18 files changed, 352 insertions, 83 deletions

diff --git a/systems/backup-2/flake.lock b/systems/backup-2/flake.lock
index 0863696..2eee849 100644
--- a/systems/backup-2/flake.lock
+++ b/systems/backup-2/flake.lock
@@ -22,7 +22,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Deh1qsi1UFskPSAwq2sUGyPeh7hVVHct8hhy4o6fEzE=",
+        "narHash": "sha256-S6sETV9+RccMB5LcH4vOZJiTdhLS3SRIjFRvEfjd9Ag=",
         "path": "../../flakes/private/chatons",
         "type": "path"
       },
@@ -74,7 +74,7 @@
     "environment": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -86,7 +86,7 @@
     "environment_2": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../../flakes/private/environment",
         "type": "path"
       },
@@ -98,7 +98,7 @@
     "environment_3": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -110,7 +110,7 @@
     "environment_4": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -122,7 +122,7 @@
     "environment_5": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -134,7 +134,7 @@
     "environment_6": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -146,7 +146,7 @@
     "environment_7": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -352,7 +352,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-XdgjCex3Izb2hID+EBVj0YsEE5xvc+I416I2fHpi1LE=",
+        "narHash": "sha256-tY5qk98NpdM4osbPYFeo6/pHiQQU4a4iKw2jCJP99q8=",
         "path": "../../flakes/private/mail-relay",
         "type": "path"
       },
@@ -371,7 +371,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-bWNhkERypwoog3lphO0xURJ4xt58CZEWKn7So7A5mtM=",
+        "narHash": "sha256-Aqubcd5AOuP6XUdvjeCXIP6Yksn8uBXbS62kWXBop1w=",
         "path": "../../flakes/private/milters",
         "type": "path"
       },
@@ -389,7 +389,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-VZjf9fXcyeS3LpVW6NvzJpiJuEtJsGlOOfH8XwL8CdI=",
+        "narHash": "sha256-F7GennKqLc6Cx3DuU6qSPUHmjvpfrrfOshor41vaCz4=",
         "path": "../../flakes/private/monitoring",
         "type": "path"
       },
@@ -425,7 +425,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-PPOh6hf0hakuHCBOgJok208Qc3xKpuwwxhHV2QQRbmA=",
+        "narHash": "sha256-r3UkR0dalaU+FjmDcrMkXeT3BOJryAVzX7Sp8pihjno=",
         "path": "../../mypackages",
         "type": "path"
       },
@@ -925,7 +925,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-fntajNe0urhuR0NbTOQZLTMhtHnd7p6PVuuEf0oAoFg=",
+        "narHash": "sha256-LDicilQIpNXKg/UD6uyf66h/iL/rhDOkkVjTMdKRzX4=",
         "path": "../../flakes/private/opendmarc",
         "type": "path"
       },
@@ -1104,7 +1104,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-xH6yyfvDLevdZrnKsGXhkZmNMZkOPJOqXnpubkfnoOE=",
+        "narHash": "sha256-uW8mX4yKNyf1lysk3yNW54RILG+JfJ9KQ10dAAge4Hk=",
         "path": "../../flakes/private/system",
         "type": "path"
       },
diff --git a/systems/dilion/flake.lock b/systems/dilion/flake.lock
index f2db2b7..be2ce96 100644
--- a/systems/dilion/flake.lock
+++ b/systems/dilion/flake.lock
@@ -59,7 +59,7 @@
     "environment": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../../flakes/private/environment",
         "type": "path"
       },
@@ -71,7 +71,7 @@
     "environment_2": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -83,7 +83,7 @@
     "environment_3": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -207,7 +207,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-VZjf9fXcyeS3LpVW6NvzJpiJuEtJsGlOOfH8XwL8CdI=",
+        "narHash": "sha256-F7GennKqLc6Cx3DuU6qSPUHmjvpfrrfOshor41vaCz4=",
         "path": "../../flakes/private/monitoring",
         "type": "path"
       },
@@ -243,7 +243,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-PPOh6hf0hakuHCBOgJok208Qc3xKpuwwxhHV2QQRbmA=",
+        "narHash": "sha256-r3UkR0dalaU+FjmDcrMkXeT3BOJryAVzX7Sp8pihjno=",
         "path": "../../mypackages",
         "type": "path"
       },
@@ -599,7 +599,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-xH6yyfvDLevdZrnKsGXhkZmNMZkOPJOqXnpubkfnoOE=",
+        "narHash": "sha256-uW8mX4yKNyf1lysk3yNW54RILG+JfJ9KQ10dAAge4Hk=",
         "path": "../../flakes/private/system",
         "type": "path"
       },
diff --git a/systems/eldiron/base.nix b/systems/eldiron/base.nix
index fa5e504..4535dcf 100644
--- a/systems/eldiron/base.nix
+++ b/systems/eldiron/base.nix
@@ -189,7 +189,7 @@
         table = ldap_users
         user_column = login
         pw_type = function
-        auth_query = SELECT ((mechanism = 'SSHA' AND password = encode(digest( %p || salt, 'sha1'), 'hex')) OR (mechanism = 'PLAIN' AND password = %p)) FROM ldap_users WHERE login = %u OR login || '@' || realm = %u
+        auth_query = SELECT ((mechanism = 'SSHA' AND password = encode(digest( convert_to(%p, 'UTF8') || salt, 'sha1'), 'hex')) OR (mechanism = 'PLAIN' AND password = %p)) FROM ldap_users WHERE login = %u OR login || '@' || realm = %u
         #pwd_query = WITH newsalt as (select gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( %p || (SELECT * FROM newsalt), 'sha1'), 'hex'), salt = (SELECT * FROM newsalt), mechanism = 'SSHA' WHERE login = %u OR login || '@' || realm = %u
       '';
     };
diff --git a/systems/eldiron/borg_backup.nix b/systems/eldiron/borg_backup.nix
index 9956a46..f83594a 100644
--- a/systems/eldiron/borg_backup.nix
+++ b/systems/eldiron/borg_backup.nix
@@ -76,7 +76,7 @@ let
     location = {
       source_directories = map (p: "${profile.rootDir}/${p}") profile.includedPaths;
       repositories = [
-        { path = cfg.remotes.${remote}.remote bucket; label = "backupserver"; }
+        { path = cfg.remotes.${remote}.remote name bucket; label = "backupserver"; }
       ];
       one_file_system = false;
       exclude_if_present = [".duplicity-ignore"];
@@ -88,6 +88,7 @@ let
       ssh_command = "ssh -i ${config.secrets.fullPaths."borg_backup/identity"}";
       compression = "zlib";
       borg_base_directory = "${varDir}/${profile.bucket}";
+      relocated_repo_access_is_ok = true;
     };
     retention = {
       keep_within = "10d";
diff --git a/systems/eldiron/flake.lock b/systems/eldiron/flake.lock
index 0f97917..ac6307e 100644
--- a/systems/eldiron/flake.lock
+++ b/systems/eldiron/flake.lock
@@ -129,7 +129,7 @@
     "environment": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -141,7 +141,7 @@
     "environment_2": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -153,7 +153,7 @@
     "environment_3": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -165,7 +165,7 @@
     "environment_4": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -177,7 +177,7 @@
     "environment_5": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -189,7 +189,7 @@
     "environment_6": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -813,7 +813,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-PPOh6hf0hakuHCBOgJok208Qc3xKpuwwxhHV2QQRbmA=",
+        "narHash": "sha256-r3UkR0dalaU+FjmDcrMkXeT3BOJryAVzX7Sp8pihjno=",
         "path": "../../mypackages",
         "type": "path"
       },
@@ -830,7 +830,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-PPOh6hf0hakuHCBOgJok208Qc3xKpuwwxhHV2QQRbmA=",
+        "narHash": "sha256-r3UkR0dalaU+FjmDcrMkXeT3BOJryAVzX7Sp8pihjno=",
         "path": "../mypackages",
         "type": "path"
       },
@@ -847,7 +847,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-PPOh6hf0hakuHCBOgJok208Qc3xKpuwwxhHV2QQRbmA=",
+        "narHash": "sha256-r3UkR0dalaU+FjmDcrMkXeT3BOJryAVzX7Sp8pihjno=",
         "path": "../mypackages",
         "type": "path"
       },
@@ -864,7 +864,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-PPOh6hf0hakuHCBOgJok208Qc3xKpuwwxhHV2QQRbmA=",
+        "narHash": "sha256-r3UkR0dalaU+FjmDcrMkXeT3BOJryAVzX7Sp8pihjno=",
         "path": "../mypackages",
         "type": "path"
       },
@@ -1989,7 +1989,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Deh1qsi1UFskPSAwq2sUGyPeh7hVVHct8hhy4o6fEzE=",
+        "narHash": "sha256-S6sETV9+RccMB5LcH4vOZJiTdhLS3SRIjFRvEfjd9Ag=",
         "path": "../../flakes/private/chatons",
         "type": "path"
       },
@@ -2001,7 +2001,7 @@
     "private-environment": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../../flakes/private/environment",
         "type": "path"
       },
@@ -2020,7 +2020,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-bWNhkERypwoog3lphO0xURJ4xt58CZEWKn7So7A5mtM=",
+        "narHash": "sha256-Aqubcd5AOuP6XUdvjeCXIP6Yksn8uBXbS62kWXBop1w=",
         "path": "../../flakes/private/milters",
         "type": "path"
       },
@@ -2038,7 +2038,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-VZjf9fXcyeS3LpVW6NvzJpiJuEtJsGlOOfH8XwL8CdI=",
+        "narHash": "sha256-F7GennKqLc6Cx3DuU6qSPUHmjvpfrrfOshor41vaCz4=",
         "path": "../../flakes/private/monitoring",
         "type": "path"
       },
@@ -2073,7 +2073,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-fntajNe0urhuR0NbTOQZLTMhtHnd7p6PVuuEf0oAoFg=",
+        "narHash": "sha256-LDicilQIpNXKg/UD6uyf66h/iL/rhDOkkVjTMdKRzX4=",
         "path": "../../flakes/private/opendmarc",
         "type": "path"
       },
@@ -2134,7 +2134,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-uqftr7R3cVYwWuu8Xl6VbPVL2pqapv1bfmMJpq3LnZ4=",
+        "narHash": "sha256-mhoBv1NxQoAMlfFGkgGC28cjMTgUxgb2oqNS+k6kWH4=",
         "path": "../../flakes/private/ssh",
         "type": "path"
       },
@@ -2153,7 +2153,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-xH6yyfvDLevdZrnKsGXhkZmNMZkOPJOqXnpubkfnoOE=",
+        "narHash": "sha256-uW8mX4yKNyf1lysk3yNW54RILG+JfJ9KQ10dAAge4Hk=",
         "path": "../../flakes/private/system",
         "type": "path"
       },
@@ -2206,7 +2206,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-TeZKpuqFi0PEnhays+oL+hrNlO/O+IV/4B+Vtim4DKY=",
+        "narHash": "sha256-1uymFn5bZul+Rrnek5YdC2EtgllQlL48VAvQTBh7ao4=",
         "path": "../../flakes/etherpad-lite",
         "type": "path"
       },
@@ -2248,7 +2248,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-kbhkTVO086HibTB2ke3Qc458FwLUp2CqU8XUjuaAIug=",
+        "narHash": "sha256-0jKcrg+vVVhfPgfu0kPo4JtgdFXuP29usmgRoSmsX5U=",
         "path": "../../flakes/grocy",
         "type": "path"
       },
@@ -2329,7 +2329,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-PPOh6hf0hakuHCBOgJok208Qc3xKpuwwxhHV2QQRbmA=",
+        "narHash": "sha256-r3UkR0dalaU+FjmDcrMkXeT3BOJryAVzX7Sp8pihjno=",
         "path": "../../flakes/mypackages",
         "type": "path"
       },
@@ -2440,7 +2440,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-+z5CIx4Gin8Ygu3qQbd5QMPuChzPkhtSv+kUm6dUW/s=",
+        "narHash": "sha256-B37mhSriF+N+vwuXTL60SvgxMqIsdiAUsL48g1A6VRY=",
         "path": "../../flakes/surfer",
         "type": "path"
       },
diff --git a/systems/eldiron/websites/cloud/default.nix b/systems/eldiron/websites/cloud/default.nix
index c859f32..3f41efe 100644
--- a/systems/eldiron/websites/cloud/default.nix
+++ b/systems/eldiron/websites/cloud/default.nix
@@ -61,7 +61,7 @@ in {
     };
 
     myServices.tools.cloud.farm.instances.immae = {
-      nextcloud = pkgs.webapps-nextcloud_27.override ({
+      nextcloud = pkgs.webapps-nextcloud_27_2.override ({
         # Allow /index.php redirects
         postInstall = ''
           cd $out
diff --git a/systems/eldiron/websites/git/mantisbt.nix b/systems/eldiron/websites/git/mantisbt.nix
index b0ee553..824e2e1 100644
--- a/systems/eldiron/websites/git/mantisbt.nix
+++ b/systems/eldiron/websites/git/mantisbt.nix
@@ -1,4 +1,38 @@
-{ env, mantisbt_2, mantisbt_2-plugins, config }:
+{ env, mantisbt_2, mantisbt_2-plugins, config, writeText }:
+let
+  mantis_config = {
+    config_inc = config.secrets.fullPaths."webapps/tools-mantisbt";
+    custom_constants_inc = writeText "custom_constants_inc.php" ''
+      <?php
+      define('TESTING', 60);
+      ?>
+    '';
+    custom_strings_inc = writeText "custom_strings_inc.php" ''
+      <?php
+      switch( $g_active_language ) {
+        case 'french':
+          $s_status_enum_string = '10:nouveau,20:retour d’informations,30:reçu,40:confirmé,50:affecté,60:à tester,80:traité,90:fermé';
+          $s_acknowledged_bug_title = 'Recevoir l’anomalie';
+          $s_acknowledged_bug_button = 'Recevoir l’anomalie';
+          $s_email_notification_title_for_status_bug_acknowledged = 'L’anomalie suivante a été REÇUE.';
+
+          $s_testing_bug_title = "Mettre l’anomalie en test";
+          $s_testing_bug_button = 'À tester';
+          $s_email_notification_title_for_status_bug_testing = "L’anomalie suivante est prête à être TESTÉE.";
+          break;
+        default: # english
+          $s_status_enum_string = '10:new,20:feedback,30:acknowledged,40:confirmed,50:assigned,60:testing,80:resolved,90:closed';
+
+          $s_testing_bug_title = 'Mark issue Ready for Testing';
+          $s_testing_bug_button = 'Ready for Testing';
+
+          $s_email_notification_title_for_status_bug_testing = 'The following issue is ready for TESTING.';
+          break;
+      }
+      ?>
+    '';
+  };
+in
 rec {
   keys."webapps/tools-mantisbt" = {
     user = apache.user;
@@ -20,7 +54,8 @@ rec {
       $g_allow_anonymous_login = ON;
       $g_anonymous_account     = 'anonymous';
 
-      $g_phpMailer_method       = PHPMAILER_METHOD_SENDMAIL;
+      $g_log_level = LOG_EMAIL_VERBOSE;
+      $g_phpMailer_method       = PHPMAILER_METHOD_MAIL;
       $g_smtp_host              = 'localhost';
       $g_smtp_username          = ''';
       $g_smtp_password          = ''';
@@ -42,10 +77,12 @@ rec {
       $g_ldap_uid_field = 'uid';
       $g_ldap_realname_field = 'cn';
       $g_ldap_organization = '${env.ldap.filter}';
+
+      $g_status_enum_string = '10:new,20:feedback,30:acknowledged,40:confirmed,50:assigned,60:testing,80:resolved,90:closed';
+      $g_status_colors['testing'] = '#ace7ae';
     '';
   };
-  webRoot = (mantisbt_2.override { mantis_config =
-    config.secrets.fullPaths."webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration ]);
+  webRoot = (mantisbt_2.override { inherit mantis_config; }).withPlugins (p: [p.slack p.source-integration ]);
   apache = rec {
     user = "wwwrun";
     group = "wwwrun";
@@ -72,9 +109,8 @@ rec {
   };
   phpFpm = rec {
     serviceDeps = [ "postgresql.service" "openldap.service" ];
-    basedir = builtins.concatStringsSep ":" (
-      [ webRoot config.secrets.fullPaths."webapps/tools-mantisbt" ]
-      ++ webRoot.plugins);
+    basedir = builtins.concatStringsSep ":" ([ webRoot ] ++
+      webRoot.plugins ++ builtins.attrValues mantis_config);
     pool = {
       "listen.owner" = apache.user;
       "listen.group" = apache.group;
@@ -84,7 +120,8 @@ rec {
 
       "php_admin_value[upload_max_filesize]" = "5000000";
 
-      "php_admin_value[open_basedir]" = "${basedir}:/tmp";
+      "php_admin_value[sendmail_path]" = "/run/wrappers/bin/sendmail -t -i";
+      "php_admin_value[open_basedir]" = "${basedir}:/tmp:/run/wrappers/bin/sendmail";
       "php_admin_value[session.save_handler]" = "redis";
       "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Tools:MantisBT:'";
     };
diff --git a/systems/eldiron/websites/mail/default.nix b/systems/eldiron/websites/mail/default.nix
index 0a0342b..e212cd2 100644
--- a/systems/eldiron/websites/mail/default.nix
+++ b/systems/eldiron/websites/mail/default.nix
@@ -111,13 +111,13 @@ in
       phpOptions = config.services.phpfpm.phpOptions + ''
         date.timezone = 'CET'
       '';
-      phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [ all.imagick all.redis ]);
+      phpPackage = pkgs.php82.withExtensions({ enabled, all }: enabled ++ [ all.imagick all.redis ]);
     };
     services.phpfpm.pools.rainloop = {
       user = "wwwrun";
       group = "wwwrun";
       settings = rainloop.phpFpm.pool;
-      phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [ all.redis ]);
+      phpPackage = pkgs.php82.withExtensions({ enabled, all }: enabled ++ [ all.redis ]);
     };
     system.activationScripts = {
       roundcubemail = roundcubemail.activationScript;
diff --git a/systems/eldiron/websites/mail/roundcubemail.nix b/systems/eldiron/websites/mail/roundcubemail.nix
index 21a10fe..1db6c81 100644
--- a/systems/eldiron/websites/mail/roundcubemail.nix
+++ b/systems/eldiron/websites/mail/roundcubemail.nix
@@ -15,15 +15,16 @@ rec {
     text =
       let
         psql_url = with env.postgresql; "pgsql://${user}:${password}@unix(${socket}:${port})/${database}";
+        mysql_postfix_url = with config.myEnv.mail.dovecot.mysql; "mysql://${user}:${password}@unix(${socket})/${database}";
       in ''
       <?php
         $config['db_dsnw'] = '${psql_url}';
-        $config['default_host'] = 'ssl://imap.immae.eu';
+        $config['imap_host'] = 'ssl://imap.immae.eu';
         $config['username_domain'] = array(
           "imap.immae.eu" => "mail.immae.eu"
         );
         $config['imap_conn_options'] = array("ssl" => array("verify_peer" => false));
-        $config['smtp_server'] = 'tls://smtp.immae.eu';
+        $config['smtp_host'] = 'tls://smtp.immae.eu';
         $config['smtp_port'] = '587';
         $config['managesieve_host'] = 'imap.immae.eu';
         $config['managesieve_port'] = '4190';
@@ -49,16 +50,22 @@ rec {
           'markasjunk',
           'managesieve',
           'newmail_notifier',
+          'reconnect',
           'vcard_attachments',
           'zipdownload',
+          'virtuser_query',
 
-          'automatic_addressbook',
           'message_highlight',
           'carddav',
+          // Intégré à roundcube 'automatic_addressbook',
           // Ne marche pas ?: 'ident_switch',
           // Ne marche pas ?: 'thunderbird_labels',
         );
 
+        $config['virtuser_query_dsn'] = '${mysql_postfix_url}';
+        $config['virtuser_query'] = array(
+          "user" => "SELECT destination FROM forwardings WHERE ((regex = 1 AND '%m' REGEXP CONCAT('^',source,'$')) OR (regex = 0 AND source = '%m')) AND active = 1"
+        );
         $config['language'] = 'fr_FR';
 
         $config['drafts_mbox'] = 'Drafts';
diff --git a/systems/eldiron/websites/tools/default.nix b/systems/eldiron/websites/tools/default.nix
index 46e6a9f..7d8bf5e 100644
--- a/systems/eldiron/websites/tools/default.nix
+++ b/systems/eldiron/websites/tools/default.nix
@@ -108,6 +108,7 @@ in {
           mailSend
           (ips servers.eldiron.ips.main)
         ];
+        synapse = ips servers.zoldene.ips.main;
       };
 
     services.borgBackup.profiles.global.ignoredPaths = [
diff --git a/systems/eldiron/websites/tools/landing.nix b/systems/eldiron/websites/tools/landing.nix
index 692eaae..da7335a 100644
--- a/systems/eldiron/websites/tools/landing.nix
+++ b/systems/eldiron/websites/tools/landing.nix
@@ -3,8 +3,8 @@ let
   source = builtins.fetchGit {
     url = "https://git.immae.eu/github/bastienwirtz/homer.git";
     ref = "gitolite_local/local_changes";
-    rev = "af6db21ee92824ddd9c4b9574018789619326ffc";
-    narHash = "sha256-TAf2oIPu5ZfRbxahAjOxwQ/z/g82pXmLPU8LhwxRgXs";
+    rev = "f2f414a2e9b02d645acb49f62fdfcceb8eca7d19";
+    narHash = "sha256-WrAx4gLKOVpwHtLh57ZLoWaUnfohwYlIX/LrwORIbFU=";
   };
   yarnModules = yarn2nix-moretea.mkYarnModules rec {
     nodejs = nodejs_16;
diff --git a/systems/eldiron/websites/tools/landing/ldap_password.php b/systems/eldiron/websites/tools/landing/ldap_password.php
index efb4f57..b3b2f15 100644
--- a/systems/eldiron/websites/tools/landing/ldap_password.php
+++ b/systems/eldiron/websites/tools/landing/ldap_password.php
@@ -45,7 +45,7 @@ function changePasswordSQL($user_realm, $newPassword) {
     }
   }
   $con = pg_connect("");
-  $result = pg_query_params($con, "WITH newsalt as (SELECT gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( $1 || (SELECT * FROM newsalt), 'sha1'), 'hex'), mechanism = 'SSHA', salt = (SELECT * FROM newsalt) where login || '@' || realm = $2", array($newPassword, $user_realm));
+  $result = pg_query_params($con, "WITH newsalt as (SELECT gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( convert_to($1, 'UTF8') || (SELECT * FROM newsalt), 'sha1'), 'hex'), mechanism = 'SSHA', salt = (SELECT * FROM newsalt) where login || '@' || realm = $2", array($newPassword, $user_realm));
   if (!$result) {
     $message[] = "Error when accessing database";
     return false;
diff --git a/systems/monitoring-1/flake.lock b/systems/monitoring-1/flake.lock
index b0e16eb..372338d 100644
--- a/systems/monitoring-1/flake.lock
+++ b/systems/monitoring-1/flake.lock
@@ -22,7 +22,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Deh1qsi1UFskPSAwq2sUGyPeh7hVVHct8hhy4o6fEzE=",
+        "narHash": "sha256-S6sETV9+RccMB5LcH4vOZJiTdhLS3SRIjFRvEfjd9Ag=",
         "path": "../../flakes/private/chatons",
         "type": "path"
       },
@@ -74,7 +74,7 @@
     "environment": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -86,7 +86,7 @@
     "environment_2": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../../flakes/private/environment",
         "type": "path"
       },
@@ -98,7 +98,7 @@
     "environment_3": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -110,7 +110,7 @@
     "environment_4": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -122,7 +122,7 @@
     "environment_5": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -259,7 +259,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-XdgjCex3Izb2hID+EBVj0YsEE5xvc+I416I2fHpi1LE=",
+        "narHash": "sha256-tY5qk98NpdM4osbPYFeo6/pHiQQU4a4iKw2jCJP99q8=",
         "path": "../../flakes/private/mail-relay",
         "type": "path"
       },
@@ -277,7 +277,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-VZjf9fXcyeS3LpVW6NvzJpiJuEtJsGlOOfH8XwL8CdI=",
+        "narHash": "sha256-F7GennKqLc6Cx3DuU6qSPUHmjvpfrrfOshor41vaCz4=",
         "path": "../../flakes/private/monitoring",
         "type": "path"
       },
@@ -313,7 +313,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-PPOh6hf0hakuHCBOgJok208Qc3xKpuwwxhHV2QQRbmA=",
+        "narHash": "sha256-r3UkR0dalaU+FjmDcrMkXeT3BOJryAVzX7Sp8pihjno=",
         "path": "../../mypackages",
         "type": "path"
       },
@@ -735,7 +735,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-xH6yyfvDLevdZrnKsGXhkZmNMZkOPJOqXnpubkfnoOE=",
+        "narHash": "sha256-uW8mX4yKNyf1lysk3yNW54RILG+JfJ9KQ10dAAge4Hk=",
         "path": "../../flakes/private/system",
         "type": "path"
       },
diff --git a/systems/quatresaisons/flake.lock b/systems/quatresaisons/flake.lock
index c427111..5b56444 100644
--- a/systems/quatresaisons/flake.lock
+++ b/systems/quatresaisons/flake.lock
@@ -59,7 +59,7 @@
     "environment": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../../flakes/private/environment",
         "type": "path"
       },
@@ -71,7 +71,7 @@
     "environment_2": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -83,7 +83,7 @@
     "environment_3": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -239,7 +239,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-VZjf9fXcyeS3LpVW6NvzJpiJuEtJsGlOOfH8XwL8CdI=",
+        "narHash": "sha256-F7GennKqLc6Cx3DuU6qSPUHmjvpfrrfOshor41vaCz4=",
         "path": "../../flakes/private/monitoring",
         "type": "path"
       },
@@ -291,7 +291,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-PPOh6hf0hakuHCBOgJok208Qc3xKpuwwxhHV2QQRbmA=",
+        "narHash": "sha256-r3UkR0dalaU+FjmDcrMkXeT3BOJryAVzX7Sp8pihjno=",
         "path": "../../mypackages",
         "type": "path"
       },
@@ -712,7 +712,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-xH6yyfvDLevdZrnKsGXhkZmNMZkOPJOqXnpubkfnoOE=",
+        "narHash": "sha256-uW8mX4yKNyf1lysk3yNW54RILG+JfJ9KQ10dAAge4Hk=",
         "path": "../../flakes/private/system",
         "type": "path"
       },
diff --git a/systems/zoldene/base.nix b/systems/zoldene/base.nix
index 617cd82..947859a 100644
--- a/systems/zoldene/base.nix
+++ b/systems/zoldene/base.nix
@@ -13,8 +13,10 @@ in
     secrets.nixosModules.users-config-zoldene
     ./virtualisation.nix
     ./certificates.nix
+    ./synapse.nix
   ];
 
+  programs.ssh.package = pkgs.openssh;
   services.openssh = {
     settings.KbdInteractiveAuthentication = false;
     hostKeys = [
diff --git a/systems/zoldene/flake.lock b/systems/zoldene/flake.lock
index 28db0fe..3407528 100644
--- a/systems/zoldene/flake.lock
+++ b/systems/zoldene/flake.lock
@@ -59,7 +59,7 @@
     "environment": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../environment",
         "type": "path"
       },
@@ -193,7 +193,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-PPOh6hf0hakuHCBOgJok208Qc3xKpuwwxhHV2QQRbmA=",
+        "narHash": "sha256-r3UkR0dalaU+FjmDcrMkXeT3BOJryAVzX7Sp8pihjno=",
         "path": "../../mypackages",
         "type": "path"
       },
@@ -387,11 +387,11 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1708475490,
-        "narHash": "sha256-g1v0TsWBQPX97ziznfJdWhgMyMGtoBFs102xSYO4syU=",
+        "lastModified": 1720031269,
+        "narHash": "sha256-rwz8NJZV+387rnWpTYcXaRNvzUSnnF9aHONoJIYmiUQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0e74ca98a74bc7270d28838369593635a5db3260",
+        "rev": "9f4128e00b0ae8ec65918efeba59db998750ead6",
         "type": "github"
       },
       "original": {
@@ -436,7 +436,7 @@
     "private-environment": {
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-Kj3j/3B8V8IHbeSZ3ho33C7ktOcTle2h6dKEWWfVuvU=",
+        "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
         "path": "../../flakes/private/environment",
         "type": "path"
       },
@@ -455,7 +455,7 @@
       },
       "locked": {
         "lastModified": 1,
-        "narHash": "sha256-xH6yyfvDLevdZrnKsGXhkZmNMZkOPJOqXnpubkfnoOE=",
+        "narHash": "sha256-uW8mX4yKNyf1lysk3yNW54RILG+JfJ9KQ10dAAge4Hk=",
         "path": "../../flakes/private/system",
         "type": "path"
       },
diff --git a/systems/zoldene/logging.nix b/systems/zoldene/logging.nix
index 2b6e331..943d5f1 100644
--- a/systems/zoldene/logging.nix
+++ b/systems/zoldene/logging.nix
@@ -102,6 +102,8 @@ in
         ingestion_burst_size_mb = 200;
         per_stream_rate_limit = "100MB";
         per_stream_rate_limit_burst = "200MB";
+        # Remove after 2024-07-08 see below
+        allow_structured_metadata = false;
       };
 
       schema_config.configs = [
@@ -113,6 +115,14 @@ in
           index.prefix = "index_";
           index.period = "24h";
         }
+        {
+          from = "2024-07-08";
+          store = "tsdb";
+          object_store = "filesystem";
+          schema = "v13";
+          index.prefix = "index_";
+          index.period = "24h";
+        }
       ];
     };
   };
diff --git a/systems/zoldene/synapse.nix b/systems/zoldene/synapse.nix
new file mode 100644
index 0000000..06a1645
--- /dev/null
+++ b/systems/zoldene/synapse.nix
@@ -0,0 +1,211 @@
+{ lib, config, pkgs, name, ... }:
+{
+  config = {
+    security.acme.certs."${name}".extraDomainNames = ["synapse.immae.eu"];
+    services.nginx = {
+      virtualHosts = {
+        "synapse.immae.eu" = {
+          acmeRoot = config.security.acme.defaults.webroot;
+          useACMEHost = name;
+          forceSSL = true;
+
+          locations."~ ^/admin(?:/(.*))?$" = {
+            alias = let
+              synapse-admin = pkgs.fetchzip {
+                url = "https://github.com/Awesome-Technologies/synapse-admin/releases/download/0.10.1/synapse-admin-0.10.1.tar.gz";
+                sha256 = "sha256-M2AYNrnpNoDm20ZTH1OZBHVcjOrHAlqyq5iTQ/At/Xk=";
+                postFetch = ''
+                  sed -i -e 's@"/assets@"./assets@g' $out/index.html
+                '';
+              };
+            in
+              "${synapse-admin}/$1";
+          };
+          locations."/sliding-sync-client/" = {
+            # some svg urls are hardcoded to /client :shrug:
+            alias = "${pkgs.matrix-sliding-sync.src}/client/";
+            tryFiles = "$uri $uri/ /sliding-sync-client/index.html";
+          };
+          locations."~ ^/_matrix/client/unstable/org.matrix.msc3575/sync" = {
+            proxyPass = "http://unix:/run/matrix-synapse/sliding_sync.sock:";
+          };
+          locations."~ ^(/_matrix|/_synapse/client|/_synapse/admin)" = {
+            proxyPass = "http://unix:/run/matrix-synapse/main_client_federation.sock:";
+            extraConfig = ''
+              client_max_body_size 50M;
+            '';
+          };
+        };
+      };
+    };
+
+    systemd.services.postgresql.postStart = lib.mkAfter ''
+      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-synapse'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-synapse\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
+      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'matrix-sliding-sync'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE \"matrix-sliding-sync\" LC_COLLATE='C' LC_CTYPE='C' TEMPLATE template0"
+      $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='matrix-synapse'" | grep -q 1 || $PSQL -tAc 'CREATE USER "matrix-synapse"'
+      $PSQL -tAc 'ALTER DATABASE "matrix-synapse" OWNER TO "matrix-synapse";'
+      $PSQL -tAc 'ALTER DATABASE "matrix-sliding-sync" OWNER TO "matrix-synapse";'
+    '';
+
+    disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-sliding-sync" =
+      { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-sliding-sync"; options.mountpoint = "legacy"; };
+    disko.devices.zpool.zfast.datasets."root/persist/var/lib/matrix-synapse" =
+      { type = "zfs_fs"; mountpoint = "/persist/zfast/var/lib/matrix-synapse"; options.mountpoint = "legacy"; };
+
+    environment.persistence."/persist/zfast".directories = [
+      {
+        directory = "/var/lib/matrix-synapse";
+        user = "matrix-synapse";
+        group = "matrix-synapse";
+        mode = "0700";
+      }
+      {
+        directory = "/var/lib/matrix-sliding-sync";
+        user = "matrix-synapse";
+        group = "matrix-synapse";
+        mode = "0700";
+      }
+    ];
+
+    users.users.matrix-synapse.extraGroups = [ "keys" ];
+    users.users.nginx.extraGroups = [ "matrix-synapse" ];
+
+    services.matrix-synapse = {
+      enable = true;
+      log.root.level = "WARNING";
+      plugins = [
+        config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3
+      ];
+      extraConfigFiles = [
+        config.secrets.fullPaths."matrix/homeserver_secrets.yaml"
+      ];
+      settings.modules = [
+        {
+          module = "ldap_auth_provider.LdapAuthProviderModule";
+          config = {
+            enabled = true;
+            uri = "ldaps://${config.myEnv.tools.matrix.ldap.host}:636";
+            start_tls = false;
+            base = config.myEnv.tools.matrix.ldap.base;
+            attributes = {
+              uid = "uid";
+              mail = "mail";
+              name = "cn";
+            };
+            bind_dn = config.myEnv.tools.matrix.ldap.dn;
+            bind_password_file = config.secrets.fullPaths."matrix/ldap_password";
+            filter = config.myEnv.tools.matrix.ldap.filter;
+          };
+        }
+      ];
+      settings.server_name = "immae.eu";
+      settings.signing_key_path = config.secrets.fullPaths."matrix/signing.key";
+      settings.listeners = [
+        {
+          port = 8008;
+          bind_addresses = [ "127.0.0.1" ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = [ "client" ];
+              compress = true;
+            }
+          ];
+        }
+        {
+          path = "/run/matrix-synapse/main_client_federation.sock";
+          resources = [
+            {
+              compress = true;
+              names = [ "client" ];
+            }
+            {
+              compress = false;
+              names = [ "federation" ];
+            }
+          ];
+          type = "http";
+          x_forwarded = true;
+        }
+      ];
+    };
+    services.matrix-sliding-sync = {
+      enable = true;
+      createDatabase = false;
+      settings.SYNCV3_SERVER = "/run/matrix-synapse/main_client_federation.sock";
+      settings.SYNCV3_BINDADDR = "/run/matrix-synapse/sliding_sync.sock";
+      environmentFile = config.secrets.fullPaths."matrix/sliding-sync";
+    };
+
+    systemd.services.matrix-synapse = {
+      after = [
+        "postgresql.service"
+        "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
+        "var-lib-matrix\\x2dsynapse.mount"
+      ];
+      unitConfig = {
+        BindsTo = [
+          "var-lib-matrix\\x2dsynapse.mount"
+          "persist-zfast-var-lib-matrix\\x2dsynapse.mount"
+        ];
+      };
+      serviceConfig.SupplementaryGroups = [ "keys" ];
+    };
+
+    systemd.services.matrix-sliding-sync = {
+      serviceConfig = {
+        DynamicUser = lib.mkForce false;
+        User = "matrix-synapse";
+        Group = "matrix-synapse";
+        RuntimeDirectory = lib.mkForce "matrix-synapse";
+        SupplementaryGroups = [ "keys" ];
+      };
+      unitConfig = {
+        BindsTo = [
+          "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
+          "var-lib-matrix\\x2dsliding\\x2dsync.mount"
+        ];
+        After = lib.mkForce [
+          "matrix-synapse.service"
+          "postgresql.service"
+          "var-lib-matrix\\x2dsliding\\x2dsync.mount"
+          "persist-zfast-var-lib-matrix\\x2dsliding\\x2dsync.mount"
+        ];
+      };
+    };
+    secrets.keys."matrix/ldap_password" = {
+      permissions = "0400";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      text = config.myEnv.tools.matrix.ldap.password;
+    };
+    secrets.keys."matrix/signing.key" = {
+      permissions = "0400";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      text = "{{ .matrix.signing_key }}";
+    };
+    secrets.keys."matrix/homeserver_secrets.yaml" = {
+      permissions = "0400";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      # Beware, yaml keys are merged at top level, not deep
+      text = ''
+        password_config:
+            enabled: true
+            pepper: "{{ .matrix.password_pepper }}"
+        macaroon_secret_key: "{{ .matrix.macaroon_secret_key }}"
+      '';
+    };
+    secrets.keys."matrix/sliding-sync" = {
+      permissions = "0400";
+      user = "matrix-synapse";
+      group = "matrix-synapse";
+      text = ''
+        SYNCV3_SECRET={{ .matrix.sliding_sync_secret }}
+      '';
+    };
+  };
+}