From: Ismaël Bouya Date: Fri, 11 Mar 2022 00:04:02 +0000 (+0100) Subject: WIP upgrade X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=e34b30796934686fedc660fe8aef2990622b7cf5;p=perso%2FImmae%2FConfig%2FNix.git WIP upgrade --- diff --git a/.envrc b/.envrc index 16c9dde..9882ad4 100644 --- a/.envrc +++ b/.envrc @@ -1,6 +1,5 @@ # vim: filetype=bash export NIX_PATH=nixpkgs=$(cat $(expand_path nix/sources.json) | jq -r '."nixpkgs-nixops".url') -NIX_PATH=$NIX_PATH:nixpkgs-nix=$(cat $(expand_path nix/sources.json) | jq -r '."nixpkgs-nix".url') export NIXOPS_ENV_LOADED=1 export ANONYMIZE_KEY="dedhogryajkegthlwribFecnocItTelilAwdod" diff --git a/Makefile b/Makefile index 50fa09f..fd35872 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,10 @@ -subrecipes = setup nix-info edit_env edit_vars -subrecipes += ssh-eldiron ssh-backup-2 ssh-monitoring-1 ssh-4c -subrecipes += debug build dry-run upload deploy next-boot deploy-reboot -subrecipes += list-generations delete-generations cleanup -${subrecipes}: +TARGET ?= +MORPH_ARGS ?= +SSHARGS ?= +GEN ?= + +setup nix-info edit_env edit_vars ssh-eldiron ssh-backup-2 ssh-monitoring-1 ssh-4c debug build dry-run upload deploy next-boot deploy-reboot list-generations delete-generations cleanup: @$(MAKE) --no-print-directory -C nixops/ $@ -.PHONY: ${subrecipes} nur: ./scripts/make-nur diff --git a/environments/immae-eu.nix b/environments/immae-eu.nix index 52cdfcb..a4f2d73 100644 --- a/environments/immae-eu.nix +++ b/environments/immae-eu.nix @@ -34,7 +34,7 @@ let # e-mails muttprint mutt-ics - notmuch-python2 notmuch-python3 notmuch-vim + notmuch-python3 notmuch-vim neomutt mairix bogofilter fetchmail sieve-connect @@ -50,7 +50,7 @@ let feh imagemagick tiv graphicsmagick qrcode # internet browsing - w3m lynx links elinks browsh woob urlview urlscan googler urlwatch + w3m lynx links2 elinks browsh python3Packages.woob urlview urlscan googler urlwatch # less python3Packages.pygments lesspipe highlight sourceHighlight 
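Review bot: The rewritten target list drops the `.PHONY: ${subrecipes}` declaration that the removed block carried, so if a file or directory named like one of these targets (`build`, `deploy`, `cleanup`, …) ever appears in the repository root, make will treat it as up to date and silently skip the `$(MAKE) --no-print-directory -C nixops/ $@` delegation. Re-add `.PHONY: setup nix-info edit_env edit_vars ssh-eldiron ssh-backup-2 ssh-monitoring-1 ssh-4c debug build dry-run upload deploy next-boot deploy-reboot list-generations delete-generations cleanup`, or keep the list in a variable used both for the rule and for `.PHONY`. The new `TARGET ?=`, `MORPH_ARGS ?=`, `SSHARGS ?=` and `GEN ?=` lines are neither exported nor passed to the sub-make, so as written they only document the variable names: values given on the `make` command line already reach the sub-make through MAKEFLAGS, while anything assigned here stays local unless the lines become `export TARGET ?=` and so on. A short comment above them stating that they are documentation of the accepted command-line variables would avoid the impression that the defaults take effect in `nixops/`.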
@@ -58,7 +58,7 @@ let # monitoring cnagios mtop pg_activity nagios-cli mtr iftop htop iotop iperf bonfire - goaccess tcpdump tshark tcpflow + goaccess tcpdump wireshark-cli tcpflow mitmproxy # nagnu @@ -71,7 +71,7 @@ let # nix yarn2nix-moretea.yarn2nix nixUnstable - nixops nix-prefetch-scripts nix-generate-from-cpan + nix-prefetch-scripts nix-generate-from-cpan bundix nodePackages.bower2nix nix-diff nodePackages.node2nix niv # (nixos {}).nixos-generate-config @@ -103,7 +103,7 @@ let pdftk poppler_utils # programming - emacs26-nox ctags + emacs-nox ctags wdiff patch gnumake # security @@ -121,22 +121,22 @@ let s6-portable-utils # system tools - telnet bind.dnsutils httpie ngrep nmap p0f socat lsof psmisc + inetutils bind.dnsutils httpie ngrep nmap p0f socat lsof psmisc wget patchelf rename tmux (lib.meta.hiPrio nettools) - vlock' mosh manpages openssl openssl.doc openssl.man + vlock' mosh man-pages openssl openssl.doc openssl.man sshfs ncdu procps-watch8bit # other tools pgloader s3cmd lftp jq cpulimit libxslt gandi-cli bubblewrap - # Terraform + AWS - terraform_0_12 awscli - ansible python3Packages.boto + # AWS + awscli + ansible openvpn zsh-completions - hetzner + python3Packages.hetzner smartmontools ]; in diff --git a/flakes/backports/flake.nix b/flakes/backports/flake.nix deleted file mode 100644 index c0233fd..0000000 --- a/flakes/backports/flake.nix +++ /dev/null 
@@ -1,150 +0,0 @@ -{ - description = "Backported packages"; - - inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - inputs.flake-utils.url = "github:numtide/flake-utils"; - - outputs = { self, flake-utils, nixpkgs }: flake-utils.lib.eachDefaultSystem (system: - let - pkgs = import nixpkgs { inherit system; overlays = []; }; - in rec { - packages = { - apprise = pkgs.apprise; - bitlbee-mastodon = pkgs.bitlbee-mastodon; - cointop = pkgs.cointop; - coturn = pkgs.coturn; - cryptpad = pkgs.cryptpad; - delta = pkgs.delta; - dovecot_fts-xapian = pkgs.dovecot_fts_xapian; - duply = pkgs.duply; - fiche = pkgs.fiche; - galene = pkgs.galene; - hetzner = pkgs.python3Packages.hetzner; - influxdb2 = pkgs.influxdb2; - ldapvi = pkgs.ldapvi; - lego = pkgs.lego; - mpd = pkgs.mpd; - mpd-small = pkgs.mpd-small; - neomutt = pkgs.neomutt; - opensmtpd = pkgs.opensmtpd; - pass = pkgs.pass; - pg_activity = pkgs.pg_activity; - signald = pkgs.signald; - ssh-to-age = pkgs.ssh-to-age; - stgit = pkgs.stgit; - sops = pkgs.sops; - sudo = pkgs.sudo; - telegram-cli = pkgs.telegram-cli; - woob = pkgs.python3Packages.woob; - zrepl = pkgs.zrepl; - }; - legacyPackages = packages; - apps = { - apprise = flake-utils.lib.mkApp { drv = packages.apprise; name = "apprise"; }; - cointop = flake-utils.lib.mkApp { drv = packages.cointop; name = "cointop"; }; - coturn = flake-utils.lib.mkApp { drv = packages.coturn; name = "coturn"; }; - cryptpad = flake-utils.lib.mkApp { drv = packages.cryptpad; name = "cryptpad"; }; - delta = flake-utils.lib.mkApp { drv = packages.delta; name = "delta"; }; - duply = flake-utils.lib.mkApp { drv = packages.duply; name = "duply"; }; - fiche = flake-utils.lib.mkApp { drv = packages.fiche; name = "fiche"; }; - galene = flake-utils.lib.mkApp { drv = packages.galene; name = "galene"; }; - hetzner = flake-utils.lib.mkApp { drv = packages.hetzner; name = "hetznerctl"; }; - influxd = flake-utils.lib.mkApp { drv = packages.influxdb2; name = "influxd"; }; - influx = 
flake-utils.lib.mkApp { drv = packages.influxdb2; name = "influx"; }; - ldapvi = flake-utils.lib.mkApp { drv = packages.ldapvi; name = "ldapvi"; }; - lego = flake-utils.lib.mkApp { drv = packages.lego; name = "lego"; }; - mpd = flake-utils.lib.mkApp { drv = packages.mpd; name = "mpd"; }; - mpd-small = flake-utils.lib.mkApp { drv = packages.mpd-small; name = "mpd"; }; - neomutt = flake-utils.lib.mkApp { drv = packages.neomutt; name = "neomutt"; }; - opensmtpd = flake-utils.lib.mkApp { drv = packages.opensmtpd; name = "opensmtpd"; }; - pass = flake-utils.lib.mkApp { drv = packages.pass; name = "pass"; }; - pg_activity = flake-utils.lib.mkApp { drv = packages.pg_activity; name = "pg_activity"; }; - signald = flake-utils.lib.mkApp { drv = packages.signald; name = "signald"; }; - ssh-to-age = flake-utils.lib.mkApp { drv = packages.ssh-to-age; name = "ssh-to-age"; }; - stgit = flake-utils.lib.mkApp { drv = packages.stgit; name = "stgit"; }; - sops = flake-utils.lib.mkApp { drv = packages.sops; name = "sops"; }; - sudo = flake-utils.lib.mkApp { drv = packages.sudo; name = "sudo"; }; - telegram-cli = flake-utils.lib.mkApp { drv = packages.telegram-cli; name = "telegram-cli"; }; - woob = flake-utils.lib.mkApp { drv = packages.woob; name = "woob"; }; - zrepl = flake-utils.lib.mkApp { drv = packages.zrepl; name = "zrepl"; }; - }; - } - ) // rec { - lib = { - overrideDeps = pkgs: package: let - packageDeps = builtins.attrNames package.override.__functionArgs; - in package.override (pkgs.lib.genAttrs packageDeps (n: pkgs."${n}")); - }; - overlays = { - apprise = final: prev: { apprise = self.packages."${final.system}".apprise; }; - bitlbee-mastodon = final: prev: { - bitlbee-mastodon = lib.overrideDeps final self.packages."${final.system}".bitlbee-mastodon; - }; - cointop = final: prev: { cointop = self.packages."${final.system}".cointop; }; - coturn = final: prev: { coturn = self.packages."${final.system}".coturn; }; - cryptpad = final: prev: { cryptpad = 
self.packages."${final.system}".cryptpad; }; - delta = final: prev: { delta = self.packages."${final.system}".delta; }; - dovecot_fts-xapian = final: prev: { - dovecot_fts-xapian = lib.overrideDeps final self.packages."${final.system}".dovecot_fts-xapian; - }; - duply = final: prev: { duply = self.packages."${final.system}".duply; }; - fiche = final: prev: { fiche = self.packages."${final.system}".fiche; }; - galene = final: prev: { galene = self.packages."${final.system}".galene; }; - hetzner = final: prev: { hetzner = self.packages."${final.system}".hetzner; }; - influxdb2 = final: prev: { influxdb2 = self.packages."${final.system}".influxdb2; }; - ldapvi = final: prev: { ldapvi = self.packages."${final.system}".ldapvi; }; - lego = final: prev: { lego = self.packages."${final.system}".lego; }; - mpd = final: prev: { mpd = self.packages."${final.system}".mpd; }; - neomutt = final: prev: { neomutt = self.packages."${final.system}".neomutt; }; - opensmtpd = final: prev: { opensmtpd = self.packages."${final.system}".opensmtpd; }; - pass = final: prev: { pass = self.packages."${final.system}".pass; }; - pg_activity = final: prev: { pg_activity = self.packages."${final.system}".pg_activity; }; - signald = final: prev: { signald = self.packages."${final.system}".signald; }; - ssh-to-age = final: prev: { ssh-to-age = self.packages."${final.system}".ssh-to-age; }; - stgit = final: prev: { stgit = self.packages."${final.system}".stgit; }; - sops = final: prev: { sops = self.packages."${final.system}".sops; }; - sudo = final: prev: { sudo = self.packages."${final.system}".sudo; }; - telegram-cli = final: prev: { telegram-cli = self.packages."${final.system}".telegram-cli; }; - woob = final: prev: { woob = self.packages."${final.system}".woob; }; - zrepl = final: prev: { zrepl = self.packages."${final.system}".zrepl; }; - }; - overlay = final: prev: ({} - // overlays.apprise final prev - // overlays.bitlbee-mastodon final prev - // overlays.cointop final prev - // 
overlays.coturn final prev - // overlays.cryptpad final prev - // overlays.delta final prev - // overlays.dovecot_fts-xapian final prev - // overlays.duply final prev - // overlays.fiche final prev - // overlays.galene final prev - // overlays.hetzner final prev - // overlays.influxdb2 final prev - // overlays.ldapvi final prev - // overlays.lego final prev - // overlays.mpd final prev - // overlays.neomutt final prev - // overlays.opensmtpd final prev - // overlays.pass final prev - // overlays.pg_activity final prev - // overlays.signald final prev - // overlays.ssh-to-age final prev - // overlays.stgit final prev - // overlays.sops final prev - // overlays.sudo final prev - // overlays.telegram-cli final prev - // overlays.woob final prev - // overlays.zrepl final prev - ); - - nixosModules = { - coturn = import (nixpkgs + "/nixos/modules/services/networking/coturn.nix"); - galene = import (nixpkgs + "/nixos/modules/services/web-apps/galene.nix"); - influxdb2 = import (nixpkgs + "/nixos/modules/services/databases/influxdb2.nix"); - mpd = import (nixpkgs + "/nixos/modules/services/audio/mpd.nix"); - zrepl = import (nixpkgs + "/nixos/modules/services/backup/zrepl.nix"); - }; - }; -} - diff --git a/flakes/myuids/flake.nix b/flakes/myuids/flake.nix index cc6dc66..72b2f44 100644 --- a/flakes/myuids/flake.nix +++ b/flakes/myuids/flake.nix @@ -6,6 +6,7 @@ # Check that there is no clash with nixos/modules/misc/ids.nix uids = { cryptpad = 386; + openldap = 99; # commented in the ids file postfixscripts = 387; acme = 388; backup = 389; @@ -21,6 +22,7 @@ }; gids = { nagios = 11; # commented in the ids file + openldap = 99; # commented in the ids file cryptpad = 386; acme = 388; backup = 389; diff --git a/flakes/peertube/flake.nix b/flakes/peertube/flake.nix index 2f9c8c1..be67523 100644 --- a/flakes/peertube/flake.nix +++ b/flakes/peertube/flake.nix 
@@ -166,10 +166,10 @@ nixosModule = { lib, pkgs, config, ... }: let name = "peertube"; - cfg = config.services.peertube; + cfg = config.immaeServices.peertube; in { - options.services.peertube = { + options.immaeServices.peertube = { enable = lib.mkEnableOption "Enable Peertube’s service"; user = lib.mkOption { type = lib.types.str; diff --git a/flakes/backports/flake.lock b/flakes/private/php/flake.lock similarity index 60% rename from flakes/backports/flake.lock rename to flakes/private/php/flake.lock index 73bf3b8..cd281a2 100644 --- a/flakes/backports/flake.lock +++ b/flakes/private/php/flake.lock @@ -2,11 +2,11 @@ "nodes": { "flake-utils": { "locked": { - "lastModified": 1629481132, - "narHash": "sha256-JHgasjPR0/J1J3DRm4KxM4zTyAj4IOJY8vIl75v/kPI=", + "lastModified": 1648297722, + "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "997f7efcb746a9c140ce1f13c72263189225f482", + "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade", "type": "github" }, "original": { @@ -16,18 +16,19 @@ } }, "nixpkgs": { + "flake": false, "locked": { - "lastModified": 1645433236, - "narHash": "sha256-4va4MvJ076XyPp5h8sm5eMQvCrJ6yZAbBmyw95dGyw4=", + "lastModified": 1596265691, + "narHash": "sha256-9ofCzFqttTsGrvTaS4RrDSTNQO9PFOz5uyn8V+2eA5M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7f9b6e2babf232412682c09e57ed666d8f84ac2d", + "rev": "840c782d507d60aaa49aa9e3f6d0b0e780912742", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", "repo": "nixpkgs", + "rev": "840c782d507d60aaa49aa9e3f6d0b0e780912742", "type": "github" } }, diff --git a/flakes/private/php/flake.nix b/flakes/private/php/flake.nix new file mode 100644 index 0000000..6eada3c --- /dev/null +++ b/flakes/private/php/flake.nix 
@@ -0,0 +1,27 @@ +{ + description = "Php old versions"; + inputs.flake-utils.url = "github:numtide/flake-utils"; + inputs.nixpkgs = { + url = "github:NixOS/nixpkgs/840c782d507d60aaa49aa9e3f6d0b0e780912742"; + flake = false; + }; + outputs = { self, nixpkgs, flake-utils }: flake-utils.lib.eachSystem ["x86_64-linux"] (system: + let + pkgs = import nixpkgs { inherit system; overlays = []; }; + in rec { + packages = { + php72 = pkgs.php72; + php73 = pkgs.php73; + }; + defaultPackage = packages.php73; + legacyPackages = packages; + }) // rec { + overlays = { + php = final: prev: { + php72 = self.packages."${final.system}".php72; + php73 = self.packages."${final.system}".php73; + }; + }; + overlay = overlays.php; + }; +} diff --git a/flakes/rsync_backup/flake.nix b/flakes/rsync_backup/flake.nix index 6d359e5..6d5cbef 100644 --- a/flakes/rsync_backup/flake.nix +++ b/flakes/rsync_backup/flake.nix @@ -228,7 +228,7 @@ ]; programs.ssh.knownHosts = lib.attrsets.mapAttrs' (name: profile: lib.attrsets.nameValuePair name { - hostNames = [ profile.host ]; + extraHostNames = [ profile.host ]; publicKey = "${profile.host_key_type} ${profile.host_key}"; }) cfg.profiles; diff --git a/lib/node-env.nix b/lib/node-env.nix index 720e0cc..842caa1 100644 --- a/lib/node-env.nix +++ b/lib/node-env.nix @@ -1,6 +1,6 @@ # This file originates from node2nix -{stdenv, nodejs, python2, utillinux, libtool, runCommand, writeTextFile}: +{lib, stdenv, nodejs, python2, utillinux, libtool, runCommand, writeTextFile}: let python = if nodejs ? python then nodejs.python else python2; @@ -38,8 +38,8 @@ let }; includeDependencies = {dependencies}: - stdenv.lib.optionalString (dependencies != []) - (stdenv.lib.concatMapStrings (dependency: + lib.optionalString (dependencies != []) + (lib.concatMapStrings (dependency: '' # Bundle the dependencies of the package mkdir -p node_modules 
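Review bot: The new flake pins `nixpkgs` to `840c782d507d60aaa49aa9e3f6d0b0e780912742` (a mid-2020 snapshot per the `lastModified` value in the accompanying lock file) only to obtain `php72` and `php73`, both of which had reached upstream end of life before this commit (PHP 7.2 in November 2020, PHP 7.3 in December 2021), so these interpreters and the libraries they link against from that snapshot receive no further security fixes. The pin deserves a comment saying so and naming what still depends on it, e.g. `# Frozen 2020 nixpkgs for EOL PHP 7.2/7.3 (no security updates); needed by <consumer placeholder>, drop once it runs on a supported PHP`. Because `overlay = overlays.php` exports both attributes to every overlay user, consider keeping the consumers that really need the old interpreter explicit so that nothing else picks up an unpatched `php72`/`php73` by accident.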
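Review bot: Replacing `hostNames = [ profile.host ];` with `extraHostNames = [ profile.host ];` changes which names the key is pinned to, not just the option name: as far as I recall the NixOS `programs.ssh.knownHosts` definition derives `hostNames` as the attribute name plus `extraHostNames`, so each entry now also trusts `publicKey` for the profile's attribute name (`name`). If profile names in `cfg.profiles` are never real host names this is harmless, but if one coincides with another host the key would be accepted for it as well. A one-line comment such as `# extraHostNames: NixOS also adds the profile name itself as a known-host alias` or an assertion that profile names equal `profile.host` would make the intent explicit. The enclosing `mapAttrs'` expression starts and ends outside the hunk.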
@@ -100,7 +100,7 @@ let cd "$DIR/${packageName}" ${includeDependencies { inherit dependencies; }} cd .. - ${stdenv.lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} + ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} ''; pinpointDependencies = {dependencies, production}: @@ -161,12 +161,12 @@ let '' node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"} - ${stdenv.lib.optionalString (dependencies != []) + ${lib.optionalString (dependencies != []) '' if [ -d node_modules ] then cd node_modules - ${stdenv.lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies} + ${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies} cd .. fi ''} @@ -183,7 +183,7 @@ let cd "${packageName}" ${pinpointDependencies { inherit dependencies production; }} cd .. - ${stdenv.lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} + ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} fi ''; @@ -332,8 +332,8 @@ let stdenv.mkDerivation ({ name = "node-${name}-${version}"; buildInputs = [ tarWrapper python nodejs ] - ++ stdenv.lib.optional (stdenv.isLinux) utillinux - ++ stdenv.lib.optional (stdenv.isDarwin) libtool + ++ lib.optional (stdenv.isLinux) utillinux + ++ lib.optional (stdenv.isDarwin) libtool ++ buildInputs; inherit dontStrip; # Stripping may fail a build for some package deployments @@ -374,7 +374,7 @@ let cd "${packageName}" runHook preRebuild - ${stdenv.lib.optionalString bypassCache '' + ${lib.optionalString bypassCache '' if [ ! -f package-lock.json ] then echo "No package-lock.json file found, reconstructing..." 
@@ -384,14 +384,14 @@ let node ${addIntegrityFieldsScript} ''} - npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${stdenv.lib.optionalString production "--production"} rebuild + npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild if [ "$dontNpmInstall" != "1" ] then # NPM tries to download packages even when they already exist if npm-shrinkwrap is used. rm -f npm-shrinkwrap.json - npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${stdenv.lib.optionalString production "--production"} install + npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} install fi # Create symlink to the deployed executable folder, if applicable @@ -445,8 +445,8 @@ let name = "node-dependencies-${name}-${version}"; buildInputs = [ tarWrapper python nodejs ] - ++ stdenv.lib.optional (stdenv.isLinux) utillinux - ++ stdenv.lib.optional (stdenv.isDarwin) libtool + ++ lib.optional (stdenv.isLinux) utillinux + ++ lib.optional (stdenv.isDarwin) libtool ++ buildInputs; inherit dontStrip; # Stripping may fail a build for some package deployments @@ -466,7 +466,7 @@ let # Create fake package.json to make the npm commands work properly cp ${src}/package.json . chmod 644 package.json - ${stdenv.lib.optionalString bypassCache '' + ${lib.optionalString bypassCache '' if [ -f ${src}/package-lock.json ] then cp ${src}/package-lock.json . @@ -476,7 +476,7 @@ let # Pinpoint the versions of all dependencies to the ones that are actually being used echo "pinpointing versions of dependencies..." cd .. - ${stdenv.lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} + ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} source $pinpointDependenciesScriptPath cd ${packageName} 
@@ -487,7 +487,7 @@ let export HOME=$PWD - ${stdenv.lib.optionalString bypassCache '' + ${lib.optionalString bypassCache '' if [ ! -f package-lock.json ] then echo "No package-lock.json file found, reconstructing..." @@ -497,17 +497,17 @@ let node ${addIntegrityFieldsScript} ''} - npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${stdenv.lib.optionalString production "--production"} rebuild + npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild - ${stdenv.lib.optionalString (!dontNpmInstall) '' + ${lib.optionalString (!dontNpmInstall) '' # NPM tries to download packages even when they already exist if npm-shrinkwrap is used. rm -f npm-shrinkwrap.json - npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${stdenv.lib.optionalString production "--production"} install + npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} install ''} cd .. - ${stdenv.lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} + ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} mv ${packageName} lib ln -s $out/lib/node_modules/.bin $out/bin 
@@ -517,7 +517,7 @@ let stdenv.mkDerivation { name = "node-shell-${name}-${version}"; - buildInputs = [ python nodejs ] ++ stdenv.lib.optional (stdenv.isLinux) utillinux ++ buildInputs; + buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs; buildCommand = '' mkdir -p $out/bin cat > $out/bin/shell < full.pem - echo -n "${hashOptions}" > ${spath}/currentDomains - fi - - ${fix_ISRG_Root_X1} - chmod ${fileMode} *.pem - chown '${data.user}:${data.group}' *.pem - - if [ "$KEY_CHANGED" = "yes" ]; then - : # noop in case postRun is empty - ${data.postRun} - fi - ''; - in - lib.mkForce "+${script}"; - }; - } - ) config.security.acme.certs // - { - httpdProd = lib.mkIf config.services.httpd.Prod.enable - { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; - httpdTools = lib.mkIf config.services.httpd.Tools.enable - { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; - httpdInte = lib.mkIf config.services.httpd.Inte.enable - { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; - }; }; } diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index 101eb3f..a89470d 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix @@ -113,7 +113,6 @@ in { users.users.mysql.extraGroups = [ "keys" ]; security.acme.certs."mysql" = config.myServices.databasesCerts // { - user = "mysql"; group = "mysql"; domain = "db-1.immae.eu"; postRun = '' diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index d35aca0..208c4e9 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix 
@@ -1,26 +1,6 @@ { lib, pkgs, config, ... }: let cfg = config.myServices.databases.openldap; - ldapConfig = let - eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {}; - in '' - ${eldiron_schemas} - - pidfile ${cfg.pids.pid} - argsfile ${cfg.pids.args} - - moduleload back_hdb - backend hdb - - TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem - TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem - TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem - TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ - #This makes openldap crash - #TLSCipherSuite DEFAULT - - sasl-host kerberos.immae.eu - ''; in { options.myServices.databases = { @@ -90,7 +70,7 @@ in permissions = "0400"; user = "openldap"; group = "openldap"; - text = "rootpw ${cfg.rootPw}"; + text = "${cfg.rootPw}"; }; "ldap/access" = { permissions = "0400"; @@ -109,7 +89,6 @@ in networking.firewall.allowedTCPPorts = [ 636 389 ]; security.acme.certs."ldap" = config.myServices.databasesCerts // { - user = "openldap"; group = "openldap"; domain = "ldap.immae.eu"; postRun = '' 
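Review bot: The `ldap/password` secret now holds only `${cfg.rootPw}` because it is read through `olcRootPW.path` in the later hunk of this file rather than spliced into slapd.conf as a `rootpw` line; with a file-backed value the contents are taken verbatim, so a trailing newline emitted by the secrets generator would become part of the root password — confirm the file is written without one. The hunk does not show whether `cfg.rootPw` is already hashed; if it is a plaintext password, storing an `{SSHA}` hash produced by `slappasswd` instead is preferable, since `olcRootPW` accepts hashed values and the 0400 file would then not expose the clear-text credential. A comment on the secret, e.g. `# Raw olcRootPW value (hash recommended), read via olcRootPW.path; no trailing newline`, would document both expectations.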
@@ -124,24 +103,166 @@ in services.openldap = { enable = true; - dataDir = cfg.dataDir; urlList = [ "ldap://" "ldaps://" ]; - logLevel = "none"; - extraConfig = ldapConfig; - extraDatabaseConfig = '' - moduleload memberof - overlay memberof + settings = { + attrs = { + olcPidFile = cfg.pids.pid; + olcArgsFile = cfg.pids.args; + olcLogLevel = "none"; + olcTLSCertificateFile = "${config.security.acme.certs.ldap.directory}/cert.pem"; + olcTLSCertificateKeyFile = "${config.security.acme.certs.ldap.directory}/key.pem"; + olcTLSCACertificateFile = "${config.security.acme.certs.ldap.directory}/fullchain.pem"; + olcTLSCACertificatePath = "${pkgs.cacert.unbundled}/etc/ssl/certs/"; + # This makes openldap crash + # olcTLSCipherSuite = "DEFAULT"; + olcSaslHost = "kerberos.immae.eu"; + # Map sasl "dn" to ldap dn + olcAuthzRegexp = ''{0}"uid=([^,]*)(,cn=IMMAE.EU)?,cn=(gssapi|gss-spnego),cn=auth" "uid=$1,ou=users,dc=immae,dc=eu"''; + }; + children = { + "cn=module{0}" = { + attrs = { + cn = "module{0}"; + objectClass = [ "olcModuleList" ]; + olcModuleLoad = [ "{0}back_hdb" "{1}memberof" "{2}syncprov" ]; + }; + }; + "cn=schema".includes = map (schema: + "${config.services.openldap.package}/etc/schema/${schema}.ldif" + ) [ "core" "cosine" "inetorgperson" "nis" ] ++ [ + "${./immae.ldif}" + ]; + "olcDatabase={0}config" = { + attrs = { + objectClass = "olcDatabaseConfig"; + olcDatabase = "{0}config"; + olcAccess = ["{0}to * by * none"]; + }; + }; + "olcDatabase={1}hdb" = { + attrs = { + objectClass = [ "olcDatabaseConfig" "olcHdbConfig" ]; + olcDatabase = "{1}hdb"; + olcDbIndex = [ + "objectClass eq" + "uid pres,eq" + "mail pres,eq,sub" + "cn pres,eq,sub" + "sn pres,eq,sub" + "dc eq" + "member eq" + "memberOf eq" + ]; + olcAccess = let + join = builtins.replaceStrings ["\n"] [" "]; + in [ + # First matching "to" + "by" wins + #### Replication needs full access + (join ''{0}to * + by dn.base="uid=ldap_replication,cn=ldap,ou=services,dc=immae,dc=eu" read + by * break + '') + #### 
Kerberos needs access to users password + (join ''{1}to attrs=userPassword,shadowLastChange + by self write + by anonymous auth + by * none + '') + #### + (join ''{2}to attrs=immaeSshKey + by self write + by * break + '') - moduleload syncprov - overlay syncprov - syncprov-checkpoint 100 10 + #### Anyone can auth, and I can see myself + (join ''{3}to * + by self read + by anonymous auth + by * break + '') - include ${config.secrets.fullPaths."ldap/access"} - ''; - rootpwFile = config.secrets.fullPaths."ldap/password"; - suffix = cfg.baseDn; - rootdn = cfg.rootDn; - database = "hdb"; + #### Specific access for phpldapadmin + (join ''{4}to filter="(uid=*)" attrs=entry,uid + by dn.base="cn=phpldapadmin,ou=services,dc=immae,dc=eu" read + by * break + '') + + #### Hosts + # The attributes are available to every host + (join ''{5}to dn.one="ou=hosts,dc=immae,dc=eu" + by dn.subtree="ou=hosts,dc=immae,dc=eu" read + by dn.base="dc=immae,dc=eu" search + by * break + '') + #### /Hosts + + #### Local services + # this/-* & user : all your ancestors have access to you + # this/memberOf/-* & user : all those whom you belong to (in a group), + # and their ancestors, have access to you + # user/immaeAccessWriteDn*/member & this : you have write access to the + # members of your immaeAccessDn + # attributes + # user/immaeAccessDn*/member & this : you have access to the members + # of your immaeAccessDn attributes + # user/immaeAccessReadSubtree* & this/-* : you have access to the + # childrens of your immaeAccessReadSubtree + # attributes + # this/memberOf/-* & user/immaeAccessReadSubtree*: you have access to + # the members of the childrens of your + # immaeAccessReadSubtree attributes + # http://www.openldap.org/faq/data/cache/1133.html + (join ''{6}to dn.subtree="dc=immae,dc=eu" + by dn.subtree="ou=external_services,dc=immae,dc=eu" break + by set.exact="this/-* & user" read + by set.exact="this/memberOf/-* & user" read + by set.exact="user/immaeAccessWriteDn*/member & this" 
write + by set.exact="user/immaeAccessDn*/member & this" read + by set.exact="user/immaeAccessReadSubtree* & this/-*" read + by set.exact="this/memberOf/-* & user/immaeAccessReadSubtree*" read + by users search + by * break + '') + #### /Local services + + #### External services + # http://www.openldap.org/faq/data/cache/429.html + # FIXME: Find a way to whitelist? + (join ''{7}to attrs=immaeSshKey + by dn.subtree="ou=external_services,dc=immae,dc=eu" none + '') + (join ''{8}to dn.subtree="dc=immae,dc=eu" + by set.exact="this/-* & user" read + by set.exact="this/memberOf/-* & user" read + by set.exact="user/immaeAccessDn*/member & this/-*" read + by users search + by * none + '') + #### /External services + ]; + olcDbDirectory = cfg.dataDir; + olcRootDN = cfg.rootDn; + olcRootPW.path = config.secrets.fullPaths."ldap/password"; + olcSuffix = cfg.baseDn; + }; + children = { + "olcOverlay={0}memberof" = { + attrs = { + objectClass = [ "olcOverlayConfig" "olcMemberOf" ]; + olcOverlay = "{0}memberof"; + }; + }; + "olcOverlay={1}syncprov" = { + attrs = { + objectClass = [ "olcOverlayConfig" "olcSyncProvConfig" ]; + olcOverlay = "{1}syncprov"; + olcSpCheckpoint = "100 10"; + }; + }; + }; + }; + }; + }; }; }; } diff --git a/modules/private/databases/openldap/eldiron_schemas.nix b/modules/private/databases/openldap/eldiron_schemas.nix index cf45ebe..00c7b98 100644 --- a/modules/private/databases/openldap/eldiron_schemas.nix +++ b/modules/private/databases/openldap/eldiron_schemas.nix 
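Review bot: The `"cn=schema".includes` list loads core, cosine, inetorgperson, nis and `./immae.ldif`, but not the `kerberos.ldif` this commit adds, and the puppet schema the removed `eldiron_schemas` include used to bring in is gone entirely; any existing entry in the hdb database carrying `krbPrincipalName` or the other kerberos attributes will fail schema checking at load time, so `"${./kerberos.ldif}"` should be added next to `"${./immae.ldif}"` (or the omission documented if those entries are gone). `olcModuleLoad = [ "{0}back_hdb" … ]` relies on a backend that OpenLDAP 2.5 removed; if `config.services.openldap.package` is 2.5 or newer the module will not load and the `olcDatabase={1}hdb` block needs migrating to mdb, which the hunk does not address. The `olcAccess = ["{0}to * by * none"]` on `olcDatabase={0}config` makes cn=config unmodifiable online, which matches a declaratively regenerated config, but the "Use ldapmodify" header of the generated `immae.ldif` then misleads — a comment such as `# cn=config is read-only at runtime; schema changes go through the .ldif files here` next to the ACL would prevent confusion. Note also that rule `{0}` grants the replication DN read on every attribute, including `userPassword`, before rule `{1}`; that is what syncrepl needs, but it is worth stating in the `#### Replication needs full access` comment.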
@@ -8,14 +8,14 @@ let url = "https://raw.githubusercontent.com/puppetlabs/puppet/bf7c108825ffdb5ea89cf3e500d55d27ab64b8d2/ext/ldap/puppet.schema"; sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; }; - schemas = [ + schemas = { #"${openldap}/etc/schema/core.schema" #"${openldap}/etc/schema/cosine.schema" #"${openldap}/etc/schema/inetorgperson.schema" #"${openldap}/etc/schema/nis.schema" - puppetSchema - kerberosSchema - ./immae.schema - ]; + puppet = puppetSchema; + kerberos = kerberosSchema; + immae = ./immae.schema; + }; in - builtins.concatStringsSep "\n" (map (v: "include ${v}") schemas) + schemas diff --git a/modules/private/databases/openldap/immae.ldif b/modules/private/databases/openldap/immae.ldif new file mode 100644 index 0000000..f1b4cb7 --- /dev/null +++ b/modules/private/databases/openldap/immae.ldif 
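Review bot: After this change `eldiron_schemas.nix` evaluates to an attribute set of `.schema` paths (`puppet`, `kerberos`, `immae`), yet its only visible caller — the `pkgs.callPackage ./eldiron_schemas.nix {}` inside the `ldapConfig` binding removed from `openldap/default.nix` — is gone, and the new `cn=schema` configuration uses `.ldif` files instead, so this file appears unreferenced unless something outside the diff imports it. The returned values are slapd.conf-format schemas that cannot be listed in `cn=schema` includes directly, so either delete the file together with the `puppetSchema` fetch it pins, or add a header comment naming what still consumes it, e.g. `# Legacy slapd.conf-style schema paths; not used by the cn=config setup in default.nix`.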
@@ -0,0 +1,83 @@ +# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. +# CRC32 22130f5f +dn: cn=immae,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: immae +olcObjectIdentifier: {0}Immaeroot 1.3.6.1.4.1.50071 +olcObjectIdentifier: {1}Immae Immaeroot:2 +olcObjectIdentifier: {2}ImmaeattributeType Immae:3 +olcObjectIdentifier: {3}ImmaeobjectClass Immae:4 +olcAttributeTypes: {0}( ImmaeattributeType:1 NAME 'immaeTtrssLogin' DESC 'lo + gin for TTRSS' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SY + NTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) +olcAttributeTypes: {1}( ImmaeattributeType:2 NAME 'immaeFtpDirectory' DESC ' + home directory for ftp' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466. + 115.121.1.26 ) +olcAttributeTypes: {2}( ImmaeattributeType:3 NAME 'immaeFtpUid' DESC 'user i + d for ftp' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) +olcAttributeTypes: {3}( ImmaeattributeType:4 NAME 'immaeFtpGid' DESC 'group + id for ftp' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) +olcAttributeTypes: {4}( ImmaeattributeType:5 NAME 'immaeSshKey' DESC 'OpenSS + H Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.4 + 0 ) +olcAttributeTypes: {5}( ImmaeattributeType:6 NAME 'immaeAccessDn' EQUALITY d + istinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {6}( ImmaeattributeType:17 NAME 'immaeAccessWriteDn' EQUA + LITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {7}( ImmaeattributeType:18 NAME 'immaeAccessReadSubtree' + EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {8}( ImmaeattributeType:7 NAME 'immaeXmppUid' DESC 'user + part for Xmpp' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SY + NTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) +olcAttributeTypes: {9}( ImmaeattributeType:8 NAME 'immaePostfixAddress' DESC + 'the dovecot address to match as username' EQUALITY caseIgnoreIA5Match SUB + STR 
caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} + ) +olcAttributeTypes: {10}( ImmaeattributeType:9 NAME 'immaePostfixHome' DESC ' + the postfix home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1 + 466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {11}( ImmaeattributeType:10 NAME 'immaePostfixMail' DESC + 'the dovecot mail location' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1 + 466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {12}( ImmaeattributeType:11 NAME 'immaePostfixUid' DESC ' + the dovecot uid' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121 + .1.26 SINGLE-VALUE ) +olcAttributeTypes: {13}( ImmaeattributeType:12 NAME 'immaePostfixGid' DESC ' + the dovecot gid' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121 + .1.26 SINGLE-VALUE ) +olcAttributeTypes: {14}( ImmaeattributeType:16 NAME 'immaePuppetJson' DESC ' + Puppet hiera json' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.12 + 1.1.40 ) +olcAttributeTypes: {15}( ImmaeattributeType:19 NAME 'immaeTaskId' DESC 'Task + warrior server Org:Name:Key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubs + tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) +olcAttributeTypes: {16}( ImmaeattributeType:20 NAME 'immaePeertubeId' DESC ' + login for Peertube' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMat + ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) +olcObjectClasses: {0}( ImmaeobjectClass:1 NAME 'immaeTtrssClass' DESC 'Expan + sion of the existing object classes for ttrss' SUP top AUXILIARY MUST immae + TtrssLogin ) +olcObjectClasses: {1}( ImmaeobjectClass:2 NAME 'immaeFtpClass' DESC 'Expansi + on of the existing object classes for ftp' SUP top AUXILIARY MUST ( immaeFt + pDirectory $ immaeFtpGid $ immaeFtpUid ) ) +olcObjectClasses: {2}( ImmaeobjectClass:3 NAME 'immaeSshClass' DESC 'OpenSSH + class' SUP top AUXILIARY MAY immaeSSHKey ) +olcObjectClasses: {3}( ImmaeobjectClass:4 NAME 'immaeAccessClass' DESC 'Acce + ss class' SUP top 
AUXILIARY MAY ( immaeAccessDn $ immaeAccessWriteDn $ imma + eAccessReadSubtree ) ) +olcObjectClasses: {4}( ImmaeobjectClass:5 NAME 'immaeXmppClass' DESC 'Expans + ion of the existing object classes for XMPP' SUP top AUXILIARY MUST immaeXm + ppUid ) +olcObjectClasses: {5}( ImmaeobjectClass:6 NAME 'immaePostfixClass' DESC 'Exp + ansion of the existing object classes for Postfix' SUP top AUXILIARY MAY ( + immaePostfixHome $ immaePostfixMail $ immaePostfixUid $ immaePostfixGid ) M + UST ( immaePostfixAddress ) ) +olcObjectClasses: {6}( ImmaeobjectClass:8 NAME 'immaePuppetClass' DESC 'Expa + nsion of the existing object classes for Puppet' SUP top AUXILIARY MUST imm + aePuppetJson ) +olcObjectClasses: {7}( ImmaeobjectClass:9 NAME 'immaeTaskClass' DESC 'Expans + ion of the existing object classes for Task' SUP top AUXILIARY MUST immaeTa + skId ) +olcObjectClasses: {8}( ImmaeobjectClass:10 NAME 'immaePeertubeClass' DESC 'E + xpansion of the existing object classes for peertube' SUP top AUXILIARY MUS + T immaePeertubeId ) diff --git a/modules/private/databases/openldap/immae.schema b/modules/private/databases/openldap/immae.schema index d2ef972..7b3b587 100644 --- a/modules/private/databases/openldap/immae.schema +++ b/modules/private/databases/openldap/immae.schema @@ -110,8 +110,8 @@ attributetype ( ImmaeattributeType:12 NAME 'immaePostfixGid' objectclass ( ImmaeobjectClass:6 NAME 'immaePostfixClass' DESC 'Expansion of the existing object classes for Postfix' SUP top AUXILIARY - MUST ( immaePostfixAddress $ immaePostfixHome $ - immaePostfixMail $ immaePostfixUid $ immaePostfixGid ) + MAY ( immaePostfixHome $ immaePostfixMail $ immaePostfixUid $ immaePostfixGid ) + MUST ( immaePostfixAddress ) ) # Tinc informations diff --git a/modules/private/databases/openldap/kerberos.ldif b/modules/private/databases/openldap/kerberos.ldif new file mode 100644 index 0000000..5daf635 --- /dev/null +++ b/modules/private/databases/openldap/kerberos.ldif 
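Review bot: Moving `immaePostfixHome`, `immaePostfixMail`, `immaePostfixUid` and `immaePostfixGid` from MUST to MAY in `immaePostfixClass` keeps existing entries valid but allows new ones to omit these attributes, so every postfix/dovecot lookup that assumed they are present (uid/gid in particular) now has to handle an empty result; confirm the consumers apply a defined fallback before relying on this. A comment on the objectclass stating that fallback, e.g. `# home/mail/uid/gid are optional; the mail service uses <its default> when absent`, would record the intent. The same MUST/MAY split is repeated in the generated `immae.ldif`, and the two files must be kept in sync (the ldif carries a CRC header, so regenerate it rather than editing by hand).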
@@ -0,0 +1,163 @@ +# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. +# CRC32 fca3810d +dn: cn=kerberos,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: kerberos +olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName + ' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 ) +olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQU + ALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1. + 1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {2}( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType + ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {3}( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DE + SC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {4}( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpi + ration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE ) +olcAttributeTypes: {5}( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' + EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {6}( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife + ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {7}( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewable + Age' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALU + E ) +olcAttributeTypes: {8}( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferen + ces' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {9}( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' + EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: {10}( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' + EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {11}( 2.16.840.1.113719.1.301.4.18.1 
NAME 'krbPwdServers' + EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {12}( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' + EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {13}( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope + ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {14}( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalRe + ferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 + .12 ) +olcAttributeTypes: {15}( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNaming + Attr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE- + VALUE ) +olcAttributeTypes: {16}( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' + EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {17}( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' + EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {18}( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' + EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {19}( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffC + hars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VAL + UE ) +olcAttributeTypes: {20}( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLengt + h' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE + ) +olcAttributeTypes: {21}( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryL + ength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA + LUE ) +olcAttributeTypes: {22}( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQU + ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {23}( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInt + erval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA + LUE ) 
+olcAttributeTypes: {24}( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration + ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {25}( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQ + UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {26}( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUAL + ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {27}( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLi + fe' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE + ) +olcAttributeTypes: {28}( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalt + s' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE- + VALUE ) +olcAttributeTypes: {29}( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyRe + ference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. + 12 SINGLE-VALUE ) +olcAttributeTypes: {30}( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExp + iration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE ) +olcAttributeTypes: {31}( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKe + y' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: {32}( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolic + yReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121 + .1.12 SINGLE-VALUE ) +olcAttributeTypes: {33}( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' E + QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {34}( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncS + altTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: {35}( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEn + cSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: {36}( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' + 
EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: {37}( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChan + ge' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SING + LE-VALUE ) +olcAttributeTypes: {38}( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' E + QUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VA + LUE ) +olcAttributeTypes: {39}( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUAL + ITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: {40}( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAl + iases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {41}( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccess + fulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE ) +olcAttributeTypes: {42}( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedA + uth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SIN + GLE-VALUE ) +olcAttributeTypes: {43}( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailed + Count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA + LUE ) +olcAttributeTypes: {44}( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' + EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: {45}( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectRefer + ences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +olcAttributeTypes: {46}( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContai + nerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 + 2 ) +olcAttributeTypes: {47}( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuth + Ind' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: {48}( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateT + o' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6. 
+ 1.4.1.1466.115.121.1.26 ) +olcObjectClasses: {0}( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP + top STRUCTURAL MUST cn ) +olcObjectClasses: {1}( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer + ' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ k + rbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSa + ltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdm + Servers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef + ) ) +olcObjectClasses: {2}( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP t + op ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) ) +olcObjectClasses: {3}( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SU + P krbService STRUCTURAL ) +olcObjectClasses: {4}( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SU + P krbService STRUCTURAL ) +olcObjectClasses: {5}( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' + SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled + $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krb + PasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHisto + ry $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastS + uccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ kr + bAllowedToDelegateTo $ krbPrincipalAuthInd ) ) +olcObjectClasses: {6}( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP + top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences ) +olcObjectClasses: {7}( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' + SUP top AUXILIARY MAY krbPrincipalReferences ) +olcObjectClasses: {8}( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' S + UP krbService STRUCTURAL ) +olcObjectClasses: {9}( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SU + P top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDif + fChars $ krbPwdMinLength $ krbPwdHistoryLength $ 
krbPwdMaxFailure $ krbPwdF + ailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxL + ife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) ) +olcObjectClasses: {10}( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicy + Aux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRene + wableAge ) ) +olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy + ' SUP top STRUCTURAL MUST cn ) diff --git a/modules/private/databases/openldap/puppet.ldif b/modules/private/databases/openldap/puppet.ldif new file mode 100644 index 0000000..567f5b3 --- /dev/null +++ b/modules/private/databases/openldap/puppet.ldif @@ -0,0 +1,20 @@ +# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. +# CRC32 62aec6fb +dn: cn=puppet,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: puppet +olcAttributeTypes: {0}( 1.3.6.1.4.1.34380.1.1.3.10 NAME 'puppetClass' DESC ' + Puppet Node Class' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115. + 121.1.26 ) +olcAttributeTypes: {1}( 1.3.6.1.4.1.34380.1.1.3.9 NAME 'parentNode' DESC 'Pu + ppet Parent Node' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1 + 21.1.26 SINGLE-VALUE ) +olcAttributeTypes: {2}( 1.3.6.1.4.1.34380.1.1.3.11 NAME 'environment' DESC ' + Puppet Node Environment' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.146 + 6.115.121.1.26 ) +olcAttributeTypes: {3}( 1.3.6.1.4.1.34380.1.1.3.12 NAME 'puppetVar' DESC 'A + variable setting for puppet' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1 + .1466.115.121.1.26 ) +olcObjectClasses: {0}( 1.3.6.1.4.1.34380.1.1.1.2 NAME 'puppetClient' DESC 'P + uppet Client objectclass' SUP top AUXILIARY MAY ( puppetclass $ parentnode + $ environment $ puppetvar ) ) diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix index b456323..6c914c0 100644 --- a/modules/private/databases/openldap_replication.nix +++ b/modules/private/databases/openldap_replication.nix 
@@ -1,13 +1,12 @@ { pkgs, config, lib, ... }: let cfg = config.myServices.databasesReplication.openldap; - eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {}; ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" '' include ${pkgs.openldap}/etc/schema/core.schema include ${pkgs.openldap}/etc/schema/cosine.schema include ${pkgs.openldap}/etc/schema/inetorgperson.schema include ${pkgs.openldap}/etc/schema/nis.schema - ${eldiron_schemas} + include ${./openldap/immae.schema} pidfile /run/slapd_${name}/slapd.pid argsfile /run/slapd_${name}/slapd.args diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index fdab2f0..8511220 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix @@ -98,7 +98,6 @@ in { networking.firewall.allowedTCPPorts = [ 5432 ]; security.acme.certs."postgresql" = config.myServices.databasesCerts // { - user = "postgres"; group = "postgres"; domain = "db-1.immae.eu"; postRun = '' @@ -108,10 +107,18 @@ in { systemd.services.postgresql.serviceConfig = { SupplementaryGroups = "keys"; + ExecStartPre = [ ("+" + (pkgs.writeShellScript "postgresql-fix-cert" '' + # postgresql complains: + # private key file "${config.security.acme.certs.postgresql.directory}/key.pem" must be owned by the database user or root + cp -f + "${config.security.acme.certs.postgresql.directory}/key.pem" "${config.services.postgresql.dataDir}/key.pem" + chown postgres:postgres "${config.services.postgresql.dataDir}/key.pem" + chmod go-r "${config.services.postgresql.dataDir}/key.pem" + '')) ]; }; systemd.services.postgresql.postStart = lib.mkAfter '' # This line is already defined in 19.09 - PSQL="${pkgs.sudo}/bin/sudo -u postgres psql --port=5432" + PSQL="psql --port=5432" ${builtins.concatStringsSep "\n" (lib.mapAttrsToList (role: _: '' $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${role}'" \ 
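Review bot: `postgresql-fix-cert` copies key.pem and only afterwards fixes owner and mode, and `chmod go-r` leaves group/other write bits untouched; `install -m 0600 -o postgres -g postgres "${config.security.acme.certs.postgresql.directory}/key.pem" "${config.services.postgresql.dataDir}/key.pem"` does the copy with the final owner and mode in one step. Since the key now lives inside dataDir, every base backup or filesystem snapshot of the data directory carries the private key; a comment next to the copy stating that this is accepted (or an exclude in the backup job) keeps that explicit. Dropping `sudo -u postgres` from `PSQL` presumably relies on postStart already running as the postgres user on the target release; if it does not, the role-management loop below runs as root.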
@@ -134,28 +141,29 @@ in { enable = true; package = cfg.package; enableTCPIP = true; - extraConfig = '' - max_connections = 100 - wal_level = logical - shared_buffers = 512MB - work_mem = 10MB - max_wal_size = 1GB - min_wal_size = 80MB - log_timezone = 'Europe/Paris' - datestyle = 'iso, mdy' - timezone = 'Europe/Paris' - lc_messages = 'en_US.UTF-8' - lc_monetary = 'en_US.UTF-8' - lc_numeric = 'en_US.UTF-8' - lc_time = 'en_US.UTF-8' - default_text_search_config = 'pg_catalog.english' + checkConfig = false; + settings = { + max_connections = 100; + wal_level = "logical"; + shared_buffers = "512MB"; + work_mem = "10MB"; + max_wal_size = "1GB"; + min_wal_size = "80MB"; + log_timezone = "Europe/Paris"; + datestyle = "iso, mdy"; + timezone = "Europe/Paris"; + lc_messages = "en_US.UTF-8"; + lc_monetary = "en_US.UTF-8"; + lc_numeric = "en_US.UTF-8"; + lc_time = "en_US.UTF-8"; + default_text_search_config = "pg_catalog.english"; # this introduces a small delay before storing on disk, but # makes it order of magnitudes quicker - synchronous_commit = off - ssl = on - ssl_cert_file = '${config.security.acme.certs.postgresql.directory}/fullchain.pem' - ssl_key_file = '${config.security.acme.certs.postgresql.directory}/key.pem' - ''; + synchronous_commit = "off"; + ssl = "on"; + ssl_cert_file = "${config.security.acme.certs.postgresql.directory}/fullchain.pem"; + ssl_key_file = "${config.services.postgresql.dataDir}/key.pem"; + }; authentication = let hosts = builtins.concatStringsSep "\n" ( lib.lists.flatten (lib.mapAttrsToList (k: vs: map (v: diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index 685fa46..2d2c27d 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix 
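Review bot: `checkConfig = false;` switches off the build-time validation of the generated postgresql.conf without a word on why; if the reason is that `ssl_key_file` now points at a file that only exists after `ExecStartPre` ran, say so next to it: `checkConfig = false; # key.pem is created at ExecStartPre, so the generated config cannot be validated at build time`. With validation off, a typo in `settings` surfaces only when the service restarts, so this is worth re-enabling once the check can tolerate the missing key. The `authentication` binding that follows starts inside the hunk but continues past it.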
@@ -32,16 +32,15 @@ in { config = lib.mkIf cfg.enable { users.users.redis.uid = config.ids.uids.redis; users.groups.redis.gid = config.ids.gids.redis; - services.redis = rec { + services.redis.servers."" = { enable = true; bind = "127.0.0.1"; unixSocket = cfg.sockets.redis; - extraConfig = '' - unixsocketperm 777 - maxclients 1024 - ''; + unixSocketPerm = 777; + maxclients = 1024; }; systemd.services.redis.serviceConfig.Slice = "redis.slice"; + systemd.services.redis.serviceConfig.RuntimeDirectoryMode = lib.mkForce "0755"; services.spiped = { enable = true; diff --git a/modules/private/databases/utils.nix b/modules/private/databases/utils.nix index 47988fc..1b3190f 100644 --- a/modules/private/databases/utils.nix +++ b/modules/private/databases/utils.nix @@ -16,7 +16,7 @@ rev = "061f0564757289d3bea553b16f8fd5c4a0319c5e"; }; log2rotate = pkgs.writeScript "log2rotate" '' - #!${pkgs.python3}/bin/python + #!${pkgs.python38}/bin/python ${builtins.readFile "${log2rotateSrc}/log2rotate.py"} ''; diff --git a/modules/private/dns.nix b/modules/private/dns.nix index 120c46c..81cf25e 100644 --- a/modules/private/dns.nix +++ b/modules/private/dns.nix @@ -48,7 +48,7 @@ ${cfg.extraConfig} ${ lib.concatMapStrings - ({ name, file, master ? true, extra ? "", slaves ? [], masters ? [] }: + ({ name, file, master ? true, extraConfig ? "", slaves ? [], masters ? [] }: '' zone "${name}" { type ${if master then "master" else "slave"}; @@ -66,10 +66,10 @@ }; '' else ""} allow-query { any; }; - ${extra} + ${extraConfig} }; '') - cfg.zones } + (builtins.attrValues cfg.zones) } ''; mxes = lib.attrsets.filterAttrs (n: v: v.mx.enable) 
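Review bot: `unixSocketPerm = 777;` together with the new `RuntimeDirectoryMode = lib.mkForce "0755"` lets any local account connect to the redis socket if `cfg.sockets.redis` lives under the runtime directory, and nothing in the hunk sets a `requirePass`; the world-readable directory is the new part, so this is the moment to narrow the socket instead of widening its reach. `unixSocketPerm = 660;` with the consuming service users added to the `redis` group gives the intended clients the same access and nobody else. If world access is genuinely required, a comment naming the client that cannot be put in the group would explain the 777.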
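Review bot: Replacing `pkgs.python3` with `pkgs.python38` pins the interpreter to one minor release with no comment on what requires it; the same pin recurs in gitolite/default.nix, monitoring/myplugins.nix (three places) and monitoring/status.nix further down. A pinned minor stops following the `python3` alias, so it keeps shipping 3.8 after nixpkgs moves on and breaks outright when 3.8 is removed; a comment such as `# pinned to 3.8 because <dependency> does not build on newer python` at each site, or one shared `python = pkgs.python38;` binding, would record the reason and make the eventual unpin a single edit.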
@@ -124,11 +124,13 @@ masters = if lib.attrsets.hasAttr "masters" conf then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.masters) else []; + slaves = []; }) slaveZones) ++ (map (conf: { name = conf.name; master = true; - extra = if lib.attrsets.hasAttr "extra" conf then conf.extra else ""; + extraConfig = if lib.attrsets.hasAttr "extra" conf then conf.extra else ""; + masters = []; slaves = if lib.attrsets.hasAttr "slaves" conf then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.slaves) else []; diff --git a/modules/private/ejabberd/default.nix b/modules/private/ejabberd/default.nix index 4d86a64..90a9a9f 100644 --- a/modules/private/ejabberd/default.nix +++ b/modules/private/ejabberd/default.nix @@ -16,20 +16,13 @@ in config = lib.mkIf cfg.enable { security.acme.certs = { "ejabberd" = config.myServices.certificates.certConfig // { - user = "ejabberd"; group = "ejabberd"; domain = "eldiron.immae.eu"; keyType = "rsa4096"; postRun = '' systemctl restart ejabberd.service ''; - extraDomains = { - "immae.fr" = null; - "conference.immae.fr" = null; - "proxy.immae.fr" = null; - "pubsub.immae.fr" = null; - "upload.immae.fr" = null; - }; + extraDomainNames = [ "immae.fr" "conference.immae.fr" "proxy.immae.fr" "pubsub.immae.fr" "upload.immae.fr" ]; }; }; networking.firewall.allowedTCPPorts = [ 5222 5269 ]; diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix index 9249e08..63eda99 100644 --- a/modules/private/ftp.nix +++ b/modules/private/ftp.nix 
@@ -32,12 +32,15 @@ in config = lib.mkIf config.myServices.ftp.enable { security.acme.certs."ftp" = config.myServices.certificates.certConfig // { domain = "eldiron.immae.eu"; + # FIXME: make it global + extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"]; + extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"]; postRun = (lib.optionalString pure-ftpd-enabled '' systemctl restart pure-ftpd.service '') + (lib.optionalString proftpd-enabled '' systemctl restart proftpd.service ''); - extraDomains = { "ftp.immae.eu" = null; }; + extraDomainNames = [ "ftp.immae.eu" ]; }; networking = { diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix index b4ae71e..d02a4ef 100644 --- a/modules/private/gitolite/default.nix +++ b/modules/private/gitolite/default.nix @@ -65,7 +65,7 @@ in { ]; in [ - (pkgs.python3.withPackages python-packages) + (pkgs.python38.withPackages python-packages) pkgs.nettools pkgs.findutils ]; diff --git a/modules/private/loginctl-linger.nix b/modules/private/loginctl-linger.nix index e6b9f23..208280f 100644 --- a/modules/private/loginctl-linger.nix +++ b/modules/private/loginctl-linger.nix @@ -41,7 +41,9 @@ in }; config = { - system.activationScripts.update-lingering = - stringAfter [ "users" ] updateLingering; + system.activationScripts.update-lingering = { + deps = ["users"]; + text = "${updateLingering}"; + }; }; } diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix index 2d405c6..ccbd411 100644 --- a/modules/private/mail/default.nix +++ b/modules/private/mail/default.nix 
@@ -15,25 +15,35 @@ config = lib.mkIf config.myServices.mail.enable { security.acme.certs."mail" = config.myServices.certificates.certConfig // { + postRun = lib.mkBefore '' + cp -f fullchain.pem /etc/dovecot/fullchain.pem + chown :dovecot2 /etc/dovecot/fullchain.pem + chmod a+r /etc/dovecot/fullchain.pem + ''; domain = config.hostEnv.fqdn; - extraDomains = let + extraDomainNames = let zonesWithMx = builtins.filter (zone: lib.attrsets.hasAttr "withEmail" zone && lib.lists.length zone.withEmail > 0 ) config.myEnv.dns.masterZones; mxs = map (zone: "${config.hostEnv.mx.subdomain}.${zone.name}") zonesWithMx; - in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs); + in mxs; }; # This is for clients that don’t support elliptic curves (e.g. # printer) security.acme.certs."mail-rsa" = config.myServices.certificates.certConfig // { + postRun = lib.mkBefore '' + cp -f fullchain.pem /etc/dovecot/fullchain-rsa.pem + chown :dovecot2 /etc/dovecot/fullchain-rsa.pem + chmod a+r /etc/dovecot/fullchain-rsa.pem + ''; domain = config.hostEnv.fqdn; keyType = "rsa4096"; - extraDomains = let + extraDomainNames = let zonesWithMx = builtins.filter (zone: lib.attrsets.hasAttr "withEmail" zone && lib.lists.length zone.withEmail > 0 ) config.myEnv.dns.masterZones; mxs = map (zone: "${config.hostEnv.mx.subdomain}.${zone.name}") zonesWithMx; - in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs); + in mxs; }; systemd.slices.mail = { description = "Mail slice"; diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix index b6fdc02..ae06f2f 100644 --- a/modules/private/mail/dovecot.nix +++ b/modules/private/mail/dovecot.nix @@ -47,6 +47,7 @@ in uid = config.ids.uids.vhost; }; users.groups.vhost.gid = config.ids.gids.vhost; + users.users."${config.services.dovecot2.user}".extraGroups = [ "acme" ]; # https://blog.zeninc.net/index.php?post/2018/04/01/Un-annuaire-pour-les-gouverner-tous....... services.dovecot2 = { 
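Review bot: The new `postRun` blocks rely on the working directory presumably being the certificate directory and on `/etc/dovecot` already existing; `cp -f` fails on the first run if the directory is absent, and the three commands can be replaced by `install -D -m 0644 -g dovecot2 ${config.security.acme.certs.mail.directory}/fullchain.pem /etc/dovecot/fullchain.pem` (and the `-rsa` counterpart), which creates the directory and sets group and mode in one step. `chmod a+r` on a fullchain is harmless since the chain is public, but a comment stating that only the public chain is copied and the key stays in the acme directory would make the intent obvious.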
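Review bot: `extraGroups = [ "acme" ]` on the dovecot user grants read access to every certificate key the acme module manages on this host, not just the mail key; the `mail` and `mail-rsa` certificates earlier on this page already carry per-cert ownership through certConfig, so setting their `group` to the dovecot group (the acme module chowns the key to that group) keeps the grant to those two keys. If the blanket group membership is intentional, a comment such as `# acme group: dovecot reads /var/lib/acme/mail/key.pem` would at least record which key it is for.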
@@ -58,7 +59,7 @@ in protocols = [ "sieve" ]; modules = [ pkgs.dovecot_pigeonhole - pkgs.dovecot_fts-xapian + pkgs.dovecot_fts_xapian ]; mailUser = "vhost"; mailGroup = "vhost"; @@ -70,13 +71,13 @@ in Drafts = { auto = "subscribe"; specialUse = "Drafts"; }; }; mailLocation = "mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap"; - sslServerCert = "/var/lib/acme/mail/fullchain.pem"; + sslServerCert = "/etc/dovecot/fullchain.pem"; sslServerKey = "/var/lib/acme/mail/key.pem"; - sslCACert = "/var/lib/acme/mail/fullchain.pem"; + sslCACert = "/etc/dovecot/fullchain.pem"; extraConfig = builtins.concatStringsSep "\n" [ # For printer which doesn’t support elliptic curve '' - ssl_alt_cert = 0 ) config.myEnv.dns.masterZones; mxs = map (zone: "${config.myEnv.servers."${name}".mx.subdomain}.${zone.name}") zonesWithMx; - in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs); + in mxs; }; secrets.keys = { "postfix/mysql_alias_maps" = { diff --git a/modules/private/mail/rspamd.nix b/modules/private/mail/rspamd.nix index 05f1300..a300cc5 100644 --- a/modules/private/mail/rspamd.nix +++ b/modules/private/mail/rspamd.nix @@ -26,6 +26,7 @@ [ "*/20 * * * * vhost ${cron_script}/scan_reported_mails" ]; systemd.services.rspamd.serviceConfig.Slice = "mail.slice"; + systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "vhost" ]; services.rspamd = { enable = true; debug = false; diff --git a/modules/private/monitoring/myplugins.nix b/modules/private/monitoring/myplugins.nix index 864fa99..105811b 100644 --- a/modules/private/monitoring/myplugins.nix +++ b/modules/private/monitoring/myplugins.nix @@ -113,7 +113,7 @@ in cp ${./plugins}/check_eriomem $out/ patchShebangs $out/check_eriomem wrapProgram $out/check_eriomem --prefix PATH : ${lib.makeBinPath [ - pkgs.s3cmd pkgs.python3 + pkgs.s3cmd pkgs.python38 ]} cp ${./plugins}/check_backup_age $out/check_backup_eriomem_age patchShebangs $out/check_backup_eriomem_age 
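Review bot: `SupplementaryGroups = [ "vhost" ]` gives the rspamd daemon group-level access to everything the mail group owns, while the cron job above already runs `scan_reported_mails` as `vhost`; the hunk does not say what the daemon itself needs from the mail store. A comment next to the line, `# rspamd needs the vhost group to <read what>`, would bound the grant, and if only the cron-driven scan needs the access the group membership can stay on the cron side.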
@@ -233,7 +233,7 @@ in cp ${./plugins}/check_mem.sh $out/ patchShebangs $out/check_mem.sh wrapProgram $out/check_mem.sh --prefix PATH : ${lib.makeBinPath [ - pkgs.gnugrep pkgs.gawk pkgs.procps-ng + pkgs.gnugrep pkgs.gawk pkgs.procps ]} ''; }; @@ -296,7 +296,7 @@ in cp ${./plugins}/check_ovh_sms $out/ patchShebangs $out/check_ovh_sms wrapProgram $out/check_ovh_sms --prefix PATH : ${lib.makeBinPath [ - (pkgs.python3.withPackages (ps: [ps.ovh])) + (pkgs.python38.withPackages (ps: [ps.ovh])) ]} ''; }; diff --git a/modules/private/monitoring/objects_backup-2.nix b/modules/private/monitoring/objects_backup-2.nix index 28032a4..ca74db8 100644 --- a/modules/private/monitoring/objects_backup-2.nix +++ b/modules/private/monitoring/objects_backup-2.nix @@ -78,13 +78,12 @@ in name = "eldiron"; hcfg = config.myServices.databasesReplication.openldap.hosts.eldiron; base = config.myServices.databasesReplication.openldap.base; - eldiron_schemas = pkgs.callPackage ../databases/openldap/eldiron_schemas.nix {}; ldapConfig = pkgs.writeText "slapd.conf" '' include ${pkgs.openldap}/etc/schema/core.schema include ${pkgs.openldap}/etc/schema/cosine.schema include ${pkgs.openldap}/etc/schema/inetorgperson.schema include ${pkgs.openldap}/etc/schema/nis.schema - ${eldiron_schemas} + include ${../databases/openldap/immae.schema} moduleload back_hdb backend hdb database hdb diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix index 420124b..682f5df 100644 --- a/modules/private/monitoring/status.nix +++ b/modules/private/monitoring/status.nix @@ -56,8 +56,7 @@ }; }; security.acme.certs."${name}" = { - extraDomains."status.immae.eu" = null; - user = config.services.nginx.user; + extraDomainNames = [ "status.immae.eu" ]; group = config.services.nginx.group; }; 
@@ -73,7 +72,7 @@ Type = "simple"; WorkingDirectory = "${./status}"; ExecStart = let - python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask p.flask_login ]); + python = pkgs.python38.withPackages (p: [ p.gunicorn p.flask p.flask_login ]); in "${python}/bin/gunicorn -w4 --bind unix:/run/naemon-status/socket.sock app:app"; User = "naemon"; diff --git a/modules/private/monitoring/status_engine.nix b/modules/private/monitoring/status_engine.nix index 39a753a..1ce7b16 100644 --- a/modules/private/monitoring/status_engine.nix +++ b/modules/private/monitoring/status_engine.nix @@ -88,7 +88,7 @@ in ''; }; - services.redis = rec { + services.redis.servers."" = rec { enable = true; bind = "127.0.0.1"; }; diff --git a/modules/private/pub/default.nix b/modules/private/pub/default.nix index c419530..6a7855e 100644 --- a/modules/private/pub/default.nix +++ b/modules/private/pub/default.nix @@ -41,6 +41,8 @@ description = "Restricted shell user"; home = "/var/lib/pub"; uid = config.myEnv.users.pub.uid; + isNormalUser = true; + group = "nogroup"; useDefaultShell = true; packages = [ restrict diff --git a/modules/private/system.nix b/modules/private/system.nix index 949f07d..b2c01b5 100644 --- a/modules/private/system.nix +++ b/modules/private/system.nix @@ -27,6 +27,9 @@ mariadb = self.mariadb_pam; }) # don’t put them as generic overlay because of home-manager ]; + nixpkgs.config.permittedInsecurePackages = [ + "nodejs-10.24.1" + ]; services.journald.extraConfig = '' #Should be "warning" but disabled for now, it prevents anything from being stored @@ -49,7 +52,7 @@ ''; in [ - pkgs.telnet + pkgs.inetutils pkgs.htop pkgs.iftop pkgs.bind.dnsutils @@ -58,7 +61,7 @@ pkgs.whois pkgs.ngrep pkgs.tcpdump - pkgs.tshark + pkgs.wireshark-cli pkgs.tcpflow # pkgs.mitmproxy # failing pkgs.nmap diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix index 8f66381..05b61e5 100644 --- a/modules/private/system/backup-2.nix 
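Review bot: `permittedInsecurePackages = [ "nodejs-10.24.1" ]` re-enables a package that nixpkgs marks as insecure without recording which service still depends on it, so the exception has no removal condition. A comment such as `# required by <service> — remove once it builds on a supported nodejs` next to the entry keeps the dependant and the reason visible wherever this list is reviewed; anything that pulls nodejs-10 in is exposed to whatever that release no longer receives fixes for, so it deserves a tracking note rather than a silent allow.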
+++ b/modules/private/system/backup-2.nix @@ -49,7 +49,6 @@ myServices.certificates.enable = true; security.acme.certs."${name}" = { - user = config.services.nginx.user; group = config.services.nginx.group; }; services.nginx = { diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix index 84890c4..c5f3b01 100644 --- a/modules/private/system/dilion.nix +++ b/modules/private/system/dilion.nix @@ -18,7 +18,7 @@ }; blacklistedKernelModules = [ "nvidiafb" ]; supportedFilesystems = [ "zfs" ]; - kernelPackages = pkgs.linuxPackages_latest; + kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; kernelModules = [ "kvm-intel" ]; initrd.availableKernelModules = [ "ahci" "sd_mod" ]; initrd.secrets = { @@ -28,7 +28,6 @@ # available in nixos-20.09 #zfs.requestEncryptionCredentials = [ "zpool/root" ]; }; - nix.maxJobs = 8; powerManagement.cpuFreqGovernor = "powersave"; hardware.enableRedistributableFirmware = true; @@ -88,17 +87,19 @@ shell = pkgs.bashInteractive; isSystemUser = true; group = "libvirtd"; - packages = [ pkgs.netcat-openbsd ]; + packages = [ pkgs.libressl.nc ]; openssh.authorizedKeys.keys = [ config.myEnv.buildbot.ssh_key.public config.myEnv.sshd.rootKeys.ismael_flony ]; }; + users.groups.backup = {}; users.users.backup = { hashedPassword = "!"; isSystemUser = true; extraGroups = [ "keys" ]; + group = "backup"; shell = pkgs.bashInteractive; openssh.authorizedKeys.keys = let zreplConfig = config.secrets.fullPaths."zrepl/zrepl.yml"; @@ -121,7 +122,9 @@ virtualisation.docker.enable = true; virtualisation.docker.storageDriver = "zfs"; virtualisation.libvirtd.enable = true; - users.extraUsers.immae.extraGroups = [ "libvirtd" "docker" ]; + systemd.services.libvirtd.path = lib.mkAfter [ config.boot.zfs.package ]; + users.groups.immae = {}; + users.extraUsers.immae.extraGroups = [ "immae" "libvirtd" "docker" ]; systemd.services.libvirtd.postStart = '' install -m 0770 -g libvirtd -d /var/lib/libvirt/images ''; 
@@ -137,7 +140,12 @@ time.timeZone = "Europe/Paris"; nix = { - useSandbox = "relaxed"; + settings = { + sandbox = "relaxed"; + max-jobs = 8; + substituters = [ "https://hydra.iohk.io" "https://cache.nixos.org" ]; + trusted-public-keys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ]; + }; extraOptions = '' keep-outputs = true keep-derivations = true @@ -160,31 +168,28 @@ "home-manager=${pkgs.sources.home-manager.url}" "nixpkgs=${pkgs.sources.nixpkgs-home-manager.url}" ]; - nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ]; - nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ]; myServices.monitoring.enable = true; myServices.certificates.enable = true; security.acme.certs."${name}-immae" = config.myServices.certificates.certConfig // { - user = "immae"; + group = "immae"; domain = "dilion.immae.eu"; }; security.acme.certs."${name}" = { - user = config.services.nginx.user; group = config.services.nginx.group; - extraDomains = { - "dilion.immae.dev" = null; - "caldance.cs.immae.dev" = null; - "zulip.carpentier.earth" = null; - "zulip.tof.carpentier.earth" = null; - "zulip.dine.carpentier.earth" = null; - "zulip.quentin.carpentier.earth" = null; - "zulip.agnes.carpentier.earth" = null; + extraDomainNames = [ + "dilion.immae.dev" + "caldance.cs.immae.dev" + "zulip.carpentier.earth" + "zulip.tof.carpentier.earth" + "zulip.dine.carpentier.earth" + "zulip.quentin.carpentier.earth" + "zulip.agnes.carpentier.earth" - "ofn.nc.immae.dev" = null; + "ofn.nc.immae.dev" - "bookstack.cc.immae.dev" = null; - }; + "bookstack.cc.immae.dev" + ]; }; services.nginx = { enable = true; @@ -266,7 +271,7 @@ # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup # pour flony: # zfs allow backup hold,release,bookmark,snapshot,send zpool - services.zrepl = { + immaeServices.zrepl = { enable = true; config = '' global: 
@@ -301,11 +306,26 @@ client_cns: - flony filesystems: - "zpool/docker<": true "zpool/libvirt<": true "zpool/root<": true snapshotting: type: manual + - type: source + # must not change + name: "backup-to-wd-zpool-docker" + # not encrypted! + serve: + type: tls + listen: :19002 + ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"} + cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"} + key: ${config.secrets.fullPaths."zrepl/dilion.key"} + client_cns: + - flony + filesystems: + "zpool/docker<": true + snapshotting: + type: manual ''; }; # This value determines the NixOS release with which your system is diff --git a/modules/private/system/dilion/vms.nix b/modules/private/system/dilion/vms.nix index af96622..6a5be5a 100644 --- a/modules/private/system/dilion/vms.nix +++ b/modules/private/system/dilion/vms.nix @@ -65,6 +65,7 @@ in Type = "oneshot"; RemainAfterExit = "yes"; }; + path = [ config.boot.zfs.package ]; script = let xml = pkgs.writeText "libvirt-guest-${name}.xml" @@ -132,6 +133,7 @@ in Type = "oneshot"; RemainAfterExit = "yes"; }; + path = [ config.boot.zfs.package ]; script = let xml = pkgs.writeText "libvirt-network-${name}.xml" '' @@ -163,6 +165,7 @@ in Type = "oneshot"; RemainAfterExit = "yes"; }; + path = [ config.boot.zfs.package ]; script = let xml = pkgs.writeText "libvirt-pool-${name}.xml" '' diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix index a4acf90..f3bed74 100644 --- a/modules/private/system/eldiron.nix +++ b/modules/private/system/eldiron.nix @@ -18,7 +18,7 @@ }; supportedFilesystems = [ "zfs" ]; kernelParams = ["zfs.zfs_arc_max=6442450944"]; - kernelPackages = pkgs.linuxPackages_latest; + kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; initrd.availableKernelModules = [ "ahci" "sd_mod" ]; initrd.secrets = { "/boot/pass.key" = "/boot/pass.key"; 
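Review bot: The `# not encrypted!` comment on the new `backup-to-wd-zpool-docker` source job is ambiguous, because the transport is `type: tls` with a client CN pin; it presumably means `zpool/docker` is not an encrypted dataset and the receiver stores it in plaintext, which is worth writing out: `# zpool/docker is not a ZFS-encrypted dataset: flony receives and stores it in plaintext`. `listen: :19002` binds every interface, and nothing in the hunk shows the firewall limiting that port to flony, so either note where that rule lives or bind to the address flony connects to. The client CN pin and the per-job certificates otherwise match the existing job above.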
@@ -27,7 +27,7 @@ services.udev.extraRules = '' ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0" ''; - nix.maxJobs = 8; + nix.settings.max-jobs = 8; powerManagement.cpuFreqGovernor = "powersave"; myEnv = import ../../../nixops/secrets/environment.nix; @@ -144,7 +144,7 @@ }; }; programs.ssh.knownHosts.dilion = { - hostNames = ["dilion.immae.eu"]; + extraHostNames = ["dilion.immae.eu"]; publicKey = let profile = config.myEnv.rsync_backup.profiles.dilion; in @@ -166,7 +166,7 @@ environment.systemPackages = [ pkgs.bindfs ]; - services.zrepl = { + immaeServices.zrepl = { enable = true; config = let redis_dump = pkgs.writeScript "redis-dump" '' diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix index 646fef3..ed6f129 100644 --- a/modules/private/system/quatresaisons.nix +++ b/modules/private/system/quatresaisons.nix @@ -382,8 +382,8 @@ in environment.systemPackages = [ sponsoredUser userquotas pkgs.git pkgs.vim pkgs.rsync pkgs.strace pkgs.home-manager - pkgs.telnet pkgs.htop pkgs.iftop pkgs.bind.dnsutils pkgs.httpie - pkgs.iotop pkgs.whois pkgs.ngrep pkgs.tcpdump pkgs.tshark + pkgs.inetutils pkgs.htop pkgs.iftop pkgs.bind.dnsutils pkgs.httpie + pkgs.iotop pkgs.whois pkgs.ngrep pkgs.tcpdump pkgs.wireshark-cli pkgs.tcpflow pkgs.nmap pkgs.p0f pkgs.socat pkgs.lsof pkgs.psmisc pkgs.openssl pkgs.wget pkgs.pv pkgs.smartmontools pkgs.youtube-dl pkgs.unzip pkgs.octave pkgs.feh pkgs.xv pkgs.sshfs pkgs.gdb diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix index f7b27e0..f5a4b93 100644 --- a/modules/private/system/quatresaisons/databases.nix +++ b/modules/private/system/quatresaisons/databases.nix @@ -14,7 +14,7 @@ permissions = "0400"; user = "openldap"; group = "openldap"; - text = "rootpw ${serverSpecificConfig.ldap_root_pw}"; + text = "${serverSpecificConfig.ldap_root_pw}"; }; "webapps/tools-ldap" = { user = "wwwrun"; 
@@ -46,56 +46,89 @@ users.users.openldap.extraGroups = [ "keys" ]; services.openldap = { enable = true; - dataDir = "/var/lib/openldap"; urlList = [ "ldap://localhost" ]; - logLevel = "none"; - extraConfig = '' - pidfile /run/slapd/slapd.pid - argsfile /run/slapd/slapd.args - - moduleload back_hdb - backend hdb - ''; - - extraDatabaseConfig = '' - moduleload memberof - overlay memberof - - moduleload syncprov - overlay syncprov - syncprov-checkpoint 100 10 - - index objectClass eq - index uid pres,eq - #index uidMember pres,eq - index mail pres,sub,eq - index cn pres,sub,eq - index sn pres,sub,eq - index dc eq - index member eq - index memberOf eq - - # No one must access that information except root - access to attrs=description - by * none - - access to attrs=entry,uid filter="(uid=*)" - by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read - by * break - - access to dn.subtree="ou=users,dc=salle-s,dc=org" - by dn.subtree="ou=services,dc=salle-s,dc=org" read - by * break - - access to * - by self read - by anonymous auth - by * break - ''; - rootpwFile = config.secrets.fullPaths."ldap/password"; - suffix = "dc=salle-s,dc=org"; - rootdn = "cn=root,dc=salle-s,dc=org"; - database = "hdb"; + settings = { + attrs = { + olcPidFile = "/run/slapd/slapd.pid"; + olcArgsFile = "/run/slapd/slapd.args"; + olcLogLevel = "none"; + }; + children = { + "cn=module{0}" = { + attrs = { + cn = "module{0}"; + objectClass = [ "olcModuleList" ]; + olcModuleLoad = [ "{0}back_hdb" "{1}memberof" "{2}syncprov" ]; + }; + }; + "cn=schema".includes = map (schema: + "${config.services.openldap.package}/etc/schema/${schema}.ldif" + ) [ "core" "cosine" "inetorgperson" "nis" ]; + "olcDatabase={0}config" = { + attrs = { + objectClass = "olcDatabaseConfig"; + olcDatabase = "{0}config"; + olcAccess = ["{0}to * by * none"]; + }; + }; + "olcDatabase={1}hdb" = { + attrs = { + objectClass = [ "olcDatabaseConfig" "olcHdbConfig" ]; + olcDatabase = "{1}hdb"; + olcAccess = let + join = 
builtins.replaceStrings ["\n"] [" "]; + in [ + (join ''{0}to attrs=description + by * none + '') + (join ''{1}to filter="(uid=*)" attrs=entry,uid + by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read + by * break + '') + (join ''{2}to dn.subtree="ou=users,dc=salle-s,dc=org" + by dn.subtree="ou=services,dc=salle-s,dc=org" read + by * break + '') + (join ''{3}to * + by self read + by anonymous auth + by * break + '') + ]; + olcDbIndex = [ + "objectClass eq" + "uid pres,eq" + #"uidMember pres,eq" + "mail pres,eq,sub" + "cn pres,eq,sub" + "sn pres,eq,sub" + "dc eq" + "member eq" + "memberOf eq" + ]; + olcDbDirectory = "/var/lib/openldap"; + olcRootDN = "cn=root,dc=salle-s,dc=org"; + olcRootPW.path = config.secrets.fullPaths."ldap/password"; + olcSuffix = "dc=salle-s,dc=org"; + }; + children = { + "olcOverlay={0}memberof" = { + attrs = { + objectClass = [ "olcOverlayConfig" "olcMemberOf" ]; + olcOverlay = "{0}memberof"; + }; + }; + "olcOverlay={1}syncprov" = { + attrs = { + objectClass = [ "olcOverlayConfig" "olcSyncProvConfig" ]; + olcOverlay = "{1}syncprov"; + olcSpCheckpoint = "100 10"; + }; + }; + }; + }; + }; + }; }; services.websites.env.production.modules = [ "proxy_fcgi" ]; diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index 6480255..7eb8688 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix @@ -235,7 +235,7 @@ in { }; security.acme.certs."task" = config.myServices.certificates.certConfig // { - inherit user group; + inherit group; domain = fqdn; postRun = '' systemctl restart taskserver.service diff --git a/modules/private/websites/christophe_carpentier/agorakit.nix b/modules/private/websites/christophe_carpentier/agorakit.nix index 2ea5541..eeca991 100644 --- a/modules/private/websites/christophe_carpentier/agorakit.nix +++ b/modules/private/websites/christophe_carpentier/agorakit.nix 
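Review bot: The new `settings` still loads `{0}back_hdb` and declares the database as `olcHdbConfig`/`{1}hdb`; OpenLDAP removed back-hdb and back-bdb upstream in the 2.5 series, so if the nixpkgs pinned by this commit ships slapd 2.5 or later the daemon will not start — worth confirming the version and, if so, migrating to `back_mdb` with `olcMdbConfig`. `olcRootPW.path` now points at the secret that the databases.nix hunk earlier on this page reduced to the bare password; since the file content is taken verbatim, confirm the secrets module writes `text` without appending a newline, otherwise the newline becomes part of the root password. The `{0}to * by * none` rule on `olcDatabase={0}config` is a sound default when the config tree is regenerated declaratively, but a comment such as `# cn=config is regenerated declaratively: deny all runtime access` would spare the next reader a search.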
@@ -88,6 +88,7 @@ in { inherit app; serviceDeps = [ "mysql.service" ]; phpOpenbasedir = [ "/tmp" secretsPath ]; + phpPackage = pkgs.php74; phpPool = { "php_admin_value[upload_max_filesize]" = "100M"; "php_admin_value[post_max_size]" = "100M"; diff --git a/modules/private/websites/christophe_carpentier/agorakit/default.nix b/modules/private/websites/christophe_carpentier/agorakit/default.nix index 8348877..178e80f 100644 --- a/modules/private/websites/christophe_carpentier/agorakit/default.nix +++ b/modules/private/websites/christophe_carpentier/agorakit/default.nix @@ -1,8 +1,9 @@ { varDir, secretsPath -, composerEnv, fetchFromGitHub, fetchurl }: +, composerEnv, fetchFromGitHub, fetchurl, php74 }: let - app = composerEnv.buildPackage ( - import ./php-packages.nix { inherit composerEnv fetchurl; } // + composerEnv' = composerEnv.override { php = php74; }; + app = composerEnv'.buildPackage ( + import ./php-packages.nix { composerEnv = composerEnv'; inherit fetchurl; } // rec { version = "master-7d86952"; pname = "agorakit"; diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix index 8178d0d..d042705 100644 --- a/modules/private/websites/connexionswing/integration.nix +++ b/modules/private/websites/connexionswing/integration.nix @@ -102,7 +102,7 @@ in { database_name: ${secrets.mysql.database} database_user: ${secrets.mysql.user} database_password: ${secrets.mysql.password} - database_server_version: ${pkgs.mariadb.mysqlVersion} + database_server_version: ${config.myServices.databases.mariadb.package.mysqlVersion} mailer_transport: sendmail mailer_host: null mailer_user: null diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix index 8d16de6..1260048 100644 --- a/modules/private/websites/connexionswing/production.nix +++ b/modules/private/websites/connexionswing/production.nix 
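Review bot: `phpPackage = pkgs.php74;` pins this site to PHP 7.4, which left active support in November 2021 and receives security fixes only until November 2022; the php-application.nix hunk further down makes the same pin the global default (`services.phpfpm.phpPackage = pkgs.php74;`), and the gestion-compte/default.nix hunk pins `php73`, whose security support ended in December 2021. A pin to an out-of-support interpreter deserves a dated comment so it is revisited, e.g. `phpPackage = pkgs.php74; # security-only until 2022-11, revisit`. The `php73` pin is the one I would not ship without a plan to move gestion-compte forward, since that branch no longer receives fixes at all.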
@@ -103,7 +103,7 @@ in { database_name: ${secrets.mysql.database} database_user: ${secrets.mysql.user} database_password: ${secrets.mysql.password} - database_server_version: ${pkgs.mariadb.mysqlVersion} + database_server_version: ${config.myServices.databases.mariadb.package.mysqlVersion} mailer_transport: sendmail mailer_host: null mailer_user: null diff --git a/modules/private/websites/denise/bingo.nix b/modules/private/websites/denise/bingo.nix index 5c0f85d..d9bdc73 100644 --- a/modules/private/websites/denise/bingo.nix +++ b/modules/private/websites/denise/bingo.nix @@ -35,7 +35,7 @@ in { Type = "simple"; WorkingDirectory = varDir; ExecStart = let - python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]); + python = pkgs.python39.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]); in "${python}/bin/gunicorn -w4 -p /run/denise_bingo/gunicorn.pid --bind unix:${socket} app:app"; User = "wwwrun"; @@ -84,7 +84,7 @@ in { Type = "simple"; WorkingDirectory = varDirBeta; ExecStart = let - python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask ]); + python = pkgs.python39.withPackages (p: [ p.gunicorn p.flask ]); in "${python}/bin/gunicorn -w4 -p /run/denise_bingo_beta/gunicorn.pid --bind unix:${socket_beta} app:app"; User = "wwwrun"; diff --git a/modules/private/websites/denise/oms.nix b/modules/private/websites/denise/oms.nix index e58ff68..5561e72 100644 --- a/modules/private/websites/denise/oms.nix +++ b/modules/private/websites/denise/oms.nix @@ -35,7 +35,7 @@ in { Type = "simple"; WorkingDirectory = varDir; ExecStart = let - python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]); + python = pkgs.python39.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]); in "${python}/bin/gunicorn -w4 -p /run/denise_oms/gunicorn.pid --bind unix:${socket} app:app"; User = "wwwrun"; 
@@ -84,7 +84,7 @@ in { Type = "simple"; WorkingDirectory = varDirBeta; ExecStart = let - python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]); + python = pkgs.python39.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]); in "${python}/bin/gunicorn -w4 -p /run/denise_oms_beta/gunicorn.pid --bind unix:${socket_beta} app:app"; User = "wwwrun"; diff --git a/modules/private/websites/florian/integration.nix b/modules/private/websites/florian/integration.nix index 8ac1f46..f0eaf42 100644 --- a/modules/private/websites/florian/integration.nix +++ b/modules/private/websites/florian/integration.nix @@ -8,7 +8,7 @@ in { options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration"; config = lib.mkIf cfg.enable { - security.acme.certs."ftp".extraDomains."ft.immae.dev" = null; + security.acme.certs."ftp".extraDomainNames = [ "ft.immae.dev" ]; services.websites.env.integration.modules = adminer.apache.modules; services.websites.env.integration.vhostConfs.florian_integration = { diff --git a/modules/private/websites/florian/production.nix b/modules/private/websites/florian/production.nix index 1c5ffa6..f9d248c 100644 --- a/modules/private/websites/florian/production.nix +++ b/modules/private/websites/florian/production.nix @@ -8,7 +8,7 @@ in { options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production"; config = lib.mkIf cfg.enable { - security.acme.certs."ftp".extraDomains."tellesflorian.com" = null; + security.acme.certs."ftp".extraDomainNames = [ "tellesflorian.com" ]; services.websites.env.production.modules = adminer.apache.modules; services.websites.env.production.vhostConfs.florian_production = { diff --git a/modules/private/websites/jerome/naturaloutil.nix b/modules/private/websites/jerome/naturaloutil.nix index 0974ce3..762fce4 100644 --- a/modules/private/websites/jerome/naturaloutil.nix 
+++ b/modules/private/websites/jerome/naturaloutil.nix @@ -13,7 +13,7 @@ in { config = lib.mkIf cfg.enable { services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ]; - security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; + security.acme.certs."ftp".extraDomainNames = [ "naturaloutil.immae.eu" ]; secrets.keys."websites/jerome/naturaloutil" = { user = apacheUser; diff --git a/modules/private/websites/ludivine/integration.nix b/modules/private/websites/ludivine/integration.nix index a0d08b3..db05b94 100644 --- a/modules/private/websites/ludivine/integration.nix +++ b/modules/private/websites/ludivine/integration.nix @@ -101,7 +101,7 @@ in { database_name: ${secrets.mysql.database} database_user: ${secrets.mysql.user} database_password: ${secrets.mysql.password} - database_server_version: ${pkgs.mariadb.mysqlVersion} + database_server_version: ${config.myServices.databases.mariadb.package.mysqlVersion} mailer_transport: smtp mailer_host: 127.0.0.1 mailer_user: null diff --git a/modules/private/websites/ludivine/production.nix b/modules/private/websites/ludivine/production.nix index a245f3f..e1e13a5 100644 --- a/modules/private/websites/ludivine/production.nix +++ b/modules/private/websites/ludivine/production.nix @@ -101,7 +101,7 @@ in { database_name: ${secrets.mysql.database} database_user: ${secrets.mysql.user} database_password: ${secrets.mysql.password} - database_server_version: ${pkgs.mariadb.mysqlVersion} + database_server_version: ${config.myServices.databases.mariadb.package.mysqlVersion} mailer_transport: smtp mailer_host: 127.0.0.1 mailer_user: null diff --git a/modules/private/websites/nassime/production.nix b/modules/private/websites/nassime/production.nix index 1179351..fa70ca8 100644 --- a/modules/private/websites/nassime/production.nix +++ b/modules/private/websites/nassime/production.nix 
@@ -10,7 +10,7 @@ in { config = lib.mkIf cfg.enable { services.webstats.sites = [ { name = domain; } ]; - security.acme.certs."ftp".extraDomains."${domain}" = null; + security.acme.certs."ftp".extraDomainNames = [ domain ]; services.websites.env.production.vhostConfs.nassime = { certName = "nassime"; diff --git a/modules/private/websites/nath/villon.nix b/modules/private/websites/nath/villon.nix index 57a1df5..06a3a9a 100644 --- a/modules/private/websites/nath/villon.nix +++ b/modules/private/websites/nath/villon.nix @@ -18,7 +18,7 @@ in { install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${varDir} ''; }; - security.acme.certs."ftp".extraDomains."${domain}" = null; + security.acme.certs."ftp".extraDomainNames = [ domain ]; services.websites.env.production.vhostConfs.nath_villon = { certName = "nath"; diff --git a/modules/private/websites/nicecoop/gestion-compte.nix b/modules/private/websites/nicecoop/gestion-compte.nix index 0d86297..fbdd4b0 100644 --- a/modules/private/websites/nicecoop/gestion-compte.nix +++ b/modules/private/websites/nicecoop/gestion-compte.nix @@ -122,7 +122,7 @@ in { name = secrets.mysql.database; user = secrets.mysql.user; password = secrets.mysql.password; - version = pkgs.mariadb.mysqlVersion; + version = config.myServices.databases.mariadb.package.mysqlVersion; }; admipassword = secrets.adminpassword; smtp = { diff --git a/modules/private/websites/nicecoop/gestion-compte/default.nix b/modules/private/websites/nicecoop/gestion-compte/default.nix index 2b33e7e..090f135 100644 --- a/modules/private/websites/nicecoop/gestion-compte/default.nix +++ b/modules/private/websites/nicecoop/gestion-compte/default.nix 
@@ -1,9 +1,10 @@ { varDir , secretsPath -, composerEnv, fetchFromGitHub, fetchurl, fetchgit }: +, composerEnv, fetchFromGitHub, fetchurl, fetchgit, php73 }: let - app = composerEnv.buildPackage ( - import ./php-packages.nix { inherit composerEnv fetchurl fetchgit; } // + composerEnv' = composerEnv.override { php = php73; }; + app = composerEnv'.buildPackage ( + import ./php-packages.nix { composerEnv = composerEnv'; inherit fetchurl fetchgit; } // rec { version = "1.32.3"; pname = "gestion-compte"; diff --git a/modules/private/websites/nicecoop/gestion-compte_integration.nix b/modules/private/websites/nicecoop/gestion-compte_integration.nix index 8c5d270..bdc2d1a 100644 --- a/modules/private/websites/nicecoop/gestion-compte_integration.nix +++ b/modules/private/websites/nicecoop/gestion-compte_integration.nix @@ -121,7 +121,7 @@ in { name = secrets.mysql.database; user = secrets.mysql.user; password = secrets.mysql.password; - version = pkgs.mariadb.mysqlVersion; + version = config.myServices.databases.mariadb.package.mysqlVersion; }; admipassword = secrets.adminpassword; smtp = { diff --git a/modules/private/websites/nicecoop/odoo/shell_generate_poetry.nix b/modules/private/websites/nicecoop/odoo/shell_generate_poetry.nix index 0efc9d6..4291fdb 100644 --- a/modules/private/websites/nicecoop/odoo/shell_generate_poetry.nix +++ b/modules/private/websites/nicecoop/odoo/shell_generate_poetry.nix @@ -18,7 +18,7 @@ let requires = ["poetry-core>=1.0.0"] build-backend = "poetry.core.masonry.api" ''; - newPoetry = pkgs.poetry.override { python = pkgs.python36; }; + newPoetry = pkgs.poetry.override { python = pkgs.python37; }; in pkgs.mkShell { buildInputs = [ pkgs.perl pkgs.gcc pkgs.libjpeg pkgs.libxslt pkgs.pkg-config pkgs.postgresql_11 pkgs.cyrus_sasl pkgs.openldap pkgs.zlib pkgs.file pkgs.libxml2 newPoetry ]; diff --git a/modules/private/websites/papa/surveillance.nix b/modules/private/websites/papa/surveillance.nix index a8e5149..9cf635b 100644 
--- a/modules/private/websites/papa/surveillance.nix +++ b/modules/private/websites/papa/surveillance.nix @@ -7,7 +7,7 @@ in { options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website"; config = lib.mkIf cfg.enable { - security.acme.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null; + security.acme.certs."ftp".extraDomainNames = [ "surveillance.maison.bbc.bouya.org" ]; services.cron = { systemCronJobs = let diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix index 01f681c..1bf0364 100644 --- a/modules/private/websites/piedsjaloux/integration.nix +++ b/modules/private/websites/piedsjaloux/integration.nix @@ -102,7 +102,7 @@ in { database_name: ${secrets.mysql.database} database_user: ${secrets.mysql.user} database_password: ${secrets.mysql.password} - database_server_version: ${pkgs.mariadb.mysqlVersion} + database_server_version: ${config.myServices.databases.mariadb.package.mysqlVersion} mailer_transport: smtp mailer_host: 127.0.0.1 mailer_user: null diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix index bd9e1e2..a6f5d3e 100644 --- a/modules/private/websites/piedsjaloux/production.nix +++ b/modules/private/websites/piedsjaloux/production.nix @@ -102,7 +102,7 @@ in { database_name: ${secrets.mysql.database} database_user: ${secrets.mysql.user} database_password: ${secrets.mysql.password} - database_server_version: ${pkgs.mariadb.mysqlVersion} + database_server_version: ${config.myServices.databases.mariadb.package.mysqlVersion} mailer_transport: smtp mailer_host: 127.0.0.1 mailer_user: null diff --git a/modules/private/websites/telio_tortay/production.nix b/modules/private/websites/telio_tortay/production.nix index 16eca74..fc1e9a2 100644 --- a/modules/private/websites/telio_tortay/production.nix +++ b/modules/private/websites/telio_tortay/production.nix 
@@ -12,7 +12,7 @@ in { config = lib.mkIf cfg.enable { services.webstats.sites = [ { name = "telio-tortay.immae.eu"; } ]; - security.acme.certs."ftp".extraDomains."telio-tortay.immae.eu" = null; + security.acme.certs."ftp".extraDomainNames = [ "telio-tortay.immae.eu" ]; system.activationScripts.telio_tortay = { deps = [ "httpd" ]; diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix index 6ac6a76..37da3c3 100644 --- a/modules/private/websites/tools/mastodon/default.nix +++ b/modules/private/websites/tools/mastodon/default.nix 
@@ -98,19 +98,19 @@ in { RewriteEngine On - ProxyPass /500.html ! - ProxyPass /sw.js ! - ProxyPass /embed.js ! - ProxyPass /robots.txt ! - ProxyPass /manifest.json ! - ProxyPass /browserconfig.xml ! - ProxyPass /mask-icon.svg ! - ProxyPassMatch ^(/.*\.(png|ico|gif)$) ! - ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) ! - RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L] + RewriteRule ^/api/v1/streaming/public$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/public [P,NE,QSA,L] RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L] - ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/ + RewriteCond %{REQUEST_URI} !/500.html + RewriteCond %{REQUEST_URI} !/sw.js + RewriteCond %{REQUEST_URI} !/embed.js + RewriteCond %{REQUEST_URI} !/robots.txt + RewriteCond %{REQUEST_URI} !/manifest.json + RewriteCond %{REQUEST_URI} !/browserconfig.xml + RewriteCond %{REQUEST_URI} !/mask-icon.svg + RewriteCond %{REQUEST_URI} !^(/.*\.(png|ico|gif)$) + RewriteCond %{REQUEST_URI} !^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) + RewriteRule ^/(.*)$ unix:///run/mastodon/live_immae_puma.sock|http://mastodon.immae.eu/$1 [P,NE,QSA,L] ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/ Alias /system ${mcfg.dataDir} diff --git a/modules/private/websites/tools/peertube/default.nix b/modules/private/websites/tools/peertube/default.nix index 68c992f..c491d92 100644 --- a/modules/private/websites/tools/peertube/default.nix +++ b/modules/private/websites/tools/peertube/default.nix 
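Review bot: The new catch-all `RewriteRule ^/(.*)$` hard-codes `unix:///run/mastodon/live_immae_puma.sock` while the `ProxyPassReverse` line directly below still uses `${mcfg.sockets.rails}`; the two must name the same socket, so the rule should interpolate `${mcfg.sockets.rails}` as well. The exclusion conditions that replace the old `ProxyPass … !` lines are unanchored substring regexes (`!/500.html` also matches `/foo/500xhtml`), whereas `ProxyPass` matched a path prefix; anchoring them with `^`/`$` and escaping the dots restores the intended scope, as below. I assume the narrowing of the streaming rule from `^/api/v1/streaming/(.+)$` to `/public` only is intentional for the targeted Mastodon version; if not, other `/api/v1/streaming/<type>` requests now reach puma instead of the node streaming server.
```nix
# … unchanged: RewriteEngine On and the two /api/v1/streaming rules …
RewriteCond %{REQUEST_URI} !^/500\.html$
RewriteCond %{REQUEST_URI} !^/sw\.js$
RewriteCond %{REQUEST_URI} !^/embed\.js$
RewriteCond %{REQUEST_URI} !^/robots\.txt$
RewriteCond %{REQUEST_URI} !^/manifest\.json$
RewriteCond %{REQUEST_URI} !^/browserconfig\.xml$
RewriteCond %{REQUEST_URI} !^/mask-icon\.svg$
RewriteCond %{REQUEST_URI} !^/.*\.(png|ico|gif)$
RewriteCond %{REQUEST_URI} !^/(assets|avatars|emoji|headers|packs|sounds|system|\.well-known/acme-challenge)
RewriteRule ^/(.*)$ unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/$1 [P,NE,QSA,L]
# … unchanged: ProxyPassReverse and Alias /system …
```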
@@ -2,14 +2,14 @@ let env = config.myEnv.tools.peertube; cfg = config.myServices.websites.tools.peertube; - pcfg = config.services.peertube; + pcfg = config.immaeServices.peertube; in { options.myServices.websites.tools.peertube = { enable = lib.mkEnableOption "enable Peertube's website"; }; config = lib.mkIf cfg.enable { - services.peertube = { + immaeServices.peertube = { enable = true; configFile = config.secrets.fullPaths."webapps/tools-peertube"; }; diff --git a/modules/websites/default.nix b/modules/websites/default.nix index 6658c66..f6ee059 100644 --- a/modules/websites/default.nix +++ b/modules/websites/default.nix @@ -149,6 +149,7 @@ in ''; }; toVhost = ips: vhostConf: { + acmeRoot = "/var/lib/acme/acme-challenges"; forceSSL = vhostConf.forceSSL or true; useACMEHost = vhostConf.certName; logFormat = "combinedVhost"; @@ -232,12 +233,10 @@ in if (!isNull (groupToDomain g)) then cfg.certs // { domain = groupToDomain g; - extraDomains = builtins.listToAttrs ( - map (d: attrsets.nameValuePair d null) (extraDomains g)); + extraDomainNames = extraDomains g; } else { - extraDomains = builtins.listToAttrs ( - map (d: attrsets.nameValuePair d null) (extraDomains g)); + extraDomainNames = extraDomains g; } ) groupedCerts; diff --git a/modules/websites/httpd-service-builder.nix b/modules/websites/httpd-service-builder.nix index 1f7488d..ec8f0be 100644 --- a/modules/websites/httpd-service-builder.nix +++ b/modules/websites/httpd-service-builder.nix @@ -634,7 +634,7 @@ in group = mkDefault cfg.group; email = if hostOpts.adminAddr != null then hostOpts.adminAddr else cfg.adminAddr; webroot = hostOpts.acmeRoot; - extraDomains = genAttrs hostOpts.serverAliases (alias: null); + extraDomainNames = hostOpts.serverAliases; postRun = "systemctl reload httpd.service"; }) (filterAttrs (name: hostOpts: hostOpts.enableACME) cfg.virtualHosts); diff --git a/modules/websites/php-application.nix b/modules/websites/php-application.nix index 879a01a..b9d9886 100644 
--- a/modules/websites/php-application.nix +++ b/modules/websites/php-application.nix @@ -149,6 +149,7 @@ in } ) cfgByEnv; + services.phpfpm.phpPackage = pkgs.php74; services.phpfpm.pools = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair name { user = icfg.httpdUser; diff --git a/modules/zrepl.nix b/modules/zrepl.nix index bc3e7e1..7bee4e1 100644 --- a/modules/zrepl.nix +++ b/modules/zrepl.nix @@ -1,10 +1,10 @@ { config, lib, pkgs, name, ... }: let - cfg = config.services.zrepl; + cfg = config.immaeServices.zrepl; in { options = { - services.zrepl = { + immaeServices.zrepl = { enable = lib.mkEnableOption "Enable the zrepl daemon"; config = lib.mkOption { diff --git a/nix/sources.json b/nix/sources.json index 514ddcd..d25f195 100644 --- a/nix/sources.json +++ b/nix/sources.json 
@@ -5,58 +5,34 @@ "homepage": "https://rycee.gitlab.io/home-manager/", "owner": "rycee", "repo": "home-manager", - "rev": "6cf6b587b575493e7718bf08b209013d7dcf4d58", - "sha256": "0666ayxazbphjn5xcrczv8m7k2q62k224fvf0kz1lx9qjn93wkvr", + "rev": "9580f6c42af2535dc7890edb681ead090f5105f2", + "sha256": "0ahfyaba0zkh3hhxfk7pp9smbz7bykqfp5hcd36qig7bnppwa3jq", "type": "tarball", - "url": "https://github.com/rycee/home-manager/archive/6cf6b587b575493e7718bf08b209013d7dcf4d58.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "nixpkgs": { - "branch": "nixos-unstable", - "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to", - "homepage": "https://github.com/NixOS/nixpkgs", - "owner": "NixOS", - "repo": "nixpkgs-channels", - "rev": "fce7562cf46727fdaf801b232116bc9ce0512049", - "sha256": "14rvi69ji61x3z88vbn17rg5vxrnw2wbnanxb7y0qzyqrj7spapx", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs-channels/archive/fce7562cf46727fdaf801b232116bc9ce0512049.tar.gz", + "url": "https://github.com/rycee/home-manager/archive/9580f6c42af2535dc7890edb681ead090f5105f2.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs-home-manager": { "branch": "nixos-unstable", - "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to", - "homepage": "https://github.com/NixOS/nixpkgs", - "owner": "NixOS", - "repo": "nixpkgs-channels", - "rev": "c59ea8b8a0e7f927e7291c14ea6cd1bd3a16ff38", - "sha256": "1ak7jqx94fjhc68xh1lh35kh3w3ndbadprrb762qgvcfb8351x8v", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs-channels/archive/c59ea8b8a0e7f927e7291c14ea6cd1bd3a16ff38.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "nixpkgs-nix": { - "branch": "nixos-unstable", - "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. 
Send issues and PRs to", + "description": "Nix Packages collection", "homepage": "https://github.com/NixOS/nixpkgs", "owner": "NixOS", "repo": "nixpkgs", - "rev": "891f607d5301d6730cb1f9dcf3618bcb1ab7f10e", - "sha256": "1cr39f0sbr0h5d83dv1q34mcpwnkwwbdk5fqlyqp2mnxghzwssng", + "rev": "062a0c5437b68f950b081bbfc8a699d57a4ee026", + "sha256": "0vfd7g1gwy9lcnnv8kclqr68pndd9sg0xq69h465zbbzb2vnijh9", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/891f607d5301d6730cb1f9dcf3618bcb1ab7f10e.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/062a0c5437b68f950b081bbfc8a699d57a4ee026.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs-nixops": { "branch": "nixos-unstable", - "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to", + "description": "Nix Packages collection", "homepage": "https://github.com/NixOS/nixpkgs", "owner": "NixOS", - "repo": "nixpkgs-channels", - "rev": "840c782d507d60aaa49aa9e3f6d0b0e780912742", - "sha256": "14q3kvnmgz19pgwyq52gxx0cs90ddf24pnplmq33pdddbb6c51zn", + "repo": "nixpkgs", + "rev": "062a0c5437b68f950b081bbfc8a699d57a4ee026", + "sha256": "0vfd7g1gwy9lcnnv8kclqr68pndd9sg0xq69h465zbbzb2vnijh9", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs-channels/archive/840c782d507d60aaa49aa9e3f6d0b0e780912742.tar.gz", + "url": "https://github.com/NixOS/nixpkgs/archive/062a0c5437b68f950b081bbfc8a699d57a4ee026.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "webapps-landing": { diff --git a/overlays/bitlbee-discord/default.nix b/overlays/bitlbee-discord/default.nix index bf8e5db..4227677 100644 --- a/overlays/bitlbee-discord/default.nix +++ b/overlays/bitlbee-discord/default.nix 
@@ -1,12 +1,12 @@ self: super: { bitlbee-discord = super.bitlbee-discord.overrideAttrs(old: rec { - version = "master-3061edd"; + version = "master"; name = "bitlbee-discord-${version}"; src = self.fetchFromGitHub { - rev = "master"; + rev = "607f9887ca85f246e970778e3d40aa5c346365a7"; owner = "sm00th"; repo = "bitlbee-discord"; - sha256 = "07gjd4b0g09888gpaqwcjafr8m292y2qz0gzharxjh1k2jbs88g3"; + sha256 = "0jkwhx2walx2ay0vc9x13q0j1qq4r5x30ss03a3j7ks28xvsnxc7"; }; }); } diff --git a/overlays/bonfire/default.nix b/overlays/bonfire/default.nix index 6dc1034..4718295 100644 --- a/overlays/bonfire/default.nix +++ b/overlays/bonfire/default.nix @@ -1,36 +1,15 @@ self: super: { bonfire = let - click = self.python3Packages.click.overridePythonAttrs(old: rec { - version = "6.7"; - src = self.python3Packages.fetchPypi { - pname = "click"; - inherit version; - sha256 = "02qkfpykbq35id8glfgwc38yc430427yd05z1wc5cnld8zgicmgi"; - }; - postPatch = '' - substituteInPlace click/_unicodefun.py --replace "'locale'" "'${self.locale}/bin/locale'" - ''; - doCheck = false; - }); - keyring = self.python3Packages.keyring.overridePythonAttrs(old: rec { - version = "20.0.1"; - src = self.python3Packages.fetchPypi { - pname = "keyring"; - inherit version; - sha256 = "963bfa7f090269d30bdc5e25589e5fd9dad2cf2a7c6f176a7f2386910e5d0d8d"; - }; - }); in super.bonfire.overridePythonAttrs(old: { version = "0.0.8"; src = self.fetchFromGitHub { owner = "blue-yonder"; repo = "bonfire"; - rev = "0a0f18469d484aba6871fa7421bbb2c00ccefcb0"; - sha256 = "1y2r537ibghhmk6jngw0zwvh1vn2bihqcvji50ffh1j0qc6q3x6x"; + rev = "6807fd36e27605bfdf9858bcb345c97b55cf013d"; + sha256 = "1ngggsi8x8qilhjzpv0srgdyzdn82m6g6gqszbdgn1splqqv3iyl"; }; postPatch = ""; - propagatedBuildInputs = self.lib.subtractLists [ self.python3Packages.click self.python3Packages.keyring ] old.propagatedBuildInputs ++ [ click keyring ]; meta.broken = false; }); } 
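Review bot: `version = "master"` drops the commit reference that the old `master-3061edd` carried, so the store path name no longer tells which commit was built. Pinning `rev` to a commit hash is the right move — the previous `rev = "master"` with a fixed `sha256` would have broken silently the moment upstream moved — but keeping the abbreviated commit in the version preserves that traceability: `version = "master-607f988";`.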
diff --git a/overlays/databases/mysql/default.nix b/overlays/databases/mysql/default.nix index f9e5791..62d7687 100644 --- a/overlays/databases/mysql/default.nix +++ b/overlays/databases/mysql/default.nix @@ -1,8 +1,9 @@ self: super: rec { - mariadb_pam = super.mariadb.overrideAttrs(old: { + mariadb_pam = super.mariadb_106.overrideAttrs(old: { cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; buildInputs = old.buildInputs ++ [ self.pam ]; outputs = old.outputs ++ [ "dev" ]; + passthru = old.passthru // { mysqlVersion = "5.7"; }; postInstall = '' mkdir -p $dev $dev/lib $dev/share cp -a $out/include $dev diff --git a/overlays/default.nix b/overlays/default.nix index f4d28bc..3f01f45 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -1,7 +1,6 @@ let flakeCompat = import ../lib/flake-compat.nix; flakes = builtins.foldl' (a: b: a // b) {} (map (n: (flakeCompat n).overlays) [ - ../flakes/backports ../flakes/etherpad-lite ../flakes/grocy ../flakes/openarc @@ -12,6 +11,7 @@ let ../flakes/mediagoblin ../flakes/private/peertube ../flakes/private/buildbot + ../flakes/private/php ]); in flakes // { mylibs = self: super: { mylibs = import ../lib { pkgs = self; }; }; @@ -32,16 +32,13 @@ in flakes // { lesspipe = import ./lesspipe; mysql = import ./databases/mysql; neomutt = import ./neomutt; - nixops = import ./nixops; pass = import ./pass; php-packages = import ./php-packages; postfix = import ./postfix; postgresql = import ./databases/postgresql; - procps-ng = import ./procps-ng; - sc-im = import ./sc-im; + procps = import ./procps-ng; shaarli = import ./shaarli; slrn = import ./slrn; - taskwarrior = import ./taskwarrior; vcsh = import ./vcsh; weechat = import ./weechat; ympd = import ./ympd; diff --git a/overlays/dwm/dwm_config.h b/overlays/dwm/dwm_config.h index b1587e8..55f4253 100644 --- a/overlays/dwm/dwm_config.h +++ b/overlays/dwm/dwm_config.h 
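Review bot: The new `passthru.mysqlVersion = "5.7"` on a `mariadb_106`-based derivation feeds Doctrine's `database_server_version` in the connexionswing, ludivine, piedsjaloux and gestion-compte hunks earlier in this commit, so those applications are told they talk to MySQL 5.7 while the server is MariaDB 10.6; as far as I know Doctrine selects its SQL platform from that string, so generated DDL and schema diffs may not match the server. If the value is deliberately kept equal to what the unversioned `mariadb` attribute used to expose, say so: `# compat: same value nixpkgs' mariadb exposed; Doctrine would accept a "mariadb-10.6.x" string instead`. Otherwise consider advertising the real MariaDB version.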
@@ -34,6 +34,7 @@ static const Rule rules[] = { static const float mfact = 0.55; /* factor of master area size [0.05..0.95] */ static const int nmaster = 1; /* number of clients in master area */ static const int resizehints = 1; /* 1 means respect size hints in tiled resizals */ +static const int lockfullscreen = 1; /* 1 will force focus on the fullscreen window */ static const Layout layouts[] = { /* symbol arrange function */ diff --git a/overlays/elinks/default.nix b/overlays/elinks/default.nix index 1744dc0..310484e 100644 --- a/overlays/elinks/default.nix +++ b/overlays/elinks/default.nix @@ -1,14 +1,7 @@ self: super: { - elinks = super.elinks.overrideAttrs (old: - self.mylibs.fetchedGithub ./elinks.json // rec { - preConfigure = ''sh autogen.sh''; - buildInputs = old.buildInputs ++ (with self; [ gettext automake autoconf ]); - configureFlags = [ - "--disable-smb" "--without-x" "--enable-cgi" - "--enable-leds" "--enable-256-colors" - "--enable-html-highlight" "--with-zlib" - ]; - patches = []; - } - ); + elinks = super.elinks.overrideAttrs (old: rec { + configureFlags = old.configureFlags ++ [ + "--disable-smb" "--without-x" "--enable-leds" "--with-zlib" + ]; + }); } diff --git a/overlays/elinks/elinks.json b/overlays/elinks/elinks.json deleted file mode 100644 index ea13b1f..0000000 --- a/overlays/elinks/elinks.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "tag": "f86be65-master", - "meta": { - "name": "elinks", - "url": "https://github.com/nabetaro/elinks", - "branch": "master" - }, - "github": { - "owner": "nabetaro", - "repo": "elinks", - "rev": "f86be659718c0cd0a67f88b42f07044c23d0d028", - "sha256": "1jxb7xgawcjkb3gw4gqyw26g02709wwdbhyczfckh3l4njxhy14m", - "fetchSubmodules": true - } -} diff --git a/overlays/ledger/default.nix b/overlays/ledger/default.nix index 9f2df57..ad52fe8 100644 --- a/overlays/ledger/default.nix +++ b/overlays/ledger/default.nix 
@@ -15,6 +15,12 @@ self: super: { sha256 = "0n82mjz9i17800r7vs45sxpss14rivsf1j8hrv7jal24iyfm01dz"; excludes = [ "doc/NEWS.md" ]; }) + (self.fetchpatch { + name = "path_local.patch"; + url = "https://github.com/ledger/ledger/commit/ba8ec32435313b4749a3733071b3184ca6bd8e14.patch"; + sha256 = "17zgc765ypcf808jay271kqv7m17slr37q13gzllp776qi2n95ca"; + excludes = [ "test/regress/BF3C1F82-2.test" ]; + }) ]; }); } diff --git a/overlays/morph/default.nix b/overlays/morph/default.nix index 448f051..b316d70 100644 --- a/overlays/morph/default.nix +++ b/overlays/morph/default.nix @@ -1,5 +1,27 @@ self: super: { - morph = super.morph.overrideAttrs(old: { - patches = (old.patches or []) ++ [ ./verbose_nix.patch ./dry-run.patch ]; + morph = super.morph.overrideAttrs(old: rec { + version = "1.6.0-30-g5b85237"; + src = self.fetchFromGitHub { + owner = "dbcdk"; + repo = "morph"; + rev = "5b852370d8054a895b5ba79b5ef017c3afbb3a3c"; + sha256 = "166dwibbpb90bdy8dvhlinh6gc509f8pq8wn345h01pilf7fc8fh"; + }; + + ldflags = [ + "-X main.version=${version}" + ]; + preBuild = '' + ldflags+=" -X main.assetRoot=$lib" + ''; + postInstall = '' + mkdir -p $lib + cp -v ./data/*.nix $lib + ''; + + outputs = [ "out" "lib" ]; + vendorSha256 = "08zzp0h4c4i5hk4whz06a3da7qjms6lr36596vxz0d8q0n7rspr9"; + + patches = (old.patches or []) ++ [ ./dry-run.patch ]; }); } diff --git a/overlays/neomutt/default.nix b/overlays/neomutt/default.nix index 06de682..2b3bf9a 100644 --- a/overlays/neomutt/default.nix +++ b/overlays/neomutt/default.nix @@ -1,12 +1,5 @@ self: super: { neomutt = super.neomutt.overrideAttrs(old: rec { - version = "20211029"; - src = self.fetchFromGitHub { - owner = "neomutt"; - repo = "neomutt"; - rev = "3429205b716c12eff84db4b35daf91a7e959e31d"; - sha256 = "17mfdi2brdmd6mjg04rsnz2aqngbmp6vb4xja9q1cvhdagcs0sxv"; - }; nativeBuildInputs = old.nativeBuildInputs ++ [self.w3m]; patches = old.patches or [] ++ [ ./tx.patch 
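Review bot: The `src` and `vendorSha256` set inside `overrideAttrs` in the morph hunk may not reach the Go vendoring step: in the `buildGoModule` of this era the `go-modules` fixed-output derivation is built from the `src` given when the package is first called and its store path is interpolated into `configurePhase`, so a `vendorSha256` passed through `overrideAttrs` is ignored and the old vendor tree is reused with the new source (this depends on the pinned nixpkgs, so confirm with a build). If so, the new revision has to be supplied before `buildGoModule` runs — e.g. override the package's `buildGoModule` argument via `super.morph.override` so `src` and `vendorSha256` are part of the original call — and keep only `ldflags`, `preBuild`, `postInstall`, `outputs` and `patches` in the `overrideAttrs`. A comment on `version` noting it is derived from the pinned `rev` (`1.6.0-30-g5b85237` describes that commit) would also keep the two from drifting apart on the next bump.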
diff --git a/overlays/nixops/default.nix b/overlays/nixops/default.nix deleted file mode 100644 index 14aec3b..0000000 --- a/overlays/nixops/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -self: super: { - nixops = super.nixops.overrideAttrs (old: { - patches = [ - ./fix_glibc.patch - (self.fetchpatch { - name = "hetzner_cloud.patch"; - url = "https://github.com/goodraven/nixops/commit/272e50d0b0262e49cdcaad42cdab57aad183d1c2.patch"; - sha256 = "12wcrb0155ald52m7fbr2m5rrxdnwdwripq91ckscgsk42mdc517"; - }) - ]; - preConfigure = (old.preConfigure or "") + '' - # https://github.com/NixOS/nixops/issues/1216 - sed -i -e "/Register the paths in the Nix database./s/#.*$/export USER=root/" nix/libvirtd-image.nix - - sed -i -e '/^import sys$/s/$/; sys.tracebacklimit = 0/' scripts/nixops - sed -i -e "/'keyFile'/s/'path'/'string'/" nixops/backends/__init__.py - sed -i -e "/security.initialRootPassword/d" nix/hetzner.nix - ''; - }); -} diff --git a/overlays/nixops/fix_glibc.patch b/overlays/nixops/fix_glibc.patch deleted file mode 100644 index 1aeb093..0000000 --- a/overlays/nixops/fix_glibc.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/nix/hetzner-bootstrap.nix b/nix/hetzner-bootstrap.nix -index 035e6f9..def42a1 100644 ---- a/nix/hetzner-bootstrap.nix -+++ b/nix/hetzner-bootstrap.nix -@@ -3,9 +3,7 @@ with import { system = "x86_64-linux"; }; - let - pkgsNative = import {}; - -- nixpart = python2Packages.nixpart0.override { -- useNixUdev = false; -- }; -+ nixpart = python2Packages.nixpart0; - - generateConfig = (import { - configuration = {}; diff --git a/overlays/nixops/hetzner_cloud.patch b/overlays/nixops/hetzner_cloud.patch deleted file mode 100644 index b75c116..0000000 --- a/overlays/nixops/hetzner_cloud.patch +++ /dev/null 
@@ -1,480 +0,0 @@ -From 272e50d0b0262e49cdcaad42cdab57aad183d1c2 Mon Sep 17 00:00:00 2001 -From: goodraven - -Date: Thu, 3 May 2018 22:24:58 -0700 -Subject: [PATCH] Initial commit adding support for hetzner cloud - -This is based on the digital ocean backend. It also uses nixos-infect. I extended nixos-infect to be generic -for both backends. - -Fixes #855 ---- - examples/trivial-hetzner-cloud.nix | 12 ++ - nix/eval-machine-info.nix | 1 + - nix/hetzner-cloud.nix | 56 +++++++ - nix/options.nix | 1 + - nixops/backends/hetzner_cloud.py | 230 +++++++++++++++++++++++++++++ - nixops/data/nixos-infect | 77 +++++++--- - 6 files changed, 354 insertions(+), 23 deletions(-) - create mode 100644 examples/trivial-hetzner-cloud.nix - create mode 100644 nix/hetzner-cloud.nix - create mode 100644 nixops/backends/hetzner_cloud.py - -diff --git a/examples/trivial-hetzner-cloud.nix b/examples/trivial-hetzner-cloud.nix -new file mode 100644 -index 000000000..c61add6bb ---- /dev/null -+++ b/examples/trivial-hetzner-cloud.nix -@@ -0,0 +1,12 @@ -+{ -+ resources.sshKeyPairs.ssh-key = {}; -+ -+ machine = { config, pkgs, ... 
}: { -+ services.openssh.enable = true; -+ -+ deployment.targetEnv = "hetznerCloud"; -+ deployment.hetznerCloud.serverType = "cx11"; -+ -+ networking.firewall.allowedTCPPorts = [ 22 ]; -+ }; -+} -diff --git a/nix/eval-machine-info.nix b/nix/eval-machine-info.nix -index 2884b4b47..6a7205786 100644 ---- a/nix/eval-machine-info.nix -+++ b/nix/eval-machine-info.nix -@@ -309,6 +309,7 @@ rec { - digitalOcean = optionalAttrs (v.config.deployment.targetEnv == "digitalOcean") v.config.deployment.digitalOcean; - gce = optionalAttrs (v.config.deployment.targetEnv == "gce") v.config.deployment.gce; - hetzner = optionalAttrs (v.config.deployment.targetEnv == "hetzner") v.config.deployment.hetzner; -+ hetznerCloud = optionalAttrs (v.config.deployment.targetEnv == "hetznerCloud") v.config.deployment.hetznerCloud; - container = optionalAttrs (v.config.deployment.targetEnv == "container") v.config.deployment.container; - route53 = v.config.deployment.route53; - virtualbox = -diff --git a/nix/hetzner-cloud.nix b/nix/hetzner-cloud.nix -new file mode 100644 -index 000000000..21d148c1a ---- /dev/null -+++ b/nix/hetzner-cloud.nix -@@ -0,0 +1,56 @@ -+{ config, pkgs, lib, utils, ... }: -+ -+with utils; -+with lib; -+with import ./lib.nix lib; -+ -+let -+ cfg = config.deployment.hetznerCloud; -+in -+{ -+ ###### interface -+ options = { -+ -+ deployment.hetznerCloud.authToken = mkOption { -+ default = ""; -+ example = "8b2f4e96af3997853bfd4cd8998958eab871d9614e35d63fab45a5ddf981c4da"; -+ type = types.str; -+ description = '' -+ The API auth token. We're checking the environment for -+ HETZNER_CLOUD_AUTH_TOKEN first and if that is -+ not set we try this auth token. -+ ''; -+ }; -+ -+ deployment.hetznerCloud.datacenter = mkOption { -+ example = "fsn1-dc8"; -+ default = null; -+ type = types.nullOr types.str; -+ description = '' -+ The datacenter. 
-+ ''; -+ }; -+ -+ deployment.hetznerCloud.location = mkOption { -+ example = "fsn1"; -+ default = null; -+ type = types.nullOr types.str; -+ description = '' -+ The location. -+ ''; -+ }; -+ -+ deployment.hetznerCloud.serverType = mkOption { -+ example = "cx11"; -+ type = types.str; -+ description = '' -+ Name or id of server types. -+ ''; -+ }; -+ }; -+ -+ config = mkIf (config.deployment.targetEnv == "hetznerCloud") { -+ nixpkgs.system = mkOverride 900 "x86_64-linux"; -+ services.openssh.enable = true; -+ }; -+} -diff --git a/nix/options.nix b/nix/options.nix -index 0866c3ab8..db021f74d 100644 ---- a/nix/options.nix -+++ b/nix/options.nix -@@ -22,6 +22,7 @@ in - ./keys.nix - ./gce.nix - ./hetzner.nix -+ ./hetzner-cloud.nix - ./container.nix - ./libvirtd.nix - ]; -diff --git a/nixops/backends/hetzner_cloud.py b/nixops/backends/hetzner_cloud.py -new file mode 100644 -index 000000000..a2cb176b9 ---- /dev/null -+++ b/nixops/backends/hetzner_cloud.py -@@ -0,0 +1,230 @@ -+# -*- coding: utf-8 -*- -+""" -+A backend for hetzner cloud. -+ -+This backend uses nixos-infect (which uses nixos LUSTRATE) to infect a -+hetzner cloud instance. The setup requires two reboots, one for -+the infect itself, another after we pushed the nixos image. 
-+""" -+import os -+import os.path -+import time -+import socket -+ -+import requests -+ -+import nixops.resources -+from nixops.backends import MachineDefinition, MachineState -+from nixops.nix_expr import Function, RawValue -+import nixops.util -+import nixops.known_hosts -+ -+infect_path = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'data', 'nixos-infect')) -+ -+API_HOST = 'api.hetzner.cloud' -+ -+class ApiError(Exception): -+ pass -+ -+class ApiNotFoundError(ApiError): -+ pass -+ -+class HetznerCloudDefinition(MachineDefinition): -+ @classmethod -+ def get_type(cls): -+ return "hetznerCloud" -+ -+ def __init__(self, xml, config): -+ MachineDefinition.__init__(self, xml, config) -+ self.auth_token = config["hetznerCloud"]["authToken"] -+ self.location = config["hetznerCloud"]["location"] -+ self.datacenter = config["hetznerCloud"]["datacenter"] -+ self.server_type = config["hetznerCloud"]["serverType"] -+ -+ def show_type(self): -+ return "{0} [{1}]".format(self.get_type(), self.location or self.datacenter or 'any location') -+ -+ -+class HetznerCloudState(MachineState): -+ @classmethod -+ def get_type(cls): -+ return "hetznerCloud" -+ -+ state = nixops.util.attr_property("state", MachineState.MISSING, int) # override -+ public_ipv4 = nixops.util.attr_property("publicIpv4", None) -+ public_ipv6 = nixops.util.attr_property("publicIpv6", None) -+ location = nixops.util.attr_property("hetznerCloud.location", None) -+ datacenter = nixops.util.attr_property("hetznerCloud.datacenter", None) -+ server_type = nixops.util.attr_property("hetznerCloud.serverType", None) -+ auth_token = nixops.util.attr_property("hetznerCloud.authToken", None) -+ server_id = nixops.util.attr_property("hetznerCloud.serverId", None, int) -+ -+ def __init__(self, depl, name, id): -+ MachineState.__init__(self, depl, name, id) -+ self.name = name -+ -+ def get_ssh_name(self): -+ return self.public_ipv4 -+ -+ def get_ssh_flags(self, *args, **kwargs): -+ super_flags = 
super(HetznerCloudState, self).get_ssh_flags(*args, **kwargs) -+ return super_flags + [ -+ '-o', 'UserKnownHostsFile=/dev/null', -+ '-o', 'StrictHostKeyChecking=no', -+ '-i', self.get_ssh_private_key_file(), -+ ] -+ -+ def get_physical_spec(self): -+ return Function("{ ... }", { -+ 'imports': [ RawValue('') ], -+ ('boot', 'loader', 'grub', 'device'): 'nodev', -+ ('fileSystems', '/'): { 'device': '/dev/sda1', 'fsType': 'ext4'}, -+ ('users', 'extraUsers', 'root', 'openssh', 'authorizedKeys', 'keys'): [self.depl.active_resources.get('ssh-key').public_key], -+ }) -+ -+ def get_ssh_private_key_file(self): -+ return self.write_ssh_private_key(self.depl.active_resources.get('ssh-key').private_key) -+ -+ def create_after(self, resources, defn): -+ # make sure the ssh key exists before we do anything else -+ return { -+ r for r in resources if -+ isinstance(r, nixops.resources.ssh_keypair.SSHKeyPairState) -+ } -+ -+ def get_auth_token(self): -+ return os.environ.get('HETZNER_CLOUD_AUTH_TOKEN', self.auth_token) -+ -+ def _api(self, path, method=None, data=None, json=True): -+ """Basic wrapper around requests that handles auth and serialization.""" -+ assert path[0] == '/' -+ url = 'https://%s%s' % (API_HOST, path) -+ token = self.get_auth_token() -+ if not token: -+ raise Exception('No hetzner cloud auth token set') -+ headers = { -+ 'Authorization': 'Bearer '+self.get_auth_token(), -+ } -+ res = requests.request( -+ method=method, -+ url=url, -+ json=data, -+ headers=headers) -+ -+ if res.status_code == 404: -+ raise ApiNotFoundError('Not Found: %r' % path) -+ elif not res.ok: -+ raise ApiError('Response for %s %s has status code %d: %s' % (method, path, res.status_code, res.content)) -+ if not json: -+ return -+ try: -+ res_data = res.json() -+ except ValueError as e: -+ raise ApiError('Response for %s %s has invalid JSON (%s): %r' % (method, path, e, res.content)) -+ return res_data -+ -+ -+ def destroy(self, wipe=False): -+ if not self.server_id: -+ self.log('server {} 
was never made'.format(self.name)) -+ return -+ self.log('destroying server {} with id {}'.format(self.name, self.server_id)) -+ try: -+ res = self._api('/v1/servers/%s' % (self.server_id), method='DELETE') -+ except ApiNotFoundError: -+ self.log("server not found - assuming it's been destroyed already") -+ -+ self.public_ipv4 = None -+ self.server_id = None -+ -+ return True -+ -+ def _create_ssh_key(self, public_key): -+ """Create or get an ssh key and return an id.""" -+ public_key = public_key.strip() -+ res = self._api('/v1/ssh_keys', method='GET') -+ name = 'nixops-%s-%s' % (self.depl.uuid, self.name) -+ deletes = [] -+ for key in res['ssh_keys']: -+ if key['public_key'].strip() == public_key: -+ return key['id'] -+ if key['name'] == name: -+ deletes.append(key['id']) -+ for d in deletes: -+ # This reply is empty, so don't decode json. -+ self._api('/v1/ssh_keys/%d' % d, method='DELETE', json=False) -+ res = self._api('/v1/ssh_keys', method='POST', data={ -+ 'name': name, -+ 'public_key': public_key, -+ }) -+ return res['ssh_key']['id'] -+ -+ def create(self, defn, check, allow_reboot, allow_recreate): -+ ssh_key = self.depl.active_resources.get('ssh-key') -+ if ssh_key is None: -+ raise Exception('Please specify a ssh-key resource (resources.sshKeyPairs.ssh-key = {}).') -+ -+ self.set_common_state(defn) -+ -+ if self.server_id is not None: -+ return -+ -+ ssh_key_id = self._create_ssh_key(ssh_key.public_key) -+ -+ req = { -+ 'name': self.name, -+ 'server_type': defn.server_type, -+ 'start_after_create': True, -+ 'image': 'debian-9', -+ 'ssh_keys': [ -+ ssh_key_id, -+ ], -+ } -+ -+ if defn.datacenter: -+ req['datacenter'] = defn.datacenter -+ elif defn.location: -+ req['location'] = defn.location -+ -+ self.log_start("creating server ...") -+ create_res = self._api('/v1/servers', method='POST', data=req) -+ self.server_id = create_res['server']['id'] -+ self.public_ipv4 = create_res['server']['public_net']['ipv4']['ip'] -+ self.public_ipv6 = 
create_res['server']['public_net']['ipv6']['ip'] -+ self.datacenter = create_res['server']['datacenter']['name'] -+ self.location = create_res['server']['datacenter']['location']['name'] -+ -+ action = create_res['action'] -+ action_path = '/v1/servers/%d/actions/%d' % (self.server_id, action['id']) -+ -+ while action['status'] == 'running': -+ time.sleep(1) -+ res = self._api(action_path, method='GET') -+ action = res['action'] -+ -+ if action['status'] != 'success': -+ raise Exception('unexpected status: %s' % action['status']) -+ -+ self.log_end("{}".format(self.public_ipv4)) -+ -+ self.wait_for_ssh() -+ self.log_start("running nixos-infect") -+ self.run_command('bash &1', stdin=open(infect_path)) -+ self.reboot_sync() -+ -+ def reboot(self, hard=False): -+ if hard: -+ self.log("sending hard reset to server...") -+ res = self._api('/v1/servers/%d/actions/reset' % self.server_id, method='POST') -+ action = res['action'] -+ action_path = '/v1/servers/%d/actions/%d' % (self.server_id, action['id']) -+ while action['status'] == 'running': -+ time.sleep(1) -+ res = self._api(action_path, method='GET') -+ action = res['action'] -+ if action['status'] != 'success': -+ raise Exception('unexpected status: %s' % action['status']) -+ self.wait_for_ssh() -+ self.state = self.STARTING -+ else: -+ MachineState.reboot(self, hard=hard) -diff --git a/nixops/data/nixos-infect b/nixops/data/nixos-infect -index 66634357b..437a2ec61 100644 ---- a/nixops/data/nixos-infect -+++ b/nixops/data/nixos-infect -@@ -68,26 +68,49 @@ makeConf() { - } - EOF - # (nixos-generate-config will add qemu-user and bind-mounts, so avoid) -+ local disk -+ if [ -e /dev/sda ]; then -+ disk=/dev/sda -+ else -+ disk=/dev/vda -+ fi - cat > /etc/nixos/hardware-configuration.nix << EOF - { ... 
}: - { - imports = [ ]; -- boot.loader.grub.device = "/dev/vda"; -- fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; }; -+ boot.loader.grub.device = "${disk}"; -+ fileSystems."/" = { device = "${disk}1"; fsType = "ext4"; }; - } - EOF - - local IFS=$'\n' -- ens3_ip4s=($(ip address show dev eth0 | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')) -- ens3_ip6s=($(ip address show dev eth0 | grep 'inet6 .*global' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')) -- ens4_ip4s=($(ip address show dev eth1 | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')) -- ens4_ip6s=($(ip address show dev eth1 | grep 'inet6 .*global' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')) -- gateway=($(ip route show dev eth0 | grep default | sed -r 's|default via ([0-9.]+).*|\1|')) -- gateway6=($(ip -6 route show dev eth0 | grep default | sed -r 's|default via ([0-9a-f:]+).*|\1|')) -- ether0=($(ip address show dev eth0 | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|')) -- ether1=($(ip address show dev eth1 | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|')) -+ gateway=($(ip route show | grep default | sed -r 's|default via ([0-9.]+).*|\1|')) -+ gateway6=($(ip -6 route show | grep default | sed -r 's|default via ([0-9a-f:]+).*|\1|')) -+ interfaces=($(ip link | awk -F ': ' '/^[0-9]*: / {if ($2 != "lo") {print $2}}')) - nameservers=($(grep ^nameserver /etc/resolv.conf | cut -f2 -d' ')) - -+ # Predict the predictable name for each interface since that is enabled in -+ # the nixos system. -+ declare -A predictable_names -+ for interface in ${interfaces[@]}; do -+ # udevadm prints out the candidate names which will be selected if -+ # available in this order. 
-+ local name=$(udevadm info /sys/class/net/$interface | awk -F = ' -+ /^E: ID_NET_NAME_FROM_DATABASE=/ {arr[1]=$2} -+ /^E: ID_NET_NAME_ONBOARD=/ {arr[2]=$2} -+ /^E: ID_NET_NAME_SLOT=/ {arr[3]=$2} -+ /^E: ID_NET_NAME_PATH=/ {arr[4]=$2} -+ /^E: ID_NET_NAME_MAC=/ {arr[5]=$2} -+ END {for (i=1;i<6;i++) {if (length(arr[i]) > 0) { print arr[i]; break}}}') -+ if [ -z "$name" ]; then -+ echo Could not determine predictable name for interface $interface -+ fi -+ predictable_names[$interface]=$name -+ done -+ -+ # Take a gamble on the first interface being able to reach the gateway. -+ local default_interface=${predictable_names[${interfaces[0]}]} -+ - cat > /etc/nixos/networking.nix << EOF - { ... }: { - # This file was populated at runtime with the networking -@@ -96,25 +119,27 @@ EOF - nameservers = [$(for a in ${nameservers[@]}; do echo -n " - \"$a\""; done) - ]; -- defaultGateway = "${gateway}"; -- defaultGateway6 = "${gateway6}"; -+ defaultGateway = {address = "${gateway}"; interface = "${default_interface}";}; -+ defaultGateway6 = {address = "${gateway6}"; interface = "${default_interface}";}; - interfaces = { -- ens3 = { -- ip4 = [$(for a in ${ens3_ip4s[@]}; do echo -n " -- $a"; done) -- ]; -- ip6 = [$(for a in ${ens3_ip6s[@]}; do echo -n " -- $a"; done) -- ]; -- }; -- ens4 = { -- ip4 = [$(for a in ${ens4_ip4s[@]}; do echo -n " -+EOF -+ -+ for interface in ${interfaces[@]}; do -+ ip4s=($(ip address show dev $interface | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')) -+ ip6s=($(ip address show dev $interface | grep 'inet6 .*global' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|')) -+ cat >> /etc/nixos/networking.nix << EOF -+ ${predictable_names[$interface]} = { -+ ip4 = [$(for a in ${ip4s[@]}; do echo -n " - $a"; done) - ]; -- ip6 = [$(for a in ${ens4_ip6s[@]}; do echo -n " -+ ip6 = [$(for a in ${ip6s[@]}; do echo -n " - $a"; done) - ]; - }; -+EOF -+ done -+ -+ cat >> 
/etc/nixos/networking.nix << EOF - }; - }; - } -@@ -154,6 +179,12 @@ export HOME="/root" - groupadd -r nixbld -g 30000 - seq 1 10 | xargs -I{} useradd -c "Nix build user {}" -d /var/empty -g nixbld -G nixbld -M -N -r -s `which nologin` nixbld{} - -+if ! which curl >/dev/null 2>/dev/null; then -+ if which apt-get >/dev/null 2>/dev/null; then -+ apt-get update && apt-get install -y curl -+ fi -+fi -+ - curl https://nixos.org/nix/install | sh - - source ~/.nix-profile/etc/profile.d/nix.sh diff --git a/overlays/pass/default.nix b/overlays/pass/default.nix index ad8facd..f1dd951 100644 --- a/overlays/pass/default.nix +++ b/overlays/pass/default.nix @@ -1,5 +1,7 @@ self: super: { pass = super.pass.overrideAttrs (old: rec { - patches = old.patches ++ [ ./pass-fix-pass-init.patch ]; + prePatch = '' + sed -i -e "s/\bsub\b/[sp]ub/g" src/password-store.sh + ''; }); } diff --git a/overlays/php-packages/default.nix b/overlays/php-packages/default.nix index 90fb613..fd8a4b7 100644 --- a/overlays/php-packages/default.nix +++ b/overlays/php-packages/default.nix @@ -1,6 +1,5 @@ self: super: rec { myPhpPackages.mysqli_pam = self.php74.extensions.mysqli.overrideAttrs(old: { - configureFlags = [ "--with-mysqli=${self.libmysqlclient_pam}/bin/mysql_config" "--with-mysql-sock=/run/mysqld/mysqld.sock" ]; - patches = old.patches or [] ++ [ ./mysqli_patch.patch ]; + configureFlags = [ "--with-mysqli=${self.libmysqlclient_pam.dev}/bin/mysql_config" "--with-mysql-sock=/run/mysqld/mysqld.sock" ]; }); } diff --git a/overlays/procps-ng/default.nix b/overlays/procps-ng/default.nix index 2d43a11..5a1646d 100644 --- a/overlays/procps-ng/default.nix +++ b/overlays/procps-ng/default.nix @@ -1,5 +1,5 @@ self: super: { - procps-ng = super.procps-ng.overrideAttrs(old: { + procps-watch8bit = super.procps.overrideAttrs(old: { configureFlags = old.configureFlags ++ [ "--enable-watch8bit" ]; }); } 
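Review bot: The `prePatch` in the pass hunk replaces the dropped `pass-fix-pass-init.patch` with a global `sed` over `src/password-store.sh`, and unlike a patch it silently becomes a no-op if upstream rewrites the matched text, so a later nixpkgs bump can drop the fix without any build failure. Add a check that fails loudly after the substitution, e.g. `grep -q '\[sp\]ub' src/password-store.sh`. The `\bsub\b` expression also rewrites every standalone `sub` word in the script rather than one specific line; if only the gpg key-listing pattern is meant (presumably the intent), anchoring the expression to that line or keeping a proper patch would be less surprising.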
diff --git a/overlays/python-packages/default.nix b/overlays/python-packages/default.nix index 720e777..c7b3351 100644 --- a/overlays/python-packages/default.nix +++ b/overlays/python-packages/default.nix @@ -10,7 +10,7 @@ in # needs to come before all other in alphabetical order (or make use of # lib.mkBefore) __pythonOverlayFix = self: super: let - pyNames = [ "python3" "python36" "python37" "python38" ]; + pyNames = [ "python3" "python37" "python38" ]; overriddenPython = name: [ { inherit name; value = super.${name}.override { packageOverrides = self.pythonOverrides; }; } { name = "${name}Packages"; value = self.recurseIntoAttrs self.${name}.pkgs; } diff --git a/overlays/sc-im/default.nix b/overlays/sc-im/default.nix deleted file mode 100644 index f728655..0000000 --- a/overlays/sc-im/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -self: super: { - sc-im = super.sc-im.overrideAttrs (old: { - buildPhase = '' - cd src - sed -i Makefile -e 's@\...name.info@.local/state/$(name)info@' - cd .. - '' + old.buildPhase; - }); -} diff --git a/overlays/vcsh/default.nix b/overlays/vcsh/default.nix index eb4d48e..d051dde 100644 --- a/overlays/vcsh/default.nix +++ b/overlays/vcsh/default.nix @@ -1,7 +1,7 @@ self: super: { vcsh = super.vcsh.overrideAttrs(old: { patchPhase = old.patchPhase or "" + '' - sed -i -e 's@-r "$XDG_CONFIG_HOME/vcsh/config.d/$VCSH_REPO_NAME"@-f "$XDG_CONFIG_HOME/vcsh/config.d/$VCSH_REPO_NAME"@' vcsh + sed -i -e 's@-r "$XDG_CONFIG_HOME/vcsh/config.d/$VCSH_REPO_NAME"@-f "$XDG_CONFIG_HOME/vcsh/config.d/$VCSH_REPO_NAME"@' vcsh.in ''; }); } diff --git a/overlays/weechat/default.nix b/overlays/weechat/default.nix index e8cc792..d4b1240 100644 --- a/overlays/weechat/default.nix +++ b/overlays/weechat/default.nix 
@@ -2,7 +2,7 @@ self: super: { weechat = super.weechat.override { configure = { availablePlugins, ... }: { plugins = with self; with availablePlugins; [ - (python.withPackages (ps: with ps; [websocket_client emoji])) + (python.withPackages (ps: with ps; [cffi websocket_client emoji])) perl ruby ]; diff --git a/pkgs/boinctui/default.nix b/pkgs/boinctui/default.nix index d8b106a..565840c 100644 --- a/pkgs/boinctui/default.nix +++ b/pkgs/boinctui/default.nix @@ -1,10 +1,10 @@ -{ stdenv, fetchurl, expat, openssl, autoconf, ncurses }: +{ stdenv, fetchurl, expat, openssl, autoconf269, ncurses }: stdenv.mkDerivation rec { name = "boinctui-${version}"; - version = "2.5.0"; + version = "2.6.0"; src = fetchurl { url = "http://sourceforge.net/projects/boinctui/files/boinctui_${version}.tar.gz"; - sha256 = "16zxp8r4z6pllacdacg681y56cg2phnn3pm5gwszbsi93cix2g8p"; + sha256 = "1c6hc4x28z8hjncxcwxhb0r3980f72i6480569a0hd9y7vcgf3d0"; }; configureFlags = [ "--without-gnutls" ]; @@ -12,9 +12,10 @@ stdenv.mkDerivation rec { autoconf ''; + makeFlags = [ "DESTDIR=$(out)" ]; preBuild = '' sed -i -e 's/"HOME"/"XDG_CONFIG_HOME"/' src/cfg.cpp sed -i -e 's@\.boinctui\.cfg@boinctui/boinctui.cfg@' src/mainprog.cpp ''; - buildInputs = [ expat openssl autoconf ncurses ]; + buildInputs = [ expat openssl autoconf269 ncurses ]; } diff --git a/pkgs/composer-env/default.nix b/pkgs/composer-env/default.nix index 416a61c..8631ca8 100644 --- a/pkgs/composer-env/default.nix +++ b/pkgs/composer-env/default.nix @@ -1,6 +1,6 @@ # This file originates from composer2nix -{ stdenv, writeTextFile, fetchurl, php, unzip }: +{ stdenv, lib, writeTextFile, fetchurl, php, unzip }: let composer = stdenv.mkDerivation { 
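Review bot: The added `makeFlags = [ "DESTDIR=$(out)" ]` in the second boinctui hunk combines with the `--prefix=$out` that stdenv's default `configurePhase` already passes, so if the generated Makefile installs into `$(DESTDIR)$(prefix)/bin` the binary ends up at `$out$out/bin` (a nested store path) instead of `$out/bin`; check where the 2.6.0 build actually places it. If the 2.6.0 Makefile ignores `prefix` and really needs `DESTDIR`, a one-line comment like `# Makefile does not honour --prefix; install via DESTDIR` would stop the next reader from removing it.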
@@ -30,9 +30,9 @@ let ''; meta = { description = "Dependency Manager for PHP"; - #license = stdenv.licenses.mit; - maintainers = [ stdenv.lib.maintainers.sander ]; - platforms = stdenv.lib.platforms.unix; + #license = lib.licenses.mit; + maintainers = [ lib.maintainers.sander ]; + platforms = lib.platforms.unix; }; }; @@ -91,7 +91,7 @@ let else $allPackages = array(); - ${stdenv.lib.optionalString (!noDev) '' + ${lib.optionalString (!noDev) '' if(array_key_exists("packages-dev", $config)) $allPackages = array_merge($allPackages, $config["packages-dev"]); ''} @@ -142,7 +142,7 @@ let }; bundleDependencies = dependencies: - stdenv.lib.concatMapStrings (dependencyName: + lib.concatMapStrings (dependencyName: let dependency = dependencies.${dependencyName}; in 
@@ -221,24 +221,24 @@ let # Copy or symlink the provided dependencies cd vendor ${bundleDependencies packages} - ${stdenv.lib.optionalString (!noDev) (bundleDependencies devPackages)} + ${lib.optionalString (!noDev) (bundleDependencies devPackages)} cd .. # Reconstruct autoload scripts # We use the optimize feature because Nix packages cannot change after they have been built # Using the dynamic loader for a Nix package is useless since there is nothing to dynamically reload. - composer dump-autoload --optimize ${stdenv.lib.optionalString noDev "--no-dev"} + composer dump-autoload --optimize ${lib.optionalString noDev "--no-dev"} # Run the install step as a validation to confirm that everything works out as expected - composer install --optimize-autoloader ${stdenv.lib.optionalString noDev "--no-dev"} + composer install --optimize-autoloader ${lib.optionalString noDev "--no-dev"} - ${stdenv.lib.optionalString executable '' + ${lib.optionalString executable '' # Reconstruct the bin/ folder if we deploy an executable project ${constructBin} composer.json ln -s $(pwd)/vendor/bin $out/bin ''} - ${stdenv.lib.optionalString (!symlinkDependencies) '' + ${lib.optionalString (!symlinkDependencies) '' # Patch the shebangs if possible if [ -d $(pwd)/vendor/bin ] then @@ -274,7 +274,7 @@ let } // extraArgs); in { - composer = stdenv.lib.makeOverridable composer; - buildZipPackage = stdenv.lib.makeOverridable buildZipPackage; - buildPackage = stdenv.lib.makeOverridable buildPackage; + composer = lib.makeOverridable composer; + buildZipPackage = lib.makeOverridable buildZipPackage; + buildPackage = lib.makeOverridable buildPackage; } diff --git a/pkgs/default.nix b/pkgs/default.nix index 13611ec..006460a 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix 
@@ -21,9 +21,8 @@ rec { nb = callPackage ./nb {}; note = callPackage ./note {}; notmuch-python2 = callPackage ./notmuch/notmuch-python { pythonPackages = python2Packages; }; - notmuch-python3 = callPackage ./notmuch/notmuch-python { pythonPackages = python3Packages; }; + notmuch-python3 = callPackage ./notmuch/notmuch-python { pythonPackages = python38Packages; }; notmuch-vim = callPackage ./notmuch/notmuch-vim {}; - pgloader = callPackage ./pgloader {}; predixy = callPackage ./predixy { inherit mylibs; }; rrsync_sudo = callPackage ./rrsync_sudo {}; signaldctl = callPackage ./signaldctl {}; @@ -57,7 +56,7 @@ rec { }; python3PackagesPlus = callPackage ./python-packages { - python = python3; + python = python38; inherit mylibs; }; dovecot_deleted-to-trash = callPackage ./dovecot/plugins/deleted_to_trash { diff --git a/pkgs/gearmand/default.nix b/pkgs/gearmand/default.nix index bb3be89..aa68538 100644 --- a/pkgs/gearmand/default.nix +++ b/pkgs/gearmand/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, boost, gperf, libevent, libmysqlclient, libuuid, python3, sqlite, hiredis, postgresql, openssl }: +{ stdenv, fetchurl, boost, gperf, libevent, libmysqlclient, libuuid, sqlite, hiredis, postgresql, openssl }: stdenv.mkDerivation rec { pname = "gearmand"; version = "1.1.19.1"; diff --git a/pkgs/genius/default.nix b/pkgs/genius/default.nix index b40d1d0..54a7957 100644 --- a/pkgs/genius/default.nix +++ b/pkgs/genius/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, mpfr, glib, hicolor-icon-theme, gtk2, intltool, gnome-doc-utils, python3, gnome2, autoconf, automake, libtool, ncurses, readline, pkg-config, }: +{ stdenv, fetchurl, mpfr, glib, hicolor-icon-theme, gtk2, intltool, gnome-doc-utils, python38, gnome2, autoconf, automake, libtool, ncurses, readline, pkg-config, }: stdenv.mkDerivation rec { name = "genius-${version}"; version = "1.0.24"; 
@@ -7,7 +7,7 @@ stdenv.mkDerivation rec { sha256 = "772f95f6ae4716d39bb180cd50e8b6b9b074107bee0cd083b825e1e6e55916b6"; }; buildInputs = [ - mpfr glib hicolor-icon-theme gtk2 intltool gnome-doc-utils python3 gnome2.gtksourceview + mpfr glib hicolor-icon-theme gtk2 intltool gnome-doc-utils python38 gnome2.gtksourceview autoconf automake libtool ncurses readline pkg-config ]; preConfigure = '' diff --git a/pkgs/monitoring-plugins/default.nix b/pkgs/monitoring-plugins/default.nix index 852d29b..b09d7a4 100644 --- a/pkgs/monitoring-plugins/default.nix +++ b/pkgs/monitoring-plugins/default.nix @@ -1,5 +1,5 @@ { stdenv, iputils, fetchpatch, fetchurl, file, hostname, perl, openssl, - bind, openldap, procps-ng, postfix, + bind, openldap, procps, postfix, wrapperDir ? "/run/wrappers/bin" }: stdenv.mkDerivation rec { @@ -29,5 +29,5 @@ stdenv.mkDerivation rec { --with-sudo-command="${wrapperDir}/sudo" ''; - buildInputs = [ perl file hostname iputils openssl openldap procps-ng bind.dnsutils postfix ]; + buildInputs = [ perl file hostname iputils openssl openldap procps bind.dnsutils postfix ]; } diff --git a/pkgs/mtop/default.nix b/pkgs/mtop/default.nix index 3f6b6bc..ca9be2c 100644 --- a/pkgs/mtop/default.nix +++ b/pkgs/mtop/default.nix @@ -1,5 +1,5 @@ -{ buildPerlPackage, fetchurl, perlPackages, lib }: -buildPerlPackage rec { +{ fetchurl, perlPackages, lib }: +perlPackages.buildPerlPackage rec { pname = "mtop"; version = "0.6.6"; src = fetchurl { diff --git a/pkgs/note/default.nix b/pkgs/note/default.nix index d5fcccd..b3b03ef 100644 --- a/pkgs/note/default.nix +++ b/pkgs/note/default.nix @@ -1,5 +1,5 @@ -{ lib, buildPerlPackage, fetchurl, perlPackages }: -buildPerlPackage rec { +{ lib, fetchurl, perlPackages }: +perlPackages.buildPerlPackage rec { pname = "note"; version = "1.3.26"; src = fetchurl { diff --git a/pkgs/pgloader/default.nix b/pkgs/pgloader/default.nix deleted file mode 100644 index 6093ada..0000000 --- a/pkgs/pgloader/default.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -# https://github.com/NixOS/nixpkgs/pull/61702 -{ stdenv, fetchurl, makeWrapper, sbcl, sqlite, freetds, libzip, curl, git, cacert, openssl }: -stdenv.mkDerivation rec { - pname = "pgloader"; - version = "3.6.1"; - name = "${pname}-${version}"; - - src = fetchurl { - url = "https://github.com/dimitri/pgloader/releases/download/v3.6.1/pgloader-bundle-3.6.1.tgz"; - sha256 = "1sm8xmq30d1biin5br0y3vrv4fydbrzfqglz1hnvrkdyxrg7d6f9"; - }; - - nativeBuildInputs = [ git makeWrapper ]; - buildInputs = [ sbcl cacert sqlite freetds libzip curl openssl ]; - - LD_LIBRARY_PATH = stdenv.lib.makeLibraryPath [ sqlite libzip curl git openssl freetds ]; - - buildPhase = '' - export PATH=$PATH:$out/bin - export HOME=$TMPDIR - - make pgloader - ''; - - dontStrip = true; - enableParallelBuilding = false; - - installPhase = '' - install -Dm755 bin/pgloader "$out/bin/pgloader" - wrapProgram $out/bin/pgloader --prefix LD_LIBRARY_PATH : "${LD_LIBRARY_PATH}" - ''; - - meta = with stdenv.lib; { - homepage = https://pgloader.io/; - description = "pgloader loads data into PostgreSQL and allows you to implement Continuous Migration from your current database to PostgreSQL"; - maintainers = with maintainers; [ mguentner ]; - license = licenses.postgresql; - platforms = platforms.all; - }; -} diff --git a/pkgs/pure-ftpd/default.nix b/pkgs/pure-ftpd/default.nix index 32a7a91..55c698f 100644 --- a/pkgs/pure-ftpd/default.nix +++ b/pkgs/pure-ftpd/default.nix @@ -1,5 +1,5 @@ { ldapFtpId ? null -, stdenv, fetchurl, openssl, postgresql, openldap }: +, stdenv, lib, fetchurl, openssl, postgresql, openldap }: stdenv.mkDerivation rec { name = "pure-ftpd-1.0.47"; 
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
 configureFlags = [ "--with-everything" "--with-tls" "--with-pgsql" "--with-ldap" ];
- meta = with stdenv.lib; {
+ meta = with lib; {
 description = "A free, secure, production-quality and standard-conformant FTP server";
 homepage = https://www.pureftpd.org;
 license = licenses.isc; # with some parts covered by BSD3(?)
diff --git a/pkgs/status_engine/interface.nix b/pkgs/status_engine/interface.nix
index 7ee4889..9c8ff5e 100644
--- a/pkgs/status_engine/interface.nix
+++ b/pkgs/status_engine/interface.nix
@@ -1,6 +1,9 @@
-{ stdenv, composerEnv, fetchurl, callPackage, config_file ? "/var/lib/status_engine/interface.yml" }:
-composerEnv.buildPackage (
- import ./interface_php_packages.nix { inherit composerEnv fetchurl; } // rec {
+{ stdenv, composerEnv, php73, fetchurl, callPackage, config_file ? "/var/lib/status_engine/interface.yml" }:
+let
+ composerEnv' = composerEnv.override { php = php73; };
+in
+composerEnv'.buildPackage (
+ import ./interface_php_packages.nix { composerEnv = composerEnv'; inherit fetchurl; } // rec {
 pname = "interface";
 version = "3.4.0";
 name = "${pname}-${version}";
diff --git a/pkgs/status_engine/worker.nix b/pkgs/status_engine/worker.nix
index 1232303..eb9ae7b 100644
--- a/pkgs/status_engine/worker.nix
+++ b/pkgs/status_engine/worker.nix
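Review bot: `composerEnv' = composerEnv.override { php = php73; };` pins the interface build to PHP 7.3, a branch that reached end of life in December 2021 and no longer receives security fixes, while worker.nix in this same commit moves to `php74`, so the two status_engine packages end up on different interpreters. If interface 3.4.0 genuinely needs 7.3, record that next to the override, e.g. `# php73: <reason> -- TODO move to php74 once the app supports it`; otherwise use php74 here as well so both packages share one maintained PHP. Passing `composerEnv = composerEnv'` into the packages import is the right call, since the dependency packages presumably build against the same PHP as the application; worker.nix still passes the un-overridden `composerEnv` to its packages file and could get the same treatment.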
@@ -1,18 +1,18 @@ -{ stdenv, mylibs, composerEnv, fetchurl, gearmand, callPackage, php73, config_file ? "/var/lib/status_engine/ui.yml" }: +{ stdenv, mylibs, composerEnv, fetchurl, gearmand, callPackage, php74, config_file ? "/var/lib/status_engine/ui.yml" }: let - gearman = php73.buildPecl rec { - version = "2.0.6"; + gearman = php74.buildPecl rec { + version = "2.1.0"; pname = "gearman"; src = fetchurl { - url = "https://github.com/wcgallego/pecl-gearman/archive/${pname}-${version}.tar.gz"; - sha256 = "0bliga4j41xkvdfh6bqi6k8x6mfxbi5sl9gix97axs7w0ncyfprz"; + url = "https://github.com/php/pecl-networking-gearman/archive/${pname}-${version}.tar.gz"; + sha256 = "077wh1kxpp9pfmsm3xixplis85zx5fpbhilvz1d5pic6rb0ali5s"; }; configureFlags = [ "--with-gearman=${gearmand}" ]; nativeBuildInputs = [ gearmand ]; }; in (composerEnv.override { - php = php73.withExtensions({ enabled, all }: enabled ++ (with all; [gearman redis mbstring bcmath json iconv])); + php = php74.withExtensions({ enabled, all }: enabled ++ (with all; [gearman redis mbstring bcmath json iconv])); }).buildPackage (mylibs.fetchedGithub ./worker.json // import ./worker_php_packages.nix { inherit composerEnv fetchurl; } // rec { postInstall = '' diff --git a/pkgs/terminal-velocity/default.nix b/pkgs/terminal-velocity/default.nix index 1a015c0..3ccfcd3 100644 --- a/pkgs/terminal-velocity/default.nix +++ b/pkgs/terminal-velocity/default.nix @@ -1,5 +1,5 @@ -{ python36Packages }: -with python36Packages; +{ python37Packages }: +with python37Packages; buildPythonApplication rec { pname = "terminal-velocity-git"; version = "0.2.0"; diff --git a/pkgs/tiv/default.nix b/pkgs/tiv/default.nix index 3e7a56c..2415db9 100644 --- a/pkgs/tiv/default.nix +++ b/pkgs/tiv/default.nix @@ -1,5 +1,5 @@ -{ buildPerlPackage, fetchurl, perlPackages }: -buildPerlPackage rec { +{ fetchurl, perlPackages }: +perlPackages.buildPerlPackage rec { pname = "tiv"; version = "2015"; src = fetchurl { 
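Review bot: The gearman extension is now fetched with `fetchurl` from a GitHub auto-generated archive, `https://github.com/php/pecl-networking-gearman/archive/${pname}-${version}.tar.gz`; the fixed sha256 keeps integrity, but GitHub does not guarantee those tarballs are byte-stable, so the hash can start failing without any upstream change. The conventional form is `src = fetchFromGitHub { owner = "php"; repo = "pecl-networking-gearman"; rev = "${pname}-${version}"; sha256 = "<recomputed hash>"; };`, which needs `fetchFromGitHub` added to the argument set and hashes the unpacked tree rather than the archive. The `import ./worker_php_packages.nix { inherit composerEnv fetchurl; }` line still hands the un-overridden `composerEnv` to the packages file while `buildPackage` runs on the php74 override; interface.nix in this commit passes its overridden env to the packages import instead, and doing the same here would keep the worker's dependencies on one PHP. The derivation body continues past the end of the hunk.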
diff --git a/pkgs/webapps/mediagoblin/bower-packages.nix b/pkgs/webapps/mediagoblin/bower-packages.nix
deleted file mode 100644
index 03af849..0000000
--- a/pkgs/webapps/mediagoblin/bower-packages.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-# Generated by bower2nix v3.2.0 (https://github.com/rvl/bower2nix)
-{ fetchbower, buildEnv }:
-buildEnv { name = "bower-env"; ignoreCollisions = true; paths = [
- (fetchbower "jquery" "2.1.4" "~2.1.3" "1ywrpk2xsr6ghkm3j9gfnl9r3jn6xarfamp99b0bcm57kq9fm2k0")
- (fetchbower "video.js" "4.11.4" "~4.11.4" "05prdvyk0rxbkh7sdd0d9ns5l5crwvc68wzkyqmrdjw367pcv8sn")
- (fetchbower "leaflet" "0.7.7" "~0.7.3" "0jim285bljmxxngpm3yx6bnnd10n2whwkgmmhzpcd1rdksnr5nca")
- (fetchbower "tinymce" "4.1.10" "~4.1.7" "16jyvdb9bq8gjwhs69q8p88vdixalajrz81nsmbrzzxhkih57dyx")
-]; }
diff --git a/pkgs/webapps/mediagoblin/default.nix b/pkgs/webapps/mediagoblin/default.nix
deleted file mode 100644
index 22cb292..0000000
--- a/pkgs/webapps/mediagoblin/default.nix
+++ /dev/null
@@ -1,210 +0,0 @@
-{ makeWrapper, stdenv, writeScript, fetchurl, buildBowerComponents, mylibs, which, python36, gst_all_1, automake, autoconf, nodejs, nodePackages, lib, callPackage, fetchgit }:
-let
- overridePython = let
- packageOverrides = self: super: {
- pybcrypt = super.buildPythonPackage rec {
- pname = "pybcrypt";
- version = "0.4";
-
- src = self.fetchPypi {
- inherit pname version;
- sha256 = "5fa13bce551468350d66c4883694850570f3da28d6866bb638ba44fe5eabda78";
- };
- };
- celery = super.celery.overridePythonAttrs(old: rec {
- version = "3.1.26.post2";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "5493e172ae817b81ba7d09443ada114886765a8ce02f16a56e6fac68d953a9b2";
- };
- patches = [];
- doCheck = false;
- });
- billiard = super.billiard.overridePythonAttrs(old: rec {
- version = "3.3.0.23";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "02wxsc6bhqvzh8j6w758kvgqbnj14l796mvmrcms8fgfamd2lak9";
- };
- doCheck = false;
- doInstallCheck = false;
- });
- amqp = super.amqp.overridePythonAttrs(old: rec {
- version = "1.4.9";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "2dea4d16d073c902c3b89d9b96620fb6729ac0f7a923bbc777cb4ad827c0c61a";
- };
- doCheck = false;
- });
- kombu = super.kombu.overridePythonAttrs(old: rec {
- version = "3.0.37";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "e064a00c66b4d1058cd2b0523fb8d98c82c18450244177b6c0f7913016642650";
- };
- propagatedBuildInputs = old.propagatedBuildInputs ++ [ self.anyjson ];
- doCheck = false;
- });
- markdown = super.markdown.overridePythonAttrs(old: rec {
- version = "3.1.1";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "2e50876bcdd74517e7b71f3e7a76102050edec255b3983403f1a63e7c8a41e7a";
- };
- });
- sqlalchemy = super.sqlalchemy.overridePythonAttrs(old: rec {
- version = "1.1.18";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
-
sha256 = "8b0ec71af9291191ba83a91c03d157b19ab3e7119e27da97932a4773a3f664a9";
- };
- doCheck = false;
- });
- tempita_5_3_dev = super.buildPythonPackage (mylibs.fetchedGithub ./tempita.json // rec {
- buildInputs = with self; [ nose ];
- disabled = false;
- });
- sqlalchemy_migrate = super.sqlalchemy_migrate.overridePythonAttrs(old: rec {
- propagatedBuildInputs = with self; [ pbr tempita_5_3_dev decorator sqlalchemy six sqlparse ];
- });
- pasteScript = super.pasteScript.overridePythonAttrs(old: rec {
- version = "2.0.2";
- name = "PasteScript-${version}";
- src = fetchurl {
- url = "mirror://pypi/P/PasteScript/${name}.tar.gz";
- sha256 = "1h3nnhn45kf4pbcv669ik4faw04j58k8vbj1hwrc532k0nc28gy0";
- };
- propagatedBuildInputs = with self; [ six paste PasteDeploy ];
- });
- werkzeug = super.werkzeug.overridePythonAttrs(old: rec {
- version = "0.16.1";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "b353856d37dec59d6511359f97f6a4b2468442e454bd1c98298ddce53cac1f04";
- };
- });
- };
- in
- python36.override { inherit packageOverrides; };
- pythonEnv = python-pkgs: with python-pkgs; [
- waitress alembic dateutil wtforms pybcrypt
- pytest pytest_xdist werkzeug celery
- kombu jinja2 Babel webtest configobj markdown
- sqlalchemy itsdangerous pytz sphinx six
- oauthlib unidecode jsonschema PasteDeploy
- requests PyLD exifread
- typing pasteScript lxml
- # For images plugin
- pillow
- # For video plugin
- gst-python
- # migrations
- sqlalchemy_migrate
- # authentication
- ldap3
- redis
- psycopg2
- ];
- python = overridePython.withPackages pythonEnv;
- gmg = writeScript "gmg" ''
- #!${python}/bin/python
- __requires__ = 'mediagoblin'
- import sys
- from pkg_resources import load_entry_point
-
- if __name__ == '__main__':
- sys.exit(
- load_entry_point('mediagoblin', 'console_scripts', 'gmg')()
- )
- '';
- mediagoblinSrc = fetchgit {
- name = "mediagoblin";
- url = "git://git.savannah.gnu.org/mediagoblin.git";
- rev =
"cd465ebfec837a75a44c4ebd727dffe2fff6d850";
- sha256 = "1yz4i4i97z3rxl534a6psaybyjbyp5nnc52v3nvbpzc4pd2s69mx";
- fetchSubmodules = true; # important!
- };
- bowerComponents = buildBowerComponents {
- name = "mediagoblin-bower-components";
- generated = ./bower-packages.nix;
- src = mediagoblinSrc;
- };
- pluginNames = [ "basicsearch" ];
- allPlugins = lib.attrsets.genAttrs pluginNames
- (name: callPackage (./plugins + "/${name}") {});
- toPassthru = pkg: {
- inherit allPlugins;
- withPlugins = withPlugins pkg;
- };
- withPlugins = pkg: toPlugins:
- let
- plugins = toPlugins allPlugins;
- toBuildPlugin = n: "ln -s ${n} mediagoblin/plugins/${n.pluginName}";
- newMediagoblin = pkg.overrideAttrs(old: {
- postBuild = old.postBuild + "\n" + builtins.concatStringsSep "\n" (map toBuildPlugin plugins);
- passthru = toPassthru newMediagoblin;
- });
- in newMediagoblin;
- package = stdenv.mkDerivation rec {
- pname = "mediagoblin";
- name = "${pname}-${version}";
- version = "cd465eb-stable";
- src = mediagoblinSrc;
- preConfigure = ''
- # ./bootstrap.sh
- aclocal -I m4 --install
- autoreconf -fvi
- # end
- export HOME=$PWD
- '';
- configureFlags = [ "--with-python3" "--without-virtualenv" ];
- postBuild = ''
- cp -a ${bowerComponents}/bower_components/* extlib
- chmod -R u+w extlib
- make extlib
- '';
- installPhase = let
- libpaths = with gst_all_1; [
- python
- gstreamer
- gst-plugins-base
- gst-libav
- gst-plugins-good
- gst-plugins-bad
- gst-plugins-ugly
- ];
- plugin_paths = builtins.concatStringsSep ":" (map (x: "${x}/lib") libpaths);
- typelib_paths = with gst_all_1; "${gstreamer}/lib/girepository-1.0:${gst-plugins-base}/lib/girepository-1.0";
- in ''
- sed -i "s/registry.has_key(current_theme_name)/current_theme_name in registry/" mediagoblin/tools/theme.py
- sed -i -e "s@\[DEFAULT\]@[DEFAULT]\nhere = $out@" mediagoblin/config_spec.ini
- sed -i -e "/from gi.repository import GstPbutils/s/^/gi.require_version('GstPbutils', '1.0')\n/"
mediagoblin/media_types/video/transcoders.py
- cp ${./ldap_fix.py} mediagoblin/plugins/ldap/tools.py
- find . -name '*.pyc' -delete
- find . -type f -exec sed -i "s|$PWD|$out|g" {} \;
- python setup.py build
- cp -a . $out
- mkdir $out/bin
- makeWrapper ${gmg} $out/bin/gmg --prefix PYTHONPATH : "$out:$PYTHONPATH" \
- --prefix GST_PLUGIN_SYSTEM_PATH : ${plugin_paths} \
- --prefix GI_TYPELIB_PATH : ${typelib_paths}
- makeWrapper ${python}/bin/paster $out/bin/paster --prefix PYTHONPATH : "$out:$PYTHONPATH" \
- --prefix GST_PLUGIN_SYSTEM_PATH : ${plugin_paths} \
- --prefix GI_TYPELIB_PATH : ${typelib_paths}
- makeWrapper ${python}/bin/celery $out/bin/celery --prefix PYTHONPATH : "$out:$PYTHONPATH" \
- --prefix GST_PLUGIN_SYSTEM_PATH : ${plugin_paths} \
- --prefix GI_TYPELIB_PATH : ${typelib_paths}
- '';
- buildInputs = [ makeWrapper automake autoconf which nodePackages.bower nodejs python ];
- propagatedBuildInputs = with gst_all_1; [ python gst-libav gst-plugins-good gst-plugins-bad gst-plugins-ugly gstreamer ];
- passthru = toPassthru package;
- };
-in package
diff --git a/pkgs/webapps/mediagoblin/ldap_fix.py b/pkgs/webapps/mediagoblin/ldap_fix.py
deleted file mode 100644
index 10cc375..0000000
--- a/pkgs/webapps/mediagoblin/ldap_fix.py
+++ /dev/null
@@ -1,93 +0,0 @@
-# GNU MediaGoblin -- federated, autonomous media hosting
-# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program. If not, see .
-from ldap3 import Server, Connection, SUBTREE
-from ldap3.core.exceptions import LDAPException
-import logging
-
-import six
-
-from mediagoblin.tools import pluginapi
-
-_log = logging.getLogger(__name__)
-
-
-class LDAP(object):
- def __init__(self):
- self.ldap_settings = pluginapi.get_config('mediagoblin.plugins.ldap')
-
- def _connect(self, server):
- _log.info('Connecting to {0}.'.format(server['LDAP_SERVER_URI']))
- self.server = Server(server['LDAP_SERVER_URI'])
-
- if 'LDAP_START_TLS' in server and server['LDAP_START_TLS'] == 'true':
- _log.info('Initiating TLS')
- self.server.start_tls()
-
- def _manager_auth(self, settings, username, password):
- conn = Connection(self.server,
- settings['LDAP_BIND_DN'],
- settings['LDAP_BIND_PW'],
- auto_bind=True)
- found = conn.search(
- search_base=settings['LDAP_SEARCH_BASE'],
- search_filter=settings['LDAP_SEARCH_FILTER'].format(username=username),
- search_scope=SUBTREE,
- attributes=[settings['EMAIL_SEARCH_FIELD']])
- if (not found) or len(conn.entries) > 1:
- return False, None
-
- user = conn.entries[0]
- user_dn = user.entry_dn
- try:
- email = user.entry_attributes_as_dict[settings['EMAIL_SEARCH_FIELD']][0]
- except KeyError:
- email = None
-
-
- Connection(self.server, user_dn, password, auto_bind=True)
-
- return username, email
-
- def _direct_auth(self, settings, username, password):
- user_dn = settings['LDAP_USER_DN_TEMPLATE'].format(username=username)
- conn = Connection(self.server, user_dn, password, auto_bind=True)
- email_found = conn.search(
- search_base=settings['LDAP_SEARCH_BASE'],
- search_filter='uid={0}'.format(username),
- search_scope=SUBTREE,
- attributes=[settings['EMAIL_SEARCH_FIELD']])
-
- if email_found:
- try:
- email = conn.entries[0].entry_attributes_as_dict[settings['EMAIL_SEARCH_FIELD']][0]
- except KeyError:
- email = None
-
- return username, email
-
- def login(self, username, password):
- for k, v in six.iteritems(self.ldap_settings):
- try:
- self._connect(v)
-
- if 'LDAP_BIND_DN' in v:
- return self._manager_auth(v, username, password)
- else:
- return self._direct_auth(v, username, password)
-
- except LDAPException as e:
- _log.info(e)
-
- return False, None
diff --git a/pkgs/webapps/mediagoblin/plugins/basicsearch/default.nix b/pkgs/webapps/mediagoblin/plugins/basicsearch/default.nix
deleted file mode 100644
index 16be613..0000000
--- a/pkgs/webapps/mediagoblin/plugins/basicsearch/default.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ stdenv, fetchFromGitHub }:
-stdenv.mkDerivation rec {
- name = "mediagoblin-plugin-basicsearch-${version}";
- version = "ba0a154-master";
- src = fetchFromGitHub {
- owner = "ayleph";
- repo = "mediagoblin-basicsearch";
- rev = "ba0a1547bd24ebaf363227fe17644d38c6ce8a6b";
- sha256 = "0d4r7xkf4gxmgaxlb264l44xbanis77g49frwfhfzsflxmdwgncy";
- };
- phases = "unpackPhase installPhase";
- installPhase = ''
- cp -R ./basicsearch $out
- '';
- passthru = {
- pluginName = "basicsearch";
- };
-}
diff --git a/pkgs/webapps/mediagoblin/tempita.json b/pkgs/webapps/mediagoblin/tempita.json
deleted file mode 100644
index 5371e17..0000000
--- a/pkgs/webapps/mediagoblin/tempita.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "tag": "47414a7-master",
- "meta": {
- "name": "tempita",
- "url": "https://github.com/gjhiggins/tempita",
- "branch": "master"
- },
- "github": {
- "owner": "gjhiggins",
- "repo": "tempita",
- "rev": "47414a7c6e46a9a9afe78f0bce2ea299fa84d10d",
- "sha256": "0f33jjjs5rvp7ar2j6ggyfykcrsrn04jaqcq71qfvycf6b7nw3rn",
- "fetchSubmodules": true
- }
-}
diff --git a/shell.nix b/shell.nix
index 3d27d03..5da8687 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,18 +1,4 @@
-{ pkgs ? import { overlays = builtins.attrValues (import ./overlays); },
- pkgs-nix ? import { overlays = builtins.attrValues (import ./overlays); }
-}:
-let
- patchedNix = pkgs-nix.nixUnstable.overrideAttrs(old: {
- patches = old.patches ++ [
- # Fix the ETag bug. PR merged. Remove when updating to >= 20210125
- # https://github.com/NixOS/nixpkgs/pull/109309#issuecomment-768331750
- (pkgs-nix.fetchpatch {
- url = "https://patch-diff.githubusercontent.com/raw/NixOS/nix/pull/4470.diff";
- sha256 = "sha256-d4RNOKMxa4NMbFgYcqWRv2ByHt8F/XUWV+6P9qHz7S4=";
- })
- ];
- });
-in
+{ pkgs ? import { overlays = builtins.attrValues (import ./overlays); } }:
 pkgs.mkShell {
- buildInputs = [ patchedNix pkgs.python3 pkgs.sops pkgs.morph pkgs.niv pkgs.curl pkgs.shellcheck pkgs.jq pkgs.gnumake pkgs.yq ];
+ buildInputs = [ pkgs.nixUnstable pkgs.python3 pkgs.sops pkgs.morph pkgs.niv pkgs.curl pkgs.shellcheck pkgs.jq pkgs.gnumake pkgs.yq ];
 }