fix(keys): Add nixosMachineKeys and rekey

This is needed for secret encryption since netconf and liminix machines
don't have an ssh key for now.

.envrc

@@ -1 +1,2 @@
+watch_file workflows/*
 use nix

.forgejo/workflows/check-meta.yaml

@@ -1,22 +1,21 @@
-name: Check meta
-on:
-  push:
-    paths:
-      - 'meta/*'
-
 jobs:
-  check_meta:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Check the validity of meta options
-        run: nix-build meta/verify.nix -A meta
-
   check_dns:
     runs-on: nix
     steps:
-      - uses: actions/checkout@v3
-
-      - name: Check the validity of the DNS configuration
-        run: nix-build meta/verify.nix -A dns --no-out-link
+    - uses: actions/checkout@v3
+    - name: Check the validity of the DNS configuration
+      run: nix-build meta/verify.nix -A dns
+  check_meta:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - name: Check the validity of meta options
+      run: nix-build meta/verify.nix -A meta
+name: Check meta
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    paths:
+    - meta/*

.forgejo/workflows/check-workflows.yaml

@@ -0,0 +1,16 @@
+jobs:
+  check_workflows:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - name: Check that the workflows are up to date
+      run: nix-shell -A check-workflows --run '[ $(git status --porcelain | wc -l)
+        -eq 0 ]'
+name: Check workflows
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    paths:
+    - workflows/*

.forgejo/workflows/ds-fr.yaml

@@ -1,57 +0,0 @@
-name: ds-fr update
-on:
-  schedule:
-    # Run at 8 o'clock every day
-    - cron: "26 18 * * *"
-
-jobs:
-  npins_update:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-
-      - name: Update DS and open PR if necessary
-        run: |
-          # Fetch the latest release tag
-          VERSION=$(curl -L \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            https://api.github.com/repos/demarches-simplifiees/demarches-simplifiees.fr/releases/latest \
-          | jq -r '.tag_name')
-
-          # Move to the ds-fr directory
-          cd machines/compute01/ds-fr/package
-
-          # Run the update script
-          ./update.sh -v "$VERSION"
-
-          if [ ! -z "$(git diff --name-only)" ]; then
-            echo "[+] Changes detected, pushing updates."
-
-            git switch -C ds-update
-
-            git add .
-
-            git config user.name "DGNum Chores"
-            git config user.email "tech@dgnum.eu"
-
-            git commit --message "chore(ds-fr): Update"
-            git push --set-upstream origin ds-update --force
-
-            # Connect to the server with the cli
-            tea login add \
-              -n dgnum-chores \
-              -t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-              -u https://git.dgnum.eu
-
-            # Create a pull request if needed
-            # i.e. no PR with the same title exists
-            if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(ds-fr): Update dgnum-chores')" ]; then
-              tea pr create \
-                --description "Automatic ds-fr update" \
-                --title "chore(ds-fr): Update" \
-                --head ds-update
-            fi
-          fi

.forgejo/workflows/eval-nodes.yaml

@@ -0,0 +1,185 @@
+jobs:
+  ap01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: ap01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache ap01
+      run: nix-shell -A eval-nodes --run cache-node
+  bridge01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: bridge01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache bridge01
+      run: nix-shell -A eval-nodes --run cache-node
+  compute01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: compute01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache compute01
+      run: nix-shell -A eval-nodes --run cache-node
+  geo01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: geo01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache geo01
+      run: nix-shell -A eval-nodes --run cache-node
+  geo02:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: geo02
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache geo02
+      run: nix-shell -A eval-nodes --run cache-node
+  hypervisor01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: hypervisor01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache hypervisor01
+      run: nix-shell -A eval-nodes --run cache-node
+  hypervisor02:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: hypervisor02
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache hypervisor02
+      run: nix-shell -A eval-nodes --run cache-node
+  hypervisor03:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: hypervisor03
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache hypervisor03
+      run: nix-shell -A eval-nodes --run cache-node
+  netcore02:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: netcore02
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache netcore02
+      run: nix-shell -A eval-nodes --run cache-node
+  rescue01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: rescue01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache rescue01
+      run: nix-shell -A eval-nodes --run cache-node
+  storage01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: storage01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache storage01
+      run: nix-shell -A eval-nodes --run cache-node
+  tower01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: tower01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache tower01
+      run: nix-shell -A eval-nodes --run cache-node
+  vault01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: vault01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache vault01
+      run: nix-shell -A eval-nodes --run cache-node
+  web01:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: web01
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache web01
+      run: nix-shell -A eval-nodes --run cache-node
+  web02:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: web02
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache web02
+      run: nix-shell -A eval-nodes --run cache-node
+  web03:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        BUILD_NODE: web03
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache web03
+      run: nix-shell -A eval-nodes --run cache-node
+name: Build all the nodes
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main

.forgejo/workflows/eval-shell.yaml

@@ -0,0 +1,19 @@
+jobs:
+  build-shell:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - env:
+        STORE_ENDPOINT: https://tvix-store.dgnum.eu/infra-signing/
+        STORE_PASSWORD: ${{ secrets.STORE_PASSWORD }}
+        STORE_USER: admin
+      name: Build and cache shell
+      run: nix-shell -A eval-shell --run "nix-build-and-cache -A devShell"
+name: Build the shell
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main

.forgejo/workflows/eval.yaml

@@ -1,70 +0,0 @@
-name: build configuration
-on:
-  pull_request:
-    types: [opened, synchronize, edited, reopened]
-    branches:
-      - main
-  push:
-    branches:
-      - main
-
-jobs:
-  build_compute01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build compute01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on compute01'
-
-  build_storage01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build storage01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on storage01'
-
-  build_vault01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build vault01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on vault01'
-
-  build_web01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build web01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on web01'
-
-  build_web02:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build web02
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on web02'
-
-  build_rescue01:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Build rescue01
-        run: |
-          # Enter the shell
-          nix-shell --run 'colmena build --on rescue01'

.forgejo/workflows/lint.yaml

@@ -1,11 +0,0 @@
-name: lint
-on: push
-
-jobs:
-  check:
-    runs-on: nix
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Run pre-commit on all files
-        run: nix-shell --run 'pre-commit run --all-files --show-diff-on-failure' -A shells.pre-commit ./.

.forgejo/workflows/npins-update.yaml

@@ -0,0 +1,28 @@
+jobs:
+  npins_update:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
+    - env:
+        GIT_AUTHOR_EMAIL: tech@dgnum.eu
+        GIT_AUTHOR_NAME: DGNum Chores
+        GIT_COMMITTER_EMAIL: tech@dgnum.eu
+        GIT_COMMITTER_NAME: DGNum Chores
+      name: Update dependencies and open PR if necessary
+      run: "npins update\n\nif [ ! -z \"$(git diff --name-only)\" ]; then\n  echo
+        \"[+] Changes detected, pushing updates.\"\n\n  git switch -C npins-update\n\
+        \n  git add npins\n\n  git commit --message \"chore(npins): Update\"\n  git
+        push --set-upstream origin npins-update --force\n\n  # Connect to the server
+        with the cli\n  tea login add \\\n    -n dgnum-chores \\\n    -t \"${{ secrets.TEA_DGNUM_CHORES_TOKEN
+        }}\" \\\n    -u https://git.dgnum.eu\n\n  # Create a pull request if needed\n\
+        \  # i.e. no PR with the same title exists\n  if [ -z \"$(tea pr ls -f='title,author'
+        -o simple | grep 'chore(npins): Update dgnum-chores')\" ]; then\n    tea pr
+        create \\\n      --description \"Automatic npins update\" \\\n      --title
+        \"chore(npins): Update\" \\\n      --head npins-update\n  fi\nfi\n"
+name: npins update
+on:
+  schedule:
+  - cron: 25 15 * * *

.forgejo/workflows/npins.yaml

@@ -1,58 +0,0 @@
-name: npins update
-on:
-  schedule:
-    # Run at 11 o'clock every wednesday
-    - cron: "25 15 * * *"
-
-jobs:
-  npins_update:
-    runs-on: nix
-    steps:
-      # - name: Install applications
-      #   run: apt-get update && apt-get install sudo
-      #
-      - uses: actions/checkout@v3
-        with:
-          depth: 0
-          token: ${{ secrets.TEA_DGNUM_CHORES_TOKEN }}
-      #
-      # - uses: https://github.com/cachix/install-nix-action@v22
-      #   with:
-      #     nix_path: nixpkgs=channel:nixos-unstable
-
-      # - name: Install tea
-      #   run: |
-      #     nix-env -f '<nixpkgs>' -i tea
-
-      - name: Update dependencies and open PR if necessary
-        run: |
-          npins update
-
-          if [ ! -z "$(git diff --name-only)" ]; then
-            echo "[+] Changes detected, pushing updates."
-
-            git switch -C npins-update
-
-            git add npins
-
-            git config user.name "DGNum Chores"
-            git config user.email "tech@dgnum.eu"
-
-            git commit --message "chore(npins): Update"
-            git push --set-upstream origin npins-update --force
-
-            # Connect to the server with the cli
-            tea login add \
-              -n dgnum-chores \
-              -t '${{ secrets.TEA_DGNUM_CHORES_TOKEN }}' \
-              -u https://git.dgnum.eu
-
-            # Create a pull request if needed
-            # i.e. no PR with the same title exists
-            if [ -z "$(tea pr ls -f='title,author' -o simple | grep 'chore(npins): Update dgnum-chores')" ]; then
-              tea pr create \
-                --description "Automatic npins update" \
-                --title "chore(npins): Update" \
-                --head npins-update
-            fi
-          fi

.forgejo/workflows/pre-commit.yaml

@@ -0,0 +1,15 @@
+jobs:
+  pre-commit:
+    runs-on: nix
+    steps:
+    - uses: actions/checkout@v3
+    - name: Check stage pre-commit
+      run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
+        pre-commit --show-diff-on-failure'
+    - name: Check stage pre-push
+      run: nix-shell -A pre-commit --run 'pre-commit run --all-files --hook-stage
+        pre-push --show-diff-on-failure'
+name: Run pre-commit on all files
+on:
+- push
+- pull_request

CONTRIBUTE.md

@@ -1,3 +1,9 @@
+<!--
+SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+
+SPDX-License-Identifier: EUPL-1.2
+-->
+
 # Contribuer
 
 Quelques éléments à savoir:

LICENSE

@@ -1,547 +0,0 @@
-  CONTRAT DE LICENCE DE LOGICIEL LIBRE CeCILL
-
-Version 2.1 du 2013-06-21
-
-
-    Avertissement
-
-Ce contrat est une licence de logiciel libre issue d'une concertation
-entre ses auteurs afin que le respect de deux grands principes préside à
-sa rédaction:
-
-  * d'une part, le respect des principes de diffusion des logiciels
-    libres: accès au code source, droits étendus conférés aux utilisateurs,
-  * d'autre part, la désignation d'un droit applicable, le droit
-    français, auquel elle est conforme, tant au regard du droit de la
-    responsabilité civile que du droit de la propriété intellectuelle et
-    de la protection qu'il offre aux auteurs et titulaires des droits
-    patrimoniaux sur un logiciel.
-
-Les auteurs de la licence CeCILL (Ce[a] C[nrs] I[nria] L[ogiciel] L[ibre])
-sont:
-
-Commissariat à l'énergie atomique et aux énergies alternatives - CEA,
-établissement public de recherche à caractère scientifique, technique et
-industriel, dont le siège est situé 25 rue Leblanc, immeuble Le Ponant
-D, 75015 Paris.
-
-Centre National de la Recherche Scientifique - CNRS, établissement
-public à caractère scientifique et technologique, dont le siège est
-situé 3 rue Michel-Ange, 75794 Paris cedex 16.
-
-Institut National de Recherche en Informatique et en Automatique -
-Inria, établissement public à caractère scientifique et technologique,
-dont le siège est situé Domaine de Voluceau, Rocquencourt, BP 105, 78153
-Le Chesnay cedex.
-
-
-    Préambule
-
-Ce contrat est une licence de logiciel libre dont l'objectif est de
-conférer aux utilisateurs la liberté de modification et de
-redistribution du logiciel régi par cette licence dans le cadre d'un
-modèle de diffusion en logiciel libre.
-
-L'exercice de ces libertés est assorti de certains devoirs à la charge
-des utilisateurs afin de préserver ce statut au cours des
-redistributions ultérieures.
-
-L'accessibilité au code source et les droits de copie, de modification
-et de redistribution qui en découlent ont pour contrepartie de n'offrir
-aux utilisateurs qu'une garantie limitée et de ne faire peser sur
-l'auteur du logiciel, le titulaire des droits patrimoniaux et les
-concédants successifs qu'une responsabilité restreinte.
-
-A cet égard l'attention de l'utilisateur est attirée sur les risques
-associés au chargement, à l'utilisation, à la modification et/ou au
-développement et à la reproduction du logiciel par l'utilisateur étant
-donné sa spécificité de logiciel libre, qui peut le rendre complexe à
-manipuler et qui le réserve donc à des développeurs ou des
-professionnels avertis possédant des connaissances informatiques
-approfondies. Les utilisateurs sont donc invités à charger et tester
-l'adéquation du logiciel à leurs besoins dans des conditions permettant
-d'assurer la sécurité de leurs systèmes et/ou de leurs données et, plus
-généralement, à l'utiliser et l'exploiter dans les mêmes conditions de
-sécurité. Ce contrat peut être reproduit et diffusé librement, sous
-réserve de le conserver en l'état, sans ajout ni suppression de clauses.
-
-Ce contrat est susceptible de s'appliquer à tout logiciel dont le
-titulaire des droits patrimoniaux décide de soumettre l'exploitation aux
-dispositions qu'il contient.
-
-Une liste de questions fréquemment posées se trouve sur le site web
-officiel de la famille des licences CeCILL
-(http://www.cecill.info/index.fr.html) pour toute clarification qui
-serait nécessaire.
-
-
-    Article 1 - DEFINITIONS
-
-Dans ce contrat, les termes suivants, lorsqu'ils seront écrits avec une
-lettre capitale, auront la signification suivante:
-
-Contrat: désigne le présent contrat de licence, ses éventuelles versions
-postérieures et annexes.
-
-Logiciel: désigne le logiciel sous sa forme de Code Objet et/ou de Code
-Source et le cas échéant sa documentation, dans leur état au moment de
-l'acceptation du Contrat par le Licencié.
-
-Logiciel Initial: désigne le Logiciel sous sa forme de Code Source et
-éventuellement de Code Objet et le cas échéant sa documentation, dans
-leur état au moment de leur première diffusion sous les termes du Contrat.
-
-Logiciel Modifié: désigne le Logiciel modifié par au moins une
-Contribution.
-
-Code Source: désigne l'ensemble des instructions et des lignes de
-programme du Logiciel et auquel l'accès est nécessaire en vue de
-modifier le Logiciel.
-
-Code Objet: désigne les fichiers binaires issus de la compilation du
-Code Source.
-
-Titulaire: désigne le ou les détenteurs des droits patrimoniaux d'auteur
-sur le Logiciel Initial.
-
-Licencié: désigne le ou les utilisateurs du Logiciel ayant accepté le
-Contrat.
-
-Contributeur: désigne le Licencié auteur d'au moins une Contribution.
-
-Concédant: désigne le Titulaire ou toute personne physique ou morale
-distribuant le Logiciel sous le Contrat.
-
-Contribution: désigne l'ensemble des modifications, corrections,
-traductions, adaptations et/ou nouvelles fonctionnalités intégrées dans
-le Logiciel par tout Contributeur, ainsi que tout Module Interne.
-
-Module: désigne un ensemble de fichiers sources y compris leur
-documentation qui permet de réaliser des fonctionnalités ou services
-supplémentaires à ceux fournis par le Logiciel.
-
-Module Externe: désigne tout Module, non dérivé du Logiciel, tel que ce
-Module et le Logiciel s'exécutent dans des espaces d'adressage
-différents, l'un appelant l'autre au moment de leur exécution.
-
-Module Interne: désigne tout Module lié au Logiciel de telle sorte
-qu'ils s'exécutent dans le même espace d'adressage.
-
-GNU GPL: désigne la GNU General Public License dans sa version 2 ou
-toute version ultérieure, telle que publiée par Free Software Foundation
-Inc.
-
-GNU Affero GPL: désigne la GNU Affero General Public License dans sa
-version 3 ou toute version ultérieure, telle que publiée par Free
-Software Foundation Inc.
-
-EUPL: désigne la Licence Publique de l'Union européenne dans sa version
-1.1 ou toute version ultérieure, telle que publiée par la Commission
-Européenne.
-
-Parties: désigne collectivement le Licencié et le Concédant.
-
-Ces termes s'entendent au singulier comme au pluriel.
-
-
-    Article 2 - OBJET
-
-Le Contrat a pour objet la concession par le Concédant au Licencié d'une
-licence non exclusive, cessible et mondiale du Logiciel telle que
-définie ci-après à l'article 5 <#etendue> pour toute la durée de
-protection des droits portant sur ce Logiciel.
-
-
-    Article 3 - ACCEPTATION
-
-3.1 L'acceptation par le Licencié des termes du Contrat est réputée
-acquise du fait du premier des faits suivants:
-
-  * (i) le chargement du Logiciel par tout moyen notamment par
-    téléchargement à partir d'un serveur distant ou par chargement à
-    partir d'un support physique;
-  * (ii) le premier exercice par le Licencié de l'un quelconque des
-    droits concédés par le Contrat.
-
-3.2 Un exemplaire du Contrat, contenant notamment un avertissement
-relatif aux spécificités du Logiciel, à la restriction de garantie et à
-la limitation à un usage par des utilisateurs expérimentés a été mis à
-disposition du Licencié préalablement à son acceptation telle que
-définie à l'article 3.1 <#acceptation-acquise> ci dessus et le Licencié
-reconnaît en avoir pris connaissance.
-
-
-    Article 4 - ENTREE EN VIGUEUR ET DUREE
-
-
-      4.1 ENTREE EN VIGUEUR
-
-Le Contrat entre en vigueur à la date de son acceptation par le Licencié
-telle que définie en 3.1 <#acceptation-acquise>.
-
-
-      4.2 DUREE
-
-Le Contrat produira ses effets pendant toute la durée légale de
-protection des droits patrimoniaux portant sur le Logiciel.
-
-
-    Article 5 - ETENDUE DES DROITS CONCEDES
-
-Le Concédant concède au Licencié, qui accepte, les droits suivants sur
-le Logiciel pour toutes destinations et pour la durée du Contrat dans
-les conditions ci-après détaillées.
-
-Par ailleurs, si le Concédant détient ou venait à détenir un ou
-plusieurs brevets d'invention protégeant tout ou partie des
-fonctionnalités du Logiciel ou de ses composants, il s'engage à ne pas
-opposer les éventuels droits conférés par ces brevets aux Licenciés
-successifs qui utiliseraient, exploiteraient ou modifieraient le
-Logiciel. En cas de cession de ces brevets, le Concédant s'engage à
-faire reprendre les obligations du présent alinéa aux cessionnaires.
-
-
-      5.1 DROIT D'UTILISATION
-
-Le Licencié est autorisé à utiliser le Logiciel, sans restriction quant
-aux domaines d'application, étant ci-après précisé que cela comporte:
-
- 1.
-
-    la reproduction permanente ou provisoire du Logiciel en tout ou
-    partie par tout moyen et sous toute forme.
-
- 2.
-
-    le chargement, l'affichage, l'exécution, ou le stockage du Logiciel
-    sur tout support.
-
- 3.
-
-    la possibilité d'en observer, d'en étudier, ou d'en tester le
-    fonctionnement afin de déterminer les idées et principes qui sont à
-    la base de n'importe quel élément de ce Logiciel; et ceci, lorsque
-    le Licencié effectue toute opération de chargement, d'affichage,
-    d'exécution, de transmission ou de stockage du Logiciel qu'il est en
-    droit d'effectuer en vertu du Contrat.
-
-
-      5.2 DROIT D'APPORTER DES CONTRIBUTIONS
-
-Le droit d'apporter des Contributions comporte le droit de traduire,
-d'adapter, d'arranger ou d'apporter toute autre modification au Logiciel
-et le droit de reproduire le logiciel en résultant.
-
-Le Licencié est autorisé à apporter toute Contribution au Logiciel sous
-réserve de mentionner, de façon explicite, son nom en tant qu'auteur de
-cette Contribution et la date de création de celle-ci.
-
-
-      5.3 DROIT DE DISTRIBUTION
-
-Le droit de distribution comporte notamment le droit de diffuser, de
-transmettre et de communiquer le Logiciel au public sur tout support et
-par tout moyen ainsi que le droit de mettre sur le marché à titre
-onéreux ou gratuit, un ou des exemplaires du Logiciel par tout procédé.
-
-Le Licencié est autorisé à distribuer des copies du Logiciel, modifié ou
-non, à des tiers dans les conditions ci-après détaillées.
-
-
-        5.3.1 DISTRIBUTION DU LOGICIEL SANS MODIFICATION
-
-Le Licencié est autorisé à distribuer des copies conformes du Logiciel,
-sous forme de Code Source ou de Code Objet, à condition que cette
-distribution respecte les dispositions du Contrat dans leur totalité et
-soit accompagnée:
-
- 1.
-
-    d'un exemplaire du Contrat,
-
- 2.
-
-    d'un avertissement relatif à la restriction de garantie et de
-    responsabilité du Concédant telle que prévue aux articles 8
-    <#responsabilite> et 9 <#garantie>,
-
-et que, dans le cas où seul le Code Objet du Logiciel est redistribué,
-le Licencié permette un accès effectif au Code Source complet du
-Logiciel pour une durée d'au moins 3 ans à compter de la distribution du
-logiciel, étant entendu que le coût additionnel d'acquisition du Code
-Source ne devra pas excéder le simple coût de transfert des données.
-
-
-        5.3.2 DISTRIBUTION DU LOGICIEL MODIFIE
-
-Lorsque le Licencié apporte une Contribution au Logiciel, les conditions
-de distribution du Logiciel Modifié en résultant sont alors soumises à
-l'intégralité des dispositions du Contrat.
-
-Le Licencié est autorisé à distribuer le Logiciel Modifié, sous forme de
-code source ou de code objet, à condition que cette distribution
-respecte les dispositions du Contrat dans leur totalité et soit
-accompagnée:
-
- 1.
-
-    d'un exemplaire du Contrat,
-
- 2.
-
-    d'un avertissement relatif à la restriction de garantie et de
-    responsabilité du Concédant telle que prévue aux articles 8
-    <#responsabilite> et 9 <#garantie>,
-
-et, dans le cas où seul le code objet du Logiciel Modifié est redistribué,
-
- 3.
-
-    d'une note précisant les conditions d'accès effectif au code source
-    complet du Logiciel Modifié, pendant une période d'au moins 3 ans à
-    compter de la distribution du Logiciel Modifié, étant entendu que le
-    coût additionnel d'acquisition du code source ne devra pas excéder
-    le simple coût de transfert des données.
-
-
-        5.3.3 DISTRIBUTION DES MODULES EXTERNES
-
-Lorsque le Licencié a développé un Module Externe les conditions du
-Contrat ne s'appliquent pas à ce Module Externe, qui peut être distribué
-sous un contrat de licence différent.
-
-
-        5.3.4 COMPATIBILITE AVEC D'AUTRES LICENCES
-
-Le Licencié peut inclure un code soumis aux dispositions d'une des
-versions de la licence GNU GPL, GNU Affero GPL et/ou EUPL dans le
-Logiciel modifié ou non et distribuer l'ensemble sous les conditions de
-la même version de la licence GNU GPL, GNU Affero GPL et/ou EUPL.
-
-Le Licencié peut inclure le Logiciel modifié ou non dans un code soumis
-aux dispositions d'une des versions de la licence GNU GPL, GNU Affero
-GPL et/ou EUPL et distribuer l'ensemble sous les conditions de la même
-version de la licence GNU GPL, GNU Affero GPL et/ou EUPL.
-
-
-    Article 6 - PROPRIETE INTELLECTUELLE
-
-
-      6.1 SUR LE LOGICIEL INITIAL
-
-Le Titulaire est détenteur des droits patrimoniaux sur le Logiciel
-Initial. Toute utilisation du Logiciel Initial est soumise au respect
-des conditions dans lesquelles le Titulaire a choisi de diffuser son
-oeuvre et nul autre n'a la faculté de modifier les conditions de
-diffusion de ce Logiciel Initial.
-
-Le Titulaire s'engage à ce que le Logiciel Initial reste au moins régi
-par le Contrat et ce, pour la durée visée à l'article 4.2 <#duree>.
-
-
-      6.2 SUR LES CONTRIBUTIONS
-
-Le Licencié qui a développé une Contribution est titulaire sur celle-ci
-des droits de propriété intellectuelle dans les conditions définies par
-la législation applicable.
-
-
-      6.3 SUR LES MODULES EXTERNES
-
-Le Licencié qui a développé un Module Externe est titulaire sur celui-ci
-des droits de propriété intellectuelle dans les conditions définies par
-la législation applicable et reste libre du choix du contrat régissant
-sa diffusion.
-
-
-      6.4 DISPOSITIONS COMMUNES
-
-Le Licencié s'engage expressément:
-
- 1.
-
-    à ne pas supprimer ou modifier de quelque manière que ce soit les
-    mentions de propriété intellectuelle apposées sur le Logiciel;
-
- 2.
-
-    à reproduire à l'identique lesdites mentions de propriété
-    intellectuelle sur les copies du Logiciel modifié ou non.
-
-Le Licencié s'engage à ne pas porter atteinte, directement ou
-indirectement, aux droits de propriété intellectuelle du Titulaire et/ou
-des Contributeurs sur le Logiciel et à prendre, le cas échéant, à
-l'égard de son personnel toutes les mesures nécessaires pour assurer le
-respect des dits droits de propriété intellectuelle du Titulaire et/ou
-des Contributeurs.
-
-
-    Article 7 - SERVICES ASSOCIES
-
-7.1 Le Contrat n'oblige en aucun cas le Concédant à la réalisation de
-prestations d'assistance technique ou de maintenance du Logiciel.
-
-Cependant le Concédant reste libre de proposer ce type de services. Les
-termes et conditions d'une telle assistance technique et/ou d'une telle
-maintenance seront alors déterminés dans un acte séparé. Ces actes de
-maintenance et/ou assistance technique n'engageront que la seule
-responsabilité du Concédant qui les propose.
-
-7.2 De même, tout Concédant est libre de proposer, sous sa seule
-responsabilité, à ses licenciés une garantie, qui n'engagera que lui,
-lors de la redistribution du Logiciel et/ou du Logiciel Modifié et ce,
-dans les conditions qu'il souhaite. Cette garantie et les modalités
-financières de son application feront l'objet d'un acte séparé entre le
-Concédant et le Licencié.
-
-
-    Article 8 - RESPONSABILITE
-
-8.1 Sous réserve des dispositions de l'article 8.2
-<#limite-responsabilite>, le Licencié a la faculté, sous réserve de
-prouver la faute du Concédant concerné, de solliciter la réparation du
-préjudice direct qu'il subirait du fait du Logiciel et dont il apportera
-la preuve.
-
-8.2 La responsabilité du Concédant est limitée aux engagements pris en
-application du Contrat et ne saurait être engagée en raison notamment:
-(i) des dommages dus à l'inexécution, totale ou partielle, de ses
-obligations par le Licencié, (ii) des dommages directs ou indirects
-découlant de l'utilisation ou des performances du Logiciel subis par le
-Licencié et (iii) plus généralement d'un quelconque dommage indirect. En
-particulier, les Parties conviennent expressément que tout préjudice
-financier ou commercial (par exemple perte de données, perte de
-bénéfices, perte d'exploitation, perte de clientèle ou de commandes,
-manque à gagner, trouble commercial quelconque) ou toute action dirigée
-contre le Licencié par un tiers, constitue un dommage indirect et
-n'ouvre pas droit à réparation par le Concédant.
-
-
-    Article 9 - GARANTIE
-
-9.1 Le Licencié reconnaît que l'état actuel des connaissances
-scientifiques et techniques au moment de la mise en circulation du
-Logiciel ne permet pas d'en tester et d'en vérifier toutes les
-utilisations ni de détecter l'existence d'éventuels défauts. L'attention
-du Licencié a été attirée sur ce point sur les risques associés au
-chargement, à l'utilisation, la modification et/ou au développement et à
-la reproduction du Logiciel qui sont réservés à des utilisateurs avertis.
-
-Il relève de la responsabilité du Licencié de contrôler, par tous
-moyens, l'adéquation du produit à ses besoins, son bon fonctionnement et
-de s'assurer qu'il ne causera pas de dommages aux personnes et aux biens.
-
-9.2 Le Concédant déclare de bonne foi être en droit de concéder
-l'ensemble des droits attachés au Logiciel (comprenant notamment les
-droits visés à l'article 5 <#etendue>).
-
-9.3 Le Licencié reconnaît que le Logiciel est fourni "en l'état" par le
-Concédant sans autre garantie, expresse ou tacite, que celle prévue à
-l'article 9.2 <#bonne-foi> et notamment sans aucune garantie sur sa
-valeur commerciale, son caractère sécurisé, innovant ou pertinent.
-
-En particulier, le Concédant ne garantit pas que le Logiciel est exempt
-d'erreur, qu'il fonctionnera sans interruption, qu'il sera compatible
-avec l'équipement du Licencié et sa configuration logicielle ni qu'il
-remplira les besoins du Licencié.
-
-9.4 Le Concédant ne garantit pas, de manière expresse ou tacite, que le
-Logiciel ne porte pas atteinte à un quelconque droit de propriété
-intellectuelle d'un tiers portant sur un brevet, un logiciel ou sur tout
-autre droit de propriété. Ainsi, le Concédant exclut toute garantie au
-profit du Licencié contre les actions en contrefaçon qui pourraient être
-diligentées au titre de l'utilisation, de la modification, et de la
-redistribution du Logiciel. Néanmoins, si de telles actions sont
-exercées contre le Licencié, le Concédant lui apportera son expertise
-technique et juridique pour sa défense. Cette expertise technique et
-juridique est déterminée au cas par cas entre le Concédant concerné et
-le Licencié dans le cadre d'un protocole d'accord. Le Concédant dégage
-toute responsabilité quant à l'utilisation de la dénomination du
-Logiciel par le Licencié. Aucune garantie n'est apportée quant à
-l'existence de droits antérieurs sur le nom du Logiciel et sur
-l'existence d'une marque.
-
-
-    Article 10 - RESILIATION
-
-10.1 En cas de manquement par le Licencié aux obligations mises à sa
-charge par le Contrat, le Concédant pourra résilier de plein droit le
-Contrat trente (30) jours après notification adressée au Licencié et
-restée sans effet.
-
-10.2 Le Licencié dont le Contrat est résilié n'est plus autorisé à
-utiliser, modifier ou distribuer le Logiciel. Cependant, toutes les
-licences qu'il aura concédées antérieurement à la résiliation du Contrat
-resteront valides sous réserve qu'elles aient été effectuées en
-conformité avec le Contrat.
-
-
-    Article 11 - DISPOSITIONS DIVERSES
-
-
-      11.1 CAUSE EXTERIEURE
-
-Aucune des Parties ne sera responsable d'un retard ou d'une défaillance
-d'exécution du Contrat qui serait dû à un cas de force majeure, un cas
-fortuit ou une cause extérieure, telle que, notamment, le mauvais
-fonctionnement ou les interruptions du réseau électrique ou de
-télécommunication, la paralysie du réseau liée à une attaque
-informatique, l'intervention des autorités gouvernementales, les
-catastrophes naturelles, les dégâts des eaux, les tremblements de terre,
-le feu, les explosions, les grèves et les conflits sociaux, l'état de
-guerre...
-
-11.2 Le fait, par l'une ou l'autre des Parties, d'omettre en une ou
-plusieurs occasions de se prévaloir d'une ou plusieurs dispositions du
-Contrat, ne pourra en aucun cas impliquer renonciation par la Partie
-intéressée à s'en prévaloir ultérieurement.
-
-11.3 Le Contrat annule et remplace toute convention antérieure, écrite
-ou orale, entre les Parties sur le même objet et constitue l'accord
-entier entre les Parties sur cet objet. Aucune addition ou modification
-aux termes du Contrat n'aura d'effet à l'égard des Parties à moins
-d'être faite par écrit et signée par leurs représentants dûment habilités.
-
-11.4 Dans l'hypothèse où une ou plusieurs des dispositions du Contrat
-s'avèrerait contraire à une loi ou à un texte applicable, existants ou
-futurs, cette loi ou ce texte prévaudrait, et les Parties feraient les
-amendements nécessaires pour se conformer à cette loi ou à ce texte.
-Toutes les autres dispositions resteront en vigueur. De même, la
-nullité, pour quelque raison que ce soit, d'une des dispositions du
-Contrat ne saurait entraîner la nullité de l'ensemble du Contrat.
-
-
-      11.5 LANGUE
-
-Le Contrat est rédigé en langue française et en langue anglaise, ces
-deux versions faisant également foi.
-
-
-    Article 12 - NOUVELLES VERSIONS DU CONTRAT
-
-12.1 Toute personne est autorisée à copier et distribuer des copies de
-ce Contrat.
-
-12.2 Afin d'en préserver la cohérence, le texte du Contrat est protégé
-et ne peut être modifié que par les auteurs de la licence, lesquels se
-réservent le droit de publier périodiquement des mises à jour ou de
-nouvelles versions du Contrat, qui posséderont chacune un numéro
-distinct. Ces versions ultérieures seront susceptibles de prendre en
-compte de nouvelles problématiques rencontrées par les logiciels libres.
-
-12.3 Tout Logiciel diffusé sous une version donnée du Contrat ne pourra
-faire l'objet d'une diffusion ultérieure que sous la même version du
-Contrat ou une version postérieure, sous réserve des dispositions de
-l'article 5.3.4 <#compatibilite>.
-
-
-    Article 13 - LOI APPLICABLE ET COMPETENCE TERRITORIALE
-
-13.1 Le Contrat est régi par la loi française. Les Parties conviennent
-de tenter de régler à l'amiable les différends ou litiges qui
-viendraient à se produire par suite ou à l'occasion du Contrat.
-
-13.2 A défaut d'accord amiable dans un délai de deux (2) mois à compter
-de leur survenance et sauf situation relevant d'une procédure d'urgence,
-les différends ou litiges seront portés par la Partie la plus diligente
-devant les Tribunaux compétents de Paris.

LICENSES/CC-BY-NC-ND-4.0.txt

@@ -0,0 +1,155 @@
+Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International
+
+  Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible.
+
+Using Creative Commons Public Licenses
+
+Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses.
+
+Considerations for licensors: Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. More considerations for licensors.
+
+Considerations for the public: By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor’s permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. More considerations for the public.
+
+Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License
+
+By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.
+
+Section 1 – Definitions.
+
+     a.	Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.
+
+     b.	Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
+
+     c.	Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
+
+     d.	Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.
+
+     e.	Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.
+
+     f.	Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.
+
+     g.	Licensor means the individual(s) or entity(ies) granting rights under this Public License.
+
+     h.	NonCommercial means not primarily intended for or directed towards commercial advantage or monetary compensation. For purposes of this Public License, the exchange of the Licensed Material for other material subject to Copyright and Similar Rights by digital file-sharing or similar means is NonCommercial provided there is no payment of monetary compensation in connection with the exchange.
+
+     i.	Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.
+
+     j.	Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
+
+     k.	You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
+
+Section 2 – Scope.
+
+     a.	License grant.
+
+          1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
+
+               A. reproduce and Share the Licensed Material, in whole or in part, for NonCommercial purposes only; and
+
+               B. produce and reproduce, but not Share, Adapted Material for NonCommercial purposes only.
+
+          2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
+
+          3. Term. The term of this Public License is specified in Section 6(a).
+
+          4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
+
+          5. Downstream recipients.
+               A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
+
+               B. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
+
+          6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
+
+     b.	Other rights.
+
+          1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
+
+          2. Patent and trademark rights are not licensed under this Public License.
+
+          3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties, including when the Licensed Material is used other than for NonCommercial purposes.
+
+Section 3 – License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the following conditions.
+
+     a.	Attribution.
+
+          1. If You Share the Licensed Material, You must:
+
+               A. retain the following if it is supplied by the Licensor with the Licensed Material:
+
+                    i.	identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
+
+                    ii.	a copyright notice;
+
+                    iii. a notice that refers to this Public License;
+
+                    iv.	a notice that refers to the disclaimer of warranties;
+
+                    v.	a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
+
+               B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
+
+               C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
+
+          For the avoidance of doubt, You do not have permission under this Public License to Share Adapted Material.
+
+          2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
+
+          3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
+
+Section 4 – Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
+
+     a.	for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database for NonCommercial purposes only and provided You do not Share Adapted Material;
+
+     b.	if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and
+
+     c.	You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
+For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.
+
+Section 5 – Disclaimer of Warranties and Limitation of Liability.
+
+     a.	Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.
+
+     b.	To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.
+
+     c.	The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
+
+Section 6 – Term and Termination.
+
+     a.	This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
+
+     b.	Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
+
+          1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
+
+          2. upon express reinstatement by the Licensor.
+
+     For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
+
+     c.	For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
+
+     d.	Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
+
+Section 7 – Other Terms and Conditions.
+
+     a.	The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
+
+     b.	Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.
+
+Section 8 – Interpretation.
+
+     a.	For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
+
+     b.	To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
+
+     c.	No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
+
+     d.	Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
+
+Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at creativecommons.org/policies, Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
+
+Creative Commons may be contacted at creativecommons.org.

LICENSES/CC0-1.0.txt

@@ -0,0 +1,121 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or successor version of such
+     directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty, and any national
+     implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the
+    Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.

LICENSES/EUPL-1.2.txt

@@ -0,0 +1,190 @@
+EUROPEAN UNION PUBLIC LICENCE v. 1.2
+EUPL © the European Union 2007, 2016
+
+This European Union Public Licence (the ‘EUPL’) applies to the Work (as defined below) which is provided under the
+terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such
+use is covered by a right of the copyright holder of the Work).
+The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following
+notice immediately following the copyright notice for the Work:
+                          Licensed under the EUPL
+or has expressed by any other means his willingness to license under the EUPL.
+
+1.Definitions
+In this Licence, the following terms have the following meaning:
+— ‘The Licence’:this Licence.
+— ‘The Original Work’:the work or software distributed or communicated by the Licensor under this Licence, available
+as Source Code and also as Executable Code as the case may be.
+— ‘Derivative Works’:the works or software that could be created by the Licensee, based upon the Original Work or
+modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work
+required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in
+the country mentioned in Article 15.
+— ‘The Work’:the Original Work or its Derivative Works.
+— ‘The Source Code’:the human-readable form of the Work which is the most convenient for people to study and
+modify.
+— ‘The Executable Code’:any code which has generally been compiled and which is meant to be interpreted by
+a computer as a program.
+— ‘The Licensor’:the natural or legal person that distributes or communicates the Work under the Licence.
+— ‘Contributor(s)’:any natural or legal person who modifies the Work under the Licence, or otherwise contributes to
+the creation of a Derivative Work.
+— ‘The Licensee’ or ‘You’:any natural or legal person who makes any usage of the Work under the terms of the
+Licence.
+— ‘Distribution’ or ‘Communication’:any act of selling, giving, lending, renting, distributing, communicating,
+transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential
+functionalities at the disposal of any other natural or legal person.
+
+2.Scope of the rights granted by the Licence
+The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for
+the duration of copyright vested in the Original Work:
+— use the Work in any circumstance and for all usage,
+— reproduce the Work,
+— modify the Work, and make Derivative Works based upon the Work,
+— communicate to the public, including the right to make available or display the Work or copies thereof to the public
+and perform publicly, as the case may be, the Work,
+— distribute the Work or copies thereof,
+— lend and rent the Work or copies thereof,
+— sublicense rights in the Work or copies thereof.
+Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the
+applicable law permits so.
+In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed
+by law in order to make effective the licence of the economic rights here above listed.
+The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the
+extent necessary to make use of the rights granted on the Work under this Licence.
+
+3.Communication of the Source Code
+The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as
+Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with
+each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to
+the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to
+distribute or communicate the Work.
+
+4.Limitations on copyright
+Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the
+exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations
+thereto.
+
+5.Obligations of the Licensee
+The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those
+obligations are the following:
+
+Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to
+the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the
+Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work
+to carry prominent notices stating that the Work has been modified and the date of modification.
+
+Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this
+Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless
+the Original Work is expressly distributed only under this version of the Licence — for example by communicating
+‘EUPL v. 1.2 only’. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the
+Work or Derivative Work that alter or restrict the terms of the Licence.
+
+Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both
+the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done
+under the terms of this Compatible Licence. For the sake of this clause, ‘Compatible Licence’ refers to the licences listed
+in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with
+his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail.
+
+Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide
+a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available
+for as long as the Licensee continues to distribute or communicate the Work.
+Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names
+of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and
+reproducing the content of the copyright notice.
+
+6.Chain of Authorship
+The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or
+licensed to him/her and that he/she has the power and authority to grant the Licence.
+Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or
+licensed to him/her and that he/she has the power and authority to grant the Licence.
+Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions
+to the Work, under the terms of this Licence.
+
+7.Disclaimer of Warranty
+The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work
+and may therefore contain defects or ‘bugs’ inherent to this type of development.
+For the above reason, the Work is provided under the Licence on an ‘as is’ basis and without warranties of any kind
+concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or
+errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this
+Licence.
+This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work.
+
+8.Disclaimer of Liability
+Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be
+liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the
+Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss
+of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However,
+the Licensor will be liable under statutory product liability laws as far such laws apply to the Work.
+
+9.Additional agreements
+While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services
+consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole
+responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify,
+defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by
+the fact You have accepted any warranty or additional liability.
+
+10.Acceptance of the Licence
+The provisions of this Licence can be accepted by clicking on an icon ‘I agree’ placed under the bottom of a window
+displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of
+applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms
+and conditions.
+Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You
+by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution
+or Communication by You of the Work or copies thereof.
+
+11.Information to the public
+In case of any Distribution or Communication of the Work by means of electronic communication by You (for example,
+by offering to download the Work from a remote location) the distribution channel or media (for example, a website)
+must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence
+and the way it may be accessible, concluded, stored and reproduced by the Licensee.
+
+12.Termination of the Licence
+The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms
+of the Licence.
+Such a termination will not terminate the licences of any person who has received the Work from the Licensee under
+the Licence, provided such persons remain in full compliance with the Licence.
+
+13.Miscellaneous
+Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the
+Work.
+If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or
+enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid
+and enforceable.
+The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of
+the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence.
+New versions of the Licence will be published with a unique version number.
+All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take
+advantage of the linguistic version of their choice.
+
+14.Jurisdiction
+Without prejudice to specific agreement between parties,
+— any litigation resulting from the interpretation of this License, arising between the European Union institutions,
+bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice
+of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union,
+— any litigation arising between other parties and resulting from the interpretation of this License, will be subject to
+the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business.
+
+15.Applicable Law
+Without prejudice to specific agreement between parties,
+— this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat,
+resides or has his registered office,
+— this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside
+a European Union Member State.
+
+
+                                                         Appendix
+
+‘Compatible Licences’ according to Article 5 EUPL are:
+— GNU General Public License (GPL) v. 2, v. 3
+— GNU Affero General Public License (AGPL) v. 3
+— Open Software License (OSL) v. 2.1, v. 3.0
+— Eclipse Public License (EPL) v. 1.0
+— CeCILL v. 2.0, v. 2.1
+— Mozilla Public Licence (MPL) v. 2
+— GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3
+— Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software
+— European Union Public Licence (EUPL) v. 1.1, v. 1.2
+— Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+).
+
+The European Commission may update this Appendix to later versions of the above licences without producing
+a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the
+covered Source Code from exclusive appropriation.
+All other changes or additions to this Appendix require the production of a new EUPL version.

LICENSES/GPL-3.0-or-later.txt

@@ -0,0 +1,232 @@
+GNU GENERAL PUBLIC LICENSE
+Version 3, 29 June 2007
+
+Copyright © 2007 Free Software Foundation, Inc. <https://fsf.org/>
+
+Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
+
+Preamble
+
+The GNU General Public License is a free, copyleft license for software and other kinds of works.
+
+The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too.
+
+When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.
+
+To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others.
+
+For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
+
+Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.
+
+For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions.
+
+Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.
+
+Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.
+
+The precise terms and conditions for copying, distribution and modification follow.
+
+TERMS AND CONDITIONS
+
+0. Definitions.
+
+“This License” refers to version 3 of the GNU General Public License.
+
+“Copyright” also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.
+
+“The Program” refers to any copyrightable work licensed under this License. Each licensee is addressed as “you”. “Licensees” and “recipients” may be individuals or organizations.
+
+To “modify” a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a “modified version” of the earlier work or a work “based on” the earlier work.
+
+A “covered work” means either the unmodified Program or a work based on the Program.
+
+To “propagate” a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.
+
+To “convey” a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.
+
+An interactive user interface displays “Appropriate Legal Notices” to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.
+
+1. Source Code.
+The “source code” for a work means the preferred form of the work for making modifications to it. “Object code” means any non-source form of a work.
+
+A “Standard Interface” means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.
+
+The “System Libraries” of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A “Major Component”, in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.
+
+The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.
+
+The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.
+
+The Corresponding Source for a work in source code form is that same work.
+
+2. Basic Permissions.
+All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.
+
+You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.
+
+Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.
+
+3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.
+
+When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.
+
+4. Conveying Verbatim Copies.
+You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.
+
+You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.
+
+5. Conveying Modified Source Versions.
+You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:
+
+     a) The work must carry prominent notices stating that you modified it, and giving a relevant date.
+
+     b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to “keep intact all notices”.
+
+     c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.
+
+     d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.
+
+A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an “aggregate” if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.
+
+6. Conveying Non-Source Forms.
+You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:
+
+     a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.
+
+     b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.
+
+     c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.
+
+     d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.
+
+     e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.
+
+A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.
+
+A “User Product” is either (1) a “consumer product”, which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, “normally used” refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.
+
+“Installation Information” for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
+
+If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).
+
+The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.
+
+Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.
+
+7. Additional Terms.
+“Additional permissions” are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.
+
+When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.
+
+Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:
+
+     a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or
+
+     b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or
+
+     c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or
+
+     d) Limiting the use for publicity purposes of names of licensors or authors of the material; or
+
+     e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or
+
+     f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.
+
+All other non-permissive additional terms are considered “further restrictions” within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.
+
+If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.
+
+Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.
+
+8. Termination.
+You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).
+
+However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
+
+Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
+
+Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.
+
+9. Acceptance Not Required for Having Copies.
+You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.
+
+10. Automatic Licensing of Downstream Recipients.
+Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.
+
+An “entity transaction” is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.
+
+You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.
+
+11. Patents.
+A “contributor” is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's “contributor version”.
+
+A contributor's “essential patent claims” are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, “control” includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.
+
+Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.
+
+In the following three paragraphs, a “patent license” is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To “grant” such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.
+
+If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. “Knowingly relying” means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.
+
+If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.
+
+A patent license is “discriminatory” if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007.
+
+Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.
+
+12. No Surrender of Others' Freedom.
+If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.
+
+13. Use with the GNU Affero General Public License.
+Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.
+
+14. Revised Versions of this License.
+The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License “or any later version” applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation.
+
+If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program.
+
+Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.
+
+15. Disclaimer of Warranty.
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+16. Limitation of Liability.
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+17. Interpretation of Sections 15 and 16.
+If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.
+
+END OF TERMS AND CONDITIONS
+
+How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
+
+To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found.
+
+     <one line to give the program's name and a brief idea of what it does.>
+     Copyright (C) <year>  <name of author>
+
+     This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+
+     This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode:
+
+     <program>  Copyright (C) <year>  <name of author>
+     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+     This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an “about box”.
+
+You should also get your employer (if you work as a programmer) or school, if any, to sign a “copyright disclaimer” for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see <https://www.gnu.org/licenses/>.
+
+The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read <https://www.gnu.org/philosophy/why-not-lgpl.html>.

LICENSES/LicenseRef-Reserved.txt

@@ -0,0 +1 @@
+All rights reserved.

LICENSES/MIT.txt

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) <year> <copyright holders>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,8 +1,124 @@
+<!--
+SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+
+SPDX-License-Identifier: EUPL-1.2
+-->
+
 # ❄️ infrastructure
 
 The dgnum infrastructure.
 
 # Contributing
-Some instruction on how to contribute are available (in french) in [/CONTRIBUTING.md](CONTRIBUTING.md). You're expected to read this document before commiting to the repo.
+
+Some instruction on how to contribute are available (in french) in [/CONTRIBUTE.md](CONTRIBUTE.md).
+You're expected to read this document before commiting to the repo.
 
 Some documentation for the development tools are provided in the aforementioned file.
+
+# Using the binary cache
+
+Add the following module to your configuration (and pin this repo using your favorite tool: npins, lon, etc...):
+```
+{ lib, ... }:
+let
+  dgnum-infra = PINNED_PATH_TO_INFRA;
+in {
+  nix.settings = (import dgnum-infra { }).mkCacheSettings {
+    caches = [ "infra" ];
+  };
+}
+```
+
+
+# Adding a new machine
+
+The first step is to create a minimal viable NixOS host, using tha means necessary.
+The second step is to find a name for this host, it must be unique from the other hosts.
+
+> [!TIP]
+> For the rest of this part, we assume that the host is named `host02`
+
+## Download the keys
+
+The public SSH keys of `host02` have to be saved to `keys`, preferably only the `ssh-ed25519` one.
+
+It can be retreived with :
+
+```bash
+ssh-keyscan address.of.host02 2>/dev/null | awk '/ssh-ed25519/ {print $2,$3}'
+```
+
+## Initialize the machine folder and configuration
+
+- Create a folder `host02` under `machines/`
+- Copy the hardware configuration file generated by `nixos-generate-config` to `machines/host02/_hardware-configuration.nix`
+- Create a `machines/host02/_configuration.nix` file, it will contain the main configuration options, the basic content of this file should be the following
+
+```nix
+{ lib, ... }:
+
+lib.extra.mkConfig {
+  enabledModules = [
+    # List of modules to enable
+  ];
+
+  enabledServices = [
+    # List of services to enable
+  ];
+
+  extraConfig = {
+    services.netbird.enable = true;
+  };
+
+  root = ./.;
+}
+```
+
+## Fill in the metadata
+
+### Network configuration
+
+The network is declared in `meta/network.nix`, the necessary `hostId` value can be generated with :
+
+```bash
+head -c4 /dev/urandom | od -A none -t x4 | sed 's/ //'
+```
+
+### Other details
+
+The general metadata is declared in `meta/nodes.nix`, the main values to declare are :
+
+- `site`, where the node is physically located
+- `stateVersion`
+- `nixpkgs`, the nixpkgs version to use
+
+## Initialize secrets
+
+Create the directory `secrets` in the configuration folder, and add a `secrets.nix` file containing :
+
+```nix
+(import ../../../keys).mkSecrets [ "host02" ] [
+  # List of secrets for host02
+]
+```
+
+This will be used for future secret management.
+
+## Update encrypted files
+
+Both the Arkheon, Netbox and notification modules have secrets that are deployed on all machines. To make those services work correctly, run in `modules/dgn-records`, `modules/dgn-netbox-agent` and `modules/dgn-notify` :
+
+```bash
+agenix -r
+```
+
+## Commit and create a PR
+
+Once all of this is done, check that the configuration builds correctly :
+
+```bash
+colmena build --on host02
+```
+
+Apply it, and create a Pull Request.

REUSE.toml

@@ -0,0 +1,60 @@
+version = 1
+[[annotations]]
+SPDX-FileCopyrightText = "NONE"
+SPDX-License-Identifier = "CC0-1.0"
+path = ["**/.envrc", "**/Cargo.lock", "**/_hardware-configuration.nix", ".gitignore", "REUSE.toml", "shell.nix"]
+precedence = "closest"
+
+[[annotations]]
+SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
+SPDX-License-Identifier = "EUPL-1.2"
+path = [".forgejo/workflows/*"]
+precedence = "closest"
+
+[[annotations]]
+SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
+SPDX-License-Identifier = "CC-BY-NC-ND-4.0"
+path = ["machines/**/secrets/*", "modules/nixos/dgn-backups/keys/*", "modules/nixos/dgn-netbox-agent/secrets/netbox-agent", "modules/nixos/dgn-notify/mail", "modules/nixos/dgn-records/__arkheon-token_file"]
+precedence = "closest"
+
+[[annotations]]
+SPDX-FileCopyrightText = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>"
+SPDX-License-Identifier = "EUPL-1.2"
+path = ["machines/nixos/compute01/ds-fr/01-smtp-tls.patch", "machines/nixos/compute01/librenms/kanidm.patch", "machines/nixos/compute01/stirling-pdf/*.patch", "machines/nixos/vault01/k-radius/packages/01-python_path.patch", "machines/nixos/web01/crabfit/*.patch", "machines/nixos/web02/cas-eleves/01-pytest-cas.patch", "patches/lix/01-disable-installChecks.patch", "patches/nixpkgs/03-crabfit-karla.patch", "patches/nixpkgs/05-netbird-relay.patch"]
+precedence = "closest"
+
+[[annotations]]
+SPDX-FileCopyrightText = "2024 Maurice Debray <maurice.debray@dgnum.eu>"
+SPDX-License-Identifier = "EUPL-1.2"
+path = ["patches/nixpkgs/06-netbox-qrcode.patch"]
+precedence = "closest"
+
+[[annotations]]
+SPDX-FileCopyrightText = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>"
+SPDX-License-Identifier = "EUPL-1.2"
+path = ["modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch", "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch", "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch", "modules/nixos/extranix/0004-fix-indentation-of-ul.patch", "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"]
+precedence = "closest"
+
+[[annotations]]
+SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
+SPDX-License-Identifier = "MIT"
+path = "lib/colmena/*"
+precedence = "closest"
+
+[[annotations]]
+SPDX-FileCopyrightText = "The [npins](https://github.com/andir/npins) contributors"
+SPDX-License-Identifier = "EUPL-1.2"
+path = "**/npins/*"
+precedence = "closest"
+
+[[annotations]]
+SPDX-FileCopyrightText = "The [forgejo](https://codeberg.org/forgejo/forgejo) contributors"
+SPDX-License-Identifier = "GPL-3.0-or-later"
+path = "machines/nixos/compute01/extranix/static-data/images/forgejo.png"
+precedence = "closest"
+
+[[annotations]]
+SPDX-FileCopyrightText = "La Délégation Générale Numérique <contact@dgnum.eu>"
+SPDX-License-Identifier = "LicenseRef-Reserved"
+path = ["machines/nixos/compute01/extranix/static-data/images/dgnum.png", "machines/nixos/compute01/extranix/static-data/images/favicon.ico", "machines/nixos/compute01/extranix/static-data/images/favicon.png"]
+precedence = "closest"

default.nix

@@ -1,62 +1,167 @@
-/*
-  Copyright :
-  - Maurice Debray <maurice.debray@dgnum.eu>  2023
-  - Tom Hubrecht <tom.hubrecht@dgnum.eu>      2023
+# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
 
-  Ce logiciel est un programme informatique servant à déployer des
-  configurations de serveurs via NixOS.
-
-  Ce logiciel est régi par la licence CeCILL soumise au droit français et
-  respectant les principes de diffusion des logiciels libres. Vous pouvez
-  utiliser, modifier et/ou redistribuer ce programme sous les conditions
-  de la licence CeCILL telle que diffusée par le CEA, le CNRS et l'INRIA
-  sur le site "http://www.cecill.info".
-
-  En contrepartie de l'accessibilité au code source et des droits de copie,
-  de modification et de redistribution accordés par cette licence, il n'est
-  offert aux utilisateurs qu'une garantie limitée. Pour les mêmes raisons,
-  seule une responsabilité restreinte pèse sur l'auteur du programme, le
-  titulaire des droits patrimoniaux et les concédants successifs.
-
-  A cet égard l'attention de l'utilisateur est attirée sur les risques
-  associés au chargement, à l'utilisation, à la modification et/ou au
-  développement et à la reproduction du logiciel par l'utilisateur étant
-  donné sa spécificité de logiciel libre, qui peut le rendre complexe à
-  manipuler et qui le réserve donc à des développeurs et des professionnels
-  avertis possédant des connaissances informatiques approfondies. Les
-  utilisateurs sont donc invités à charger et tester l'adéquation du
-  logiciel à leurs besoins dans des conditions permettant d'assurer la
-  sécurité de leurs systèmes et ou de leurs données et, plus généralement,
-  à l'utiliser et l'exploiter dans les mêmes conditions de sécurité.
-
-  Le fait que vous puissiez accéder à cet en-tête signifie que vous avez
-  pris connaissance de la licence CeCILL, et que vous en avez accepté les
-  termes.
-*/
+{
+  sources ? import ./npins,
+  pkgs ? import sources.nixpkgs { },
+}:
 
 let
-  sources = import ./npins;
-  pkgs = import sources.nixpkgs { };
+  inherit (pkgs.lib)
+    isFunction
+    mapAttrs
+    mapAttrs'
+    nameValuePair
+    removeSuffix
+    ;
 
-  pre-commit-check = (import sources.pre-commit-hooks).run {
+  nix-reuse = import sources.nix-reuse { inherit pkgs; };
+  nix-actions = import sources.nix-actions { inherit pkgs; };
+
+  git-checks = (import sources.git-hooks).run {
     src = ./.;
 
     hooks = {
-      # Nix Hooks
-      statix.enable = true;
-      deadnix.enable = true;
-      rfc101 = {
+      statix = {
         enable = true;
-
-        name = "RFC-101 formatting";
-        entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
-        files = "\\.nix$";
+        stages = [ "pre-push" ];
+        settings.ignore = [
+          "**/lon.nix"
+          "**/npins"
+        ];
+      };
+
+      deadnix = {
+        enable = true;
+        stages = [ "pre-push" ];
+      };
+
+      nixfmt-rfc-style = {
+        enable = true;
+        stages = [ "pre-push" ];
+        package = pkgs.nixfmt-rfc-style;
+      };
+
+      reuse = nix-reuse.hook {
+        enable = true;
+        stages = [ "pre-push" ];
       };
 
-      # Misc Hooks
       commitizen.enable = true;
     };
   };
+
+  reuse = nix-reuse.install {
+    defaultLicense = "EUPL-1.2";
+    defaultCopyright = "La Délégation Générale Numérique <contact@dgnum.eu>";
+
+    downloadLicenses = true;
+    generatedPaths = [
+      "**/.envrc"
+      "**/Cargo.lock"
+      "**/_hardware-configuration.nix"
+      ".gitignore"
+      "REUSE.toml"
+      "shell.nix"
+    ];
+
+    annotations = [
+      # Auto-generated workflow files using nix-actions
+      { path = [ ".forgejo/workflows/*" ]; }
+
+      # Secrets
+      {
+        path = [
+          "machines/**/secrets/*"
+          "modules/nixos/dgn-backups/keys/*"
+          "modules/nixos/dgn-netbox-agent/secrets/netbox-agent"
+          "modules/nixos/dgn-notify/mail"
+          "modules/nixos/dgn-records/__arkheon-token_file"
+        ];
+        license = "CC-BY-NC-ND-4.0";
+      }
+
+      # Patches
+      {
+        path = [
+          "machines/nixos/compute01/ds-fr/01-smtp-tls.patch"
+          "machines/nixos/compute01/librenms/kanidm.patch"
+          "machines/nixos/compute01/stirling-pdf/*.patch"
+          "machines/nixos/vault01/k-radius/packages/01-python_path.patch"
+          "machines/nixos/web01/crabfit/*.patch"
+          "machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
+          "patches/lix/01-disable-installChecks.patch"
+          "patches/nixpkgs/03-crabfit-karla.patch"
+          "patches/nixpkgs/05-netbird-relay.patch"
+        ];
+        copyright = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>";
+      }
+      {
+        path = [ "patches/nixpkgs/06-netbox-qrcode.patch" ];
+        copyright = "2024 Maurice Debray <maurice.debray@dgnum.eu>";
+      }
+      {
+        path = [
+          "modules/nixos/extranix/0001-revert-don-t-parse-md-in-js.patch"
+          "modules/nixos/extranix/0002-chore-remove-useless-dependencies.patch"
+          "modules/nixos/extranix/0003-feat-separate-HTML-description-of-MD-description.patch"
+          "modules/nixos/extranix/0004-fix-indentation-of-ul.patch"
+          "modules/nixos/extranix/0005-feat-match-all-substring-by-default.patch"
+        ];
+        copyright = "2024 Lubin Bailly <lubin.bailly@dgnum.eu>";
+      }
+
+      # colmena wrapper
+      {
+        path = "lib/colmena/*";
+        license = "MIT";
+      }
+
+      # npins generated files
+      {
+        path = "**/npins/*";
+        license = "EUPL-1.2";
+        copyright = "The [npins](https://github.com/andir/npins) contributors";
+      }
+
+      # images
+      {
+        path = "machines/nixos/compute01/extranix/static-data/images/forgejo.png";
+        license = "GPL-3.0-or-later";
+        copyright = "The [forgejo](https://codeberg.org/forgejo/forgejo) contributors";
+      }
+      {
+        path = [
+          "machines/nixos/compute01/extranix/static-data/images/dgnum.png"
+          "machines/nixos/compute01/extranix/static-data/images/favicon.ico"
+          "machines/nixos/compute01/extranix/static-data/images/favicon.png"
+        ];
+        license = "LicenseRef-Reserved";
+      }
+    ];
+  };
+
+  workflows = nix-actions.install {
+    src = ./.;
+
+    workflows = mapAttrs' (
+      name: _:
+      nameValuePair (removeSuffix ".nix" name) (
+        let
+          w = import ./workflows/${name};
+          args = {
+            inherit nix-actions;
+            inherit (pkgs) lib;
+          };
+        in
+        if (isFunction w) then (w args) else w
+      )
+    ) (builtins.readDir ./workflows);
+  };
+
+  scripts = import ./scripts { inherit pkgs sources; };
 in
 
 {
@@ -66,37 +171,46 @@ in
 
   dns = import ./meta/dns.nix;
 
-  shells = {
-    default = pkgs.mkShell {
-      name = "dgnum-infra";
+  mkCacheSettings = import ./machines/nixos/storage01/tvix-cache/cache-settings.nix;
 
-      packages =
-        (
-          with pkgs;
-          [
-            npins
-            nixos-generators
-          ]
-          ++ (builtins.map (p: callPackage p { }) [
-            (sources.disko + "/package.nix")
-            ./lib/colmena
-          ])
-        )
-        ++ (import ./scripts { inherit pkgs; });
+  devShell = pkgs.mkShell {
+    name = "dgnum-infra";
 
-      shellHook = ''
-        ${pre-commit-check.shellHook}
-      '';
+    packages = [
+      (pkgs.nixos-generators.overrideAttrs (_: {
+        version = "1.8.0-unstable";
+        src = sources.nixos-generators;
+      }))
+      pkgs.npins
 
-      preferLocalBuild = true;
-    };
+      # SSO testing
+      pkgs.kanidm
+      pkgs.freeradius
+      pkgs.picocom # for serial access
 
-    pre-commit = pkgs.mkShell {
-      name = "pre-commit-shell";
+      (pkgs.callPackage ./lib/colmena {
+        colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
+      })
+      (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
+      (pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
+    ] ++ git-checks.enabledPackages ++ (builtins.attrValues scripts);
 
-      shellHook = ''
-        ${pre-commit-check.shellHook}
-      '';
+    shellHook = builtins.concatStringsSep "\n" [
+      git-checks.shellHook
+      reuse.shellHook
+      workflows.shellHook
+    ];
+
+    preferLocalBuild = true;
+
+    ###
+    # Alternative shells
+
+    passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
+      pre-commit.shellHook = git-checks.shellHook;
+      check-workflows.shellHook = workflows.shellHook;
+      eval-nodes.packages = [ scripts.cache-node ];
+      eval-shell.packages = [ scripts.nix-build-and-cache ];
     };
   };
 }

hive.nix

@@ -1,78 +1,222 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+# SPDX-FileContributor: Maurice Debray <maurice.debray@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
 let
-  sources = import ./npins;
+  sources' = import ./npins;
 
-  lib = import (sources.nix-lib + "/src/trivial.nix");
+  # Patch sources directly
+  sources = builtins.mapAttrs (patch.base { pkgs = import sources'.nixos-unstable { }; })
+    .applyPatches' sources';
 
-  patch = import sources.nix-patches { patchFile = ./patches; };
+  nix-lib = import ./lib/nix-lib;
+  inherit (nix-lib) mapSingleFuse;
 
-  nodes' = import ./meta/nodes.nix;
+  patch = import ./lib/nix-patches { patchFile = ./patches; };
+
+  nodes' = import ./meta/nodes;
   nodes = builtins.attrNames nodes';
 
   mkNode = node: {
-    # Import the base configuration for each node
-    imports = builtins.map (lib.mkRel (./machines/${node})) [
-      "_configuration.nix"
-      "_hardware-configuration.nix"
-    ];
+    deployment.systemType = system node;
   };
 
-  mkNixpkgs =
-    node:
+  nixpkgs' = import ./meta/nixpkgs.nix;
+  # All supported nixpkgs versions × systems, instanciated
+  nixpkgs = mapSingleFuse (s: mapSingleFuse (mkSystemNixpkgs s) nixpkgs'.versions) nixpkgs'.systems;
+
+  # Get the configured nixos version for the node,
+  # defaulting to the one defined in meta/nixpkgs
+  version = node: nodes'.${node}.nixpkgs.version;
+  system = node: nodes'.${node}.nixpkgs.system;
+  category = node: nixpkgs'.categories.${system node};
+
+  nodePkgs = node: nixpkgs.${system node}.${version node};
+
+  # Builds a patched version of nixpkgs, only as the source
+  mkNixpkgs' =
+    v:
     patch.mkNixpkgsSrc rec {
-      src = sources.${version};
-      version = "nixos-${nodes'.${node}.nixpkgs or (import ./meta/nixpkgs.nix)}";
+      src = sources'.${name};
+      name = "nixos-${v}";
     };
 
-  mkNixpkgs' = node: import (mkNixpkgs node) { };
+  # Build up the nixpkgs configuration for Liminix embedded systems
+  mkLiminixConfig =
+    system: _:
+    (import "${sources.liminix}/devices/${system}").system
+    // {
+      overlays = [ (import "${sources.liminix}/overlay.nix") ];
+      config = {
+        allowUnsupportedSystem = true; # mipsel
+        permittedInsecurePackages = [
+          "python-2.7.18.8" # Python < 3.x is needed for kernel backports.
+        ];
+      };
+    };
+
+  # Build up the arguments to instantiate a nixpkgs given a system and a version.
+  mkNixpkgsConfig =
+    system:
+    {
+      nixos = _: { };
+      zyxel-nwa50ax = mkLiminixConfig system;
+      netconf = _: { };
+    }
+    .${system} or (throw "Unknown system: ${system} for nixpkgs configuration instantiation");
+
+  # Instanciates the required nixpkgs version
+  mkSystemNixpkgs = system: version: import (mkNixpkgs' version) (mkNixpkgsConfig system version);
 
   ###
   # Function to create arguments based on the node
   #
   mkArgs = node: rec {
-    lib = import sources.nix-lib {
-      inherit (mkNixpkgs' node) lib;
-
-      keysRoot = ./keys;
+    lib = sourcePkgs.lib // {
+      extra = nix-lib;
     };
 
+    sourcePkgs = nodePkgs node;
     meta = (import ./meta) lib;
+
+    nodeMeta = meta.nodes.${node};
+    nodePath = "machines/${category node}/${node}";
   };
 in
-# nodes = builtins.attrNames metadata.nodes;
+
 {
   meta = {
-    nodeNixpkgs = lib.mapSingleFuse mkNixpkgs' nodes;
+    nixpkgs = import nixpkgs.nixos.unstable.path;
+    nodeNixpkgs = mapSingleFuse nodePkgs nodes;
 
     specialArgs = {
-      inherit sources;
+      inherit nixpkgs sources;
+
+      dgn-keys = import ./keys;
     };
 
-    nodeSpecialArgs = lib.mapSingleFuse mkArgs nodes;
+    nodeSpecialArgs = mapSingleFuse mkArgs nodes;
   };
 
-  defaults =
-    { meta, name, ... }:
-    {
-      # Import the default modules
-      imports = [ ./modules ];
+  registry = {
+    zyxel-nwa50ax = {
+      evalConfig =
+        args:
+        (import "${sources.liminix}/lib/eval-config.nix" {
+          nixpkgs = args.specialArgs.sourcePkgs.path;
+        })
+          args;
 
-      # Include default secrets
-      age-secrets.sources = [ (./machines + "/${name}/secrets") ];
-
-      # Deployment config is specified in meta.nodes.${node}.deployment
-      inherit (meta.nodes.${name}) deployment;
-
-      # Set NIX_PATH to the patched version of nixpkgs
-      nix.nixPath = [ "nixpkgs=${mkNixpkgs name}" ];
-      nix.optimise.automatic = true;
-
-      # Allow unfree packages
-      nixpkgs.config.allowUnfree = true;
-
-      # Use the stateVersion declared in the metadata
-      system = {
-        inherit (meta.nodes.${name}) stateVersion;
-      };
+      defaults =
+        { name, nodePath, ... }:
+        {
+          # Import the default modules
+          imports = [
+            # Import the base configuration for each node
+            ./${nodePath}/_configuration.nix
+            ./modules/generic
+            ./modules/${category name}
+          ];
+          # It's impure, but who cares?
+          # Can Flakes even do that? :)
+          nixpkgs.buildPlatform = builtins.currentSystem;
+        };
     };
+
+    netconf = {
+      evalConfig = nixpkgs.nixos.unstable.lib.evalModules;
+
+      defaults =
+        {
+          name,
+          nodeMeta,
+          nodePath,
+          ...
+        }:
+        {
+          _module.args = {
+            pkgs = nixpkgs.nixos.unstable;
+          };
+
+          # Import the default modules
+          imports = [
+            # Import the base configuration for each node
+            ./${nodePath}.nix
+            ./modules/netconf
+            ./lib/netconf-junos
+            "${sources.nixpkgs}/nixos/modules/misc/assertions.nix"
+          ];
+
+          system.host-name = name;
+
+          inherit (nodeMeta) deployment;
+        };
+    };
+
+    nixos = {
+      evalConfig = args: import "${args.specialArgs.sourcePkgs.path}/nixos/lib/eval-config.nix" args;
+      defaults =
+        {
+          lib,
+          name,
+          nodes,
+          nodeMeta,
+          nodePath,
+          meta,
+          sourcePkgs,
+          ...
+        }:
+        {
+          # Import the default modules
+          imports = [
+            # Import the base configuration for each node
+            ./${nodePath}/_configuration.nix
+            ./modules/generic
+            (import "${sources.lix-module}/module.nix" { inherit (sources) lix; })
+            ./modules/${category name}
+          ];
+
+          _module.args.serverNodes = lib.filterAttrs (
+            name: _: meta.nodes.${name}.nixpkgs.system == "nixos"
+          ) nodes;
+
+          # Include default secrets
+          age-secrets.sources = [ ./${nodePath}/secrets ];
+
+          # Deployment config is specified in meta.nodes.${node}.deployment
+          inherit (nodeMeta) deployment;
+
+          nix = {
+            # Set NIX_PATH to the patched version of nixpkgs
+            nixPath = [ "nixpkgs=${builtins.storePath sourcePkgs.path}" ];
+            optimise.automatic = true;
+
+            gc = {
+              automatic = true;
+              dates = "weekly";
+              options = "--delete-older-than 7d";
+            };
+
+            settings =
+              {
+                substituters = [ "https://tvix-store.dgnum.eu/infra" ];
+              }
+              // (import ./machines/nixos/storage01/tvix-cache/cache-settings.nix {
+                caches = [ "infra" ];
+              });
+          };
+
+          # Allow unfree packages
+          nixpkgs.config.allowUnfree = true;
+
+          # Use the stateVersion declared in the metadata
+          system = {
+            inherit (nodeMeta) stateVersion;
+          };
+        };
+    };
+  };
 }
-// (lib.mapSingleFuse mkNode nodes)
+// (mapSingleFuse mkNode nodes)

iso/build-iso.sh

@@ -1,5 +1,9 @@
 #!/usr/bin/env bash
 
-NIXPKGS=$(nix-build nixpkgs.nix)
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+NIXPKGS=$(nix-build --no-out-link nixpkgs.nix)
 
 nixos-generate -c configuration.nix -I NIX_PATH="$NIXPKGS" -f install-iso

iso/configuration.nix

@@ -1,9 +1,13 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
 { lib, pkgs, ... }:
 
 let
-  dgn-lib = import ../lib { };
+  dgn-keys = import ../keys;
 
-  dgn-members = (import ../meta).members.groups.iso;
+  dgn-members = (import ../meta lib).organization.groups.root;
 in
 
 {
@@ -11,7 +15,7 @@ in
 
   boot = {
     blacklistedKernelModules = [ "snd_pcsp" ];
-    kernelPackages = pkgs.linuxPackages_6_1;
+    kernelPackages = pkgs.linuxPackages_latest;
     tmp.cleanOnBoot = true;
 
     loader = {
@@ -22,6 +26,7 @@ in
     supportedFilesystems = [
       "exfat"
       "zfs"
+      "bcachefs"
     ];
 
     swraid.enable = lib.mkForce false;
@@ -33,7 +38,5 @@ in
     openssh.enable = true;
   };
 
-  users.users.root.openssh.authorizedKeys.keyFiles = builtins.map (
-    m: dgn-lib.mkRel ../keys "${m}.keys"
-  ) dgn-members;
+  users.users.root.openssh.authorizedKeys.keys = dgn-keys.getKeys dgn-members;
 }

iso/dgn-install/README.md

@@ -1 +1,7 @@
+<!--
+SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+
+SPDX-License-Identifier: EUPL-1.2
+-->
+
 Script pour installer automatiquement NixOS sur les machines de la DGNum

iso/dgn-install/default.nix

@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
 { pkgs, ... }:
 
 let

iso/dgn-install/dgn-install.sh

@@ -1,3 +1,7 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
 bootDevice=
 rootDevice=
 

iso/nixpkgs.nix

@@ -1,5 +1,10 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
 let
-  inherit (import ../npins) nixpkgs;
+  version = (import ../meta/nixpkgs.nix).default;
+  nixpkgs = (import ../npins)."nixos-${version}";
 in
 
 (import nixpkgs { }).srcOnly {

keys/default.nix

@@ -0,0 +1,108 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+let
+  _sources = import ../npins;
+
+  inherit (import _sources.nixpkgs { }) lib;
+
+  meta = import ../meta lib;
+
+  getAttr = flip builtins.getAttr;
+
+  inherit (import ../lib/nix-lib) flip setDefault unique;
+in
+
+rec {
+  # WARNING: When updating this list, make sure that the nodes and members are alphabetically sorted
+  #          If not, you will face an angry maintainer
+  _keys = {
+    # SSH keys of the nodes
+    bridge01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5bS3iBXz8wycBnTvI5Qi79WLu0h4IVv/EOdKYbP5y7" ];
+    compute01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu" ];
+    geo01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4" ];
+    geo02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket" ];
+    hypervisor01 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPE0typcnvSioMfdLUloIfR5zcf/X0k6201xMHoQBCr"
+    ];
+    hypervisor02 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPETkWlOfESXQic+HgfGLV/T4Nqg0WjdDbEqtgDwkH+S"
+    ];
+    hypervisor03 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLF0mxSGitsDE3/YXfrHNjtOMUt4HT2MbryyUKPLSBI"
+    ];
+    rescue01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf" ];
+    storage01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ" ];
+    tower01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVpR+TMRLGAfhn7Q0C3tKOydYYjfoC/e1ZYbKpby01Z" ];
+    vault01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW" ];
+    web01 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5" ];
+    web02 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+QDE+GgZs6zONHvzRW15BzGJNW69k2BFZgB/Zh/tLX" ];
+    web03 = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrWsMEfK86iaO9SubMqE2UvZNtHkLY5VUod/bbqKC0L" ];
+
+    # SSH keys of the DGNum members
+    agroudiev = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgyt3ntpcoI/I2n97R1hzjBiNL6R98S73fSi7pkSE/8mQbI8r9GzsPUBcxQ+tIg0FgwkLxTwF8DwLf0E+Le/rPznxBS5LUQaAktSQSrxz/IIID1+jN8b03vf5PjfKS8H2Tu3Q8jZXa8HNsj3cpySpGMqGrE3ieUmknd/YfppRRf+wM4CsGKZeS3ZhB9oZi3Jn22A0U/17AOJTnv4seq+mRZWRQt3pvQvpp8/2M7kEqizie/gTr/DnwxUr45wisqYYH4tat9Cw6iDr7LK10VCrK37BfFagMIZ08Hkh3c46jghjYNQWe+mBUWJByWYhTJ0AtYrbaYeUV1HVYbsRJ6bNx25K6794QQPaE/vc2Z/VK/ILgvJ+9myFSAWVylCWdyYpwUu07RH/jDBl2aqH62ESwAG7SDUUcte6h9N+EryAQLWc8OhsGAYLpshhBpiqZwzX90m+nkbhx1SqMbtt6TS+RPDEHKFYn8E6FBrf1FK34482ndq/hHXZ88mqzGb1nOnM="
+    ];
+    catvayor = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
+    ];
+    cst1 = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrijwPlb7KQkYPLznMPVzPPT69cLzhEsJzZi9tmxzTh cst1@x270"
+    ];
+    ecoppens = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGmU7yEOCGuGNt4PlQbzd0Cms1RePpo8yEA7Ij/+TdA" ];
+    gdd = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ"
+    ];
+    jemagius = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8="
+    ];
+    luj = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower"
+    ];
+    mboyer = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGYnwZaFYvUxtJeNvpaA20rLfq8fOO4dFp7cIXsD8YNx" ];
+    mdebray = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdDnSl3cyWil+S5JiyGqOvBR3wVh+lduw58S5WvraoL maurice@fekda"
+    ];
+    raito = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU"
+    ];
+    thubrecht = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn"
+    ];
+  };
+
+  getKeys = ls: builtins.concatLists (builtins.map (getAttr _keys) ls);
+
+  mkSecrets =
+    nodes: setDefault { publicKeys = unique (rootKeys ++ (builtins.concatMap getNodeKeys' nodes)); };
+
+  getNodeKeys' =
+    node:
+    let
+      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
+        meta.nodes.${node}.admins ++ [ node ]
+      ) meta.nodes.${node}.adminGroups;
+    in
+    unique (getKeys names);
+
+  getNodeKeys = node: rootKeys ++ getNodeKeys' node;
+
+  # List of keys for the root group
+  rootKeys = getKeys meta.organization.groups.root;
+
+  # List of 'machine' keys
+  machineKeys = rootKeys ++ (getKeys (builtins.attrNames meta.nodes));
+
+  nixosMachineKeys =
+    rootKeys
+    ++ (getKeys (builtins.attrNames (lib.filterAttrs (_: v: v.nixpkgs.system == "nixos") meta.nodes)));
+}

keys/gdd.keys

@@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICE7TN5NQKGojNGIeTFiHjLHTDQGT8i05JFqX/zLW2zc
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbkPWWZzOBaRdx4+7xQUgxDwuncSl2fxAeVuYfVUPZ

keys/jemagius.keys

@@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoxmou5OU74GgpIUkhVt6GiB+O9Jy4ge0TwK5MDFJ2F
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxQX0JLRah3GfIOkua4ZhEJhp5Ykv55RO0SPrSUwCBs5arnALg8gq12YLr09t4bzW/NA9/jn7flhh4S54l4RwBUhmV4JSQhGu71KGhfOj5ZBkDoSyYqzbu206DfZP5eQonSmjfP6XghcWOr/jlBzw9YAAQkFxsQgXEkr4kdn0ZXfZGz6b0t3YUjYIuDNbptFsGz2V9iQVy1vnxrjnLSfc25j4et8z729Vpy4M7oCaE6a6hgon4V1jhVbg43NAE5gu2eYFAPIzO3E7ZI8WjyLu1wtOBClk1f+HMen3Tr+SX2PXmpPGb+I2fAkbzu/C4X/M3+2bL1dYjxuvQhvvpAjxFwmdoXW4gWJ3J/FRiFrKsiAY0rYC+yi8SfacJWCv4EEcV/yQ4gYwpmU9xImLaro6w5cOHGCqrzYqjZc4Wi6AWFGeBSNzNs9PXLgMRWeUyiIDOFnSep2ebZeVjTB16m+o/YDEhE10uX9kCCx3Dy/41iJ1ps7V4JWGFsr0Fqaz8mu8=

keys/luj.keys

@@ -1,2 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDMBW7rTtfZL9wtrpCVgariKdpN60/VeAzXkh9w3MwbO julien@enigma
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa+7n7kNzb86pTqaMn554KiPrkHRGeTJ0asY1NjSbpr julien@tower

keys/machines/compute01.keys

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/YluSVS+4h3oV8CIUj0OmquyJXju8aEQy0Jz210vTu

keys/machines/geo01.keys

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEl6Pubbau+usQkemymoSKrTBbrX8JU5m5qpZbhNx8p4

keys/machines/geo02.keys

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFNXaCS0/Nsu5npqQk1TP6wMHCVIOaj4pblp2tIg6Ket

keys/machines/rescue01.keys

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJa02Annu8o7ggPjTH/9ttotdNGyghlWfU9E8pnuLUf

keys/machines/storage01.keys

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0s+rPcEcfWCqZ4B2oJiWT/60awOI8ijL1rtDM2glXZ

keys/machines/vault01.keys

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJA6VA7LENvTRlKdcrqt8DxDOPvX3bg3Gjy9mNkdFEW

keys/machines/web01.keys

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5

keys/machines/web02.keys

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE020zqMJTlJ73czVxWVNmRof6il+N9dS4Knm43bJSpm

keys/mdebray.keys

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpwF+XD3HgX64kqD42pcEZRNYAWoO4YNiOm5KO4tH6o maurice@polaris

keys/raito.keys

@@ -1,3 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcEkYM1r8QVNM/G5CxJInEdoBCWjEHHDdHlzDYNSUIdHHsn04QY+XI67AdMCm8w30GZnLUIj5RiJEWXREUApby0GrfxGGcy8otforygfgtmuUKAUEHdU2MMwrQI7RtTZ8oQ0USRGuqvmegxz3l5caVU7qGvBllJ4NUHXrkZSja2/51vq80RF4MKkDGiz7xUTixI2UcBwQBCA/kQedKV9G28EH+1XfvePqmMivZjl+7VyHsgUVj9eRGA1XWFw59UPZG8a7VkxO/Eb3K9NF297HUAcFMcbY6cPFi9AaBgu3VC4eetDnoN/+xT1owiHi7BReQhGAy/6cdf7C/my5ehZwD
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0xMwWedkKosax9+7D2OlnMxFL/eV4CvFZLsbLptpXr
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiXXYkhRh+s7ixZ8rvG8ntIqd6FELQ9hh7HoaHQJRPU

keys/thubrecht.keys

@@ -1,3 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL+EZXYziiaynJX99EW8KesnmRTZMof3BoIs3mdEl8L3
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHL4M4HKjs4cjRAYRk9pmmI8U0R4+T/jQh6Fxp/i1Eoy
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPM1jpXR7BWQa7Sed7ii3SbvIPRRlKb3G91qC0vOwfJn

lib/default.nix

@@ -1,33 +0,0 @@
-_:
-
-let
-  sources = import ../npins;
-
-  lib = import sources.nix-lib {
-    inherit ((import sources.nixpkgs { })) lib;
-
-    keysRoot = ../keys;
-  };
-
-  meta = import ../meta lib;
-
-  inherit (lib.extra) getAllKeys;
-in
-
-lib.extra
-// rec {
-  # Get publickeys associated to a node
-  getNodeKeys =
-    node:
-    let
-      names = builtins.foldl' (names: group: names ++ meta.organization.groups.${group}) (
-        meta.nodes.${node}.admins ++ [ "/machines/${node}" ]
-      ) meta.nodes.${node}.adminGroups;
-    in
-    rootKeys ++ (getAllKeys names);
-
-  rootKeys = getAllKeys meta.organization.groups.root;
-
-  machineKeys =
-    rootKeys ++ (getAllKeys (builtins.map (n: "machines/${n}") (builtins.attrNames meta.nodes)));
-}

lib/netconf-junos/default.nix

@@ -0,0 +1,120 @@
+# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  config,
+  lib,
+  pkgs,
+  name,
+  ...
+}:
+
+let
+  inherit (lib) mapAttrs mkOption;
+
+  inherit (lib.types)
+    attrs
+    attrsOf
+    bool
+    str
+    submodule
+    package
+    ;
+
+  mandatory.options = {
+    supportPoE = mkOption {
+      type = bool;
+      example = true;
+      description = ''
+        Whether this interface supports PoE.
+      '';
+    };
+  };
+in
+{
+  imports = [
+    ./interfaces.nix
+    ./poe.nix
+    ./protocols.nix
+    ./system.nix
+    ./vlans.nix
+  ];
+
+  options = {
+    # Hack because of this https://git.dgnum.eu/DGNum/colmena/src/commit/71b1b660f2cda2e34e134d0028cafbd56bb22008/src/nix/hive/eval.nix#L166 which defines nixpkgs option but we don't have it here. What about liminix ?
+    nixpkgs = mkOption {
+      type = attrs;
+      default = { };
+      visible = false;
+    };
+    netconf = {
+      xmls.configuration = mkOption {
+        type = str;
+        readOnly = true;
+        description = ''
+          The full configuration to send to a JunOS.
+        '';
+      };
+      mandatoryInterfaces = mkOption {
+        type = attrsOf (submodule mandatory);
+        example = {
+          "ge-0/0/0" = {
+            supportPoE = true;
+          };
+          "ge-0/0/1" = {
+            supportPoE = true;
+          };
+          "xe-0/0/0" = {
+            supportPoE = false;
+          };
+        };
+        description = ''
+          JunOS require some interfaces to always be configured (even if they are disabled),
+          which correspond to physical interfaces of the switch. They have to be declared here
+          with some information about it (only if it supports PoE for now).
+        '';
+      };
+      rpc = mkOption {
+        type = package;
+        readOnly = true;
+        description = ''
+          The final rpc xml to send via netconf.
+        '';
+      };
+    };
+  };
+  config = {
+    interfaces =
+      let
+        mkIntf = _: _: { };
+      in
+      mapAttrs mkIntf config.netconf.mandatoryInterfaces;
+    netconf = {
+      xmls.configuration = with config.netconf.xmls; ''
+        <configuration>
+          ${system}
+          ${interfaces}
+          ${protocols}
+          ${vlans}
+          ${poe}
+        </configuration>
+      '';
+      rpc = pkgs.writeText "${name}.rpc" ''
+        <rpc>
+          <edit-config>
+            <config>
+              ${config.netconf.xmls.configuration}
+            </config>
+            <target>
+              <candidate/>
+            </target>
+          </edit-config>
+        </rpc>
+        <rpc>
+          <commit/>
+        </rpc>
+      '';
+    };
+  };
+}

lib/netconf-junos/interfaces.nix

@@ -0,0 +1,172 @@
+# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, lib, ... }:
+
+let
+  inherit (lib)
+    mapAttrsToList
+    mkEnableOption
+    mkOption
+    optionalString
+    ;
+
+  inherit (lib.types)
+    attrsOf
+    either
+    enum
+    ints
+    listOf
+    str
+    submodule
+    ;
+
+  interface =
+    { name, config, ... }:
+    let
+      unit =
+        { name, config, ... }:
+        {
+          options = {
+            enable = mkEnableOption "this logical interface" // {
+              default = true;
+              example = false;
+            };
+            family = {
+              ethernet-switching = {
+                enable = mkEnableOption "the ethernet switching on this logical interface";
+                interface-mode = mkOption {
+                  type = enum [
+                    "trunk"
+                    "access"
+                  ];
+                  description = ''
+                    Mode of operation for vlan addressing of this interface.
+                    "trunk" means that the traffic is tagged, "access" means the
+                    traffic is tagged by the switch.
+                  '';
+                };
+                vlans = mkOption {
+                  type = listOf (either str ints.unsigned);
+                  default = [ ];
+                  description = ''
+                    Vlans that can be used on this interface.
+                    Only one ID should be here for "access" mode of operation.
+                  '';
+                };
+              };
+              #TODO : DHCP
+              inet = {
+                enable = mkEnableOption "the IPv4 configuration of this logical interface";
+                addresses = mkOption {
+                  type = listOf str;
+                  default = [ ];
+                  description = ''
+                    ipv4 addresses of this interface.
+                  '';
+                };
+              };
+              inet6 = {
+                enable = mkEnableOption "the IPv6 configuration of this logical interface";
+                addresses = mkOption {
+                  type = listOf str;
+                  default = [ ];
+                  description = ''
+                    ipv6 addresses of this interface.
+                  '';
+                };
+              };
+            };
+            xml = mkOption {
+              type = str;
+              visible = false;
+              readOnly = true;
+            };
+          };
+          config.xml =
+            let
+              members = map (
+                vlan: "<members>${builtins.toString vlan}</members>"
+              ) config.family.ethernet-switching.vlans;
+              eth = optionalString config.family.ethernet-switching.enable ''
+                <ethernet-switching>
+                  <interface-mode>${config.family.ethernet-switching.interface-mode}</interface-mode>
+                  <vlan>${builtins.concatStringsSep "" members}</vlan>
+                  <storm-control><profile-name>default</profile-name></storm-control>
+                </ethernet-switching>
+              '';
+
+              addr4 = map (addr: "<name>${addr}</name>") config.family.inet.addresses;
+              inet = optionalString config.family.inet.enable ''
+                <inet>
+                  <address>${builtins.concatStringsSep "" addr4}</address>
+                </inet>
+              '';
+
+              addr6 = map (addr: "<name>${addr}</name>") config.family.inet6.addresses;
+              inet6 = optionalString config.family.inet6.enable ''
+                <inet6>
+                  <address>${builtins.concatStringsSep "" addr6}</address>
+                </inet6>
+              '';
+            in
+            ''
+              <unit>
+                <name>${name}</name>
+                ${optionalString (!config.enable) "<disable/>"}
+                <family>
+                  ${eth}${inet}${inet6}
+                </family>
+              </unit>'';
+        };
+    in
+    {
+      options = {
+        enable = mkEnableOption "this physical interface";
+        unit = mkOption {
+          type = attrsOf (submodule unit);
+          default = { };
+          description = ''
+            Configuration of the logical interfaces on this physical interface.
+          '';
+        };
+        xml = mkOption {
+          type = str;
+          visible = false;
+          readOnly = true;
+        };
+      };
+      config.xml =
+        let
+          units = mapAttrsToList (_: unit: unit.xml) config.unit;
+        in
+        ''
+          <interface>
+            <name>${name}</name>
+            ${optionalString (!config.enable) "<disable/>"}
+            ${builtins.concatStringsSep "" units}
+          </interface>
+        '';
+    };
+in
+{
+  options = {
+    interfaces = mkOption {
+      type = attrsOf (submodule interface);
+      description = ''
+        The interfaces configuration.
+      '';
+    };
+    netconf.xmls.interfaces = mkOption {
+      type = str;
+      visible = false;
+      readOnly = true;
+    };
+  };
+  config.netconf.xmls.interfaces = ''
+    <interfaces operation="replace">
+      ${builtins.concatStringsSep "" (mapAttrsToList (_: intf: intf.xml) config.interfaces)}
+    </interfaces>
+  '';
+}

lib/netconf-junos/poe.nix

@@ -0,0 +1,53 @@
+# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, lib, ... }:
+
+let
+  inherit (lib)
+    mapAttrsToList
+    mkEnableOption
+    mkOption
+    optionalString
+    ;
+
+  inherit (lib.types) attrsOf str submodule;
+
+  interface-module =
+    { name, config, ... }:
+    {
+      options = {
+        enable = mkEnableOption "the PoE for this interface";
+        xml = mkOption {
+          type = str;
+          visible = false;
+          readOnly = true;
+        };
+      };
+      config.xml = ''
+        <interface><name>${name}</name>${optionalString (!config.enable) "<disable/>"}</interface>
+      '';
+    };
+in
+{
+  options = {
+    poe.interfaces = mkOption {
+      type = attrsOf (submodule interface-module);
+      default = { };
+      description = ''
+        PoE configuration of interfaces.
+      '';
+    };
+    netconf.xmls.poe = mkOption {
+      type = str;
+      visible = false;
+      readOnly = true;
+    };
+  };
+  config.netconf.xmls.poe = ''
+    <poe operation="replace">
+      ${builtins.concatStringsSep "" (mapAttrsToList (_: intf: intf.xml) config.poe.interfaces)}
+    </poe>
+  '';
+}

lib/netconf-junos/protocols.nix

@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, lib, ... }:
+
+let
+  inherit (lib) concatMapStringsSep mkOption;
+
+  inherit (lib.types) listOf str;
+in
+
+{
+  options = {
+    protocols.rstp = mkOption {
+      type = listOf str;
+      description = ''
+        List of interfaces on which Rapid Spanning Tree Protocol should be enabled.
+      '';
+    };
+    netconf.xmls.protocols = mkOption {
+      type = str;
+      visible = false;
+      readOnly = true;
+    };
+  };
+
+  config.netconf.xmls.protocols = ''
+    <protocols>
+      <rstp operation="replace">
+        ${
+          concatMapStringsSep "" (intf: "<interface><name>${intf}</name></interface>") config.protocols.rstp
+        }
+      </rstp>
+    </protocols>
+  '';
+}

lib/netconf-junos/system.nix

@@ -0,0 +1,95 @@
+# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, lib, ... }:
+
+let
+  inherit (lib)
+    concatStrings
+    concatStringsSep
+    filter
+    hasPrefix
+    length
+    mkOption
+    splitString
+    ;
+
+  inherit (lib.types)
+    enum
+    listOf
+    port
+    str
+    ;
+in
+
+{
+  options = {
+    system = {
+      host-name = mkOption {
+        type = str;
+        description = "The hostname of the switch.";
+      };
+      root-authentication = {
+        hashedPasswd = mkOption {
+          type = str;
+          description = "Hashed password for root.";
+        };
+        ssh-keys = mkOption {
+          type = listOf str;
+          description = "ssh keys for root user.";
+          default = [ ];
+        };
+      };
+      services = {
+        ssh.root-login = mkOption {
+          type = enum [
+            "allow"
+            "deny"
+            "deny-password"
+          ];
+          description = "Login policy to use for root.";
+        };
+        netconf.port = mkOption {
+          type = port;
+          description = "Port to use for netconf.";
+          default = 830;
+        };
+      };
+    };
+    netconf.xmls.system = mkOption {
+      type = str;
+      visible = false;
+      readOnly = true;
+    };
+  };
+  config.netconf.xmls.system =
+    let
+      ssh-keys1 = map (splitString " ") config.system.root-authentication.ssh-keys;
+      ssh-keys2 = map (key: if length key < 3 then key ++ [ "foo@bar" ] else key) ssh-keys1;
+      ssh-keys = map (concatStringsSep " ") ssh-keys2;
+      edsca = map (key: "<ssh-edsca><name>${key}</name></ssh-edsca>") (
+        filter (hasPrefix "ssh-edsca ") ssh-keys
+      );
+      rsa = map (key: "<ssh-rsa><name>${key}</name></ssh-rsa>") (filter (hasPrefix "ssh-rsa ") ssh-keys);
+      ed25519 = map (key: "<ssh-ed25519><name>${key}</name></ssh-ed25519>") (
+        filter (hasPrefix "ssh-ed25519 ") ssh-keys
+      );
+    in
+    ''
+      <system>
+        <host-name operation="replace">${config.system.host-name}</host-name>
+        <root-authentication operation="replace">
+          <encrypted-password>${config.system.root-authentication.hashedPasswd}</encrypted-password>
+          ${concatStrings (edsca ++ rsa ++ ed25519)}
+        </root-authentication>
+        <services operation="replace">
+          <ssh><root-login>${config.system.services.ssh.root-login}</root-login></ssh>
+          <netconf>
+            <ssh><port>${toString config.system.services.netconf.port}</port></ssh>
+            <rfc-compliant/><yang-compliant/>
+          </netconf>
+        </services>
+      </system>
+    '';
+}

lib/netconf-junos/vlans.nix

@@ -0,0 +1,135 @@
+# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, lib, ... }:
+
+let
+  inherit (lib)
+    assertMsg
+    concatStringsSep
+    mapAttrsToList
+    mkOption
+    optionalString
+    ;
+
+  inherit (lib.types)
+    attrsOf
+    either
+    ints
+    listOf
+    nullOr
+    str
+    submodule
+    unspecified
+    ;
+
+  vlan =
+    { name, config, ... }:
+    {
+      options = {
+        id = mkOption {
+          type = nullOr ints.unsigned;
+          default = null;
+          description = ''
+            The ID of this vlan, `null` means no ID.
+            Incompatible with vlans.${name}.id-list.
+          '';
+        };
+        id-list = mkOption {
+          type =
+            let
+              range_type =
+                { config, ... }:
+                {
+                  config.__toString = _: "${toString config.begin}-${toString config.end}";
+                  options = {
+                    begin = mkOption {
+                      type = ints.unsigned;
+                      visible = false;
+                    };
+                    end = mkOption {
+                      type = ints.unsigned;
+                      visible = false;
+                    };
+                    __toString = mkOption {
+                      visible = false;
+                      internal = true;
+                      readOnly = true;
+                      type = unspecified;
+                    };
+                  };
+                };
+            in
+            listOf (either ints.unsigned (submodule range_type));
+          default = [ ];
+          example = [
+            42
+            {
+              begin = 100;
+              end = 200;
+            }
+          ];
+          description = ''
+            List of IDs or IDs range to classify as this vlan.
+            Incompatible with vlans.${name}.id.
+          '';
+        };
+        l3-interface = mkOption {
+          type = nullOr str;
+          default = null;
+          example = "irb.0";
+          description = ''
+            Switch's logical interface to connect directly to this vlan.
+            This allows to communicate with the switch from a vlan without
+            having a cable looping back on it's management interface.
+          '';
+        };
+        xml = mkOption {
+          type = str;
+          readOnly = true;
+          visible = false;
+        };
+      };
+      config.xml =
+        let
+          id = optionalString (config.id != null) "<vlan-id>${toString config.id}</vlan-id>";
+          id-list = concatStringsSep "" (
+            map (vlan: "<vlan-id-list>${toString vlan}</vlan-id-list>") config.id-list
+          );
+          l3-intf = optionalString (
+            config.l3-interface != null
+          ) "<l3-interface>${config.l3-interface}</l3-interface>";
+        in
+        assert assertMsg (
+          config.id == null || config.id-list == [ ]
+        ) "vlans.${name}.id and vlans.${name}.id-list are incompatible.";
+        ''
+          <vlan>
+            <name>${name}</name>
+            ${id}${id-list}${l3-intf}
+          </vlan>
+        '';
+    };
+in
+{
+  options = {
+    vlans = mkOption {
+      type = attrsOf (submodule vlan);
+      description = ''
+        Named vlans configuration. Allows to name vlans inside interface configuration,
+        instead of just using their IDs.
+      '';
+    };
+    netconf.xmls.vlans = mkOption {
+      type = str;
+      visible = false;
+      readOnly = true;
+    };
+  };
+  config.netconf.xmls.vlans = ''
+    <vlans operation="replace">
+      ${builtins.concatStringsSep "" (mapAttrsToList (_: vlan: vlan.xml) config.vlans)}
+    </vlans>
+  '';
+}

lib/nix-lib/default.nix

@@ -0,0 +1,176 @@
+# Copyright Tom Hubrecht, (2023)
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+let
+  # Reimplement optional functions
+  _optional =
+    default: b: value:
+    if b then value else default;
+in
+
+rec {
+  inherit (import ./nixpkgs.nix)
+    flip
+    hasPrefix
+    recursiveUpdate
+    splitString
+    unique
+    warn
+    ;
+
+  /*
+    Fuses a list of attribute sets into a single attribute set.
+
+    Type: [attrs] -> attrs
+
+     Example:
+       x = [ { a = 1; } { b = 2; } ]
+       fuseAttrs x
+       => { a = 1; b = 2; }
+  */
+  fuseAttrs = builtins.foldl' (attrs: x: attrs // x) { };
+
+  fuseValueAttrs = attrs: fuseAttrs (builtins.attrValues attrs);
+
+  /*
+    Applies a function to `attrsList` before fusing the resulting list
+    of attribute sets.
+
+    Type: ('a -> attrs) -> ['a] -> attrs
+
+    Example:
+     x = [ "to" "ta" "ti" ]
+     f = s: { ${s} = s + s; }
+     mapFuse f x
+     => { to = "toto"; ta = "tata"; ti = "titi"; }
+  */
+  mapFuse =
+    # 'a -> attrs
+    f:
+    # ['a]
+    attrsList:
+    fuseAttrs (builtins.map f attrsList);
+
+  /*
+    Equivalent of lib.singleton but for an attribute set.
+
+    Type: str -> 'a -> attrs
+
+     Example:
+       singleAttr "a" 1
+       => { a = 1; }
+  */
+  singleAttr = name: value: { ${name} = value; };
+
+  # Enables a list of modules.
+  enableAttrs' =
+    enable:
+    mapFuse (m: {
+      ${m}.${enable} = true;
+    });
+
+  enableModules = enableAttrs' "enable";
+
+  /*
+    Create an attribute set from a list of values, mapping those
+    values through the function `f`.
+
+    Example:
+     mapSingleFuse (x: "val-${x}") [ "a" "b" ]
+     => { a = "val-a"; b = "val-b" }
+  */
+  mapSingleFuse = f: mapFuse (x: singleAttr x (f x));
+
+  /*
+    Creates a relative path as a string
+
+    Type: path -> str -> path
+
+     Example:
+       mkRel /home/test/ "file.txt"
+       => "/home/test/file.txt"
+  */
+  mkRel = path: file: path + "/${file}";
+
+  setDefault =
+    default:
+    mapFuse (name: {
+      ${name} = default;
+    });
+
+  mkBaseSecrets =
+    root:
+    mapFuse (secret: {
+      ${secret}.file = mkRel root secret;
+    });
+
+  getSecrets = dir: builtins.attrNames (import (mkRel dir "secrets.nix"));
+
+  subAttr = attrs: name: attrs.${name};
+
+  subAttrs = attrs: builtins.map (subAttr attrs);
+
+  optionalList = _optional [ ];
+
+  optionalAttrs = _optional { };
+
+  optionalString = _optional "";
+  /*
+    Same as fuseAttrs but using `lib.recursiveUpdate` to merge attribute
+    sets together.
+
+    Type: [attrs] -> attrs
+  */
+  recursiveFuse = builtins.foldl' recursiveUpdate { };
+
+  mkImport =
+    root: file:
+    let
+      path = mkRel root file;
+    in
+    path + (optionalString (!(builtins.pathExists path)) ".nix");
+
+  mkImports = root: builtins.map (mkImport root);
+
+  /*
+    Creates a confugiration by merging enabled modules,
+    services and extraConfig.
+
+    Example:
+     mkConfig {
+       enabledModules = [ "ht-defaults" ];
+       enabledServices = [ "toto" ];
+       extraConfig = { services.nginx.enable = true; };
+       root = ./.;
+     }
+     =>
+     {
+       imports = [ ./toto ];
+       ht-defaults.enable = true;
+       services.nginx.enable = true;
+     }
+  */
+  mkConfig =
+    {
+      # List of modules to enable with `enableModules`
+      enabledModules,
+      # List of services to import
+      enabledServices,
+      # Extra configuration, defaults to `{ }`
+      extraConfig ? { },
+      # Path relative to which the enabled services will be imported
+      root,
+    }:
+    recursiveFuse [
+      (enableModules enabledModules)
+
+      {
+        imports =
+          (extraConfig.imports or [ ]) ++ (mkImports root ([ "_hardware-configuration" ] ++ enabledServices));
+      }
+
+      (removeAttrs extraConfig [ "imports" ])
+    ];
+}

lib/nix-lib/nixpkgs.nix

@@ -0,0 +1,466 @@
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+###
+# Collection of nixpkgs library functions, those are necessary for defining our own lib
+#
+# They have been simplified and builtins are used in some places, instead of lib shims.
+
+rec {
+  /**
+    Does the same as the update operator '//' except that attributes are
+    merged until the given predicate is verified.  The predicate should
+    accept 3 arguments which are the path to reach the attribute, a part of
+    the first attribute set and a part of the second attribute set.  When
+    the predicate is satisfied, the value of the first attribute set is
+    replaced by the value of the second attribute set.
+
+    # Inputs
+
+    `pred`
+
+    : Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.
+
+    `lhs`
+
+    : Left attribute set of the merge.
+
+    `rhs`
+
+    : Right attribute set of the merge.
+
+    # Type
+
+    ```
+    recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.attrsets.recursiveUpdateUntil` usage example
+
+    ```nix
+    recursiveUpdateUntil (path: l: r: path == ["foo"]) {
+      # first attribute set
+      foo.bar = 1;
+      foo.baz = 2;
+      bar = 3;
+    } {
+      #second attribute set
+      foo.bar = 1;
+      foo.quz = 2;
+      baz = 4;
+    }
+
+    => {
+      foo.bar = 1; # 'foo.*' from the second set
+      foo.quz = 2; #
+      bar = 3;     # 'bar' from the first set
+      baz = 4;     # 'baz' from the second set
+    }
+    ```
+
+    :::
+  */
+  recursiveUpdateUntil =
+    pred: lhs: rhs:
+    let
+      f =
+        attrPath:
+        builtins.zipAttrsWith (
+          n: values:
+          let
+            here = attrPath ++ [ n ];
+          in
+          if builtins.length values == 1 || pred here (builtins.elemAt values 1) (builtins.head values) then
+            builtins.head values
+          else
+            f here values
+        );
+    in
+    f [ ] [
+      rhs
+      lhs
+    ];
+
+  /**
+    A recursive variant of the update operator ‘//’.  The recursion
+    stops when one of the attribute values is not an attribute set,
+    in which case the right hand side value takes precedence over the
+    left hand side value.
+
+    # Inputs
+
+    `lhs`
+
+    : Left attribute set of the merge.
+
+    `rhs`
+
+    : Right attribute set of the merge.
+
+    # Type
+
+    ```
+    recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.attrsets.recursiveUpdate` usage example
+
+    ```nix
+    recursiveUpdate {
+      boot.loader.grub.enable = true;
+      boot.loader.grub.device = "/dev/hda";
+    } {
+      boot.loader.grub.device = "";
+    }
+
+    returns: {
+      boot.loader.grub.enable = true;
+      boot.loader.grub.device = "";
+    }
+    ```
+
+    :::
+  */
+  recursiveUpdate =
+    lhs: rhs:
+    recursiveUpdateUntil (
+      _: lhs: rhs:
+      !(builtins.isAttrs lhs && builtins.isAttrs rhs)
+    ) lhs rhs;
+
+  /**
+    Determine whether a string has given prefix.
+
+    # Inputs
+
+    `pref`
+    : Prefix to check for
+
+    `str`
+    : Input string
+
+    # Type
+
+    ```
+    hasPrefix :: string -> string -> bool
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.hasPrefix` usage example
+
+    ```nix
+    hasPrefix "foo" "foobar"
+    => true
+    hasPrefix "foo" "barfoo"
+    => false
+    ```
+
+    :::
+  */
+  hasPrefix = pref: str: (builtins.substring 0 (builtins.stringLength pref) str == pref);
+
+  /**
+    Escape occurrence of the elements of `list` in `string` by
+    prefixing it with a backslash.
+
+    # Inputs
+
+    `list`
+    : 1\. Function argument
+
+    `string`
+    : 2\. Function argument
+
+    # Type
+
+    ```
+    escape :: [string] -> string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.escape` usage example
+
+    ```nix
+    escape ["(" ")"] "(foo)"
+    => "\\(foo\\)"
+    ```
+
+    :::
+  */
+  escape = list: builtins.replaceStrings list (builtins.map (c: "\\${c}") list);
+
+  /**
+    Convert a string `s` to a list of characters (i.e. singleton strings).
+    This allows you to, e.g., map a function over each character.  However,
+    note that this will likely be horribly inefficient; Nix is not a
+    general purpose programming language. Complex string manipulations
+    should, if appropriate, be done in a derivation.
+    Also note that Nix treats strings as a list of bytes and thus doesn't
+    handle unicode.
+
+    # Inputs
+
+    `s`
+    : 1\. Function argument
+
+    # Type
+
+    ```
+    stringToCharacters :: string -> [string]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.stringToCharacters` usage example
+
+    ```nix
+    stringToCharacters ""
+    => [ ]
+    stringToCharacters "abc"
+    => [ "a" "b" "c" ]
+    stringToCharacters "🦄"
+    => [ "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" "<EFBFBD>" ]
+    ```
+
+    :::
+  */
+  stringToCharacters = s: builtins.genList (p: builtins.substring p 1 s) (builtins.stringLength s);
+
+  /**
+    Turn a string `s` into an exact regular expression
+
+    # Inputs
+
+    `s`
+    : 1\. Function argument
+
+    # Type
+
+    ```
+    escapeRegex :: string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.escapeRegex` usage example
+
+    ```nix
+    escapeRegex "[^a-z]*"
+    => "\\[\\^a-z]\\*"
+    ```
+
+    :::
+  */
+  escapeRegex = escape (stringToCharacters "\\[{()^$?*+|.");
+
+  /**
+    Appends string context from string like object `src` to `target`.
+
+    :::{.warning}
+    This is an implementation
+    detail of Nix and should be used carefully.
+    :::
+
+    Strings in Nix carry an invisible `context` which is a list of strings
+    representing store paths. If the string is later used in a derivation
+    attribute, the derivation will properly populate the inputDrvs and
+    inputSrcs.
+
+    # Inputs
+
+    `src`
+    : The string to take the context from. If the argument is not a string,
+      it will be implicitly converted to a string.
+
+    `target`
+    : The string to append the context to. If the argument is not a string,
+      it will be implicitly converted to a string.
+
+    # Type
+
+    ```
+    addContextFrom :: string -> string -> string
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.addContextFrom` usage example
+
+    ```nix
+    pkgs = import <nixpkgs> { };
+    addContextFrom pkgs.coreutils "bar"
+    => "bar"
+    ```
+
+    The context can be displayed using the `toString` function:
+
+    ```nix
+    nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
+    {
+      "/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
+    }
+    ```
+
+    :::
+  */
+  addContextFrom = src: target: builtins.substring 0 0 src + target;
+
+  /**
+    Cut a string with a separator and produces a list of strings which
+    were separated by this separator.
+
+    # Inputs
+
+    `sep`
+    : 1\. Function argument
+
+    `s`
+    : 2\. Function argument
+
+    # Type
+
+    ```
+    splitString :: string -> string -> [string]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.strings.splitString` usage example
+
+    ```nix
+    splitString "." "foo.bar.baz"
+    => [ "foo" "bar" "baz" ]
+    splitString "/" "/usr/local/bin"
+    => [ "" "usr" "local" "bin" ]
+    ```
+
+    :::
+  */
+  splitString =
+    sep: s:
+    let
+      splits = builtins.filter builtins.isString (
+        builtins.split (escapeRegex (builtins.toString sep)) (builtins.toString s)
+      );
+    in
+    builtins.map (addContextFrom s) splits;
+
+  /**
+    Remove duplicate elements from the `list`. O(n^2) complexity.
+
+    # Inputs
+
+    `list`
+
+    : Input list
+
+    # Type
+
+    ```
+    unique :: [a] -> [a]
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.lists.unique` usage example
+
+    ```nix
+    unique [ 3 2 3 4 ]
+    => [ 3 2 4 ]
+    ```
+
+    :::
+  */
+  unique = builtins.foldl' (acc: e: if builtins.elem e acc then acc else acc ++ [ e ]) [ ];
+
+  /**
+    Flip the order of the arguments of a binary function.
+
+    # Inputs
+
+    `f`
+
+    : 1\. Function argument
+
+    `a`
+
+    : 2\. Function argument
+
+    `b`
+
+    : 3\. Function argument
+
+    # Type
+
+    ```
+    flip :: (a -> b -> c) -> (b -> a -> c)
+    ```
+
+    # Examples
+    :::{.example}
+    ## `lib.trivial.flip` usage example
+
+    ```nix
+    flip concat [1] [2]
+    => [ 2 1 ]
+    ```
+
+    :::
+  */
+  flip =
+    f: a: b:
+    f b a;
+
+  /**
+    `warn` *`message`* *`value`*
+
+    Print a warning before returning the second argument.
+
+    See [`builtins.warn`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn) (Nix >= 2.23).
+    On older versions, the Nix 2.23 behavior is emulated with [`builtins.trace`](https://nix.dev/manual/nix/latest/language/builtins.html#builtins-warn), including the [`NIX_ABORT_ON_WARN`](https://nix.dev/manual/nix/latest/command-ref/conf-file#conf-abort-on-warn) behavior, but not the `nix.conf` setting or command line option.
+
+    # Inputs
+
+    *`message`* (String)
+
+    : Warning message to print before evaluating *`value`*.
+
+    *`value`* (any value)
+
+    : Value to return as-is.
+
+    # Type
+
+    ```
+    String -> a -> a
+    ```
+  */
+  warn =
+    # Since Nix 2.23, https://github.com/NixOS/nix/pull/10592
+    builtins.warn or (
+      let
+        mustAbort = builtins.elem (builtins.getEnv "NIX_ABORT_ON_WARN") [
+          "1"
+          "true"
+          "yes"
+        ];
+      in
+      # Do not eta reduce v, so that we have the same strictness as `builtins.warn`.
+      msg: v:
+      # `builtins.warn` requires a string message, so we enforce that in our implementation, so that callers aren't accidentally incompatible with newer Nix versions.
+      assert builtins.isString msg;
+      if mustAbort then
+        builtins.trace "evaluation warning: ${msg}" (
+          abort "NIX_ABORT_ON_WARN=true; warnings are treated as unrecoverable errors."
+        )
+      else
+        builtins.trace "evaluation warning: ${msg}" v
+    );
+}

lib/nix-patches/default.nix

@@ -0,0 +1,85 @@
+# Copyright Tom Hubrecht, (2023-2024)
+# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  patchFile,
+  excludeGitHubManual ? true,
+  fetchers ? { },
+}:
+
+rec {
+  base =
+    { pkgs }:
+    rec {
+      mkUrlPatch =
+        attrs:
+        pkgs.fetchpatch (
+          {
+            hash = pkgs.lib.fakeHash;
+          }
+          // attrs
+          // (pkgs.lib.optionalAttrs (excludeGitHubManual && !(builtins.hasAttr "includes" attrs)) {
+            excludes = (attrs.excludes or [ ]) ++ [ "nixos/doc/manual/*" ];
+          })
+        );
+
+      mkGitHubPatch =
+        { id, ... }@attrs:
+        mkUrlPatch (
+          (builtins.removeAttrs attrs [ "id" ])
+          // {
+            url = "https://github.com/NixOS/nixpkgs/pull/${builtins.toString id}.diff";
+          }
+        );
+
+      mkCommitPatch =
+        { sha, ... }@attrs:
+        mkUrlPatch (
+          (builtins.removeAttrs attrs [ "sha" ])
+          // {
+            url = "https://github.com/NixOS/nixpkgs/commit/${builtins.toString sha}.diff";
+          }
+        );
+
+      patchFunctions = {
+        commit = mkCommitPatch;
+        github = mkGitHubPatch;
+        remote = pkgs.fetchpatch;
+        static = attrs: attrs.path;
+        url = mkUrlPatch;
+      } // fetchers;
+
+      mkPatch =
+        {
+          _type ? "github",
+          ...
+        }@attrs:
+        if builtins.hasAttr _type patchFunctions then
+          patchFunctions.${_type} (builtins.removeAttrs attrs [ "_type" ])
+        else
+          throw "Unknown patch type: ${builtins.toString _type}.";
+
+      mkPatches = v: builtins.map mkPatch ((import patchFile).${v} or [ ]);
+
+      applyPatches =
+        {
+          src,
+          name,
+          patches ? mkPatches name,
+        }:
+        if patches == [ ] then
+          src
+        else
+          pkgs.applyPatches {
+            inherit patches src;
+
+            name = "${name}-patched";
+          };
+
+      applyPatches' = name: src: applyPatches { inherit name src; };
+    };
+
+  mkNixpkgsSrc = { src, name }: (base { pkgs = import src { }; }).applyPatches { inherit src name; };
+}

machines/compute01/_configuration.nix

@@ -1,43 +0,0 @@
-{ lib, ... }:
-
-lib.extra.mkConfig {
-  enabledModules = [
-    # List of modules to enable
-    "dgn-backups"
-    "dgn-fail2ban"
-    "dgn-web"
-  ];
-
-  enabledServices = [
-    # List of services to enable
-    "arkheon"
-    "ds-fr"
-    "grafana"
-    "hedgedoc"
-    "k-radius"
-    "kanidm"
-    "librenms"
-    "mastodon"
-    "nextcloud"
-    "outline"
-    "rstudio-server"
-    "satosa"
-    "telegraf"
-    "vaultwarden"
-    "zammad"
-    "signald"
-  ];
-
-  extraConfig = {
-    dgn-fail2ban.jails = lib.extra.enableAttrs' "enabled" [
-      "sshd-bruteforce"
-      "sshd-timeout"
-    ];
-
-    dgn-hardware.useZfs = true;
-
-    services.netbird.enable = true;
-  };
-
-  root = ./.;
-}

machines/compute01/ds-fr/module.nix

@@ -1,421 +0,0 @@
-# Copyright Tom Hubrecht, (2023)
-#
-# Tom Hubrecht <tom@hubrecht.ovh>
-#
-# This software is a computer program whose purpose is to configure
-# machines and servers with NixOS.
-#
-# This software is governed by the CeCILL  license under French law and
-# abiding by the rules of distribution of free software.  You can  use,
-# modify and/ or redistribute the software under the terms of the CeCILL
-# license as circulated by CEA, CNRS and INRIA at the following URL
-# "http://www.cecill.info".
-#
-# As a counterpart to the access to the source code and  rights to copy,
-# modify and redistribute granted by the license, users are provided only
-# with a limited warranty  and the software's author,  the holder of the
-# economic rights,  and the successive licensors  have only  limited
-# liability.
-#
-# In this respect, the user's attention is drawn to the risks associated
-# with loading,  using,  modifying and/or developing or reproducing the
-# software by the user in light of its specific status of free software,
-# that may mean  that it is complicated to manipulate,  and  that  also
-# therefore means  that it is reserved for developers  and  experienced
-# professionals having in-depth computer knowledge. Users are therefore
-# encouraged to load and test the software's suitability as regards their
-# requirements in conditions enabling the security of their systems and/or
-# data to be ensured and,  more generally, to use and operate it in the
-# same conditions as regards security.
-#
-# The fact that you are presently reading this means that you have had
-# knowledge of the CeCILL license and that you accept its terms.
-
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-let
-  inherit (lib)
-    mdDoc
-    mkDefault
-    mkEnableOption
-    mkIf
-    mkOption
-
-    optional
-    optionalString
-
-    types
-    ;
-
-  cfg = config.services.demarches-simplifiees;
-
-  settingsFormat = pkgs.formats.keyValue { };
-
-  env = settingsFormat.generate "ds-fr-env" cfg.settings;
-
-  ds-fr = pkgs.writeShellScriptBin "ds-fr" ''
-    set -a
-    cd ${cfg.package}
-
-    ${optionalString (cfg.secretFile != null) "source ${cfg.secretFile}"}
-    source ${env}
-
-    BIN="$1"
-    shift
-
-    SUDO="exec"
-    if [[ $USER != ${cfg.user} ]]; then
-      SUDO='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env'
-    fi
-
-    $SUDO ${cfg.package}/bin/$BIN "$@"
-  '';
-in
-{
-  options.services.demarches-simplifiees = {
-    enable = mkEnableOption "demarches-simplifiees.";
-
-    package = mkOption {
-      type = types.package;
-      default = pkgs.callPackage ./package { inherit (cfg) initialDeploymentDate dataDir logDir; };
-    };
-
-    user = mkOption {
-      type = types.str;
-      default = "ds-fr";
-      description = mdDoc "User account under which DS runs.";
-    };
-
-    group = mkOption {
-      type = types.str;
-      default = "ds-fr";
-      description = mdDoc "Group account under which DS runs.";
-    };
-
-    dataDir = mkOption {
-      type = types.str;
-      default = "/var/lib/ds-fr";
-    };
-
-    logDir = mkOption {
-      type = types.str;
-      default = "/var/log/ds-fr";
-    };
-
-    secretFile = mkOption {
-      type = types.nullOr types.path;
-      default = null;
-    };
-
-    settings = mkOption { inherit (settingsFormat) type; };
-
-    initialDeploymentDate = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-    };
-  };
-
-  config = mkIf cfg.enable {
-
-    environment.systemPackages = [ ds-fr ];
-
-    systemd.tmpfiles.rules = [
-      "f '${cfg.logDir}/production.log' 0640 ${cfg.user} ${cfg.group} - -"
-      "f '${cfg.dataDir}/.env' 0600 ${cfg.user} ${cfg.group} - -"
-      "d '${cfg.dataDir}/tmp' 0700 ${cfg.user} ${cfg.group} 10d -"
-      "d '${cfg.dataDir}/storage' 0700 ${cfg.user} ${cfg.group} - -"
-    ];
-
-    systemd.services = {
-      ds-fr-setup = {
-        description = "Demarches Simplifiees setup";
-
-        wantedBy = [ "multi-user.target" ];
-        path = [
-          pkgs.bash
-          ds-fr
-        ];
-        after = [ "postgresql.service" ];
-
-        serviceConfig = {
-          Type = "oneshot";
-          User = cfg.user;
-          Group = cfg.group;
-          EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
-          StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
-          LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
-        };
-
-        script = ''
-          [[ ! -f ${cfg.dataDir}/.initial-migration ]] \
-            && ds-fr rails db:environment:set \
-            && ds-fr rails db:schema:load \
-            && ds-fr rails db:seed \
-            && touch ${cfg.dataDir}/.initial-migration
-
-          ds-fr rake db:migrate
-          ds-fr rake after_party:run
-        '';
-      };
-
-      ds-fr-work = {
-        description = "Demarches Simplifiees work service";
-
-        wantedBy = [
-          "multi-user.target"
-          "ds-fr.service"
-        ];
-        after = [
-          "network.target"
-          "ds-fr-setup.service"
-        ];
-        requires = [ "ds-fr-setup.service" ];
-
-        serviceConfig = {
-          ExecStart = "${ds-fr}/bin/ds-fr rails jobs:work";
-          EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
-          User = cfg.user;
-          Group = cfg.group;
-          StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
-          LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
-        };
-      };
-
-      ds-fr = {
-        description = "Demarches Simplifiees web service";
-
-        wantedBy = [ "multi-user.target" ];
-        after = [
-          "network.target"
-          "ds-fr-setup.service"
-        ];
-        requires = [ "ds-fr-setup.service" ];
-        path = [ pkgs.imagemagick ];
-
-        serviceConfig = {
-          ExecStart = "${ds-fr}/bin/ds-fr rails server";
-          Environment = [ "RAILS_QUEUE_ADAPTER=delayed_job" ];
-          EnvironmentFile = [ env ] ++ (optional (cfg.secretFile != null) cfg.secretFile);
-          User = cfg.user;
-          Group = cfg.group;
-          StateDirectory = mkIf (cfg.dataDir == "/var/lib/ds-fr") "ds-fr";
-          LogsDirectory = mkIf (cfg.logDir == "/var/log/ds-fr") "ds-fr";
-        };
-      };
-    };
-
-    services = {
-      demarches-simplifiees.settings =
-        (builtins.mapAttrs (_: mkDefault) {
-          RAILS_ENV = "production";
-          RAILS_ROOT = builtins.toString cfg.package;
-
-          # Application host name
-          #
-          # Examples:
-          # * For local development: localhost:3000
-          # * For preproduction: staging.ds.example.org
-          # * For production: ds.example.org
-          APP_HOST = "localhost:3000";
-
-          # Rails key for signing sensitive data
-          # See https://guides.rubyonrails.org/security.html
-          #
-          # For production you MUST generate a new key, and keep it secret.
-          # Secrets must be long and random. Use bin/rails secret to get new unique secrets.
-
-          # Secret key for One-Time-Password codes, used for 2-factors authentication
-          # OTP_SECRET_KEY = "";
-
-          # Protect access to the instance with a static login/password (useful for staging environments)
-          BASIC_AUTH_ENABLED = "disabled";
-          BASIC_AUTH_USERNAME = "";
-          BASIC_AUTH_PASSWORD = "";
-
-          # ActiveStorage service to use for attached files.
-          # Possible values:
-          # - "local": store files on the local filesystem
-          # - "amazon": store files remotely on an S3 storage service
-          # - "openstack": store files remotely on an OpenStack storage service
-          #
-          # (See config/storage.yml for the configuration of each service.)
-          ACTIVE_STORAGE_SERVICE = "local";
-
-          # Configuration for the OpenStack storage service (if enabled)
-          FOG_OPENSTACK_API_KEY = "";
-          FOG_OPENSTACK_USERNAME = "";
-          FOG_OPENSTACK_URL = "";
-          FOG_OPENSTACK_REGION = "";
-          DS_PROXY_URL = "";
-
-          # SAML
-          SAML_IDP_ENABLED = "disabled";
-
-          # External service: authentication through France Connect
-          FC_PARTICULIER_ID = "";
-          FC_PARTICULIER_SECRET = "";
-          FC_PARTICULIER_BASE_URL = "";
-
-          # External service: authentication through Agent Connect
-          AGENT_CONNECT_ID = "";
-          AGENT_CONNECT_SECRET = "";
-          AGENT_CONNECT_BASE_URL = "";
-          AGENT_CONNECT_JWKS = "";
-          AGENT_CONNECT_REDIRECT = "";
-
-          # External service: integration with HelpScout (optional)
-          HELPSCOUT_MAILBOX_ID = "";
-          HELPSCOUT_CLIENT_ID = "";
-          HELPSCOUT_CLIENT_SECRET = "";
-          HELPSCOUT_WEBHOOK_SECRET = "";
-
-          # External service: external supervision
-          SENTRY_ENABLED = "disabled";
-          SENTRY_CURRENT_ENV = "development";
-          SENTRY_DSN_RAILS = "";
-          SENTRY_DSN_JS = "";
-
-          # External service: Matomo web analytics
-          MATOMO_ENABLED = "disabled";
-          MATOMO_COOKIE_DOMAIN = "*.www.demarches-simplifiees.fr";
-          MATOMO_DOMAIN = "*.www.demarches-simplifiees.fr";
-          MATOMO_ID = "";
-          MATOMO_HOST = "matomo.example.org";
-
-          # Default SMTP Provider: Mailjet
-          MAILJET_API_KEY = "";
-          MAILJET_SECRET_KEY = "";
-
-          # Alternate SMTP Provider: SendInBlue/DoList
-          SENDINBLUE_CLIENT_KEY = "";
-          SENDINBLUE_SMTP_KEY = "";
-          SENDINBLUE_USER_NAME = "";
-          # SENDINBLUE_LOGIN_URL="https://app.sendinblue.com/account/saml/login/truc"
-
-          # Alternate SMTP Provider: Mailtrap (mail catcher for staging environments)
-          # When enabled, all emails will be sent using this provider
-          MAILTRAP_ENABLED = "disabled";
-          MAILTRAP_USERNAME = "";
-          MAILTRAP_PASSWORD = "";
-
-          # Alternative SMTP Provider: Mailcatcher (Catches mail and serves it through a dream.)
-          # When enabled, all emails will be sent using this provider
-          MAILCATCHER_ENABLED = "disabled";
-          MAILCATCHER_HOST = "";
-          MAILCATCHER_PORT = "";
-
-          # External service: live chat for admins (specific to démarches-simplifiées.fr)
-          CRISP_ENABLED = "disabled";
-          CRISP_CLIENT_KEY = "";
-
-          # API Entreprise credentials
-          # https://api.gouv.fr/api/api-entreprise.html
-          API_ENTREPRISE_KEY = "";
-
-          # External service: CRM for following admin accounts pipeline (specific to démarches-simplifiées.fr)
-          PIPEDRIVE_KEY = "";
-
-          # Networks bypassing the email login token that verifies new devices, and rack-attack throttling
-          TRUSTED_NETWORKS = "";
-
-          # External service: mesuring performance of the Rails app (specific to démarches-simplifiées.fr)
-          SKYLIGHT_AUTHENTICATION_KEY = "";
-          #   "sXaot-fKhBlkI8qaSirQyuZbrpv5sVFoOturQ0pFEh0";
-
-          # Enable or disable Lograge logs
-          LOGRAGE_ENABLED = "disabled";
-
-          # Logs source for Lograge
-          #
-          # Examples:
-          # * For local development: tps_local
-          # * For preproduction: tps_staging
-          # * For production: tps_prod
-          LOGRAGE_SOURCE = "tps_prod";
-
-          # External service: timestamping a daily archive of dossiers status changes
-          UNIVERSIGN_API_URL = "https://ws.universign.eu/tsa/post/";
-          UNIVERSIGN_USERPWD = "";
-
-          # External service: API Geo / Adresse
-          API_ADRESSE_URL = "https://api-adresse.data.gouv.fr";
-          API_GEO_URL = "https://geo.api.gouv.fr";
-
-          # External service: API Education
-          API_EDUCATION_URL = "https://data.education.gouv.fr/api/records/1.0";
-
-          # Encryption key for sensitive columns in the database
-          ENCRYPTION_SERVICE_SALT = "";
-
-          # ActiveRecord encryption keys. Generate them with bin/rails db:encryption:init (you can omit deterministic_key)
-          AR_ENCRYPTION_PRIMARY_KEY = "";
-          AR_ENCRYPTION_KEY_DERIVATION_SALT = "";
-
-          # Salt for invisible_captcha session data.
-          # Must be the same value for all app instances behind a load-balancer.
-          INVISIBLE_CAPTCHA_SECRET = "kikooloool";
-
-          # Clamav antivirus usage
-          CLAMAV_ENABLED = "disabled";
-
-          # Siret number used for API Entreprise, by default we use SIRET from dinum
-          API_ENTREPRISE_DEFAULT_SIRET = "put_your_own_siret";
-        })
-        // {
-          # Database credentials
-          DB_DATABASE = "ds-fr";
-          DB_USERNAME = cfg.user;
-          DB_PASSWORD = "";
-          DB_HOST = "/run/postgresql";
-          DB_POOL = "";
-
-          # Log on stdout
-          RAILS_LOG_TO_STDOUT = true;
-        };
-
-      postgresql = {
-        enable = true;
-
-        ensureDatabases = [ "ds-fr" ];
-
-        ensureUsers = optional (cfg.user == "ds-fr") {
-          name = "ds-fr";
-          ensureDBOwnership = true;
-        };
-
-        extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
-      };
-
-      nginx = {
-        enable = true;
-
-        virtualHosts.${cfg.settings.APP_HOST} = {
-          enableACME = true;
-          forceSSL = true;
-          root = "${cfg.package}/public/";
-
-          locations."/".tryFiles = "$uri @proxy";
-          locations."@proxy" = {
-            proxyPass = "http://127.0.0.1:3000";
-          };
-        };
-      };
-    };
-
-    users.users = mkIf (cfg.user == "ds-fr") {
-      ds-fr = {
-        inherit (cfg) group;
-
-        isSystemUser = true;
-        home = cfg.package;
-      };
-    };
-
-    users.groups.${cfg.group} = { };
-  };
-}

machines/compute01/ds-fr/package/default.nix

@@ -1,160 +0,0 @@
-{
-  lib,
-  stdenv,
-  fetchFromGitHub,
-  git,
-  fetchYarnDeps,
-  yarn,
-  fixup_yarn_lock,
-  nodejs,
-  ruby_3_2,
-  bundlerEnv,
-  logDir ? "/var/log/ds-fr",
-  dataDir ? "/var/lib/ds-fr",
-  initialDeploymentDate ? "17941030",
-}:
-
-let
-  inherit (lib) getExe;
-
-  # Head of the DGNum repo
-  dgn-id = "12e4a32ca5d909a90ca6f7e53081cc6b6b14c416";
-
-  pname = "ds-fr";
-  meta = import ./meta.nix;
-
-  inherit (meta) version;
-
-  src = fetchFromGitHub {
-    owner = "demarches-simplifiees";
-    repo = "demarches-simplifiees.fr";
-    rev = version;
-    hash = meta.src-hash;
-  };
-
-  rubyEnv = bundlerEnv {
-    name = "env-${pname}";
-    gemdir = ./rubyEnv;
-    ruby = ruby_3_2;
-    gemset = (import ./rubyEnv/gemset.nix) // {
-      bundler = {
-        groups = [ "default" ];
-        platforms = [ ];
-        source = {
-          remotes = [ "https://rubygems.org" ];
-          sha256 = "deeQ3fNwcSiGSO/yeB2yoTniRq2gHW8WueprXoPX6Jk=";
-          type = "gem";
-        };
-        version = "2.3.11";
-      };
-    };
-  };
-
-  dsModules = stdenv.mkDerivation {
-    pname = "${pname}-modules";
-    inherit src version;
-
-    offlineCache = fetchYarnDeps {
-      yarnLock = "${src}/yarn.lock";
-      hash = meta.deps-hash;
-    };
-
-    buildInputs = [ rubyEnv ];
-    nativeBuildInputs = [
-      fixup_yarn_lock
-      nodejs
-      yarn
-      rubyEnv.wrappedRuby
-    ];
-
-    RAILS_ENV = "production";
-    NODE_ENV = "dev";
-
-    patches = [
-      # Disable functionnalities as we only precompile assets
-      ./patches/build.patch
-    ];
-
-    postPatch = ''
-      ${getExe git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
-    '';
-
-    OTP_SECRET_KEY = "precompile_placeholder";
-    SECRET_KEY_BASE = "precompile_placeholder";
-    APP_HOST = "precompile_placeholder";
-
-    buildPhase = ''
-      export HOME=$(mktemp -d)
-      yarn config --offline set yarn-offline-mirror $offlineCache
-      fixup_yarn_lock yarn.lock
-      yarn install --offline --frozen-lockfile --ignore-platform --ignore-scripts --no-progress --non-interactive
-
-      patchShebangs node_modules/
-      patchShebangs bin/
-
-      bin/rake assets:precompile
-
-      yarn cache clean --offline
-      rm -rf node_modules/
-    '';
-
-    installPhase = ''
-      mkdir -p $out/public
-      cp -r public/* $out/public
-    '';
-  };
-in
-stdenv.mkDerivation {
-  name = "demarches-simplifiees.fr-${version}";
-
-  inherit src;
-
-  buildInputs = [ rubyEnv ];
-  propagatedBuildInputs = [ rubyEnv.wrappedRuby ];
-
-  patches = [
-    ./patches/replay_routing_engine_for_a_cloned_procedure.patch
-    ./patches/smtp_settings.patch
-    ./patches/garage.patch
-  ];
-
-  postPatch = ''
-    ${getExe git} apply -p1 < ${builtins.fetchurl "https://git.dgnum.eu/DGNum/demarches-normaliennes/commit/${dgn-id}.patch"}
-  '';
-
-  buildPhase = ''
-    rm -rf public
-    ln -s ${dsModules}/public/ public
-
-    patchShebangs bin/
-
-    rm -rf log storage
-    ln -s ${logDir} log
-    ln -s ${dataDir}/tmp tmp
-    ln -s ${dataDir}/storage storage
-
-    for f in $(ls lib/tasks/deployment/); do
-      [[ ! ${initialDeploymentDate} < $f ]] \
-        && rm lib/tasks/deployment/$f;
-    done;
-
-    echo "Removed unused data migrations"
-  '';
-
-  installPhase = ''
-    mkdir -p $out
-    cp -r * $out/
-  '';
-
-  passthru = {
-    inherit rubyEnv;
-    ruby = rubyEnv.wrappedRuby;
-  };
-
-  meta = with lib; {
-    description = "Dématérialiser et simplifier les démarches administratives";
-    homepage = "https://github.com/demarches-simplifiees/demarches-simplifiees.fr";
-    license = licenses.agpl3Only;
-    maintainers = with maintainers; [ thubrecht ];
-  };
-}

machines/compute01/ds-fr/package/meta.nix

@@ -1,5 +0,0 @@
-{
-  version = "2024-03-26-01";
-  src-hash = "sha256-JLwbeCGZNFxzZnh6bcheNUkrg/51UG4IM9pln+ridSs=";
-  deps-hash = "sha256-ZtZ1iqKHWGPR5+BDOtOvrpgdndfP5IiqrLkju96YAM4=";
-}

machines/compute01/ds-fr/package/patches/build.patch

@@ -1,42 +0,0 @@
-diff --git a/config/environments/production.rb b/config/environments/production.rb
-index 16d8c8e84..6262b8782 100644
---- a/config/environments/production.rb
-+++ b/config/environments/production.rb
-@@ -118,7 +118,7 @@ Rails.application.configure do
-   # the I18n.default_locale when a translation cannot be found).
-   config.i18n.fallbacks = true
- 
--  config.active_storage.service = ENV.fetch("ACTIVE_STORAGE_SERVICE").to_sym
-+  config.active_storage.service = ENV.fetch("ACTIVE_STORAGE_SERVICE", 'local').to_sym
- 
-   # Send deprecation notices to registered listeners.
-   config.active_support.deprecation = :notify
-@@ -174,5 +174,5 @@ Rails.application.configure do
-   # The Content-Security-Policy is NOT in Report-Only mode
-   config.content_security_policy_report_only = false
- 
--  config.lograge.enabled = ENV['LOGRAGE_ENABLED'] == 'enabled'
-+  config.lograge.enabled = ENV.fetch('LOGRAGE_ENABLED', 'disabled') == 'enabled'
- end
-
-diff --git a/config/initializers/mailcatcher.rb b/config/initializers/mailcatcher.rb
-index 8b931f704..dbeceb4ec 100644
---- a/config/initializers/mailcatcher.rb
-+++ b/config/initializers/mailcatcher.rb
-@@ -1,4 +1,4 @@
--if ENV.fetch('MAILCATCHER_ENABLED') == 'enabled'
-+if ENV.fetch('MAILCATCHER_ENABLED', 'disabled') == 'enabled'
-   ActiveSupport.on_load(:action_mailer) do
-     module Mailcatcher
-       class SMTP < ::Mail::SMTP; end
-
-diff --git a/config/initializers/mailtrap.rb b/config/initializers/mailtrap.rb
-index 6d1faa04b..658673ed1 100644
---- a/config/initializers/mailtrap.rb
-+++ b/config/initializers/mailtrap.rb
-@@ -1,4 +1,4 @@
--if ENV.fetch('MAILTRAP_ENABLED') == 'enabled'
-+if ENV.fetch('MAILTRAP_ENABLED', 'disabled') == 'enabled'
-   ActiveSupport.on_load(:action_mailer) do
-     module Mailtrap
-       class SMTP < ::Mail::SMTP; end

machines/compute01/ds-fr/package/patches/garage.patch

@@ -1,16 +0,0 @@
-diff --git a/config/storage.yml b/config/storage.yml
-index d2b2d241f..1b2744504 100644
---- a/config/storage.yml
-+++ b/config/storage.yml
-@@ -19,3 +19,11 @@ amazon:
-   secret_access_key: <%= ENV.fetch("S3_SECRET_ACCESS_KEY", "") %>
-   region: <%= ENV.fetch("S3_REGION", "") %>
-   bucket: <%= ENV.fetch("S3_BUCKET", "") %>
-+garage:
-+  service: S3
-+  access_key_id: <%= ENV.fetch("S3_ACCESS_KEY_ID", "") %>
-+  secret_access_key: <%= ENV.fetch("S3_SECRET_ACCESS_KEY", "") %>
-+  region: <%= ENV.fetch("S3_REGION", "garage") %>
-+  bucket: <%= ENV.fetch("S3_BUCKET", "") %>
-+  endpoint: <%= ENV.fetch("S3_ENDPOINT", "") %>
-+  force_path_style: <%= ENV.fetch("S3_FORCE_PATH_STYLE", "").present? %>

machines/compute01/ds-fr/package/patches/replay_routing_engine_for_a_cloned_procedure.patch

@@ -1,35 +0,0 @@
-diff --git a/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake b/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake
-index 9d4f3a284..04d62a63b 100644
---- a/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake
-+++ b/lib/tasks/deployment/20230613114744_replay_routing_engine_for_a_cloned_procedure.rake
-@@ -4,18 +4,18 @@ namespace :after_party do
-     puts "Running deploy task 'replay_routing_engine_for_a_cloned_procedure'"
- 
-     # Put your task implementation HERE.
--    dossiers = Procedure
--      .find(76266)
--      .dossiers
--      .en_construction
--
--    progress = ProgressReport.new(dossiers.count)
--
--    dossiers.find_each do |dossier|
--      RoutingEngine.compute(dossier)
--      progress.inc
--    end
--    progress.finish
-+    # dossiers = Procedure
-+    #   .find(76266)
-+    #   .dossiers
-+    #   .en_construction
-+    #
-+    # progress = ProgressReport.new(dossiers.count)
-+    #
-+    # dossiers.find_each do |dossier|
-+    #   RoutingEngine.compute(dossier)
-+    #   progress.inc
-+    # end
-+    # progress.finish
- 
-     # Update task as completed.  If you remove the line below, the task will
-     # run with every deploy (or every time you call after_party:run).

machines/compute01/ds-fr/package/patches/smtp_settings.patch

@@ -1,14 +0,0 @@
-diff --git a/config/environments/production.rb b/config/environments/production.rb
-index 16d8c8e84..e0326d26d 100644
---- a/config/environments/production.rb
-+++ b/config/environments/production.rb
-@@ -86,7 +86,8 @@ Rails.application.configure do
-       user_name:            ENV.fetch("SMTP_USER"),
-       password:             ENV.fetch("SMTP_PASS"),
-       authentication:       ENV.fetch("SMTP_AUTHENTICATION"),
--      enable_starttls_auto: ENV.fetch("SMTP_TLS").present?
-+      enable_starttls_auto: ENV.fetch("SMTP_TLS").present?,
-+      ssl:                  ENV.fetch("SMTP_SSL").present?
-     }
-   elsif ENV['SENDMAIL_ENABLED'] == 'enabled'
-     config.action_mailer.delivery_method = :sendmail

machines/compute01/ds-fr/package/patches/uninterlace_png.patch

@@ -1,12 +0,0 @@
-diff --git a/app/controllers/concerns/uninterlace_png_concern.rb b/app/controllers/concerns/uninterlace_png_concern.rb
-index 8e9d06251..0870357c6 100644
---- a/app/controllers/concerns/uninterlace_png_concern.rb
-+++ b/app/controllers/concerns/uninterlace_png_concern.rb
-@@ -14,6 +14,6 @@ module UninterlacePngConcern
- 
-   def interlaced?(png_path)
-     png = MiniMagick::Image.open(png_path)
--    png.data["interlace"] != "None"
-+    png.details["interlace"] != "None"
-   end
- end

machines/compute01/ds-fr/package/rubyEnv/Gemfile

@@ -1,148 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'rails', '~> 7.0.8' # allows update to security fixes at any time
-
-gem 'aasm'
-gem 'acsv'
-gem 'active_model_serializers'
-gem 'activestorage-openstack'
-gem 'active_storage_validations'
-gem 'addressable'
-gem 'administrate'
-gem 'administrate-field-enum' # Allow using Field::Enum in administrate
-gem 'after_party'
-gem 'ancestry'
-gem 'anchored'
-gem 'bcrypt'
-gem 'bootsnap', '>= 1.4.4', require: false # Reduces boot times through caching; required in config/boot.rb
-gem 'browser'
-gem 'charlock_holmes'
-gem 'chartkick'
-gem 'chunky_png'
-gem 'clamav-client', require: 'clamav/client'
-gem 'daemons'
-gem 'deep_cloneable' # Enable deep clone of active record models
-gem 'delayed_cron_job' # Cron jobs
-gem 'delayed_job_active_record'
-gem 'delayed_job_web'
-gem 'devise', git: 'https://github.com/heartcombo/devise.git', ref: "edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1" # Gestion des comptes utilisateurs, drop ref on next release: 4.9.4
-gem 'devise-i18n'
-gem 'devise-two-factor'
-gem 'discard'
-gem 'dotenv-rails', require: 'dotenv/rails-now' # dotenv should always be loaded before rails
-gem 'dry-monads'
-gem 'faraday-jwt'
-gem 'flipper'
-gem 'flipper-active_record'
-gem 'flipper-active_support_cache_store'
-gem 'flipper-ui'
-gem 'fugit'
-gem 'geocoder'
-gem 'geo_coord', require: "geo/coord"
-gem 'gitlab-sidekiq-fetcher', require: 'sidekiq-reliable-fetch', git: 'https://github.com/demarches-simplifiees/reliable-fetch.git'
-gem 'gon'
-gem 'graphql', '2.0.24'
-gem 'graphql-batch', '0.5.1'
-gem 'graphql-rails_logger'
-gem 'groupdate'
-gem 'haml-rails'
-gem 'hashie'
-gem 'http_accept_language'
-gem 'i18n_data'
-gem 'i18n-tasks', require: false
-gem 'iban-tools'
-gem 'image_processing'
-gem 'invisible_captcha'
-gem 'json_schemer'
-gem 'jwt'
-gem 'kaminari'
-gem 'kredis'
-gem 'listen' # Required by ActiveSupport::EventedFileUpdateChecker
-gem 'lograge'
-gem 'logstash-event'
-gem 'maintenance_tasks'
-gem 'matrix' # needed by prawn and not default in ruby 3.1
-gem 'mini_magick'
-gem 'net-imap', require: false # See https://github.com/mikel/mail/pull/1439
-gem 'net-pop', require: false # same
-gem 'net-smtp', require: false # same
-gem 'openid_connect'
-gem 'parsby'
-gem 'pg'
-gem 'phonelib'
-gem 'prawn-rails' # PDF Generation
-gem 'premailer-rails'
-gem 'puma' # Use Puma as the app server
-gem 'pundit'
-gem 'rack-attack'
-gem 'rails-i18n' # Locales par défaut
-gem 'rake-progressbar', require: false
-gem 'redcarpet'
-gem 'redis'
-gem 'rexml' # add missing gem due to ruby3 (https://github.com/Shopify/bootsnap/issues/325)
-gem 'rqrcode'
-gem 'saml_idp'
-gem 'sassc-rails' # Use SCSS for stylesheets
-gem 'sentry-delayed_job'
-gem 'sentry-rails'
-gem 'sentry-ruby'
-gem 'sentry-sidekiq'
-gem 'sib-api-v3-sdk'
-gem 'sidekiq'
-gem 'skylight'
-gem 'spreadsheet_architect'
-gem 'strong_migrations' # lint database migrations
-gem 'turbo-rails'
-gem 'typhoeus'
-gem 'ulid-ruby', require: 'ulid'
-gem 'view_component'
-gem 'vite_rails'
-gem 'warden'
-gem 'zipline'
-gem 'zxcvbn-ruby', require: 'zxcvbn'
-
-group :test do
-  gem 'axe-core-rspec' # accessibility rspec matchers
-  gem 'capybara' # Integration testing
-  gem 'capybara-email' # Access emails during integration tests
-  gem 'capybara-screenshot' # Save a dump of the page when an integration test fails
-  gem 'factory_bot'
-  gem 'launchy'
-  gem 'rack_session_access'
-  gem 'rails-controller-testing'
-  gem 'rspec_junit_formatter'
-  gem 'rspec-retry'
-  gem 'selenium-devtools'
-  gem 'selenium-webdriver'
-  gem 'shoulda-matchers', require: false
-  gem 'timecop'
-  gem 'vcr'
-  gem 'webmock'
-end
-
-group :development do
-  gem 'benchmark-ips', require: false
-  gem 'brakeman', require: false
-  gem 'haml-lint'
-  gem 'letter_opener_web'
-  gem 'memory_profiler'
-  gem 'rack-mini-profiler'
-  gem 'rails-erd', require: false # generates `doc/database_models.pdf`
-  gem 'rubocop', require: false
-  gem 'rubocop-performance', require: false
-  gem 'rubocop-rails', require: false
-  gem 'rubocop-rspec', require: false
-  gem 'scss_lint', require: false
-  gem 'stackprof'
-  gem 'web-console'
-end
-
-group :development, :test do
-  gem 'graphql-schema_comparator'
-  gem 'irb'
-  gem 'mina', require: false # Deploy
-  gem 'rspec-rails'
-  gem 'simple_xlsx_reader'
-  gem 'spring' # Spring speeds up development by keeping your application running in the background
-  gem 'spring-commands-rspec'
-end

machines/compute01/ds-fr/package/rubyEnv/Gemfile.lock

@@ -1,966 +0,0 @@
-GIT
-  remote: https://github.com/demarches-simplifiees/reliable-fetch.git
-  revision: f547a270c402b0180091516d790434e83287fae7
-  specs:
-    gitlab-sidekiq-fetcher (0.11.0)
-      json (>= 2.5)
-      sidekiq (~> 7.0)
-
-GIT
-  remote: https://github.com/heartcombo/devise.git
-  revision: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
-  ref: edffc79bf05d7f1c58ba50ffeda645e2e4ae0cb1
-  specs:
-    devise (4.9.3)
-      bcrypt (~> 3.0)
-      orm_adapter (~> 0.1)
-      railties (>= 4.1.0)
-      responders
-      warden (~> 1.2.3)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    aasm (5.5.0)
-      concurrent-ruby (~> 1.0)
-    acsv (0.0.1)
-    actioncable (7.0.8.1)
-      actionpack (= 7.0.8.1)
-      activesupport (= 7.0.8.1)
-      nio4r (~> 2.0)
-      websocket-driver (>= 0.6.1)
-    actionmailbox (7.0.8.1)
-      actionpack (= 7.0.8.1)
-      activejob (= 7.0.8.1)
-      activerecord (= 7.0.8.1)
-      activestorage (= 7.0.8.1)
-      activesupport (= 7.0.8.1)
-      mail (>= 2.7.1)
-      net-imap
-      net-pop
-      net-smtp
-    actionmailer (7.0.8.1)
-      actionpack (= 7.0.8.1)
-      actionview (= 7.0.8.1)
-      activejob (= 7.0.8.1)
-      activesupport (= 7.0.8.1)
-      mail (~> 2.5, >= 2.5.4)
-      net-imap
-      net-pop
-      net-smtp
-      rails-dom-testing (~> 2.0)
-    actionpack (7.0.8.1)
-      actionview (= 7.0.8.1)
-      activesupport (= 7.0.8.1)
-      rack (~> 2.0, >= 2.2.4)
-      rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (7.0.8.1)
-      actionpack (= 7.0.8.1)
-      activerecord (= 7.0.8.1)
-      activestorage (= 7.0.8.1)
-      activesupport (= 7.0.8.1)
-      globalid (>= 0.6.0)
-      nokogiri (>= 1.8.5)
-    actionview (7.0.8.1)
-      activesupport (= 7.0.8.1)
-      builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    active_model_serializers (0.10.14)
-      actionpack (>= 4.1)
-      activemodel (>= 4.1)
-      case_transform (>= 0.2)
-      jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
-    active_storage_validations (1.1.4)
-      activejob (>= 5.2.0)
-      activemodel (>= 5.2.0)
-      activestorage (>= 5.2.0)
-      activesupport (>= 5.2.0)
-    activejob (7.0.8.1)
-      activesupport (= 7.0.8.1)
-      globalid (>= 0.3.6)
-    activemodel (7.0.8.1)
-      activesupport (= 7.0.8.1)
-    activerecord (7.0.8.1)
-      activemodel (= 7.0.8.1)
-      activesupport (= 7.0.8.1)
-    activestorage (7.0.8.1)
-      actionpack (= 7.0.8.1)
-      activejob (= 7.0.8.1)
-      activerecord (= 7.0.8.1)
-      activesupport (= 7.0.8.1)
-      marcel (~> 1.0)
-      mini_mime (>= 1.1.0)
-    activestorage-openstack (1.6.0)
-      fog-openstack (>= 1.0.9)
-      marcel
-      rails (>= 5.2.2)
-    activesupport (7.0.8.1)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 1.6, < 2)
-      minitest (>= 5.1)
-      tzinfo (~> 2.0)
-    addressable (2.8.6)
-      public_suffix (>= 2.0.2, < 6.0)
-    administrate (0.20.1)
-      actionpack (>= 6.0, < 8.0)
-      actionview (>= 6.0, < 8.0)
-      activerecord (>= 6.0, < 8.0)
-      jquery-rails (~> 4.6.0)
-      kaminari (~> 1.2.2)
-      sassc-rails (~> 2.1)
-      selectize-rails (~> 0.6)
-    administrate-field-enum (0.0.9)
-      administrate (~> 0.12)
-    aes_key_wrap (1.1.0)
-    after_party (1.11.2)
-    ancestry (4.3.3)
-      activerecord (>= 5.2.6)
-    anchored (1.1.0)
-    ast (2.4.2)
-    attr_required (1.0.2)
-    axe-core-api (4.8.2)
-      dumb_delegator
-      virtus
-    axe-core-rspec (4.8.2)
-      axe-core-api
-      dumb_delegator
-      virtus
-    axiom-types (0.1.1)
-      descendants_tracker (~> 0.0.4)
-      ice_nine (~> 0.11.0)
-      thread_safe (~> 0.3, >= 0.3.1)
-    base64 (0.2.0)
-    bcrypt (3.1.20)
-    benchmark-ips (2.13.0)
-    better_html (2.0.2)
-      actionview (>= 6.0)
-      activesupport (>= 6.0)
-      ast (~> 2.0)
-      erubi (~> 1.4)
-      parser (>= 2.4)
-      smart_properties
-    bigdecimal (3.1.6)
-    bindata (2.5.0)
-    bindex (0.8.1)
-    bootsnap (1.18.3)
-      msgpack (~> 1.2)
-    brakeman (6.1.2)
-      racc
-    browser (5.3.1)
-    builder (3.2.4)
-    capybara (3.40.0)
-      addressable
-      matrix
-      mini_mime (>= 0.1.3)
-      nokogiri (~> 1.11)
-      rack (>= 1.6.0)
-      rack-test (>= 0.6.3)
-      regexp_parser (>= 1.5, < 3.0)
-      xpath (~> 3.2)
-    capybara-email (3.0.2)
-      capybara (>= 2.4, < 4.0)
-      mail
-    capybara-screenshot (1.0.26)
-      capybara (>= 1.0, < 4)
-      launchy
-    case_transform (0.2)
-      activesupport
-    caxlsx (3.4.1)
-      htmlentities (~> 4.3, >= 4.3.4)
-      marcel (~> 1.0)
-      nokogiri (~> 1.10, >= 1.10.4)
-      rubyzip (>= 1.3.0, < 3)
-    charlock_holmes (0.7.7)
-    chartkick (5.0.5)
-    choice (0.2.0)
-    chunky_png (1.4.0)
-    clamav-client (3.2.0)
-    coercible (1.0.0)
-      descendants_tracker (~> 0.0.1)
-    concurrent-ruby (1.2.3)
-    connection_pool (2.4.1)
-    content_disposition (1.0.0)
-    crack (1.0.0)
-      bigdecimal
-      rexml
-    crass (1.0.6)
-    css_parser (1.16.0)
-      addressable
-    daemons (1.4.1)
-    date (3.3.4)
-    deep_cloneable (3.2.0)
-      activerecord (>= 3.1.0, < 8)
-    delayed_cron_job (0.9.0)
-      fugit (>= 1.5)
-    delayed_job (4.1.11)
-      activesupport (>= 3.0, < 8.0)
-    delayed_job_active_record (4.1.8)
-      activerecord (>= 3.0, < 8.0)
-      delayed_job (>= 3.0, < 5)
-    delayed_job_web (1.4.4)
-      activerecord (> 3.0.0)
-      delayed_job (> 2.0.3)
-      rack-protection (>= 1.5.5)
-      sinatra (>= 1.4.4)
-    descendants_tracker (0.0.4)
-      thread_safe (~> 0.3, >= 0.3.1)
-    devise-i18n (1.12.0)
-      devise (>= 4.9.0)
-    devise-two-factor (5.0.0)
-      activesupport (~> 7.0)
-      devise (~> 4.0)
-      railties (~> 7.0)
-      rotp (~> 6.0)
-    diff-lcs (1.5.1)
-    discard (1.3.0)
-      activerecord (>= 4.2, < 8)
-    dotenv (2.8.1)
-    dotenv-rails (2.8.1)
-      dotenv (= 2.8.1)
-      railties (>= 3.2)
-    dry-cli (1.0.0)
-    dry-core (1.0.1)
-      concurrent-ruby (~> 1.0)
-      zeitwerk (~> 2.6)
-    dry-monads (1.6.0)
-      concurrent-ruby (~> 1.0)
-      dry-core (~> 1.0, < 2)
-      zeitwerk (~> 2.6)
-    dumb_delegator (1.0.0)
-    email_validator (2.2.4)
-      activemodel
-    erubi (1.12.0)
-    et-orbi (1.2.7)
-      tzinfo
-    ethon (0.16.0)
-      ffi (>= 1.15.0)
-    excon (0.109.0)
-    factory_bot (6.4.6)
-      activesupport (>= 5.0.0)
-    faraday (2.9.0)
-      faraday-net_http (>= 2.0, < 3.2)
-    faraday-follow_redirects (0.3.0)
-      faraday (>= 1, < 3)
-    faraday-jwt (0.1.0)
-      faraday (~> 2.0)
-      json-jwt (~> 1.16)
-    faraday-net_http (3.1.0)
-      net-http
-    ffi (1.16.3)
-    flipper (1.2.2)
-      concurrent-ruby (< 2)
-    flipper-active_record (1.2.2)
-      activerecord (>= 4.2, < 8)
-      flipper (~> 1.2.2)
-    flipper-active_support_cache_store (1.2.2)
-      activesupport (>= 4.2, < 8)
-      flipper (~> 1.2.2)
-    flipper-ui (1.2.2)
-      erubi (>= 1.0.0, < 2.0.0)
-      flipper (~> 1.2.2)
-      rack (>= 1.4, < 4)
-      rack-protection (>= 1.5.3, <= 4.0.0)
-      sanitize (< 7)
-    fog-core (2.4.0)
-      builder
-      excon (~> 0.71)
-      formatador (>= 0.2, < 2.0)
-      mime-types
-    fog-json (1.2.0)
-      fog-core
-      multi_json (~> 1.10)
-    fog-openstack (1.1.0)
-      fog-core (~> 2.1)
-      fog-json (>= 1.0)
-    formatador (1.1.0)
-    fugit (1.9.0)
-      et-orbi (~> 1, >= 1.2.7)
-      raabro (~> 1.4)
-    geo_coord (0.2.0)
-    geocoder (1.8.2)
-    globalid (1.2.1)
-      activesupport (>= 6.1)
-    gon (6.4.0)
-      actionpack (>= 3.0.20)
-      i18n (>= 0.7)
-      multi_json
-      request_store (>= 1.0)
-    graphql (2.0.24)
-    graphql-batch (0.5.1)
-      graphql (>= 1.10, < 3)
-      promise.rb (~> 0.7.2)
-    graphql-rails_logger (1.2.4)
-      actionpack (> 5.0)
-      activesupport (> 5.0)
-      railties (> 5.0)
-      rouge (~> 3.0)
-    graphql-schema_comparator (1.2.1)
-      bundler (>= 1.14)
-      graphql (>= 1.10, < 3.0)
-      thor (>= 0.19, < 2.0)
-    groupdate (6.4.0)
-      activesupport (>= 6.1)
-    haml (6.3.0)
-      temple (>= 0.8.2)
-      thor
-      tilt
-    haml-lint (0.999.999)
-      haml_lint
-    haml-rails (2.1.0)
-      actionpack (>= 5.1)
-      activesupport (>= 5.1)
-      haml (>= 4.0.6)
-      railties (>= 5.1)
-    haml_lint (0.56.0)
-      haml (>= 5.0)
-      parallel (~> 1.10)
-      rainbow
-      rubocop (>= 1.0)
-      sysexits (~> 1.1)
-    hana (1.3.7)
-    hashdiff (1.1.0)
-    hashie (5.0.0)
-    highline (3.0.1)
-    htmlentities (4.3.4)
-    http_accept_language (2.1.1)
-    i18n (1.14.4)
-      concurrent-ruby (~> 1.0)
-    i18n-tasks (1.0.13)
-      activesupport (>= 4.0.2)
-      ast (>= 2.1.0)
-      better_html (>= 1.0, < 3.0)
-      erubi
-      highline (>= 2.0.0)
-      i18n
-      parser (>= 3.2.2.1)
-      rails-i18n
-      rainbow (>= 2.2.2, < 4.0)
-      terminal-table (>= 1.5.1)
-    i18n_data (0.13.0)
-    iban-tools (1.2.1)
-    ice_nine (0.11.2)
-    image_processing (1.12.2)
-      mini_magick (>= 4.9.5, < 5)
-      ruby-vips (>= 2.0.17, < 3)
-    invisible_captcha (2.2.0)
-      rails (>= 5.2)
-    io-console (0.7.2)
-    irb (1.11.2)
-      rdoc
-      reline (>= 0.4.2)
-    job-iteration (1.4.1)
-      activejob (>= 5.2)
-    jquery-rails (4.6.0)
-      rails-dom-testing (>= 1, < 3)
-      railties (>= 4.2.0)
-      thor (>= 0.14, < 2.0)
-    json (2.7.1)
-    json-jwt (1.16.6)
-      activesupport (>= 4.2)
-      aes_key_wrap
-      base64
-      bindata
-      faraday (~> 2.0)
-      faraday-follow_redirects
-    json_schemer (2.1.1)
-      hana (~> 1.3)
-      regexp_parser (~> 2.0)
-      simpleidn (~> 0.2)
-    jsonapi-renderer (0.2.2)
-    jwt (2.7.1)
-    kaminari (1.2.2)
-      activesupport (>= 4.1.0)
-      kaminari-actionview (= 1.2.2)
-      kaminari-activerecord (= 1.2.2)
-      kaminari-core (= 1.2.2)
-    kaminari-actionview (1.2.2)
-      actionview
-      kaminari-core (= 1.2.2)
-    kaminari-activerecord (1.2.2)
-      activerecord
-      kaminari-core (= 1.2.2)
-    kaminari-core (1.2.2)
-    kredis (1.7.0)
-      activemodel (>= 6.0.0)
-      activesupport (>= 6.0.0)
-      redis (>= 4.2, < 6)
-    language_server-protocol (3.17.0.3)
-    launchy (2.5.2)
-      addressable (~> 2.8)
-    letter_opener (1.9.0)
-      launchy (>= 2.2, < 3)
-    letter_opener_web (2.0.0)
-      actionmailer (>= 5.2)
-      letter_opener (~> 1.7)
-      railties (>= 5.2)
-      rexml
-    listen (3.8.0)
-      rb-fsevent (~> 0.10, >= 0.10.3)
-      rb-inotify (~> 0.9, >= 0.9.10)
-    lograge (0.14.0)
-      actionpack (>= 4)
-      activesupport (>= 4)
-      railties (>= 4)
-      request_store (~> 1.0)
-    logstash-event (1.2.02)
-    loofah (2.22.0)
-      crass (~> 1.0.2)
-      nokogiri (>= 1.12.0)
-    mail (2.8.1)
-      mini_mime (>= 0.1.1)
-      net-imap
-      net-pop
-      net-smtp
-    maintenance_tasks (2.6.0)
-      actionpack (>= 6.0)
-      activejob (>= 6.0)
-      activerecord (>= 6.0)
-      job-iteration (>= 1.3.6)
-      railties (>= 6.0)
-      zeitwerk (>= 2.6.2)
-    marcel (1.0.2)
-    matrix (0.4.2)
-    memory_profiler (1.0.1)
-    method_source (1.0.0)
-    mime-types (3.5.2)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2024.0206)
-    mina (1.2.5)
-      rake
-    mini_magick (4.12.0)
-    mini_mime (1.1.5)
-    mini_portile2 (2.8.5)
-    minitest (5.22.2)
-    msgpack (1.7.2)
-    multi_json (1.15.0)
-    mustermann (3.0.0)
-      ruby2_keywords (~> 0.0.1)
-    net-http (0.4.1)
-      uri
-    net-imap (0.4.10)
-      date
-      net-protocol
-    net-pop (0.1.2)
-      net-protocol
-    net-protocol (0.2.2)
-      timeout
-    net-smtp (0.4.0.1)
-      net-protocol
-    nio4r (2.7.0)
-    nokogiri (1.16.2)
-      mini_portile2 (~> 2.8.2)
-      racc (~> 1.4)
-    openid_connect (2.3.0)
-      activemodel
-      attr_required (>= 1.0.0)
-      email_validator
-      faraday (~> 2.0)
-      faraday-follow_redirects
-      json-jwt (>= 1.16)
-      mail
-      rack-oauth2 (~> 2.2)
-      swd (~> 2.0)
-      tzinfo
-      validate_url
-      webfinger (~> 2.0)
-    orm_adapter (0.5.0)
-    parallel (1.24.0)
-    parsby (1.1.1)
-    parser (3.3.0.5)
-      ast (~> 2.4.1)
-      racc
-    pdf-core (0.9.0)
-    pg (1.5.4)
-    phonelib (0.8.7)
-    prawn (2.4.0)
-      pdf-core (~> 0.9.0)
-      ttfunk (~> 1.7)
-    prawn-rails (1.4.2)
-      actionview (>= 3.1.0)
-      prawn
-      prawn-table
-    prawn-table (0.2.2)
-      prawn (>= 1.3.0, < 3.0.0)
-    premailer (1.22.0)
-      addressable
-      css_parser (>= 1.12.0)
-      htmlentities (>= 4.0.0)
-    premailer-rails (1.12.0)
-      actionmailer (>= 3)
-      net-smtp
-      premailer (~> 1.7, >= 1.7.9)
-    promise.rb (0.7.4)
-    psych (5.1.2)
-      stringio
-    public_suffix (5.0.4)
-    puma (6.4.2)
-      nio4r (~> 2.0)
-    pundit (2.3.1)
-      activesupport (>= 3.0.0)
-    raabro (1.4.0)
-    racc (1.7.3)
-    rack (2.2.8.1)
-    rack-attack (6.7.0)
-      rack (>= 1.0, < 4)
-    rack-mini-profiler (3.3.1)
-      rack (>= 1.2.0)
-    rack-oauth2 (2.2.1)
-      activesupport
-      attr_required
-      faraday (~> 2.0)
-      faraday-follow_redirects
-      json-jwt (>= 1.11.0)
-      rack (>= 2.1.0)
-    rack-protection (3.2.0)
-      base64 (>= 0.1.0)
-      rack (~> 2.2, >= 2.2.4)
-    rack-proxy (0.7.7)
-      rack
-    rack-test (2.1.0)
-      rack (>= 1.3)
-    rack_session_access (0.2.0)
-      builder (>= 2.0.0)
-      rack (>= 1.0.0)
-    rails (7.0.8.1)
-      actioncable (= 7.0.8.1)
-      actionmailbox (= 7.0.8.1)
-      actionmailer (= 7.0.8.1)
-      actionpack (= 7.0.8.1)
-      actiontext (= 7.0.8.1)
-      actionview (= 7.0.8.1)
-      activejob (= 7.0.8.1)
-      activemodel (= 7.0.8.1)
-      activerecord (= 7.0.8.1)
-      activestorage (= 7.0.8.1)
-      activesupport (= 7.0.8.1)
-      bundler (>= 1.15.0)
-      railties (= 7.0.8.1)
-    rails-controller-testing (1.0.5)
-      actionpack (>= 5.0.1.rc1)
-      actionview (>= 5.0.1.rc1)
-      activesupport (>= 5.0.1.rc1)
-    rails-dom-testing (2.2.0)
-      activesupport (>= 5.0.0)
-      minitest
-      nokogiri (>= 1.6)
-    rails-erd (1.7.2)
-      activerecord (>= 4.2)
-      activesupport (>= 4.2)
-      choice (~> 0.2.0)
-      ruby-graphviz (~> 1.2)
-    rails-html-sanitizer (1.6.0)
-      loofah (~> 2.21)
-      nokogiri (~> 1.14)
-    rails-i18n (7.0.8)
-      i18n (>= 0.7, < 2)
-      railties (>= 6.0.0, < 8)
-    railties (7.0.8.1)
-      actionpack (= 7.0.8.1)
-      activesupport (= 7.0.8.1)
-      method_source
-      rake (>= 12.2)
-      thor (~> 1.0)
-      zeitwerk (~> 2.5)
-    rainbow (3.1.1)
-    rake (13.1.0)
-    rake-progressbar (0.0.5)
-    rb-fsevent (0.11.2)
-    rb-inotify (0.10.1)
-      ffi (~> 1.0)
-    rdoc (6.6.2)
-      psych (>= 4.0.0)
-    redcarpet (3.6.0)
-    redis (5.1.0)
-      redis-client (>= 0.17.0)
-    redis-client (0.20.0)
-      connection_pool
-    regexp_parser (2.9.0)
-    reline (0.4.2)
-      io-console (~> 0.5)
-    request_store (1.5.1)
-      rack (>= 1.4)
-    responders (3.1.1)
-      actionpack (>= 5.2)
-      railties (>= 5.2)
-    rexml (3.2.6)
-    rodf (1.2.0)
-      builder (>= 3.0)
-      rubyzip (>= 1.0)
-    rotp (6.3.0)
-    rouge (3.30.0)
-    rqrcode (2.2.0)
-      chunky_png (~> 1.0)
-      rqrcode_core (~> 1.0)
-    rqrcode_core (1.2.0)
-    rspec-core (3.13.0)
-      rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.0)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.0)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.13.0)
-    rspec-rails (6.1.1)
-      actionpack (>= 6.1)
-      activesupport (>= 6.1)
-      railties (>= 6.1)
-      rspec-core (~> 3.12)
-      rspec-expectations (~> 3.12)
-      rspec-mocks (~> 3.12)
-      rspec-support (~> 3.12)
-    rspec-retry (0.6.2)
-      rspec-core (> 3.3)
-    rspec-support (3.13.0)
-    rspec_junit_formatter (0.6.0)
-      rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (1.60.2)
-      json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
-      parallel (~> 1.10)
-      parser (>= 3.3.0.2)
-      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.30.0, < 2.0)
-      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.30.0)
-      parser (>= 3.2.1.0)
-    rubocop-capybara (2.20.0)
-      rubocop (~> 1.41)
-    rubocop-factory_bot (2.25.1)
-      rubocop (~> 1.41)
-    rubocop-performance (1.20.2)
-      rubocop (>= 1.48.1, < 2.0)
-      rubocop-ast (>= 1.30.0, < 2.0)
-    rubocop-rails (2.23.1)
-      activesupport (>= 4.2.0)
-      rack (>= 1.1)
-      rubocop (>= 1.33.0, < 2.0)
-      rubocop-ast (>= 1.30.0, < 2.0)
-    rubocop-rspec (2.26.1)
-      rubocop (~> 1.40)
-      rubocop-capybara (~> 2.17)
-      rubocop-factory_bot (~> 2.22)
-    ruby-graphviz (1.2.5)
-      rexml
-    ruby-progressbar (1.13.0)
-    ruby-vips (2.2.0)
-      ffi (~> 1.12)
-    ruby2_keywords (0.0.5)
-    rubyzip (2.3.2)
-    saml_idp (0.16.0)
-      activesupport (>= 5.2)
-      builder (>= 3.0)
-      nokogiri (>= 1.6.2)
-      rexml
-      xmlenc (>= 0.7.1)
-    sanitize (6.1.0)
-      crass (~> 1.0.2)
-      nokogiri (>= 1.12.0)
-    sass (3.7.4)
-      sass-listen (~> 4.0.0)
-    sass-listen (4.0.0)
-      rb-fsevent (~> 0.9, >= 0.9.4)
-      rb-inotify (~> 0.9, >= 0.9.7)
-    sassc (2.4.0)
-      ffi (~> 1.9)
-    sassc-rails (2.1.2)
-      railties (>= 4.0.0)
-      sassc (>= 2.0)
-      sprockets (> 3.0)
-      sprockets-rails
-      tilt
-    scss_lint (0.60.0)
-      sass (~> 3.5, >= 3.5.5)
-    selectize-rails (0.12.6)
-    selenium-devtools (0.121.0)
-      selenium-webdriver (~> 4.2)
-    selenium-webdriver (4.17.0)
-      base64 (~> 0.2)
-      rexml (~> 3.2, >= 3.2.5)
-      rubyzip (>= 1.2.2, < 3.0)
-      websocket (~> 1.0)
-    sentry-delayed_job (5.16.1)
-      delayed_job (>= 4.0)
-      sentry-ruby (~> 5.16.1)
-    sentry-rails (5.16.1)
-      railties (>= 5.0)
-      sentry-ruby (~> 5.16.1)
-    sentry-ruby (5.16.1)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
-    sentry-sidekiq (5.16.1)
-      sentry-ruby (~> 5.16.1)
-      sidekiq (>= 3.0)
-    shoulda-matchers (6.1.0)
-      activesupport (>= 5.2.0)
-    sib-api-v3-sdk (9.1.0)
-      addressable (~> 2.3, >= 2.3.0)
-      json (~> 2.1, >= 2.1.0)
-      typhoeus (~> 1.0, >= 1.0.1)
-    sidekiq (7.2.1)
-      concurrent-ruby (< 2)
-      connection_pool (>= 2.3.0)
-      rack (>= 2.2.4)
-      redis-client (>= 0.19.0)
-    simple_xlsx_reader (1.0.4)
-      nokogiri
-      rubyzip
-    simpleidn (0.2.1)
-      unf (~> 0.1.4)
-    sinatra (3.2.0)
-      mustermann (~> 3.0)
-      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.2.0)
-      tilt (~> 2.0)
-    skylight (6.0.3)
-      activesupport (>= 5.2.0)
-    smart_properties (1.17.0)
-    spreadsheet_architect (5.0.0)
-      caxlsx (>= 3.3.0, < 4)
-      rodf (>= 1.0.0, < 2)
-    spring (4.1.3)
-    spring-commands-rspec (1.0.4)
-      spring (>= 0.9.1)
-    sprockets (4.2.1)
-      concurrent-ruby (~> 1.0)
-      rack (>= 2.2.4, < 4)
-    sprockets-rails (3.4.2)
-      actionpack (>= 5.2)
-      activesupport (>= 5.2)
-      sprockets (>= 3.0.0)
-    stackprof (0.2.26)
-    stringio (3.1.0)
-    strong_migrations (1.7.0)
-      activerecord (>= 5.2)
-    swd (2.0.3)
-      activesupport (>= 3)
-      attr_required (>= 0.0.5)
-      faraday (~> 2.0)
-      faraday-follow_redirects
-    sysexits (1.2.0)
-    temple (0.8.2)
-    terminal-table (3.0.2)
-      unicode-display_width (>= 1.1.1, < 3)
-    thor (1.3.0)
-    thread_safe (0.3.6)
-    tilt (2.3.0)
-    timecop (0.9.8)
-    timeout (0.4.1)
-    ttfunk (1.7.0)
-    turbo-rails (2.0.2)
-      actionpack (>= 6.0.0)
-      activejob (>= 6.0.0)
-      railties (>= 6.0.0)
-    typhoeus (1.4.1)
-      ethon (>= 0.9.0)
-    tzinfo (2.0.6)
-      concurrent-ruby (~> 1.0)
-    ulid-ruby (1.0.2)
-    unf (0.1.4)
-      unf_ext
-    unf_ext (0.0.9.1)
-    unicode-display_width (2.5.0)
-    uri (0.13.0)
-    validate_url (1.0.15)
-      activemodel (>= 3.0.0)
-      public_suffix
-    vcr (6.2.0)
-    view_component (3.10.0)
-      activesupport (>= 5.2.0, < 8.0)
-      concurrent-ruby (~> 1.0)
-      method_source (~> 1.0)
-    virtus (2.0.0)
-      axiom-types (~> 0.1)
-      coercible (~> 1.0)
-      descendants_tracker (~> 0.0, >= 0.0.3)
-    vite_rails (3.0.17)
-      railties (>= 5.1, < 8)
-      vite_ruby (~> 3.0, >= 3.2.2)
-    vite_ruby (3.5.0)
-      dry-cli (>= 0.7, < 2)
-      rack-proxy (~> 0.6, >= 0.6.1)
-      zeitwerk (~> 2.2)
-    warden (1.2.9)
-      rack (>= 2.0.9)
-    web-console (4.2.1)
-      actionview (>= 6.0.0)
-      activemodel (>= 6.0.0)
-      bindex (>= 0.4.0)
-      railties (>= 6.0.0)
-    webfinger (2.1.3)
-      activesupport
-      faraday (~> 2.0)
-      faraday-follow_redirects
-    webmock (3.20.0)
-      addressable (>= 2.8.0)
-      crack (>= 0.3.2)
-      hashdiff (>= 0.4.0, < 2.0.0)
-    websocket (1.2.10)
-    websocket-driver (0.7.6)
-      websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.5)
-    xmlenc (0.8.0)
-      activemodel (>= 3.0.0)
-      activesupport (>= 3.0.0)
-      nokogiri (>= 1.6.0, < 2.0.0)
-      xmlmapper (>= 0.7.3)
-    xmlmapper (0.8.1)
-      nokogiri (~> 1.11)
-    xpath (3.2.0)
-      nokogiri (~> 1.8)
-    zeitwerk (2.6.13)
-    zip_tricks (5.6.0)
-    zipline (1.5.0)
-      actionpack (>= 6.0, < 8.0)
-      content_disposition (~> 1.0)
-      zip_tricks (>= 4.2.1, < 6.0)
-    zxcvbn-ruby (1.2.0)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  aasm
-  acsv
-  active_model_serializers
-  active_storage_validations
-  activestorage-openstack
-  addressable
-  administrate
-  administrate-field-enum
-  after_party
-  ancestry
-  anchored
-  axe-core-rspec
-  bcrypt
-  benchmark-ips
-  bootsnap (>= 1.4.4)
-  brakeman
-  browser
-  capybara
-  capybara-email
-  capybara-screenshot
-  charlock_holmes
-  chartkick
-  chunky_png
-  clamav-client
-  daemons
-  deep_cloneable
-  delayed_cron_job
-  delayed_job_active_record
-  delayed_job_web
-  devise!
-  devise-i18n
-  devise-two-factor
-  discard
-  dotenv-rails
-  dry-monads
-  factory_bot
-  faraday-jwt
-  flipper
-  flipper-active_record
-  flipper-active_support_cache_store
-  flipper-ui
-  fugit
-  geo_coord
-  geocoder
-  gitlab-sidekiq-fetcher!
-  gon
-  graphql (= 2.0.24)
-  graphql-batch (= 0.5.1)
-  graphql-rails_logger
-  graphql-schema_comparator
-  groupdate
-  haml-lint
-  haml-rails
-  hashie
-  http_accept_language
-  i18n-tasks
-  i18n_data
-  iban-tools
-  image_processing
-  invisible_captcha
-  irb
-  json_schemer
-  jwt
-  kaminari
-  kredis
-  launchy
-  letter_opener_web
-  listen
-  lograge
-  logstash-event
-  maintenance_tasks
-  matrix
-  memory_profiler
-  mina
-  mini_magick
-  net-imap
-  net-pop
-  net-smtp
-  openid_connect
-  parsby
-  pg
-  phonelib
-  prawn-rails
-  premailer-rails
-  puma
-  pundit
-  rack-attack
-  rack-mini-profiler
-  rack_session_access
-  rails (~> 7.0.8)
-  rails-controller-testing
-  rails-erd
-  rails-i18n
-  rake-progressbar
-  redcarpet
-  redis
-  rexml
-  rqrcode
-  rspec-rails
-  rspec-retry
-  rspec_junit_formatter
-  rubocop
-  rubocop-performance
-  rubocop-rails
-  rubocop-rspec
-  saml_idp
-  sassc-rails
-  scss_lint
-  selenium-devtools
-  selenium-webdriver
-  sentry-delayed_job
-  sentry-rails
-  sentry-ruby
-  sentry-sidekiq
-  shoulda-matchers
-  sib-api-v3-sdk
-  sidekiq
-  simple_xlsx_reader
-  skylight
-  spreadsheet_architect
-  spring
-  spring-commands-rspec
-  stackprof
-  strong_migrations
-  timecop
-  turbo-rails
-  typhoeus
-  ulid-ruby
-  vcr
-  view_component
-  vite_rails
-  warden
-  web-console
-  webmock
-  zipline
-  zxcvbn-ruby
-
-BUNDLED WITH
-   2.5.4

machines/compute01/ds-fr/package/update.sh

@@ -1,66 +0,0 @@
-#!/usr/bin/env bash
-
-version=
-gitArgs=
-
-while [ "$#" -gt 0 ]; do
-	i="$1"
-	shift 1
-	case "$i" in
-	--version | -v)
-		version="$1"
-		shift 1
-		;;
-	--git-args)
-		gitArgs="$gitArgs $1"
-		shift 1
-		;;
-	*)
-		echo "$0: unknown option \`$i'"
-		exit 1
-		;;
-	esac
-done
-
-# Create a working environment
-CWD=$(pwd)
-
-TMP=$(mktemp -d)
-cd "$TMP"
-
-# Fetch the latest source or the required version
-gitUrl="https://github.com/demarches-simplifiees/demarches-simplifiees.fr.git"
-
-if [ -n "$version" ]; then
-	git clone --depth 1 --branch $version $gitUrl .
-else
-	git clone --depth 1 $gitUrl .
-
-	version="$(git rev-parse HEAD)"
-fi
-
-# Generate gemset.nix
-nix-shell -p bundix --run "bundix -l" >/dev/null
-
-# Copy the new files
-cp gemset.nix Gemfile Gemfile.lock "$CWD/rubyEnv/"
-
-# Print the new source details
-SRC_HASH=$(nix-shell -p nurl --run "nurl --hash $gitUrl $version")
-
-# Print Yarn deps hash
-hash=$(nix-shell -p prefetch-yarn-deps --run "prefetch-yarn-deps yarn.lock")
-
-DEPS_HASH=$(nix-hash --to-sri --type sha256 "$hash")
-
-cat <<EOF >"$CWD/meta.nix"
-{
-  version = "$version";
-  src-hash = "$SRC_HASH";
-  deps-hash = "$DEPS_HASH";
-}
-EOF
-
-nixfmt "$CWD"
-
-rm -rf "$TMP"

machines/compute01/k-radius/module.nix

@@ -1,196 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-let
-  inherit (lib)
-    mkEnableOption
-    mkIf
-    mkOption
-    types
-    ;
-
-  settingsFormat = pkgs.formats.toml { };
-
-  py-pkgs = import ./packages/python { inherit pkgs; };
-  pykanidm = pkgs.callPackage ./packages/pykanidm.nix { inherit (py-pkgs) pydantic; };
-  rlm_python = pkgs.callPackage ./packages/rlm_python.nix { inherit pykanidm; };
-
-  cfg = config.services.k-radius;
-in
-{
-  options.services.k-radius = {
-    enable = mkEnableOption "a freeradius service linked to kanidm.";
-
-    settings = mkOption { inherit (settingsFormat) type; };
-
-    freeradius = mkOption {
-      type = types.package;
-      default = pkgs.freeradius.overrideAttrs (old: {
-        buildInputs = (old.buildInputs or [ ]) ++ [ (pkgs.python3.withPackages (ps: [ ps.kanidm ])) ];
-      });
-    };
-
-    configDir = mkOption {
-      type = types.path;
-      default = "/var/lib/radius/raddb";
-      description = "The path of the freeradius server configuration directory.";
-    };
-
-    authTokenFile = mkOption {
-      type = types.path;
-      description = "File to the auth token for the service account.";
-    };
-
-    radiusClients = mkOption {
-      type = types.attrsOf (
-        types.submodule {
-          options = {
-            secret = mkOption { type = types.path; };
-            ipaddr = mkOption { type = types.str; };
-          };
-        }
-      );
-      default = { };
-      description = "A mapping of clients and their authentication tokens.";
-    };
-
-    certs = {
-      ca = mkOption {
-        type = types.str;
-        description = "The signing CA of the RADIUS certificate.";
-      };
-      dh = mkOption {
-        type = types.str;
-        description = "The output of `openssl dhparam -in ca.pem -out dh.pem 2048`.";
-      };
-      cert = mkOption {
-        type = types.str;
-        description = "The certificate for the RADIUS server.";
-      };
-      key = mkOption {
-        type = types.str;
-        description = "The signing key for the RADIUS certificate.";
-      };
-    };
-
-    privateKeyPasswordFile = mkOption { type = types.path; };
-  };
-
-  config = mkIf cfg.enable {
-    users = {
-      users.radius = {
-        group = "radius";
-        description = "Radius daemon user";
-        isSystemUser = true;
-      };
-
-      groups.radius = { };
-    };
-
-    services.k-radius.settings = {
-      ca_path = cfg.certs.ca;
-
-      radius_cert_path = cfg.certs.cert;
-      radius_key_path = cfg.certs.key;
-      radius_dh_path = cfg.certs.dh;
-      radius_ca_path = cfg.certs.ca;
-    };
-
-    systemd.services.radius = {
-      description = "FreeRadius server";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-      wants = [ "network.target" ];
-
-      preStart = ''
-        cp -R ${cfg.freeradius}/etc/raddb/* ${cfg.configDir}
-        cp -R ${rlm_python}/etc/raddb/* ${cfg.configDir}
-
-        chmod -R u+w ${cfg.configDir}
-
-        # disable auth via methods kanidm doesn't support
-        rm ${cfg.configDir}/mods-available/sql
-        rm ${cfg.configDir}/mods-enabled/{passwd,totp}
-
-        # enable the python and cache modules
-        ln -nsf ${cfg.configDir}/mods-available/python3 ${cfg.configDir}/mods-enabled/python3
-        ln -nsf ${cfg.configDir}/sites-available/check-eap-tls ${cfg.configDir}/sites-enabled/check-eap-tls
-
-        # write the clients configuration
-        rm ${cfg.configDir}/clients.conf && touch ${cfg.configDir}/clients.conf
-        ${builtins.concatStringsSep "\n" (
-          builtins.attrValues (
-            builtins.mapAttrs (
-              name:
-              { secret, ipaddr }:
-              ''
-                cat <<EOF >> ${cfg.configDir}/clients.conf
-                client ${name} {
-                    ipaddr = ${ipaddr}
-                    secret = $(cat "${secret}")
-                    proto  = *
-                }
-                EOF
-              ''
-            ) cfg.radiusClients
-          )
-        )}
-
-        # Copy the kanidm configuration
-        cat <<EOF > /var/lib/radius/kanidm.toml
-        auth_token = "$(cat "${cfg.authTokenFile}")"
-        EOF
-
-        cat ${settingsFormat.generate "kanidm.toml" cfg.settings} >> /var/lib/radius/kanidm.toml
-        chmod u+w /var/lib/radius/kanidm.toml
-
-        # Copy the certificates to the correct directory
-        rm -rf ${cfg.configDir}/certs && mkdir -p ${cfg.configDir}/certs
-
-        cp ${cfg.certs.ca} ${cfg.configDir}/certs/ca.pem
-
-        ${pkgs.openssl}/bin/openssl rehash ${cfg.configDir}/certs
-
-        cp ${cfg.certs.dh} ${cfg.configDir}/certs/dh.pem
-
-        cat ${cfg.certs.cert} ${cfg.certs.key} > ${cfg.configDir}/certs/server.pem
-
-        # Write the password of the private_key in the eap module
-        sed -i ${cfg.configDir}/mods-available/eap \
-          -e "s/whatever/$(cat "${cfg.privateKeyPasswordFile}")/"
-
-        # Check the configuration
-        # ${pkgs.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout
-      '';
-
-      path = [
-        pkgs.openssl
-        pkgs.gnused
-      ];
-
-      serviceConfig = {
-        ExecStart = "${cfg.freeradius}/bin/radiusd -X -f -d ${cfg.configDir} -l stdout";
-        ExecReload = [
-          "${cfg.freeradius}/bin/radiusd -C -d ${cfg.configDir} -l stdout"
-          "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
-        ];
-        User = "radius";
-        Group = "radius";
-        DynamicUser = true;
-        Restart = "on-failure";
-        RestartSec = 2;
-        LogsDirectory = "radius";
-        StateDirectory = "radius";
-        RuntimeDirectory = "radius";
-        Environment = [
-          "KANIDM_RLM_CONFIG=/var/lib/radius/kanidm.toml"
-          "PYTHONPATH=${rlm_python.pythonPath}"
-        ];
-      };
-    };
-  };
-}

machines/compute01/k-radius/packages/pykanidm.nix

@@ -1,52 +0,0 @@
-{
-  lib,
-  fetchFromGitHub,
-  python3,
-  pydantic,
-}:
-
-let
-  pname = "kanidm";
-  version = "0.0.3";
-in
-python3.pkgs.buildPythonPackage {
-  inherit pname version;
-  format = "pyproject";
-
-  disabled = python3.pythonOlder "3.8";
-
-  src =
-    (fetchFromGitHub {
-      owner = pname;
-      repo = pname;
-      # Latest 1.1.0-rc.15 tip
-      rev = "a5ca8018e3a636dbb0a79b3fd869db059d92979d";
-      hash = "sha256-PFGoeGn7a/lVR6rOmOKA3ydAoo3/+9RlkwBAKS22Psg=";
-    })
-    + "/pykanidm";
-
-  nativeBuildInputs = with python3.pkgs; [ poetry-core ];
-
-  propagatedBuildInputs = with python3.pkgs; [
-    aiohttp
-    pydantic
-    toml
-    (authlib.overridePythonAttrs (_: {
-      doCheck = false;
-    }))
-  ];
-
-  doCheck = false;
-
-  pythonImportsCheck = [ "kanidm" ];
-
-  meta = with lib; {
-    description = "Kanidm client library";
-    homepage = "https://github.com/kanidm/kanidm/tree/master/pykanidm";
-    license = licenses.mpl20;
-    maintainers = with maintainers; [
-      arianvp
-      hexa
-    ];
-  };
-}

machines/compute01/k-radius/packages/python/01-remove-benchmark-flags.patch

@@ -1,18 +0,0 @@
-diff --git a/pyproject.toml b/pyproject.toml
-index 1602e32..507048d 100644
---- a/pyproject.toml
-+++ b/pyproject.toml
-@@ -72,13 +72,6 @@ filterwarnings = [
- ]
- timeout = 30
- xfail_strict = true
--# min, max, mean, stddev, median, iqr, outliers, ops, rounds, iterations
--addopts = [
--    '--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations',
--    '--benchmark-group-by', 'group',
--    '--benchmark-warmup', 'on',
--    '--benchmark-disable',  # this is enable by `make benchmark` when you actually want to run benchmarks
--]
- 
- [tool.coverage.run]
- source = ['pydantic_core']

machines/compute01/k-radius/packages/python/default.nix

@@ -1,20 +0,0 @@
-{ pkgs }:
-
-let
-  inherit (pkgs) lib;
-
-  callPackage = lib.callPackageWith (pkgs // pkgs.python3.pkgs // self);
-
-  self = builtins.listToAttrs (
-    builtins.map
-      (name: {
-        inherit name;
-        value = callPackage (./. + "/${name}.nix") { };
-      })
-      [
-        "pydantic"
-        "pydantic-core"
-      ]
-  );
-in
-self

machines/compute01/k-radius/packages/python/pydantic-core.nix

@@ -1,84 +0,0 @@
-{
-  stdenv,
-  lib,
-  buildPythonPackage,
-  fetchFromGitHub,
-  cargo,
-  rustPlatform,
-  rustc,
-  libiconv,
-  typing-extensions,
-  pytestCheckHook,
-  hypothesis,
-  pytest-timeout,
-  pytest-mock,
-  dirty-equals,
-}:
-
-let
-  pydantic-core = buildPythonPackage rec {
-    pname = "pydantic-core";
-    version = "2.14.5";
-    format = "pyproject";
-
-    src = fetchFromGitHub {
-      owner = "pydantic";
-      repo = "pydantic-core";
-      rev = "refs/tags/v${version}";
-      hash = "sha256-UguZpA3KEutOgIavjx8Ie//0qJq+4FTZNQTwb/ZIgb8=";
-    };
-
-    patches = [ ./01-remove-benchmark-flags.patch ];
-
-    cargoDeps = rustPlatform.fetchCargoTarball {
-      inherit src;
-      name = "${pname}-${version}";
-      hash = "sha256-mMgw922QjHmk0yimXfolLNiYZntTsGydQywe7PTNnwc=";
-    };
-
-    nativeBuildInputs = [
-      cargo
-      rustPlatform.cargoSetupHook
-      rustPlatform.maturinBuildHook
-      rustc
-      typing-extensions
-    ];
-
-    buildInputs = lib.optionals stdenv.isDarwin [ libiconv ];
-
-    propagatedBuildInputs = [ typing-extensions ];
-
-    pythonImportsCheck = [ "pydantic_core" ];
-
-    # escape infinite recursion with pydantic via dirty-equals
-    doCheck = false;
-    passthru.tests.pytest = pydantic-core.overrideAttrs { doCheck = true; };
-
-    nativeCheckInputs = [
-      pytestCheckHook
-      hypothesis
-      pytest-timeout
-      dirty-equals
-      pytest-mock
-    ];
-
-    disabledTests = [
-      # RecursionError: maximum recursion depth exceeded while calling a Python object
-      "test_recursive"
-    ];
-
-    disabledTestPaths = [
-      # no point in benchmarking in nixpkgs build farm
-      "tests/benchmarks"
-    ];
-
-    meta = with lib; {
-      changelog = "https://github.com/pydantic/pydantic-core/releases/tag/v${version}";
-      description = "Core validation logic for pydantic written in rust";
-      homepage = "https://github.com/pydantic/pydantic-core";
-      license = licenses.mit;
-      maintainers = with maintainers; [ blaggacao ];
-    };
-  };
-in
-pydantic-core

machines/compute01/k-radius/packages/python/pydantic.nix

@@ -1,92 +0,0 @@
-{
-  lib,
-  buildPythonPackage,
-  fetchFromGitHub,
-  pythonOlder,
-
-  # build-system
-  hatchling,
-  hatch-fancy-pypi-readme,
-
-  # native dependencies
-  libxcrypt,
-
-  # dependencies
-  annotated-types,
-  pydantic-core,
-  typing-extensions,
-
-  # tests
-  cloudpickle,
-  email-validator,
-  dirty-equals,
-  faker,
-  pytestCheckHook,
-  pytest-mock,
-}:
-
-buildPythonPackage rec {
-  pname = "pydantic";
-  version = "2.5.2";
-  pyproject = true;
-
-  disabled = pythonOlder "3.7";
-
-  src = fetchFromGitHub {
-    owner = "pydantic";
-    repo = "pydantic";
-    rev = "refs/tags/v${version}";
-    hash = "sha256-D0gYcyrKVVDhBgV9sCVTkGq/kFmIoT9l0i5bRM1qxzM=";
-  };
-
-  buildInputs = lib.optionals (pythonOlder "3.9") [ libxcrypt ];
-
-  nativeBuildInputs = [
-    hatch-fancy-pypi-readme
-    hatchling
-  ];
-
-  propagatedBuildInputs = [
-    annotated-types
-    pydantic-core
-    typing-extensions
-  ];
-
-  passthru.optional-dependencies = {
-    email = [ email-validator ];
-  };
-
-  nativeCheckInputs = [
-    cloudpickle
-    dirty-equals
-    faker
-    pytest-mock
-    pytestCheckHook
-  ] ++ lib.flatten (lib.attrValues passthru.optional-dependencies);
-
-  preCheck = ''
-    export HOME=$(mktemp -d)
-    substituteInPlace pyproject.toml \
-      --replace "'--benchmark-columns', 'min,mean,stddev,outliers,rounds,iterations'," "" \
-      --replace "'--benchmark-group-by', 'group'," "" \
-      --replace "'--benchmark-warmup', 'on'," "" \
-      --replace "'--benchmark-disable'," ""
-  '';
-
-  disabledTestPaths = [
-    "tests/benchmarks"
-
-    # avoid cyclic dependency
-    "tests/test_docs.py"
-  ];
-
-  pythonImportsCheck = [ "pydantic" ];
-
-  meta = with lib; {
-    description = "Data validation and settings management using Python type hinting";
-    homepage = "https://github.com/pydantic/pydantic";
-    changelog = "https://github.com/pydantic/pydantic/blob/v${version}/HISTORY.md";
-    license = licenses.mit;
-    maintainers = with maintainers; [ wd15 ];
-  };
-}

machines/compute01/k-radius/packages/rlm_python.nix

@@ -1,45 +0,0 @@
-{
-  stdenv,
-  fetchFromGitHub,
-  python3,
-  pykanidm,
-}:
-
-let
-  pythonPath = with python3.pkgs; makePythonPath [ pykanidm ];
-in
-stdenv.mkDerivation rec {
-  pname = "rlm_python";
-  version = "1.1.0-rc.15";
-
-  src = fetchFromGitHub {
-    owner = "kanidm";
-    repo = "kanidm";
-    rev = "v${version}";
-    hash = "sha256-0y8juXS61Z9zxOdsWAQ6lJurP+n855Nela6egYRecok=";
-  };
-
-  patches = [ ./python_path.patch ];
-
-  postPatch = ''
-    substituteInPlace rlm_python/mods-available/python3 \
-      --replace "@kanidm_python@" "${pythonPath}"
-  '';
-
-  installPhase = ''
-    mkdir -p $out/etc/raddb/
-    cp -R rlm_python/{mods-available,sites-available} $out/etc/raddb/
-  '';
-
-  phases = [
-    "unpackPhase"
-    "patchPhase"
-    "installPhase"
-  ];
-
-  passthru = {
-    inherit pythonPath;
-  };
-
-  preferLocalBuild = true;
-}

machines/compute01/kanidm/default.nix

@@ -1,89 +0,0 @@
-{ config, sources, ... }:
-
-let
-  domain = "sso.dgnum.eu";
-
-  cert = config.security.acme.certs.${domain};
-
-  allowedSubDomains = [
-    "cloud"
-    "git"
-    "videos"
-    "social"
-    "demarches"
-    "netbird"
-  ];
-in
-{
-  services.kanidm = {
-    enableServer = true;
-
-    package = (import sources.nixos-unstable { }).kanidm;
-
-    serverSettings = {
-      inherit domain;
-
-      origin = "https://${domain}";
-
-      bindaddress = "127.0.0.1:8443";
-      ldapbindaddress = "0.0.0.0:636";
-
-      trust_x_forward_for = true;
-
-      tls_chain = "${cert.directory}/fullchain.pem";
-      tls_key = "${cert.directory}/key.pem";
-    };
-  };
-
-  users.users.kanidm.extraGroups = [ cert.group ];
-
-  services.nginx = {
-    enable = true;
-
-    virtualHosts.${domain} = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "https://127.0.0.1:8443";
-
-        extraConfig = ''
-          if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
-              return 444;
-          }
-
-          set $origin $http_origin;
-
-          if ($origin !~ '^https?://(${builtins.concatStringsSep "|" allowedSubDomains})\.dgnum\.eu$') {
-              set $origin 'https://${domain}';
-          }
-
-          proxy_hide_header Access-Control-Allow-Origin;
-
-          if ($request_method = 'OPTIONS') {
-              add_header 'Access-Control-Allow-Origin' "$origin" always;
-              add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
-              add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
-              add_header 'Access-Control-Allow-Credentials' 'true' always;
-
-              add_header Access-Control-Max-Age 1728000;
-              add_header Content-Type 'text/plain charset=UTF-8';
-              add_header Content-Length 0;
-              return 204;
-          }
-
-          if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
-              add_header Access-Control-Allow-Origin "$origin" always;
-              add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
-              add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
-              add_header Access-Control-Allow-Credentials true always;
-          }
-        '';
-      };
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 636 ];
-  networking.firewall.allowedUDPPorts = [ 636 ];
-
-  dgn-backups.jobs.kanidm.settings.paths = [ "/var/lib/kanidm" ];
-}

machines/compute01/kanidm/secrets/secrets.nix

@@ -1,9 +0,0 @@
-let
-  lib = import ../../../../lib { };
-  publicKeys = lib.getNodeKeys "compute01";
-in
-
-lib.setDefault { inherit publicKeys; } [
-  "kanidm-password_admin"
-  "kanidm-password_idm_admin"
-]

machines/compute01/nextcloud.nix

@@ -1,215 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  host = "cloud.dgnum.eu";
-  nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
-in
-{
-  services.nextcloud = {
-    enable = true;
-    hostName = host;
-
-    package = pkgs.nextcloud28;
-
-    https = true;
-
-    config = {
-      overwriteProtocol = "https";
-
-      dbtype = "pgsql";
-
-      adminpassFile = config.age.secrets."nextcloud-adminpass_file".path;
-      adminuser = "thubrecht";
-
-      defaultPhoneRegion = "FR";
-
-      trustedProxies = [ "::1" ];
-
-      objectstore.s3 = {
-        enable = true;
-
-        hostname = "s3.dgnum.eu";
-        region = "garage";
-        usePathStyle = true;
-        port = 443;
-
-        bucket = "nextcloud-dgnum";
-        key = "GKda5367c73ca607c349d83c35";
-        verify_bucket_exists = false;
-        secretFile = config.age.secrets."nextcloud-s3_secret_file".path;
-      };
-    };
-
-    maxUploadSize = "4G";
-
-    poolSettings = {
-      pm = "dynamic";
-      "pm.max_children" = 64;
-      "pm.max_requests" = "500";
-      "pm.max_spare_servers" = "8";
-      "pm.min_spare_servers" = "4";
-      "pm.start_servers" = "6";
-    };
-
-    phpOptions = {
-      short_open_tag = "Off";
-      expose_php = "Off";
-      error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
-      display_errors = "stderr";
-      "opcache.enable_cli" = "1";
-      "opcache.interned_strings_buffer" = "32";
-      "opcache.max_accelerated_files" = "10000";
-      "opcache.memory_consumption" = "128";
-      "opcache.revalidate_freq" = "1";
-      "opcache.fast_shutdown" = "1";
-      "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
-      catch_workers_output = "yes";
-    };
-
-    database.createLocally = true;
-    configureRedis = true;
-
-    autoUpdateApps.enable = true;
-
-    extraOptions = {
-      overwritehost = host;
-      "overwrite.cli.url" = "https://${host}";
-      updatechecker = false;
-
-      allow_local_remote_servers = true;
-      maintenance_window_start = 1;
-
-      "memories.exiftool" = "${pkgs.lib.getExe pkgs.exiftool}";
-      "memories.vod.ffmpeg" = "${pkgs.lib.getExe pkgs.ffmpeg-headless}";
-      "memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
-    };
-  };
-
-  virtualisation = {
-    podman = {
-      enable = true;
-
-      defaultNetwork.settings = {
-        dns_enable = true;
-        ipv6_enabled = true;
-      };
-    };
-  };
-
-  virtualisation.oci-containers = {
-    # # Since 22.05, the default driver is podman but it doesn't work
-    # # with podman. It would however be nice to switch to podman.
-    # backend = "docker";
-    containers.collabora = {
-      image = "collabora/code";
-      imageFile = pkgs.dockerTools.pullImage {
-        imageName = "collabora/code";
-        imageDigest = "sha256:a8cce07c949aa59cea0a7f1f220266a1a6d886c717c3b5005782baf6f384d645";
-        sha256 = "sha256-lN6skv62x+x7G7SNOUyZ8W6S/uScrkqE1nbBwwSEWXQ=";
-      };
-      ports = [ "9980:9980" ];
-      environment = {
-        domain = "cloud.dgnum.eu";
-        extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
-      };
-      extraOptions = [
-        "--cap-add"
-        "MKNOD"
-        "--cap-add"
-        "SYS_ADMIN"
-      ];
-    };
-  };
-
-  services.nginx.virtualHosts = {
-    ${host} = {
-      enableACME = true;
-      forceSSL = true;
-
-      extraConfig = ''
-        proxy_max_temp_file_size 4096m;
-      '';
-    };
-
-    "code.dgnum.eu" = {
-      forceSSL = true;
-      enableACME = true;
-
-      extraConfig = ''
-        # static files
-        location ^~ /browser {
-          proxy_pass http://127.0.0.1:9980;
-          proxy_set_header Host $host;
-        }
-
-        # WOPI discovery URL
-        location ^~ /hosting/discovery {
-          proxy_pass http://127.0.0.1:9980;
-          proxy_set_header Host $host;
-        }
-
-        # Capabilities
-        location ^~ /hosting/capabilities {
-          proxy_pass http://127.0.0.1:9980;
-          proxy_set_header Host $host;
-        }
-
-        # main websocket
-        location ~ ^/cool/(.*)/ws$ {
-          proxy_pass http://127.0.0.1:9980;
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection "Upgrade";
-          proxy_set_header Host $host;
-          proxy_read_timeout 36000s;
-        }
-
-        # download, presentation and image upload
-        location ~ ^/(c|l)ool {
-          proxy_pass http://127.0.0.1:9980;
-          proxy_set_header Host $host;
-        }
-
-        # Admin Console websocket
-        location ^~ /cool/adminws {
-          proxy_pass http://127.0.0.1:9980;
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection "Upgrade";
-          proxy_set_header Host $host;
-          proxy_read_timeout 36000s;
-        }
-      '';
-    };
-  };
-
-  systemd.services = {
-    nextcloud-preview = {
-      description = "Generate preview for nextcloud media.";
-      script = "${nextcloud-occ} preview:pre-generate -vvv";
-      startAt = "*-*-* 01:00:00 UTC";
-      serviceConfig = {
-        Restart = "on-failure";
-      };
-    };
-
-    nextcloud-cron.path = [ pkgs.perl ];
-  };
-
-  environment.systemPackages = [ pkgs.ffmpeg_6-headless ];
-
-  networking.hosts = {
-    "129.199.146.148" = [ "s3.dgnum.eu" ];
-  };
-
-  age-secrets.autoMatch = [ "nextcloud" ];
-
-  system.activationScripts = {
-    restart-nextcloud.text = ''
-      if [ "$(${pkgs.systemd}/bin/systemctl is-active phpfpm-nextcloud)" == "active" ]; then
-        ${pkgs.systemd}/bin/systemctl restart phpfpm-nextcloud
-      fi
-    '';
-  };
-
-  dgn-backups.jobs.nextcloud.settings.paths = [ "/var/lib/nextcloud" ];
-  dgn-backups.postgresDatabases = [ "nextcloud" ];
-}

machines/compute01/secrets/grafana-oauth_client_secret_file

@@ -1,24 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 tDqJRg ukyCbDqq1/18sjxWxyCCwYgYDavNcRq5cBvpZoqSKVQ
-2lmz4ONDnXiW0+FqLwi4OVOClm96YU6NUMxeLcwyqhI
--> ssh-ed25519 jIXfPA MNspuPXKkP/fUp3qoPDmew+htam1l8JczSCCZFil6zE
-1ugIhchyaumzv/izKFq1dCer6QPfLt6Fv2rIiU6rzGs
--> ssh-ed25519 QlRB9Q teomppq6nVFhnQFELI/sQNCRuMGNs2Tu6AY/PMWAzzI
-LDLn1CsC9xqBBszdp4TZV/uCaYHBb65HS5eoG2+vfzU
--> ssh-ed25519 r+nK/Q GK/IVVvWVNjq1Fa8DKvljC1pD4OUz3MsM+VjROVYfSA
-jJ2vK3HFkOGzrxvQJg6PayrEhOPVyvAZS29IEfKRbhs
--> ssh-rsa krWCLQ
-XywRp0R34ulA6AhRloj+OonbP3ZmvWvnxko+KSBNZHUEO3P84N/UTSJLhTJrJHps
-uYWhOO1VXMdOmu8+s2ymvsFFHZlQ1Ngr28/8Cb4InYbOcjc1jGsA/laSFelGG/qZ
-CxoSw59oga+wssAf7NRVDY0GLtZIhdACnlfCodBnwGgr7MrO/jtv6wUcNtTQwqyg
-k6JvmeXVO54sAbcICfDNHiWLejOA9B1tQ4biAtNZrw2BRh1siXVcjtrlkjdfqsc4
-4R/EDAYLHIMBnG/6Qpp5H3vPEEdwtaU2Tcd5RZHxWR+8ZjFFhLsZaGQZ5GxzlVOW
-qd63AwlEvNGOSIMXBqc+tQ
--> ssh-ed25519 /vwQcQ Qm4OViiUxA0eIAiP+tPi+q9Uw+dluFKGi4J35q6dr3A
-Byx5ohtc05YfpZhcZew6P7g90KEMammQ0KgvtRGAhBk
--> ssh-ed25519 0R97PA YKE87fWy7Gix4dk+YOqTkMMFyG1mTVjroO/I6rHtLXQ
-o9O664qMLUIEwxti17O4VByFCMmOZ4vTtPH5qNscGnU
--> ssh-ed25519 JGx7Ng NfuL52cirg0LkXcoF3a0GYJx82Bt50YS9cpEnDH27T8
-OdqOs4ViSnW1fWZ5GLro4Z5afqmnGya6TsoKr3aZs0w
---- oqm2jb9ZHSHAhbxUYWDxQW/FaPwiq3iFr6RIX1nHCYo
-ì©šÎj½ó˪f¾©Fyz#ö뤄å…ùÕâ	íz‰z¥}´ýÂø9(!SÂöÛ<C3B6>$³
¸ûz2kªÈCæ<43>¦J¬T…Ÿ”þG<C3BE>‚€³“Z_àÑ

machines/compute01/secrets/outline-oidc_client_secret_file

@@ -1,27 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 tDqJRg X/tRIl6TzF09a1Tvr8vP3SocmlfwKg307he8LP3Q5mo
-hWjX3AUbREbQR+uCiW8Nsj5nCwYQYy1KV/41sbxBFo4
--> ssh-ed25519 jIXfPA 6EOXJfa+aY4JjOb0SO2k+s6xnNjtm/o8au6lbN1UfxA
-dVsgH99btiE+pl7Q4uiOcYDTwtv6X0jgjYXoFFd+tPs
--> ssh-ed25519 QlRB9Q 4Hje1HQL+Zjm9+BGDQvb83KaizOjfKTwjiq1SJlXvA0
-w2rMGVcZcS2aLNYxHZIJZF/j50CQm8UCmq89W9K7Q14
--> ssh-ed25519 r+nK/Q aPQh4X7xZnTbrkxIaAwUbaS7NnbHMY+Q31E0x7AvwSo
-rnMus4wPVugzscVNPO33rNgboN7I42tdz4dikVOvWIw
--> ssh-rsa krWCLQ
-Xe2Vv3tCZy19QQt26q6T3mJkZyltU7OVOrruwxWr8hlaKgOfR/pMa7nbR+eWm6jS
-++39H+E6gssE/534ld5qz2J3oPV5E6+p4wok/Owy7zE6aWrALP1Mp296lumRjjGN
-6aYhmf4fbpvOWDMNujExWURggswbUplk0f7l5UYjNpcSnM9Iq6s9fTAUVTMAlvoL
-cmVvPTll6QlhhM7tkJL1fo+1nEimfmwDaOhE2lAKKJUD7DTqcBGsukpysOhcmCyr
-Xtx38kcuF5eaDzjT9gXgi4QtCrxf31Lfjju44HSqJFB1LqO2Vzd9rASurD2LN7/1
-uj8F5y+dmf6IqIM/kYXqPg
--> ssh-ed25519 /vwQcQ Byl5reTJslEFsIdUWp+rg5sZxG1jEHVduBE/grTD/Vc
-SEzFbpWUZrVitO1Swfs3/pzfaZ6Zd4Roi8anJRHO7/o
--> ssh-ed25519 0R97PA CLDuGuFPHf0rgUoCUY2C1jtXAeBEqKiqaeiH4ZcRFk8
-rBYZfmS7BSKDIJMVpWTGy5wRhhoi9xR1GchVsUn7Psw
--> ssh-ed25519 JGx7Ng xqTydh3Bt5bL/7R6ZnVtqhfSW2V3g1g2UWPcePt8TCU
-lPQeGP4VQGU4xeGqVcIRnWZjeDp2Q4lH2CLg+C/weyM
--> .-grease
-l4qPzZnL/yerx8Y3VUmUoO2GgK7OUAjbhfYsHPhDFSo+ZPgvYo7qpJBEsPQqrPA3
-FF2/R9IFD+jFranJsg
---- ynZs900dI1cp+HWu6HdnUGKaJw/Wa1Y26eQSeO3fvH8
-|Nös.­æ·»×KC²éi#<11>XôfÓé‚öÃÎq[í¶t{ŸôEkœÇ±­<A–ÿñYd'çÉ…²3ȆbMæÝ;0f”V[œ
¥<ûàX;E‘

machines/compute01/secrets/radius-dh_pem_file

@@ -1,31 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 tDqJRg R3h8Ph1ooMaR/bmz09yRzVRq1mR3L7o87wMhsysC5kU
-Go50Us/u8CgZS7Up20RH8NlRS0+ESBw30wa8SZ5dqoo
--> ssh-ed25519 jIXfPA gMaMIQvUIu5bK5mRWP6SSZQArMzhg4bDZDcjwx9dyDY
-Vv8H7oTBvogaoW4dhdm81TOe995CSGeBxB8LtFgJqwc
--> ssh-ed25519 QlRB9Q 1CxZ2F8EMykWDzrAzN6NSPtjLmMJ99zf8UWLyV3e+Ag
-ak7M8/mCeQOMKFPllTsA79glffS/vu51vHIRT3F8qLE
--> ssh-ed25519 r+nK/Q qcuIACZn+1ofDpWW1IBmY0IIj4WZNQhxtUJlHgh11ws
-OJhEfDQHkg3s5CCBcVfba9S4OG4hBjJIYkCoLAIFwOI
--> ssh-rsa krWCLQ
-1XseIDq7c94X7Dpp1sC3oBLhZSd4w7UJ7QI03SGmqVTd3VVwP5IV430vrSIFETMI
-LopkMvCtF1XpIJQ+nHoxsukG/0kefh5Iodmd6anQNp0iVU/tWkQzWbkHlVlkxJ2M
-o3fMRAaVyH5GvQkIT5ndWma34vqwydAinM2mchi0hy0ibP5lkk8K7OtafNP4eYNh
-m7necRRI8yCuE1wBRy8sBpo5mEqGj1uINxXiF6yUI05pCBXHG1qDiFkDHfw8va9k
-Qitfwv2Clkk/hQG6aEYuruoXwq4SZxSCswMpP5Nz70I+e5YkZw8G50ICaVBXxuAP
-ABByGBZ/QKLw66NpE7rbSA
--> ssh-ed25519 /vwQcQ 1P92WFx8+9DaL2dPwmX+Bva+h7Hy9qXszDTyPvd81kc
-gLVhBlE4lAMcod32/Y8xzypVCDu4vRca3aem3OHiocU
--> ssh-ed25519 0R97PA rZblJRi2bYJig4HyzOXdtpUEEkGDlHS456aKlqxwGX4
-qjIkEyHjDxzmf34bS7qWJ9lexMXu2QMmcD9RP4MpkYQ
--> ssh-ed25519 JGx7Ng IbCSvxAUY1gDTny5KurzONVaQwX/VgvNs1hAQ9iUQRE
-5ivoGkzEHAyTl3gUE+9nVYclF8/aqnyOF3a81fZfbW0
--> t|-grease (u /1\q}65 ]@
-Dd2SJgnQFUSDlS4eSkKUaGwve8Rsv/4MNEwGRJftdtTvxv80bRuNBEFe+ah4YhiV
-LA3n6c+Te9Q
---- wWhpJpx4IHeC1Qo4nH6iuEB3e9l5b8U5xOnsX8BoBgQ
-5¥t·Œ °ÒxÚ@<1E>`zÈÔgC’à	Ѭ:4Œó¾&‡Spi8ñŸuæ"lÕ‚×)<29>:ìaŒÁÄ,4ÃsÌ*uÿ€ƒ±v#ÿ*ÎàÜÊ^ݶ‚Ø«%´Ñº98¾,yB‚Ù
-"¶%Ç㤄†NÎÓ· íò¬}	[Ñ¿Ó(äØ{<11>ý0ô—f²<66>„|Šà-—&qF	kÖ¶¹µùÔÎLì,¹À„žD™áΩ­QÍ—½è<C2BD>4N}<7D>ÙÐJ´·‹ÇÓˆpç€]dUÏø¿<C3B8>I—:ÌôÑÉ
öì’°¦£‘sý¨õB#}¹
-ÞÃXzð‰N4·>ñ5iSan`‰¹.‚õÃPcHØÉAéßÈÿµH=¥ËæÂ~ö(Pçô±Š$ ,¡ã‹ù¯ZЬÆwçÚ	/×
-Á–+rC$†ýê&ØJñ ; ÉvÞjæ‰ÎY¹,š*`ºGå=ã¯M¼ƒƒeäAQö<51>\D˜ÿ@¥j¾$gö{Q´lhIoÊÏ‚IM)};@ìNü½b‰<62>k5Dgüoþ'ItW(Ïk
-ê6)ËŒä0£<30>tM¶É
Ó(Ûê¡<C3AA>n²k®Zu%m<17>¡bzÚõ–Š¿ÁìÍÿ

machines/compute01/secrets/radius-private_key_password_file

@@ -1,26 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 tDqJRg sTm4u+QVtvUqNgMJhufIljdH63oCmvfbRz6NRa2ZbwI
-ZYjAINMp/ds7g+7Wjg26YRpRV+nznQPB1r7NzAHGfW0
--> ssh-ed25519 jIXfPA z4LS/Igwab0moIzxG9b06T5rZiODkdJyjaFepJVcxQ8
-qNkDc+prvr1bNTSWJyygJj7yb8MOz2nR+Z8EMHUVVOs
--> ssh-ed25519 QlRB9Q 6TQ0Vp3KB5yDIEt029hIB3aCnDjTDP0JG6LN2J9gtjU
-fZXeSxb7GJOJYvCr2nVf6BKf8QjaqOOuoi0I/xXV1qc
--> ssh-ed25519 r+nK/Q eW4wTH9PNd0mzVFsxwS4mEEn5gVUCpYA/g+ifeUB+00
-kqED+vZVHn0SXTpgbaiMseI6vPCyTt5Gfu4pHxPvKp0
--> ssh-rsa krWCLQ
-axyFJ/zhMoZ1mJLzWAbXbHjlAlLj7HraHyY6ddZBVibgRSEufdXsa8ABmdR6+EuM
-ty37+/TZOBv11ew/D1C7vQ7B/1JXgej2TAAmYt4vN3lVZdgJI+tQGiOf1nsqfI64
-p4ZbMi9G0wlzb+Z7Z5SLKo6HwharYI+vDEgh3Ua9Q+6bpZeXxxJHmkACikAI4xJV
-3lLo1iTeyJy/9u/WoHmEOuqJLeZdhmPZBozxTdDTWz9wMHy+NotfXFaIFTyUpocu
-OU19N95fyVyTRwmrGFcWs34O631Ejpo3oVLDvjXrFtV4HISSweB/YbU84EveFbz5
-28gTWKdeOQcHJfmaeJV/Rg
--> ssh-ed25519 /vwQcQ cXNRE5eLKNh4lL7S7cMDfp79+TQyiJK3gTzYCuHeRHo
-4bz0al2kf/S6VEhObpLxy8tvB1t/tBVdB1Gi/7XinD4
--> ssh-ed25519 0R97PA iGdUtE7KDRBNSXv1w0dJNPQWxAeDpIAePUU8t0qURV8
-OUoeLNWl0rLt6+FNf5plNmQIgrULwIgEL/W4HFTYeB8
--> ssh-ed25519 JGx7Ng tPkAPvVDZOcP06+mrD5uK03dUJi4aMAvkoz21y9L6Ak
-tcUItLMra+EIYH6MA1ULMpr8bkUql448jnurev8N5wk
--> \<?_-grease (+d_8zF H
-
---- /CiW5jTjVkXDOdwmb4P80FswPEpgTt2GZnqT7KlOvC0
-›=þ%©»gæÆQ³-¼ffÄUC.qÅ͘·H<C2B7>µ—ìäÙ=Vý£žØú<C398>ŽRåN

machines/compute01/secrets/secrets.nix

@@ -1,31 +0,0 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "compute01";
-in
-
-lib.setDefault { inherit publicKeys; } [
-  "arkheon-env_file"
-  "bupstash-put_key"
-  "ds-fr-secret_file"
-  "grafana-smtp_password_file"
-  "grafana-oauth_client_secret_file"
-  "hedgedoc-environment_file"
-  "librenms-database_password_file"
-  "librenms-environment_file"
-  "mastodon-extra_env_file"
-  "nextcloud-adminpass_file"
-  "nextcloud-s3_secret_file"
-  "outline-oidc_client_secret_file"
-  "outline-smtp_password_file"
-  "outline-storage_secret_key_file"
-  "radius-auth_token_file"
-  "radius-ca_pem_file"
-  "radius-cert_pem_file"
-  "radius-dh_pem_file"
-  "radius-key_pem_file"
-  "radius-private_key_password_file"
-  "satosa-env_file"
-  "telegraf-environment_file"
-  "vaultwarden-environment_file"
-  "zammad-secret_key_base_file"
-]

machines/geo01/secrets/secrets.nix

@@ -1,5 +0,0 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "geo01";
-in
-lib.setDefault { inherit publicKeys; } [ ]

machines/geo02/secrets/secrets.nix

@@ -1,5 +0,0 @@
-let
-  lib = import ../../../lib { };
-  publicKeys = lib.getNodeKeys "geo02";
-in
-lib.setDefault { inherit publicKeys; } [ ]

machines/liminix/ap01/_configuration.nix

@@ -0,0 +1,44 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  modulesPath,
+  sourcePkgs,
+  ...
+}:
+{
+  imports = [
+    "${modulesPath}/wlan.nix"
+    "${modulesPath}/network"
+    "${modulesPath}/hostapd"
+    "${modulesPath}/ssh"
+    "${modulesPath}/ntp"
+    "${modulesPath}/vlan"
+    "${modulesPath}/bridge"
+    "${modulesPath}/jitter-rng"
+    "${modulesPath}/pki"
+    "${modulesPath}/ubus"
+    # System-level configuration
+    ./system.nix
+    # Configures our own WLAN.
+    ./wlan.nix
+    # Configures our LAN interfaces, e.g. bridge + VLANs.
+    ./lan.nix
+    # Configures our IPv4/IPv6 addresses, e.g. DHCPv4 on VLAN 0, SLAAC on VLAN 3001.
+    ./addresses.nix
+    # Configures a basic local DNS.
+    ./dns.nix
+    # Configures our management layer, e.g. SSH server + DGNum FAI keys.
+    ./management.nix
+    # Configures our recovery system, e.g. a levitation script.
+    ./recovery.nix
+    # Metadata on the system for field recovery.
+    ./metadata.nix
+    # TODO: god that's so a fucking hack.
+    (import "${modulesPath}/../devices/zyxel-nwa50ax").module
+  ];
+
+  hostname = "ap01-prototype";
+  nixpkgs.source = sourcePkgs.path;
+}

machines/liminix/ap01/addresses.nix

@@ -0,0 +1,22 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, ... }:
+let
+  svc = config.system.service;
+in
+{
+  services.dhcpv4 = svc.network.dhcp.client.build {
+    interface = config.services.int;
+    dependencies = [
+      config.services.bridge.components.lan
+    ];
+  };
+
+  services.defaultroute4 = svc.network.route.build {
+    via = "$(output ${config.services.dhcpv4} router)";
+    target = "default";
+    dependencies = [ config.services.dhcpv4 ];
+  };
+}

machines/liminix/ap01/dns.nix

@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, pkgs, ... }:
+let
+  inherit (pkgs.liminix.services) oneshot;
+  inherit (pkgs.pseudofile) dir symlink;
+  inherit (pkgs) serviceFns;
+in
+{
+  # TODO: support dynamic reconfiguration once we are in the target VLAN?
+  services.resolvconf = oneshot rec {
+    name = "resolvconf";
+    up = ''
+      . ${serviceFns}
+      ( in_outputs ${name}
+      for i in $(output ${config.services.dhcpv4} dns); do
+        echo "nameserver $i" >> resolv.conf
+      done
+      )
+    '';
+
+    dependencies = [
+      config.services.dhcpv4
+    ];
+  };
+
+  filesystem = dir {
+    etc = dir {
+      "resolv.conf" = symlink "${config.services.resolvconf}/.outputs/resolv.conf";
+    };
+  };
+}

machines/liminix/ap01/ipc.nix

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, ... }:
+let
+  svc = config.system.service;
+in
+{
+  # ubus socket for various needs.
+  services.ubus = svc.ubus.build { };
+}

machines/liminix/ap01/lan.nix

@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, ... }:
+let
+  svc = config.system.service;
+in
+{
+  services.int = svc.bridge.primary.build {
+    ifname = "int";
+    macAddressFromInterface = config.hardware.networkInterfaces.lan;
+  };
+
+  services.bridge = svc.bridge.members.build {
+    primary = config.services.int;
+    members = {
+      lan.member = config.hardware.networkInterfaces.lan;
+      wlan0 = {
+        member = config.hardware.networkInterfaces.wlan0;
+        # Bridge only once hostapd is ready.
+        dependencies = [ config.services.hostap-1-ready ];
+      };
+      wlan1 = {
+        member = config.hardware.networkInterfaces.wlan1;
+        # Bridge only once hostapd is ready.
+        dependencies = [ config.services.hostap-2-ready ];
+      };
+    };
+  };
+
+  # Default VLAN
+  # services.vlan-apro = svc.vlan.build {
+  #   vlanId = 0;
+  #   interface = config.services.int;
+  # };
+
+  # # Administration VLAN
+  # services.vlan-admin = svc.vlan.build {
+  #   vlan = 3001;
+  #   interface = config.services.int;
+  # };
+}

machines/liminix/ap01/management.nix

@@ -0,0 +1,16 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, ... }:
+let
+  svc = config.system.service;
+in
+{
+  # SSH keys are handled by the access control module.
+  dgn-access-control.enable = true;
+  users.root = {
+    passwd = "$6$Z2MiaMXkpUJRPl2/$fxVE3iD/n208CISM2F6OnWj0Qq0QG2tTQqLCjU80PFJJGIwNLLyOp6SeYH3dH20OvJX1loZRETrThZfIPw.rb/";
+  };
+  services.sshd = svc.ssh.build { allowRoot = true; };
+}

machines/liminix/ap01/metadata.nix

@@ -0,0 +1,19 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ pkgs, ... }:
+let
+  inherit (pkgs.pseudofile) dir;
+in
+{
+  filesystem = dir {
+    etc = dir {
+      "nixpkgs.version" = {
+        type = "f";
+        file = "${pkgs.lib.version}";
+        mode = "0444";
+      };
+    };
+  };
+}

machines/liminix/ap01/recovery.nix

@@ -0,0 +1,49 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{
+  config,
+  pkgs,
+  modulesPath,
+  ...
+}:
+let
+  svc = config.system.service;
+in
+{
+  defaultProfile.packages = with pkgs; [
+    # Levitate enable us to mass-reinstall the system on the fly.
+    (levitate.override {
+      config = {
+        imports = [
+          "${modulesPath}/network"
+          "${modulesPath}/ssh"
+          "${modulesPath}/hardware.nix"
+          "${modulesPath}/kernel"
+          "${modulesPath}/outputs/tftpboot.nix"
+          "${modulesPath}/outputs.nix"
+        ];
+        nixpkgs.buildPlatform = builtins.currentSystem;
+        services = {
+          # In this situation, we fallback to the appro VLAN.
+          # TODO: add support for the admin VLAN.
+          # Simplest DHCPv4 we can find.
+          dhcpv4 = svc.network.dhcp.client.build {
+            interface = config.hardware.networkInterfaces.lan;
+          };
+          inherit (config.services) sshd;
+          defaultroute4 = svc.network.route.build {
+            via = "$(output ${config.services.dhcpv4} router)";
+            target = "default";
+            dependencies = [ config.services.dhcpv4 ];
+          };
+        };
+
+        defaultProfile.packages = [ mtdutils ];
+        # Only keep root, which should inherit from DGN access control's root permissions.
+        users.root = config.users.root;
+      };
+    })
+  ];
+}

machines/liminix/ap01/system.nix

@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ pkgs, config, ... }:
+let
+  svc = config.system.service;
+in
+{
+  # Get moar random please
+  services = {
+    jitter = svc.jitter-rng.build { };
+    packet_forwarding = svc.network.forward.build { };
+    ntp = config.system.service.ntp.build {
+      pools = {
+        "pool.ntp.org" = [ "iburst" ];
+      };
+
+      dependencies = [ config.services.jitter ];
+    };
+  };
+
+  boot.tftp = {
+    serverip = "192.0.2.10";
+    ipaddr = "192.0.2.12";
+  };
+
+  defaultProfile.packages = with pkgs; [
+    zyxel-bootconfig
+    min-collect-garbage
+  ];
+}

machines/liminix/ap01/wlan.nix

@@ -0,0 +1,97 @@
+# SPDX-FileCopyrightText: 2024 Ryan Lahfa <ryan.lahfa@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+{ config, pkgs, ... }:
+let
+  svc = config.system.service;
+  secrets-1 = {
+    ssid = "DGNum 2G (N)";
+  };
+  secrets-2 = {
+    ssid = "DGNum 5G (AX)";
+  };
+  baseParams = {
+    country_code = "FR";
+    hw_mode = "g";
+    channel = 6;
+    wmm_enabled = 1;
+    ieee80211n = 1;
+    ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
+    auth_algs = 1;
+    wpa = 2;
+    wpa_pairwise = "TKIP CCMP";
+    rsn_pairwise = "CCMP";
+  };
+
+  radiusKeyMgmt = {
+    wpa_key_mgmt = "WPA-EAP";
+  };
+
+  modernParams = {
+    hw_mode = "a";
+    he_su_beamformer = 1;
+    he_su_beamformee = 1;
+    he_mu_beamformer = 1;
+    preamble = 1;
+    # Allow radar detection.
+    ieee80211d = 1;
+    ieee80211h = 1;
+    ieee80211ac = 1;
+    ieee80211ax = 1;
+    vht_capab = "[MAX-MPDU-7991][SU-BEAMFORMEE][SU-BEAMFORMER][RXLDPC][SHORT-GI-80][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][TX-STBC-2BY1][RX-STBC-1][MU-BEAMFORMER]";
+    vht_oper_chwidth = 1;
+    he_oper_chwidth = 1;
+    channel = 36;
+    vht_oper_centr_freq_seg0_idx = 42;
+    he_oper_centr_freq_seg0_idx = 42;
+    require_vht = 1;
+  };
+
+  clientRadius = {
+    ieee8021x = 1;
+    eapol_version = 2;
+    use_pae_group_addr = 1;
+    dynamic_vlan = 0;
+    vlan_tagged_interface = "lan";
+  };
+
+  externalRadius = {
+    # TODO: when we have proper IPAM, set the right value here.
+    own_ip_addr = "127.0.0.1";
+    nas_identifier = "ap01.dgnum.eu";
+
+    # No DNS here, hostapd do not support this mode.
+    auth_server_addr = "129.199.195.129";
+    auth_server_port = 1812;
+    auth_server_shared_secret = "read it online";
+  };
+
+  mkWifiSta =
+    params: interface: secrets:
+    svc.hostapd.build {
+      inherit interface;
+      package = pkgs.hostapd-radius;
+      params = params // secrets;
+      dependencies = [ config.services.jitter ];
+    };
+in
+{
+  services = {
+    # wlan0 is the 2.4GHz interface.
+    hostap-1 = mkWifiSta (
+      baseParams // radiusKeyMgmt
+    ) config.hardware.networkInterfaces.wlan0 secrets-1;
+    hostap-1-ready = svc.hostapd-ready.build {
+      interface = config.hardware.networkInterfaces.wlan0;
+    };
+    # wlan1 is the 5GHz interface, e.g. AX capable.
+    hostap-2 = mkWifiSta (
+      baseParams // clientRadius // externalRadius // radiusKeyMgmt // modernParams
+    ) config.hardware.networkInterfaces.wlan1 secrets-2;
+    # Oneshot that waits until the hostapd has set the interface in operational state. 
+    hostap-2-ready = svc.hostapd-ready.build {
+      interface = config.hardware.networkInterfaces.wlan1;
+    };
+  };
+}

machines/netconf/netcore02.nix

@@ -0,0 +1,113 @@
+# SPDX-FileCopyrightText: 2024 Lubin Bailly <lubin.bailly@dgnum.eu>
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+let
+  #TODO: meta
+  vlansPlan = {
+    "uplink-cri".id = 223;
+
+    "admin-core" = {
+      id = 3000;
+      l3-interface = "irb.0";
+    };
+    "admin-ap".id = 3001;
+    "users".id-list = [
+      {
+        begin = 3045;
+        end = 4094;
+      }
+    ];
+
+    "ap-staging".id = 2000;
+  };
+  #TODO: additionnal module (always the same for APs)
+  AP-staging = {
+    poe = true;
+    ethernet-switching = {
+      interface-mode = "access";
+      vlans = [ "ap-staging" ];
+    };
+  };
+in
+{
+  vlans = vlansPlan;
+  dgn-hardware.model = "EX2300-48P";
+  dgn-interfaces = {
+    # "ge-0/0/0" = AP-staging;
+    # "ge-0/0/1" = AP-staging;
+    # "ge-0/0/2" = AP-staging;
+    # "ge-0/0/3" = AP-staging;
+    "ge-0/0/4" = AP-staging;
+    # "ge-0/0/5" = AP-staging;
+    # "ge-0/0/6" = AP-staging;
+    # "ge-0/0/7" = AP-staging;
+    # "ge-0/0/8" = AP-staging;
+    # "ge-0/0/9" = AP-staging;
+    # "ge-0/0/10" = AP-staging;
+    # "ge-0/0/11" = AP-staging;
+    # "ge-0/0/12" = AP-staging;
+    # "ge-0/0/13" = AP-staging;
+    # "ge-0/0/14" = AP-staging;
+    # "ge-0/0/15" = AP-staging;
+    # "ge-0/0/16" = AP-staging;
+    # "ge-0/0/17" = AP-staging;
+
+    # oob
+    "ge-0/0/42".ethernet-switching = {
+      interface-mode = "trunk";
+      vlans = [ "all" ];
+    };
+    # AP de test
+    "ge-0/0/43" = {
+      poe = true;
+      ethernet-switching = {
+        interface-mode = "access";
+        vlans = [ 4000 ];
+      };
+    };
+    # uplink oob
+    "ge-0/0/46".ethernet-switching = {
+      interface-mode = "access";
+      vlans = [ 222 ];
+      rstp = false;
+    };
+    # ilo
+    "ge-0/0/47".ethernet-switching = {
+      interface-mode = "access";
+      vlans = [ "admin-core" ];
+    };
+
+    # router
+    "xe-0/1/0".ethernet-switching = {
+      interface-mode = "trunk";
+      vlans = [ "all" ];
+    };
+    # netaccess01
+    "xe-0/1/1".ethernet-switching = {
+      interface-mode = "trunk";
+      vlans = [
+        "users"
+        "ap-staging"
+        "admin-ap"
+        "admin-core"
+      ];
+    };
+    # netcore01 (Potos)
+    "xe-0/1/2".ethernet-switching = {
+      interface-mode = "access";
+      vlans = [
+        "ap-staging"
+      ];
+    };
+    # uplink
+    "ge-0/1/3".ethernet-switching = {
+      interface-mode = "trunk";
+      vlans = [ "uplink-cri" ];
+    };
+
+    # management
+    "me0".inet.addresses = [ "192.168.42.6/24" ];
+    "irb".inet6.addresses = [ "fd26:baf9:d250:8000::1001/64" ];
+  };
+}