fix(web01): www.lanuit.ens.fr redirection is not used anymore

fix(web03): Use a different domain for webhooks endpoint
feat(meta/dns): Add private subdomain linking to the netbird ips
2024-11-04 20:07:33 +01:00 · 2024-10-31 10:58:07 +01:00 · 2024-10-31 10:58:07 +01:00 · 2024-10-30 23:21:36 +01:00 · 2024-10-24 00:27:15 +02:00 · 2024-10-23 23:40:21 +02:00
234 changed files with 12004 additions and 3090 deletions
--- a/.forgejo/workflows/check-meta.yaml
+++ b/.forgejo/workflows/check-meta.yaml
@ -1,5 +1,8 @@
 name: Check meta
 on:
+  pull_request:
+    branches:
+      - main
  push:
    paths:
      - 'meta/*'
--- a/.forgejo/workflows/ds-fr.yaml
+++ b/.forgejo/workflows/ds-fr.yaml
@ -1,8 +1,7 @@
 name: ds-fr update
 on:
  schedule:
-    # Run at 8 o'clock every day
-    - cron: "26 18 * * *"
+    - cron: "26 18 * * wed"

 jobs:
  npins_update:
--- a/.forgejo/workflows/eval.yaml
+++ b/.forgejo/workflows/eval.yaml
@ -9,62 +9,192 @@ on:
      - main

 jobs:
-  build_compute01:
+  build_and_cache_compute01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3

-      - name: Build compute01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on compute01'
+      - name: Build and cache the node
+        run: nix-shell --run cache-node
+        env:
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
+          STORE_USER: "admin"
+          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+          BUILD_NODE: "compute01"

-  build_storage01:
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: outputs_compute01
+          path: paths.txt
+
+  build_and_cache_storage01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3

-      - name: Build storage01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on storage01'
+      - name: Build and cache the node
+        run: nix-shell --run cache-node
+        env:
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
+          STORE_USER: "admin"
+          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+          BUILD_NODE: "storage01"

-  build_vault01:
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: outputs_storage01
+          path: paths.txt
+
+  build_and_cache_rescue01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3

-      - name: Build vault01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on vault01'
+      - name: Build and cache the node
+        run: nix-shell --run cache-node
+        env:
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
+          STORE_USER: "admin"
+          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+          BUILD_NODE: "rescue01"

-  build_web01:
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: outputs_rescue01
+          path: paths.txt
+
+  build_and_cache_geo01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3

-      - name: Build web01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on web01'
+      - name: Build and cache the node
+        run: nix-shell --run cache-node
+        env:
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
+          STORE_USER: "admin"
+          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+          BUILD_NODE: "geo01"

-  build_web02:
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: outputs_geo01
+          path: paths.txt
+
+  build_and_cache_geo02:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3

-      - name: Build web02
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on web02'
+      - name: Build and cache the node
+        run: nix-shell --run cache-node
+        env:
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
+          STORE_USER: "admin"
+          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+          BUILD_NODE: "geo02"

-  build_rescue01:
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: outputs_geo02
+          path: paths.txt
+
+  build_and_cache_vault01:
    runs-on: nix
    steps:
      - uses: actions/checkout@v3

-      - name: Build rescue01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on rescue01'
+      - name: Build and cache the node
+        run: nix-shell --run cache-node
+        env:
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
+          STORE_USER: "admin"
+          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+          BUILD_NODE: "vault01"
+
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: outputs_vault01
+          path: paths.txt
+
+  build_and_cache_web01:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Build and cache the node
+        run: nix-shell --run cache-node
+        env:
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
+          STORE_USER: "admin"
+          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+          BUILD_NODE: "web01"
+
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: outputs_web01
+          path: paths.txt
+
+  build_and_cache_web02:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Build and cache the node
+        run: nix-shell --run cache-node
+        env:
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
+          STORE_USER: "admin"
+          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+          BUILD_NODE: "web02"
+
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: outputs_web02
+          path: paths.txt
+
+  build_and_cache_web03:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Build and cache the node
+        run: nix-shell --run cache-node
+        env:
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
+          STORE_USER: "admin"
+          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+          BUILD_NODE: "web03"
+
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: outputs_web02
+          path: paths.txt
+
+  build_and_cache_bridge01:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Build and cache the node
+        run: nix-shell --run cache-node
+        env:
+          STORE_ENDPOINT: "https://tvix-store.dgnum.eu/infra-signing/"
+          STORE_USER: "admin"
+          STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+          BUILD_NODE: "bridge01"
+
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: outputs_web02
+          path: paths.txt
--- a/.forgejo/workflows/lint.yaml
+++ b/.forgejo/workflows/lint.yaml
@ -1,5 +1,5 @@
 name: lint
-on: push
+on: [push, pull_request]

 jobs:
  check:
@ -8,4 +8,4 @@ jobs:
      - uses: actions/checkout@v3

      - name: Run pre-commit on all files
-        run: nix-shell --run 'pre-commit run --all-files --show-diff-on-failure' -A shells.pre-commit ./.
+        run: nix-shell --run 'pre-commit run --all-files --hook-stage pre-push --show-diff-on-failure' -A shells.pre-commit ./.
--- a/README.md
+++ b/README.md
@ -3,6 +3,115 @@
 The dgnum infrastructure.

 # Contributing
-Some instruction on how to contribute are available (in french) in [/CONTRIBUTING.md](CONTRIBUTING.md). You're expected to read this document before commiting to the repo.
+
+Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.md](CONTRIBUTE.md).
+You're expected to read this document before commiting to the repo.

 Some documentation for the development tools are provided in the aforementioned file.
+
+# Using the binary cache
+
+Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
+```
+{ lib, ... }:
+let
+  dgnum-infra = PINNED_PATH_TO_INFRA;
+in {
+  nix.settings = (import dgnum-infra { }).mkCacheSettings {
+    caches = [ "infra" ];
+  };
+}
+```
+
+
+# Adding a new machine
+
+The first step is to create a minimal viable NixOS host, using tha means necessary.
+The second step is to find a name for this host, it must be unique from the other hosts.
+
+> [!TIP]
+> For the rest of this part, we assume that the host is named `host02`
+
+## Download the keys
+
+The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.
+
+It can be retreived with :
+
+```bash
+ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
+```
+
+## Initialize the machine folder and configuration
+
+- Create a folder `host02` under `machines/`
+- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
+- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
+
+```nix
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+  ];
+
+  enabledServices = [
+    # List of services to enable
+  ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}
+```
+
+## Fill in the metadata
+
+### Network configuration
+
+The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
+
+```bash
+head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
+```
+
+### Other details
+
+The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
+
+- `site`, where the node is physically located
+- `stateVersion`
+- `nixpkgs`, the nixpkgs version to use
+
+## Initialize secrets
+
+Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
+
+```nix
+(import ../../../keys).mkSecrets [ "host02" ] [
+  # List of secrets for host02
+]
+```
+
+This will be used for future secret management.
+
+## Update encrypted files
+
+Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
+
+```bash
+agenix -r
+```
+
+## Commit and create a PR
+
+Once all of this is done, check that the configuration builds correctly :
+
+```bash
+colmena build --on host02
+```
+
+Apply it, and create a Pull Request.
--- a/default.nix
+++ b/default.nix
@ -34,26 +34,36 @@
  termes.
 */

-let
-  sources = import ./npins;
-  pkgs = import sources.nixpkgs { };
+{
+  sources ? import ./npins,
+  pkgs ? import sources.nixpkgs { },
+  nix-pkgs ? import sources.nix-pkgs { inherit pkgs; },
+}:

-  pre-commit-check = (import sources.pre-commit-hooks).run {
+let
+  git-checks = (import (builtins.storePath sources.git-hooks)).run {
    src = ./.;

    hooks = {
-      # Nix Hooks
-      statix.enable = true;
-      deadnix.enable = true;
-      rfc101 = {
+      statix = {
        enable = true;
-
-        name = "RFC-101 formatting";
-        entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
-        files = "\\.nix$";
+        stages = [ "pre-push" ];
+        settings.ignore = [
+          "**/lon.nix"
+          "**/npins"
+        ];
+      };
+
+      deadnix = {
+        enable = true;
+        stages = [ "pre-push" ];
+      };
+
+      nixfmt-rfc-style = {
+        enable = true;
+        stages = [ "pre-push" ];
      };

-      # Misc Hooks
      commitizen.enable = true;
    };
  };
@ -66,26 +76,27 @@ in

  dns = import ./meta/dns.nix;

+  mkCacheSettings = import ./machines/storage01/tvix-cache/cache-settings.nix;
+
  shells = {
    default = pkgs.mkShell {
      name = "dgnum-infra";

-      packages =
-        (
-          with pkgs;
-          [
-            npins
-            nixos-generators
-          ]
-          ++ (builtins.map (p: callPackage p { }) [
-            (sources.disko + "/package.nix")
-            ./lib/colmena
-          ])
-        )
-        ++ (import ./scripts { inherit pkgs; });
+      packages = [
+        (pkgs.nixos-generators.overrideAttrs (_: {
+          version = "1.8.0-unstable";
+          src = builtins.storePath sources.nixos-generators;
+        }))
+        pkgs.npins
+
+        (pkgs.callPackage ./lib/colmena { inherit (nix-pkgs) colmena; })
+        (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
+        (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
+
+      ] ++ (import ./scripts { inherit pkgs; });

      shellHook = ''
-        ${pre-commit-check.shellHook}
+        ${git-checks.shellHook}
      '';

      preferLocalBuild = true;
@ -95,7 +106,7 @@ in
      name = "pre-commit-shell";

      shellHook = ''
-        ${pre-commit-check.shellHook}
+        ${git-checks.shellHook}
      '';
    };
  };
--- a/hive.nix
+++ b/hive.nix
@ -1,78 +1,113 @@
 let
-  sources = import ./npins;
+  sources' = import ./npins;

-  lib = import (sources.nix-lib + "/src/trivial.nix");
+  # Patch sources directly
+  sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
+    .applyPatches' sources';

-  patch = import sources.nix-patches { patchFile = ./patches; };
+  nix-lib = import ./lib/nix-lib;
+
+  patch = import ./lib/nix-patches { patchFile = ./patches; };

  nodes' = import ./meta/nodes.nix;
  nodes = builtins.attrNames nodes';

  mkNode = node: {
    # Import the base configuration for each node
-    imports = builtins.map (lib.mkRel (./machines/${node})) [
-      "_configuration.nix"
-      "_hardware-configuration.nix"
-    ];
+    imports = [ ./machines/${node}/_configuration.nix ];
  };

-  mkNixpkgs =
-    node:
+  nixpkgs' = import ./meta/nixpkgs.nix;
+  # All supported nixpkgs versions, instanciated
+  nixpkgs = nix-lib.mapSingleFuse mkNixpkgs nixpkgs'.supported;
+
+  # Get the configured nixos version for the node,
+  # defaulting to the one defined in meta/nixpkgs
+  version = node: nodes'.${node}.nixpkgs or nixpkgs'.default;
+
+  # Builds a patched version of nixpkgs, only as the source
+  mkNixpkgs' =
+    v:
    patch.mkNixpkgsSrc rec {
-      src = sources.${version};
-      version = "nixos-${nodes'.${node}.nixpkgs or (import ./meta/nixpkgs.nix)}";
+      src = sources'.${name};
+      name = "nixos-${v}";
    };

-  mkNixpkgs' = node: import (mkNixpkgs node) { };
+  # Instanciates the required nixpkgs version
+  mkNixpkgs = version: import (mkNixpkgs' version) { };

  ###
  # Function to create arguments based on the node
  #
  mkArgs = node: rec {
-    lib = import sources.nix-lib {
-      inherit (mkNixpkgs' node) lib;
-
-      keysRoot = ./keys;
+    lib = nixpkgs.${version node}.lib // {
+      extra = nix-lib;
    };

    meta = (import ./meta) lib;
+
+    nodeMeta = meta.nodes.${node};
  };
 in
-# nodes = builtins.attrNames metadata.nodes;
+
 {
  meta = {
-    nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes;
+    nodeNixpkgs = nix-lib.mapSingleFuse (n: nixpkgs.${version n}) nodes;

    specialArgs = {
-      inherit sources;
+      inherit nixpkgs sources;
+
+      dgn-keys = import ./keys;
    };

-    nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
+    nodeSpecialArgs = nix-lib.mapSingleFuse mkArgs nodes;
  };

  defaults =
-    { meta, name, ... }:
+    {
+      pkgs,
+      name,
+      nodeMeta,
+      ...
+    }:
    {
      # Import the default modules
-      imports = [ ./modules ];
+      imports = [
+        ./modules
+        (import "${sources.lix-module}/module.nix" {
+          lix = pkgs.applyPatches {
+            name = "lix-2.90.patched";
+            src = sources.lix;
+            patches = [ ./patches/00-disable-installChecks-lix.patch ];
+          };
+        })
+      ];

      # Include default secrets
-      age-secrets.sources = [ (./machines + "/${name}/secrets") ];
+      age-secrets.sources = [ ./machines/${name}/secrets ];

      # Deployment config is specified in meta.nodes.${node}.deployment
-      inherit (meta.nodes.${name}) deployment;
+      inherit (nodeMeta) deployment;

-      # Set NIX_PATH to the patched version of nixpkgs
-      nix.nixPath = [ "nixpkgs=${mkNixpkgs name}" ];
-      nix.optimise.automatic = true;
+      nix = {
+        # Set NIX_PATH to the patched version of nixpkgs
+        nixPath = [ "nixpkgs=${mkNixpkgs' (version name)}" ];
+        optimise.automatic = true;
+
+        gc = {
+          automatic = true;
+          dates = "weekly";
+          options = "--delete-older-than 7d";
+        };
+      };

      # Allow unfree packages
      nixpkgs.config.allowUnfree = true;

      # Use the stateVersion declared in the metadata
      system = {
-        inherit (meta.nodes.${name}) stateVersion;
+        inherit (nodeMeta) stateVersion;
      };
    };
 }
-// (lib.mapSingleFuse mkNode nodes)
+// (nix-lib.mapSingleFuse mkNode nodes)
--- a/iso/build-iso.sh
+++ b/iso/build-iso.sh
@ -1,5 +1,5 @@
 #!/usr/bin/env bash

-NIXPKGS=$(nix-build nixpkgs.nix)
+NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)

 nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso
--- a/iso/configuration.nix
+++ b/iso/configuration.nix
@ -1,9 +1,9 @@
 { lib, pkgs, ... }:

 let
-  dgn-lib = import ../lib { };
+  dgn-keys = import ../keys;

-  dgn-members = (import ../meta).members.groups.iso;
+  dgn-members = (import ../meta lib).organization.groups.root;
 in

 {
@ -11,7 +11,7 @@ in

  boot = {
    blacklistedKernelModules = [ "snd_pcsp" ];
-    kernelPackages = pkgs.linuxPackages_6_1;
+    kernelPackages = pkgs.linuxPackages_latest;
    tmp.cleanOnBoot = true;

    loader = {
@ -22,6 +22,7 @@ in
    supportedFilesystems = [
      "exfat"
      "zfs"
+      "bcachefs"
    ];

    swraid.enable = lib.mkForce false;
@ -33,7 +34,5 @@ in
    openssh.enable = true;
  };

-  users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
-    m: dgn-lib.mkRel ../keys "${m}.keys"
-  ) dgn-members;
+  users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
 }
--- a/iso/nixpkgs.nix
+++ b/iso/nixpkgs.nix
@ -1,5 +1,6 @@
 let
-  inherit (import ../npins) nixpkgs;
+  version = (import ../meta/nixpkgs.nix).default;
+  nixpkgs = (import ../npins)."nixos-${version}";
 in

 (import nixpkgs { }).srcOnly {
--- a/keys/default.nix
+++ b/keys/default.nix
@ -0,0 +1,84 @@
+let
+  _sources = import ../npins;
+
+  meta = import ../meta (import _sources.nixpkgs { }).lib;
+
+  getAttr = flip builtins.getAttr;
+
+  inherit (import ../lib/nix-lib) flip setDefault unique;
+in
+
+rec {
+  # WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
+  #          If not, you will face an angry maintainer
+  _keys = {
+    # SSH keys of the nodes
+    bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
+    compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
+    geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
+    geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
+    rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
+    storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
+    vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
+    web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
+    web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
+    web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
+
+    # SSH keys of the DGNum members
+    catvayor = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
+    ];
+    cst1 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
+    ];
+    ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
+    gdd = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
+    ];
+    jemagius = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
+    ];
+    luj = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
+    ];
+    mdebray = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
+    ];
+    raito = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
+    ];
+    thubrecht = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
+    ];
+  };
+
+  getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
+
+  mkSecrets =
+    nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
+
+  getNodeKeys' =
+    node:
+    let
+      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
+        meta.nodes.${node}.admins ++ [ node ]
+      ) meta.nodes.${node}.adminGroups;
+    in
+    unique (getKeys names);
+
+  getNodeKeys = node: rootKeys ++ getNodeKeys' node;
+
+  # List of keys for the root group
+  rootKeys = getKeys meta.organization.groups.root;
+
+  # List of 'machine' keys
+  machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
+}
--- a/keys/gdd.keys
+++ b/keys/gdd.keys
@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ
--- a/keys/jemagius.keys
+++ b/keys/jemagius.keys
@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=
--- a/keys/luj.keys
+++ b/keys/luj.keys
@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower
--- a/keys/machines/compute01.keys
+++ b/keys/machines/compute01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu
--- a/keys/machines/geo01.keys
+++ b/keys/machines/geo01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4
--- a/keys/machines/geo02.keys
+++ b/keys/machines/geo02.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket
--- a/keys/machines/rescue01.keys
+++ b/keys/machines/rescue01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf
--- a/keys/machines/storage01.keys
+++ b/keys/machines/storage01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ
--- a/keys/machines/vault01.keys
+++ b/keys/machines/vault01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW
--- a/keys/machines/web01.keys
+++ b/keys/machines/web01.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5
--- a/keys/machines/web02.keys
+++ b/keys/machines/web02.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE020zqMJTlJ73czVxWVNmRof6il+N9dS4Knm43bJSpm
--- a/keys/mdebray.keys
+++ b/keys/mdebray.keys
@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris
--- a/keys/raito.keys
+++ b/keys/raito.keys
@ -1,3 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU
--- a/keys/thubrecht.keys
+++ b/keys/thubrecht.keys
@ -1,3 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn
--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,33 +0,0 @@
-_:
-
-let
-  sources = import ../npins;
-
-  lib = import sources.nix-lib {
-    inherit ((import sources.nixpkgs { })) lib;
-
-    keysRoot = ../keys;
-  };
-
-  meta = import ../meta lib;
-
-  inherit (lib.extra) getAllKeys;
-in
-
-lib.extra
-// rec {
-  # Get publickeys associated to a node
-  getNodeKeys =
-    node:
-    let
-      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
-        meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
-      ) meta.nodes.${node}.adminGroups;
-    in
-    rootKeys ++ (getAllKeys names);
-
-  rootKeys = getAllKeys meta.organization.groups.root;
-
-  machineKeys =
-    rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
-}
--- a/lib/nix-lib/default.nix
+++ b/lib/nix-lib/default.nix
@ -0,0 +1,197 @@
+# Copyright Tom Hubrecht, (2023)
+#
+#  Tom Hubrecht <tom@hubrecht.ovh>
+#
+#  This software is governed by the CeCILL  license under French law and
+#  abiding by the rules of distribution of free software.  You can  use,
+#  modify and/ or redistribute the software under the terms of the CeCILL
+#  license as circulated by CEA, CNRS and INRIA at the following URL
+#  "http://www.cecill.info".
+#
+#  As a counterpart to the access to the source code and  rights to copy,
+#  modify and redistribute granted by the license, users are provided only
+#  with a limited warranty  and the software's author,  the holder of the
+#  economic rights,  and the successive licensors  have only  limited
+#  liability.
+#
+#  In this respect, the user's attention is drawn to the risks associated
+#  with loading,  using,  modifying and/or developing or reproducing the
+#  software by the user in light of its specific status of free software,
+#  that may mean  that it is complicated to manipulate,  and  that  also
+#  therefore means  that it is reserved for developers  and  experienced
+#  professionals having in-depth computer knowledge. Users are therefore
+#  encouraged to load and test the software's suitability as regards their
+#  requirements in conditions enabling the security of their systems and/or
+#  data to be ensured and,  more generally, to use and operate it in the
+#  same conditions as regards security.
+#
+#  The fact that you are presently reading this means that you have had
+#  knowledge of the CeCILL license and that you accept its terms.
+
+let
+  # Reimplement optional functions
+  _optional =
+    default: b: value:
+    if b then value else default;
+in
+
+rec {
+  inherit (import ./nixpkgs.nix)
+    flip
+    hasPrefix
+    recursiveUpdate
+    splitString
+    unique
+    ;
+
+  /*
+    Fuses a list of attribute sets into a single attribute set.
+
+    Type: [attrs] -> attrs
+
+     Example:
+       x = [ { a = 1; } { b = 2; } ]
+       fuseAttrs x
+       => { a = 1; b = 2; }
+  */
+  fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
+
+  fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
+
+  /*
+    Applies a function to `attrsList` before fusing the resulting list
+    of attribute sets.
+
+    Type: ('a -> attrs) -> ['a] -> attrs
+
+    Example:
+     x = [ "to" "ta" "ti" ]
+     f = s: { ${s} = s + s; }
+     mapFuse f x
+     => { to = "toto"; ta = "tata"; ti = "titi"; }
+  */
+  mapFuse =
+    # 'a -> attrs
+    f:
+    # ['a]
+    attrsList:
+    fuseAttrs (builtins.map f attrsList);
+
+  /*
+    Equivalent of lib.singleton but for an attribute set.
+
+    Type: str -> 'a -> attrs
+
+     Example:
+       singleAttr "a" 1
+       => { a = 1; }
+  */
+  singleAttr = name: value: { ${name} = value; };
+
+  # Enables a list of modules.
+  enableAttrs' =
+    enable:
+    mapFuse (m: {
+      ${m}.${enable} = true;
+    });
+
+  enableModules = enableAttrs' "enable";
+
+  /*
+    Create an attribute set from a list of values, mapping those
+    values through the function `f`.
+
+    Example:
+     mapSingleFuse (x: "val-${x}") [ "a" "b" ]
+     => { a = "val-a"; b = "val-b" }
+  */
+  mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
+
+  /*
+    Creates a relative path as a string
+
+    Type: path -> str -> path
+
+     Example:
+       mkRel /home/test/ "file.txt"
+       => "/home/test/file.txt"
+  */
+  mkRel = path: file: path + "/${file}";
+
+  setDefault =
+    default:
+    mapFuse (name: {
+      ${name} = default;
+    });
+
+  mkBaseSecrets =
+    root:
+    mapFuse (secret: {
+      ${secret}.file = mkRel root secret;
+    });
+
+  getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
+
+  subAttr = attrs: name: attrs.${name};
+
+  subAttrs = attrs: builtins.map (subAttr attrs);
+
+  optionalList = _optional [ ];
+
+  optionalAttrs = _optional { };
+
+  optionalString = _optional "";
+  /*
+    Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
+    sets together.
+
+    Type: [attrs] -> attrs
+  */
+  recursiveFuse = builtins.foldl' recursiveUpdate { };
+
+  mkImport =
+    root: file:
+    let
+      path = mkRel root file;
+    in
+    path + (optionalString (!(builtins.pathExists path)) ".nix");
+
+  mkImports = root: builtins.map (mkImport root);
+
+  /*
+    Creates a confugiration by merging enabled modules,
+    services and extraConfig.
+
+    Example:
+     mkConfig {
+       enabledModules = [ "ht-defaults" ];
+       enabledServices = [ "toto" ];
+       extraConfig = { services.nginx.enable = true; };
+       root = ./.;
+     }
+     =>
+     {
+       imports = [ ./toto ];
+       ht-defaults.enable = true;
+       services.nginx.enable = true;
+     }
+  */
+  mkConfig =
+    {
+      # List of modules to enable with `enableModules`
+      enabledModules,
+      # List of services to import
+      enabledServices,
+      # Extra configuration, defaults to `{ }`
+      extraConfig ? { },
+      # Path relative to which the enabled services will be imported
+      root,
+    }:
+    recursiveFuse [
+      (enableModules enabledModules)
+
+      { imports = mkImports root ([ "_hardware-configuration" ] ++ enabledServices); }
+
+      extraConfig
+    ];
+}
--- a/lib/nix-lib/nixpkgs.nix
+++ b/lib/nix-lib/nixpkgs.nix
@ -0,0 +1,416 @@
+###
+# Collection of nixpkgs library functions, those are necessary for defining our own lib
+#
+# They have been simplified and builtins are used in some places, instead of lib shims.
+
+rec {
+  /**
+    Does the same as the update operator '//' except that attributes are
+    merged until the given predicate is verified.  The predicate should
+    accept 3 arguments which are the path to reach the attribute, a part of
+    the first attribute set and a part of the second attribute set.  When
+    the predicate is satisfied, the value of the first attribute set is
+    replaced by the value of the second attribute set.
+
+    # Inputs
+
+    `pred`
+
+    : Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
+
+    `lhs`
+
+    : Left attribute set of the merge.
+
+    `rhs`
+
+    : Right attribute set of the merge.
+
+    # Type
+
+    ```
+    recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.attrsets.recursiveUpdateUntil` usage example
+
+    ```nix
+    recursiveUpdateUntil (path: l: r: path == ["foo"]) {
+      # first attribute set
+      foo.bar = 1;
+      foo.baz = 2;
+      bar = 3;
+    } {
+      #second attribute set
+      foo.bar = 1;
+      foo.quz = 2;
+      baz = 4;
+    }
+
+    => {
+      foo.bar = 1; # 'foo.*' from the second set
+      foo.quz = 2; #
+      bar = 3;     # 'bar' from the first set
+      baz = 4;     # 'baz' from the second set
+    }
+    ```
+
+    :::
+  */
+  recursiveUpdateUntil =
+    pred: lhs: rhs:
+    let
+      f =
+        attrPath:
+        builtins.zipAttrsWith (
+          n: values:
+          let
+            here = attrPath ++ [ n ];
+          in
+          if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
+            builtins.head values
+          else
+            f here values
+        );
+    in
+    f [ ] [
+      rhs
+      lhs
+    ];
+
+  /**
+    A recursive variant of the update operator ‘//’.  The recursion
+    stops when one of the attribute values is not an attribute set,
+    in which case the right hand side value takes precedence over the
+    left hand side value.
+
+    # Inputs
+
+    `lhs`
+
+    : Left attribute set of the merge.
+
+    `rhs`
+
+    : Right attribute set of the merge.
+
+    # Type
+
+    ```
+    recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.attrsets.recursiveUpdate` usage example
+
+    ```nix
+    recursiveUpdate {
+      boot.loader.grub.enable = true;
+      boot.loader.grub.device = "/dev/hda";
+    } {
+      boot.loader.grub.device = "";
+    }
+
+    returns: {
+      boot.loader.grub.enable = true;
+      boot.loader.grub.device = "";
+    }
+    ```
+
+    :::
+  */
+  recursiveUpdate =
+    lhs: rhs:
+    recursiveUpdateUntil (
+      _: lhs: rhs:
+      !(builtins.isAttrs lhs && builtins.isAttrs rhs)
+    ) lhs rhs;
+
+  /**
+    Determine whether a string has given prefix.
+
+    # Inputs
+
+    `pref`
+    : Prefix to check for
+
+    `str`
+    : Input string
+
+    # Type
+
+    ```
+    hasPrefix :: string -> string -> bool
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.hasPrefix` usage example
+
+    ```nix
+    hasPrefix "foo" "foobar"
+    => true
+    hasPrefix "foo" "barfoo"
+    => false
+    ```
+
+    :::
+  */
+  hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
+
+  /**
+    Escape occurrence of the elements of `list` in `string` by
+    prefixing it with a backslash.
+
+    # Inputs
+
+    `list`
+    : 1\. Function argument
+
+    `string`
+    : 2\. Function argument
+
+    # Type
+
+    ```
+    escape :: [string] -> string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.escape` usage example
+
+    ```nix
+    escape ["(" ")"] "(foo)"
+    => "\\(foo\\)"
+    ```
+
+    :::
+  */
+  escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
+
+  /**
+    Convert a string `s` to a list of characters (i.e. singleton strings).
+    This allows you to, e.g., map a function over each character.  However,
+    note that this will likely be horribly inefficient; Nix is not a
+    general purpose programming language. Complex string manipulations
+    should, if appropriate, be done in a derivation.
+    Also note that Nix treats strings as a list of bytes and thus doesn't
+    handle unicode.
+
+    # Inputs
+
+    `s`
+    : 1\. Function argument
+
+    # Type
+
+    ```
+    stringToCharacters :: string -> [string]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.stringToCharacters` usage example
+
+    ```nix
+    stringToCharacters ""
+    => [ ]
+    stringToCharacters "abc"
+    => [ "a" "b" "c" ]
+    stringToCharacters "🦄"
+    => [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
+    ```
+
+    :::
+  */
+  stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
+
+  /**
+    Turn a string `s` into an exact regular expression
+
+    # Inputs
+
+    `s`
+    : 1\. Function argument
+
+    # Type
+
+    ```
+    escapeRegex :: string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.escapeRegex` usage example
+
+    ```nix
+    escapeRegex "[^a-z]*"
+    => "\\[\\^a-z]\\*"
+    ```
+
+    :::
+  */
+  escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
+
+  /**
+    Appends string context from string like object `src` to `target`.
+
+    :::{.warning}
+    This is an implementation
+    detail of Nix and should be used carefully.
+    :::
+
+    Strings in Nix carry an invisible `context` which is a list of strings
+    representing store paths. If the string is later used in a derivation
+    attribute, the derivation will properly populate the inputDrvs and
+    inputSrcs.
+
+    # Inputs
+
+    `src`
+    : The string to take the context from. If the argument is not a string,
+      it will be implicitly converted to a string.
+
+    `target`
+    : The string to append the context to. If the argument is not a string,
+      it will be implicitly converted to a string.
+
+    # Type
+
+    ```
+    addContextFrom :: string -> string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.addContextFrom` usage example
+
+    ```nix
+    pkgs = import <nixpkgs> { };
+    addContextFrom pkgs.coreutils "bar"
+    => "bar"
+    ```
+
+    The context can be displayed using the `toString` function:
+
+    ```nix
+    nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
+    {
+      "/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
+    }
+    ```
+
+    :::
+  */
+  addContextFrom = src: target: builtins.substring 0 0 src + target;
+
+  /**
+    Cut a string with a separator and produces a list of strings which
+    were separated by this separator.
+
+    # Inputs
+
+    `sep`
+    : 1\. Function argument
+
+    `s`
+    : 2\. Function argument
+
+    # Type
+
+    ```
+    splitString :: string -> string -> [string]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.splitString` usage example
+
+    ```nix
+    splitString "." "foo.bar.baz"
+    => [ "foo" "bar" "baz" ]
+    splitString "/" "/usr/local/bin"
+    => [ "" "usr" "local" "bin" ]
+    ```
+
+    :::
+  */
+  splitString =
+    sep: s:
+    let
+      splits = builtins.filter builtins.isString (
+        builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
+      );
+    in
+    builtins.map (addContextFrom s) splits;
+
+  /**
+    Remove duplicate elements from the `list`. O(n^2) complexity.
+
+    # Inputs
+
+    `list`
+
+    : Input list
+
+    # Type
+
+    ```
+    unique :: [a] -> [a]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.lists.unique` usage example
+
+    ```nix
+    unique [ 3 2 3 4 ]
+    => [ 3 2 4 ]
+    ```
+
+    :::
+  */
+  unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
+
+  /**
+    Flip the order of the arguments of a binary function.
+
+    # Inputs
+
+    `f`
+
+    : 1\. Function argument
+
+    `a`
+
+    : 2\. Function argument
+
+    `b`
+
+    : 3\. Function argument
+
+    # Type
+
+    ```
+    flip :: (a -> b -> c) -> (b -> a -> c)
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.trivial.flip` usage example
+
+    ```nix
+    flip concat [1] [2]
+    => [ 2 1 ]
+    ```
+
+    :::
+  */
+  flip =
+    f: a: b:
+    f b a;
+}
--- a/lib/nix-patches/default.nix
+++ b/lib/nix-patches/default.nix
@ -0,0 +1,110 @@
+# Copyright Tom Hubrecht, (2023-2024)
+#
+# Tom Hubrecht <tom@hubrecht.ovh>
+#
+# This software is governed by the CeCILL  license under French law and
+# abiding by the rules of distribution of free software.  You can  use,
+# modify and/ or redistribute the software under the terms of the CeCILL
+# license as circulated by CEA, CNRS and INRIA at the following URL
+# "http://www.cecill.info".
+#
+# As a counterpart to the access to the source code and  rights to copy,
+# modify and redistribute granted by the license, users are provided only
+# with a limited warranty  and the software's author,  the holder of the
+# economic rights,  and the successive licensors  have only  limited
+# liability.
+#
+# In this respect, the user's attention is drawn to the risks associated
+# with loading,  using,  modifying and/or developing or reproducing the
+# software by the user in light of its specific status of free software,
+# that may mean  that it is complicated to manipulate,  and  that  also
+# therefore means  that it is reserved for developers  and  experienced
+# professionals having in-depth computer knowledge. Users are therefore
+# encouraged to load and test the software's suitability as regards their
+# requirements in conditions enabling the security of their systems and/or
+# data to be ensured and,  more generally, to use and operate it in the
+# same conditions as regards security.
+#
+# The fact that you are presently reading this means that you have had
+# knowledge of the CeCILL license and that you accept its terms.
+
+{
+  patchFile,
+  excludeGitHubManual ? true,
+  fetchers ? { },
+}:
+
+rec {
+  base =
+    { pkgs }:
+    rec {
+      mkUrlPatch =
+        attrs:
+        pkgs.fetchpatch (
+          {
+            hash = pkgs.lib.fakeHash;
+          }
+          // attrs
+          // (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
+            excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
+          })
+        );
+
+      mkGitHubPatch =
+        { id, ... }@attrs:
+        mkUrlPatch (
+          (builtins.removeAttrs attrs [ "id" ])
+          // {
+            url = "https://github.com/NixOS/nixpkgs/pull/${builtins.toString id}.diff";
+          }
+        );
+
+      mkCommitPatch =
+        { sha, ... }@attrs:
+        mkUrlPatch (
+          (builtins.removeAttrs attrs [ "sha" ])
+          // {
+            url = "https://github.com/NixOS/nixpkgs/commit/${builtins.toString sha}.diff";
+          }
+        );
+
+      patchFunctions = {
+        commit = mkCommitPatch;
+        github = mkGitHubPatch;
+        remote = pkgs.fetchpatch;
+        static = attrs: attrs.path;
+        url = mkUrlPatch;
+      } // fetchers;
+
+      mkPatch =
+        {
+          _type ? "github",
+          ...
+        }@attrs:
+        if builtins.hasAttr _type patchFunctions then
+          patchFunctions.${_type} (builtins.removeAttrs attrs [ "_type" ])
+        else
+          throw "Unknown patch type: ${builtins.toString _type}.";
+
+      mkPatches = v: builtins.map mkPatch ((import patchFile).${v} or [ ]);
+
+      applyPatches =
+        {
+          src,
+          name,
+          patches ? mkPatches name,
+        }:
+        if patches == [ ] then
+          src
+        else
+          pkgs.applyPatches {
+            inherit patches src;
+
+            name = "${name}-patched";
+          };
+
+      applyPatches' = name: src: applyPatches { inherit name src; };
+    };
+
+  mkNixpkgsSrc = { src, name }: (base { pkgs = import src { }; }).applyPatches { inherit src name; };
+}
--- a/machines/bridge01/_configuration.nix
+++ b/machines/bridge01/_configuration.nix
@ -0,0 +1,20 @@
+{ lib, pkgs, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+  ];
+
+  enabledServices = [
+    # List of services to enable
+    "network"
+  ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+
+    environment.systemPackages = [ pkgs.bcachefs-tools ];
+  };
+
+  root = ./.;
+}
--- a/machines/bridge01/_hardware-configuration.nix
+++ b/machines/bridge01/_hardware-configuration.nix
@ -0,0 +1,53 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ modulesPath, pkgs, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "ehci_pci"
+        "ahci"
+        "sd_mod"
+        "sr_mod"
+      ];
+    };
+
+    kernelModules = [ "kvm-intel" ];
+    kernelPackages = pkgs.linuxPackages_latest;
+
+    supportedFilesystems.bcachefs = true;
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "UUID=3da58b64-a2fd-428d-bde8-3a185e2f73fd";
+      fsType = "bcachefs";
+      options = [ "compression=zstd" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/4D0A-AF11";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.vlan-admin.useDHCP = lib.mkDefault true;
+  # networking.interfaces.vlan-uplink-oob.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+}
--- a/machines/bridge01/network.nix
+++ b/machines/bridge01/network.nix
@ -0,0 +1,79 @@
+_:
+
+{
+  networking = {
+    useNetworkd = true;
+    useDHCP = false;
+
+    nftables.enable = true;
+    firewall.allowedUDPPorts = [ 67 ];
+  };
+
+  systemd.network = {
+    networks = {
+      "10-eno1" = {
+        name = "eno1";
+        networkConfig = {
+          VLAN = [
+            "vlan-admin"
+            "vlan-uplink-oob"
+          ];
+
+          LinkLocalAddressing = false;
+          LLDP = false;
+          EmitLLDP = false;
+          IPv6AcceptRA = false;
+          IPv6SendRA = false;
+        };
+        # address = [ "192.168.222.1/24" ];
+      };
+
+      "10-vlan-admin" = {
+        name = "vlan-admin";
+        # DHCP for the BMC
+        networkConfig.DHCPServer = "yes";
+
+        dhcpServerConfig = {
+          PoolOffset = 128;
+          EmitDNS = false;
+          EmitNTP = false;
+          EmitSIP = false;
+          EmitPOP3 = false;
+          EmitSMTP = false;
+          EmitLPR = false;
+          UplinkInterface = ":none";
+        };
+
+        address = [
+          "fd26:baf9:d250:8000::ffff/64"
+          "192.168.222.1/24"
+        ];
+      };
+
+      "10-vlan-uplink-oob" = {
+        name = "vlan-uplink-oob";
+        networkConfig.DHCP = "ipv4";
+      };
+    };
+
+    netdevs = {
+      "10-vlan-admin" = {
+        netdevConfig = {
+          Name = "vlan-admin";
+          Kind = "vlan";
+        };
+
+        vlanConfig.Id = 3000;
+      };
+
+      "10-vlan-uplink-oob" = {
+        netdevConfig = {
+          Name = "vlan-uplink-oob";
+          Kind = "vlan";
+        };
+
+        vlanConfig.Id = 500;
+      };
+    };
+  };
+}
--- a/machines/bridge01/secrets/secrets.nix
+++ b/machines/bridge01/secrets/secrets.nix
@ -0,0 +1,3 @@
+(import ../../../keys).mkSecrets [ "bridg01" ] [
+  # List of secrets for bridge01
+]
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@ -1,39 +1,42 @@
 { lib, ... }:

 lib.extra.mkConfig {
+  # List of modules to enable
  enabledModules = [
-    # List of modules to enable
+    # INFO: This list needs to stay sorted alphabetically
    "dgn-backups"
-    "dgn-fail2ban"
+    "dgn-chatops"
    "dgn-web"
  ];

+  # List of services to enable
  enabledServices = [
-    # List of services to enable
+    # INFO: This list needs to stay sorted alphabetically
    "arkheon"
+    "dgsi"
    "ds-fr"
    "grafana"
    "hedgedoc"
-    "k-radius"
    "kanidm"
    "librenms"
    "mastodon"
    "nextcloud"
+    "ollama-proxy"
    "outline"
+    "plausible"
+    "postgresql"
    "rstudio-server"
    "satosa"
+    "signal-irc-bridge"
+    "signald"
+    "stirling-pdf"
+    "takumi"
    "telegraf"
    "vaultwarden"
    "zammad"
-    "signald"
  ];

  extraConfig = {
-    dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
-      "sshd-bruteforce"
-      "sshd-timeout"
-    ];
-
    dgn-hardware.useZfs = true;

    services.netbird.enable = true;
--- a/machines/compute01/dgsi/default.nix
+++ b/machines/compute01/dgsi/default.nix
@ -0,0 +1,222 @@
+{
+  config,
+  lib,
+  pkgs,
+  utils,
+  sources,
+  ...
+}:
+
+let
+  inherit (lib) toLower;
+
+  python =
+    let
+      python3 = pkgs.python312;
+      nix-pkgs = import sources.nix-pkgs { inherit pkgs python3; };
+    in
+    python3.override {
+      packageOverrides = _: _: {
+        inherit (nix-pkgs)
+          django-allauth
+          django-allauth-cas
+          django-browser-reload
+          django-bulma-forms
+          django-sass-processor
+          django-sass-processor-dart-sass
+          django-unfold
+          pykanidm
+          python-cas
+          loadcredential
+          xlwt
+          ;
+      };
+    };
+
+  pythonEnv = python.withPackages (
+    ps:
+    [
+      ps.django
+      ps.gunicorn
+      ps.psycopg
+      ps.django-compressor
+      ps.django-import-export
+
+      # Local packages
+      ps.django-allauth
+      ps.django-allauth-cas
+      ps.django-browser-reload
+      ps.django-bulma-forms
+      ps.django-sass-processor
+      ps.django-sass-processor-dart-sass
+      ps.django-unfold
+      ps.loadcredential
+      ps.pykanidm
+      ps.python-cas
+    ]
+    ++ ps.django-allauth.optional-dependencies.saml
+  );
+
+  staticDrv = pkgs.stdenv.mkDerivation {
+    name = "dgsi-static";
+
+    src = sources.dgsi;
+    sourceRoot = "source/src";
+
+    nativeBuildInputs = [
+      pkgs.dart-sass
+      pythonEnv
+    ];
+
+    configurePhase = ''
+      export DGSI_STATIC_ROOT=$out/static
+      export CREDENTIALS_DIRECTORY=$(pwd)/../.credentials
+      export DGSI_KANIDM_CLIENT="dgsi_test"
+      export DGSI_KANIDM_AUTH_TOKEN="fake.token"
+      export DGSI_X509_KEY=""
+      export DGSI_X509_CERT=""
+    '';
+
+    doBuild = false;
+
+    installPhase = ''
+      mkdir -p $out/static
+      python3 manage.py compilescss
+      python3 manage.py collectstatic
+    '';
+  };
+in
+
+{
+  users = {
+    users.nginx.extraGroups = [ "django-apps" ];
+    groups.django-apps = { };
+  };
+
+  systemd = {
+    services = {
+      dj-dgsi = {
+        description = "DGSI web app";
+
+        requires = [ "dj-dgsi.socket" ];
+        wantedBy = [ "multi-user.target" ];
+        after = [
+          "network.target"
+          "postgresql.service"
+        ];
+
+        serviceConfig = {
+          DynamicUser = true;
+          LoadCredential = map (name: "${name}:${config.age.secrets."dgsi-${toLower name}_file".path}") [
+            "EMAIL_HOST_PASSWORD"
+            "KANIDM_AUTH_TOKEN"
+            "KANIDM_SECRET"
+            "SECRET_KEY"
+            "X509_CERT"
+            "X509_KEY"
+          ];
+          RuntimeDirectory = "django-apps/dgsi";
+          StateDirectory = "django-apps/dgsi";
+          UMask = "0027";
+          User = "dj-dgsi";
+          Group = "django-apps";
+          WorkingDirectory = sources.dgsi;
+          ExecReload = "${lib.getExe' pkgs.coreutils "kill"} -s HUP $MAINPID";
+          KillMode = "mixed";
+          Type = "notify";
+          ExecStart = utils.escapeSystemdExecArgs [
+            (lib.getExe' pythonEnv "gunicorn")
+            "--workers"
+            4
+            "--bind"
+            "unix:/run/django-apps/dgsi.sock"
+            "--pythonpath"
+            "src"
+            "app.wsgi"
+          ];
+        };
+
+        environment = {
+          DGSI_ALLOWED_HOSTS = builtins.toJSON [
+            "profil.dgnum.eu"
+            "dgsi.dgnum.eu"
+          ];
+
+          DGSI_EMAIL_HOST = "kurisu.lahfa.xyz";
+          DGSI_EMAIL_HOST_USER = "web-services@infra.dgnum.eu";
+          DGSI_EMAIL_USE_SSL = builtins.toJSON true;
+          DGSI_FROM_EMAIL = "La Délégation Générale Numérique <noreply@infra.dgnum.eu>";
+          DGSI_SERVER_EMAIL = "dgsi@infra.dgnum.eu";
+
+          DGSI_KANIDM_CLIENT = "dgsi";
+          DGSI_KANIDM_URI = "https://sso.dgnum.eu";
+
+          DGSI_MEDIA_ROOT = "/var/lib/django-apps/dgsi/media";
+          DGSI_STATIC_ROOT = "${staticDrv}/static";
+
+          DGSI_DATABASES = builtins.toJSON {
+            default = {
+              ENGINE = "django.db.backends.postgresql";
+              NAME = "dj-dgsi";
+            };
+          };
+          DJANGO_SETTINGS_MODULE = "app.settings";
+        };
+
+        path = [ pythonEnv ];
+
+        preStart = ''
+          python3 src/manage.py migrate --no-input
+        '';
+      };
+    };
+
+    sockets."dj-dgsi" = {
+      description = "Socket for the DGSI Django Application";
+      wantedBy = [ "sockets.target" ];
+
+      socketConfig = {
+        ListenStream = "/run/django-apps/dgsi.sock";
+        SocketMode = "600";
+        SocketUser = config.services.nginx.user;
+      };
+    };
+
+    mounts = [
+      {
+        where = "/run/django-apps/dgsi/media";
+        what = "/var/lib/django-apps/dgsi/media";
+        options = "bind";
+
+        after = [ "dj-dgsi.service" ];
+        partOf = [ "dj-dgsi.service" ];
+        upheldBy = [ "dj-dgsi.service" ];
+      }
+    ];
+  };
+
+  dgn-redirections.permanent."dgsi.dgnum.eu" = "profil.dgnum.eu";
+
+  services = {
+    postgresql = {
+      ensureDatabases = [ "dj-dgsi" ];
+      ensureUsers = [
+        {
+          name = "dj-dgsi";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    nginx.virtualHosts."profil.dgnum.eu" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations = {
+        "/".proxyPass = "http://unix:/run/django-apps/dgsi.sock";
+        "/static/".root = staticDrv;
+        "/media/".root = "/run/django-apps/dgsi";
+      };
+    };
+  };
+}
--- a/machines/compute01/ds-fr/default.nix
+++ b/machines/compute01/ds-fr/default.nix
@ -6,6 +6,8 @@ in
 {
  imports = [ ./module.nix ];

+  dgn-web.internalPorts.ds-fr = 3000;
+
  services.demarches-simplifiees = {
    enable = true;

--- a/machines/compute01/ds-fr/package/default.nix
+++ b/machines/compute01/ds-fr/package/default.nix
@ -3,9 +3,7 @@
  stdenv,
  fetchFromGitHub,
  git,
-  fetchYarnDeps,
-  yarn,
-  fixup_yarn_lock,
+  bun,
  nodejs,
  ruby_3_2,
  bundlerEnv,
@ -18,7 +16,7 @@ let
  inherit (lib) getExe;

  # Head of the DGNum repo
-  dgn-id = "12e4a32ca5d909a90ca6f7e53081cc6b6b14c416";
+  dgn-id = "f270f1cdd09e643a9c666c94df1841234430de49";

  pname = "ds-fr";
  meta = import ./meta.nix;
@ -50,20 +48,46 @@ let
    };
  };

+  node_modules = stdenv.mkDerivation {
+    pname = "${pname}-node_modules";
+    inherit src version;
+
+    impureEnvVars = lib.fetchers.proxyImpureEnvVars ++ [
+      "GIT_PROXY_COMMAND"
+      "SOCKS_SERVER"
+    ];
+
+    nativeBuildInputs = [ bun ];
+
+    dontConfigure = true;
+
+    buildPhase = ''
+      bun install --no-progress --frozen-lockfile --ignore-scripts 
+      rm -r node_modules/.cache
+
+      # Remove inconsistent file
+      rm node_modules/.bin/grunt
+    '';
+
+    installPhase = ''
+      mv node_modules $out
+    '';
+
+    dontFixup = true;
+
+    outputHash = meta.deps-hash or lib.fakeHash;
+    outputHashAlgo = "sha256";
+    outputHashMode = "recursive";
+  };
+
  dsModules = stdenv.mkDerivation {
    pname = "${pname}-modules";
    inherit src version;

-    offlineCache = fetchYarnDeps {
-      yarnLock = "${src}/yarn.lock";
-      hash = meta.deps-hash;
-    };
-
    buildInputs = [ rubyEnv ];
    nativeBuildInputs = [
-      fixup_yarn_lock
+      bun
      nodejs
-      yarn
      rubyEnv.wrappedRuby
    ];

@ -84,18 +108,13 @@ let
    APP_HOST = "precompile_placeholder";

    buildPhase = ''
-      export HOME=$(mktemp -d)
-      yarn config --offline set yarn-offline-mirror $offlineCache
-      fixup_yarn_lock yarn.lock
-      yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
+      cp -R ${node_modules} node_modules
+      chmod u+w -R node_modules

-      patchShebangs node_modules/
+      patchShebangs node_modules
      patchShebangs bin/

      bin/rake assets:precompile
-
-      yarn cache clean --offline
-      rm -rf node_modules/
    '';

    installPhase = ''
--- a/machines/compute01/ds-fr/package/meta.nix
+++ b/machines/compute01/ds-fr/package/meta.nix
@ -1,5 +1,5 @@
 {
-  version = "2024-03-26-01";
-  src-hash = "sha256-JLwbeCGZNFxzZnh6bcheNUkrg/51UG4IM9pln+ridSs=";
-  deps-hash = "sha256-ZtZ1iqKHWGPR5+BDOtOvrpgdndfP5IiqrLkju96YAM4=";
+  version = "2024-04-24-01";
+  src-hash = "sha256-+FjthJZb1KqqFttFmXr/FN5qaFcY9RGTKAqhdLGVFSg=";
+  deps-hash = "sha256-Vj8WCB+LSHJM67qbsZ5CPc+jK1KWO1MXnSFp/LH0Ow8=";
 }
--- a/machines/compute01/ds-fr/package/rubyEnv/Gemfile
+++ b/machines/compute01/ds-fr/package/rubyEnv/Gemfile
@ -10,6 +10,7 @@ gem 'active_storage_validations'
 gem 'addressable'
 gem 'administrate'
 gem 'administrate-field-enum' # Allow using Field::Enum in administrate
+gem 'after_commit_everywhere'
 gem 'after_party'
 gem 'ancestry'
 gem 'anchored'
@ -22,10 +23,10 @@ gem 'chunky_png'
 gem 'clamav-client', require: 'clamav/client'
 gem 'daemons'
 gem 'deep_cloneable' # Enable deep clone of active record models
-gem 'delayed_cron_job' # Cron jobs
+gem 'delayed_cron_job', require: false # Cron jobs
 gem 'delayed_job_active_record'
 gem 'delayed_job_web'
-gem 'devise', git: 'https://github.com/heartcombo/devise.git', ref: "edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1" # Gestion des comptes utilisateurs, drop ref on next release: 4.9.4
+gem 'devise'
 gem 'devise-i18n'
 gem 'devise-two-factor'
 gem 'discard'
@ -76,6 +77,7 @@ gem 'puma' # Use Puma as the app server
 gem 'pundit'
 gem 'rack-attack'
 gem 'rails-i18n' # Locales par défaut
+gem 'rails-pg-extras'
 gem 'rake-progressbar', require: false
 gem 'redcarpet'
 gem 'redis'
@ -89,15 +91,23 @@ gem 'sentry-ruby'
 gem 'sentry-sidekiq'
 gem 'sib-api-v3-sdk'
 gem 'sidekiq'
+gem 'sidekiq-cron'
 gem 'skylight'
 gem 'spreadsheet_architect'
 gem 'strong_migrations' # lint database migrations
+gem 'sys-proctable'
 gem 'turbo-rails'
 gem 'typhoeus'
 gem 'ulid-ruby', require: 'ulid'
 gem 'view_component'
 gem 'vite_rails'
 gem 'warden'
+gem 'webrick', require: false
+gem 'yabeda-graphql'
+gem 'yabeda-prometheus'
+gem 'yabeda-puma-plugin'
+gem 'yabeda-rails'
+gem 'yabeda-sidekiq'
 gem 'zipline'
 gem 'zxcvbn-ruby', require: 'zxcvbn'

@ -115,6 +125,8 @@ group :test do
  gem 'selenium-devtools'
  gem 'selenium-webdriver'
  gem 'shoulda-matchers', require: false
+  gem 'simplecov', require: false
+  gem 'simplecov-cobertura', require: false
  gem 'timecop'
  gem 'vcr'
  gem 'webmock'
--- a/machines/compute01/ds-fr/package/rubyEnv/Gemfile.lock
+++ b/machines/compute01/ds-fr/package/rubyEnv/Gemfile.lock
@ -6,18 +6,6 @@ GIT
      json (>= 2.5)
      sidekiq (~> 7.0)

-GIT
-  remote: https://github.com/heartcombo/devise.git
-  revision: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
-  ref: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
-  specs:
-    devise (4.9.3)
-      bcrypt (~> 3.0)
-      orm_adapter (~> 0.1)
-      railties (>= 4.1.0)
-      responders
-      warden (~> 1.2.3)
-
 GEM
  remote: https://rubygems.org/
  specs:
@ -116,10 +104,15 @@ GEM
    administrate-field-enum (0.0.9)
      administrate (~> 0.12)
    aes_key_wrap (1.1.0)
+    after_commit_everywhere (1.4.0)
+      activerecord (>= 4.2)
+      activesupport
    after_party (1.11.2)
    ancestry (4.3.3)
      activerecord (>= 5.2.6)
    anchored (1.1.0)
+    anyway_config (2.6.3)
+      ruby-next-core (~> 1.0)
    ast (2.4.2)
    attr_required (1.0.2)
    axe-core-api (4.8.2)
@ -143,7 +136,7 @@ GEM
      erubi (~> 1.4)
      parser (>= 2.4)
      smart_properties
-    bigdecimal (3.1.6)
+    bigdecimal (3.1.7)
    bindata (2.5.0)
    bindex (0.8.1)
    bootsnap (1.18.3)
@ -175,7 +168,7 @@ GEM
      nokogiri (~> 1.10, >= 1.10.4)
      rubyzip (>= 1.3.0, < 3)
    charlock_holmes (0.7.7)
-    chartkick (5.0.5)
+    chartkick (5.0.6)
    choice (0.2.0)
    chunky_png (1.4.0)
    clamav-client (3.2.0)
@ -208,6 +201,12 @@ GEM
      sinatra (>= 1.4.4)
    descendants_tracker (0.0.4)
      thread_safe (~> 0.3, >= 0.3.1)
+    devise (4.9.4)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 4.1.0)
+      responders
+      warden (~> 1.2.3)
    devise-i18n (1.12.0)
      devise (>= 4.9.0)
    devise-two-factor (5.0.0)
@ -218,6 +217,7 @@ GEM
    diff-lcs (1.5.1)
    discard (1.3.0)
      activerecord (>= 4.2, < 8)
+    docile (1.4.0)
    dotenv (2.8.1)
    dotenv-rails (2.8.1)
      dotenv (= 2.8.1)
@ -226,6 +226,7 @@ GEM
    dry-core (1.0.1)
      concurrent-ruby (~> 1.0)
      zeitwerk (~> 2.6)
+    dry-initializer (3.1.1)
    dry-monads (1.6.0)
      concurrent-ruby (~> 1.0)
      dry-core (~> 1.0, < 2)
@ -234,7 +235,7 @@ GEM
    email_validator (2.2.4)
      activemodel
    erubi (1.12.0)
-    et-orbi (1.2.7)
+    et-orbi (1.2.11)
      tzinfo
    ethon (0.16.0)
      ffi (>= 1.15.0)
@ -277,7 +278,7 @@ GEM
      fog-core (~> 2.1)
      fog-json (>= 1.0)
    formatador (1.1.0)
-    fugit (1.9.0)
+    fugit (1.10.1)
      et-orbi (~> 1, >= 1.2.7)
      raabro (~> 1.4)
    geo_coord (0.2.0)
@ -349,7 +350,7 @@ GEM
    invisible_captcha (2.2.0)
      rails (>= 5.2)
    io-console (0.7.2)
-    irb (1.11.2)
+    irb (1.12.0)
      rdoc
      reline (>= 0.4.2)
    job-iteration (1.4.1)
@ -358,7 +359,7 @@ GEM
      rails-dom-testing (>= 1, < 3)
      railties (>= 4.2.0)
      thor (>= 0.14, < 2.0)
-    json (2.7.1)
+    json (2.7.2)
    json-jwt (1.16.6)
      activesupport (>= 4.2)
      aes_key_wrap
@ -366,12 +367,15 @@ GEM
      bindata
      faraday (~> 2.0)
      faraday-follow_redirects
-    json_schemer (2.1.1)
+    json_schemer (2.2.1)
+      base64
+      bigdecimal
      hana (~> 1.3)
      regexp_parser (~> 2.0)
      simpleidn (~> 0.2)
    jsonapi-renderer (0.2.2)
-    jwt (2.7.1)
+    jwt (2.8.1)
+      base64
    kaminari (1.2.2)
      activesupport (>= 4.1.0)
      kaminari-actionview (= 1.2.2)
@ -398,7 +402,7 @@ GEM
      letter_opener (~> 1.7)
      railties (>= 5.2)
      rexml
-    listen (3.8.0)
+    listen (3.9.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    lograge (0.14.0)
@ -415,7 +419,7 @@ GEM
      net-imap
      net-pop
      net-smtp
-    maintenance_tasks (2.6.0)
+    maintenance_tasks (2.7.0)
      actionpack (>= 6.0)
      activejob (>= 6.0)
      activerecord (>= 6.0)
@ -425,7 +429,7 @@ GEM
    marcel (1.0.2)
    matrix (0.4.2)
    memory_profiler (1.0.1)
-    method_source (1.0.0)
+    method_source (1.1.0)
    mime-types (3.5.2)
      mime-types-data (~> 3.2015)
    mime-types-data (3.2024.0206)
@ -433,8 +437,8 @@ GEM
      rake
    mini_magick (4.12.0)
    mini_mime (1.1.5)
-    mini_portile2 (2.8.5)
-    minitest (5.22.2)
+    mini_portile2 (2.8.6)
+    minitest (5.22.3)
    msgpack (1.7.2)
    multi_json (1.15.0)
    mustermann (3.0.0)
@ -450,8 +454,8 @@ GEM
      timeout
    net-smtp (0.4.0.1)
      net-protocol
-    nio4r (2.7.0)
-    nokogiri (1.16.2)
+    nio4r (2.7.1)
+    nokogiri (1.16.4)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    openid_connect (2.3.0)
@ -474,8 +478,8 @@ GEM
      ast (~> 2.4.1)
      racc
    pdf-core (0.9.0)
-    pg (1.5.4)
-    phonelib (0.8.7)
+    pg (1.5.6)
+    phonelib (0.8.8)
    prawn (2.4.0)
      pdf-core (~> 0.9.0)
      ttfunk (~> 1.7)
@ -493,17 +497,18 @@ GEM
      actionmailer (>= 3)
      net-smtp
      premailer (~> 1.7, >= 1.7.9)
+    prometheus-client (4.2.2)
    promise.rb (0.7.4)
    psych (5.1.2)
      stringio
-    public_suffix (5.0.4)
+    public_suffix (5.0.5)
    puma (6.4.2)
      nio4r (~> 2.0)
    pundit (2.3.1)
      activesupport (>= 3.0.0)
    raabro (1.4.0)
    racc (1.7.3)
-    rack (2.2.8.1)
+    rack (2.2.9)
    rack-attack (6.7.0)
      rack (>= 1.0, < 4)
    rack-mini-profiler (3.3.1)
@ -555,9 +560,12 @@ GEM
    rails-html-sanitizer (1.6.0)
      loofah (~> 2.21)
      nokogiri (~> 1.14)
-    rails-i18n (7.0.8)
+    rails-i18n (7.0.9)
      i18n (>= 0.7, < 2)
      railties (>= 6.0.0, < 8)
+    rails-pg-extras (5.3.1)
+      rails
+      ruby-pg-extras (= 5.3.1)
    railties (7.0.8.1)
      actionpack (= 7.0.8.1)
      activesupport (= 7.0.8.1)
@ -566,20 +574,20 @@ GEM
      thor (~> 1.0)
      zeitwerk (~> 2.5)
    rainbow (3.1.1)
-    rake (13.1.0)
+    rake (13.2.1)
    rake-progressbar (0.0.5)
    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
-    rdoc (6.6.2)
+    rdoc (6.6.3.1)
      psych (>= 4.0.0)
    redcarpet (3.6.0)
-    redis (5.1.0)
-      redis-client (>= 0.17.0)
-    redis-client (0.20.0)
+    redis (5.2.0)
+      redis-client (>= 0.22.0)
+    redis-client (0.22.1)
      connection_pool
    regexp_parser (2.9.0)
-    reline (0.4.2)
+    reline (0.5.3)
      io-console (~> 0.5)
    request_store (1.5.1)
      rack (>= 1.4)
@ -604,20 +612,20 @@ GEM
    rspec-mocks (3.13.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (6.1.1)
+    rspec-rails (6.1.2)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
      railties (>= 6.1)
-      rspec-core (~> 3.12)
-      rspec-expectations (~> 3.12)
-      rspec-mocks (~> 3.12)
-      rspec-support (~> 3.12)
+      rspec-core (~> 3.13)
+      rspec-expectations (~> 3.13)
+      rspec-mocks (~> 3.13)
+      rspec-support (~> 3.13)
    rspec-retry (0.6.2)
      rspec-core (> 3.3)
-    rspec-support (3.13.0)
+    rspec-support (3.13.1)
    rspec_junit_formatter (0.6.0)
      rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (1.60.2)
+    rubocop (1.63.3)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
@ -625,29 +633,36 @@ GEM
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.30.0, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.30.0)
-      parser (>= 3.2.1.0)
+    rubocop-ast (1.31.2)
+      parser (>= 3.3.0.4)
    rubocop-capybara (2.20.0)
      rubocop (~> 1.41)
    rubocop-factory_bot (2.25.1)
      rubocop (~> 1.41)
-    rubocop-performance (1.20.2)
+    rubocop-performance (1.21.0)
      rubocop (>= 1.48.1, < 2.0)
-      rubocop-ast (>= 1.30.0, < 2.0)
-    rubocop-rails (2.23.1)
+      rubocop-ast (>= 1.31.1, < 2.0)
+    rubocop-rails (2.24.1)
      activesupport (>= 4.2.0)
      rack (>= 1.1)
      rubocop (>= 1.33.0, < 2.0)
-      rubocop-ast (>= 1.30.0, < 2.0)
-    rubocop-rspec (2.26.1)
+      rubocop-ast (>= 1.31.1, < 2.0)
+    rubocop-rspec (2.29.1)
      rubocop (~> 1.40)
      rubocop-capybara (~> 2.17)
      rubocop-factory_bot (~> 2.22)
+      rubocop-rspec_rails (~> 2.28)
+    rubocop-rspec_rails (2.28.3)
+      rubocop (~> 1.40)
    ruby-graphviz (1.2.5)
      rexml
+    ruby-next-core (1.0.2)
+    ruby-pg-extras (5.3.1)
+      pg
+      terminal-table
    ruby-progressbar (1.13.0)
    ruby-vips (2.2.0)
      ffi (~> 1.12)
@ -678,38 +693,52 @@ GEM
    scss_lint (0.60.0)
      sass (~> 3.5, >= 3.5.5)
    selectize-rails (0.12.6)
-    selenium-devtools (0.121.0)
+    selenium-devtools (0.123.0)
      selenium-webdriver (~> 4.2)
-    selenium-webdriver (4.17.0)
+    selenium-webdriver (4.19.0)
      base64 (~> 0.2)
      rexml (~> 3.2, >= 3.2.5)
      rubyzip (>= 1.2.2, < 3.0)
      websocket (~> 1.0)
-    sentry-delayed_job (5.16.1)
+    sentry-delayed_job (5.17.3)
      delayed_job (>= 4.0)
-      sentry-ruby (~> 5.16.1)
-    sentry-rails (5.16.1)
+      sentry-ruby (~> 5.17.3)
+    sentry-rails (5.17.3)
      railties (>= 5.0)
-      sentry-ruby (~> 5.16.1)
-    sentry-ruby (5.16.1)
+      sentry-ruby (~> 5.17.3)
+    sentry-ruby (5.17.3)
+      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.0.2)
-    sentry-sidekiq (5.16.1)
-      sentry-ruby (~> 5.16.1)
+    sentry-sidekiq (5.17.3)
+      sentry-ruby (~> 5.17.3)
      sidekiq (>= 3.0)
-    shoulda-matchers (6.1.0)
+    shoulda-matchers (6.2.0)
      activesupport (>= 5.2.0)
    sib-api-v3-sdk (9.1.0)
      addressable (~> 2.3, >= 2.3.0)
      json (~> 2.1, >= 2.1.0)
      typhoeus (~> 1.0, >= 1.0.1)
-    sidekiq (7.2.1)
+    sidekiq (7.2.2)
      concurrent-ruby (< 2)
      connection_pool (>= 2.3.0)
      rack (>= 2.2.4)
      redis-client (>= 0.19.0)
+    sidekiq-cron (1.12.0)
+      fugit (~> 1.8)
+      globalid (>= 1.0.1)
+      sidekiq (>= 6)
    simple_xlsx_reader (1.0.4)
      nokogiri
      rubyzip
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-cobertura (2.1.0)
+      rexml
+      simplecov (~> 0.19)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.4)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
    sinatra (3.2.0)
@ -717,13 +746,13 @@ GEM
      rack (~> 2.2, >= 2.2.4)
      rack-protection (= 3.2.0)
      tilt (~> 2.0)
-    skylight (6.0.3)
+    skylight (6.0.4)
      activesupport (>= 5.2.0)
    smart_properties (1.17.0)
    spreadsheet_architect (5.0.0)
      caxlsx (>= 3.3.0, < 4)
      rodf (>= 1.0.0, < 2)
-    spring (4.1.3)
+    spring (4.2.1)
    spring-commands-rspec (1.0.4)
      spring (>= 0.9.1)
    sprockets (4.2.1)
@ -735,24 +764,26 @@ GEM
      sprockets (>= 3.0.0)
    stackprof (0.2.26)
    stringio (3.1.0)
-    strong_migrations (1.7.0)
+    strong_migrations (1.8.0)
      activerecord (>= 5.2)
    swd (2.0.3)
      activesupport (>= 3)
      attr_required (>= 0.0.5)
      faraday (~> 2.0)
      faraday-follow_redirects
+    sys-proctable (1.3.0)
+      ffi (~> 1.1)
    sysexits (1.2.0)
    temple (0.8.2)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
-    thor (1.3.0)
+    thor (1.3.1)
    thread_safe (0.3.6)
    tilt (2.3.0)
    timecop (0.9.8)
    timeout (0.4.1)
    ttfunk (1.7.0)
-    turbo-rails (2.0.2)
+    turbo-rails (2.0.5)
      actionpack (>= 6.0.0)
      activejob (>= 6.0.0)
      railties (>= 6.0.0)
@ -770,7 +801,7 @@ GEM
      activemodel (>= 3.0.0)
      public_suffix
    vcr (6.2.0)
-    view_component (3.10.0)
+    view_component (3.12.1)
      activesupport (>= 5.2.0, < 8.0)
      concurrent-ruby (~> 1.0)
      method_source (~> 1.0)
@ -796,10 +827,11 @@ GEM
      activesupport
      faraday (~> 2.0)
      faraday-follow_redirects
-    webmock (3.20.0)
+    webmock (3.23.0)
      addressable (>= 2.8.0)
      crack (>= 0.3.2)
      hashdiff (>= 0.4.0, < 2.0.0)
+    webrick (1.8.1)
    websocket (1.2.10)
    websocket-driver (0.7.6)
      websocket-extensions (>= 0.1.0)
@ -813,6 +845,30 @@ GEM
      nokogiri (~> 1.11)
    xpath (3.2.0)
      nokogiri (~> 1.8)
+    yabeda (0.12.0)
+      anyway_config (>= 1.0, < 3)
+      concurrent-ruby
+      dry-initializer
+    yabeda-graphql (0.2.3)
+      graphql (>= 1.9, < 3)
+      yabeda (~> 0.2)
+    yabeda-prometheus (0.9.1)
+      prometheus-client (>= 3.0, < 5.0)
+      rack
+      yabeda (~> 0.10)
+    yabeda-puma-plugin (0.7.1)
+      json
+      puma
+      yabeda (~> 0.5)
+    yabeda-rails (0.9.0)
+      activesupport
+      anyway_config (>= 1.3, < 3)
+      railties
+      yabeda (~> 0.8)
+    yabeda-sidekiq (0.12.0)
+      anyway_config (>= 1.3, < 3)
+      sidekiq
+      yabeda (~> 0.6)
    zeitwerk (2.6.13)
    zip_tricks (5.6.0)
    zipline (1.5.0)
@ -833,6 +889,7 @@ DEPENDENCIES
  addressable
  administrate
  administrate-field-enum
+  after_commit_everywhere
  after_party
  ancestry
  anchored
@ -854,7 +911,7 @@ DEPENDENCIES
  delayed_cron_job
  delayed_job_active_record
  delayed_job_web
-  devise!
+  devise
  devise-i18n
  devise-two-factor
  discard
@ -918,6 +975,7 @@ DEPENDENCIES
  rails-controller-testing
  rails-erd
  rails-i18n
+  rails-pg-extras
  rake-progressbar
  redcarpet
  redis
@ -942,13 +1000,17 @@ DEPENDENCIES
  shoulda-matchers
  sib-api-v3-sdk
  sidekiq
+  sidekiq-cron
  simple_xlsx_reader
+  simplecov
+  simplecov-cobertura
  skylight
  spreadsheet_architect
  spring
  spring-commands-rspec
  stackprof
  strong_migrations
+  sys-proctable
  timecop
  turbo-rails
  typhoeus
@ -959,8 +1021,14 @@ DEPENDENCIES
  warden
  web-console
  webmock
+  webrick
+  yabeda-graphql
+  yabeda-prometheus
+  yabeda-puma-plugin
+  yabeda-rails
+  yabeda-sidekiq
  zipline
  zxcvbn-ruby

 BUNDLED WITH
-   2.5.4
+   2.5.9
--- a/machines/compute01/ds-fr/package/rubyEnv/gemset.nix
+++ b/machines/compute01/ds-fr/package/rubyEnv/gemset.nix
@ -330,6 +330,20 @@
    };
    version = "1.1.0";
  };
+  after_commit_everywhere = {
+    dependencies = [
+      "activerecord"
+      "activesupport"
+    ];
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "18hq21w6v36i615pi81960cjj0h7vrnpp54qbbk6gsz44g8rpd3y";
+      type = "gem";
+    };
+    version = "1.4.0";
+  };
  after_party = {
    groups = [ "default" ];
    platforms = [ ];
@ -361,6 +375,17 @@
    };
    version = "1.1.0";
  };
+  anyway_config = {
+    dependencies = [ "ruby-next-core" ];
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "10bnmxr4wfkqc35m2d1l9apw23g9v21b0sfgq0z3afczblz6415f";
+      type = "gem";
+    };
+    version = "2.6.3";
+  };
  ast = {
    groups = [
      "default"
@ -493,10 +518,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "00db5v09k1z3539g1zrk7vkjrln9967k08adh6qx33ng97a2gg5w";
+      sha256 = "0cq1c29zbkcxgdihqisirhcw76xc768z2zpd5vbccpq0l1lv76g7";
      type = "gem";
    };
-    version = "3.1.6";
+    version = "3.1.7";
  };
  bindata = {
    groups = [ "default" ];
@ -657,10 +682,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1wnqscsnwjs809q33v3hmcr7isv35022bwd002mwviy5ic29dw32";
+      sha256 = "14vir1240ynwmad0a0qrklx8m7kzvayd2jwi51xh3hnlf529iicn";
      type = "gem";
    };
-    version = "5.0.5";
+    version = "5.0.6";
  };
  choice = {
    groups = [
@ -897,13 +922,11 @@
    groups = [ "default" ];
    platforms = [ ];
    source = {
-      fetchSubmodules = false;
-      rev = "edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1";
-      sha256 = "1vlcyp6qng7ws4gaw51rz6dhxwldryvfm6fsk33gf7drm7xvr5qf";
-      type = "git";
-      url = "https://github.com/heartcombo/devise.git";
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "1y57fpcvy1kjd4nb7zk7mvzq62wqcpfynrgblj558k3hbvz4404j";
+      type = "gem";
    };
-    version = "4.9.3";
+    version = "4.9.4";
  };
  devise-i18n = {
    dependencies = [ "devise" ];
@ -957,6 +980,19 @@
    };
    version = "1.3.0";
  };
+  docile = {
+    groups = [
+      "default"
+      "test"
+    ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "1lxqxgq71rqwj1lpl9q1mbhhhhhhdkkj7my341f2889pwayk85sz";
+      type = "gem";
+    };
+    version = "1.4.0";
+  };
  dotenv = {
    groups = [ "default" ];
    platforms = [ ];
@ -1005,6 +1041,16 @@
    };
    version = "1.0.1";
  };
+  dry-initializer = {
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "1v3dah1r96b10m8xjixmdmymg7dr16wn5715id4vxjkw6vm7s9jd";
+      type = "gem";
+    };
+    version = "3.1.1";
+  };
  dry-monads = {
    dependencies = [
      "concurrent-ruby"
@ -1064,10 +1110,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1d2z4ky2v15dpcz672i2p7lb2nc793dasq3yq3660h2az53kss9v";
+      sha256 = "0r6zylqjfv0xhdxvldr0kgmnglm57nm506pcm6085f0xqa68cvnj";
      type = "gem";
    };
-    version = "1.2.7";
+    version = "1.2.11";
  };
  ethon = {
    dependencies = [ "ffi" ];
@ -1280,10 +1326,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "08fjxnzqvql8mg8wbpddg6fl9lrsp38dwhiyfpfsz550524f2ap9";
+      sha256 = "10m9b2gvwfvmm61000mq7n8q7pk2xkxmizgfydpis66n2ybrhwh5";
      type = "gem";
    };
-    version = "1.9.0";
+    version = "1.10.1";
  };
  geo_coord = {
    groups = [ "default" ];
@ -1672,10 +1718,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1f8wms39b7z83x6pflq2sjh3sikpk0xjh680igbpkp1j3pl0fpx0";
+      sha256 = "17ak21ybbprj9vg0hk8pb1r2yk9vlh50v9bdwh3qvlmpzcvljqq7";
      type = "gem";
    };
-    version = "1.11.2";
+    version = "1.12.0";
  };
  job-iteration = {
    dependencies = [ "activejob" ];
@ -1711,10 +1757,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0r9jmjhg2ly3l736flk7r2al47b5c8cayh0gqkq0yhjqzc9a6zhq";
+      sha256 = "0b4qsi8gay7ncmigr0pnbxyb17y3h8kavdyhsh7nrlqwr35vb60q";
      type = "gem";
    };
-    version = "2.7.1";
+    version = "2.7.2";
  };
  json-jwt = {
    dependencies = [
@ -1736,6 +1782,8 @@
  };
  json_schemer = {
    dependencies = [
+      "base64"
+      "bigdecimal"
      "hana"
      "regexp_parser"
      "simpleidn"
@ -1744,10 +1792,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "02gnz7wajg7f5n67vlswfi8yjvwahypy36z6hrg0qfx3cc3589qg";
+      sha256 = "0gp7zh16wk8qijcp9n4x460a5ks0mhacs0vb2f6rffi3v9k2fg4m";
      type = "gem";
    };
-    version = "2.1.1";
+    version = "2.2.1";
  };
  jsonapi-renderer = {
    groups = [ "default" ];
@ -1760,14 +1808,15 @@
    version = "0.2.2";
  };
  jwt = {
+    dependencies = [ "base64" ];
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "16z11alz13vfc4zs5l3fk6n51n2jw9lskvc4h4prnww0y797qd87";
+      sha256 = "02m3vza49pb9dirwpn8vmzbcypi3fc6l3a9dh253jwm1121g7ajb";
      type = "gem";
    };
-    version = "2.7.1";
+    version = "2.8.1";
  };
  kaminari = {
    dependencies = [
@ -1905,10 +1954,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "13rgkfar8pp31z1aamxf5y7cfq88wv6rxxcwy7cmm177qq508ycn";
+      sha256 = "0rwwsmvq79qwzl6324yc53py02kbrcww35si720490z5w0j497nv";
      type = "gem";
    };
-    version = "3.8.0";
+    version = "3.9.0";
  };
  lograge = {
    dependencies = [
@ -1987,10 +2036,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0ighmn1nnv31bykarkwf0pqgrqab09jxk0xp9hh6zwpfqi7b915n";
+      sha256 = "1jybdhfr6mv4kgq5ph91r06r071jnvzx0lhm3988l1y3wqrdfmq8";
      type = "gem";
    };
-    version = "2.6.0";
+    version = "2.7.0";
  };
  marcel = {
    groups = [ "default" ];
@ -2034,10 +2083,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1pnyh44qycnf9mzi1j6fywd5fkskv3x7nmsqrrws0rjn5dd4ayfp";
+      sha256 = "1igmc3sq9ay90f8xjvfnswd1dybj1s3fi0dwd53inwsvqk4h24qq";
      type = "gem";
    };
-    version = "1.0.0";
+    version = "1.1.0";
  };
  mime-types = {
    dependencies = [ "mime-types-data" ];
@ -2107,10 +2156,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1kl9c3kdchjabrihdqfmcplk3lq4cw1rr9f378y6q22qwy5dndvs";
+      sha256 = "149r94xi6b3jbp6bv72f8383b95ndn0p5sxnq11gs1j9jadv0ajf";
      type = "gem";
    };
-    version = "2.8.5";
+    version = "2.8.6";
  };
  minitest = {
    groups = [
@ -2121,10 +2170,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0667vf0zglacry87nkcl3ns8421aydvz71vfa3g3yjhiq8zh19f5";
+      sha256 = "07lq26b86giy3ha3fhrywk9r1ajhc2pm2mzj657jnpnbj1i6g17a";
      type = "gem";
    };
-    version = "5.22.2";
+    version = "5.22.3";
  };
  msgpack = {
    groups = [ "default" ];
@ -2236,10 +2285,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0xkjz56qc7hl7zy7i7bhiyw5pl85wwjsa4p70rj6s958xj2sd1lm";
+      sha256 = "15iwbiij52x6jhdbl0rkcldnhfndmsy0sbnsygkr9vhskfqrp72m";
      type = "gem";
    };
-    version = "2.7.0";
+    version = "2.7.1";
  };
  nokogiri = {
    dependencies = [
@ -2254,10 +2303,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "173zavvxlwyi48lfskk48wcrdbkvjlhjhvy4jpcrfx72rpjjx4k8";
+      sha256 = "0i8g0i370jhn2sclml0bg9qlrgf4csi6sy7czbhx8kjbl71idhb2";
      type = "gem";
    };
-    version = "1.16.2";
+    version = "1.16.4";
  };
  openid_connect = {
    dependencies = [
@ -2348,20 +2397,20 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0pfj771p5a29yyyw58qacks464sl86d5m3jxjl5rlqqw2m3v5xq4";
+      sha256 = "071b55bhsz7mivlnp2kv0a11msnl7xg5awvk8mlflpl270javhsb";
      type = "gem";
    };
-    version = "1.5.4";
+    version = "1.5.6";
  };
  phonelib = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1d97488hh70n56gdyra1ajynfp36fp1ca1hy55dghf52vklyjgac";
+      sha256 = "1ish2nzp5jz9xw80npgc5gqsr9krc50wk3irfj71hkw4iccjdn62";
      type = "gem";
    };
-    version = "0.8.7";
+    version = "0.8.8";
  };
  prawn = {
    dependencies = [
@ -2433,6 +2482,16 @@
    };
    version = "1.12.0";
  };
+  prometheus-client = {
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "1zw39rp3b6jhm9273giv119lkgqvllisxb98k7vfx7367birbqcm";
+      type = "gem";
+    };
+    version = "4.2.2";
+  };
  "promise.rb" = {
    groups = [ "default" ];
    platforms = [ ];
@ -2467,10 +2526,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1bni4qjrsh2q49pnmmd6if4iv3ak36bd2cckrs6npl111n769k9m";
+      sha256 = "14y4vzjwf5gp0mqgs880kis0k7n2biq8i6ci6q2n315kichl1hvj";
      type = "gem";
    };
-    version = "5.0.4";
+    version = "5.0.5";
  };
  puma = {
    dependencies = [ "nio4r" ];
@ -2527,10 +2586,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "10mpk0hl6hnv324fp1pfimi2nw9acj0z4gyhrph36qg84pk1s4m7";
+      sha256 = "0hj0rkw2z9r1lcg2wlrcld2n3phwrcgqcp7qd1g9a7hwgalh2qzx";
      type = "gem";
    };
-    version = "2.2.8.1";
+    version = "2.2.9";
  };
  rack-attack = {
    dependencies = [ "rack" ];
@ -2727,10 +2786,24 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1k8jvm3l4gafw7hyvpky7yzjjnkr3iy7l59lyam8ah3kqhmzk7zf";
+      sha256 = "0s8kvic2ia34ngssz6h15wqj0k3wwblhyh0f9v0j3gy7ly0dp161";
      type = "gem";
    };
-    version = "7.0.8";
+    version = "7.0.9";
+  };
+  rails-pg-extras = {
+    dependencies = [
+      "rails"
+      "ruby-pg-extras"
+    ];
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "0sn9xi3qxs96vwg4adiks0p62x3lng10i254q8yijfm4hpdmlihl";
+      type = "gem";
+    };
+    version = "5.3.1";
  };
  railties = {
    dependencies = [
@ -2776,10 +2849,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1ilr853hawi09626axx0mps4rkkmxcs54mapz9jnqvpnlwd3wsmy";
+      sha256 = "17850wcwkgi30p7yqh60960ypn7yibacjjha0av78zaxwvd3ijs6";
      type = "gem";
    };
-    version = "13.1.0";
+    version = "13.2.1";
  };
  rake-progressbar = {
    groups = [ "default" ];
@ -2828,10 +2901,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "14wnrpd1kl43ynk1wwwgv9avsw84d1lrvlfyrjy3d4h7h7ndnqzp";
+      sha256 = "0ib3cnf4yllvw070gr4bz94sbmqx3haqc5f846fsvdcs494vgxrr";
      type = "gem";
    };
-    version = "6.6.2";
+    version = "6.6.3.1";
  };
  redcarpet = {
    groups = [ "default" ];
@ -2849,10 +2922,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1yv9z3cch7aay3rs2iildk7jnvhijhwyyxvcn2nfdn6yp9vn7kxz";
+      sha256 = "1d1ng78dwbzgfg1sljf9bnx2km5y3p3jc42a9npwcrmiard9fsrk";
      type = "gem";
    };
-    version = "5.1.0";
+    version = "5.2.0";
  };
  redis-client = {
    dependencies = [ "connection_pool" ];
@ -2860,10 +2933,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "136wddl18jl7zmlcigpf83fvfdmp369rhhc65n6jrdphwj7w76i3";
+      sha256 = "0zhh37gdchzip97z1c6al0bx9m017gfm21n2kl31gy435s0v64dl";
      type = "gem";
    };
-    version = "0.20.0";
+    version = "0.22.1";
  };
  regexp_parser = {
    groups = [
@ -2889,10 +2962,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0fhwdmw89zqb1fdxcd6lr57zabbfi08z8j6kqwngak0xnxi2j10l";
+      sha256 = "0d90nhsqvzp576dsz622fcz0r4zj9hvqlvb6y00f20zx3mx78iic";
      type = "gem";
    };
-    version = "0.4.2";
+    version = "0.5.3";
  };
  request_store = {
    dependencies = [ "rack" ];
@ -3059,10 +3132,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1clmx6qzdbpm1g8ycg38gjbqsbr8ccqi6hqyx88g8yckz1hrx55x";
+      sha256 = "02wr7fl189p1lnpaylz48dlp1n5y763w92gk59s0345hwfr4m1q2";
      type = "gem";
    };
-    version = "6.1.1";
+    version = "6.1.2";
  };
  rspec-retry = {
    dependencies = [ "rspec-core" ];
@ -3084,10 +3157,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0msjfw99dkbvmviv3wsid4k9h1prdgq7pnm52dcyf362p19mywhf";
+      sha256 = "03z7gpqz5xkw9rf53835pa8a9vgj4lic54rnix9vfwmp2m7pv1s8";
      type = "gem";
    };
-    version = "3.13.0";
+    version = "3.13.1";
  };
  rspec_junit_formatter = {
    dependencies = [ "rspec-core" ];
@ -3117,10 +3190,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0v67rgbhzanbf02fy5xasaxgmhxghlqb2cxjvbplinm2zfzs0380";
+      sha256 = "0i2zimjixmjs6r88mgpklj6kdxq63a24mjvvphhbnbwgclb1z8qp";
      type = "gem";
    };
-    version = "1.60.2";
+    version = "1.63.3";
  };
  rubocop-ast = {
    dependencies = [ "parser" ];
@ -3131,10 +3204,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1cs9cc5p9q70valk4na3lki4xs88b52486p2v46yx3q1n5969bgs";
+      sha256 = "1v3q8n48w8h809rqbgzihkikr4g3xk72m1na7s97jdsmjjq6y83w";
      type = "gem";
    };
-    version = "1.30.0";
+    version = "1.31.2";
  };
  rubocop-capybara = {
    dependencies = [ "rubocop" ];
@ -3173,10 +3246,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0cf7fn4dwf45r3nhnda0dhnwn8qghswyqbfxr2ippb3z8a6gmc8v";
+      sha256 = "16jayzjaaglhx69s6b83acpdzcxxccfkcn69gfpkimf2j64zlm7c";
      type = "gem";
    };
-    version = "1.20.2";
+    version = "1.21.0";
  };
  rubocop-rails = {
    dependencies = [
@ -3189,25 +3262,40 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1id396xvixh5w19bjsli477mn4dr48ff8n1243d2z0y4zr1ld52h";
+      sha256 = "06dcxrr71sn0kkw8fwh0w884zbig2ilxpkl66s7lcis9jmkggv83";
      type = "gem";
    };
-    version = "2.23.1";
+    version = "2.24.1";
  };
  rubocop-rspec = {
    dependencies = [
      "rubocop"
      "rubocop-capybara"
      "rubocop-factory_bot"
+      "rubocop-rspec_rails"
    ];
    groups = [ "development" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0n24wy34shczlr5fnim7vcbrgvs0hffzw89n06fxziim9iws406s";
+      sha256 = "04rfx0f0ns3vfz16fvbxgc9ivjh6gkpqfdi0qsg3grq660dfhkjk";
      type = "gem";
    };
-    version = "2.26.1";
+    version = "2.29.1";
+  };
+  rubocop-rspec_rails = {
+    dependencies = [ "rubocop" ];
+    groups = [
+      "default"
+      "development"
+    ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "0618lfncmvnvkwa1jb0kga1f2yiiw1809flkj4kg52nagh3z4scp";
+      type = "gem";
+    };
+    version = "2.28.3";
  };
  ruby-graphviz = {
    dependencies = [ "rexml" ];
@ -3223,6 +3311,30 @@
    };
    version = "1.2.5";
  };
+  ruby-next-core = {
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "0vxgamkq4crciyz9lb3vkblzqp6c6wxw9p4ahzqdgk5gy4xikc24";
+      type = "gem";
+    };
+    version = "1.0.2";
+  };
+  ruby-pg-extras = {
+    dependencies = [
+      "pg"
+      "terminal-table"
+    ];
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "1brz8c167ljb1jbv4b0a20nzj12ahk9cf94n6lxri054w7i6hh0x";
+      type = "gem";
+    };
+    version = "5.3.1";
+  };
  ruby-progressbar = {
    groups = [
      "default"
@ -3388,10 +3500,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1l2qf5w0bk01s50gzx8clzw4zchff9a01kk2s8fnpz65g7rgh4g9";
+      sha256 = "0fxhkxpczqg4f7gxdyvc6ccxy9hppnwl3ih03p42f6hbfy5q1x64";
      type = "gem";
    };
-    version = "0.121.0";
+    version = "0.123.0";
  };
  selenium-webdriver = {
    dependencies = [
@ -3404,10 +3516,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0g3l3invk95w1f72mpp0r4hc3vsc3070c1xd1wg76kfg2r182xnq";
+      sha256 = "0rjh9s5x7jqaxjfcz2m3hphhlajk9nxs6wdsnia62iba07bd32sc";
      type = "gem";
    };
-    version = "4.17.0";
+    version = "4.19.0";
  };
  sentry-delayed_job = {
    dependencies = [
@ -3418,10 +3530,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1rbhzb3nmrs5lrfmcshrg5wp9liblc14m63ljxb12nc4w5fnnwf8";
+      sha256 = "1bnglhd7cvy5y0kr50w4bgs89y72ym6zlgp751g2y50dp4ydl540";
      type = "gem";
    };
-    version = "5.16.1";
+    version = "5.17.3";
  };
  sentry-rails = {
    dependencies = [
@ -3432,21 +3544,24 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "16jyjm0rcj1y175bjmj6bhf7dclp5yw5dh1fna0xy4r07ysq864g";
+      sha256 = "0ncl8br0k6fas4n6c4xw4wr59kq5s2liqn1s4790m73k5p272xq1";
      type = "gem";
    };
-    version = "5.16.1";
+    version = "5.17.3";
  };
  sentry-ruby = {
-    dependencies = [ "concurrent-ruby" ];
+    dependencies = [
+      "bigdecimal"
+      "concurrent-ruby"
+    ];
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0fsqs1f7nb4y45qwlg14hz155r4pf8ny3j8gzpxlqafpd3dz2zkn";
+      sha256 = "1z5v5zzasy04hbgxbj9n8bb39ayllvps3snfgbc5rydh1d5ilyb1";
      type = "gem";
    };
-    version = "5.16.1";
+    version = "5.17.3";
  };
  sentry-sidekiq = {
    dependencies = [
@ -3457,10 +3572,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0ksmn3ca3rrdd33azmiprbd4hrcw3fr7hiya60sqp9apg6ir36v3";
+      sha256 = "0n1cr9g15hp08jsqabprd6q34ap61r71f33x28w1xr4ri4hllwfh";
      type = "gem";
    };
-    version = "5.16.1";
+    version = "5.17.3";
  };
  shoulda-matchers = {
    dependencies = [ "activesupport" ];
@ -3468,10 +3583,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1p83ca48h812h5gksw2q0x5289jsc4c417f8s6w9d4a12jzw86zi";
+      sha256 = "1pfq0w167v4055k0km64sxik1qslhsi32wl2jlidmfzkqmcw00m7";
      type = "gem";
    };
-    version = "6.1.0";
+    version = "6.2.0";
  };
  sib-api-v3-sdk = {
    dependencies = [
@ -3499,10 +3614,25 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "057vw807x98r4xmhyv2m2rxa8qqxr7ysn7asp5hmdvn9sa9kkm3c";
+      sha256 = "18ykb35ab3fsg6jj8h7kb3kbba41sls4nvwn6vxb731iyh10v4h9";
      type = "gem";
    };
-    version = "7.2.1";
+    version = "7.2.2";
+  };
+  sidekiq-cron = {
+    dependencies = [
+      "fugit"
+      "globalid"
+      "sidekiq"
+    ];
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "0v09lg8kza19jmigqv5hx2ibhm75j6pa639sfy4bv2208l50hqv6";
+      type = "gem";
+    };
+    version = "1.12.0";
  };
  simple_xlsx_reader = {
    dependencies = [
@ -3521,6 +3651,61 @@
    };
    version = "1.0.4";
  };
+  simplecov = {
+    dependencies = [
+      "docile"
+      "simplecov-html"
+      "simplecov_json_formatter"
+    ];
+    groups = [ "test" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "198kcbrjxhhzca19yrdcd6jjj9sb51aaic3b0sc3pwjghg3j49py";
+      type = "gem";
+    };
+    version = "0.22.0";
+  };
+  simplecov-cobertura = {
+    dependencies = [
+      "rexml"
+      "simplecov"
+    ];
+    groups = [ "test" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "00izmp202y48qvmvwrh5x56cc5ivbjhgkkkjklvqmqzj9pik4r9c";
+      type = "gem";
+    };
+    version = "2.1.0";
+  };
+  simplecov-html = {
+    groups = [
+      "default"
+      "test"
+    ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "0yx01bxa8pbf9ip4hagqkp5m0mqfnwnw2xk8kjraiywz4lrss6jb";
+      type = "gem";
+    };
+    version = "0.12.3";
+  };
+  simplecov_json_formatter = {
+    groups = [
+      "default"
+      "test"
+    ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "0a5l0733hj7sk51j81ykfmlk2vd5vaijlq9d5fn165yyx3xii52j";
+      type = "gem";
+    };
+    version = "0.1.4";
+  };
  simpleidn = {
    dependencies = [ "unf" ];
    groups = [ "default" ];
@ -3554,10 +3739,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0607y37q3lc748ld6w5qhp9kcj1h2vi5026hsg30vb6dsdrpcyy6";
+      sha256 = "035xplxkr21z73c7mzfaj7ak438w2j63118724s53fbnv8rrw790";
      type = "gem";
    };
-    version = "6.0.3";
+    version = "6.0.4";
  };
  smart_properties = {
    groups = [ "default" ];
@ -3591,10 +3776,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0dqpd70xcaxsa8m8zd6rq464dfczy1rm086bascv9c5b7qnn2yyp";
+      sha256 = "1bm5w3mp597vy0cjwx609k3jdh5zik36ffmna7hchrn9g96s45w5";
      type = "gem";
    };
-    version = "4.1.3";
+    version = "4.2.1";
  };
  spring-commands-rspec = {
    dependencies = [ "spring" ];
@ -3669,10 +3854,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1742r643p4nigjj45gjjmgl3d9i5ja7klda0bhmxp02ay971c3n6";
+      sha256 = "0p9g8jqcakpwmbs6f77ydmbiwbgx9c5nr6jgwxh4xx6xpig1bphq";
      type = "gem";
    };
-    version = "1.7.0";
+    version = "1.8.0";
  };
  swd = {
    dependencies = [
@ -3690,6 +3875,17 @@
    };
    version = "2.0.3";
  };
+  sys-proctable = {
+    dependencies = [ "ffi" ];
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "0m3fj6j1qpfszqnsvr6wpak0d9vw5ggylaqkalhl3m50kbbimxii";
+      type = "gem";
+    };
+    version = "1.3.0";
+  };
  sysexits = {
    groups = [
      "default"
@ -3736,10 +3932,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1hx77jxkrwi66yvs10wfxqa8s25ds25ywgrrf66acm9nbfg7zp0s";
+      sha256 = "1vq1fjp45az9hfp6fxljhdrkv75cvbab1jfrwcw738pnsiqk8zps";
      type = "gem";
    };
-    version = "1.3.0";
+    version = "1.3.1";
  };
  thread_safe = {
    groups = [
@ -3811,10 +4007,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "1vgz0y5ilnpgj3id9y5rshnq1hyhhjh4pjzb0hs9fv0p8kps4k07";
+      sha256 = "0ab2fr50fdzhpjlp78c17xmrd59ab32c55vrjd94wwr4khs7bxyf";
      type = "gem";
    };
-    version = "2.0.2";
+    version = "2.0.5";
  };
  typhoeus = {
    dependencies = [ "ethon" ];
@ -3930,10 +4126,10 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "12sm1z0lk7rhrd18i4d5zhlj4d142rsw3arpdf9nx3hpflx8ib4j";
+      sha256 = "12xi88jvx49p15nx2168wm0r00g90mb4cxzzsjxz92akjk92mkpj";
      type = "gem";
    };
-    version = "3.10.0";
+    version = "3.12.1";
  };
  virtus = {
    dependencies = [
@ -4034,10 +4230,20 @@
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
-      sha256 = "0rc3g9hhxi6v2l1cp9q3kcjd92bhmdbrb517l4v5pyzwq2nflcyc";
+      sha256 = "07zk8ljq5kyd1mm9qw3452fcnf7frg3irh9ql8ln2m8zbi1qf1qh";
      type = "gem";
    };
-    version = "3.20.0";
+    version = "3.23.0";
+  };
+  webrick = {
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "13qm7s0gr2pmfcl7dxrmq38asaza4w0i2n9my4yzs499j731wh8r";
+      type = "gem";
+    };
+    version = "1.8.1";
  };
  websocket = {
    groups = [
@ -4114,6 +4320,96 @@
    };
    version = "3.2.0";
  };
+  yabeda = {
+    dependencies = [
+      "anyway_config"
+      "concurrent-ruby"
+      "dry-initializer"
+    ];
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "1185mqhgjzpdxs7s6y424mxrranpk5l5x1w64pwfj226gn07b3qx";
+      type = "gem";
+    };
+    version = "0.12.0";
+  };
+  yabeda-graphql = {
+    dependencies = [
+      "graphql"
+      "yabeda"
+    ];
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "0y422499vbs4m1555yvqrdjyk7bdg16rnj224zaw1b77d8irmrks";
+      type = "gem";
+    };
+    version = "0.2.3";
+  };
+  yabeda-prometheus = {
+    dependencies = [
+      "prometheus-client"
+      "rack"
+      "yabeda"
+    ];
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "1zfmiiv131jwvcb9dx3cnlgrrvcfzbm8ili5gi9fpyygx3580zdq";
+      type = "gem";
+    };
+    version = "0.9.1";
+  };
+  yabeda-puma-plugin = {
+    dependencies = [
+      "json"
+      "puma"
+      "yabeda"
+    ];
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "0yxifgq9m11n73qz9jgxsapqp67ijm5gp6y5jbdvkdcf7c2p47d4";
+      type = "gem";
+    };
+    version = "0.7.1";
+  };
+  yabeda-rails = {
+    dependencies = [
+      "activesupport"
+      "anyway_config"
+      "railties"
+      "yabeda"
+    ];
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "1nl2jpx561mpwdxf63db9yshhwfmg8k72r8d9yxnsic2wahvy4b0";
+      type = "gem";
+    };
+    version = "0.9.0";
+  };
+  yabeda-sidekiq = {
+    dependencies = [
+      "anyway_config"
+      "sidekiq"
+      "yabeda"
+    ];
+    groups = [ "default" ];
+    platforms = [ ];
+    source = {
+      remotes = [ "https://rubygems.org" ];
+      sha256 = "142xrxc3r2l0185jzrn0r9zc6s9x7v87glrf78pi4mkan60y59q4";
+      type = "gem";
+    };
+    version = "0.12.0";
+  };
  zeitwerk = {
    groups = [
      "default"
--- a/machines/compute01/ds-fr/package/update.sh
+++ b/machines/compute01/ds-fr/package/update.sh
@ -26,13 +26,13 @@ done
 CWD=$(pwd)

 TMP=$(mktemp -d)
-cd "$TMP"
+cd "$TMP" || exit 1

 # Fetch the latest source or the required version
 gitUrl="https://github.com/demarches-simplifiees/demarches-simplifiees.fr.git"

 if [ -n "$version" ]; then
-	git clone --depth 1 --branch $version $gitUrl .
+	git clone --depth 1 --branch "$version" $gitUrl .
 else
 	git clone --depth 1 $gitUrl .

@ -48,10 +48,10 @@ cp gemset.nix Gemfile Gemfile.lock "$CWD/rubyEnv/"
 # Print the new source details
 SRC_HASH=$(nix-shell -p nurl --run "nurl --hash $gitUrl $version")

-# Print Yarn deps hash
-hash=$(nix-shell -p prefetch-yarn-deps --run "prefetch-yarn-deps yarn.lock")
+# Switch to bun
+nix-shell -p bun --run "bun install --frozen-lockfile --no-cache --no-progress --ignore-scripts"

-DEPS_HASH=$(nix-hash --to-sri --type sha256 "$hash")
+DEPS_HASH=$(nix-hash --sri --type sha256 node_modules)

 cat <<EOF >"$CWD/meta.nix"
 {
@ -61,6 +61,6 @@ cat <<EOF >"$CWD/meta.nix"
 }
 EOF

-nixfmt "$CWD"
+nix-shell -p nixfmt-rfc-style --run "nixfmt $CWD"

 rm -rf "$TMP"
--- a/machines/compute01/grafana.nix
+++ b/machines/compute01/grafana.nix
@ -69,17 +69,11 @@ in
        }
      ];
    };
+  };

-    nginx.virtualHosts.${host} = {
-      enableACME = true;
-      forceSSL = true;
-
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString port}";
-        proxyWebsockets = true;
-        recommendedProxySettings = true;
-      };
-    };
+  dgn-web.simpleProxies.grafana = {
+    inherit host port;
+    proxyWebsockets = true;
  };

  age-secrets.autoMatch = [ "grafana" ];
--- a/machines/compute01/hedgedoc.nix
+++ b/machines/compute01/hedgedoc.nix
@ -29,16 +29,6 @@ in
      };
    };

-    nginx.virtualHosts.${host} = {
-      forceSSL = true;
-      enableACME = true;
-
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString port}";
-        proxyWebsockets = true;
-      };
-    };
-
    postgresql = {
      enable = true;

@ -53,6 +43,11 @@ in
    };
  };

+  dgn-web.simpleProxies.hedgedoc = {
+    inherit host port;
+    proxyWebsockets = true;
+  };
+
  systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
    "hedgedoc"
    "hedgedoc/uploads"
--- a/machines/compute01/k-radius/module.nix
+++ b/machines/compute01/k-radius/module.nix
@ -1,196 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-let
-  inherit (lib)
-    mkEnableOption
-    mkIf
-    mkOption
-    types
-    ;
-
-  settingsFormat = pkgs.formats.toml { };
-
-  py-pkgs = import ./packages/python { inherit pkgs; };
-  pykanidm = pkgs.callPackage ./packages/pykanidm.nix { inherit (py-pkgs) pydantic; };
-  rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
-
-  cfg = config.services.k-radius;
-in
-{
-  options.services.k-radius = {
-    enable = mkEnableOption "a freeradius service linked to kanidm.";
-
-    settings = mkOption { inherit (settingsFormat) type; };
-
-    freeradius = mkOption {
-      type = types.package;
-      default = pkgs.freeradius.overrideAttrs (old: {
-        buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
-      });
-    };
-
-    configDir = mkOption {
-      type = types.path;
-      default = "/var/lib/radius/raddb";
-      description = "The path of the freeradius server configuration directory.";
-    };
-
-    authTokenFile = mkOption {
-      type = types.path;
-      description = "File to the auth token for the service account.";
-    };
-
-    radiusClients = mkOption {
-      type = types.attrsOf (
-        types.submodule {
-          options = {
-            secret = mkOption { type = types.path; };
-            ipaddr = mkOption { type = types.str; };
-          };
-        }
-      );
-      default = { };
-      description = "A mapping of clients and their authentication tokens.";
-    };
-
-    certs = {
-      ca = mkOption {
-        type = types.str;
-        description = "The signing CA of the RADIUS certificate.";
-      };
-      dh = mkOption {
-        type = types.str;
-        description = "The output of `openssl dhparam -in ca.pem -out dh.pem 2048`.";
-      };
-      cert = mkOption {
-        type = types.str;
-        description = "The certificate for the RADIUS server.";
-      };
-      key = mkOption {
-        type = types.str;
-        description = "The signing key for the RADIUS certificate.";
-      };
-    };
-
-    privateKeyPasswordFile = mkOption { type = types.path; };
-  };
-
-  config = mkIf cfg.enable {
-    users = {
-      users.radius = {
-        group = "radius";
-        description = "Radius daemon user";
-        isSystemUser = true;
-      };
-
-      groups.radius = { };
-    };
-
-    services.k-radius.settings = {
-      ca_path = cfg.certs.ca;
-
-      radius_cert_path = cfg.certs.cert;
-      radius_key_path = cfg.certs.key;
-      radius_dh_path = cfg.certs.dh;
-      radius_ca_path = cfg.certs.ca;
-    };
-
-    systemd.services.radius = {
-      description = "FreeRadius server";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-      wants = [ "network.target" ];
-
-      preStart = ''
-        cp -R ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
-        cp -R ${rlm_python}/etc/raddb/* ${cfg.configDir}
-
-        chmod -R u+w ${cfg.configDir}
-
-        # disable auth via methods kanidm doesn't support
-        rm ${cfg.configDir}/mods-available/sql
-        rm ${cfg.configDir}/mods-enabled/{passwd,totp}
-
-        # enable the python and cache modules
-        ln -nsf ${cfg.configDir}/mods-available/python3 ${cfg.configDir}/mods-enabled/python3
-        ln -nsf ${cfg.configDir}/sites-available/check-eap-tls ${cfg.configDir}/sites-enabled/check-eap-tls
-
-        # write the clients configuration
-        rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
-        ${builtins.concatStringsSep "\n" (
-          builtins.attrValues (
-            builtins.mapAttrs (
-              name:
-              { secret, ipaddr }:
-              ''
-                cat <<EOF >> ${cfg.configDir}/clients.conf
-                client ${name} {
-                    ipaddr = ${ipaddr}
-                    secret = $(cat "${secret}")
-                    proto  = *
-                }
-                EOF
-              ''
-            ) cfg.radiusClients
-          )
-        )}
-
-        # Copy the kanidm configuration
-        cat <<EOF > /var/lib/radius/kanidm.toml
-        auth_token = "$(cat "${cfg.authTokenFile}")"
-        EOF
-
-        cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml
-        chmod u+w /var/lib/radius/kanidm.toml
-
-        # Copy the certificates to the correct directory
-        rm -rf ${cfg.configDir}/certs && mkdir -p ${cfg.configDir}/certs
-
-        cp ${cfg.certs.ca} ${cfg.configDir}/certs/ca.pem
-
-        ${pkgs.openssl}/bin/openssl rehash ${cfg.configDir}/certs
-
-        cp ${cfg.certs.dh} ${cfg.configDir}/certs/dh.pem
-
-        cat ${cfg.certs.cert} ${cfg.certs.key} > ${cfg.configDir}/certs/server.pem
-
-        # Write the password of the private_key in the eap module
-        sed -i ${cfg.configDir}/mods-available/eap \
-          -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
-
-        # Check the configuration
-        # ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
-      '';
-
-      path = [
-        pkgs.openssl
-        pkgs.gnused
-      ];
-
-      serviceConfig = {
-        ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d ${cfg.configDir} -l stdout";
-        ExecReload = [
-          "${cfg.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
-          "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
-        ];
-        User = "radius";
-        Group = "radius";
-        DynamicUser = true;
-        Restart = "on-failure";
-        RestartSec = 2;
-        LogsDirectory = "radius";
-        StateDirectory = "radius";
-        RuntimeDirectory = "radius";
-        Environment = [
-          "KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
-          "PYTHONPATH=${rlm_python.pythonPath}"
-        ];
-      };
-    };
-  };
-}
--- a/machines/compute01/k-radius/packages/pykanidm.nix
+++ b/machines/compute01/k-radius/packages/pykanidm.nix
@ -1,52 +0,0 @@
-{
-  lib,
-  fetchFromGitHub,
-  python3,
-  pydantic,
-}:
-
-let
-  pname = "kanidm";
-  version = "0.0.3";
-in
-python3.pkgs.buildPythonPackage {
-  inherit pname version;
-  format = "pyproject";
-
-  disabled = python3.pythonOlder "3.8";
-
-  src =
-    (fetchFromGitHub {
-      owner = pname;
-      repo = pname;
-      # Latest 1.1.0-rc.15 tip
-      rev = "a5ca8018e3a636dbb0a79b3fd869db059d92979d";
-      hash = "sha256-PFGoeGn7a/lVR6rOmOKA3ydAoo3/+9RlkwBAKS22Psg=";
-    })
-    + "/pykanidm";
-
-  nativeBuildInputs = with python3.pkgs; [ poetry-core ];
-
-  propagatedBuildInputs = with python3.pkgs; [
-    aiohttp
-    pydantic
-    toml
-    (authlib.overridePythonAttrs (_: {
-      doCheck = false;
-    }))
-  ];
-
-  doCheck = false;
-
-  pythonImportsCheck = [ "kanidm" ];
-
-  meta = with lib; {
-    description = "Kanidm client library";
-    homepage = "https://github.com/kanidm/kanidm/tree/master/pykanidm";
-    license = licenses.mpl20;
-    maintainers = with maintainers; [
-      arianvp
-      hexa
-    ];
-  };
-}
--- a/machines/compute01/k-radius/packages/python/01-remove-benchmark-flags.patch
+++ b/machines/compute01/k-radius/packages/python/01-remove-benchmark-flags.patch
@ -1,18 +0,0 @@
-diff --git a/pyproject.toml b/pyproject.toml
-index 1602e32..507048d 100644
--- a/pyproject.toml
-+++ b/pyproject.toml
-@@ -72,13 +72,6 @@ filterwarnings = [
- ]
- timeout = 30
- xfail_strict = true
-# min, max, mean, stddev, median, iqr, outliers, ops, rounds, iterations
-addopts = [
-    '--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations',
-    '--benchmark-group-by', 'group',
-    '--benchmark-warmup', 'on',
-    '--benchmark-disable',  # this is enable by `make benchmark` when you actually want to run benchmarks
-]
- 
- [tool.coverage.run]
- source = ['pydantic_core']
--- a/machines/compute01/k-radius/packages/python/default.nix
+++ b/machines/compute01/k-radius/packages/python/default.nix
@ -1,20 +0,0 @@
-{ pkgs }:
-
-let
-  inherit (pkgs) lib;
-
-  callPackage = lib.callPackageWith (pkgs // pkgs.python3.pkgs // self);
-
-  self = builtins.listToAttrs (
-    builtins.map
-      (name: {
-        inherit name;
-        value = callPackage (./. + "/${name}.nix") { };
-      })
-      [
-        "pydantic"
-        "pydantic-core"
-      ]
-  );
-in
-self
--- a/machines/compute01/k-radius/packages/python/pydantic-core.nix
+++ b/machines/compute01/k-radius/packages/python/pydantic-core.nix
@ -1,84 +0,0 @@
-{
-  stdenv,
-  lib,
-  buildPythonPackage,
-  fetchFromGitHub,
-  cargo,
-  rustPlatform,
-  rustc,
-  libiconv,
-  typing-extensions,
-  pytestCheckHook,
-  hypothesis,
-  pytest-timeout,
-  pytest-mock,
-  dirty-equals,
-}:
-
-let
-  pydantic-core = buildPythonPackage rec {
-    pname = "pydantic-core";
-    version = "2.14.5";
-    format = "pyproject";
-
-    src = fetchFromGitHub {
-      owner = "pydantic";
-      repo = "pydantic-core";
-      rev = "refs/tags/v${version}";
-      hash = "sha256-UguZpA3KEutOgIavjx8Ie//0qJq+4FTZNQTwb/ZIgb8=";
-    };
-
-    patches = [ ./01-remove-benchmark-flags.patch ];
-
-    cargoDeps = rustPlatform.fetchCargoTarball {
-      inherit src;
-      name = "${pname}-${version}";
-      hash = "sha256-mMgw922QjHmk0yimXfolLNiYZntTsGydQywe7PTNnwc=";
-    };
-
-    nativeBuildInputs = [
-      cargo
-      rustPlatform.cargoSetupHook
-      rustPlatform.maturinBuildHook
-      rustc
-      typing-extensions
-    ];
-
-    buildInputs = lib.optionals stdenv.isDarwin [ libiconv ];
-
-    propagatedBuildInputs = [ typing-extensions ];
-
-    pythonImportsCheck = [ "pydantic_core" ];
-
-    # escape infinite recursion with pydantic via dirty-equals
-    doCheck = false;
-    passthru.tests.pytest = pydantic-core.overrideAttrs { doCheck = true; };
-
-    nativeCheckInputs = [
-      pytestCheckHook
-      hypothesis
-      pytest-timeout
-      dirty-equals
-      pytest-mock
-    ];
-
-    disabledTests = [
-      # RecursionError: maximum recursion depth exceeded while calling a Python object
-      "test_recursive"
-    ];
-
-    disabledTestPaths = [
-      # no point in benchmarking in nixpkgs build farm
-      "tests/benchmarks"
-    ];
-
-    meta = with lib; {
-      changelog = "https://github.com/pydantic/pydantic-core/releases/tag/v${version}";
-      description = "Core validation logic for pydantic written in rust";
-      homepage = "https://github.com/pydantic/pydantic-core";
-      license = licenses.mit;
-      maintainers = with maintainers; [ blaggacao ];
-    };
-  };
-in
-pydantic-core
--- a/machines/compute01/k-radius/packages/python/pydantic.nix
+++ b/machines/compute01/k-radius/packages/python/pydantic.nix
@ -1,92 +0,0 @@
-{
-  lib,
-  buildPythonPackage,
-  fetchFromGitHub,
-  pythonOlder,
-
-  # build-system
-  hatchling,
-  hatch-fancy-pypi-readme,
-
-  # native dependencies
-  libxcrypt,
-
-  # dependencies
-  annotated-types,
-  pydantic-core,
-  typing-extensions,
-
-  # tests
-  cloudpickle,
-  email-validator,
-  dirty-equals,
-  faker,
-  pytestCheckHook,
-  pytest-mock,
-}:
-
-buildPythonPackage rec {
-  pname = "pydantic";
-  version = "2.5.2";
-  pyproject = true;
-
-  disabled = pythonOlder "3.7";
-
-  src = fetchFromGitHub {
-    owner = "pydantic";
-    repo = "pydantic";
-    rev = "refs/tags/v${version}";
-    hash = "sha256-D0gYcyrKVVDhBgV9sCVTkGq/kFmIoT9l0i5bRM1qxzM=";
-  };
-
-  buildInputs = lib.optionals (pythonOlder "3.9") [ libxcrypt ];
-
-  nativeBuildInputs = [
-    hatch-fancy-pypi-readme
-    hatchling
-  ];
-
-  propagatedBuildInputs = [
-    annotated-types
-    pydantic-core
-    typing-extensions
-  ];
-
-  passthru.optional-dependencies = {
-    email = [ email-validator ];
-  };
-
-  nativeCheckInputs = [
-    cloudpickle
-    dirty-equals
-    faker
-    pytest-mock
-    pytestCheckHook
-  ] ++ lib.flatten (lib.attrValues passthru.optional-dependencies);
-
-  preCheck = ''
-    export HOME=$(mktemp -d)
-    substituteInPlace pyproject.toml \
-      --replace "'--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations'," "" \
-      --replace "'--benchmark-group-by', 'group'," "" \
-      --replace "'--benchmark-warmup', 'on'," "" \
-      --replace "'--benchmark-disable'," ""
-  '';
-
-  disabledTestPaths = [
-    "tests/benchmarks"
-
-    # avoid cyclic dependency
-    "tests/test_docs.py"
-  ];
-
-  pythonImportsCheck = [ "pydantic" ];
-
-  meta = with lib; {
-    description = "Data validation and settings management using Python type hinting";
-    homepage = "https://github.com/pydantic/pydantic";
-    changelog = "https://github.com/pydantic/pydantic/blob/v${version}/HISTORY.md";
-    license = licenses.mit;
-    maintainers = with maintainers; [ wd15 ];
-  };
-}
--- a/machines/compute01/k-radius/packages/rlm_python.nix
+++ b/machines/compute01/k-radius/packages/rlm_python.nix
@ -1,45 +0,0 @@
-{
-  stdenv,
-  fetchFromGitHub,
-  python3,
-  pykanidm,
-}:
-
-let
-  pythonPath = with python3.pkgs; makePythonPath [ pykanidm ];
-in
-stdenv.mkDerivation rec {
-  pname = "rlm_python";
-  version = "1.1.0-rc.15";
-
-  src = fetchFromGitHub {
-    owner = "kanidm";
-    repo = "kanidm";
-    rev = "v${version}";
-    hash = "sha256-0y8juXS61Z9zxOdsWAQ6lJurP+n855Nela6egYRecok=";
-  };
-
-  patches = [ ./python_path.patch ];
-
-  postPatch = ''
-    substituteInPlace rlm_python/mods-available/python3 \
-      --replace "@kanidm_python@" "${pythonPath}"
-  '';
-
-  installPhase = ''
-    mkdir -p $out/etc/raddb/
-    cp -R rlm_python/{mods-available,sites-available} $out/etc/raddb/
-  '';
-
-  phases = [
-    "unpackPhase"
-    "patchPhase"
-    "installPhase"
-  ];
-
-  passthru = {
-    inherit pythonPath;
-  };
-
-  preferLocalBuild = true;
-}
--- a/machines/compute01/kanidm/default.nix
+++ b/machines/compute01/kanidm/default.nix
@ -1,31 +1,56 @@
-{ config, sources, ... }:
+{
+  config,
+  lib,
+  meta,
+  nixpkgs,
+  ...
+}:

 let
+  inherit (lib)
+    attrValues
+    catAttrs
+    escapeRegex
+    concatStringsSep
+    mapAttrs'
+    nameValuePair
+    ;
+
  domain = "sso.dgnum.eu";
+  port = 8443;

  cert = config.security.acme.certs.${domain};

-  allowedSubDomains = [
-    "cloud"
-    "git"
-    "videos"
-    "social"
-    "demarches"
-    "netbird"
-  ];
+  allowedDomains = builtins.map escapeRegex (
+    (builtins.map (s: "${s}.dgnum.eu") [
+      # DGNum subdomains
+      "cloud"
+      "git"
+      "videos"
+      "social"
+      "demarches"
+      "netbird"
+    ])
+    ++ [
+      # Extra domains
+      "netbird-beta.hubrecht.ovh"
+    ]
+  );
+
+  usernameFor = member: meta.organization.members.${member}.username;
 in
 {
  services.kanidm = {
    enableServer = true;

-    package = (import sources.nixos-unstable { }).kanidm;
+    package = nixpkgs.unstable.kanidm;

    serverSettings = {
      inherit domain;

      origin = "https://${domain}";

-      bindaddress = "127.0.0.1:8443";
+      bindaddress = "127.0.0.1:${builtins.toString port}";
      ldapbindaddress = "0.0.0.0:636";

      trust_x_forward_for = true;
@ -33,10 +58,113 @@ in
      tls_chain = "${cert.directory}/fullchain.pem";
      tls_key = "${cert.directory}/key.pem";
    };
+
+    provision = {
+      enable = true;
+
+      persons = mapAttrs' (
+        _:
+        {
+          email,
+          name,
+          username,
+          ...
+        }:
+        nameValuePair username {
+          displayName = name;
+          mailAddresses = [ email ];
+        }
+      ) meta.organization.members;
+
+      groups =
+        {
+          grp_active.members = catAttrs "username" (attrValues meta.organization.members);
+        }
+        // (mapAttrs' (
+          name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
+        ) meta.organization.groups);
+
+      # INFO: The authentication resources declared here can only be for internal services,
+      #       as regular members cannot be statically known.
+      systems.oauth2 = {
+        dgn_grafana = {
+          displayName = "Grafana [Analysis]";
+          originLanding = "https://grafana.dgnum.eu";
+          originUrl = "https://grafana.dgnum.eu/";
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+
+        dgn_librenms = {
+          allowInsecureClientDisablePkce = true;
+          displayName = "LibreNMS [Network]";
+          enableLegacyCrypto = true;
+          originLanding = "https://nms.dgnum.eu";
+          originUrl = "https://nms.dgnum.eu/";
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+
+        dgn_netbird = {
+          displayName = "Netbird [VPN]";
+          enableLocalhostRedirects = true;
+          originLanding = "https://netbird.dgnum.eu";
+          originUrl = "https://netbird.dgnum.eu/";
+          preferShortUsername = true;
+          public = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+
+        dgn_netbox = {
+          allowInsecureClientDisablePkce = true;
+          displayName = "Netbox [Inventory]";
+          enableLegacyCrypto = true;
+          originLanding = "https://netbox.dgnum.eu";
+          originUrl = "https://netbox.dgnum.eu/";
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+
+        dgn_outline = {
+          displayName = "Outline [Docs]";
+          originUrl = "https://docs.dgnum.eu/";
+          originLanding = "https://docs.dgnum.eu";
+          preferShortUsername = true;
+
+          scopeMaps.grp_active = [
+            "openid"
+            "profile"
+            "email"
+          ];
+        };
+      };
+    };
  };

  users.users.kanidm.extraGroups = [ cert.group ];

+  dgn-web.internalPorts.kanidm = port;
+
  services.nginx = {
    enable = true;

@ -44,7 +172,7 @@ in
      enableACME = true;
      forceSSL = true;
      locations."/" = {
-        proxyPass = "https://127.0.0.1:8443";
+        proxyPass = "https://127.0.0.1:${builtins.toString port}";

        extraConfig = ''
          if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
@ -53,7 +181,7 @@ in

          set $origin $http_origin;

-          if ($origin !~ '^https?://(${builtins.concatStringsSep "|" allowedSubDomains})\.dgnum\.eu$') {
+          if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
              set $origin 'https://${domain}';
          }

--- a/machines/compute01/kanidm/secrets/secrets.nix
+++ b/machines/compute01/kanidm/secrets/secrets.nix
@ -1,9 +1,4 @@
-let
-  lib = import ../../../../lib { };
-  publicKeys = lib.getNodeKeys "compute01";
-in
-
-lib.setDefault { inherit publicKeys; } [
+(import ../../../../keys).mkSecrets [ "compute01" ] [
  "kanidm-password_admin"
  "kanidm-password_idm_admin"
 ]
--- a/machines/compute01/mastodon.nix
+++ b/machines/compute01/mastodon.nix
@ -9,8 +9,12 @@ in

    localDomain = host;
    smtp = {
-      # TODO: smtp setup
-      fromAddress = "social@services.dgnum.eu";
+      fromAddress = "noreply@infra.dgnum.eu";
+      host = "kurisu.lahfa.xyz";
+      port = 465;
+      user = "web-services@infra.dgnum.eu";
+      passwordFile = config.age.secrets.mastodon-smtp-password.path;
+      authenticate = true;
    };

    streamingProcesses = 4;
@ -22,6 +26,8 @@ in
      # LOCAL_DOMAIN = "dgnum.eu";
      WEB_DOMAIN = host;

+      SMTP_TLS = "true";
+
      RAILS_LOG_LEVEL = "warn";

      # ObjectStorage configuration
--- a/machines/compute01/nextcloud.nix
+++ b/machines/compute01/nextcloud.nix
@ -3,28 +3,24 @@
 let
  host = "cloud.dgnum.eu";
  nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
+
+  port = 9980;
 in
 {
  services.nextcloud = {
    enable = true;
    hostName = host;

-    package = pkgs.nextcloud28;
+    package = pkgs.nextcloud29;

    https = true;

    config = {
-      overwriteProtocol = "https";
-
      dbtype = "pgsql";

      adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
      adminuser = "thubrecht";

-      defaultPhoneRegion = "FR";
-
-      trustedProxies = [ "::1" ];
-
      objectstore.s3 = {
        enable = true;

@ -61,7 +57,7 @@ in
      "opcache.max_accelerated_files" = "10000";
      "opcache.memory_consumption" = "128";
      "opcache.revalidate_freq" = "1";
-      "opcache.fast_shutdown" = "1";
+      "opcache.fast_shutdown" = "0";
      "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
      catch_workers_output = "yes";
    };
@ -71,11 +67,17 @@ in

    autoUpdateApps.enable = true;

-    extraOptions = {
+    settings = {
+      overwriteprotocol = "https";
+
      overwritehost = host;
      "overwrite.cli.url" = "https://${host}";
      updatechecker = false;

+      default_phone_region = "FR";
+
+      trusted_proxies = [ "::1" ];
+
      allow_local_remote_servers = true;
      maintenance_window_start = 1;

@ -97,22 +99,20 @@ in
  };

  virtualisation.oci-containers = {
-    # # Since 22.05, the default driver is podman but it doesn't work
-    # # with podman. It would however be nice to switch to podman.
-    # backend = "docker";
    containers.collabora = {
      image = "collabora/code";
      imageFile = pkgs.dockerTools.pullImage {
        imageName = "collabora/code";
-        imageDigest = "sha256:a8cce07c949aa59cea0a7f1f220266a1a6d886c717c3b5005782baf6f384d645";
-        sha256 = "sha256-lN6skv62x+x7G7SNOUyZ8W6S/uScrkqE1nbBwwSEWXQ=";
+        imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
+        sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
      };
-      ports = [ "9980:9980" ];
+      ports = [ "${builtins.toString port}:${builtins.toString port}" ];
      environment = {
        domain = "cloud.dgnum.eu";
        extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
      };
      extraOptions = [
+        "--network=host"
        "--cap-add"
        "MKNOD"
        "--cap-add"
@ -121,6 +121,8 @@ in
    };
  };

+  dgn-web.internalPorts.collabora = port;
+
  services.nginx.virtualHosts = {
    ${host} = {
      enableACME = true;
@ -138,25 +140,25 @@ in
      extraConfig = ''
        # static files
        location ^~ /browser {
-          proxy_pass http://127.0.0.1:9980;
+          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header Host $host;
        }

        # WOPI discovery URL
        location ^~ /hosting/discovery {
-          proxy_pass http://127.0.0.1:9980;
+          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header Host $host;
        }

        # Capabilities
        location ^~ /hosting/capabilities {
-          proxy_pass http://127.0.0.1:9980;
+          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header Host $host;
        }

        # main websocket
        location ~ ^/cool/(.*)/ws$ {
-          proxy_pass http://127.0.0.1:9980;
+          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
          proxy_set_header Host $host;
@ -165,13 +167,13 @@ in

        # download, presentation and image upload
        location ~ ^/(c|l)ool {
-          proxy_pass http://127.0.0.1:9980;
+          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header Host $host;
        }

        # Admin Console websocket
        location ^~ /cool/adminws {
-          proxy_pass http://127.0.0.1:9980;
+          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
          proxy_set_header Host $host;
--- a/machines/compute01/ollama-proxy.nix
+++ b/machines/compute01/ollama-proxy.nix
@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  services.nginx = {
+    virtualHosts."ollama01.beta.dgnum.eu" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://100.80.103.206:11434";
+        basicAuthFile = pkgs.writeText "ollama-htpasswd" ''
+          raito:$y$j9T$UDEHpLtM52hRGK0I4qT6M0$N75AhENLqgtJnTGaPzq51imhjZvuPr.ow81Co1ZTcX2
+        '';
+      };
+    };
+  };
+}
--- a/machines/compute01/outline.nix
+++ b/machines/compute01/outline.nix
@ -2,6 +2,7 @@

 let
  host = "docs.dgnum.eu";
+  port = 3003;
 in
 {
  services.outline = {
@ -35,21 +36,12 @@ in
    defaultLanguage = "fr_FR";

    forceHttps = false;
-    port = 3003;
+    inherit port;
  };

-  services.nginx.virtualHosts.${host} = {
-    enableACME = true;
-    forceSSL = true;
-
-    locations."/" = {
-      proxyPass = "http://localhost:3003";
-      proxyWebsockets = true;
-    };
-
-    locations."/robots.txt" = {
-      return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
-    };
+  dgn-web.simpleProxies.outline = {
+    inherit host port;
+    vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
  };

  age-secrets.autoMatch = [ "outline" ];
--- a/machines/compute01/plausible.nix
+++ b/machines/compute01/plausible.nix
@ -14,7 +14,7 @@ in

      smtp = {
        user = "web-services@infra.dgnum.eu";
-        passwordFile = config.age.secrets."_smtp-password-file".path;
+        passwordFile = config.age.secrets."plausible-smtp_password_file".path;
        hostPort = 465;
        hostAddr = "kurisu.lahfa.xyz";
        enableSSL = true;
@ -27,27 +27,18 @@ in

      disableRegistration = false;

-      secretKeybaseFile = config.age.secrets."plausible_secret-key-base-file".path;
+      secretKeybaseFile = config.age.secrets."plausible-secret_key_base_file".path;
    };

    adminUser = {
-      passwordFile = config.age.secrets."plausible_admin-user-password-file".path;
+      passwordFile = config.age.secrets."plausible-admin_user_password_file".path;
      email = "tom.hubrecht@dgnum.eu";
      name = "thubrecht";
      activate = true;
    };
  };

-  services.nginx = {
-    enable = true;
-
-    virtualHosts.${host} = {
-      enableACME = true;
-      forceSSL = true;
-
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString port}";
-      };
-    };
+  dgn-web.simpleProxies.plausible = {
+    inherit host port;
  };
 }
--- a/machines/compute01/postgresql.nix
+++ b/machines/compute01/postgresql.nix
@ -0,0 +1,34 @@
+{ pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+
+    package = pkgs.postgresql_16;
+
+    settings = {
+      checkpoint_completion_target = 0.90625;
+      default_statistics_target = 100;
+      effective_cache_size = "32GB";
+      effective_io_concurrency = 200;
+      maintenance_work_mem = "2GB";
+      max_connections = 500;
+      max_parallel_maintenance_workers = 4;
+      max_parallel_workers = 12;
+      max_parallel_workers_per_gather = 4;
+      max_wal_size = "4GB";
+      max_worker_processes = 12;
+      min_wal_size = "1GB";
+      random_page_cost = 1.125;
+      shared_buffers = "16GB";
+      wal_buffers = "16MB";
+      work_mem = "83886kB";
+    };
+  };
+
+  dgn-console = {
+    # Update the versions below for upgrading
+    pg-upgrade-to = pkgs.postgresql_16.withPackages (ps: [ ps.postgis ]);
+    pg-upgrade-from = pkgs.postgresql_16.withPackages (ps: [ ps.postgis ]);
+  };
+}
--- a/machines/compute01/satosa/default.nix
+++ b/machines/compute01/satosa/default.nix
@ -2,16 +2,15 @@

 let
  host = "saml-idp.dgnum.eu";
+  port = 8090;
 in
 {
-
  imports = [ ./module.nix ];

  services.satosa = {
    enable = true;

-    inherit host;
-    port = 8090;
+    inherit host port;

    envFile = config.age.secrets."satosa-env_file".path;

@ -148,9 +147,8 @@ in
    };
  };

-  services.nginx.virtualHosts.${host} = {
-    enableACME = true;
-    forceSSL = true;
+  dgn-web.simpleProxies.satosa = {
+    inherit host port;
  };

  age-secrets.autoMatch = [ "satosa" ];
--- a/machines/compute01/satosa/module.nix
+++ b/machines/compute01/satosa/module.nix
@ -190,14 +190,6 @@ in
      };
    };

-    services.nginx = mkIf cfg.configureNginx {
-      enable = true;
-
-      virtualHosts.${cfg.host} = {
-        locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
-      };
-    };
-
    users.users.satosa = {
      isSystemUser = true;
      group = "satosa";
--- a/machines/compute01/satosa/package/satosa.nix
+++ b/machines/compute01/satosa/package/satosa.nix
@ -1,7 +1,7 @@
 {
  lib,
  python3,
-  fetchPypi,
+  fetchFromGitHub,
  cookies-samesite-compat,
  pyop,
 }:
@ -11,17 +11,13 @@ python3.pkgs.buildPythonPackage rec {
  version = "8.4.0";
  pyproject = true;

-  src = fetchPypi {
-    pname = "SATOSA";
-    inherit version;
-    hash = "sha256-KREROjb157RJJVRr9YefzoR/eflR/U7ZmG6yOH5DjcU=";
+  src = fetchFromGitHub {
+    owner = "IdentityPython";
+    repo = "SATOSA";
+    rev = "v${version}";
+    hash = "sha256-q7XmZ3EnAFO1OXIhXIF4Vd0H8uaayFIHFZpWiZUsAFA=";
  };

-  nativeBuildInputs = [
-    python3.pkgs.setuptools
-    python3.pkgs.wheel
-  ];
-
  propagatedBuildInputs = with python3.pkgs; [
    chevron
    click
@ -50,7 +46,7 @@ python3.pkgs.buildPythonPackage rec {
    description = "Protocol proxy (SAML/OIDC)";
    homepage = "https://pypi.org/project/SATOSA";
    license = licenses.asl20;
-    maintainers = with maintainers; [ ];
+    maintainers = with maintainers; [ thubrecht ];
    mainProgram = "satosa";
  };
 }
--- a/machines/compute01/secrets/dgsi-email_host_password_file
+++ b/machines/compute01/secrets/dgsi-email_host_password_file
@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
+oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
+-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
+bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
+-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
+HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
+-> ssh-rsa krWCLQ
+k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
+re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
+eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
+AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
+QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
+DdkJAqSrNkHianC5MEGgpA
+-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
+C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
+-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
+iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
+-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
+uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
+-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
+xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
+-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
+5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
+-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
+HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
+--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
+ｻ<EFBFBD>虎 <20><>ｩ煩	ﾈ9<1猤ｶﾜ簒<EFBE9C>pWJSWpsV/ﾑ#<23>ｳﾘ9ﾀ{ﾀﾟcHB<><42><EFBFBD>5<EFBFBD>ｬ^ｧ
--- a/machines/compute01/secrets/dgsi-kanidm_auth_token_file
+++ b/machines/compute01/secrets/dgsi-kanidm_auth_token_file
--- a/machines/compute01/secrets/dgsi-kanidm_secret_file
+++ b/machines/compute01/secrets/dgsi-kanidm_secret_file
@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA zSfj75mxEod8RszD4XGaFIeMvcLnBgUHShIW5yFPdiE
+YXaCFZ07BMzehG/PCUFDEzRy+y4c+IESO9kcLx+eG8M
+-> ssh-ed25519 QlRB9Q 39DPdLnRMs5YSQOr/rY2nXO/8s/oCnYDkRex51tZayw
+W3GbNP7qbgW2b0RoZmcWH0kLtQaIV50APGcntjMfn8o
+-> ssh-ed25519 r+nK/Q dnX8kPKvyHS5U1N52QTDwonaHbBh8sv2DPBL1PoBO2E
+mxduSFeWB4tJlrHDEthNKGv/vxzeWUtNwq1b2nDP6Z0
+-> ssh-rsa krWCLQ
+QN1OOmCREY2LljXm0+TAsOSkjIQ0RXyX8w5TVOOus5QAt1WTJan/mm4X1SviWqmn
+UFDIeCoG2l5tBSyZr4VpnDeq7koWRA2eC7WnwWW47PQIRFSyjf+sy00rGR9kxVuL
+1M9gsAGa5sud/PvmgSPSLsGhhrPsH/ZxN9beyIXIwmssmjN34KygUz9+u4T8IkVz
+oxdq75LMzE2o0gcgC1EZ5+rDq0NSPQ9+1KgqwJuKlLKRXGdudgaVEUxX60g2ZnkX
+8fNEgxqEkQ5MNnPfwbVumF6SWmMWyZSJ0rwHC94O1RdRNDcD3yKimuBmNSv2X+3L
+cS3kE9LfNst2zBKHBGBOHQ
+-> ssh-ed25519 /vwQcQ ZD8aiyO6fWEM9zG0iPP1/lftRPNl+mmFLHvGxVpSWzg
+ZcTmN8zSHz8iLQmCLTZCdaqX5En/KrciR8KHwoXl8t0
+-> ssh-ed25519 0R97PA xLQYBS5ozP1e4NWVa9yahN2OQB0Luw7mm3nBYdoHyRI
+SKTRzLfGNFQ9fSX8ZFkKIYPZ4If5QrxcmSoBoGVG2Xk
+-> ssh-ed25519 JGx7Ng XPo1QJ8OS/ShEAaXWwzZCS1p5/C6mLNlk4Us63YTVQ8
+HGbfr8WBfCDKnIlATAeiE6JcLWCbn64vn1Cg7i9QGbA
+-> ssh-ed25519 5SY7Kg CFpRcZmZ7DTspxkmdD8x7dRh1mqOHpTF7GzW5xBtLxw
+n1n6/Ciwwo4rb3Cb6Yv/b1dHSvVAbCuDZ52maNpCexg
+-> ssh-ed25519 p/Mg4Q km6ZjasKtOlaQL8rdVXkjRP4sooql15PrW0lz6YZaDg
+Yrpi65IC3RJS3YSAChKjVyvowGxxmSPFkwa6CXUYVZ4
+-> ssh-ed25519 tDqJRg au3x6e4L1os7OH4WXbdST74LhMsHPjP6KYrTWKUc1i8
+zxKFk51MteTETWEu8peSH/lninM3zZkQi+Xjx5OQMTU
+-> l$R6Y:c1-grease
+MY0HS+ErZAtAhg
+--- w+3gxmkrZ+xxSAQHbERgvsqur0v6k2/U0KUsfegRGcI
+7Ú”gpò7šæ«¹Š\ŠE„àø~Â$±\¹Ä”Q„™H‹R¥˜Èî¼¼2'k4Ž¥zÿqAÌ‡ì'ÍNò!{‹@qxÎ‹,ƒ+iTû
--- a/machines/compute01/secrets/dgsi-secret_key_file
+++ b/machines/compute01/secrets/dgsi-secret_key_file
@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA xQaZW42vwq7pndbRqiATFVgl1QM3LbD5Sqzz61yinUY
+7N4GIIAnzwTPA2IgOPWLtE03kCZPihKu8ZAG9e7Bv7k
+-> ssh-ed25519 QlRB9Q mfs9SndrSY1meTEYiVxXLbS7Ecf0rjaQ3vX4626+9CI
+BDdh3a02EqMeO5jPlz6kjmjuLMldf/s9V7hDkIef+g4
+-> ssh-ed25519 r+nK/Q HqduuibujATQyp2TUswgrFyTdcdmPsNsZJ2pOLZ+MTc
+WjFm95dxVYKA2ekOgKzMrMmk1nxfuurmDyMXtUIGnIo
+-> ssh-rsa krWCLQ
+GzznBXY+5RpGFJKli2rOdzO5bun6REyjA78nV8RviQdAN/mGXEZfGFq4HFuQZM0e
+fYADtpZxOZ3vyY/9DqCguay3R02DcyTpAhdb6A3kdzApUVR/3ZKJXy0+l5qRqKD7
+j/cMfIxk/WpsHKHDWKXkG+FiTnF+V+ZtUom9W1aYFc1506OdDbjBVfTnBFs/+WVf
+MWd+Y0ANCFiNH+kjzvALRazkmJgt9SvYWBG6suym6YZ2073GFu85jUJB2juSDmBN
+tp0OJvNrjH5F/CcJXLMVrJz4Azin+2iM+re78cSVmZ1aqLf72RIrg/VhuuNy2MVn
+gU32t9qy5EvTbzliWpAvxw
+-> ssh-ed25519 /vwQcQ rVT/tH4fZ49hwxJTaZMZhzMgkS0MJILZmuL/J1CCPGY
+mW3BNdXsylo0Yhg2KYpGNLoDkd7DYX+NEGF8a7j5R5g
+-> ssh-ed25519 0R97PA vnXhW5pn1XgOJcMcD1cu7hQLlnIrJyp2Bu3TbThBIik
+QFQFocftqwsPS1AbGykbDkIWqaAdZ7I9njS2ZUXz+4w
+-> ssh-ed25519 JGx7Ng ljVNZ4AdZ3DLow2m3mf+6bf9zj6+t9RP7w8Bi7aMlAI
+E5Q9yEA3d2nPTZO2jFkGnsHyo3W19P/lSG6yl3RL6Vo
+-> ssh-ed25519 5SY7Kg 2LcgbYRROFSGfq0L5XBQMl6p62DreGceGqRFzKGi4X8
+x4V+gnzdm1HgjYwhBnYAldkchX4YCsUhqoq1iCaOZ6s
+-> ssh-ed25519 p/Mg4Q Y+o5nrSvL+xL43OHjEnesKV+9gCl4H4gBmBBjbqDABA
+TvGky1wSVanvpq2Xj2FUmRtJ205iq92g6PVDASAfyaE
+-> ssh-ed25519 tDqJRg X0Y8YCi5qOy3Du1/DIMMc4W7P6zQNTlwF4+QrisHCwM
+SzJPH+h5847WSl9CrJatqIf9CSnKGUQZDK6ROD5LqXU
+-> `--grease N]PH
+fdR7jONsDC5Fj/FU++dDsFJSa4sLmvnTzPbt3X96zJDHVQypmV+JMhQNudQGrq9K
+7oPr3+cA61qtqUv6v519zFLtRXkpY6FMiB2euGJufVZqGh9jDzfi0jNu6dUO7A
+--- a0TP8YPal5jgd3BSIm0THbaMHgLOiOgMqdlwQwUGzWk
+:È/Àn	ž±Ý§¦p=fu²hã–T¶ÅêFÂ—ÙêÂ¥nh¢„¾•œ¹ÀU2#„éµÆ©“ºôâ>Û“<4.<2E>uŸ‰’…m3Ü&<26>g¤(ö<>5Û¶Ã›
--- a/machines/compute01/secrets/dgsi-x509_cert_file
+++ b/machines/compute01/secrets/dgsi-x509_cert_file
--- a/machines/compute01/secrets/dgsi-x509_key_file
+++ b/machines/compute01/secrets/dgsi-x509_key_file
--- a/machines/compute01/secrets/mastodon-smtp-password
+++ b/machines/compute01/secrets/mastodon-smtp-password
--- a/machines/compute01/secrets/plausible-admin_user_password_file
+++ b/machines/compute01/secrets/plausible-admin_user_password_file
--- a/machines/compute01/secrets/plausible-secret_key_base_file
+++ b/machines/compute01/secrets/plausible-secret_key_base_file
@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA T6TOJOuejaoxw3zdeLzGm0CrSkDCCIRenL7wMGnDtlU
+dubdAXhc32S6BszHddOcMA6aStZLOvc+36s3nZsYFMU
+-> ssh-ed25519 QlRB9Q akzRDbZzo0LwoS1cOwE/tYdz7M+6bhgI81d37d1GtBw
+KsGqFhkjlcJNquMi2+1TfQDBy9qguwh5ED9KBg4Y2hU
+-> ssh-ed25519 r+nK/Q bL6A9O6UnjjyY+iLvbQSvSTjXX38FLsNjaSngoQXHxY
+YZ7Y11inKpzA2m6lro9XXX2qkW6FmkeFGZ3Ak6X+U2w
+-> ssh-rsa krWCLQ
+dZVUqAyqrP3KHZlpu70IBU8U3I9IP71RzjbiF1rp4rOdz4iQ9ik88ai+hXVuadcN
+DMl/7pIkVky6EL8JxFXTQhLivJUpO3NcN3iAS+CLKC+0EFVc03sLyCjn8IExO85r
+Lec37ICk9n4LUNEA91A2h4C8U9TbDxCt7MLrIKcQtfFcd+4U1o9g3n19xo9PK1Ho
+mcqTbUVgW1nOLxsEeCp5zsCQ+/8tFLcnK08yUB0RlWK+PDFZkk8u8Q2SYZjnaeEp
+cwOhUnm/1a15IbW2oGCrVaEd/ymnLDJc6S7vXGpFDWHmOzvJ4Av9KZlGFYaWCjbV
+7bGIgWkiQ7iJvTxzu0ZEqw
+-> ssh-ed25519 /vwQcQ /DR3Kox7XkbdYQH7SyIc9atjwwe7Ah7hH/63RlzDd0g
+k/199lCIfxR7l4ETJMEr1Ch1Zx8v3M5zn0b8mg6ip2k
+-> ssh-ed25519 0R97PA H1PS+SlW5FNOf15eO6MKJ/nnVJQkfFMub0IzTS4PhDo
+77zwCD0tbrLu4J0vS0RxPK3YZucFV1VYkUVoMTHjf2o
+-> ssh-ed25519 JGx7Ng 2WIYPKkWXplInR8v1q22ygs7uYNfIzETeiCt5+MKQQQ
+9Gsyr30kaNhxn+fUCBicvoA+hHiWpUf0d0pxRZauhMY
+-> ssh-ed25519 5SY7Kg QTnBfvkMcnXpGITtaHr+mRZGogI1kTUqO4byfyMZhGE
+89A/PPHVPeBQvTxCeXH8ITVDMkcsYUMbwatyw8NQ04E
+-> ssh-ed25519 p/Mg4Q n6hQLuUv3QOMADJF0zpcALYqVUVi5tZHmKGmVZA0IVQ
+ZXa+3y33kyo4vQxcEa2XTMIwjH2HE+bAKZw993PgROk
+-> ssh-ed25519 tDqJRg Hf1KIZjUTTaHo18P1vWxaSehyKTFElBOovrCN0uJFCc
+H8qGw8vIqp4bNiyon2uvTkrrd8lIYnMWnIfzS+w4QRQ
+--- QOKOfU20JY1Sj+K20UUxgtPZ7JxKuZ1GtK+OKBZ1Zhg
+Íúâ?º}àæ2æŽýiÐM}6BÖw#b2Ï´žËŠ¹ÍÊžvu´¿,Ö'.–ŒWÔ”øIPýã'ixYÍ€*·šKoÎtXI#À‘ß6b`„1pÃŠ¬òÍœˆqð
×"§lâSf(ˆ`UöëÄê6ø kT°Á'µÎÔM@ÈÖå„hŸï®›{WYŸ‘ØÝÏÂ<SN;UŒœ
Ý¨ÿ
--- a/machines/compute01/secrets/plausible-smtp_password_file
+++ b/machines/compute01/secrets/plausible-smtp_password_file
@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA CQffZYaxexZ2f+HeNj+SHeSak0kzNPiq6ExW7tUyCBs
+oJQhtMFD9KSnXSPGRb3zLwCB2/KEXo8cgxHN5ML83Qw
+-> ssh-ed25519 QlRB9Q V1PnEYJvFCdBRzN4z3iDtIzHLxxCimejdkqRS4zMCG8
+bVc87bxPmhofmoscGFBgQ+ffRlo216RiRkkV1MNoQyY
+-> ssh-ed25519 r+nK/Q YI+1MYnCvSq5/QfA2y01IQlJeMGF0AfNs91QlrVaVGs
+HSB8Gai96mjRbM68G3iRmXNkI4kqyJAWTMxWc8UOPr8
+-> ssh-rsa krWCLQ
+k2mssz4C9p8K+rJ6Jbbm+w7uLTqoUOiOKvlt2btEyw2Lup8PQNfyTNFSBvuBMmfj
+re1zuAufH0HIw3B0xWYauBSD4pasc7EFTr/OLoM8BRFMEb11IM5ZKJrO+hnWy0Sk
+eIs6cpkoBVi4GZmkRfbvaitk42i9JzjrKU0OeqLCWQbHmHkTb3acsGXCc6A6JSbF
+AVb+Eaak6EIdX1dP4PWyCxU2PkcBtYBcLoGH74r1o0i3SzvmuzKvlBntx5IzsAvY
+QNGJLNZl0+NePafAkvVY8UOrlzxj+tCgfunAGXIXlZlVfNcjZX9Wv30sJOtwpbw
+DdkJAqSrNkHianC5MEGgpA
+-> ssh-ed25519 /vwQcQ yxGAMhwDcoDjw5MJudEE95PakhZvNpYfmfWiM6wbQBg
+C1o3mNO2YFnBXamCcpAW0aQVGrNNcUpDtSn8+VLobmE
+-> ssh-ed25519 0R97PA XRWbcwt3wXR3AYg0rhzc6OUuAA+blVTf3SHERYy3MkA
+iCBd0E1NrV7tv3/0pD0FYWgUfGmB4M+VWfiixvVGv68
+-> ssh-ed25519 JGx7Ng R47xTx4IGC/qf/v6WOXvJTd20MbeTdZ/8ovAA6d0iyQ
+uBxcQVztpW4QaAR5rKfEVgtmrPk6l51+tY3brNjsTV4
+-> ssh-ed25519 5SY7Kg LNtU+/1YlPX6T6gO2lb/wEei7hsy2oud8cTQXFQy0HY
+xxPvBAIpFyCUqExjseerz6WlwWQEmw9fltzQBx51KI0
+-> ssh-ed25519 p/Mg4Q uWIz5shMnsLXsh160cCW8E6kh9v4LPunOonugjWdSEY
+5aRrIB5gxIplVWDGeMQ6g09togku6LxWRxBP7FbRNU0
+-> ssh-ed25519 tDqJRg G8rNpeGY29czDVMvvt4LZ7nffZ/JAHDzxuIs7C/0SEM
+HowgAvrQQcvUx93ZdK5q2bSsJDqaOxFf+x/lwTRss4I
+--- ktcSPCC1TpguyYJ2ua7IuGcEw+Z9YuqjzcmH18abjo4
+ｻ<EFBFBD>虎 <20><>ｩ煩	ﾈ9<1猤ｶﾜ簒<EFBE9C>pWJSWpsV/ﾑ#<23>ｳﾘ9ﾀ{ﾀﾟcHB<><42><EFBFBD>5<EFBFBD>ｬ^ｧ
--- a/machines/compute01/secrets/radius-auth_token_file
+++ b/machines/compute01/secrets/radius-auth_token_file
--- a/machines/compute01/secrets/radius-ca_pem_file
+++ b/machines/compute01/secrets/radius-ca_pem_file
--- a/machines/compute01/secrets/radius-cert_pem_file
+++ b/machines/compute01/secrets/radius-cert_pem_file
--- a/machines/compute01/secrets/radius-dh_pem_file
+++ b/machines/compute01/secrets/radius-dh_pem_file
@ -1,31 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 tDqJRg R3h8Ph1ooMaR/bmz09yRzVRq1mR3L7o87wMhsysC5kU
-Go50Us/u8CgZS7Up20RH8NlRS0+ESBw30wa8SZ5dqoo
-> ssh-ed25519 jIXfPA gMaMIQvUIu5bK5mRWP6SSZQArMzhg4bDZDcjwx9dyDY
-Vv8H7oTBvogaoW4dhdm81TOe995CSGeBxB8LtFgJqwc
-> ssh-ed25519 QlRB9Q 1CxZ2F8EMykWDzrAzN6NSPtjLmMJ99zf8UWLyV3e+Ag
-ak7M8/mCeQOMKFPllTsA79glffS/vu51vHIRT3F8qLE
-> ssh-ed25519 r+nK/Q qcuIACZn+1ofDpWW1IBmY0IIj4WZNQhxtUJlHgh11ws
-OJhEfDQHkg3s5CCBcVfba9S4OG4hBjJIYkCoLAIFwOI
-> ssh-rsa krWCLQ
-1XseIDq7c94X7Dpp1sC3oBLhZSd4w7UJ7QI03SGmqVTd3VVwP5IV430vrSIFETMI
-LopkMvCtF1XpIJQ+nHoxsukG/0kefh5Iodmd6anQNp0iVU/tWkQzWbkHlVlkxJ2M
-o3fMRAaVyH5GvQkIT5ndWma34vqwydAinM2mchi0hy0ibP5lkk8K7OtafNP4eYNh
-m7necRRI8yCuE1wBRy8sBpo5mEqGj1uINxXiF6yUI05pCBXHG1qDiFkDHfw8va9k
-Qitfwv2Clkk/hQG6aEYuruoXwq4SZxSCswMpP5Nz70I+e5YkZw8G50ICaVBXxuAP
-ABByGBZ/QKLw66NpE7rbSA
-> ssh-ed25519 /vwQcQ 1P92WFx8+9DaL2dPwmX+Bva+h7Hy9qXszDTyPvd81kc
-gLVhBlE4lAMcod32/Y8xzypVCDu4vRca3aem3OHiocU
-> ssh-ed25519 0R97PA rZblJRi2bYJig4HyzOXdtpUEEkGDlHS456aKlqxwGX4
-qjIkEyHjDxzmf34bS7qWJ9lexMXu2QMmcD9RP4MpkYQ
-> ssh-ed25519 JGx7Ng IbCSvxAUY1gDTny5KurzONVaQwX/VgvNs1hAQ9iUQRE
-5ivoGkzEHAyTl3gUE+9nVYclF8/aqnyOF3a81fZfbW0
-> t|-grease (u /1\q}65 ]@
-Dd2SJgnQFUSDlS4eSkKUaGwve8Rsv/4MNEwGRJftdtTvxv80bRuNBEFe+ah4YhiV
-LA3n6c+Te9Q
--- wWhpJpx4IHeC1Qo4nH6iuEB3e9l5b8U5xOnsX8BoBgQ
-5¥t·Œ °ÒxÚ@<1E>`zÈÔgC’à	Ñ¬:4Œó¾&Â‡Spi8ñŸuæ"lÕ‚×)<29>:ìaŒÁÄ,4ÃsÌ*uÿ€ƒ±v#ÿ*ÎàÜÊ^Ý¶‚Ø«%´Ñº98¾,yB‚Ù
-"¶%Çã¤„†NÎÓ· íò¬}	[Ñ¿Ó(äØ{<11>ý0ô—f²<66>„|Šà-—&qF	kÖ¶¹µùÔÎLì,¹À„žD™áÎ©QÍ—½è<C2BD>4N}<7D>ÙÐJ´·‹ÇÓˆpç€]dUÏø¿<C3B8>I—:ÌôÑÉ
öì’°¦£‘sý¨õB#}¹
-ÞÃXzð‰N4·>ñ5iSan`‰¹.‚õÃPcHØÉAéßÈÿµH=¥ËæÂ~ö(Pçô±Š$ ,¡ã‹ù¯ZÐ¬ÆwçÚ	/×
-Á–+rC$†ýê&ØJñ ; ÉvÞjæ‰ÎY¹,š*`ºGå=ã¯M¼ƒƒeäAQö<51>\D˜ÿ@¥j¾$gö{Q´lhIoÊÏ‚IM)};@ìNü½b‰<62>k5Dgüoþ'ItW(Ïk
-ê6)ËŒä0£<30>tM¶É
Ó(Ûê¡<C3AA>n²k®Zu%m<17>¡bzÚõ–Š¿ÁìÍÿ
--- a/machines/compute01/secrets/radius-key_pem_file
+++ b/machines/compute01/secrets/radius-key_pem_file
--- a/machines/compute01/secrets/radius-private_key_password_file
+++ b/machines/compute01/secrets/radius-private_key_password_file
@ -1,26 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 tDqJRg sTm4u+QVtvUqNgMJhufIljdH63oCmvfbRz6NRa2ZbwI
-ZYjAINMp/ds7g+7Wjg26YRpRV+nznQPB1r7NzAHGfW0
-> ssh-ed25519 jIXfPA z4LS/Igwab0moIzxG9b06T5rZiODkdJyjaFepJVcxQ8
-qNkDc+prvr1bNTSWJyygJj7yb8MOz2nR+Z8EMHUVVOs
-> ssh-ed25519 QlRB9Q 6TQ0Vp3KB5yDIEt029hIB3aCnDjTDP0JG6LN2J9gtjU
-fZXeSxb7GJOJYvCr2nVf6BKf8QjaqOOuoi0I/xXV1qc
-> ssh-ed25519 r+nK/Q eW4wTH9PNd0mzVFsxwS4mEEn5gVUCpYA/g+ifeUB+00
-kqED+vZVHn0SXTpgbaiMseI6vPCyTt5Gfu4pHxPvKp0
-> ssh-rsa krWCLQ
-axyFJ/zhMoZ1mJLzWAbXbHjlAlLj7HraHyY6ddZBVibgRSEufdXsa8ABmdR6+EuM
-ty37+/TZOBv11ew/D1C7vQ7B/1JXgej2TAAmYt4vN3lVZdgJI+tQGiOf1nsqfI64
-p4ZbMi9G0wlzb+Z7Z5SLKo6HwharYI+vDEgh3Ua9Q+6bpZeXxxJHmkACikAI4xJV
-3lLo1iTeyJy/9u/WoHmEOuqJLeZdhmPZBozxTdDTWz9wMHy+NotfXFaIFTyUpocu
-OU19N95fyVyTRwmrGFcWs34O631Ejpo3oVLDvjXrFtV4HISSweB/YbU84EveFbz5
-28gTWKdeOQcHJfmaeJV/Rg
-> ssh-ed25519 /vwQcQ cXNRE5eLKNh4lL7S7cMDfp79+TQyiJK3gTzYCuHeRHo
-4bz0al2kf/S6VEhObpLxy8tvB1t/tBVdB1Gi/7XinD4
-> ssh-ed25519 0R97PA iGdUtE7KDRBNSXv1w0dJNPQWxAeDpIAePUU8t0qURV8
-OUoeLNWl0rLt6+FNf5plNmQIgrULwIgEL/W4HFTYeB8
-> ssh-ed25519 JGx7Ng tPkAPvVDZOcP06+mrD5uK03dUJi4aMAvkoz21y9L6Ak
-tcUItLMra+EIYH6MA1ULMpr8bkUql448jnurev8N5wk
-> \<?_-grease (+d_8zF H
-
--- /CiW5jTjVkXDOdwmb4P80FswPEpgTt2GZnqT7KlOvC0
-›=þ%©»gæÆQ³-¼ffÄUC.qÅÍ˜·H<C2B7>µ—ìäÙ=Vý£žØú<C398>ŽRåN
--- a/machines/compute01/secrets/secrets.nix
+++ b/machines/compute01/secrets/secrets.nix
@ -1,30 +1,31 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "compute01";
-in
-
-lib.setDefault { inherit publicKeys; } [
+(import ../../../keys).mkSecrets [ "compute01" ] [
+  # List of secrets for compute01
  "arkheon-env_file"
  "bupstash-put_key"
+  "dgsi-email_host_password_file"
+  "dgsi-kanidm_auth_token_file"
+  "dgsi-kanidm_secret_file"
+  "dgsi-secret_key_file"
+  "dgsi-x509_cert_file"
+  "dgsi-x509_key_file"
  "ds-fr-secret_file"
-  "grafana-smtp_password_file"
  "grafana-oauth_client_secret_file"
+  "grafana-smtp_password_file"
  "hedgedoc-environment_file"
  "librenms-database_password_file"
  "librenms-environment_file"
  "mastodon-extra_env_file"
+  "mastodon-smtp-password"
  "nextcloud-adminpass_file"
  "nextcloud-s3_secret_file"
  "outline-oidc_client_secret_file"
  "outline-smtp_password_file"
  "outline-storage_secret_key_file"
-  "radius-auth_token_file"
-  "radius-ca_pem_file"
-  "radius-cert_pem_file"
-  "radius-dh_pem_file"
-  "radius-key_pem_file"
-  "radius-private_key_password_file"
+  "plausible-admin_user_password_file"
+  "plausible-secret_key_base_file"
+  "plausible-smtp_password_file"
  "satosa-env_file"
+  "signal-irc-bridge-config"
  "telegraf-environment_file"
  "vaultwarden-environment_file"
  "zammad-secret_key_base_file"
--- a/machines/compute01/secrets/signal-irc-bridge-config
+++ b/machines/compute01/secrets/signal-irc-bridge-config
@ -0,0 +1,29 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA Io/zqmrxU05V3yhgyGySW5f2hlQdBOqzXzv2I5x+nVs
+O5szAc5hiv4Kw+Xo90mhst3vGLqhtqSuaKxPTkCQCJw
+-> ssh-ed25519 QlRB9Q 9gQ+5aCcW+gi30S20om5+Zign9zXfgKlG9/59a2rdl4
+nXyckLZ6zNdG096GAPlK/gyold3XxOqeKB1Kiy/BCmI
+-> ssh-ed25519 r+nK/Q nctFMke6IvbEII3/Mq7wq9Cb30GO1yBqePJXdOFjExs
+fMEbZoSsvMiFS2wHD0RCcSqbigmFHCnhEagXDTYBIW8
+-> ssh-rsa krWCLQ
+i7lgxs2DFU6OYdR0wC9NBJAUrYOarTpIBu8JiQKKTymkGauTtpCkOgakEF7N/TLd
+1KFX6ww2lhmGwgi/4qYK5R21geqbLaogm5LsSrWgwI+nAqzAasD30i4MYWSfd1PS
+kewXfRmMOUc2feMN/FiLDlyxxdg3DQImEwwAUq3k4F7W7/ggi4qPKzqzGhlOG1kB
+Ma05hLsOhTVwbyRQzf9MFDUypYJ8KRsV5/rdxnGzTaJLlYbNoQpIG3lQZelggGpS
+N6f5kz0fHRkTqCrINJpmLVkvQDbNNDslsDcr86O0LEI7NPrBry5fUSxI+YOzCJCu
+3xnkIiYlcua2WGEXNd6vPQ
+-> ssh-ed25519 /vwQcQ L9OynFtsmYWQBB/PKHsJ4B2mdUFk8wkuPzaKBmvKERc
+LPHLANWrv90EFdF+cXEOFnOf1XaLWeyEDij+DYVrDJM
+-> ssh-ed25519 0R97PA 49YuJOzGjfLe8RixCtw8Z/EEngEGyNRQjb6sDXESQyM
+ICCw8XFpzJjZpOayDR6uoHqdv0vuEVg1uQyNrNONj8s
+-> ssh-ed25519 JGx7Ng fESc17fhVuC9dfNvDZKLq5EheYw+ufw0hpJqeDffxSE
+CWRV2wnZYh/bK5xgCDUASUmYMWSLbTXqnD1TFcbEHUU
+-> ssh-ed25519 5SY7Kg DgOrBwnV6Uxc5dMcNSR57HSgTW5DsG9Y9kcNYNevMGw
+W0HtwhGJ2jiU9jrfvGoEXthZ3ewxAL8ERNOUYSgWI1A
+-> ssh-ed25519 p/Mg4Q doo+f6eD3s2uoMwekzHcUFCsls8gNZjiI0Nyyd1sClA
+NZnBQy9PJeabIwp6N7D85sI/UbCIcC7FzQALoNOD5h0
+-> ssh-ed25519 tDqJRg tVVtvHVf/l4k+vr5A81tKTff49Rn1L1lrONq1DaGxDk
+vskCx+/l45iAtB8Mn6S9T7I0rKEGgesDfqBrrT0wewU
+--- HQzVXwtwdHyjKCBSbBOTiytzpLVc1eBCZZgW7sIgFEI
+9˜†%}‹/JÞ„U»cMä8É<38>ç™`®=%¿ÝîN}
è9tñœÇ§‰¡‹¨‰rî§°Œ}ˆ½KÿøžqøëO5GlùÑct’#"	Ò[Yw½e‰<65>_ûtˆ)f3Çòª´ÕGÊ2›¹j„Wý^ìr¹ôYa=ESÓ ýØ,<2C>“‘²Ú“rÐ_„£
ý8E ªª
Ž¬1çî•íÅ‡“sÂ<73>ü–¼<”µŸ‚£0QMU"Œ±Ú’ÅõõË†¬wSúœ4º=ï‰G(ˆ’º<<3C>?iZSW]Œ.pP93±zžl¸OSd·êS¯šçI8Äe×²·Ú7ÃUMù¯< ªº<C2AA>Ýžóì<>?îOc2Z¬Uº Ä•èc²Ã Ô—×7@ÄýôóŠò=¨Zæ™ihC“žXß”QŸcÉ¹[èo=kÏòñËÞL"ZÍ/uê´q
ÛGä›–çó
Ú[<5B>–ú,£«i×Ãäs<C3A4>Jÿ•=GBç~^€Ù'Aý´èÕ±©¹í*giÝ|Ý*ù’N·ÿŠË‘a]º˜áäši|áÔŽP'_(½±ÂQLŽØl„O 0ŠÈÛ´
+P94Ï¨äÛF½]³¡È{Öºeç4ý[McQu‚ÎÞî«¥JwÈƒ¼Ê“÷•ÁÛX@RÙÑÛŒú‰5M•Ý£‹V<E280B9>rjÇ—ó<E28094>„—½¢Ÿó7<C3B3>[¨8qÐb
--- a/machines/compute01/signal-irc-bridge.nix
+++ b/machines/compute01/signal-irc-bridge.nix
@ -0,0 +1,22 @@
+{
+  config,
+  sources,
+  nixpkgs,
+  ...
+}:
+{
+  imports = [ (import (sources.signal-irc-bridge.outPath + "/module.nix")) ];
+
+  services.signal-irc-bridge = {
+    enable = true;
+    package = nixpkgs.unstable.callPackage (sources.signal-irc-bridge.outPath + "/package.nix") { };
+    configFile = config.age.secrets."signal-irc-bridge-config".path;
+  };
+
+  services.nginx.virtualHosts."bridge.dgnum.eu" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/files/".alias = "/var/lib/signal-irc/hermes-media/";
+  };
+  users.users.nginx.extraGroups = [ "signal-irc" ];
+}
--- a/machines/compute01/stirling-pdf/01-spotless.patch
+++ b/machines/compute01/stirling-pdf/01-spotless.patch
@ -0,0 +1,35 @@
+diff --git a/build.gradle b/build.gradle
+index 78901d8e..3a14ceee 100644
+--- a/build.gradle
+++ b/build.gradle
+@@ -70,20 +70,6 @@ launch4j {
+   messagesInstanceAlreadyExists="Stirling-PDF is already running."
+ }
+ 
+-spotless {
+-    java {
+-        target project.fileTree('src/main/java')
+-
+-        googleJavaFormat('1.19.1').aosp().reorderImports(false)
+-
+-        importOrder('java', 'javax', 'org', 'com', 'net', 'io')
+-        toggleOffOn()
+-        trimTrailingWhitespace()
+-        indentWithSpaces()
+-        endWithNewline()
+-    }
+-}
+-
+ dependencies {
+     //security updates
+     implementation 'ch.qos.logback:logback-classic:1.5.3'
+@@ -171,9 +157,6 @@ dependencies {
+     annotationProcessor 'org.projectlombok:lombok:1.18.32'
+ }
+ 
+-tasks.withType(JavaCompile).configureEach {
+-    dependsOn 'spotlessApply'
+-}
+ compileJava {
+     options.compilerArgs << '-parameters'
+ }
--- a/machines/compute01/stirling-pdf/02-propsfile.patch
+++ b/machines/compute01/stirling-pdf/02-propsfile.patch
@ -0,0 +1,12 @@
+diff --git a/build.gradle b/build.gradle
+index 78901d8e..2e7ff96b 100644
+--- a/build.gradle
+++ b/build.gradle
+@@ -166,6 +166,7 @@ task writeVersion  {
+     def props = new Properties()
+     props.setProperty('version', version)
+     props.store(propsFile.newWriter(), null)
+    propsFile.text = propsFile.readLines().tail().join('\n')
+ }
+ 
+ swaggerhubUpload {
--- a/machines/compute01/stirling-pdf/03-jar-timestamps.patch
+++ b/machines/compute01/stirling-pdf/03-jar-timestamps.patch
@ -0,0 +1,16 @@
+diff --git a/build.gradle b/build.gradle
+index 2e7ff96b..f3a4a15c 100644
+--- a/build.gradle
+++ b/build.gradle
+@@ -21,6 +21,11 @@ repositories {
+     mavenCentral()
+ }
+ 
+tasks.withType(AbstractArchiveTask) {
+    preserveFileTimestamps = false
+    reproducibleFileOrder = true
+}
+
+ licenseReport {
+     renderers = [new JsonReportRenderer()]
+ }
--- a/machines/compute01/stirling-pdf/04-local-maven-deps.patch
+++ b/machines/compute01/stirling-pdf/04-local-maven-deps.patch
@ -0,0 +1,25 @@
+diff --git a/build.gradle b/build.gradle
+index f3a4a15c..61fbd74e 100644
+--- a/build.gradle
+++ b/build.gradle
+@@ -18,7 +18,7 @@ version = '0.26.1'
+ sourceCompatibility = '17'
+ 
+ repositories {
+-    mavenCentral()
+    maven { url '@deps@' }
+ }
+ 
+ tasks.withType(AbstractArchiveTask) {
+diff --git a/settings.gradle b/settings.gradle
+index f8139930..2c87f3cc 100644
+--- a/settings.gradle
+++ b/settings.gradle
+@@ -1 +1,7 @@
+pluginManagement {
+    repositories {
+        maven { url '@deps@' }
+    }
+}
+
+ rootProject.name = 'Stirling-PDF'
--- a/machines/compute01/stirling-pdf/05-java-output-test.patch
+++ b/machines/compute01/stirling-pdf/05-java-output-test.patch
@ -0,0 +1,22 @@
+diff --git a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
+index cab78313..192922f3 100644
+--- a/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
+++ b/src/test/java/stirling/software/SPDF/utils/ProcessExecutorTest.java
+@@ -19,7 +19,7 @@ public class ProcessExecutorTest {
+         processExecutor = ProcessExecutor.getInstance(ProcessExecutor.Processes.LIBRE_OFFICE);
+     }
+ 
+-    @Test
+    /* @Test
+     public void testRunCommandWithOutputHandling() throws IOException, InterruptedException {
+         // Mock the command to execute
+         List<String> command = new ArrayList<>();
+@@ -32,7 +32,7 @@ public class ProcessExecutorTest {
+         // Check the exit code and output messages
+         assertEquals(0, result.getRc());
+         assertNotNull(result.getMessages()); // Check if messages are not null
+-    }
+    } */
+ 
+     @Test
+     public void testRunCommandWithOutputHandling_Error() {
--- a/machines/compute01/stirling-pdf/default.nix
+++ b/machines/compute01/stirling-pdf/default.nix
@ -0,0 +1,42 @@
+{ nixpkgs, ... }:
+
+let
+  ###
+  # How to update:
+  # - clone https://git.dgnum.eu/DGNum/Stirling-PDF
+  # - switch to the branch dgn-v0.X.Y where X.Y is the version in production
+  # - fetch upstream changes up to the tagged release in nixos-unstable
+  # - rebase onto the upstream branch, so that the last commit is "feat: Add DGNum customization"
+  # - push to a new branch dgn-v0.A.B where A.B is the new version
+  # - finally, update the commit hash of the customization patch
+
+  dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
+  port = 8084;
+in
+
+{
+  dgn-web.internalPorts.stirling-pdf = port;
+
+  services.stirling-pdf = {
+    enable = true;
+
+    package = nixpkgs.unstable.stirling-pdf.overrideAttrs (old: {
+      patches = (old.patches or [ ]) ++ [
+        (builtins.fetchurl "https://git.dgnum.eu/DGNum/Stirling-PDF/commit/${dgn-id}.patch")
+      ];
+    });
+
+    domain = "pdf.dgnum.eu";
+    inherit port;
+
+    nginx = {
+      enableACME = true;
+      forceSSL = true;
+    };
+
+    environment = {
+      UI_APP_NAME = "DGNum PDF";
+      SYSTEM_DEFAULT_LOCALE = "fr-FR";
+    };
+  };
+}
--- a/machines/compute01/takumi.nix
+++ b/machines/compute01/takumi.nix
@ -0,0 +1 @@
+_: { dgn-chatops.enable = true; }
--- a/machines/compute01/vaultwarden.nix
+++ b/machines/compute01/vaultwarden.nix
@ -2,6 +2,8 @@

 let
  host = "pass.dgnum.eu";
+  port = 10501;
+  wsPort = 10500;
 in
 {
  services.vaultwarden = {
@ -10,9 +12,9 @@ in
    config = {
      DOMAIN = "https://${host}";
      WEBSOCKET_ENABLED = true;
-      WEBSOCKET_PORT = 10500;
+      WEBSOCKET_PORT = wsPort;
      SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
-      ROCKET_PORT = 10501;
+      ROCKET_PORT = port;
      ROCKET_ADDRESS = "127.0.0.1";
      SIGNUPS_VERIFY = true;
      USE_SYSLOG = true;
@ -31,45 +33,38 @@ in
    environmentFile = config.age.secrets."vaultwarden-environment_file".path;
  };

-  services = {
-    nginx = {
-      enable = true;
+  dgn-web = {
+    internalPorts.vaultwarden-websockets = wsPort;

-      virtualHosts.${host} = {
-        forceSSL = true;
-        enableACME = true;
+    simpleProxies.vaultwarden = {
+      inherit host port;
+      proxyWebsockets = true;

-        locations = {
-          "/" = {
-            proxyPass = "http://127.0.0.1:10501";
-            proxyWebsockets = true;
-          };
+      vhostConfig.locations = {
+        "/notifications/hub" = {
+          proxyPass = "http://127.0.0.1:${builtins.toString port}";
+          proxyWebsockets = true;
+        };

-          "/notifications/hub" = {
-            proxyPass = "http://127.0.0.1:10500";
-            proxyWebsockets = true;
-          };
-
-          "/notifications/hub/negotiate" = {
-            proxyPass = "http://127.0.0.1:10501";
-            proxyWebsockets = true;
-          };
+        "/notifications/hub/negotiate" = {
+          proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";
+          proxyWebsockets = true;
        };
      };
    };
+  };

-    postgresql = {
-      enable = true;
+  services.postgresql = {
+    enable = true;

-      ensureDatabases = [ "vaultwarden" ];
+    ensureDatabases = [ "vaultwarden" ];

-      ensureUsers = [
-        {
-          name = "vaultwarden";
-          ensureDBOwnership = true;
-        }
-      ];
-    };
+    ensureUsers = [
+      {
+        name = "vaultwarden";
+        ensureDBOwnership = true;
+      }
+    ];
  };

  dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];
--- a/machines/geo01/secrets/secrets.nix
+++ b/machines/geo01/secrets/secrets.nix
@ -1,5 +1,3 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "geo01";
-in
-lib.setDefault { inherit publicKeys; } [ ]
+(import ../../../keys).mkSecrets [ "geo01" ] [
+  # List of secrets for geo01
+]
--- a/machines/geo02/secrets/secrets.nix
+++ b/machines/geo02/secrets/secrets.nix
@ -1,5 +1,3 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "geo02";
-in
-lib.setDefault { inherit publicKeys; } [ ]
+(import ../../../keys).mkSecrets [ "geo02" ] [
+  # List of secrets for geo02
+]
--- a/machines/rescue01/_configuration.nix
+++ b/machines/rescue01/_configuration.nix
@ -3,7 +3,7 @@
 lib.extra.mkConfig {
  enabledModules = [
    # List of modules to enable
-    "dgn-fail2ban"
+    "dgn-web"
  ];

  enabledServices = [
@ -12,11 +12,6 @@ lib.extra.mkConfig {
  ];

  extraConfig = {
-    dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
-      "sshd-bruteforce"
-      "sshd-timeout"
-    ];
-
    services.netbird.enable = true;
  };

--- a/machines/rescue01/secrets/secrets.nix
+++ b/machines/rescue01/secrets/secrets.nix
@ -1,5 +1,4 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "rescue01";
-in
-lib.setDefault { inherit publicKeys; } [ ]
+(import ../../../keys).mkSecrets [ "rescue01" ] [
+  # List of secrets for rescue01
+  "stateless-uptime-kuma-password"
+]
--- a/machines/rescue01/secrets/stateless-uptime-kuma-password
+++ b/machines/rescue01/secrets/stateless-uptime-kuma-password
@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 jIXfPA wZdqi7vBlMEOJiY1VvbsmqyBSO/jl6SWLRGw+0ylKWo
+UvKyh4Jh608Z9i9+6WuPu3mwnlC98aAr6jiV38JJGzk
+-> ssh-ed25519 QlRB9Q +DUjR2Wqwg2SevBY+YgvLEDkcnoWGRTfcVFbl27CQT4
+poWQnP4cOQGc5Xhgrgz2KKEOJ8dB+iCcqME5D/zJv5c
+-> ssh-ed25519 r+nK/Q GsidIKDaPJmx8igrgoAbWGywJQB0nV/cY8Zm0CIByho
+m4HrxUhPkp7gahyLO2gfQUnglkB715jaCrADg77ns34
+-> ssh-rsa krWCLQ
+VwNy3N6+l3Vgpo8AK7cJ2gRmHa+oBtB4w3n+E8gn7sugcEB16NDtjK861zwszUq7
+OfOPUZ5mE+RWz20XYWPAJIPEYNaiqc5vJzguFvZdlyJNInJLxANlIaHydE1AGA9v
+l07t9PAxxV5L40EiPHxjveEKaKiAAJVbWWfILX9f4U5vjKy5729IE/3aTRUbTD/M
+CXINLnzFWwDLi3x2yBrGUly2mLIb4KyDuE8jnPmtCFveKsVxVsDEeiXvi0yeT+xM
+viGvXJ9Ad6tAug4BE2suqwG1iPHsa98pFBqYM8gG2rp2WOFhzs0emkTu5LGYJOMr
+VR39Qxcdp1WjPr9e+l/MDQ
+-> ssh-ed25519 /vwQcQ GBXHQzwSFS+abM91umquafIEcUoI407reSuULz7SGGY
+WpW9aHq2Eq8pXpvGsEKoByQLj0tr04GxNQrf09ronrY
+-> ssh-ed25519 0R97PA BxlIEcd6G5GDLUxgoTzyUqRRxGIx49YCZSvzjVIBdjw
+oDqUd2O+oBdDrOvrQysdptF1LuvXK/dKurFnHUjgNfk
+-> ssh-ed25519 JGx7Ng Km6PmwRZ9HfGjEhkgb8P+ZCt+B/C+jg9bcvdwBvrS0Q
+D+UC5nkMnpYuJtz5X30iF1avU+jlEy4zOEPkyj5o2x8
+-> ssh-ed25519 5SY7Kg 3tf/eLI3ngqilOfEz8fayTDHWHNd14ANJTSt5lz1yDM
+QUhDPYuiZ9YloKgYqY5UdMVmawyMAOS/T4jbpvsNJpI
+-> ssh-ed25519 p/Mg4Q h/8lvmwcmoyTa6vW0N2AbgKt/dpNNqVmRW02NaYl7Wo
+OaFeo+ZPa2LY5zRJzv/exq4bv734FxZwX3ql1kpv5bk
+-> ssh-ed25519 +MNHsw iaiHp0x4Xzf886Q0Li6IleeO3wZUAQbYFHxn0jzdCk0
+W4gaBtwKPbonB2g9+Ts+teXPEPoWDCVoVn1vixiQ+7M
+--- 1ACvcwsxZKnjgKRAzJy8e4eBtxZXrwe00wPdDlMWnBo
+Œ<ƒ¼î|ë=©r<2Ÿµ.>ÃÇ~,5J²Ä … àé[ºë^+Í¸Z‰ñj›á×=Ï<Ï%Útë®ª
--- a/machines/rescue01/uptime-kuma.nix
+++ b/machines/rescue01/uptime-kuma.nix
@ -1,26 +1,156 @@
+{
+  config,
+  lib,
+  nodes,
+  sources,
+  ...
+}:
 let
+  inherit (lib)
+    concatLists
+    mapAttrsToList
+    mkForce
+    mkMerge
+    ;
+
+  inherit (config.statelessUptimeKuma.lib)
+    pingProbesFromHive
+    fromHive
+    httpProbesFromConfig
+    probesWithTag
+    ;
+
+  probesCfg = config.statelessUptimeKuma.probesConfig;
+
+  mkMonitors = name: builtins.attrNames (probesWithTag { inherit name; } probesCfg);
+
  host = "status.dgnum.eu";

  port = 3001;
-in
-{
-  services.uptime-kuma.enable = true;

-  services.nginx = {
-    enable = true;
+  httpExcludes = [
+    "localhost"
+    "ens.cal.dgnum.eu"
+    "luj-current.cal.dgnum.eu"
+    "s3.dgnum.eu"
+    "cdn.dgnum.eu"
+    "saml-idp.dgnum.eu"
+    "status.dgnum.eu"
+    "radius.dgnum.eu"
+  ] ++ (concatLists (mapAttrsToList (_: { config, ... }: config.dgn-redirections.retired) nodes));

-    virtualHosts.${host} = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${builtins.toString port}";
-        proxyWebsockets = true;
+  extraProbes = {
+    monitors = {
+      "prometheus.dgnum.eu" = {
+        type = mkForce "http";
+        accepted_statuscodes = [ "401" ];
+      };
+
+      "ollama01.beta.dgnum.eu" = {
+        type = mkForce "http";
+        accepted_statuscodes = [ "401" ];
+      };
+
+      "s3-admin.dgnum.eu" = {
+        type = mkForce "http";
+        accepted_statuscodes = [ "400" ];
+      };
+
+      "api.meet.dgnum.eu" = {
+        keyword = "Crab Fit API";
      };
    };
  };

-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
+  status_pages = {
+    "dgnum" = {
+      title = "DGNum";
+      description = "Etat de l'infra de la DGNum";
+      showTags = true;
+      publicGroupList = [
+        {
+          name = "Services";
+          weight = 1;
+          monitorList = mkMonitors "Service";
+        }
+        {
+          name = "Serveurs";
+          weight = 2;
+          monitorList = mkMonitors "Ping";
+        }
+        {
+          name = "VPN Interne";
+          weight = 2;
+          monitorList = mkMonitors "VPN";
+        }
+      ];
+    };
+  };
+
+  pingProbes = pingProbesFromHive {
+    inherit nodes;
+    mkHost = _: config: config.networking.fqdn;
+    tags = [ { name = "Ping"; } ];
+    excludes = [
+      "geo01"
+      "geo02"
+      "rescue01"
+    ];
+  };
+
+  vpnProbes = pingProbesFromHive {
+    inherit nodes;
+    prefix = "VPN - ";
+    mkHost = node: _: "${node}.dgnum";
+    tags = [ { name = "VPN"; } ];
+    excludes = [
+      "rescue01"
+      "web02"
+    ];
+  };
+
+  httpProbes = fromHive {
+    inherit nodes;
+    builder =
+      _: module:
+      httpProbesFromConfig {
+        inherit (module) config;
+        tags = [
+          {
+            name = "Host";
+            value = module.config.networking.fqdn;
+          }
+          { name = "Service"; }
+        ];
+        excludes = httpExcludes;
+      };
+  };
+in
+{
+  imports = [ (sources.stateless-uptime-kuma + "/nixos/module.nix") ];
+  nixpkgs.overlays = [ (import (sources.stateless-uptime-kuma + "/overlay.nix")) ];
+
+  services.uptime-kuma.enable = true;
+
+  dgn-web.simpleProxies.uptime-kuma = {
+    inherit host port;
+    proxyWebsockets = true;
+  };
+
+  statelessUptimeKuma = {
+    probesConfig = mkMerge [
+      pingProbes
+      httpProbes
+      extraProbes
+      vpnProbes
+      { inherit status_pages; }
+    ];
+
+    extraFlags = [ "-s" ];
+
+    host = "http://localhost:${builtins.toString port}/";
+    username = "dgnum";
+    passwordFile = config.age.secrets."stateless-uptime-kuma-password".path;
+    enableService = true;
+  };
 }
--- a/machines/storage01/_configuration.nix
+++ b/machines/storage01/_configuration.nix
@ -4,13 +4,12 @@ lib.extra.mkConfig {
  enabledModules = [
    # List of modules to enable
    "dgn-backups"
-    "dgn-fail2ban"
    "dgn-web"
  ];

  enabledServices = [
    # List of services to enable
-    "atticd"
+    "tvix-cache"
    "forgejo"
    "forgejo-runners"
    "garage"
@ -18,11 +17,11 @@ lib.extra.mkConfig {
    "netbird"
    "peertube"
    "prometheus"
+    "redirections"
+    "victoria-metrics"
  ];

  extraConfig = {
-    dgn-fail2ban.jails.sshd-preauth.enabled = true;
-
    dgn-hardware.useZfs = true;

    services.netbird.enable = true;
--- a/machines/storage01/atticd.nix
+++ b/machines/storage01/atticd.nix
@ -1,85 +0,0 @@
-{
-  config,
-  pkgs,
-  sources,
-  ...
-}:
-
-let
-  host = "cachix.dgnum.eu";
-in
-{
-  services = {
-    atticd = {
-      enable = true;
-
-      credentialsFile = config.age.secrets."atticd-credentials_file".path;
-
-      settings = {
-        listen = "127.0.0.1:9090";
-        api-endpoint = "https://${host}/";
-
-        allowed-hosts = [ host ];
-
-        chunking = {
-          # The minimum NAR size to trigger chunking
-          #
-          # If 0, chunking is disabled entirely for newly-uploaded NARs.
-          # If 1, all NARs are chunked.
-          nar-size-threshold = 64 * 1024; # 64 KiB
-
-          # The preferred minimum size of a chunk, in bytes
-          min-size = 16 * 1024; # 16 KiB
-
-          # The preferred average size of a chunk, in bytes
-          avg-size = 64 * 1024; # 64 KiB
-
-          # The preferred maximum size of a chunk, in bytes
-          max-size = 256 * 1024; # 256 KiB
-        };
-
-        database.url = "postgresql://atticd?host=/run/postgresql";
-
-        storage = {
-          type = "s3";
-          region = "garage";
-          bucket = "attic-dgnum";
-          endpoint = "https://s3.dgnum.eu";
-        };
-      };
-
-      useFlakeCompatOverlay = false;
-      package = pkgs.callPackage "${sources.attic}/package.nix" { };
-    };
-
-    nginx = {
-      enable = true;
-
-      virtualHosts.${host} = {
-        enableACME = true;
-        forceSSL = true;
-
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:9090";
-
-          extraConfig = ''
-            client_max_body_size 100M;
-          '';
-        };
-      };
-    };
-
-    postgresql = {
-      enable = true;
-
-      ensureDatabases = [ "atticd" ];
-
-      ensureUsers = [
-        {
-          name = "atticd";
-          ensureDBOwnership = true;
-        }
-      ];
-    };
-  };
-}
--- a/machines/storage01/forgejo-runners.nix
+++ b/machines/storage01/forgejo-runners.nix
@ -1,6 +1,7 @@
 {
  config,
  pkgs,
+  nixpkgs,
  sources,
  ...
 }:
@ -29,6 +30,8 @@ let
        options = "--cpus=4";
      };
    };
+
+  nix-pkgs = import sources.nix-pkgs { inherit pkgs; };
 in
 {
  services.forgejo-nix-runners = {
@ -40,10 +43,10 @@ in
    tokenFile = config.age.secrets."forgejo_runners-token_file".path;

    dependencies = [
-      pkgs.colmena
+      nix-pkgs.colmena
      pkgs.npins
      pkgs.tea
-      (import sources.nixpkgs { }).nixfmt-rfc-style
+      nixpkgs.unstable.nixfmt-rfc-style
    ];

    containerOptions = [ "--cpus=4" ];
--- a/machines/storage01/forgejo.nix
+++ b/machines/storage01/forgejo.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, nixpkgs, ... }:

 let
  port = 3000;
@ -10,7 +10,7 @@ in
      enable = true;

      user = "git";
-      package = pkgs.forgejo;
+      package = nixpkgs.unstable.forgejo;
      stateDir = "/var/lib/git";

      database = {
@ -24,30 +24,18 @@ in
          APP_NAME = "Forge git de la DGNum";
        };

-        server = {
-          ROOT_URL = "https://${host}/";
-          DOMAIN = host;
-          HTTP_ADDRESS = "127.0.0.1";
-          HTTP_PORT = port;
-          APP_DATA_PATH = "/var/lib/git/data";
-        };
-
-        service = {
-          EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
-
-          DISABLE_REGISTRATION = false;
-          REGISTER_EMAIL_CONFIRM = true;
-        };
-
-        log.LEVEL = "Warn";
-
-        ui.THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
-
        actions = {
          ENABLED = true;
          DEFAULT_ACTIONS_URL = "https://gitea.com";
        };

+        admin = {
+          DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
+          SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true;
+        };
+
+        log.LEVEL = "Warn";
+
        mailer = {
          ENABLED = true;
          FROM = "git@infra.dgnum.eu";
@ -56,22 +44,43 @@ in
          SMTP_PORT = 465;
          USER = "web-services@infra.dgnum.eu";
        };
+
+        session = {
+          SESSION_LIFE_TIME = 24 * 3600 * 7;
+          GC_INTERVAL_TIME = 24 * 3600 * 7;
+        };
+
+        server = {
+          ROOT_URL = "https://${host}/";
+          DOMAIN = host;
+          HTTP_ADDRESS = "127.0.0.1";
+          HTTP_PORT = port;
+          APP_DATA_PATH = "/var/lib/git/data";
+          OFFLINE_MODE = false;
+        };
+
+        service = {
+          EMAIL_DOMAIN_ALLOWLIST = "dgnum.eu,*";
+          ENABLE_NOTIFY_MAIL = true;
+
+          DISABLE_REGISTRATION = false;
+          REGISTER_EMAIL_CONFIRM = true;
+        };
+
+        ui.THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
+
+        "cron.cleanup_actions".ENABLED = true;
+        "cron.delete_old_actions".ENABLED = true;
+        "cron.git_gc_repos".ENABLED = true;
+        "cron.update_checker".ENABLED = false;
      };

      mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
    };
+  };

-    nginx = {
-      enable = true;
-
-      virtualHosts.${host} = {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString port}";
-        };
-      };
-    };
+  dgn-web.simpleProxies.forgejo = {
+    inherit host port;
  };

  users.users.git = {
--- a/machines/storage01/garage.nix
+++ b/machines/storage01/garage.nix
@ -1,6 +1,13 @@
-{ config, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 let
+  inherit (lib) mapAttrs' nameValuePair;
+
  host = "s3.dgnum.eu";
  webHost = "cdn.dgnum.eu";

@ -8,49 +15,66 @@ let
  metadata_dir = "/data/fast/garage/meta";

  domains = [
+    "bandarretdurgence.ens.fr"
    "boussole-sante.normalesup.eu"
+    "lanuit.ens.fr"
    "simi.normalesup.eu"
  ];

  buckets = [
+    "monorepo-terraform-state"
+
+    "banda-website"
    "castopod-dgnum"
+    "hackens-website"
+    "nuit-website"
    "peertube-videos-dgnum"
  ] ++ domains;

  mkHosted = host: builtins.map (b: "${b}.${host}");
+
+  ports = {
+    admin_api = 3903;
+    k2v_api = 3904;
+    rpc = 3901;
+    s3_api = 3900;
+    s3_web = 3902;
+  };
 in
 {
+  dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
+
  services.garage = {
    enable = true;

-    package = pkgs.garage_0_9;
+    package = pkgs.garage_1_0_1;

    settings = {
      inherit data_dir metadata_dir;

      db_engine = "lmdb";

-      replication_mode = "none";
+      replication_mode = "none"; # TODO: deprecated
      compression_level = 7;

-      rpc_bind_addr = "[::]:3901";
-      rpc_public_addr = "127.0.0.1:3901";
+      rpc_bind_addr = "[::]:${toString ports.rpc}";
+      rpc_public_addr = "127.0.0.1:${toString ports.rpc}";

      s3_api = {
        s3_region = "garage";
-        api_bind_addr = "127.0.0.1:3900";
+        api_bind_addr = "127.0.0.1:${toString ports.s3_api}";
        root_domain = ".${host}";
      };

      s3_web = {
-        bind_addr = "127.0.0.1:3902";
+        bind_addr = "127.0.0.1:${toString ports.s3_web}";
        root_domain = ".${webHost}";
        index = "index.html";
      };

-      k2v_api.api_bind_addr = "[::]:3904";
+      k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}";

-      admin.api_bind_addr = "0.0.0.0:3903";
+      admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}";
    };

    environmentFile = config.age.secrets."garage-environment_file".path;
@ -62,6 +86,7 @@ in
      data_dir
      metadata_dir
    ];
+    TimeoutSec = 600;
  };

  users.users.garage = {
@ -71,6 +96,17 @@ in
  users.groups.garage = { };

  services.nginx.virtualHosts = {
+    "s3-admin.dgnum.eu" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/".extraConfig = ''
+        proxy_pass http://127.0.0.1:${toString ports.admin_api};
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+      '';
+    };
+
    ${host} = {
      enableACME = true;
      forceSSL = true;
@ -78,7 +114,7 @@ in
      serverAliases = mkHosted host buckets;

      locations."/".extraConfig = ''
-        proxy_pass http://127.0.0.1:3900;
+        proxy_pass http://127.0.0.1:${toString ports.s3_api};
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        # Disable buffering to a temporary file.
@ -94,7 +130,7 @@ in
      serverAliases = domains ++ (mkHosted webHost buckets);

      locations."/".extraConfig = ''
-        proxy_pass http://127.0.0.1:3902;
+        proxy_pass http://127.0.0.1:${toString ports.s3_web};
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
      '';
--- a/Show more
+++ b/Show more
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE020zqMJTlJ73czVxWVNmRof6il+N9dS4Knm43bJSpm`
				`@ -1 +0,0 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris`