTI
--> ssh-ed25519 QlRB9Q xwok3cJ6SlGxlGi/UesKHVf+O4q9mn7btLweXJzeknI
+-> ssh-ed25519 QlRB9Q RILFFiLngUvfSPOmw6ZLmFLVyIIQqzib7LTV8hZP/w4
-LrigakDhwhHCHEaJ0eQx6TIke9vYLqXwwaUjusWOvSk
+na6S3iWEs3cxff30X59wD0SUNEP0/9LcuCyCUi7wgxg
--> ssh-ed25519 r+nK/Q DS8/iUfczVGxB/Hl6EkweNAGSM0ZhWqrFy4xn82QNH8
+-> ssh-ed25519 r+nK/Q Mtrr3NKJG1MBw150IZK1ZTKCglktIK8mV2M7FiLz9EQ
-0Z8KOLZtxh2c0JTeiPbz3ZDF3CYrDs7bmwKjjemTs0o
+zEEJwKeucMsZePFTZF/Cxfcuqn7KiSoBmBnNVKX1jAY
 -> ssh-rsa krWCLQ
-CDqVAHHD/1keQdgJZX5/hkiYMpZae1MocI5LjtWWg+QDkw1Bp6bNZLou8Uc2RG0H
+r3OX+AaSGO0zLoEAvAo3UrtWwU/Vjyfdp+qy4haB3tpl305I6Y6O6n2iHnc1PFgw
-xZIB+z1XSXf7iMla5l7RWbW+g61T38QKWoAwvAGFz+XOstBTDY4bWgSv1g6vm+6x
+qQ7Sa0GekbxNcwD7MzAmKbsm9wmnrF2hX03gFDI5isEPxaLC6ha207Ykauc2q1JC
-XuQLxCkj4cmy3dUsvaiiQXsstuMGOWSUbp2OQWfErzoVegHVCr/XKSAI1vMwQOWN
+/SOZ/OUiizBUuO5OjywYz2AJUfEabmd+X1fw5QxAPSfp57KBZDJCGSpEDeJigU7M
-9tJUJCKEo2DTr5OmIL7kSWguVZYy77ta7JxmGbPrNQ7LJuRoZkUgX4V37SFgDKN4
+1n1XsT6eCyNDIIozRzIIyxLZU+tDDswjvjCaDJ/t2BE76LienwMRZK4P4tSn8DQP
-QgpupxXP/3oDhDSzZYbS6Fw+b7U01BwPyziY1kOYztv2qSoBJFMVtZS3oJEu4ChU
+Jbm7bb5T2P1VAK4qIMP04DXQ861Kr2DvpLA/aPtHd9yMcZn5wQWMCVDgsL3ko0fU
-7MRHaN15cGZRsC5zIQAg9w
+VThQwBW4qe59CCxA68TUcQ
--> ssh-ed25519 /vwQcQ ZPWBCoQ7imVFfTkUYrp4NGRnz3vskNtMgbV41F1s8BE
+-> ssh-ed25519 /vwQcQ KYM+4CPxNwxwh3liBBJYIqlWzpDO3h/dl54rEKQXGHU
-oTrgDNisd8Sqmxo0ZDpVSO5iURWNLrIlKABjys+gHhw
+uteNJEqwLKUC3Gjm0BiRmb3uLb3bzRfpf3c1Da3vGjY
--> ssh-ed25519 0R97PA CgUUW9m8+M1rpsCPAPyRC8VKvilDKMA8VkDqqDfbpAs
+-> ssh-ed25519 0R97PA Sc9QAI4UNY6x0fZAoQOpUjzFzwev196x+7fjeIry3AU
-qJ/pa3VLh6650lDN5YPyYtxsDYMiRyTtK1yu+JeF3ww
+puUi8W0jCbMW3cN7PjoDM+vXnHjdQ2RLfX0kdpsaWhI
--> ssh-ed25519 JGx7Ng r8OMU9Grvd8yxzzUzeEH4iCPp8NBHVcQKQe13AJOKjE
+-> ssh-ed25519 JGx7Ng LzO5qvnVWhF3+cR4J3nJv9IB55/FYKillkJ2jKadfQA
-eYC+/VMsoetiVFTGdlAL3xDDe6WziBYU4Fr6XN/HlJI
+r3F+FKdpoKTB0/e5Vz5JFh9u8BKBOjn9XXE4dJEriuw
--> ssh-ed25519 5SY7Kg 4T4xlrNW8yqI23A3GH7dRDyhbUA62ldS2/R7YCsHz0U
+-> ssh-ed25519 5SY7Kg Uz/EgMgi0ACJStIvz06efUQpeU6VAuXVj+Veki0LkXA
-ukewT84UtQcAQNNSNogi3WOjoNeA7p50D1JHJ+39lYs
+ukCkNIQMYbZBCBfd5R5dKWJwOcIKHzS9HN9CNk5iSF4
--> ssh-ed25519 p/Mg4Q EBlu4oYIa4hX5mGExy2xwyHbnDli9xY7MebUOr+hTzw
+-> ssh-ed25519 p/Mg4Q 9+IsF8fUNcQhRxRddI6WQyKP8Ky0HV4jAUvS0ySDDwM
-TqmNgHL1xxyI+i4h3KgskVsWrlYUnuT5MJWcYj2crps
+7WamT/OA2Os6uE/hKzWkfjlwOKQpZ6j+fcgkvsk6wCY
--> ssh-ed25519 DqHxWQ KiCWC6eJOUScSlPNpC2G2FbfD/fQ2b14KHhuw+QKNTI
+-> ssh-ed25519 DqHxWQ WndaDm+ApRfFj+KL5cJgJqwaZXUYrXHpQ6AxDtGb5FY
-Un89T6OXiXWTBZqwdXPvyckxcBIhp2wmC4A5723b/5g
+u5RHgWaY28QfA3jsD54PLR50Jl5KQyVpPv4CFhLPiYI
--> ssh-ed25519 tDqJRg k5YZwwURv21NC/0tt2r3CBuUPDhfO/Y7c3ISVhMGQkA
+-> ssh-ed25519 tDqJRg Wgx7QpoPeendwBsWB+jAN5K+1uhxPsEHMugOPeC+Ono
-sdm+SpychoEekD6JK6Wz2CCcfDpwPD6rlLyB3RJES08
+CRWVWTQB2eCVSKAwIzNNaWefAmniVtF5hu8xYeTGF0Q
--> ssh-ed25519 9pVK7Q 2kUnZCmNsAu90KA+st/ZFnez8rg4zqIZ3AZQsqHW0y8
+-> ssh-ed25519 9pVK7Q kB5gWwwNNcCnjN5+1j7alWzqEgYMDQ3IvA8/0ltfLwo
-YlCXQ5g8vnNboPVHdSKyrdwRNvjwp9VHP+RV2WP7z00
+Tp7n6v/s4swKjOqEDKEKhM8agghKEvaz+zymG+b72f8
--> ssh-ed25519 /BRpBQ w+kqiukijvXdlvKdTfVvNYv6pLTifaZeagzU1VWQLwE
+-> ssh-ed25519 /BRpBQ 6B5ODsRsRx8EIOrzBnAAw1bYsAQMvssSC1xxbAh+bGE
-RKNPvu971viqMHBXpgE9D8L9ievWxIS5ANU8QADqwRY
+Xmhe74XTMwfcGvk620XixhR/6GtOt2fynSMdJ7riZxs
--> ssh-ed25519 +MNHsw m+K/VIApzxBfYxc4/dPod+9TwBBTrtGa/B28QhawAD8
+-> ssh-ed25519 /x+F2Q /idVQW3v18G3e++zLmmcpZTvSW6YTfYKYX0xalx3DTU
-gwJLtE5zIiNtKZ/YdroneSLLuZzvoAXaJYsqPzPkyLc
+ybNKGMgW5ChQU2HXHfM0Od6GWC+HRKDemibhzi+NCA4
--> ssh-ed25519 rHotTw NSgFCgFQxKc7DSrNq/77PAnAKxSG055gutF2aUUDLzA
+-> ssh-ed25519 +MNHsw +5EkjYR0CD0tF3jazvyz6WtzIG+84czuEsGzPmucOVI
-uL3QhQHmtQrrUPllFtVf7QiLIMWkT0EYIokxUVkLMrc
+AqBXlugxP84nJ9jK1dPWWRJAAAzZjKl0RKd1+aXeIJg
--> ssh-ed25519 +mFdtQ otE9brZku3sOSb9IvvTW/eioWDFvMJlsxSUvOcPNwiU
+-> ssh-ed25519 rHotTw IzGcfj5jNooeVt7+iJwnxUfka95NVEtE9dStQUt+gCE
-7vV6u7zLv2EfSz3qmY9Sboj2Z5LBwSTxrl4FWm3mYAs
++lrjFHAgNOxI4JS6tGXcDSnbdn6/qwt2tI2WdVX2tO4
--> ssh-ed25519 0IVRbA kwQNIVhpFtgIlJAAoqk1fqUP9OHN9YGWcYXbT+/bHE0
+-> ssh-ed25519 +mFdtQ AieFjWmv27LvUbZXCBEqmvfTQM7SLXL12qIOzZLxdi8
-gDOPJMeDI2eDx+emxUNSb/MW7IRPj8ni3mOLgZV9F0Y
+s0qzhUO2FDqr/w8B4cbnX8NuXfZM+nv4gj6SF0DreCY
--> ssh-ed25519 IY5FSQ gtGe4X/Vx4oWn0IIUwv6qpWZ250slvT/QMdwVQQrsAQ
+-> ssh-ed25519 0IVRbA +S10pCaLByp+UrfbZXIIhMvUW79NPSSr5qHbm8Q8nxY
-yeJ8+BibBiwq2944ruZdek/4tpAqyMnG0RsyzkXQpRg
+fLU4Shu/luX9gLrJDM8rY+HRpHuuLKJAz0BSiLfXkj8
---- QhDkZSHLpgsvAUk5YhkhD8MNNX6Vlj7CWeQfJ6oEmk0
+-> ssh-ed25519 IY5FSQ FJGXPcN7XjZTl3zc8iLSmc2IfhHx/xqIqnNz7j0dXGg
-|`ŸP!ùá+ôÃg&ói¤;¶šªâlÔNn„Äõ¬¸ç¤ °ü’4´kWó§#èƒ<C3A8><C692>±€w
+D99jvNKh7yzafKB9qzOX6xNjhf3WS4bYBcc91dVX6Ow
+--- USWnD/9XEj6tW0aHMZiVK1Guf43b/8wWcsafnVT0+h4
+RqÏHª,XHs8ÌÛÔtAbAGI<47>áΤÂ,åÖÝ¥¿è:<G=bFb†ÀTGSGäÊÙ	_
˜

modules/dgn-redirections/default.nix

@@ -3,7 +3,13 @@
 let
   inherit (lib) mkOption;
 
-  inherit (lib.types) attrsOf listOf str;
+  inherit (lib.types)
+    attrsOf
+    ints
+    listOf
+    str
+    submodule
+    ;
 
   mkRetired =
     hosts:
@@ -18,19 +24,33 @@ let
       }) hosts
     );
 
-  mkRedirection = _: globalRedirect: {
+  mkPermanent = _: globalRedirect: {
     inherit globalRedirect;
 
     enableACME = true;
     forceSSL = true;
   };
 
+  mkTemporary =
+    _:
+    {
+      to,
+      code,
+      location,
+    }:
+    {
+      enableACME = true;
+      forceSSL = true;
+
+      locations.${location}.return = "${toString code} ${to}";
+    };
+
   cfg = config.dgn-redirections;
 in
 
 {
   options.dgn-redirections = {
-    redirections = mkOption {
+    permanent = mkOption {
       type = attrsOf str;
       default = { };
       description = ''
@@ -40,6 +60,57 @@ in
       '';
     };
 
+    temporary = mkOption {
+      type = attrsOf (submodule {
+        options = {
+          to = mkOption {
+            type = str;
+            description = "Target of the redirection";
+          };
+          code = mkOption {
+            type = ints.between 300 399;
+            default = 302;
+            example = 308;
+            description = ''
+              HTTP status used by the redirection. Possible usecases
+              include temporary (302, 307) redirects, keeping the request method and
+              body (307, 308), or explicitly resetting the method to GET (303).
+              See <https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections>.
+            '';
+          };
+          location = mkOption {
+            type = str;
+            default = "/";
+            description = "nginx-style location for the source of the redirection";
+          };
+        };
+      });
+      default = { };
+      example = {
+        "source.dgnum.eu" = {
+          to = "https://target.dgnum.eu/path_to_page";
+          code = 307;
+          location = "/subpath/";
+        };
+      };
+      description = ''
+        Attribute set of temporary redirections. The attribute is the source
+        domain.
+
+        For:
+        ```
+        {
+          "source.dgnum.eu" = {
+            to = "https://target.dgnum.eu/path_to_page";
+            code = 307;
+          };
+        }
+        ```
+        a 307 redirect from all the urls within the domain `source.dgnum.eu` to
+        `https://target.dgnum.eu/path_to_page` will be made.
+      '';
+    };
+
     retired = mkOption {
       type = listOf str;
       default = [ ];
@@ -59,6 +130,7 @@ in
 
   config = {
     services.nginx.virtualHosts =
-      (builtins.mapAttrs mkRedirection cfg.redirections) // (mkRetired cfg.retired);
+      (builtins.mapAttrs mkPermanent cfg.permanent // builtins.mapAttrs mkTemporary cfg.temporary)
+      // (mkRetired cfg.retired);
   };
 }

npins/sources.json

@@ -27,18 +27,6 @@
       "url": "https://github.com/RaitoBezarius/arkheon/archive/113724a1a206905e68319676f73d095fcc043a42.tar.gz",
       "hash": "0yh8g020d7z67iqpg7xywk4dxxa64dxa1igd45nb8w653c82w6gq"
     },
-    "attic": {
-      "type": "Git",
-      "repository": {
-        "type": "GitHub",
-        "owner": "zhaofengli",
-        "repo": "attic"
-      },
-      "branch": "main",
-      "revision": "aec90814a4ecbc40171d57eeef97c5cab4aaa7b4",
-      "url": "https://github.com/zhaofengli/attic/archive/aec90814a4ecbc40171d57eeef97c5cab4aaa7b4.tar.gz",
-      "hash": "0dmcy9r9vks4xnfa4y68vjf3fgc4dz1ix4df9rykq3lprr3q4mcx"
-    },
     "cas-eleves": {
       "type": "Git",
       "repository": {
@@ -50,6 +38,17 @@
       "url": null,
       "hash": "09z5l5yh4zm0mf9hb3xc18gjk2dgv3l1icywrsxax00y1i1zlvna"
     },
+    "dgsi": {
+      "type": "Git",
+      "repository": {
+        "type": "Git",
+        "url": "https://git.dgnum.eu/DGNum/dgsi.git"
+      },
+      "branch": "main",
+      "revision": "129641cc1fdd657c070c54f3b93aa0cd7c5a5b1d",
+      "url": null,
+      "hash": "0s4bkj7y6iqch8xislxyx7w5rn0xz95rvj9gfwcvm3p7sqj92ldj"
+    },
     "disko": {
       "type": "GitRelease",
       "repository": {
@@ -60,24 +59,25 @@
       "pre_releases": false,
       "version_upper_bound": null,
       "release_prefix": null,
-      "version": "v1.7.0",
+      "version": "v1.8.0",
-      "revision": "e55f9a8678adc02024a4877c2a403e3f6daf24fe",
+      "revision": "624fd86460e482017ed9c3c3c55a3758c06a4e7f",
-      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.7.0",
+      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.8.0",
-      "hash": "16zjxysjhk3sgd8b4x5mvx9ilnq35z3zfpkv1la33sqkr8xh1amn"
+      "hash": "06ifryv6rw25cz8zda4isczajdgrvcl3aqr145p8njxx5jya2d77"
     },
     "dns.nix": {
       "type": "GitRelease",
       "repository": {
-        "type": "Git",
+        "type": "GitHub",
-        "url": "https://git.hubrecht.ovh/hubrecht/dns.nix"
+        "owner": "nix-community",
+        "repo": "dns.nix"
       },
       "pre_releases": false,
       "version_upper_bound": null,
       "release_prefix": null,
-      "version": "v1.2.1",
+      "version": "v1.2.0",
-      "revision": "66979725afe2164491be38ffff78460cc9b0ffd7",
+      "revision": "a3196708a56dee76186a9415c187473b94e6cbae",
-      "url": null,
+      "url": "https://api.github.com/repos/nix-community/dns.nix/tarball/v1.2.0",
-      "hash": "1bashjbh71dqs32yld7ihw2vz0vrad73pc35crf3qck8ssgpzv7d"
+      "hash": "011b6ahj4qcf7jw009qgbf6k5dvjmgls88khwzgjr9kxlgbypb90"
     },
     "git-hooks": {
       "type": "Git",
@@ -87,9 +87,9 @@
         "repo": "git-hooks.nix"
       },
       "branch": "master",
-      "revision": "7570de7b9b504cfe92025dd1be797bf546f66528",
+      "revision": "1211305a5b237771e13fcca0c51e60ad47326a9a",
-      "url": "https://github.com/cachix/git-hooks.nix/archive/7570de7b9b504cfe92025dd1be797bf546f66528.tar.gz",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/1211305a5b237771e13fcca0c51e60ad47326a9a.tar.gz",
-      "hash": "1snjia7d5x7nqz8j6zgj45fb9kvza86yrhgc8bpjn9b0lc1i88xp"
+      "hash": "1qz8d9g7rhwjk4p2x0rx59alsf0dpjrb6kpzs681gi3rjr685ivq"
     },
     "kadenios": {
       "type": "Git",
@@ -144,9 +144,9 @@
         "url": "https://git.lix.systems/lix-project/lix.git"
       },
       "branch": "main",
-      "revision": "cc183fdbc14ce105a5661d646983f791978b9d5c",
+      "revision": "ed9b7f4f84fd60ad8618645cc1bae2d686ff0db6",
       "url": null,
-      "hash": "1bgh8z445yhv0b46yimr2ic33hplm33xj50ivgsbykdf30xks95n"
+      "hash": "05kxga8fs9h4qm0yvp5l7jvsda7hzqs7rvxcn8r52dqg3c80hva9"
     },
     "lix-module": {
       "type": "Git",
@@ -155,9 +155,9 @@
         "url": "https://git.lix.systems/lix-project/nixos-module.git"
       },
       "branch": "main",
-      "revision": "353b25f0b6da5ede15206d416345a2ec4195b5c8",
+      "revision": "fd186f535a4ac7ae35d98c1dd5d79f0a81b7976d",
       "url": null,
-      "hash": "0aq9l1qhz01wm232gskq2mywik98zv2r8qn42bjw3kdb185wf9kl"
+      "hash": "0jxpqaz12lqibg03iv36sa0shfvamn2yhg937llv3kl4csijd34f"
     },
     "lon": {
       "type": "Git",
@@ -178,9 +178,21 @@
         "url": "https://git.dgnum.eu/DGNum/metis"
       },
       "branch": "master",
-      "revision": "23839b284e18fefe642292be8f11fcf501b170b3",
+      "revision": "9eaa1f289751b6b62f700e8e0e0ddbfbaa98c021",
       "url": null,
-      "hash": "0rxamafpfg39wsfz4wnfapl1hiyyzizvjv3d23n1sdmy0yi8kgf1"
+      "hash": "0m9il1lllw59a6l9vwfi1bika7g4pxs20clc48kklpflnk0scb1f"
+    },
+    "microvm.nix": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "RaitoBezarius",
+        "repo": "microvm.nix"
+      },
+      "branch": "main",
+      "revision": "49899c9a4fdf75320785e79709bf1608c34caeb8",
+      "url": "https://github.com/RaitoBezarius/microvm.nix/archive/49899c9a4fdf75320785e79709bf1608c34caeb8.tar.gz",
+      "hash": "0sz6azdpiz4bd36x23bcdhx6mwyqj8zl5cczjgv48xqfmysy8zwy"
     },
     "nix-lib": {
       "type": "GitRelease",
@@ -203,9 +215,9 @@
         "url": "https://git.hubrecht.ovh/hubrecht/nix-modules.git"
       },
       "branch": "main",
-      "revision": "32e76ee64352587663766e1a3945a6fe0917e35d",
+      "revision": "2fd7c7810b2a901020ddd2d0cc82810b83a313fc",
       "url": null,
-      "hash": "16vnpnby6s174y4nzb26z2pc49ba7lw7vpf6r7p4dqci92b0yg5j"
+      "hash": "0rag870ll745r5isnk6hlxv0b0sbgriba5k6nihahcwsal2f4830"
     },
     "nix-patches": {
       "type": "GitRelease",
@@ -228,9 +240,9 @@
         "url": "https://git.hubrecht.ovh/hubrecht/nix-pkgs"
       },
       "branch": "main",
-      "revision": "c3257569375903f94ad1af9fe8b77186bd824332",
+      "revision": "3e731378f3984313ef902c5e5a49e002e6e2c27e",
       "url": null,
-      "hash": "01kmivbk0ji5n7fifydq0wvlv34v1ima66r6icxrfykshh635w4p"
+      "hash": "1vy2dj9fyy653w6idvi1r73s0nd2a332a1xkppddjip6rk0i030p"
     },
     "nixos-23.11": {
       "type": "Channel",
@@ -241,8 +253,8 @@
     "nixos-24.05": {
       "type": "Channel",
       "name": "nixos-24.05",
-      "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.4798.f4c846aee8e1/nixexprs.tar.xz",
+      "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.5518.ecbc1ca8ffd6/nixexprs.tar.xz",
-      "hash": "0i08jxfa55ifpdmcwg2isgszprxaikjalinmcqjfzk336hzvh7if"
+      "hash": "1yr2v17d8jg9567rvadv62bpr6i47fp73by2454yjxh1m9ric2cm"
     },
     "nixos-generators": {
       "type": "Git",
@@ -252,21 +264,33 @@
         "repo": "nixos-generators"
       },
       "branch": "master",
-      "revision": "214efbd73241d72a8f48b8b9a73bb54895cd51a7",
+      "revision": "9ae128172f823956e54947fe471bc6dfa670ecb4",
-      "url": "https://github.com/nix-community/nixos-generators/archive/214efbd73241d72a8f48b8b9a73bb54895cd51a7.tar.gz",
+      "url": "https://github.com/nix-community/nixos-generators/archive/9ae128172f823956e54947fe471bc6dfa670ecb4.tar.gz",
-      "hash": "00cavr7wlaa6mc16245gn5d5bq7y67fg7l4bgkx3q5109jay1837"
+      "hash": "1zn3lykymimzh21q4fixw6ql42n8j82dqwm5axifhcnl8dsdgrvr"
     },
     "nixos-unstable": {
       "type": "Channel",
       "name": "nixos-unstable",
-      "url": "https://releases.nixos.org/nixos/unstable/nixos-24.11pre677397.574d1eac1c20/nixexprs.tar.xz",
+      "url": "https://releases.nixos.org/nixos/unstable/nixos-24.11pre688563.bc947f541ae5/nixexprs.tar.xz",
-      "hash": "0j66kv4xq4csa5hwizlab5a7j47hd44182xvz541ll3cdfd5a7gx"
+      "hash": "1jsaxwi128fiach3dj8rdj5agqivsr4sidb8lmdnl7g07fl9x0kj"
     },
     "nixpkgs": {
       "type": "Channel",
       "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre678893.5775c2583f18/nixexprs.tar.xz",
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre689466.7d49afd36b55/nixexprs.tar.xz",
-      "hash": "09r3fc2xk4nxzhmkn7wvk99i8qibrhh6lhd3mz6iz64imj1k5r9r"
+      "hash": "0r4zb6j8in4dk7gxciapfm49dqbdd0c7ajjzj9iy2xrrj5aj32qp"
+    },
+    "proxmox-nixos": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "SaumonNet",
+        "repo": "proxmox-nixos"
+      },
+      "branch": "main",
+      "revision": "7869ffc2e0db36f314fb60f1ab0087b760700b00",
+      "url": "https://github.com/SaumonNet/proxmox-nixos/archive/7869ffc2e0db36f314fb60f1ab0087b760700b00.tar.gz",
+      "hash": "0cam36s3ar366y41rvihjqghkdjl9a1n1wzym8p2mkar1r9x7haj"
     },
     "signal-irc-bridge": {
       "type": "Git",
@@ -275,9 +299,9 @@
         "url": "https://git.dgnum.eu/mdebray/signal-irc-bridge"
       },
       "branch": "master",
-      "revision": "688a5c324e032f7716aa69fb7097971fa26bed1d",
+      "revision": "9123e6fbe5cdc2d2ae16579d989d45398232f74c",
       "url": null,
-      "hash": "153mb2m3ap3v3y1inygqic551vawz1i08pbx2v1viaind3nd2l6m"
+      "hash": "15p61k0ylri7bbqz4vsy8rmhy62va4yd8cjiwm4lb0gvgbcbkdr2"
     },
     "stateless-uptime-kuma": {
       "type": "Git",
@@ -286,9 +310,9 @@
         "url": "https://git.dgnum.eu/mdebray/stateless-uptime-kuma"
       },
       "branch": "master",
-      "revision": "c6baf60295e4bee4e4c13cf5c628ccd3ab89b141",
+      "revision": "390363e6a977d71a96c53d7f8b252038dfee2e2e",
       "url": null,
-      "hash": "1ivkvvq4jz5kh873jppypnhzm3vb8gdrvia7zsy67p6wnvzvhxkv"
+      "hash": "11vvfxw2sznc155x0xlgl00g6n9sr90xa0b1hr14vchg7gkz46r5"
     },
     "wp4nix": {
       "type": "Git",
@@ -298,9 +322,9 @@
         "server": "https://git.helsinki.tools/"
       },
       "branch": "master",
-      "revision": "a1c485d16f0df1f55634787b63961846288b3d31",
+      "revision": "4c47608f349dd45e4895e1f61f19ad9e8dfcc0bf",
-      "url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=a1c485d16f0df1f55634787b63961846288b3d31",
+      "url": "https://git.helsinki.tools/api/v4/projects/helsinki-systems%2Fwp4nix/repository/archive.tar.gz?sha=4c47608f349dd45e4895e1f61f19ad9e8dfcc0bf",
-      "hash": "09xmhv821x2w704lbg43ayr83ycb0rvqfh6fq0c9l4x9v23wv9cw"
+      "hash": "1pnjhbljihf2ras9lbp1f6izzxghccfygkkf2ikkahjr1vbicdbq"
     }
   },
   "version": 3

scripts/cache.sh

@@ -1,12 +0,0 @@
-ENDPOINT=${ATTIC_ENDPOINT:-https://cachix.dgnum.eu}
-
-if [ "$1" == "off" ]; then
-	echo "Please edit $XDG_CONFIG_HOME/nix/nix.conf to remove the cache"
-elif [ "$1" == "on" ]; then
-	@attic@/bin/attic login dgnum "$ENDPOINT"
-	@attic@/bin/attic use dgnum:infra
-else
-	echo "Help:"
-	echo "  cache {on|off}"
-fi
-

scripts/default.nix

@@ -10,7 +10,6 @@ let
       git
       jq
       ;
-    attic = pkgs.attic-client;
   };
 
   mkShellScript =
@@ -33,9 +32,7 @@ let
     "check-deployment"
     "launch-vm"
     "list-nodes"
-    "push-to-cache"
     "push-to-nix-cache"
-    "cache"
   ];
 in
 

scripts/push-to-cache.sh

@@ -1,13 +0,0 @@
-set -e
-set -u
-set -o pipefail
-
-ENDPOINT=${ATTIC_ENDPOINT:-https://cachix.dgnum.eu}
-
-@attic@/bin/attic login dgnum "$ENDPOINT" "$ATTIC_TOKEN"
-
-@colmena@/bin/colmena eval -E '{ nodes, lib, ... }: lib.mapAttrsToList (_: v: v.config.system.build.toplevel.drvPath) nodes' |\
-@jq@/bin/jq -r '.[]' |\
-xargs -n 10 nix-store -q -R --include-outputs |\
-sed '/\.drv$/d' |\
-xargs @attic@/bin/attic push dgnum:infra