enable pcscd for yubikey

add .val search domain
remove gandi acme
2026-01-06 15:51:35 +01:00 · 2026-01-06 15:50:45 +01:00 · 2026-01-06 15:48:51 +01:00 · 2026-01-06 15:47:03 +01:00 · 2026-01-06 15:46:21 +01:00 · 2026-01-06 15:46:18 +01:00
55 changed files with 381 additions and 1085 deletions
--- a/clan/flake-module.nix
+++ b/clan/flake-module.nix
@@ -9,6 +9,10 @@
  clan.meta.name = "blossom";
  clan.meta.domain = "val";
  clan.secrets.age.plugins = [
    "age-plugin-yubikey"
  ];
  clan.inventory.instances."rpqt-admin" = {
    module.input = "clan-core";
    module.name = "admin";
--- a/clan/network.nix
+++ b/clan/network.nix
@@ -33,16 +33,17 @@
    };
  };
-  # clan.inventory.instances.certificates = {
+  clan.inventory.instances.certificates = {
-  #   module.name = "certificates";
+    module.name = "certificates";
-  #   module.input = "clan-core";
+    module.input = "clan-core";
-  #   roles.ca.machines.verbena = {
+    roles.ca.machines.verbena = {
-  #     settings.acmeEmail = "admin@rpqt.fr";
+      settings.acmeEmail = "admin@rpqt.fr";
-  #   };
+      settings.tlds = [ "val" ];
-  #   roles.default.tags.all = { };
+    };
-  #   roles.default.settings.acmeEmail = "admin@rpqt.fr";
+    roles.default.tags.all = { };
-  # };
+    roles.default.settings.acmeEmail = "admin@rpqt.fr";
  };
  # Temporarily patched version of clan-core/coredns for AAAA records support
  clan.inventory.instances.coredns = {
@@ -52,12 +53,21 @@
    roles.default.tags.all = { };
    roles.server.machines.verbena = {
      settings.ip = "fd28:387a:90:c400::1";
      settings.dnsPort = 53;
    };
    roles.server.machines.crocus = {
      settings.ip = "fd28:387a:90:c400:6db2:dfc3:c376:9956";
    };
    roles.server.settings = {
-      tld = "home.rpqt.fr";
+      tld = "val";
    };
    roles.default.machines.verbena.settings = {
      ip = "fd28:387a:90:c400::1";
      services = [
        "ca"
        "vaultwarden"
      ];
    };
    roles.default.machines.genepi.settings = {
--- a/clanServices/coredns/default.nix
+++ b/clanServices/coredns/default.nix
@@ -118,11 +118,13 @@
                ''
                  .:${dnsPort} {
                      bind wireguard
                      forward . 1.1.1.1
                      cache 30
                  }
                  ${settings.tld}:${dnsPort} {
                      bind wireguard
                      file ${zonefile}
                  }
                '';
@@ -168,7 +170,7 @@
            networking.nameservers = map (
              m:
              let
-                port = config.services.unbound.settings.port or 53;
+                port = config.services.unbound.settings.server.port or 53;
              in
              "127.0.0.1:${toString port}#${roles.server.machines.${m}.settings.tld}"
            ) (lib.attrNames roles.server.machines);
@@ -179,11 +181,11 @@
            services.unbound = {
              enable = true;
-              resolveLocalQueries = true;
+              # resolveLocalQueries = true;
              checkconf = true;
              settings = {
                server = {
-                  # port = 5353;
+                  port = 5353;
                  verbosity = 2;
                  interface = [ "127.0.0.1" ];
                  access-control = [ "127.0.0.0/8 allow" ];
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1765893949,
+        "lastModified": 1766893577,
-        "narHash": "sha256-5wn3/cMZ6cQ7BHaoTkeDiMxgjZUV/8FPGplCJ/P6Idc=",
+        "narHash": "sha256-8SFRZJt9HlNN1ic3asTCOc6Vr/QJQDdZjJ4C5XzxFi0=",
        "owner": "nix-community",
        "repo": "buildbot-nix",
-        "rev": "39896cb5a1a6ad52d1feb6634913087e11059454",
+        "rev": "4f590eb97462eef698f2c96c67a080876c1f8051",
        "type": "github"
      },
      "original": {
@@ -41,11 +41,11 @@
        "treefmt-nix": "treefmt-nix_2"
      },
      "locked": {
-        "lastModified": 1766058975,
+        "lastModified": 1767634906,
-        "narHash": "sha256-HBnRRq9wLq7UfJxMM55wR10lZFK1F0lNyRgUwwOby6s=",
+        "narHash": "sha256-NoyNzhWX0O7nJA6zMm9aYN8NgpFY/ua+0n3YEw5+rTk=",
        "ref": "refs/heads/main",
-        "rev": "9032d11a0e31641808ef1427150aac0f40e2e0b9",
+        "rev": "d9efb591e391f474c90fdb07df1672a3da35267b",
-        "revCount": 11671,
+        "revCount": 11861,
        "type": "git",
        "url": "https://git.clan.lol/clan/clan-core"
      },
@@ -70,11 +70,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1765768061,
+        "lastModified": 1767582502,
-        "narHash": "sha256-RZ/ocDUJ3WPr2KcDc2MB6Fu+ZPqzwsMKQ16XxqrPi+o=",
+        "narHash": "sha256-WVcYGWcAlWzVt38OaTC5i5Q3QkIKJKZsJ7LcQZVVxeE=",
-        "rev": "53351f9953ecf9dbe18795b4784abe53b14e6eee",
+        "rev": "31f2e3ecf207fd2760e3cebf7c2cf3cb7170ea3d",
        "type": "tarball",
-        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/53351f9953ecf9dbe18795b4784abe53b14e6eee.tar.gz"
+        "url": "https://git.clan.lol/api/v1/repos/clan/data-mesher/archive/31f2e3ecf207fd2760e3cebf7c2cf3cb7170ea3d.tar.gz"
      },
      "original": {
        "type": "tarball",
@@ -89,11 +89,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1765794845,
+        "lastModified": 1766150702,
-        "narHash": "sha256-YD5QWlGnusNbZCqR3pxG8tRxx9yUXayLZfAJRWspq2s=",
+        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "7194cfe5b7a3660726b0fe7296070eaef601cae9",
+        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
        "type": "github"
      },
      "original": {
@@ -109,11 +109,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1765794845,
+        "lastModified": 1766150702,
-        "narHash": "sha256-YD5QWlGnusNbZCqR3pxG8tRxx9yUXayLZfAJRWspq2s=",
+        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "7194cfe5b7a3660726b0fe7296070eaef601cae9",
+        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
        "type": "github"
      },
      "original": {
@@ -195,11 +195,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1765980955,
+        "lastModified": 1766936966,
-        "narHash": "sha256-rB45jv4uwC90vM9UZ70plfvY/2Kdygs+zlQ07dGQFk4=",
+        "narHash": "sha256-LfixPDPlysn7sAUVyHEL8sjzgoYv2abDLoCxAlzY440=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "89c9508bbe9b40d36b3dc206c2483ef176f15173",
+        "rev": "80cca72314c3b18896f2a412f2f070d17810b45f",
        "type": "github"
      },
      "original": {
@@ -208,42 +208,6 @@
        "type": "github"
      }
    },
    "impermanence": {
      "locked": {
        "lastModified": 1737831083,
        "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
        "owner": "nix-community",
        "repo": "impermanence",
        "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "impermanence",
        "type": "github"
      }
    },
    "matugen": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1765981892,
        "narHash": "sha256-c7VKaNiBUkwGsTq398EQSM4K7skPacmOz8NeLj67M7s=",
        "owner": "InioX",
        "repo": "Matugen",
        "rev": "e405cd9de87510dd40c1328bcf06e0daf3d1a5bf",
        "type": "github"
      },
      "original": {
        "owner": "InioX",
        "repo": "Matugen",
        "type": "github"
      }
    },
    "nix-darwin": {
      "inputs": {
        "nixpkgs": [
@@ -252,11 +216,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764161084,
+        "lastModified": 1767028240,
-        "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=",
+        "narHash": "sha256-0/fLUqwJ4Z774muguUyn5t8AQ6wyxlNbHexpje+5hRo=",
        "owner": "nix-darwin",
        "repo": "nix-darwin",
-        "rev": "e95de00a471d07435e0527ff4db092c84998698e",
+        "rev": "c31afa6e76da9bbc7c9295e39c7de9fca1071ea1",
        "type": "github"
      },
      "original": {
@@ -295,11 +259,11 @@
    },
    "nixos-facter-modules": {
      "locked": {
-        "lastModified": 1765442039,
+        "lastModified": 1766558141,
-        "narHash": "sha256-k3lYQ+A1F7aTz8HnlU++bd9t/x/NP2A4v9+x6opcVg0=",
+        "narHash": "sha256-Ud9v49ZPsoDBFuyJSQ2Mpw1ZgAH/aMwUwwzrVoetNus=",
        "owner": "nix-community",
        "repo": "nixos-facter-modules",
-        "rev": "9dd775ee92de63f14edd021d59416e18ac2c00f1",
+        "rev": "e796d536e3d83de74267069e179dc620a608ed7d",
        "type": "github"
      },
      "original": {
@@ -329,11 +293,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1764440730,
+        "lastModified": 1766568855,
-        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
+        "narHash": "sha256-UXVtN77D7pzKmzOotFTStgZBqpOcf8cO95FcupWp4Zo=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
+        "rev": "c5db9569ac9cc70929c268ac461f4003e3e5ca80",
        "type": "github"
      },
      "original": {
@@ -361,11 +325,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1765779637,
+        "lastModified": 1766651565,
-        "narHash": "sha256-KJ2wa/BLSrTqDjbfyNx70ov/HdgNBCBBSQP3BIzKnv4=",
+        "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "1306659b587dc277866c7b69eb97e5f07864d8c4",
+        "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539",
        "type": "github"
      },
      "original": {
@@ -382,8 +346,6 @@
        "disko": "disko_2",
        "flake-parts": "flake-parts_2",
        "home-manager": "home-manager",
        "impermanence": "impermanence",
        "matugen": "matugen",
        "nixos-generators": "nixos-generators",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2",
@@ -398,11 +360,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1765836173,
+        "lastModified": 1767499857,
-        "narHash": "sha256-hWRYfdH2ONI7HXbqZqW8Q1y9IRbnXWvtvt/ONZovSNY=",
+        "narHash": "sha256-0zUU/PW09d6oBaR8x8vMHcAhg1MOvo3CwoXgHijzzNE=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "443a7f2e7e118c4fc63b7fae05ab3080dd0e5c63",
+        "rev": "ecc41505948ec2ab0325f14c9862a4329c2b4190",
        "type": "github"
      },
      "original": {
@@ -418,11 +380,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1766020451,
+        "lastModified": 1766626001,
-        "narHash": "sha256-Jy7rX7sMbSJEX0KKwvNcGUfRVZ0SDWo3Zk2e5LGyqw0=",
+        "narHash": "sha256-YQk9UVG4PsrTp4LVbWCDwuc594S9H05pxNgjK8R30/U=",
        "owner": "nix-community",
        "repo": "srvos",
-        "rev": "5ecd4a56da963480db305e56ab3a42d13597c0a7",
+        "rev": "cf609acbe9aa6f53120df7b1adad16957e481b93",
        "type": "github"
      },
      "original": {
@@ -446,21 +408,6 @@
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1689347949,
        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
        "owner": "nix-systems",
        "repo": "default-linux",
        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default-linux",
        "type": "github"
      }
    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
@@ -468,27 +415,6 @@
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1762938485,
        "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "treefmt-nix_2": {
      "inputs": {
        "nixpkgs": [
          "clan-core",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1766000401,
        "narHash": "sha256-+cqN4PJz9y0JQXfAK5J1drd0U05D5fcAGhzhfVrDlsI=",
@@ -502,6 +428,27 @@
        "repo": "treefmt-nix",
        "type": "github"
      }
    },
    "treefmt-nix_2": {
      "inputs": {
        "nixpkgs": [
          "clan-core",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1767468822,
        "narHash": "sha256-MpffQxHxmjVKMiQd0Tg2IM/bSjjdQAM+NDcX6yxj7rE=",
        "owner": "numtide",
        "repo": "treefmt-nix",
        "rev": "d56486eb9493ad9c4777c65932618e9c2d0468fc",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "treefmt-nix",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -6,15 +6,11 @@
      nixpkgs,
      clan-core,
      flake-parts,
      home-manager,
      impermanence,
      nixos-hardware,
      self,
      ...
    }:
    flake-parts.lib.mkFlake { inherit inputs; } ({
      imports = [
-        inputs.clan-core.flakeModules.default
+        clan-core.flakeModules.default
        ./clan/flake-module.nix
        ./clanServices/flake-module.nix
        ./devShells/flake-module.nix
@@ -39,8 +35,6 @@
    home-manager.url = "github:nix-community/home-manager";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
    impermanence.url = "github:nix-community/impermanence";
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    nixos-generators.url = "github:nix-community/nixos-generators";
@@ -49,9 +43,6 @@
    clan-core.inputs.nixpkgs.follows = "nixpkgs";
    clan-core.inputs.flake-parts.follows = "flake-parts";
    matugen.url = "github:InioX/Matugen";
    matugen.inputs.nixpkgs.follows = "nixpkgs";
    flake-parts.url = "github:hercules-ci/flake-parts";
    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
--- a/home-manager/cli.nix
+++ b/home-manager/cli.nix
@@ -11,6 +11,8 @@
  ];
  home.packages = with pkgs; [
    age
    age-plugin-yubikey
    bottom
    btop
    comma
@@ -20,8 +22,10 @@
    eza
    fd
    glow
    jjui
    lazygit
    nh
    passage
    ripgrep
    skim
    tealdeer
--- a/home-manager/desktop/sway.nix
+++ b/home-manager/desktop/sway.nix
@@ -1,32 +0,0 @@
 {
  self,
  config,
  pkgs,
  ...
 }:
 {
  imports = [
    self.homeManagerModules.dotfiles
    ./wayland.nix
  ];
  home.packages = with pkgs; [
    tofi
    i3status-rust
    wlsunset
    kanshi
    grim
    slurp
    playerctl
    swaybg
  ];
  xdg.configFile = {
    "sway".source = "${config.dotfiles.path}/.config/sway";
    "swaylock".source = "${config.dotfiles.path}/.config/swaylock";
    "swayidle".source = "${config.dotfiles.path}/.config/swayidle";
    "kanshi".source = "${config.dotfiles.path}/.config/kanshi";
    "i3status-rust".source = "${config.dotfiles.path}/.config/i3status-rust";
    "tofi/config".source = "${config.dotfiles.path}/.config/tofi/config";
  };
 }
--- a/home-manager/mail/default.nix
+++ b/home-manager/mail/default.nix
@@ -1,4 +1,7 @@
 { config, ... }:
 let
  pass = "passage";
 in
 {
  programs.thunderbird = {
    enable = true;
@@ -9,24 +12,44 @@
    };
  };
  programs.aerc = {
    enable = true;
    # safe since the accounts file just contains commands for retrieving passwords and is readonly in the nix store
    extraConfig.general.unsafe-accounts-conf = true;
  };
  accounts.email.accounts = {
-    "rpqt@rpqt.fr" = {
+    "rpqt@rpqt.fr" = rec {
      address = "rpqt@rpqt.fr";
      realName = "Romain Paquet";
      primary = true;
      flavor = "migadu.com";
      thunderbird.enable = config.programs.thunderbird.enable;
      aerc.enable = config.programs.aerc.enable;
      passwordCommand = [
        pass
        "show"
        "mail/${address}"
      ];
      folders.inbox = "INBOX";
    };
-    "admin@rpqt.fr" = {
+    "admin@rpqt.fr" = rec {
      address = "admin@rpqt.fr";
      aliases = [ "postmaster@rpqt.fr" ];
      realName = "Postmaster";
      flavor = "migadu.com";
      thunderbird.enable = config.programs.thunderbird.enable;
      aerc.enable = config.programs.aerc.enable;
      passwordCommand = [
        pass
        "show"
        "mail/${address}"
      ];
      folders.inbox = "INBOX";
    };
-    "romain.paquet@grenoble-inp.org" = {
+    "romain.paquet@grenoble-inp.org" = rec {
      address = "romain.paquet@grenoble-inp.org";
      realName = "Romain Paquet";
      userName = "romain.paquet@grenoble-inp.org";
@@ -39,14 +62,26 @@
        port = 465;
      };
      thunderbird.enable = config.programs.thunderbird.enable;
      aerc.enable = config.programs.aerc.enable;
      passwordCommand = [
        pass
        "show"
        "mail/${address}"
      ];
      folders.inbox = "INBOX";
    };
-    "admin@turifer.dev" = {
+    "admin@turifer.dev" = rec {
      address = "admin@turifer.dev";
      aliases = [ "postmaster@turifer.dev" ];
      realName = "Postmaster";
      flavor = "migadu.com";
      thunderbird.enable = config.programs.thunderbird.enable;
      aerc.enable = config.programs.aerc.enable;
      passwordCommand = [
        pass
        "mail/${address}"
      ];
    };
    "romain@student.agh.edu.pl" = {
--- a/home/.config/dotfiles/clone.sh
+++ b/home/.config/dotfiles/clone.sh
@@ -1,29 +0,0 @@
 #!/bin/sh
 DOTFILES_GIT_URL='git@git.sr.ht:~rpqt/dotfiles'
 # The first argument can be the destination folder
 if [ $# -eq 1 ]; then
  DOTFILES_DIR="$1"
 else
  DOTFILES_DIR="$HOME/.dotfiles"
 fi
 echo "$DOTFILES_DIR" >> "$HOME/.gitignore"
 git clone --bare "$DOTFILES_GIT_URL" "$DOTFILES_DIR"
 alias dotfiles='/usr/bin/git --git-dir=$DOTFILES_DIR --work-tree=$HOME'
 dotfiles config --local status.showUntrackedFiles no
 dotfiles checkout
 tee "$HOME/.config/git/config" >/dev/null <<EOT
 [include]
  path = ~/.config/git/common.gitconfig
  path = ~/.config/git/local.gitconfig
 EOT
 unset DOTFILES_DIR
 unset DOTFILES_GIT_URL
--- a/home/.config/i3bar-river/bottom-config.toml
+++ b/home/.config/i3bar-river/bottom-config.toml
@@ -1,6 +0,0 @@
 font = "JetBrains Mono NF Bold 12"
 height = 24
 background = "#000000"
 command = "i3status-rs ~/.config/i3status-rust/bottom-config.toml"
 position = "bottom"
 show_tags = false
--- a/home/.config/i3bar-river/config.toml
+++ b/home/.config/i3bar-river/config.toml
@@ -1,10 +0,0 @@
 font = "JetBrains Mono NF Bold 12"
 height = 24
 background = "#000000"
 command = "i3status-rs"
 tags_margin = 0.0
 tags_padding = 8.0
 tag_fg = "#727169"
 tag_bg = "#000000"
 tag_focused_fg = "#dcd7ba"
 tag_focused_bg = "#000000"
--- a/home/.config/kanshi/config
+++ b/home/.config/kanshi/config
@@ -1,5 +0,0 @@
 profile mirror-hdmi {
    output eDP-1 enable mode 1920x1080 position 0,0
    output HDMI-A-1 enable mode 1920x1080 position 1920,0
    exec wl-present mirror eDP-1 --fullscreen-output HDMI-A-1 --fullscreen
 }
--- a/home/.config/niri/config.kdl
+++ b/home/.config/niri/config.kdl
@@ -25,6 +25,9 @@ input {
    focus-follows-mouse max-scroll-amount="0%"
 }
 workspace "browser" {
 }
 output "eDP-1" {
    mode "1920x1080@60.049"
    scale 1
@@ -72,6 +75,7 @@ cursor {
 window-rule {
    match app-id=r#"^firefox$"#
    open-maximized true
    open-on-workspace "browser"
    focus-ring {
        off
    }
--- a/home/.config/sway/config
+++ b/home/.config/sway/config
@@ -1,2 +0,0 @@
 include ~/.config/sway/config.d/*
 include /etc/sway/config.d/*
--- a/home/.config/sway/config.d/bar
+++ b/home/.config/sway/config.d/bar
@@ -1,37 +0,0 @@
 include ~/.config/sway/kanagawa.sway
 set $font "JetBrains Mono NF Bold 12"
 set $background #000000
 bar {
 	id top_bar
 	status_command i3status-rs
 	position top
 	height 24
 	font $font
 	workspace_min_width 20
 	status_padding 0
 	status_edge_padding 0
 	colors {
 		background $background
 		focused_workspace #000000 #000000 $fujiWhite
 		active_workspace #000000 #000000 $fujiGray
 		inactive_workspace #000000 #000000 $fujiGray
 	}
 }
 bar {
 	id bottom_bar
 	status_command i3status-rs ~/.config/i3status-rust/bottom-config.toml
 	position bottom
 	height 24
 	font $font
 	workspace_buttons no
 	binding_mode_indicator no
 	tray_output none
 	colors {
 		background $background
 	}
 }
 # vim:ft=swayconfig
--- a/home/.config/sway/config.d/bindings
+++ b/home/.config/sway/config.d/bindings
@@ -1,169 +0,0 @@
 set $mod Mod4
 set $left h
 set $down j
 set $up k
 set $right l
 set $term alacritty msg create-window || alacritty
 set $launcher tofi-drun | xargs swaymsg exec --
 set $lock swaylock
 set $screenshots $HOME/Pictures/Screenshots
 floating_modifier $mod normal
 bindsym {
    # Start a terminal
    $mod+Return exec $term
    # Kill focused window
    $mod+Shift+q kill
 		$mod+w       kill
    # Application launcher
    $mod+d exec $launcher
    # Reload the configuration file
    $mod+Shift+c reload
    # Exit sway / log out
    $mod+Shift+e exec swaynag \
 		-t warning \
 		-m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' \
 		-B 'Yes, exit sway' 'swaymsg exit' \
 		--dismiss-button 'Cancel'
    # Move focus
    $mod+$left  focus left
    $mod+$down  focus down
    $mod+$up    focus up
    $mod+$right focus right
    $mod+Left   focus left
    $mod+Down   focus down
    $mod+Up     focus up
    $mod+Right  focus right
    # Move the focused window
    $mod+Shift+$left  move left
    $mod+Shift+$down  move down
    $mod+Shift+$up    move up
    $mod+Shift+$right move right
    $mod+Shift+Left  move left
    $mod+Shift+Down  move down
    $mod+Shift+Up    move up
    $mod+Shift+Right move right
 	--to-code {
 		# Switch to workspace
 		$mod+ampersand  workspace number 1
 		$mod+eacute     workspace number 2
 		$mod+quotedbl   workspace number 3
 		$mod+apostrophe workspace number 4
 		$mod+parenleft  workspace number 5
 		$mod+minus      workspace number 6
 		$mod+egrave     workspace number 7
 		$mod+underscore workspace number 8
 		$mod+ccedilla   workspace number 9
 		$mod+agrave     workspace number 10
 	}
 	# Move focused container to workspace
 	$mod+1 move container to workspace number 1
 	$mod+2 move container to workspace number 2
 	$mod+3 move container to workspace number 3
 	$mod+4 move container to workspace number 4
 	$mod+5 move container to workspace number 5
 	$mod+6 move container to workspace number 6
 	$mod+7 move container to workspace number 7
 	$mod+8 move container to workspace number 8
 	$mod+9 move container to workspace number 9
 	$mod+0 move container to workspace number 10
 	$mod+Shift+1 move container to workspace number 1
 	$mod+Shift+2 move container to workspace number 2
 	$mod+Shift+3 move container to workspace number 3
 	$mod+Shift+4 move container to workspace number 4
 	$mod+Shift+5 move container to workspace number 5
 	$mod+Shift+6 move container to workspace number 6
 	$mod+Shift+7 move container to workspace number 7
 	$mod+Shift+8 move container to workspace number 8
 	$mod+Shift+9 move container to workspace number 9
 	$mod+Shift+0 move container to workspace number 10
    # Split
    $mod+b splith
    $mod+v splitv
    # Switch the current container between different layout styles
    $mod+s layout stacking
    $mod+t layout tabbed
    $mod+m layout toggle split
    # Toggle fullscreen on the current focus
    $mod+f fullscreen
    # Toggle floating mode for current container
    $mod+Shift+f floating toggle
    # Move focus to the parent container
    $mod+a focus parent
    # Move the focused window to the scratchpad
    $mod+Shift+equal move scratchpad
 	# Cycle through scratchpad windows
    $mod+equal scratchpad show
 	# Volume
 	XF86AudioRaiseVolume exec wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+ -l 1.0
 	XF86AudioLowerVolume exec wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%- -l 1.0
 	XF86AudioMute        exec wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle
 	XF86AudioMicMute     exec wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle
 	# Media
 	XF86AudioPlay exec playerctl play-pause
 	XF86AudioNext exec playerctl next
 	XF86AudioPrev exec playerctl previous
 	XF86Search    exec $launcher
 	# Brightness
 	--locked {
 		XF86MonBrightnessDown exec brightnessctl set 5%-
 		XF86MonBrightnessUp   exec brightnessctl set +5%
 	}
 	# Lock
 	Ctrl+Mod4+L exec $lock
 	# Screenshot
 	## Full screen capture
 	Print             exec grim "$screenshots/$(date +\"Screenshot from %Y-%m-%d %H-%M-%S.png\")"
 	## Select a zone and save
 	$mod+Shift+s      exec grim -g "$(slurp -d)" "$screenshots/$(date +\"Screenshot from %Y-%m-%d %H-%M-%S.png\")"
 	## Select a zone and copy to clipboard
 	$mod+Shift+Ctrl+s exec grim -g "$(slurp -d)" - | wl-copy
 }
 mode "resize" bindsym {
 		# Shrink or grow the container
 		$left resize shrink width 10px
 	    $down resize grow height 10px
 	    $up resize shrink height 10px
 	    $right resize grow width 10px
 	    # Same with arrow keys
 	    Left resize shrink width 10px
 	    Down resize grow height 10px
 	    Up resize shrink height 10px
 	    Right resize grow width 10px
 	    # Return to default mode
 	    Return mode "default"
 	    Escape mode "default"
 }
 bindsym $mod+r mode "resize"
--- a/home/.config/sway/config.d/input
+++ b/home/.config/sway/config.d/input
@@ -1,17 +0,0 @@
 input "1267:12613:ASUE140C:00_04F3:3145_Keyboard" {
    xkb_layout "fr,us(colemak_dh),us"
 	xkb_options grp:win_space_toggle
 }
 input "1:1:AT_Translated_Set_2_keyboard" {
    xkb_layout "fr,us(colemak_dh),us"
 	xkb_options grp:win_space_toggle
 }
 input type:touchpad {
    tap enabled
    natural_scroll enabled
 }
 bindgesture swipe:right workspace prev
 bindgesture swipe:left workspace next
--- a/home/.config/sway/config.d/programs
+++ b/home/.config/sway/config.d/programs
@@ -1,16 +0,0 @@
 # Directory for received taildrop files
 set $taildrop_inbox $HOME/Downloads
 # Screen temperature
 exec wlsunset -l 45 -L 6
 # Notifications
 exec mako
 # Output management
 exec kanshi
 # Auto receive taildrop files
 exec tailscale file get --loop --conflict=rename $taildrop_inbox
 exec swayidle -w
--- a/home/.config/sway/config.d/theme
+++ b/home/.config/sway/config.d/theme
@@ -1,22 +0,0 @@
 include ~/.config/sway/kanagawa.sway
 default_border pixel 3
 smart_borders on
 titlebar_border_thickness 2
 font "JetBrains Mono NF 11"
 gaps outer 0
 gaps inner 0
 set $waveBlue3 #3D5F77
 set $waveBlue4 #6D8FA7
 # class                  border     background text       indicator  child_border
 client.focused_inactive  $sumiInk2  $sumiInk1  $fujiWhite $sumiInk2  $sumiInk2
 client.unfocused         $sumiInk2  $sumiInk1  $fujiWhite $sumiInk2  $sumiInk2
 client.focused           $waveBlue3 $waveBlue2 $fujiWhite $waveBlue4 $waveBlue2
 client.focused_tab_title $waveBlue2 $waveBlue2 $fujiWhite
 for_window [app_id="firefox"] border none
 output * bg ~/.local/state/wallpaper fill
--- a/home/.config/sway/kanagawa.sway
+++ b/home/.config/sway/kanagawa.sway
@@ -1,110 +0,0 @@
 # Default foreground
 set $fujiWhite      #DCD7BA
 # Dark foreground (statuslines)
 set $oldWhite 	    #C8C093
 # Dark background (statuslines and floating windows)
 set $sumiInk0 	    #16161D
 # Default background
 set $sumiInk1 	    #1F1F28
 # Lighter background (colorcolumn, folds)
 set $sumiInk2 	    #2A2A37
 # Lighter background (cursorline)
 set $sumiInk3 	    #363646
 # Darker foreground (line numbers, fold column, non-text characters), float borders
 set $sumiInk4 	    #54546D
 # Popup background, visual selection background
 set $waveBlue1 	    #223249
 # Popup selection background, search background
 set $waveBlue2 	    #2D4F67
 # Diff Add (background)
 set $winterGreen    #2B3328
 # Diff Change (background)
 set $winterYellow   #49443C
 # Diff Deleted (background)
 set $winterRed 	    #43242B
 # Diff Line (background)
 set $winterBlue     #252535
 # Git Add
 set $autumnGreen    #76946A
 # Git Delete
 set $autumnRed 	    #C34043
 # Git Change
 set $autumnYellow   #DCA561
 # Diagnostic Error
 set $samuraiRed     #E82424
 # Diagnostic Warning
 set $roninYellow    #FF9E3B
 # Diagnostic Info
 set $waveAqua1 	    #6A9589
 # Diagnostic Hint
 set $dragonBlue     #658594
 # Comments
 set $fujiGray 	    #727169
 # Light foreground
 set $springViolet1  #938AA9
 # Statements and Keywords
 set $oniViolet 	    #957FB8
 # Functions and Titles
 set $crystalBlue    #7E9CD8
 # Brackets and punctuation
 set $springViolet2  #9CABCA
 # Specials and builtin functions
 set $springBlue     #7FB4CA
 # Not used
 set $lightBlue 	    #A3D4D5
 # Types
 set $waveAqua2 	    #7AA89F
 # Strings
 set $springGreen    #98BB6C
 # Not used
 set $boatYellow1    #938056
 # Operators, RegEx
 set $boatYellow2    #C0A36E
 # Identifiers
 set $carpYellow     #E6C384
 # Numbers
 set $sakuraPink     #D27E99
 # Standout specials 1 (builtin variables)
 set $waveRed 	    #E46876
 # Standout specials 2 (exception handling, return)
 set $peachRed 	    #FF5D62
 # Constants, imports, booleans
 set $surimiOrange   #FFA066
 # Deprecated
 set $katanaGray     #717C7C
--- a/home/.config/swayidle/config
+++ b/home/.config/swayidle/config
@@ -1,10 +0,0 @@
 # This will lock the screen after 300 seconds of inactivity.
 timeout 300 "swaylock -f"
 # Turn off all displays after another 300 seconds.
 # and turn them back on when resumed.
 timeout 600 "swaymsg 'output * dpms off'" resume "swaymsg 'output * dpms on'"
 # Lock the screen before the computer goes to sleep.
 before-sleep "playerctl pause"
 before-sleep "swaylock -f"
--- a/home/.config/swaylock/config
+++ b/home/.config/swaylock/config
@@ -1,29 +0,0 @@
 daemonize
 font=JetBrains Mono NF
 font-size=22
 image=~/.local/state/wallpaper
 ring-color=FFFFFF55
 ring-clear-color=FFFFFF55
 ring-ver-color=1885d4
 ring-wrong-color=FF0000
 key-hl-color=FFFFFF
 inside-color=00000000
 inside-clear-color=00000000
 inside-ver-color=00000000
 inside-wrong-color=00000000
 line-uses-inside
 separator-color=00000000
 layout-bg-color=00000000
 layout-text-color=FFFFFF
 text-color=FFFFFF
 text-clear-color=FFFFFF
 text-ver-color=FFFFFF
 text-wrong-color=FFFFFF
 indicator-radius=100
--- a/home/.config/task/taskrc
+++ b/home/.config/task/taskrc
@@ -1,4 +0,0 @@
 data.location=~/.local/share/task
 hooks.location=~/.config/task/hooks
 include ~/.config/task/sync
--- a/home/.config/tofi/config
+++ b/home/.config/tofi/config
@@ -1,176 +0,0 @@
 #
 ### Fonts
 #
 	# Font to use, either a path to a font file or a name.
 	#
 	# If a path is given, tofi will startup much quicker, but any
 	# characters not in the chosen font will fail to render.
 	#
 	# Otherwise, fonts are interpreted in Pango format.
 	font = "JetBrainsMono NF"
 	# Point size of text.
 	font-size = 15
 	# Perform font hinting. Only applies when a path to a font has been
 	# specified via `font`. Disabling font hinting speeds up text
 	# rendering appreciably, but will likely look poor at small font pixel
 	# sizes.
 	hint-font = true
 #
 ### Colors
 #
 	# Window background
 	background-color = #111111DD
 	# Border outlines
 	outline-color = #080800
 	# Border
 	border-color = #0981E3
 	# Default text
 	text-color = #C5C9C7
 	# Selection text
 	selection-color = #0981E3
 	# Matching portion of selection text
 	selection-match-color = #44BBFF
 	# Selection background
 	selection-background = #00000000
 #
 ### Text layout
 #
 	# Prompt to display.
 	prompt-text = "run: "
 	# Extra horizontal padding between prompt and input.
 	prompt-padding = 0
 	# Maximum number of results to display.
 	# If 0, tofi will draw as many results as it can fit in the window.
 	num-results = 0
 	# Spacing between results in pixels. Can be negative.
 	result-spacing = 8
 	# List results horizontally.
 	horizontal = false
 	# Minimum width of input in horizontal mode.
 	min-input-width = 0
 	# Extra horizontal padding of the selection background in pixels.
 	selection-background-padding = 0
 #
 ### Window layout
 #
 	# Width and height of the window. Can be pixels or a percentage.
 	width = 100%
 	height = 100%
 	# Width of the border outlines in pixels.
 	outline-width = 0
 	# Width of the border in pixels.
 	border-width = 0
 	# Radius of window corners in pixels.
 	corner-radius = 0
 	# Padding between borders and text. Can be pixels or a percentage.
 	padding-top = 200
 	padding-bottom = 0
 	padding-left = 35%
 	padding-right = 0
 	# Whether to scale the window by the output's scale factor.
 	scale = true
 #
 ### Window positioning
 #
 	# The name of the output to appear on. An empty string will use the
 	# default output chosen by the compositor.
 	output = ""
 	# Location on screen to anchor the window to.
 	#
 	# Supported values: top-left, top, top-right, right, bottom-right,
 	# bottom, bottom-left, left, center.
 	anchor = center
 	# Set the size of the exclusive zone.
 	#
 	# A value of -1 means ignore exclusive zones completely.
 	# A value of 0 will move tofi out of the way of other windows' zones.
 	# A value greater than 0 will set that much space as an exclusive zone.
 	#
 	# Values greater than 0 are only meaningful when tofi is anchored to a
 	# single edge.
 	exclusive-zone = -1
 	# Window offset from edge of screen. Only has an effect when anchored
 	# to the relevant edge. Can be pixels or a percentage.
 	margin-top = 0
 	margin-bottom = 0
 	margin-left = 0
 	margin-right = 0
 #
 ### Behaviour
 #
 	# Hide the cursor.
 	hide-cursor = false
 	# Sort results by number of usages in run and drun modes.
 	history = true
 	# Use fuzzy matching for searches.
 	fuzzy-match = false
 	# If true, require a match to allow a selection to be made. If false,
 	# making a selection with no matches will print input to stdout.
 	# In drun mode, this is always true.
 	require-match = true
 	# If true, typed input will be hidden, and what is displayed (if
 	# anything) is determined by the hidden-character option.
 	hide-input = false
 	# Replace displayed input characters with a character. If the empty
 	# string is given, input will be completely hidden.
 	# This option only has an effect when hide-input is set to true.
 	hidden-character = "*"
 	# If true, directly launch applications on selection when in drun mode.
 	# Otherwise, just print the command line to stdout.
 	drun-launch = false
 	# The terminal to run terminal programs in when in drun mode.
 	# This option has no effect if drun-launch is set to true.
 	# Defaults to the value of the TERMINAL environment variable.
 	# terminal = foot
 	# Delay keyboard initialisation until after the first draw to screen.
 	# This option is experimental, and will cause tofi to miss keypresses
 	# for a short time after launch. The only reason to use this option is
 	# performance on slow systems.
 	late-keyboard-init = false
 	# If true, allow multiple simultaneous processes.
 	# If false, create a lock file on startup to prevent multiple instances
 	# from running simultaneously.
 	multi-instance = false
 #
 ### Inclusion
 #
 	# Configs can be split between multiple files, and then included
 	# within each other.
 	# include = /path/to/config
--- a/home/.ssh/config
+++ b/home/.ssh/config
@@ -1,11 +1,11 @@
 Host crocus
-	HostName crocus.home.rpqt.fr
+	HostName crocus.val
 	User root
 Host verbena
-	HostName verbena.home.rpqt.fr
+	HostName verbena.val
 	User root
 Host genepi
-	HostName genepi.home.rpqt.fr
+	HostName genepi.val
 	User root
--- a/infra/.terraform.lock.hcl
+++ b/infra/.terraform.lock.hcl
@@ -1,26 +1,6 @@
 # This file is maintained automatically by "tofu init".
 # Manual edits may be lost in future updates.
 provider "registry.opentofu.org/go-gandi/gandi" {
  version     = "2.3.0"
  constraints = "2.3.0"
  hashes = [
    "h1:9kqWL+eFk/ogrQSltL9zVqjMcOqbvs3EgIJEeyNPb8U=",
    "zh:0936d011cf75bb5162c6027d00575a586807adc9008f4152def157b6ad22bae9",
    "zh:2170e671f04d3346ea416fcc404be6d05f637eab7df77e289a6898a928885f0b",
    "zh:250329baae3cb09cfb88dd004d45f003ba76fbe7b8daf9d18fd640b93a2b7252",
    "zh:2ccd9f253424738ca5fbbcb2127bf3713c20e87bfb3829f8c4565569424fd0bd",
    "zh:3607b48bc4691cd209528f9ffe16a6cc666bd284b0d0bdfe8c4e1d538559a408",
    "zh:3bc1d2b770fe0f50027da59c405b2468d1322243235367014f75f765124f458d",
    "zh:6c8a9092847ee2e2890825432b54424c456638d494e49b7d1845f055214714f5",
    "zh:8e0b62a330876005d52bcd65d7b1d9a679a7ac79c626e0f86661519e8f9b5698",
    "zh:8f44f4d52583ff249e2001ea2a8b8841010489dd43e1a01a9ec3a6813d121c28",
    "zh:9a617927d4a3a2897ff10999a19a6d1f0ef634b8c6b8fc3be12cf53948cfd9cf",
    "zh:cab3c82c54e38e6001eed5b80a2d16b7824921f8f8b3909049e174c48e6e8804",
    "zh:f78cc685aa4ba5056ea53a7f8ce585f87a911f0a8a387a44a33d7dfb69db7663",
  ]
 }
 provider "registry.opentofu.org/hashicorp/assert" {
  version = "0.16.0"
  hashes = [
@@ -39,45 +19,44 @@ provider "registry.opentofu.org/hashicorp/assert" {
 }
 provider "registry.opentofu.org/hetznercloud/hcloud" {
-  version     = "1.52.0"
+  version     = "1.57.0"
  constraints = "~> 1.45"
  hashes = [
-    "h1:LTjrLuC+4F1Kv4TxS9e7LVVkG8/S4QQ7X4ORblvKTbc=",
+    "h1:Xk+Whn6wnhEJEeiO/mPII/mOL+buHLj05AKy4TbDz3U=",
-    "zh:1e9bb6b6a2ea5f441638dbae2d60fbe04ff455f58a18c740b8b7913e2197d875",
+    "zh:016ecc39328f34f6c0ffa413598f354824f7878c89cd031f123edb4bc8a687a2",
-    "zh:29c122e404ba331cfbadacc7f1294de5a31c9dfd60bdfe3e1b402271fc8e419c",
+    "zh:10b362dc0847200c987214b129b5f85e2f7d8ad417261a1d2dd04ab74de15603",
-    "zh:2bd0ae2f0bb9f16b7753f59a08e57ac7230f9c471278d7882f81406b9426c8c7",
+    "zh:194647d9a61dca4f411f44580316b88a11095d7a99679d445f9b0f2c1ba976c4",
-    "zh:4383206971873f6b5d81580a9a36e0158924f5816ebb6206b0cf2430e4e6a609",
+    "zh:1d8aafe2ce7890696385bb3a0c3286e7ee3020416d337f59935406e4c6f91de6",
-    "zh:47e2ca1cfa18500e4952ab51dc357a0450d00a92da9ea03e452f1f3efe6bbf75",
+    "zh:594585616210fb232fad4ebda2387ecd3f483931e00eff988fca83add6ce7cfc",
-    "zh:8e9fe90e3cea29bb7892b64da737642fc22b0106402df76c228a3cbe99663278",
+    "zh:65e50be33ffb85580546f119839e1293591cc6d4db729d809931d0408b6ae408",
-    "zh:a2d69350a69c471ddb63bcc74e105e585319a0fc0f4d1b7f70569f6d2ece5824",
+    "zh:7d4ed5bd8c477ec304142e2160203a76a0d09c93d224950bda253172b2571038",
-    "zh:a97abcc254e21c294e2d6b0fc9068acfd63614b097dda365f1c56ea8b0fd5f6b",
+    "zh:90a70a70a266b78c8216903e711904e6969b3957d182602b5d788602ec9ef323",
-    "zh:aba8d72d4fe2e89c922d5446d329e5c23d00b28227b4666e6486ba18ea2ec278",
+    "zh:abb8e28e96fb8de270995873de980896b7cb53cfc550f02c50eaa42884624ba9",
-    "zh:ad36c333978c2d9e4bc43dcadcbff42fe771a8c5ef53d028bcacec8287bf78a7",
+    "zh:bbf34dca2de6e105ca7204222162a0402d8e9e9a28e1de5ffbaa2c0d6270a059",
-    "zh:cdb1e6903b9d2f0ad8845d4eb390fbe724ee2435fb045baeab38d4319e637682",
+    "zh:c1a9edb693d632dcb5c3c9ee84c97138e08eadb9354e28592efd581f68ac0385",
-    "zh:df77b08757f3f36b8aadb33d73362320174047044414325c56a87983f48b5186",
+    "zh:dadbf1368fae314fe8dcb99ebefbc78409f3fc0e3808cd92ea573b8eee1cae98",
-    "zh:e07513d5ad387247092b5ae1c87e21a387fc51873b3f38eee616187e38b090a7",
+    "zh:e713e00ca27348abd18da2eeff861905e84050e3e7e008f14a0c63c70ab2ff84",
    "zh:e2be02bdc59343ff4b9e26c3b93db7680aaf3e6ed13c8c4c4b144c74c2689915",
  ]
 }
 provider "registry.opentofu.org/ovh/ovh" {
-  version     = "2.5.0"
+  version     = "2.10.0"
-  constraints = "2.5.0"
+  constraints = "> 2.5.0"
  hashes = [
-    "h1:CrmFEWjczVhLWc2qzOktKSu8Q0U78uV8fnSHo54lMQg=",
+    "h1:6CHM/tHZ7vAvQKtdqurs6ExO+46gpFooZ0zdaW74DKE=",
-    "zh:1a11c3bc191c3417b41af5c56a66ac7071980f7babb390096b43aab3ac60fe7c",
+    "zh:1582485c59b5e25fa407417de3040dfc31bfec3f9b884d51953f6625b930d2f6",
-    "zh:1d46fa7c37468becb01d117463838f694a093e58a9b7d28347db2c377933db76",
+    "zh:15b425716d5e05992cb1d68a49d58f0e9e0cbd7dbaa35ea9793404fa1ec45bed",
-    "zh:22b83b15e878a9627477fe49e03dada3f4cd4357cb91cdb621394da690238542",
+    "zh:1c1547ff469c2f772d478f67d148d08b38468d43c9517b723b622a085625d949",
-    "zh:316541fc8bbf2fe14f4a484d878c63e4b949bd21a352e0ebf60d4848c96a338e",
+    "zh:2491be291a8876da2dc1e71490428706cdca39002a1e89d10dd060474f59ce19",
-    "zh:50e72847a4b1d532e7abd5669408832ac1b49dcfda266378b8e2419d97f0f49a",
+    "zh:2d9c7589764f838f04d38a87a0e6c9db6b560b6c5b510b69eabf2d67caa38d2b",
-    "zh:7582c8630edb3e83642e7a4b06fababeaf4833ce622c71220c38724d0e0231af",
+    "zh:56c5b16a55dc4ac5f3eed69072e5ae74aafac2a4a8a84ba27fa06528320037cc",
-    "zh:a26714d6bd8e04acbbc94c708b151405c4b6fc20dc7060e0daef8395f1bb9ce0",
+    "zh:629d2c7f709fc01adabba1c8b98ec7485dfebcc4b9f72f4bd4d36509166eb42c",
-    "zh:aa8be95462c5ca909c923cc3d44636eccc71cb25b51572fe7e2f68bc93c57612",
+    "zh:82f4b8b35a31a468d7a2a5aa4630f432ef64d9abfed8066afdaab0502886a72a",
-    "zh:b520c0661c514586b2aa3105c4345eda4d34ef08b62fda2cc20a2bcb8cb88ab2",
+    "zh:84c5e65122efaee5e34c266cd750576969bd788c2bdbb804a7ffc08728ac3987",
-    "zh:be8125f1b6bc8aa93441ec9dd96db5f49d21b4dcc100c13028404b461da545c9",
+    "zh:85db08f3e1b27fda723b080bc5132069b6b7ba9699567cd44fb0a2207456a76c",
-    "zh:c6aab9b6b04fa8483aa10c194eaab8e4a1fbffc64ad495f5027d496e5b2da214",
+    "zh:a84c043c96a01230e570163706f58c33ee59699fcc857d3db0f6e0b2a6b08bc6",
-    "zh:d537d85afc71c51d86b1031586c619c503df9462e0240d94984bc32273a03df2",
+    "zh:ad984516009930efc6ec465046287c6b293b6b219e3167aa4c0b900b903c6a50",
-    "zh:eaa9f41d33fa7731c4a937e80554a1b6b2042d273705e4c8fc983ba251193206",
+    "zh:bd0114d45ec72134cf930a7619b70b0068e439759febba5717abb76219b85800",
-    "zh:f0d085065a0ada787ad080ddd6e7c646b8ca3a351712961de735d18c9d59af7c",
+    "zh:f243a50dcf87687881972fcaba9226b4247588b6dc7368b0ef98168f643ee159",
  ]
 }
--- a/infra/dns.tf
+++ b/infra/dns.tf
@@ -1,47 +1,17 @@
 data "gandi_livedns_domain" "rpqt_fr" {
  name = "rpqt.fr"
 }
 resource "gandi_livedns_record" "rpqt_fr_radicle_a" {
  zone = data.gandi_livedns_domain.rpqt_fr.id
  name = "radicle"
  type = "A"
  ttl  = 10800
  values = [
    hcloud_server.crocus_server.ipv4_address,
  ]
 }
 resource "gandi_livedns_record" "rpqt_fr_radicle_aaaa" {
  zone = data.gandi_livedns_domain.rpqt_fr.id
  name = "radicle"
  type = "AAAA"
  ttl  = 10800
  values = [
    hcloud_server.crocus_server.ipv6_address,
  ]
 }
 resource "gandi_livedns_record" "rpqt_fr_cloud_a" {
  zone   = data.gandi_livedns_domain.rpqt_fr.id
  name   = "cloud"
  type   = "A"
  ttl    = 10800
  values = local.verbena_ipv4_addresses
 }
 resource "gandi_livedns_record" "rpqt_fr_cloud_aaaa" {
  zone   = data.gandi_livedns_domain.rpqt_fr.id
  name   = "cloud"
  type   = "AAAA"
  ttl    = 10800
  values = local.verbena_ipv6_addresses
 }
 data "ovh_vps" "verbena_vps" {
  service_name = "vps-7e78bac2.vps.ovh.net"
 }
 data "ovh_domain_zone" "rpqt_fr" {
  name = "rpqt.fr"
 }
 resource "ovh_domain_zone_import" "rpqt_fr_import" {
  zone_name = "rpqt.fr"
  zone_file = local.rpqt_fr_zone_file
 }
 data "ovh_domain_zone" "turifer_dev" {
  name = "turifer.dev"
 }
@@ -62,5 +32,13 @@ locals {
    verbena_ipv4_addresses = local.verbena_ipv4_addresses
    verbena_ipv6_addresses = local.verbena_ipv6_addresses
  })
  rpqt_fr_zone_file = templatefile("./templates/rpqt.fr.zone", {
    crocus_ipv4_address = hcloud_server.crocus_server.ipv4_address
    crocus_ipv6_address = hcloud_server.crocus_server.ipv6_address
    verbena_ipv4_addresses = local.verbena_ipv4_addresses
    verbena_ipv6_addresses = local.verbena_ipv6_addresses
  })
 }
--- a/infra/main.tf
+++ b/infra/main.tf
@@ -1,16 +1,12 @@
 terraform {
  required_providers {
    gandi = {
      source  = "go-gandi/gandi"
      version = "2.3.0"
    }
    hcloud = {
      source  = "hetznercloud/hcloud"
      version = "~> 1.45"
    }
    ovh = {
      source  = "ovh/ovh"
-      version = "2.5.0"
+      version = "> 2.5.0"
    }
    assert = {
      source = "hashicorp/assert"
--- a/infra/providers.tf
+++ b/infra/providers.tf
@@ -1,7 +1,3 @@
 provider "gandi" {
  personal_access_token = var.gandi_token
 }
 provider "hcloud" {
  token = var.hcloud_token
 }
--- a/infra/templates/rpqt.fr.zone
+++ b/infra/templates/rpqt.fr.zone
@@ -0,0 +1,31 @@
 $TTL 3600
@	IN SOA dns100.ovh.net. tech.ovh.net. (2026010123 86400 3600 3600000 60)
    IN NS     dns100.ovh.net.
 	IN NS     ns100.ovh.net.
 rpqt.fr. 3000 IN TXT "hosted-email-verify=pgeaq3bp"
 rpqt.fr. 3000 IN MX 10 aspmx1.migadu.com.
 rpqt.fr. 3000 IN MX 20 aspmx2.migadu.com.
 rpqt.fr. 3000 IN TXT "v=spf1 include:spf.migadu.com -all"
 key1._domainkey.rpqt.fr. 3000 IN CNAME key1.rpqt.fr._domainkey.migadu.com.
 key2._domainkey.rpqt.fr. 3000 IN CNAME key2.rpqt.fr._domainkey.migadu.com.
 key3._domainkey.rpqt.fr. 3000 IN CNAME key3.rpqt.fr._domainkey.migadu.com.
 _dmarc.rpqt.fr. 3000 IN TXT "v=DMARC1; p=quarantine;"
 autoconfig.rpqt.fr. 3000 IN CNAME autoconfig.migadu.com.
 _autodiscover._tcp.rpqt.fr. 3000 IN SRV 0 1 443 autodiscover.migadu.com.
 _submissions._tcp.rpqt.fr. 3000 IN SRV 0 1 465 smtp.migadu.com.
 _imaps._tcp.rpqt.fr. 3000 IN SRV 0 1 993 imap.migadu.com.
 _pop3s._tcp.rpqt.fr. 3000 IN SRV 0 1 995 pop.migadu.com.
@ 10800 IN A 46.23.81.157
@ 10800 IN AAAA 2a03:6000:1813:1337::157
 %{ for addr in verbena_ipv4_addresses ~}
 cloud 10800 IN A ${addr}
 %{ endfor ~}
 %{ for addr in verbena_ipv6_addresses ~}
 cloud 10800 IN AAAA ${addr}
 %{ endfor ~}
 radicle 10800 IN A ${crocus_ipv4_address}
 radicle 10800 IN AAAA ${crocus_ipv6_address}
--- a/infra/variables.tf
+++ b/infra/variables.tf
@@ -1,7 +1,3 @@
 variable "gandi_token" {
  sensitive = true
 }
 variable "hcloud_token" {
  sensitive = true
 }
--- a/machines/genepi/actual.nix
+++ b/machines/genepi/actual.nix
@@ -1,4 +1,7 @@
 { config, ... }:
 let
  domain = "actual.val";
 in
 {
  services.actual = {
    enable = true;
@@ -8,12 +11,14 @@
    };
  };
-  services.nginx.virtualHosts."actual.home.rpqt.fr" = {
+  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
-    useACMEHost = "home.rpqt.fr";
+    enableACME = true;
    locations."/".proxyPass =
      "http://127.0.0.1:${builtins.toString config.services.actual.settings.port}";
  };
-  clan.core.state.acutal.folders = [ "/var/lib/actual" ];
+  security.acme.certs.${domain}.server = "https://ca.val/acme/acme/directory";
  clan.core.state.actual.folders = [ "/var/lib/actual" ];
 }
--- a/machines/genepi/configuration.nix
+++ b/machines/genepi/configuration.nix
@@ -12,7 +12,6 @@
    ./homeassistant.nix
    ./immich.nix
    ./monitoring
    ./mpd.nix
    ./network.nix
    ./nginx.nix
    ./pinchflat.nix
--- a/machines/genepi/freshrss.nix
+++ b/machines/genepi/freshrss.nix
@@ -1,13 +1,13 @@
 { config, ... }:
 let
-  domain = "home.rpqt.fr";
+  tld = "val";
-  subdomain = "rss.${domain}";
+  domain = "rss.${tld}";
 in
 {
  services.freshrss = {
    enable = true;
-    baseUrl = "https://${subdomain}";
+    baseUrl = "https://${domain}";
-    virtualHost = "${subdomain}";
+    virtualHost = "${domain}";
    defaultUser = "rpqt";
    passwordFile = config.clan.core.vars.generators.freshrss.files.freshrss-password.path;
@@ -15,9 +15,11 @@ in
  services.nginx.virtualHosts.${config.services.freshrss.virtualHost} = {
    forceSSL = true;
-    useACMEHost = "${domain}";
+    enableACME = true;
  };
  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
  clan.core.vars.generators.freshrss = {
    prompts.freshrss-password = {
      description = "freshrss default user password";
--- a/machines/genepi/glance-config.nix
+++ b/machines/genepi/glance-config.nix
@@ -1,3 +1,4 @@
 { tld }:
 {
  theme = {
    light = true;
@@ -41,22 +42,22 @@
              sites = [
                {
                  title = "Immich";
-                  url = "https://images.home.rpqt.fr";
+                  url = "https://images.${tld}";
                  icon = "sh:immich";
                }
                {
                  title = "FreshRSS";
-                  url = "https://rss.home.rpqt.fr";
+                  url = "https://rss.${tld}";
                  icon = "sh:freshrss";
                }
                {
                  title = "Syncthing";
-                  url = "https://genepi.home.rpqt.fr/syncthing";
+                  url = "https://genepi.${tld}/syncthing";
                  icon = "sh:syncthing";
                }
                {
                  title = "Actual Budget";
-                  url = "https://actual.home.rpqt.fr";
+                  url = "https://actual.${tld}";
                  icon = "sh:actual-budget";
                }
                {
@@ -66,12 +67,12 @@
                }
                {
                  title = "Pinchflat";
-                  url = "https://pinchflat.home.rpqt.fr";
+                  url = "https://pinchflat.${tld}";
                  icon = "https://cdn.jsdelivr.net/gh/selfhst/icons/png/pinchflat.png";
                }
                {
                  title = "Home Assistant";
-                  url = "https://assistant.home.rpqt.fr";
+                  url = "https://assistant.${tld}";
                  icon = "sh:home-assistant";
                }
                {
@@ -98,12 +99,12 @@
              sites = [
                {
                  title = "Grafana";
-                  url = "https://grafana.home.rpqt.fr";
+                  url = "https://grafana.${tld}";
                  icon = "sh:grafana";
                }
                {
                  title = "Prometheus";
-                  url = "http://genepi.home.rpqt.fr:9090";
+                  url = "http://genepi.${tld}:9090";
                  icon = "sh:prometheus";
                }
              ];
@@ -115,7 +116,7 @@
              sites = [
                {
                  title = "Lounge";
-                  url = "https://lounge.home.rpqt.fr";
+                  url = "https://lounge.${tld}";
                  icon = "si:html5";
                }
                {
@@ -178,7 +179,7 @@
              cache = "12h";
              feeds = [
                {
-                  url = "https://rss.home.rpqt.fr/api/query.php?user=rpqt&t=74HfeLZ6Wu9h4MmjNR38Rz&f=rss";
+                  url = "https://rss.${tld}/api/query.php?user=rpqt&t=74HfeLZ6Wu9h4MmjNR38Rz&f=rss";
                }
              ];
            }
--- a/machines/genepi/glance.nix
+++ b/machines/genepi/glance.nix
@@ -1,18 +1,20 @@
 { config, ... }:
 let
-  domain = "home.rpqt.fr";
+  tld = "val";
-  subdomain = "glance.${domain}";
+  domain = "glance.${tld}";
 in
 {
  services.glance = {
    enable = true;
-    settings = ./glance-config.nix;
+    settings = (import ./glance-config.nix) { inherit tld; };
  };
-  services.nginx.virtualHosts.${subdomain} = {
+  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
-    useACMEHost = "${domain}";
+    enableACME = true;
    locations."/".proxyPass =
      "http://127.0.0.1:${toString config.services.glance.settings.server.port}";
  };
  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
 }
--- a/machines/genepi/homeassistant.nix
+++ b/machines/genepi/homeassistant.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 let
-  domain = "home.rpqt.fr";
+  tld = "val";
-  subdomain = "assistant.${domain}";
+  domain = "assistant.${tld}";
 in
 {
  services.home-assistant = {
@@ -26,9 +26,9 @@ in
    };
  };
-  services.nginx.virtualHosts.${subdomain} = {
+  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
-    useACMEHost = "${domain}";
+    enableACME = true;
    extraConfig = ''
      proxy_buffering off;
    '';
@@ -37,4 +37,6 @@ in
      proxyWebsockets = true;
    };
  };
  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
 }
--- a/machines/genepi/immich.nix
+++ b/machines/genepi/immich.nix
@@ -1,19 +1,19 @@
 { config, ... }:
 let
-  domain = "home.rpqt.fr";
+  tld = "val";
-  subdomain = "images.${domain}";
+  domain = "images.${tld}";
 in
 {
  services.immich = {
    enable = true;
    settings = {
-      server.externalDomain = "https://${subdomain}";
+      server.externalDomain = "https://${domain}";
    };
  };
-  services.nginx.virtualHosts.${subdomain} = {
+  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
-    useACMEHost = "${domain}";
+    enableACME = true;
    locations."/" = {
      proxyPass = "http://${toString config.services.immich.host}:${toString config.services.immich.port}";
      proxyWebsockets = true;
@@ -26,5 +26,7 @@ in
    };
  };
  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
  clan.core.state.immich.folders = [ "/var/lib/immich" ];
 }
--- a/machines/genepi/monitoring/grafana.nix
+++ b/machines/genepi/monitoring/grafana.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 let
-  domain = "home.rpqt.fr";
+  tld = "val";
 in
 {
  services.grafana = {
@@ -8,7 +8,7 @@ in
    settings = {
      server = {
        http_port = 3000;
-        domain = "grafana.${domain}";
+        domain = "grafana.${tld}";
      };
    };
    provision = {
@@ -31,10 +31,13 @@ in
  services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
    forceSSL = true;
-    useACMEHost = "${domain}";
+    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
      proxyWebsockets = true;
    };
  };
  security.acme.certs.${config.services.grafana.settings.server.domain}.server =
    "https://ca.${tld}/acme/acme/directory";
 }
--- a/machines/genepi/mpd.nix
+++ b/machines/genepi/mpd.nix
@@ -1,27 +0,0 @@
 { config, ... }:
 {
  services.mpd = {
    enable = true;
    musicDirectory = "/home/rpqt/Media/Music";
    extraConfig = ''
      audio_output {
        type "pulse"
        name "Pulse Audio"
      }
    '';
    network.listenAddress = "any";
  };
  services.pulseaudio.enable = true;
  # Workaround: run PulseAudio system-wide so that the mpd user can access it
  services.pulseaudio.systemWide = true;
  # Fixes the stutter when changing volume (found this randomly)
  services.pulseaudio.daemon.config.flat-volumes = "no";
  users.users.${config.services.mpd.user}.extraGroups = [ "pulse-access" ];
  users.users.rpqt.homeMode = "755";
 }
--- a/machines/genepi/pinchflat.nix
+++ b/machines/genepi/pinchflat.nix
@@ -3,6 +3,10 @@
  pkgs,
  ...
 }:
 let
  tld = "val";
  domain = "pinchflat.${tld}";
 in
 {
  services.pinchflat = {
    enable = true;
@@ -23,9 +27,11 @@
  clan.core.state.pinchflat.folders = [ "/var/lib/pinchflat" ];
-  services.nginx.virtualHosts."pinchflat.home.rpqt.fr" = {
+  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
-    useACMEHost = "home.rpqt.fr";
+    enableACME = true;
    locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.pinchflat.port}";
  };
  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
 }
--- a/machines/genepi/syncthing.nix
+++ b/machines/genepi/syncthing.nix
@@ -1,31 +1,41 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  user = "rpqt";
  home = config.users.users.${user}.home;
-  domain = "home.rpqt.fr";
+  tld = "val";
-  subdomain = "genepi.${domain}";
+  domain = "genepi.${tld}";
 in
 {
-  services.nginx.virtualHosts.${subdomain} = {
+  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
-    useACMEHost = "${domain}";
+    enableACME = true;
-    locations."/syncthing".proxyPass = "http://${config.services.syncthing.guiAddress}";
+    locations."/syncthing" = {
      proxyPass = "http://${config.services.syncthing.guiAddress}";
    };
  };
  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
  services.syncthing = {
    enable = true;
    user = user;
    group = lib.mkForce "users";
    dataDir = home;
    configDir = lib.mkForce "${home}/.config/syncthing";
    guiAddress = "0.0.0.0:8384";
    guiPasswordFile = config.clan.core.vars.generators.syncthing-gui.files.password.path;
  };
  networking.firewall.interfaces.wireguard = {
    allowedTCPPorts = [ 8384 ];
  };
  clan.core.vars.generators.syncthing-gui = {
    files.password = {
      secret = true;
--- a/machines/haze/configuration.nix
+++ b/machines/haze/configuration.nix
@@ -36,7 +36,8 @@
  clan.core.networking.targetHost = "rpqt@haze.local";
  networking.search = [
-    "home.rpqt.fr"
+    "val"
    "wireguard"
  ];
  time.timeZone = "Europe/Paris";
--- a/machines/haze/sway.nix
+++ b/machines/haze/sway.nix
@@ -1,11 +0,0 @@
 {
  services.gnome.gnome-keyring.enable = true;
  programs.sway = {
    enable = true;
    wrapperFeatures.gtk = true;
  };
  users.users."rpqt".extraGroups = [ "video" ];
  programs.light.enable = true;
 }
--- a/machines/verbena/configuration.nix
+++ b/machines/verbena/configuration.nix
@@ -4,6 +4,7 @@
    self.nixosModules.nix-defaults
    self.nixosModules.nextcloud
    self.nixosModules.gitea
    self.nixosModules.vaultwarden
    self.inputs.srvos.nixosModules.server
--- a/modules/acme-home.nix
+++ b/modules/acme-home.nix
@@ -1,26 +1,34 @@
 { config, lib, ... }:
 {
-  imports = [
+  config,
-    ./gandi.nix
+  lib,
-  ];
+  pkgs,
-
+  ...
 }:
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = lib.mkDefault "admin@rpqt.fr";
  };
-  security.acme = {
+  # security.acme = {
-    certs."home.rpqt.fr" = {
+  #   certs."home.rpqt.fr" = {
-      group = config.services.nginx.group;
+  #     group = config.services.nginx.group;
-      domain = "home.rpqt.fr";
+  #     domain = "home.rpqt.fr";
-      extraDomainNames = [ "*.home.rpqt.fr" ];
+  #     extraDomainNames = [ "*.home.rpqt.fr" ];
-      dnsProvider = "gandiv5";
+  #     dnsProvider = "rfc2136";
-      dnsPropagationCheck = true;
+  #     dnsPropagationCheck = true;
-      environmentFile = config.clan.core.vars.generators.gandi.files.gandi-env.path;
+  #     credentialFiles = {
-      email = "admin@rpqt.fr";
+  #       RFC2136_TSIG_SECRET_FILE = config.clan.core.vars.generators.coredns.files.tsig-key.path;
-      dnsResolver = "1.1.1.1:53";
+  #     };
-    };
+  #     environmentFile = pkgs.writeFile ''
-  };
+  #       RFC2136_NAMESERVER=fd28:387a:90:c400::1
  #     '';
  #     email = "admin@rpqt.fr";
  #     dnsResolver = "1.1.1.1:53";
  #     server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # TODO: use production api
  # };
  # };
-  clan.core.vars.generators.gandi.files.gandi-env.owner = "acme";
+  # clan.core.vars.generators.coredns.files.tsig-key.group = "acme";
  # clan.core.vars.generators.coredns.files.tsig-key.mode = "0440";
 }
--- a/modules/desktop.nix
+++ b/modules/desktop.nix
@@ -20,4 +20,6 @@
    enable = true;
    terminal = "ghostty";
  };
  services.pcscd.enable = true;
 }
--- a/modules/flake-module.nix
+++ b/modules/flake-module.nix
@@ -1,31 +1,28 @@
 { lib, ... }:
 {
-  flake.nixosModules = {
+  flake.nixosModules =
-    gitea.imports = [
+    (
-      ./gitea.nix
+      (builtins.readDir ./.)
-    ];
+      |> lib.filterAttrs (path: type: type == "regular" && (lib.hasSuffix ".nix" path))
      |> lib.mapAttrs' (
        path: _: {
          name = lib.removeSuffix ".nix" path;
          value = {
            imports = [ ./${path} ];
          };
        }
      )
    )
    // {
      server.imports = [
        ./motd.nix
      ];
-    desktop.imports = [
+      common.imports = [
-      ./desktop.nix
+        {
-    ];
+          users.mutableUsers = lib.mkDefault false;
-
+          services.userborn.enable = lib.mkDefault true;
-    dev.imports = [ ./dev.nix ];
+        }
-    nix-defaults.imports = [ ./nix-defaults.nix ];
+      ];
-    tailscale.imports = [ ./tailscale.nix ];
+    };
    user-rpqt.imports = [ ./user-rpqt.nix ];
    hardened-ssh-server.imports = [ ./hardened-ssh-server.nix ];
    nextcloud.imports = [ ./nextcloud.nix ];
    radicle.imports = [ ./radicle.nix ];
    server.imports = [
      ./motd.nix
    ];
    common.imports = [
      {
        users.mutableUsers = lib.mkDefault false;
        services.userborn.enable = lib.mkDefault true;
      }
    ];
  };
 }
--- a/modules/gandi.nix
+++ b/modules/gandi.nix
@@ -1,15 +0,0 @@
 {
  clan.core.vars.generators.gandi = {
    prompts.gandi-token = {
      description = "gandi access token";
      type = "hidden";
    };
    files.gandi-env = {
      secret = true;
    };
    script = ''
      printf %s "GANDIV5_PERSONAL_ACCESS_TOKEN=" >> $out/gandi-env
      cat $prompts/gandi-token >> $out/gandi-env
    '';
  };
 }
--- a/modules/lounge.nix
+++ b/modules/lounge.nix
@@ -1,7 +1,13 @@
 let
  tld = "val";
  domain = "lounge.${tld}";
 in
 {
-  services.nginx.virtualHosts."lounge.home.rpqt.fr" = {
+  services.nginx.virtualHosts.${domain} = {
-    useACMEHost = "home.rpqt.fr";
+    enableACME = true;
    forceSSL = true;
    root = "/var/www/lounge";
  };
  security.acme.certs.${domain}.server = "https://ca.${tld}/acme/acme/directory";
 }
--- a/modules/vaultwarden.nix
+++ b/modules/vaultwarden.nix
@@ -0,0 +1,18 @@
 {
  config,
  ...
 }:
 {
  services.vaultwarden = {
    enable = true;
    domain = "vaultwarden.val";
    configureNginx = true;
  };
  services.nginx.virtualHosts.${config.services.vaultwarden.domain} = {
    enableACME = true;
  };
  security.acme.certs.${config.services.vaultwarden.domain}.server =
    "https://ca.val/acme/acme/directory";
 }
--- a/vars/shared/openssh-ca/id_ed25519/machines/crocus
+++ b/vars/shared/openssh-ca/id_ed25519/machines/crocus
@@ -1 +0,0 @@
 ../../../../../sops/machines/crocus
--- a/vars/shared/openssh-ca/id_ed25519/machines/genepi
+++ b/vars/shared/openssh-ca/id_ed25519/machines/genepi
@@ -1 +0,0 @@
 ../../../../../sops/machines/genepi
--- a/vars/shared/openssh-ca/id_ed25519/machines/verbena
+++ b/vars/shared/openssh-ca/id_ed25519/machines/verbena
@@ -1 +0,0 @@
 ../../../../../sops/machines/verbena
--- a/vars/shared/openssh-ca/id_ed25519/secret
+++ b/vars/shared/openssh-ca/id_ed25519/secret
@@ -3,28 +3,16 @@
 	"sops": {
 		"age": [
 			{
-				"recipient": "age10lf2vjmlkff25qyft9d3c0274gvkxsf255fw0ea60cuqc7703ajqu3yxx9",
+				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VG4xcmdBQVJHUXY0enRY\nNmFaZ2RPUWRNYXllMWFucllicDVUTkNuQkh3Ck5uK3prYlRxL2s5MzFqZXRuR3Jv\nLys5RnlVZFBUdTcvRHdYYnlDVlhCSWcKLS0tIFdQY29WZVFYNTRwWXVucUU2RWFL\nOTkyWlc5L3NwUnNXUHRKTzBwZnhhRzAK9f+zmgmEA6ZoD+6ACPmaJuEXCC99fOqb\nKorQurVtUZEGPCYI8hPE26qpITJdwB5g61jXHcobuU8Cy9wemnrWjg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBeDczWEw4\ndGQydE1DN3RRRFpDQm1RWUcrOExaY0w3dEtLN2wzL0RDU0NkRQoydVBFOFY2eHpD\nUWk0T2V6cUNxZFZBZ1U4NS9adzc2ZXlUcWVRZGNscURzCi0tLSBpZ3VoYXhGdldS\nMVFralNzaTRQMEhVT0xRdEJDcUxPNHFOY29NUnh2K2ZvCjflIFoO8/97HXz0893D\nnNc5EVMRMNhJbDb/Nj4MCafNrf3JeN3jWmCX1IA5AZqMt2Nq2SB1Itx8iaIcRq0t\nlTY=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1yubikey1qd2d7qpxlw9lj9l573f34vdkrazdq6yk4mvnlug46m979dl6p2p5xlzr0wt",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBdjA4Tllj\nVVh4Y1lOeU8wUHFZa3k2VEZpdWRMaHdXQmRUazFqbUJQWHpRZQp3SjJaSzNOaVVQ\nZVpqdVd6U3J1ODNKRTBoRnRJZzNJMVRDU1JGeitIM2MwCi0tLSBZZEVsUzRiOWdT\nRzVoSlQ2RkVLV1JSamRlUDdjeVFCQlFVMGpxM3pKVjE0CvpAOL+lnUcv/BrlKqiE\nIdnv3DqHUgQv0lxuqtgM9ykyqOYX1GoHLH2pX0Zce55V7u4Dh+IWnjta/i7HT2aH\ndDI=\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IHU2Nm1JdyBBaURsSGZ3\neFRLVCtjYW90bytBcG1MUHpXdVpYZHVZK01tcVpJOWRBYitsUgp3RTE1UUFOUjVV\nRGcvbFJ0MUpFdnVUYmVuN2pUVkdEdDdjSFlwRGZPWVhJCi0tLSB4WWNRMEM3ZDVX\nMUVXUklPbkFVcjBGcU14WjZpTTY0RlFvYXB2STRtSEpZCmTYPzBXojpndrIeuMi+\nj4oGZRPWKkx0EMORJFBIR1YQJhjjVrnrv7BbWYRGPkcS1mJZH2x4IgmUz7ZTfN5F\njuw=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1yubikey1qwnawsag6k3lq7aklc92uq72vqx3r68ylg0x8fphn0qm8d7e00eq5ynu3wk",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IDJlWGZKZyBBNEdaY1pT\nYVQxckJjS3NIU2RZTlhuV25Pc01FeGNnbUZvWDJWZktPOTJ6dgpzcUlIWkh5WENH\ndWh3VXNuWlUxMGw4TU1tQnA3VFc4ZHQyQlBvVzFoSHZVCi0tLSBqUWFJM2JOYXds\nc0x0RS9EZ2pYSkdhSWs1djFjVXprTHRndExWTlBYTmJ3CijN/D3rZJMGeKOvosvQ\n2SEDmYfeSlCcOyTGO1zAw54R2sEpNWnKphrC9NI77v45UsCwXO69AfiIqWIhoyc8\nwXU=\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1teege0n8gf9qcheuxtpy7cltf8aczt9ugh8ztp9v4fftn3wwd4jsz0lpeh",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQUlFUL2Y2SnZqRVFyajF6\na3hYMi84Qml4MUlERkRJT000VUZZNWZmaERJClZ6N203OFYxZkwxYzVOeVNSc0Zi\nR2xkZEpFTklBRG9xK3UyR2ZYWXVxUjQKLS0tICtYcnZrTWJ0Y2lYVzdEMSs4clM4\nTU5PbjNKRllLckNEOFJkSGF1bS96VmMKIa0co34KtiHG7403j2UsS/rRLs4di0Ek\ngbjv1lvPmEQOl9CrYrMRt24NdPm1JQc00mwgVDvWGwTXbdp9LV8XwQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1h0vx6w4d89amt90j3u0vm96gvjt9lwczsjamaakyew524x9u8a8qu5qvg5",
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVa0FRTDVlS2xMc1llUUtn\nRFhocWc5R3FKaHJCUUZHclVlMXNvcytEeEZZCnB6WU5MSzB1SU5Lb2xKTjBTb25R\naGVpOTluRk5Hc0FCakh2QWdNSEF4YjQKLS0tIDYyaVVQUExhM1QyZE03b2NLYWZt\nKy9IVyt6VlJYSWRZK3BRUE9VSXNnMmcK0TL1tXGqyrOawPzEisws2MtFxE/3RJeP\nZBAZ/8ryUUddgmZ4vosgKZ1B1Dc8adc9HsI+vR/PpNvJkU3hH+QHHQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1mqnmzn203hyj200psc982ehcedjmcdz8s0ncc50fm9jszjx7rgmqqmppw5",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYODNZWGRSYUF6NWJDWjRW\neGJNYi9uSzhORW1BaDNaY2JwWHB6TTdLT2dBCjhwVTBVVmlaeEtnVE9nU3pSa2h0\ndjJtUERadmVXenpkSG5CT3ZmbktTNm8KLS0tIE5MMmtwc2Z5SFB1cWVXNlZhbVBY\ndTNmZGhXVXJZeW1rb0tMT3BIaFA4WEkK2sWALInkeLsTsA4szuRgeSdQAOfFgCl/\n4v8zdn2TfuIHa0iGEJL3Fn1pUPS7E6OJV8M9ua/LgZfuczkbxJr4yA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByY1pvaWhUSnZqeFl4blo1\nNGtRN2g2Tit1OFFxTnVvV1VSVFFjVlpjUVNvClRBTldvb2NEaHA3Vi80L3pnTzly\nOFBYMUUyLzhtdmNraXJCQmJ5bGxIWlEKLS0tIGVRcFJ6MmdjL2VuVUdVbCtnM1Bi\nbW9Bdm5OdWJRSUwwYWdaSXFEbzhsOW8K5dda6d6wkUvMYU3PpTLG65RWxdH/3ewB\n+yakGuatvZP1nJo7THhHXyZ9dQ2CMOnnOFi0W8W4hVcgBNWc8HR2xg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
 		"lastmodified": "2025-10-15T14:18:28Z",
Author	SHA1	Message	Date
Romain Paquet	1e8e04bf24	enable pcscd for yubikey	2026-01-06 15:51:35 +01:00
Romain Paquet	87e589e690	add .val search domain	2026-01-06 15:50:45 +01:00
Romain Paquet	c9953d269b	remove gandi acme	2026-01-06 15:48:51 +01:00
Romain Paquet	d162591696	infra: allow more recent ovh versions	2026-01-06 15:47:03 +01:00
Romain Paquet	4ce5811615	update flake inputs	2026-01-06 15:46:21 +01:00
Romain Paquet	600e2c26c9	add vaultwarden	2026-01-06 15:46:18 +01:00
Romain Paquet	d3201fbca9	move coredns to port 53 to allow access on android	2026-01-06 15:43:40 +01:00
Romain Paquet	2063550f93	setup internal CA	2026-01-06 15:43:17 +01:00
Romain Paquet	dda8ca5d0f	move services to internal clan tld	2026-01-06 15:43:17 +01:00
Romain Paquet	9e3d99231d	infra: allow more recent version of ovh provider	2026-01-03 23:43:01 +01:00
Romain Paquet	c79df328de	infra: fix terrible copypasta	2026-01-03 23:41:23 +01:00
Romain Paquet	7a8b12bba4	infra: remove gandi	2026-01-03 23:41:11 +01:00
Romain Paquet	caa0179f1d	refactor nix module list	2026-01-03 22:57:19 +01:00
Romain Paquet	d2c624fe9c	genepi: remove mpd	2026-01-03 22:26:56 +01:00
Romain Paquet	3a2dd0cc0b	configure email for aerc	2026-01-03 22:24:11 +01:00
Romain Paquet	afb8dd50f4	niri: reserve first workspace for web	2026-01-03 22:21:52 +01:00
Romain Paquet	82a559e81a	remove deleted vars	2026-01-03 22:21:28 +01:00
Romain Paquet	f8fb7a2480	add passage	2026-01-03 22:20:52 +01:00
Romain Paquet	410f63eb31	add jjui	2026-01-03 22:20:36 +01:00
Romain Paquet	2b2b5d30c7	migrate rpqt.fr domain to OVH	2026-01-03 22:17:25 +01:00
Romain Paquet	964b9b5b4e	add age-plugin-yubikey for clan vars	2026-01-03 22:15:49 +01:00
Romain Paquet	010c53b6ad	remove sway config and outdated dotfiles	2026-01-03 22:11:35 +01:00
Romain Paquet	e7ce8dba6d	cleanup flake inputs	2026-01-03 22:11:35 +01:00
		`@@ -1,2 +0,0 @@`
			`include ~/.config/sway/config.d/*`
			`include /etc/sway/config.d/*`