-rw-r--r--app/bad.csi-s3/deploy/dummy-volume.hcl20
-rw-r--r--app/dummy/deploy/.gitignore1
-rwxr-xr-x[l---------]app/secretmgr.py381
-rw-r--r--cluster/prod/app/cryptpad/build/README.md (renamed from app/cryptpad/build/README.md)0
-rw-r--r--cluster/prod/app/cryptpad/build/common.nix (renamed from app/cryptpad/build/common.nix)0
-rw-r--r--cluster/prod/app/cryptpad/build/default.nix (renamed from app/cryptpad/build/default.nix)0
-rw-r--r--cluster/prod/app/cryptpad/build/docker.nix (renamed from app/cryptpad/build/docker.nix)0
-rw-r--r--cluster/prod/app/cryptpad/build/nix.lock/bower.json (renamed from app/cryptpad/build/nix.lock/bower.json)0
-rw-r--r--cluster/prod/app/cryptpad/build/nix.lock/bower.nix (renamed from app/cryptpad/build/nix.lock/bower.nix)0
-rw-r--r--cluster/prod/app/cryptpad/build/nix.lock/node-env.nix (renamed from app/cryptpad/build/nix.lock/node-env.nix)0
-rw-r--r--cluster/prod/app/cryptpad/build/nix.lock/node-packages.nix (renamed from app/cryptpad/build/nix.lock/node-packages.nix)0
-rw-r--r--cluster/prod/app/cryptpad/build/nix.lock/npm.nix (renamed from app/cryptpad/build/nix.lock/npm.nix)0
-rw-r--r--cluster/prod/app/cryptpad/build/nix.lock/package-lock.json (renamed from app/cryptpad/build/nix.lock/package-lock.json)0
-rw-r--r--cluster/prod/app/cryptpad/build/nix.lock/package.json (renamed from app/cryptpad/build/nix.lock/package.json)0
-rw-r--r--cluster/prod/app/cryptpad/build/shell.nix (renamed from app/cryptpad/build/shell.nix)0
-rw-r--r--cluster/prod/app/cryptpad/config/application_config.js (renamed from app/cryptpad/config/application_config.js)0
-rw-r--r--cluster/prod/app/cryptpad/config/config.js (renamed from app/cryptpad/config/config.js)0
-rw-r--r--cluster/prod/app/cryptpad/deploy/backup.hcl (renamed from app/cryptpad/deploy/backup.hcl)0
-rw-r--r--cluster/prod/app/cryptpad/deploy/cryptpad.hcl (renamed from app/cryptpad/deploy/cryptpad.hcl)0
-rw-r--r--cluster/prod/app/cryptpad/secrets/cryptpad_backup/backup_aws_access_key_id (renamed from app/cryptpad/secrets/cryptpad_backup/backup_aws_access_key_id)0
-rw-r--r--cluster/prod/app/cryptpad/secrets/cryptpad_backup/backup_aws_secret_access_key (renamed from app/cryptpad/secrets/cryptpad_backup/backup_aws_secret_access_key)0
-rw-r--r--cluster/prod/app/cryptpad/secrets/cryptpad_backup/backup_restic_password (renamed from app/cryptpad/secrets/cryptpad_backup/backup_restic_password)0
-rw-r--r--cluster/prod/app/cryptpad/secrets/cryptpad_backup/backup_restic_repository (renamed from app/cryptpad/secrets/cryptpad_backup/backup_restic_repository)0
-rw-r--r--cluster/prod/app/drone-ci/config/litestream.yml (renamed from app/drone-ci/config/litestream.yml)0
-rw-r--r--cluster/prod/app/drone-ci/deploy/server.hcl (renamed from app/drone-ci/deploy/server.hcl)0
-rw-r--r--cluster/prod/app/drone-ci/integration/README.md (renamed from app/drone-ci/integration/README.md)0
-rw-r--r--cluster/prod/app/drone-ci/integration/docker-compose.yml (renamed from app/drone-ci/integration/docker-compose.yml)0
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret (renamed from app/drone-ci/secrets/drone-ci/cookie_secret)0
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret (renamed from app/drone-ci/secrets/drone-ci/db_enc_secret)0
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id (renamed from app/drone-ci/secrets/drone-ci/oauth_client_id)0
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret (renamed from app/drone-ci/secrets/drone-ci/oauth_client_secret)0
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret (renamed from app/drone-ci/secrets/drone-ci/rpc_secret)0
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak (renamed from app/drone-ci/secrets/drone-ci/s3_ak)0
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket (renamed from app/drone-ci/secrets/drone-ci/s3_db_bucket)0
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk (renamed from app/drone-ci/secrets/drone-ci/s3_sk)0
-rw-r--r--cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket (renamed from app/drone-ci/secrets/drone-ci/s3_storage_bucket)0
-rw-r--r--cluster/prod/app/frontend/deploy/frontend-tricot-prod.hcl (renamed from app/frontend/deploy/frontend-tricot-prod.hcl)0
-rw-r--r--cluster/prod/app/jitsi/build/jitsi-conference-focus/0001-Remove-broken-command-line-args-parameters-setting.patch (renamed from app/jitsi/build/jitsi-conference-focus/0001-Remove-broken-command-line-args-parameters-setting.patch)0
-rw-r--r--cluster/prod/app/jitsi/build/jitsi-conference-focus/Dockerfile (renamed from app/jitsi/build/jitsi-conference-focus/Dockerfile)0
-rwxr-xr-xcluster/prod/app/jitsi/build/jitsi-conference-focus/jicofo (renamed from app/jitsi/build/jitsi-conference-focus/jicofo)0
-rw-r--r--cluster/prod/app/jitsi/build/jitsi-meet/Dockerfile (renamed from app/jitsi/build/jitsi-meet/Dockerfile)0
-rw-r--r--cluster/prod/app/jitsi/build/jitsi-videobridge/0001-Remove-deprecated-argument.patch (renamed from app/jitsi/build/jitsi-videobridge/0001-Remove-deprecated-argument.patch)0
-rw-r--r--cluster/prod/app/jitsi/build/jitsi-videobridge/Dockerfile (renamed from app/jitsi/build/jitsi-videobridge/Dockerfile)0
-rwxr-xr-xcluster/prod/app/jitsi/build/jitsi-videobridge/jvb_run (renamed from app/jitsi/build/jitsi-videobridge/jvb_run)0
-rw-r--r--cluster/prod/app/jitsi/build/jitsi-xmpp/Dockerfile (renamed from app/jitsi/build/jitsi-xmpp/Dockerfile)0
-rwxr-xr-xcluster/prod/app/jitsi/build/jitsi-xmpp/xmpp_prosody (renamed from app/jitsi/build/jitsi-xmpp/xmpp_prosody)0
-rw-r--r--cluster/prod/app/jitsi/config/config.js (renamed from app/jitsi/config/config.js)0
-rw-r--r--cluster/prod/app/jitsi/config/jicofo.conf (renamed from app/jitsi/config/jicofo.conf)0
-rw-r--r--cluster/prod/app/jitsi/config/nginx.conf (renamed from app/jitsi/config/nginx.conf)0
-rw-r--r--cluster/prod/app/jitsi/config/prosody.cfg.lua (renamed from app/jitsi/config/prosody.cfg.lua)0
-rw-r--r--cluster/prod/app/jitsi/config/videobridge.conf (renamed from app/jitsi/config/videobridge.conf)0
-rw-r--r--cluster/prod/app/jitsi/deploy/jitsi.hcl (renamed from app/jitsi/deploy/jitsi.hcl)0
-rw-r--r--cluster/prod/app/jitsi/integration/README.md (renamed from app/jitsi/integration/README.md)0
-rw-r--r--cluster/prod/app/jitsi/integration/docker-compose.yml (renamed from app/jitsi/integration/docker-compose.yml)0
-rw-r--r--cluster/prod/app/jitsi/integration/jicofo/jicofo.conf (renamed from app/jitsi/integration/jicofo/jicofo.conf)0
-rw-r--r--cluster/prod/app/jitsi/integration/jvb/logging.properties (renamed from app/jitsi/integration/jvb/logging.properties)0
-rw-r--r--cluster/prod/app/jitsi/integration/jvb/videobridge.conf (renamed from app/jitsi/integration/jvb/videobridge.conf)0
-rw-r--r--cluster/prod/app/jitsi/integration/meet/config.js (renamed from app/jitsi/integration/meet/config.js)0
-rw-r--r--cluster/prod/app/jitsi/integration/meet/nginx.conf (renamed from app/jitsi/integration/meet/nginx.conf)0
-rw-r--r--cluster/prod/app/jitsi/integration/prosody/prosody.cfg.lua (renamed from app/jitsi/integration/prosody/prosody.cfg.lua)0
-rw-r--r--cluster/prod/app/jitsi/integration/prosody/prosody.cfg.lua.back (renamed from app/jitsi/integration/prosody/prosody.cfg.lua.back)0
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt (renamed from app/jitsi/secrets/jitsi/auth.jitsi.crt)0
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key (renamed from app/jitsi/secrets/jitsi/auth.jitsi.key)0
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass (renamed from app/jitsi/secrets/jitsi/jicofo_pass)0
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt (renamed from app/jitsi/secrets/jitsi/jitsi.crt)0
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/jitsi.key (renamed from app/jitsi/secrets/jitsi/jitsi.key)0
-rw-r--r--cluster/prod/app/jitsi/secrets/jitsi/jvb_pass (renamed from app/jitsi/secrets/jitsi/jvb_pass)0
-rw-r--r--cluster/prod/garage/config/garage.toml24
-rw-r--r--cluster/prod/garage/deploy/garage.hcl131
-rw-r--r--cluster/prod/garage/secrets/garage/rpc_secret (renamed from app/garage-staging/secrets/garage-staging/rpc_secret)0
-rw-r--r--cluster/staging/app/directory/config/bottin/config.json.tpl (renamed from app/directory/config/bottin/config.json.tpl)0
-rw-r--r--cluster/staging/app/directory/config/guichet/config.json.tpl (renamed from app/directory/config/guichet/config.json.tpl)0
-rw-r--r--cluster/staging/app/directory/deploy/directory.hcl (renamed from app/directory/deploy/directory.hcl)0
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/mail_domain (renamed from app/directory/secrets/directory/guichet/mail_domain)0
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/mail_from (renamed from app/directory/secrets/directory/guichet/mail_from)0
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_access_key (renamed from app/directory/secrets/directory/guichet/s3_access_key)0
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_bucket (renamed from app/directory/secrets/directory/guichet/s3_bucket)0
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint (renamed from app/directory/secrets/directory/guichet/s3_endpoint)0
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_region (renamed from app/directory/secrets/directory/guichet/s3_region)0
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key (renamed from app/directory/secrets/directory/guichet/s3_secret_key)0
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/smtp_pass (renamed from app/directory/secrets/directory/guichet/smtp_pass)0
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/smtp_server (renamed from app/directory/secrets/directory/guichet/smtp_server)0
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/smtp_user (renamed from app/directory/secrets/directory/guichet/smtp_user)0
-rw-r--r--cluster/staging/app/directory/secrets/directory/guichet/web_hostname (renamed from app/directory/secrets/directory/guichet/web_hostname)0
-rw-r--r--cluster/staging/app/directory/secrets/directory/ldap_base_dn (renamed from app/directory/secrets/directory/ldap_base_dn)0
-rw-r--r--cluster/staging/app/docker-compose.yml (renamed from app/docker-compose.yml)0
-rw-r--r--cluster/staging/app/drone-ci/build/.gitignore (renamed from app/drone-ci/build/.gitignore)0
-rw-r--r--cluster/staging/app/drone-ci/build/Makefile (renamed from app/drone-ci/build/Makefile)0
-rw-r--r--cluster/staging/app/drone-ci/build/build-qcow2.nix (renamed from app/drone-ci/build/build-qcow2.nix)0
-rw-r--r--cluster/staging/app/drone-ci/build/machine-config.nix (renamed from app/drone-ci/build/machine-config.nix)0
-rw-r--r--cluster/staging/app/drone-ci/deploy/bad-runner-vm.hcl (renamed from app/drone-ci/deploy/bad-runner-vm.hcl)0
-rw-r--r--cluster/staging/app/drone-ci/deploy/runner-docker.hcl (renamed from app/drone-ci/deploy/runner-docker.hcl)0
-rw-r--r--cluster/staging/app/frontend/deploy/frontend-tricot.hcl (renamed from app/frontend/deploy/frontend-tricot.hcl)0
-rw-r--r--cluster/staging/app/garage/config/garage.toml (renamed from app/garage-staging/config/garage.toml)0
-rw-r--r--cluster/staging/app/garage/deploy/garage.hcl (renamed from app/garage-staging/deploy/garage.hcl)0
-rw-r--r--cluster/staging/app/garage/secrets/garage-staging/rpc_secret1
-rw-r--r--cluster/staging/app/im/build/matrix-synapse/Dockerfile (renamed from app/im/build/matrix-synapse/Dockerfile)0
-rwxr-xr-xcluster/staging/app/im/build/matrix-synapse/entrypoint.sh (renamed from app/im/build/matrix-synapse/entrypoint.sh)0
-rwxr-xr-xcluster/staging/app/im/build/matrix-synapse/matrix-s3-async (renamed from app/im/build/matrix-synapse/matrix-s3-async)0
-rwxr-xr-xcluster/staging/app/im/build/matrix-synapse/matrix-s3-async-sqlite (renamed from app/im/build/matrix-synapse/matrix-s3-async-sqlite)0
-rw-r--r--cluster/staging/app/im/config/homeserver.yaml (renamed from app/im/config/homeserver.yaml)0
-rw-r--r--cluster/staging/app/im/config/litestream.yml (renamed from app/im/config/litestream.yml)0
-rw-r--r--cluster/staging/app/im/config/synapse.log.config.yaml (renamed from app/im/config/synapse.log.config.yaml)0
-rw-r--r--cluster/staging/app/im/deploy/im.hcl (renamed from app/im/deploy/im.hcl)0
-rw-r--r--cluster/staging/app/im/secrets/synapse/form_secret (renamed from app/im/secrets/synapse/form_secret)0
-rw-r--r--cluster/staging/app/im/secrets/synapse/macaroon_secret_key (renamed from app/im/secrets/synapse/macaroon_secret_key)0
-rw-r--r--cluster/staging/app/im/secrets/synapse/registration_shared_secret (renamed from app/im/secrets/synapse/registration_shared_secret)0
-rw-r--r--cluster/staging/app/im/secrets/synapse/s3_access_key (renamed from app/im/secrets/synapse/s3_access_key)0
-rw-r--r--cluster/staging/app/im/secrets/synapse/s3_secret_key (renamed from app/im/secrets/synapse/s3_secret_key)0
-rw-r--r--cluster/staging/app/im/secrets/synapse/signing_key (renamed from app/im/secrets/synapse/signing_key)0
-rw-r--r--cluster/staging/app/telemetry/config/apm-config.yaml (renamed from app/telemetry/config/apm-config.yaml)0
-rw-r--r--cluster/staging/app/telemetry/config/filebeat.yml (renamed from app/telemetry/config/filebeat.yml)0
-rw-r--r--cluster/staging/app/telemetry/config/grafana-litestream.yml (renamed from app/telemetry/config/grafana-litestream.yml)0
-rw-r--r--cluster/staging/app/telemetry/config/grafana/provisioning/datasources/elastic.yaml (renamed from app/telemetry/config/grafana/provisioning/datasources/elastic.yaml)0
-rw-r--r--cluster/staging/app/telemetry/config/otel-config.yaml (renamed from app/telemetry/config/otel-config.yaml)0
-rw-r--r--cluster/staging/app/telemetry/deploy/telemetry-system.hcl (renamed from app/telemetry/deploy/telemetry-system.hcl)0
-rw-r--r--cluster/staging/app/telemetry/deploy/telemetry.hcl (renamed from app/telemetry/deploy/telemetry.hcl)0
117 files changed, 556 insertions, 2 deletions
diff --git a/app/bad.csi-s3/deploy/dummy-volume.hcl b/app/bad.csi-s3/deploy/dummy-volume.hcl
new file mode 100644
index 0000000..67dfd39
--- /dev/null
+++ b/app/bad.csi-s3/deploy/dummy-volume.hcl
@@ -0,0 +1,20 @@
+id = "dummy-volume"
+name = "dummy-volume"
+type = "csi"
+plugin_id = "csi-s3"
+
+capability {
+ access_mode = "single-node-writer"
+ attachment_mode = "file-system"
+}
+
+secrets {
+ accessKeyId = "GKfd94f06139bb73de5642baf5"
+ secretAccessKey = "a4fa6c956d847b145a823c4615e4655126c67babf3cce2337b4d73cd381d7f06"
+ endpoint = "https://garage-staging.home.adnab.me"
+ region = "garage-staging"
+}
+
+parameters {
+ mounter = "rclone"
+}
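Review bot: The `secrets` block commits an S3 `accessKeyId` and `secretAccessKey` for a routable Garage endpoint in clear text, and the `.gitignore` entry that excluded `dummy-volume.hcl` is deleted by this same commit (the hunk in `app/dummy/deploy/.gitignore`), which looks like what let the file in. Once a key pair is in history it has to be treated as exposed: rotate both values on the Garage side and then re-add this file without them. The rest of this tree appears to resolve credentials through the `secrets/` directive files and Consul (see `secretmgr.py`), so the same approach — a directive under `app/bad.csi-s3/secrets/` and a templated reference in the volume spec — would keep the file committable; if this is intentionally a throwaway example, a comment such as `# placeholder credentials, replace at deploy time` plus obviously fake values would make that clear.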
diff --git a/app/dummy/deploy/.gitignore b/app/dummy/deploy/.gitignore
deleted file mode 100644
index 3af34ab..0000000
--- a/app/dummy/deploy/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-dummy-volume.hcl
diff --git a/app/secretmgr.py b/app/secretmgr.py
index 3364b32..8b17f61 120000..100755
--- a/app/secretmgr.py
+++ b/app/secretmgr.py
@@ -1 +1,380 @@
-../../infrastructure/app/secretmgr.py \ No newline at end of file
+#!/usr/bin/env python3
+
+# DEPENDENCY: python-consul
+import consul
+
+# DEPENDENCY: python-ldap
+import ldap
+
+# DEPENDENCY: passlib
+from passlib.hash import ldap_salted_sha1
+
+import os
+import sys
+import glob
+import subprocess
+import getpass
+import base64
+from secrets import token_bytes
+
+
+"""
+TODO: this will be a utility to handle secrets in the Consul database
+for the various components of the Deuxfleurs infrastructure
+
+Functionnalities:
+- check that secrets are correctly configured
+- help user fill in secrets
+- create LDAP service users and fill in corresponding secrets
+- maybe one day: manage SSL certificates and keys
+
+It uses files placed in <module_name>/secrets/* to know what secrets
+it should handle. These secret files contain directives for what to do
+about these secrets.
+
+Example directives:
+
+USER <description>
+(a secret that must be filled in by the user)
+
+USER_LONG <description>
+(the same, indicates that the secret fits on several lines)
+
+CMD <command>
+(a secret that is generated by running this command)
+
+CMD_ONCE <command>
+(same, but value is not changed when doing a regen)
+
+CONST <constant value>
+(the secret has a constant value set here)
+
+CONST_LONG
+<constant value, several lines>
+(same)
+
+SERVICE_DN <service name> <service description>
+(the LDAP DN of a service user)
+
+SERVICE_PASSWORD <service name>
+(the LDAP password for the corresponding service user)
+
+SSL_CERT <cert name> <list of domains>
+(a SSL domain for the given domains)
+
+SSL_KEY <cert name>
+(the SSL key going with corresponding certificate)
+
+RSA_PUBLIC_KEY <key name> <key description>
+(a public RSA key)
+
+RSA_PRIVATE_KEY <key name>
+(the corresponding private RSA key)
+"""
+
+
+# Parameters
+LDAP_URL = "ldap://localhost:1389"
+SERVICE_DN_SUFFIX = "ou=services,ou=users,dc=deuxfleurs,dc=fr"
+consul_server = consul.Consul()
+
+
+# ----
+
+USER = "USER"
+USER_LONG = "USER_LONG"
+CMD = "CMD"
+CMD_ONCE = "CMD_ONCE"
+CONST = "CONST"
+CONST_LONG = "CONST_LONG"
+SERVICE_DN = "SERVICE_DN"
+SERVICE_PASSWORD = "SERVICE_PASSWORD"
+SSL_CERT = "SSL_CERT"
+SSL_KEY = "SSL_KEY"
+RSA_PUBLIC_KEY = "RSA_PUBLIC_KEY"
+RSA_PRIVATE_KEY = "RSA_PRIVATE_KEY"
+
+class bcolors:
+ HEADER = '\033[95m'
+ OKBLUE = '\033[94m'
+ OKCYAN = '\033[96m'
+ OKGREEN = '\033[92m'
+ WARNING = '\033[93m'
+ FAIL = '\033[91m'
+ ENDC = '\033[0m'
+ BOLD = '\033[1m'
+ UNDERLINE = '\033[4m'
+
+def read_secret(key, file_path):
+ lines = [l.strip() for l in open(file_path, "r")]
+ if len(lines) == 0:
+ print(bcolors.FAIL, "ERROR:", bcolors.ENDC, "Empty file in", file_path)
+ sys.exit(-1)
+ l0 = lines[0].split(" ")
+ stype = l0[0]
+ secret = {"type": stype, "key": key}
+ if stype in [USER, USER_LONG]:
+ secret["desc"] = " ".join(l0[1:])
+ elif stype in [CMD, CMD_ONCE]:
+ secret["cmd"] = " ".join(l0[1:])
+ elif stype == CONST:
+ secret["value"] = " ".join(l0[1:])
+ elif stype == CONST_LONG:
+ secret["value"] = "\n".join(lines[1:])
+ elif stype in [SERVICE_DN, SERVICE_PASSWORD]:
+ secret["service"] = l0[1]
+ if stype == SERVICE_DN:
+ secret["service_desc"] = " ".join(l0[2:])
+ elif stype in [SSL_CERT, SSL_KEY]:
+ secret["cert_name"] = l0[1]
+ if stype == SSL_CERT:
+ secret["cert_domains"] = l0[2:]
+ elif stype in [RSA_PUBLIC_KEY, RSA_PRIVATE_KEY]:
+ secret["key_name"] = l0[1]
+ if stype == RSA_PUBLIC_KEY:
+ secret["key_desc"] = " ".join(l0[2:])
+ else:
+ print(bcolors.FAIL, "ERROR:", bcolors.ENDC, "Invalid secret type", stype, "in", file_path)
+ sys.exit(-1)
+
+ return secret
+
+def read_secrets(module_list):
+ secrets = {}
+ for mod in module_list:
+ for file_path in glob.glob(mod.strip('/') + "/secrets/**", recursive=True):
+ if os.path.isfile(file_path):
+ key = '/'.join(file_path.split("/")[1:])
+ secrets[key] = read_secret(key, file_path)
+ return secrets
+
+def get_secrets_services(secrets):
+ services = {}
+ for key, secret in secrets.items():
+ if secret["type"] not in [SERVICE_DN, SERVICE_PASSWORD]:
+ continue
+ svc = secret["service"]
+ print(svc, "@", key, bcolors.OKCYAN, "...", bcolors.ENDC)
+ if svc not in services:
+ services[svc] = {
+ "dn": "cn=%s,%s"%(svc, SERVICE_DN_SUFFIX),
+ "desc": "(not provided)",
+ "pass": None,
+ "dn_at": [],
+ "pass_at": [],
+ }
+ if secret["type"] == SERVICE_DN:
+ services[svc]["dn_at"].append(key)
+ services[svc]["desc"] = secret["service_desc"]
+
+ if secret["type"] == SERVICE_PASSWORD:
+ services[svc]["pass_at"].append(key)
+ _, data = consul_server.kv.get(key)
+ if data is not None:
+ if services[svc]["pass"] is None:
+ services[svc]["pass"] = data["Value"].decode('ascii').strip()
+
+ return services
+
+ldap_admin_conn = None
+def get_ldap_admin_conn():
+ global ldap_admin_conn
+ if ldap_admin_conn is None:
+ ldap_admin_conn = ldap.initialize(LDAP_URL)
+ ldap_user = input("LDAP admin user (full DN, please!): ")
+ ldap_pass = getpass.getpass("LDAP admin password: ")
+ ldap_admin_conn.simple_bind_s(ldap_user, ldap_pass)
+ return ldap_admin_conn
+
+# ---- CHECK COMMAND ----
+
+def check_secrets(module_list):
+ secrets = read_secrets(module_list)
+ print("Found", len(secrets), "secrets to check")
+ print()
+
+ check_secrets_presence(secrets)
+ check_secrets_services(secrets)
+
+def check_secrets_presence(secrets):
+ print("Checking secrets presence...")
+ for key in secrets.keys():
+ _, data = consul_server.kv.get(key)
+ if data is None:
+ print(key, bcolors.FAIL, "x", bcolors.ENDC)
+ else:
+ print(key, bcolors.OKGREEN, "✓", bcolors.ENDC)
+ print()
+
+def check_secrets_services(secrets):
+ print("Checking secrets for LDAP service users...")
+ services = get_secrets_services(secrets)
+
+ for svc_name, svc in services.items():
+ for dn_key in svc["dn_at"]:
+ _, data = consul_server.kv.get(dn_key)
+ if data is not None:
+ got_val = data["Value"].decode('ascii').strip()
+ if got_val != svc["dn"]:
+ print(svc_name, "wrong DN at", dn_key, bcolors.FAIL, "x", bcolors.ENDC)
+ print("got:", got_val, "instead of:", svc["dn"])
+
+ if svc["pass"] is None:
+ print(svc_name, bcolors.FAIL, "no password stored", bcolors.ENDC)
+ else:
+ for pass_key in svc["pass_at"]:
+ _, data = consul_server.kv.get(pass_key)
+ if data is not None:
+ got_val = data["Value"].decode('ascii').strip()
+ if got_val != svc["pass"]:
+ print(svc_name, "wrong pass at", dn_key, bcolors.FAIL, "x", bcolors.ENDC)
+
+ l = ldap.initialize(LDAP_URL)
+ try:
+ l.simple_bind_s(svc["dn"], svc["pass"])
+ print(svc_name, bcolors.OKGREEN, "✓", bcolors.ENDC)
+ except Exception as e:
+ print(svc_name, bcolors.FAIL, e, bcolors.ENDC)
+ print()
+
+
+# ---- GEN COMMAND ----
+
+def gen_secrets(module_list, regen):
+ secrets = read_secrets(module_list)
+ print("Found", len(secrets), "secrets to check and maybe generate")
+ print()
+
+ gen_secrets_base(secrets, regen)
+ gen_secrets_services(secrets, regen)
+
+ check_secrets_presence(secrets)
+ check_secrets_services(secrets)
+
+def gen_secrets_base(secrets, regen):
+ print("Filling in user secrets and cmd secrets...")
+
+ for key, secret in secrets.items():
+ _, data = consul_server.kv.get(key)
+ if data is not None and not regen:
+ continue
+
+ if secret["type"] == USER:
+ print("----")
+ print(key)
+ print("Description:", secret["desc"])
+ print("Enter value for secret, or ^C to skip:")
+ try:
+ val = input().strip()
+ consul_server.kv.put(key, val)
+ print(bcolors.OKCYAN, "Value set.", bcolors.ENDC)
+ except KeyboardInterrupt:
+ print(bcolors.WARNING, "Skipped.", bcolors.ENDC)
+
+ if secret["type"] == USER_LONG:
+ print("----")
+ print(key)
+ print("Description:", secret["desc"])
+ print("Enter value for secret, or ^C to skip:")
+ print("THIS IS A LONG VALUE, ENTER SEVERAL LINES AND FINISH WITH A LINE CONTAINING A SINGLE .")
+ try:
+ lines = []
+ while True:
+ line = input().strip()
+ if line == ".":
+ break
+ lines.append(line)
+ val = "\n".join(lines)
+ consul_server.kv.put(key, val)
+ print(bcolors.OKCYAN, "Value set.", bcolors.ENDC)
+ except KeyboardInterrupt:
+ print(bcolors.WARNING, "Skipped.", bcolors.ENDC)
+
+ if secret["type"] in [CONST, CONST_LONG]:
+ print("----")
+ print(key)
+ print("Resetting to constant value.")
+ consul_server.kv.put(key, secret["value"])
+ print(bcolors.OKCYAN, "Value set.", bcolors.ENDC)
+
+ if secret["type"] == CMD or (secret["type"] == CMD_ONCE and data is None):
+ print("----")
+ print(key)
+ print("Executing command:", secret["cmd"])
+ val = subprocess.check_output(["sh", "-c", secret["cmd"]])
+ consul_server.kv.put(key, val)
+ print(bcolors.OKCYAN, "Value set.", bcolors.ENDC)
+
+ print()
+
+def gen_secrets_services(secrets, regen):
+ print("Generating LDAP service accounts...")
+ services = get_secrets_services(secrets)
+
+ for svc_name, svc in services.items():
+ print("----")
+ print("Service:", svc_name)
+ print("Description:", svc["desc"])
+
+ for dn_key in svc["dn_at"]:
+ _, data = consul_server.kv.get(dn_key)
+ if data is None or data["Value"].decode('ascii').strip() != svc["dn"]:
+ print(bcolors.OKCYAN, "Setting DN", bcolors.ENDC, "at", dn_key)
+ consul_server.kv.put(dn_key, svc["dn"])
+
+ if svc["pass"] is None or regen:
+ print(bcolors.OKCYAN, "Generating new password", bcolors.ENDC)
+ svc["pass"] = base64.urlsafe_b64encode(token_bytes(12)).decode('ascii')
+
+ l = ldap.initialize(LDAP_URL)
+ try:
+ l.simple_bind_s(svc["dn"], svc["pass"])
+ except:
+ fix_service_user(svc)
+
+ for pass_key in svc["pass_at"]:
+ _, data = consul_server.kv.get(pass_key)
+ if data is None or data["Value"].decode('ascii').strip() != svc["pass"]:
+ print(bcolors.OKCYAN, "Setting password", bcolors.ENDC, "at", pass_key)
+ consul_server.kv.put(pass_key, svc["pass"])
+
+ print()
+
+def fix_service_user(svc):
+ print("Fixing service user", svc["dn"], "...")
+ l = get_ldap_admin_conn()
+ res = l.search_s(svc["dn"], ldap.SCOPE_BASE, "objectclass=*")
+ pass_crypt = ldap_salted_sha1.hash(svc["pass"])
+ if res is None or len(res) == 0:
+ print(bcolors.OKCYAN, "Creating entity...", bcolors.ENDC)
+ l.add_s(svc["dn"],
+ [
+ ("objectclass", [b"person", b"top"]),
+ ("displayname", [svc["desc"].encode('ascii')]),
+ ("userpassword", [pass_crypt.encode('ascii')]),
+ ])
+ else:
+ print(bcolors.OKCYAN, "Resetting entity password", bcolors.ENDC)
+ l.modify_s(svc["dn"],
+ [
+ (ldap.MOD_REPLACE, "userpassword", [pass_crypt.encode('ascii')])
+ ])
+
+# ---- MAIN ----
+
+if __name__ == "__main__":
+ for i, val in enumerate(sys.argv):
+ if val == "check":
+ check_secrets(sys.argv[i+1:])
+ break
+ elif val == "gen":
+ gen_secrets(sys.argv[i+1:], False)
+ break
+ elif val == "regen":
+ gen_secrets(sys.argv[i+1:], True)
+ break
+ else:
+ print("Usage:")
+ print(" secretmgr.py [check|gen|regen] <module name>...")
+
+
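Review bot: The bare `except:` around `l.simple_bind_s(svc["dn"], svc["pass"])` in `gen_secrets_services` treats every failure — an unreachable LDAP server, a connection or protocol error, even a KeyboardInterrupt — as "wrong password" and then has `fix_service_user` reset the service account's password through the admin bind, so a transient outage can silently rewrite production credentials; narrow it to `except ldap.LDAPError:` at minimum, or to `ldap.INVALID_CREDENTIALS` if that is what the directory returns for an unknown DN or bad password. In `check_secrets_services` the "wrong pass at" message prints `dn_key` where `pass_key` is meant, so it reports the last DN key instead of the offending password key: `print(svc_name, "wrong pass at", pass_key, bcolors.FAIL, "x", bcolors.ENDC)`. `read_secret` also opens each directive file in a list comprehension and never closes it; `with open(file_path, "r") as f: lines = [l.strip() for l in f]` would fix that. Note that `LDAP_URL` is a plain `ldap://` URL over which both the admin and the service-user passwords are sent; that is presumably fine only because it targets a local forwarding port, which is worth stating in a comment next to the constant.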
diff --git a/app/cryptpad/build/README.md b/cluster/prod/app/cryptpad/build/README.md
index 079d836..079d836 100644
--- a/app/cryptpad/build/README.md
+++ b/cluster/prod/app/cryptpad/build/README.md
diff --git a/app/cryptpad/build/common.nix b/cluster/prod/app/cryptpad/build/common.nix
index 957d381..957d381 100644
--- a/app/cryptpad/build/common.nix
+++ b/cluster/prod/app/cryptpad/build/common.nix
diff --git a/app/cryptpad/build/default.nix b/cluster/prod/app/cryptpad/build/default.nix
index f0a5c00..f0a5c00 100644
--- a/app/cryptpad/build/default.nix
+++ b/cluster/prod/app/cryptpad/build/default.nix
diff --git a/app/cryptpad/build/docker.nix b/cluster/prod/app/cryptpad/build/docker.nix
index 168963d..168963d 100644
--- a/app/cryptpad/build/docker.nix
+++ b/cluster/prod/app/cryptpad/build/docker.nix
diff --git a/app/cryptpad/build/nix.lock/bower.json b/cluster/prod/app/cryptpad/build/nix.lock/bower.json
index faae9d9..faae9d9 100644
--- a/app/cryptpad/build/nix.lock/bower.json
+++ b/cluster/prod/app/cryptpad/build/nix.lock/bower.json
diff --git a/app/cryptpad/build/nix.lock/bower.nix b/cluster/prod/app/cryptpad/build/nix.lock/bower.nix
index cf06e51..cf06e51 100644
--- a/app/cryptpad/build/nix.lock/bower.nix
+++ b/cluster/prod/app/cryptpad/build/nix.lock/bower.nix
diff --git a/app/cryptpad/build/nix.lock/node-env.nix b/cluster/prod/app/cryptpad/build/nix.lock/node-env.nix
index 5f05578..5f05578 100644
--- a/app/cryptpad/build/nix.lock/node-env.nix
+++ b/cluster/prod/app/cryptpad/build/nix.lock/node-env.nix
diff --git a/app/cryptpad/build/nix.lock/node-packages.nix b/cluster/prod/app/cryptpad/build/nix.lock/node-packages.nix
index e60d27a..e60d27a 100644
--- a/app/cryptpad/build/nix.lock/node-packages.nix
+++ b/cluster/prod/app/cryptpad/build/nix.lock/node-packages.nix
diff --git a/app/cryptpad/build/nix.lock/npm.nix b/cluster/prod/app/cryptpad/build/nix.lock/npm.nix
index 53bdef1..53bdef1 100644
--- a/app/cryptpad/build/nix.lock/npm.nix
+++ b/cluster/prod/app/cryptpad/build/nix.lock/npm.nix
diff --git a/app/cryptpad/build/nix.lock/package-lock.json b/cluster/prod/app/cryptpad/build/nix.lock/package-lock.json
index 3385f7e..3385f7e 100644
--- a/app/cryptpad/build/nix.lock/package-lock.json
+++ b/cluster/prod/app/cryptpad/build/nix.lock/package-lock.json
diff --git a/app/cryptpad/build/nix.lock/package.json b/cluster/prod/app/cryptpad/build/nix.lock/package.json
index 2bca4de..2bca4de 100644
--- a/app/cryptpad/build/nix.lock/package.json
+++ b/cluster/prod/app/cryptpad/build/nix.lock/package.json
diff --git a/app/cryptpad/build/shell.nix b/cluster/prod/app/cryptpad/build/shell.nix
index bf701fe..bf701fe 100644
--- a/app/cryptpad/build/shell.nix
+++ b/cluster/prod/app/cryptpad/build/shell.nix
diff --git a/app/cryptpad/config/application_config.js b/cluster/prod/app/cryptpad/config/application_config.js
index 94a613d..94a613d 100644
--- a/app/cryptpad/config/application_config.js
+++ b/cluster/prod/app/cryptpad/config/application_config.js
diff --git a/app/cryptpad/config/config.js b/cluster/prod/app/cryptpad/config/config.js
index 3ed7074..3ed7074 100644
--- a/app/cryptpad/config/config.js
+++ b/cluster/prod/app/cryptpad/config/config.js
diff --git a/app/cryptpad/deploy/backup.hcl b/cluster/prod/app/cryptpad/deploy/backup.hcl
index 99dee2f..99dee2f 100644
--- a/app/cryptpad/deploy/backup.hcl
+++ b/cluster/prod/app/cryptpad/deploy/backup.hcl
diff --git a/app/cryptpad/deploy/cryptpad.hcl b/cluster/prod/app/cryptpad/deploy/cryptpad.hcl
index 726fe5a..726fe5a 100644
--- a/app/cryptpad/deploy/cryptpad.hcl
+++ b/cluster/prod/app/cryptpad/deploy/cryptpad.hcl
diff --git a/app/cryptpad/secrets/cryptpad_backup/backup_aws_access_key_id b/cluster/prod/app/cryptpad/secrets/cryptpad_backup/backup_aws_access_key_id
index 9235e53..9235e53 100644
--- a/app/cryptpad/secrets/cryptpad_backup/backup_aws_access_key_id
+++ b/cluster/prod/app/cryptpad/secrets/cryptpad_backup/backup_aws_access_key_id
diff --git a/app/cryptpad/secrets/cryptpad_backup/backup_aws_secret_access_key b/cluster/prod/app/cryptpad/secrets/cryptpad_backup/backup_aws_secret_access_key
index f34677e..f34677e 100644
--- a/app/cryptpad/secrets/cryptpad_backup/backup_aws_secret_access_key
+++ b/cluster/prod/app/cryptpad/secrets/cryptpad_backup/backup_aws_secret_access_key
diff --git a/app/cryptpad/secrets/cryptpad_backup/backup_restic_password b/cluster/prod/app/cryptpad/secrets/cryptpad_backup/backup_restic_password
index fbaa5fa..fbaa5fa 100644
--- a/app/cryptpad/secrets/cryptpad_backup/backup_restic_password
+++ b/cluster/prod/app/cryptpad/secrets/cryptpad_backup/backup_restic_password
diff --git a/app/cryptpad/secrets/cryptpad_backup/backup_restic_repository b/cluster/prod/app/cryptpad/secrets/cryptpad_backup/backup_restic_repository
index 3f6cb93..3f6cb93 100644
--- a/app/cryptpad/secrets/cryptpad_backup/backup_restic_repository
+++ b/cluster/prod/app/cryptpad/secrets/cryptpad_backup/backup_restic_repository
diff --git a/app/drone-ci/config/litestream.yml b/cluster/prod/app/drone-ci/config/litestream.yml
index 813c824..813c824 100644
--- a/app/drone-ci/config/litestream.yml
+++ b/cluster/prod/app/drone-ci/config/litestream.yml
diff --git a/app/drone-ci/deploy/server.hcl b/cluster/prod/app/drone-ci/deploy/server.hcl
index 85eb776..85eb776 100644
--- a/app/drone-ci/deploy/server.hcl
+++ b/cluster/prod/app/drone-ci/deploy/server.hcl
diff --git a/app/drone-ci/integration/README.md b/cluster/prod/app/drone-ci/integration/README.md
index b3c1cc6..b3c1cc6 100644
--- a/app/drone-ci/integration/README.md
+++ b/cluster/prod/app/drone-ci/integration/README.md
diff --git a/app/drone-ci/integration/docker-compose.yml b/cluster/prod/app/drone-ci/integration/docker-compose.yml
index 1e37255..1e37255 100644
--- a/app/drone-ci/integration/docker-compose.yml
+++ b/cluster/prod/app/drone-ci/integration/docker-compose.yml
diff --git a/app/drone-ci/secrets/drone-ci/cookie_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret
index 04c819e..04c819e 100644
--- a/app/drone-ci/secrets/drone-ci/cookie_secret
+++ b/cluster/prod/app/drone-ci/secrets/drone-ci/cookie_secret
diff --git a/app/drone-ci/secrets/drone-ci/db_enc_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret
index 3f9e696..3f9e696 100644
--- a/app/drone-ci/secrets/drone-ci/db_enc_secret
+++ b/cluster/prod/app/drone-ci/secrets/drone-ci/db_enc_secret
diff --git a/app/drone-ci/secrets/drone-ci/oauth_client_id b/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id
index c801b28..c801b28 100644
--- a/app/drone-ci/secrets/drone-ci/oauth_client_id
+++ b/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_id
diff --git a/app/drone-ci/secrets/drone-ci/oauth_client_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret
index b79b688..b79b688 100644
--- a/app/drone-ci/secrets/drone-ci/oauth_client_secret
+++ b/cluster/prod/app/drone-ci/secrets/drone-ci/oauth_client_secret
diff --git a/app/drone-ci/secrets/drone-ci/rpc_secret b/cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret
index 04c819e..04c819e 100644
--- a/app/drone-ci/secrets/drone-ci/rpc_secret
+++ b/cluster/prod/app/drone-ci/secrets/drone-ci/rpc_secret
diff --git a/app/drone-ci/secrets/drone-ci/s3_ak b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak
index 3a8e4a2..3a8e4a2 100644
--- a/app/drone-ci/secrets/drone-ci/s3_ak
+++ b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_ak
diff --git a/app/drone-ci/secrets/drone-ci/s3_db_bucket b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket
index c36f17d..c36f17d 100644
--- a/app/drone-ci/secrets/drone-ci/s3_db_bucket
+++ b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_db_bucket
diff --git a/app/drone-ci/secrets/drone-ci/s3_sk b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk
index 46fd9fa..46fd9fa 100644
--- a/app/drone-ci/secrets/drone-ci/s3_sk
+++ b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_sk
diff --git a/app/drone-ci/secrets/drone-ci/s3_storage_bucket b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket
index ca2702c..ca2702c 100644
--- a/app/drone-ci/secrets/drone-ci/s3_storage_bucket
+++ b/cluster/prod/app/drone-ci/secrets/drone-ci/s3_storage_bucket
diff --git a/app/frontend/deploy/frontend-tricot-prod.hcl b/cluster/prod/app/frontend/deploy/frontend-tricot-prod.hcl
index 804345b..804345b 100644
--- a/app/frontend/deploy/frontend-tricot-prod.hcl
+++ b/cluster/prod/app/frontend/deploy/frontend-tricot-prod.hcl
diff --git a/app/jitsi/build/jitsi-conference-focus/0001-Remove-broken-command-line-args-parameters-setting.patch b/cluster/prod/app/jitsi/build/jitsi-conference-focus/0001-Remove-broken-command-line-args-parameters-setting.patch
index 14d48c5..14d48c5 100644
--- a/app/jitsi/build/jitsi-conference-focus/0001-Remove-broken-command-line-args-parameters-setting.patch
+++ b/cluster/prod/app/jitsi/build/jitsi-conference-focus/0001-Remove-broken-command-line-args-parameters-setting.patch
diff --git a/app/jitsi/build/jitsi-conference-focus/Dockerfile b/cluster/prod/app/jitsi/build/jitsi-conference-focus/Dockerfile
index 241c61b..241c61b 100644
--- a/app/jitsi/build/jitsi-conference-focus/Dockerfile
+++ b/cluster/prod/app/jitsi/build/jitsi-conference-focus/Dockerfile
diff --git a/app/jitsi/build/jitsi-conference-focus/jicofo b/cluster/prod/app/jitsi/build/jitsi-conference-focus/jicofo
index 8fc8fce..8fc8fce 100755
--- a/app/jitsi/build/jitsi-conference-focus/jicofo
+++ b/cluster/prod/app/jitsi/build/jitsi-conference-focus/jicofo
diff --git a/app/jitsi/build/jitsi-meet/Dockerfile b/cluster/prod/app/jitsi/build/jitsi-meet/Dockerfile
index d8c7cf8..d8c7cf8 100644
--- a/app/jitsi/build/jitsi-meet/Dockerfile
+++ b/cluster/prod/app/jitsi/build/jitsi-meet/Dockerfile
diff --git a/app/jitsi/build/jitsi-videobridge/0001-Remove-deprecated-argument.patch b/cluster/prod/app/jitsi/build/jitsi-videobridge/0001-Remove-deprecated-argument.patch
index 575d93f..575d93f 100644
--- a/app/jitsi/build/jitsi-videobridge/0001-Remove-deprecated-argument.patch
+++ b/cluster/prod/app/jitsi/build/jitsi-videobridge/0001-Remove-deprecated-argument.patch
diff --git a/app/jitsi/build/jitsi-videobridge/Dockerfile b/cluster/prod/app/jitsi/build/jitsi-videobridge/Dockerfile
index 1f2509b..1f2509b 100644
--- a/app/jitsi/build/jitsi-videobridge/Dockerfile
+++ b/cluster/prod/app/jitsi/build/jitsi-videobridge/Dockerfile
diff --git a/app/jitsi/build/jitsi-videobridge/jvb_run b/cluster/prod/app/jitsi/build/jitsi-videobridge/jvb_run
index 8d595e6..8d595e6 100755
--- a/app/jitsi/build/jitsi-videobridge/jvb_run
+++ b/cluster/prod/app/jitsi/build/jitsi-videobridge/jvb_run
diff --git a/app/jitsi/build/jitsi-xmpp/Dockerfile b/cluster/prod/app/jitsi/build/jitsi-xmpp/Dockerfile
index a060fda..a060fda 100644
--- a/app/jitsi/build/jitsi-xmpp/Dockerfile
+++ b/cluster/prod/app/jitsi/build/jitsi-xmpp/Dockerfile
diff --git a/app/jitsi/build/jitsi-xmpp/xmpp_prosody b/cluster/prod/app/jitsi/build/jitsi-xmpp/xmpp_prosody
index af179e5..af179e5 100755
--- a/app/jitsi/build/jitsi-xmpp/xmpp_prosody
+++ b/cluster/prod/app/jitsi/build/jitsi-xmpp/xmpp_prosody
diff --git a/app/jitsi/config/config.js b/cluster/prod/app/jitsi/config/config.js
index 9464f37..9464f37 100644
--- a/app/jitsi/config/config.js
+++ b/cluster/prod/app/jitsi/config/config.js
diff --git a/app/jitsi/config/jicofo.conf b/cluster/prod/app/jitsi/config/jicofo.conf
index 5586348..5586348 100644
--- a/app/jitsi/config/jicofo.conf
+++ b/cluster/prod/app/jitsi/config/jicofo.conf
diff --git a/app/jitsi/config/nginx.conf b/cluster/prod/app/jitsi/config/nginx.conf
index 32cc3c1..32cc3c1 100644
--- a/app/jitsi/config/nginx.conf
+++ b/cluster/prod/app/jitsi/config/nginx.conf
diff --git a/app/jitsi/config/prosody.cfg.lua b/cluster/prod/app/jitsi/config/prosody.cfg.lua
index 7141f8b..7141f8b 100644
--- a/app/jitsi/config/prosody.cfg.lua
+++ b/cluster/prod/app/jitsi/config/prosody.cfg.lua
diff --git a/app/jitsi/config/videobridge.conf b/cluster/prod/app/jitsi/config/videobridge.conf
index a7c166a..a7c166a 100644
--- a/app/jitsi/config/videobridge.conf
+++ b/cluster/prod/app/jitsi/config/videobridge.conf
diff --git a/app/jitsi/deploy/jitsi.hcl b/cluster/prod/app/jitsi/deploy/jitsi.hcl
index 7e12ae3..7e12ae3 100644
--- a/app/jitsi/deploy/jitsi.hcl
+++ b/cluster/prod/app/jitsi/deploy/jitsi.hcl
diff --git a/app/jitsi/integration/README.md b/cluster/prod/app/jitsi/integration/README.md
index 97a559e..97a559e 100644
--- a/app/jitsi/integration/README.md
+++ b/cluster/prod/app/jitsi/integration/README.md
diff --git a/app/jitsi/integration/docker-compose.yml b/cluster/prod/app/jitsi/integration/docker-compose.yml
index db7bc81..db7bc81 100644
--- a/app/jitsi/integration/docker-compose.yml
+++ b/cluster/prod/app/jitsi/integration/docker-compose.yml
diff --git a/app/jitsi/integration/jicofo/jicofo.conf b/cluster/prod/app/jitsi/integration/jicofo/jicofo.conf
index f0a817e..f0a817e 100644
--- a/app/jitsi/integration/jicofo/jicofo.conf
+++ b/cluster/prod/app/jitsi/integration/jicofo/jicofo.conf
diff --git a/app/jitsi/integration/jvb/logging.properties b/cluster/prod/app/jitsi/integration/jvb/logging.properties
index 3453971..3453971 100644
--- a/app/jitsi/integration/jvb/logging.properties
+++ b/cluster/prod/app/jitsi/integration/jvb/logging.properties
diff --git a/app/jitsi/integration/jvb/videobridge.conf b/cluster/prod/app/jitsi/integration/jvb/videobridge.conf
index a11edc6..a11edc6 100644
--- a/app/jitsi/integration/jvb/videobridge.conf
+++ b/cluster/prod/app/jitsi/integration/jvb/videobridge.conf
diff --git a/app/jitsi/integration/meet/config.js b/cluster/prod/app/jitsi/integration/meet/config.js
index 04414c3..04414c3 100644
--- a/app/jitsi/integration/meet/config.js
+++ b/cluster/prod/app/jitsi/integration/meet/config.js
diff --git a/app/jitsi/integration/meet/nginx.conf b/cluster/prod/app/jitsi/integration/meet/nginx.conf
index 16a63f9..16a63f9 100644
--- a/app/jitsi/integration/meet/nginx.conf
+++ b/cluster/prod/app/jitsi/integration/meet/nginx.conf
diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua b/cluster/prod/app/jitsi/integration/prosody/prosody.cfg.lua
index b5bc0b9..b5bc0b9 100644
--- a/app/jitsi/integration/prosody/prosody.cfg.lua
+++ b/cluster/prod/app/jitsi/integration/prosody/prosody.cfg.lua
diff --git a/app/jitsi/integration/prosody/prosody.cfg.lua.back b/cluster/prod/app/jitsi/integration/prosody/prosody.cfg.lua.back
index d03d7c9..d03d7c9 100644
--- a/app/jitsi/integration/prosody/prosody.cfg.lua.back
+++ b/cluster/prod/app/jitsi/integration/prosody/prosody.cfg.lua.back
diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.crt b/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt
index f4ab925..f4ab925 100644
--- a/app/jitsi/secrets/jitsi/auth.jitsi.crt
+++ b/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.crt
diff --git a/app/jitsi/secrets/jitsi/auth.jitsi.key b/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key
index 82e7b6b..82e7b6b 100644
--- a/app/jitsi/secrets/jitsi/auth.jitsi.key
+++ b/cluster/prod/app/jitsi/secrets/jitsi/auth.jitsi.key
diff --git a/app/jitsi/secrets/jitsi/jicofo_pass b/cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass
index 6a0f5fc..6a0f5fc 100644
--- a/app/jitsi/secrets/jitsi/jicofo_pass
+++ b/cluster/prod/app/jitsi/secrets/jitsi/jicofo_pass
diff --git a/app/jitsi/secrets/jitsi/jitsi.crt b/cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt
index 2eed97c..2eed97c 100644
--- a/app/jitsi/secrets/jitsi/jitsi.crt
+++ b/cluster/prod/app/jitsi/secrets/jitsi/jitsi.crt
diff --git a/app/jitsi/secrets/jitsi/jitsi.key b/cluster/prod/app/jitsi/secrets/jitsi/jitsi.key
index af53ca0..af53ca0 100644
--- a/app/jitsi/secrets/jitsi/jitsi.key
+++ b/cluster/prod/app/jitsi/secrets/jitsi/jitsi.key
diff --git a/app/jitsi/secrets/jitsi/jvb_pass b/cluster/prod/app/jitsi/secrets/jitsi/jvb_pass
index 6a0f5fc..6a0f5fc 100644
--- a/app/jitsi/secrets/jitsi/jvb_pass
+++ b/cluster/prod/app/jitsi/secrets/jitsi/jvb_pass
diff --git a/cluster/prod/garage/config/garage.toml b/cluster/prod/garage/config/garage.toml
new file mode 100644
index 0000000..a721886
--- /dev/null
+++ b/cluster/prod/garage/config/garage.toml
@@ -0,0 +1,24 @@
+block_size = 1048576
+
+metadata_dir = "/meta"
+data_dir = "/data"
+
+replication_mode = "3"
+
+rpc_bind_addr = "[::]:3901"
+rpc_secret = "{{ key "secrets/garage/rpc_secret" | trimSpace }}"
+
+sled_cache_capacity = 536870912
+sled_sync_interval_ms = 10000
+
+[s3_api]
+s3_region = "garage"
+api_bind_addr = "[::]:3900"
+root_domain = ".garage.deuxfleurs.fr"
+
+[s3_web]
+bind_addr = "[::]:3902"
+root_domain = ".web.deuxfleurs.fr"
+
+[admin]
+api_bind_addr = "[::1]:3903"
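Review bot: The `[admin]` block at the end of the hunk binds the admin API to `[::1]:3903` with no `admin_token`, and the job that renders this file runs the container with `network_mode = "host"`, so every process on the node's loopback can reach that endpoint, not just the garage task. If the 0.7.1 admin API honours `admin_token`, rendering one from Consul KV the same way `rpc_secret` is (`admin_token = "{{ key "<kv-path-to-choose>" | trimSpace }}"`, path is a placeholder) would put it behind authentication; if the loopback-only bind is the intended protection, a comment above the block should say so. A one-line comment above `rpc_secret`, e.g. `# rendered by the Nomad template stanza from Consul KV; the rendered file lives under the task's secrets/ dir`, would also help readers who open this file outside the job.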
diff --git a/cluster/prod/garage/deploy/garage.hcl b/cluster/prod/garage/deploy/garage.hcl
new file mode 100644
index 0000000..665515a
--- /dev/null
+++ b/cluster/prod/garage/deploy/garage.hcl
@@ -0,0 +1,131 @@
+job "garage" {
+ datacenters = ["dc1", "saturne", "neptune"]
+ type = "system"
+ priority = 80
+
+ constraint {
+ attribute = "${attr.cpu.arch}"
+ value = "amd64"
+ }
+
+ group "garage" {
+ network {
+ port "s3" { static = 3900 }
+ port "rpc" { static = 3901 }
+ port "web" { static = 3902 }
+ }
+
+ update {
+ max_parallel = 1
+ min_healthy_time = "30s"
+ healthy_deadline = "5m"
+ }
+
+ task "server" {
+ driver = "docker"
+ config {
+ advertise_ipv6_address = true
+ image = "dxflrs/amd64_garage:v0.7.1"
+ command = "/garage"
+ args = [ "server" ]
+ network_mode = "host"
+ volumes = [
+ "/mnt/storage/garage/data:/data",
+ "/mnt/ssd/garage/meta:/meta",
+ "secrets/garage.toml:/etc/garage.toml",
+ ]
+ logging {
+ type = "journald"
+ }
+ }
+
+ template {
+ data = file("../config/garage.toml")
+ destination = "secrets/garage.toml"
+ }
+
+ resources {
+ memory = 1500
+ cpu = 1000
+ }
+
+ kill_signal = "SIGINT"
+ kill_timeout = "20s"
+
+ service {
+ tags = [
+ "garage_api",
+ "tricot garage.deuxfleurs.fr",
+ "tricot *.garage.deuxfleurs.fr",
+ ]
+ port = 3900
+ address_mode = "driver"
+ name = "garage-api"
+ check {
+ type = "tcp"
+ port = 3900
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ tags = ["garage-rpc"]
+ port = 3901
+ address_mode = "driver"
+ name = "garage-rpc"
+ check {
+ type = "tcp"
+ port = 3901
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ service {
+ tags = [
+ "garage-web",
+ "tricot * 1",
+ "tricot-add-header Content-Security-Policy default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://code.jquery.com/; frame-ancestors 'self'",
+ "tricot-add-header Strict-Transport-Security max-age=63072000; includeSubDomains; preload",
+ "tricot-add-header X-Frame-Options SAMEORIGIN",
+ "tricot-add-header X-XSS-Protection 1; mode=block",
+ ]
+ port = 3902
+ address_mode = "driver"
+ name = "garage-web"
+ check {
+ type = "tcp"
+ port = 3902
+ address_mode = "driver"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "90s"
+ ignore_warnings = false
+ }
+ }
+ }
+
+ restart {
+ interval = "30m"
+ attempts = 10
+ delay = "15s"
+ mode = "delay"
+ }
+ }
+ }
+}
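Review bot: The `garage-web` service tags in the third `service` block set a catch-all route (`tricot * 1`) and a CSP that allows `'unsafe-inline'` scripts plus `https://code.jquery.com/`, with nothing recording why either is acceptable; a comment above the `tags` list, e.g. `# lowest-priority catch-all for static sites served from buckets; CSP deliberately permits inline scripts — confirm before tightening`, would keep the next maintainer from either tightening it blind or assuming the looseness is an oversight. `X-XSS-Protection 1; mode=block` is deprecated and is ignored (or in older engines counterproductive) in current browsers, so either drop that tag or note why it is kept. Since this is a hand-written deploy file rather than a rename, a short header comment stating that the job is `system` type, pinned to `amd64`, and uses host networking for the RPC and S3 ports would also document the decisions the constraints encode.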
diff --git a/app/garage-staging/secrets/garage-staging/rpc_secret b/cluster/prod/garage/secrets/garage/rpc_secret
index d831d53..d831d53 100644
--- a/app/garage-staging/secrets/garage-staging/rpc_secret
+++ b/cluster/prod/garage/secrets/garage/rpc_secret
diff --git a/app/directory/config/bottin/config.json.tpl b/cluster/staging/app/directory/config/bottin/config.json.tpl
index 844f7b7..844f7b7 100644
--- a/app/directory/config/bottin/config.json.tpl
+++ b/cluster/staging/app/directory/config/bottin/config.json.tpl
diff --git a/app/directory/config/guichet/config.json.tpl b/cluster/staging/app/directory/config/guichet/config.json.tpl
index 1a843a8..1a843a8 100644
--- a/app/directory/config/guichet/config.json.tpl
+++ b/cluster/staging/app/directory/config/guichet/config.json.tpl
diff --git a/app/directory/deploy/directory.hcl b/cluster/staging/app/directory/deploy/directory.hcl
index 405c321..405c321 100644
--- a/app/directory/deploy/directory.hcl
+++ b/cluster/staging/app/directory/deploy/directory.hcl
diff --git a/app/directory/secrets/directory/guichet/mail_domain b/cluster/staging/app/directory/secrets/directory/guichet/mail_domain
index 5db1ba3..5db1ba3 100644
--- a/app/directory/secrets/directory/guichet/mail_domain
+++ b/cluster/staging/app/directory/secrets/directory/guichet/mail_domain
diff --git a/app/directory/secrets/directory/guichet/mail_from b/cluster/staging/app/directory/secrets/directory/guichet/mail_from
index 9075cbf..9075cbf 100644
--- a/app/directory/secrets/directory/guichet/mail_from
+++ b/cluster/staging/app/directory/secrets/directory/guichet/mail_from
diff --git a/app/directory/secrets/directory/guichet/s3_access_key b/cluster/staging/app/directory/secrets/directory/guichet/s3_access_key
index e5b37ff..e5b37ff 100644
--- a/app/directory/secrets/directory/guichet/s3_access_key
+++ b/cluster/staging/app/directory/secrets/directory/guichet/s3_access_key
diff --git a/app/directory/secrets/directory/guichet/s3_bucket b/cluster/staging/app/directory/secrets/directory/guichet/s3_bucket
index cb059cf..cb059cf 100644
--- a/app/directory/secrets/directory/guichet/s3_bucket
+++ b/cluster/staging/app/directory/secrets/directory/guichet/s3_bucket
diff --git a/app/directory/secrets/directory/guichet/s3_endpoint b/cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint
index b414269..b414269 100644
--- a/app/directory/secrets/directory/guichet/s3_endpoint
+++ b/cluster/staging/app/directory/secrets/directory/guichet/s3_endpoint
diff --git a/app/directory/secrets/directory/guichet/s3_region b/cluster/staging/app/directory/secrets/directory/guichet/s3_region
index ef16924..ef16924 100644
--- a/app/directory/secrets/directory/guichet/s3_region
+++ b/cluster/staging/app/directory/secrets/directory/guichet/s3_region
diff --git a/app/directory/secrets/directory/guichet/s3_secret_key b/cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key
index f3e7f0f..f3e7f0f 100644
--- a/app/directory/secrets/directory/guichet/s3_secret_key
+++ b/cluster/staging/app/directory/secrets/directory/guichet/s3_secret_key
diff --git a/app/directory/secrets/directory/guichet/smtp_pass b/cluster/staging/app/directory/secrets/directory/guichet/smtp_pass
index fc9d1e3..fc9d1e3 100644
--- a/app/directory/secrets/directory/guichet/smtp_pass
+++ b/cluster/staging/app/directory/secrets/directory/guichet/smtp_pass
diff --git a/app/directory/secrets/directory/guichet/smtp_server b/cluster/staging/app/directory/secrets/directory/guichet/smtp_server
index c453935..c453935 100644
--- a/app/directory/secrets/directory/guichet/smtp_server
+++ b/cluster/staging/app/directory/secrets/directory/guichet/smtp_server
diff --git a/app/directory/secrets/directory/guichet/smtp_user b/cluster/staging/app/directory/secrets/directory/guichet/smtp_user
index c9c8bd0..c9c8bd0 100644
--- a/app/directory/secrets/directory/guichet/smtp_user
+++ b/cluster/staging/app/directory/secrets/directory/guichet/smtp_user
diff --git a/app/directory/secrets/directory/guichet/web_hostname b/cluster/staging/app/directory/secrets/directory/guichet/web_hostname
index afe2512..afe2512 100644
--- a/app/directory/secrets/directory/guichet/web_hostname
+++ b/cluster/staging/app/directory/secrets/directory/guichet/web_hostname
diff --git a/app/directory/secrets/directory/ldap_base_dn b/cluster/staging/app/directory/secrets/directory/ldap_base_dn
index ea5c7ae..ea5c7ae 100644
--- a/app/directory/secrets/directory/ldap_base_dn
+++ b/cluster/staging/app/directory/secrets/directory/ldap_base_dn
diff --git a/app/docker-compose.yml b/cluster/staging/app/docker-compose.yml
index 812c148..812c148 100644
--- a/app/docker-compose.yml
+++ b/cluster/staging/app/docker-compose.yml
diff --git a/app/drone-ci/build/.gitignore b/cluster/staging/app/drone-ci/build/.gitignore
index ef92077..ef92077 100644
--- a/app/drone-ci/build/.gitignore
+++ b/cluster/staging/app/drone-ci/build/.gitignore
diff --git a/app/drone-ci/build/Makefile b/cluster/staging/app/drone-ci/build/Makefile
index 2814a0d..2814a0d 100644
--- a/app/drone-ci/build/Makefile
+++ b/cluster/staging/app/drone-ci/build/Makefile
diff --git a/app/drone-ci/build/build-qcow2.nix b/cluster/staging/app/drone-ci/build/build-qcow2.nix
index 3ad45f4..3ad45f4 100644
--- a/app/drone-ci/build/build-qcow2.nix
+++ b/cluster/staging/app/drone-ci/build/build-qcow2.nix
diff --git a/app/drone-ci/build/machine-config.nix b/cluster/staging/app/drone-ci/build/machine-config.nix
index 73d3f09..73d3f09 100644
--- a/app/drone-ci/build/machine-config.nix
+++ b/cluster/staging/app/drone-ci/build/machine-config.nix
diff --git a/app/drone-ci/deploy/bad-runner-vm.hcl b/cluster/staging/app/drone-ci/deploy/bad-runner-vm.hcl
index 7c3a7e2..7c3a7e2 100644
--- a/app/drone-ci/deploy/bad-runner-vm.hcl
+++ b/cluster/staging/app/drone-ci/deploy/bad-runner-vm.hcl
diff --git a/app/drone-ci/deploy/runner-docker.hcl b/cluster/staging/app/drone-ci/deploy/runner-docker.hcl
index d7c6ef4..d7c6ef4 100644
--- a/app/drone-ci/deploy/runner-docker.hcl
+++ b/cluster/staging/app/drone-ci/deploy/runner-docker.hcl
diff --git a/app/frontend/deploy/frontend-tricot.hcl b/cluster/staging/app/frontend/deploy/frontend-tricot.hcl
index 745e77c..745e77c 100644
--- a/app/frontend/deploy/frontend-tricot.hcl
+++ b/cluster/staging/app/frontend/deploy/frontend-tricot.hcl
diff --git a/app/garage-staging/config/garage.toml b/cluster/staging/app/garage/config/garage.toml
index 60ab797..60ab797 100644
--- a/app/garage-staging/config/garage.toml
+++ b/cluster/staging/app/garage/config/garage.toml
diff --git a/app/garage-staging/deploy/garage.hcl b/cluster/staging/app/garage/deploy/garage.hcl
index a1907d4..a1907d4 100644
--- a/app/garage-staging/deploy/garage.hcl
+++ b/cluster/staging/app/garage/deploy/garage.hcl
diff --git a/cluster/staging/app/garage/secrets/garage-staging/rpc_secret b/cluster/staging/app/garage/secrets/garage-staging/rpc_secret
new file mode 100644
index 0000000..d831d53
--- /dev/null
+++ b/cluster/staging/app/garage/secrets/garage-staging/rpc_secret
@@ -0,0 +1 @@
+CMD_ONCE openssl rand -hex 32
diff --git a/app/im/build/matrix-synapse/Dockerfile b/cluster/staging/app/im/build/matrix-synapse/Dockerfile
index 0496b19..0496b19 100644
--- a/app/im/build/matrix-synapse/Dockerfile
+++ b/cluster/staging/app/im/build/matrix-synapse/Dockerfile
diff --git a/app/im/build/matrix-synapse/entrypoint.sh b/cluster/staging/app/im/build/matrix-synapse/entrypoint.sh
index b93a702..b93a702 100755
--- a/app/im/build/matrix-synapse/entrypoint.sh
+++ b/cluster/staging/app/im/build/matrix-synapse/entrypoint.sh
diff --git a/app/im/build/matrix-synapse/matrix-s3-async b/cluster/staging/app/im/build/matrix-synapse/matrix-s3-async
index e435144..e435144 100755
--- a/app/im/build/matrix-synapse/matrix-s3-async
+++ b/cluster/staging/app/im/build/matrix-synapse/matrix-s3-async
diff --git a/app/im/build/matrix-synapse/matrix-s3-async-sqlite b/cluster/staging/app/im/build/matrix-synapse/matrix-s3-async-sqlite
index 4bba072..4bba072 100755
--- a/app/im/build/matrix-synapse/matrix-s3-async-sqlite
+++ b/cluster/staging/app/im/build/matrix-synapse/matrix-s3-async-sqlite
diff --git a/app/im/config/homeserver.yaml b/cluster/staging/app/im/config/homeserver.yaml
index 38db527..38db527 100644
--- a/app/im/config/homeserver.yaml
+++ b/cluster/staging/app/im/config/homeserver.yaml
diff --git a/app/im/config/litestream.yml b/cluster/staging/app/im/config/litestream.yml
index e444e38..e444e38 100644
--- a/app/im/config/litestream.yml
+++ b/cluster/staging/app/im/config/litestream.yml
diff --git a/app/im/config/synapse.log.config.yaml b/cluster/staging/app/im/config/synapse.log.config.yaml
index 0b5622e..0b5622e 100644
--- a/app/im/config/synapse.log.config.yaml
+++ b/cluster/staging/app/im/config/synapse.log.config.yaml
diff --git a/app/im/deploy/im.hcl b/cluster/staging/app/im/deploy/im.hcl
index c60b095..c60b095 100644
--- a/app/im/deploy/im.hcl
+++ b/cluster/staging/app/im/deploy/im.hcl
diff --git a/app/im/secrets/synapse/form_secret b/cluster/staging/app/im/secrets/synapse/form_secret
index 37cf6ed..37cf6ed 100644
--- a/app/im/secrets/synapse/form_secret
+++ b/cluster/staging/app/im/secrets/synapse/form_secret
diff --git a/app/im/secrets/synapse/macaroon_secret_key b/cluster/staging/app/im/secrets/synapse/macaroon_secret_key
index 5f7f959..5f7f959 100644
--- a/app/im/secrets/synapse/macaroon_secret_key
+++ b/cluster/staging/app/im/secrets/synapse/macaroon_secret_key
diff --git a/app/im/secrets/synapse/registration_shared_secret b/cluster/staging/app/im/secrets/synapse/registration_shared_secret
index 60edd0e..60edd0e 100644
--- a/app/im/secrets/synapse/registration_shared_secret
+++ b/cluster/staging/app/im/secrets/synapse/registration_shared_secret
diff --git a/app/im/secrets/synapse/s3_access_key b/cluster/staging/app/im/secrets/synapse/s3_access_key
index 692dc34..692dc34 100644
--- a/app/im/secrets/synapse/s3_access_key
+++ b/cluster/staging/app/im/secrets/synapse/s3_access_key
diff --git a/app/im/secrets/synapse/s3_secret_key b/cluster/staging/app/im/secrets/synapse/s3_secret_key
index 8bef13c..8bef13c 100644
--- a/app/im/secrets/synapse/s3_secret_key
+++ b/cluster/staging/app/im/secrets/synapse/s3_secret_key
diff --git a/app/im/secrets/synapse/signing_key b/cluster/staging/app/im/secrets/synapse/signing_key
index 6821360..6821360 100644
--- a/app/im/secrets/synapse/signing_key
+++ b/cluster/staging/app/im/secrets/synapse/signing_key
diff --git a/app/telemetry/config/apm-config.yaml b/cluster/staging/app/telemetry/config/apm-config.yaml
index 07a88bd..07a88bd 100644
--- a/app/telemetry/config/apm-config.yaml
+++ b/cluster/staging/app/telemetry/config/apm-config.yaml
diff --git a/app/telemetry/config/filebeat.yml b/cluster/staging/app/telemetry/config/filebeat.yml
index 310afd1..310afd1 100644
--- a/app/telemetry/config/filebeat.yml
+++ b/cluster/staging/app/telemetry/config/filebeat.yml
diff --git a/app/telemetry/config/grafana-litestream.yml b/cluster/staging/app/telemetry/config/grafana-litestream.yml
index a537d9c..a537d9c 100644
--- a/app/telemetry/config/grafana-litestream.yml
+++ b/cluster/staging/app/telemetry/config/grafana-litestream.yml
diff --git a/app/telemetry/config/grafana/provisioning/datasources/elastic.yaml b/cluster/staging/app/telemetry/config/grafana/provisioning/datasources/elastic.yaml
index 7d2277c..7d2277c 100644
--- a/app/telemetry/config/grafana/provisioning/datasources/elastic.yaml
+++ b/cluster/staging/app/telemetry/config/grafana/provisioning/datasources/elastic.yaml
diff --git a/app/telemetry/config/otel-config.yaml b/cluster/staging/app/telemetry/config/otel-config.yaml
index bcf1baa..bcf1baa 100644
--- a/app/telemetry/config/otel-config.yaml
+++ b/cluster/staging/app/telemetry/config/otel-config.yaml
diff --git a/app/telemetry/deploy/telemetry-system.hcl b/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
index 3e26c2e..3e26c2e 100644
--- a/app/telemetry/deploy/telemetry-system.hcl
+++ b/cluster/staging/app/telemetry/deploy/telemetry-system.hcl
diff --git a/app/telemetry/deploy/telemetry.hcl b/cluster/staging/app/telemetry/deploy/telemetry.hcl
index 21685a1..21685a1 100644
--- a/app/telemetry/deploy/telemetry.hcl
+++ b/cluster/staging/app/telemetry/deploy/telemetry.hcl