diff --git a/.gitignore b/.gitignore
index b2be92b..87a3018 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 result
+*.qcow2
diff --git a/flake.nix b/flake.nix
index e645f3d..f0b2d45 100644
--- a/flake.nix
+++ b/flake.nix
@@ -59,6 +59,11 @@
 specialArgs = inputs;
 modules = [ ./hosts/vm/livre ] ++ baseModules;
 };
+
+ mediakiwi = nixosSystem {
+ specialArgs = inputs;
+ modules = [ ./hosts/vm/mediakiwi ] ++ baseModules;
+ };
 neo = nixosSystem {
 specialArgs = inputs;
diff --git a/hosts/vm/mediakiwi/default.nix b/hosts/vm/mediakiwi/default.nix
new file mode 100644
index 0000000..bba9007
--- /dev/null
+++ b/hosts/vm/mediakiwi/default.nix
@@ -0,0 +1,28 @@
+{ ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./mediawiki.nix
+
+ ../../../modules
+ ../../../modules/crans/nullmailer.nix
+ ];
+
+ networking.hostName = "mediakiwi";
+ boot.loader.grub.devices = [ "/dev/sda" ];
+
+ crans = {
+ enable = true;
+
+ networking = {
+ id = 144;
+ srvNat.enable = true;
+ };
+
+ # Enable when deploying the real mediakiwi
+ resticClient.enable = false;
+ };
+
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/vm/mediakiwi/hardware-configuration.nix b/hosts/vm/mediakiwi/hardware-configuration.nix
new file mode 100644
index 0000000..de32983
--- /dev/null
+++ b/hosts/vm/mediakiwi/hardware-configuration.nix
@@ -0,0 +1,31 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/74148438-bd6e-4c19-a41c-d20c907f1fc1"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/vm/mediakiwi/mediawiki.nix b/hosts/vm/mediakiwi/mediawiki.nix new file mode 100644 index 0000000..2f706bc --- /dev/null +++ b/hosts/vm/mediakiwi/mediawiki.nix 
@@ -0,0 +1,257 @@
+{ lib, pkgs, config, ... }:
+
+let
+ version = pkgs.mediawiki.version;
+ major = lib.versions.major version;
+ minor = lib.versions.minor version;
+in
+{
+ age.secrets.mediawiki-admin-passwd = {
+ file = ../../../secrets/mediakiwi/mediawiki-admin-passwd.age;
+ owner = "mediawiki";
+ };
+
+ age.secrets.mediawiki-ldap = {
+ file = ../../../secrets/mediakiwi/mediawiki-ldap.age;
+ owner = "mediawiki";
+ };
+
+ age.secrets.mediawiki-openid = {
+ file = ../../../secrets/mediakiwi/mediawiki-openid.age;
+ owner = "mediawiki";
+ };
+
+ environment.systemPackages = with pkgs; [
+ imagemagick
+
+ # For the PdfHandler extension
+ ghostscript
+ poppler-utils
+ ];
+
+ services.phpfpm.pools.mediawiki.phpOptions = ''
+ upload_max_filesize = 512M
+ post_max_size = 512M
+ max_execution_time = 1000
+ max_input_time = 2000
+ default_socket_timeout = 2000
+ extension = ${pkgs.phpExtensions.mbstring}/lib/php/extensions/mbstring.so
+ extension = ${pkgs.phpExtensions.luasandbox}/lib/php/extensions/luasandbox.so
+ '';
+
+ services.nginx.clientMaxBodySize = "512M";
+
+ services.syslogd.enable = true;
+
+ services.mediawiki = {
+ enable = true;
+
+ name = "Wiki Crans";
+
+ nginx.hostName = "mediawiki.crans.org";
+
+ webserver = "nginx";
+
+ passwordFile = config.age.secrets.mediawiki-admin-passwd.path;
+
+ extraConfig = ''
+ # TODO remove log error in test
+ error_reporting( -1 );
+ ini_set('display_errors', 1);
+ ini_set('display_startup_errors', 1);
+
+ # Server settings
+ $wgFavicon = 'https://www.crans.org/images/favicon.ico';
+ $wgLogo = 'https://www.crans.org/images/crans.svg';
+
+ # Files and Uploads
+ $wgMaxUploadSize = 512 * 1024 * 1024;
+ $wgUseImageMagick = true;
+ $wgImageMagickConvertCommand = '${ pkgs.imagemagick }/bin/convert';
+ $wgStrictFileExtensions = false;
+ $wgFileExtensions[] = 'pdf';
+
+ # Limite mémoire, quand on fait de gros importi (9M de xml), le parser
+ # prends plus que 50M
+ $wgMemoryLimit = 512 * 1024 * 1024;
+
+ # E-mail settings
+ $wgEnableEmail = true;
+ # $wgSMTP = [
+ # 'host' => 'smtp.adm.crans.org',
+ # 'IDHost' => 'crans.org',
+ # 'localhost' => 'crans.org',
+ # 'port' => ,
+ # 'auth' => false,
+ # # 'username' => ,
+ # # 'password' => ,
+ # ];
+ $wgPasswordSender = 'root@crans.org';
+ $wgEmergencyContact = 'contact@crans.org';
+ $wgNoReplyAddress = 'root@crans.org';
+ $wgEnableUserEmail = false;
+ # $wgEnableSpecialMute = true;
+ $wgAllowHTMLEmail = true;
+
+ $wgEnotifUseRealName = false;
+ $wgEnotifFromEditor = false;
+ $wgEnotifRevealEditorAddress = false;
+ $wgEnotifUserTalk = true;
+ $wgEnotifMinorEdits = true;
+ $wgEnotifWatchlist = true;
+ # Peut-être utilisé pour les Wikistes
+ $wgUsersNotifiedOnAllChanges = [];
+
+ # Auth
+ $wgPluggableAuth_EnableLocalLogin = true;
+ $LDAPAuthentication2AllowLocalLogin = true;
+ $LDAPProviderDomainConfigs = "${config.age.secrets.mediawiki-ldap.path}";
+ $wgPluggableAuth_Config = [
+ "Compte Crans" => [
+ 'plugin' => 'LDAPAuthentication2',
+ 'data' => [
+ 'domain' => 'crans'
+ ]
+ ],
+ "Note BDE" => [
+ 'plugin' => 'OpenIDConnect',
+ 'data' => require('${config.age.secrets.mediawiki-openid.path}'),
+ ]
+ ];
+
+ # Theme
+ $wgDefaultSkin = 'citizen';
+ $wgCitizenThemeColor = '#AD1F1F';
+ $wgCitizenEnableARFonts = true;
+ $wgCitizenEnableCJKFonts = true;
+
+ $wgLanguageCode = 'fr';
+
+ # Disable anonymous editing
+ $wgGroupPermissions['*']['edit'] = false;
+ $wgGroupPermissions['*']['read'] = false;
+
+ # Extensions
+ $wgWikiEditorRealtimePreview = true;
+ $wgCiteBookReferencing = true;
+ $wgPdfProcessor = '${ pkgs.ghostscript }/bin/gs';
+ $wgPdfPostProcessor = $wgImageMagickConvertCommand;
+ $wgPdfInfo = '${ pkgs.poppler-utils }/bin/pdfinfo';
+ $wgPdftoText = '${ pkgs.poppler-utils }/bin/pdftotext';
+ $wgScribuntoDefaultEngine = 'luasandbox';
+
+ # Custom Namespaces
+ define("NS_ARCHIVE", 3000);
+ define("NS_ARCHIVE_TALK", 3001);
+ $wgExtraNamespaces[NS_ARCHIVE] = "Archive";
+ $wgExtraNamespaces[NS_ARCHIVE_TALK] = "Discussion_archive";
+
+ # Debug
+ $wgShowExceptionDetails = true;
+ $wgDebugToolbar = true;
+ # $wgShowDebug = true;
+ # $wgDevelopmentWarnings = true;
+ '';
+
+ skins = {
+ Citizen = pkgs.fetchFromGitHub {
+ name = "Citizen";
+ owner = "StarCitizenTools";
+ repo = "mediawiki-skins-Citizen";
+ tag = "v3.2.0";
+ sha256 = "sha256-XtjYMBK2pINwbAzAKFJ+nWxcFXQd2E/Gqf3x+3Pa8VE=";
+ };
+ };
+
+ extensions = {
+ # Enables embedded extensions
+ AbuseFilter = null; # pour faire de la modération
+ CategoryTree = null; # pour faire des arbres de catégories
+ Cite = null; # pour faire des références/footnotes
+ CiteThisPage = null; # pour avoir la citation (à la bibtex) d'une page
+ CodeEditor = null; # pour éditer des macros/scripts wiki
+ DiscussionTools = null; # pour des pages de discussion intéractives
+ Echo = null; # pour le système de notification du wiki
+ Gadgets = null; # pour avoir un système d'outils activable par les users
+ ImageMap = null; # pour mettre des widgets sur des images
+ Linter = null; # requis pour DiscussionTools
+ Math = null; # pour avoir des maths LaTeX
+ MultimediaViewer = null; # pour avoir un affichage sympa des images
+ Nuke = null; # pour purger des pages
+ PageImages = null; # pour set la bonne image représentant un article
+ ParserFunctions = null; # pour la logique et les fonctions de base du templating
+ PdfHandler = null; # pour afficher les pdfs
+ Poem = null; # pour afficher des blocks de texte respectant l'espacement (poèmes, écrits)
+ ReplaceText = null; # pour du méga-renommage à travers le wiki
+ Scribunto = null; # pour faire du scripting et des templates pour le wiki
+ SyntaxHighlight_GeSHi = null; # pour avoir de la coloration syntaxique
+ TemplateData = null; # pour faire de la doc sur les templates
+ # TemplateStyles = null; # pour styliser les templates (bundlé pour la prochaine version de mediawiki)
+ TextExtracts = null; # pour set le bon text représentant un article
+ Thanks = null; # pour remercier des gens en notif
+ TitleBlacklist = null; # pour faire de la modération
+ VisualEditor = null; # pour éditer visuellement les pages
+ WikiEditor = null; # pour éditer le code wiki des pages
+
+ # Bundled with next version, put as null in the next update
+ TemplateStyles = pkgs.fetchFromGitHub {
+ name = "TemplateStyles";
+ owner = "wikimedia";
+ repo = "mediawiki-extensions-TemplateStyles";
+ rev = "REL" + major + "_" + minor;
+ # Le SHA doit être changé à chaque nouveau commit de traduction.
+ # Pas de meilleure solution à ma connaissance pour suivre les releases.
+ sha256 = "sha256-fCBccHTIBJrUyxe6oP7VR84HO65ICETE73X4rswQo4c=";
+ };
+
+ # Popups
+ Popups = pkgs.fetchFromGitHub {
+ name = "Popups";
+ owner = "wikimedia";
+ repo = "mediawiki-extensions-Popups";
+ rev = "REL" + major + "_" + minor;
+ # Le SHA doit être changé à chaque nouveau commit de traduction.
+ # Pas de meilleure solution à ma connaissance pour suivre les releases.
+ sha256 = "sha256-Vn/XGVYvM5doPtTEONESdVhgZlH/Fku74MeQbGrwU/E=";
+ };
+
+ # Auth
+ PluggableAuth = pkgs.fetchFromGitHub {
+ name = "PluggableAuth";
+ owner = "wikimedia";
+ repo = "mediawiki-extensions-PluggableAuth";
+ rev = "REL" + major + "_" + minor;
+ # Le SHA doit être changé à chaque nouveau commit de traduction.
+ # Pas de meilleure solution à ma connaissance pour suivre les releases.
+ sha256 = "sha256-3+nzeWemVAHGmLz3ZMvDSvP2UCmsnEiGJcE/oEakr2s=";
+ };
+ LDAPProvider = pkgs.fetchFromGitHub {
+ name = "LDAPProvider";
+ owner = "wikimedia";
+ repo = "mediawiki-extensions-LDAPProvider";
+ rev = "REL" + major + "_" + minor;
+ # Le SHA doit être changé à chaque nouveau commit de traduction.
+ # Pas de meilleure solution à ma connaissance pour suivre les releases.
+ sha256 = "sha256-bpj+MS4XKLoDdtEK+Mv7Ifa6qz215jKhSL1DOOw4ZPs=";
+ };
+ LDAPAuthentication2 = pkgs.fetchFromGitHub {
+ name = "LDAPAuthentication2";
+ owner = "wikimedia";
+ repo = "mediawiki-extensions-LDAPAuthentication2";
+ rev = "REL" + major + "_" + minor;
+ # Le SHA doit être changé à chaque nouveau commit de traduction.
+ # Pas de meilleure solution à ma connaissance pour suivre les releases.
+ sha256 = "sha256-oi5rliHb4KnLbvQxO7MGuLp/FEucoGR/Z0NP1gmbgMc=";
+ };
+ OpenIDConnect = pkgs.fetchFromGitHub {
+ name = "OpenIDConnect";
+ owner = "wikimedia";
+ repo = "mediawiki-extensions-OpenIDConnect";
+ rev = "REL" + major + "_" + minor;
+ # Le SHA doit être changé à chaque nouveau commit de traduction.
+ # Pas de meilleure solution à ma connaissance pour suivre les releases.
+ sha256 = "sha256-KoBULn53xnY+ydodeTGN7YEoqgLr9qhhuR5mNibbh5s=";
+ };
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index b052873..e7a004e 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -40,6 +40,7 @@ let
 collabora = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFa2D9fREtO2r2oIx6q9JAKFUHtxGbgEPMjkx09DQSU8 root@collabora";
 jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6jVMIZ5y2oXX9HOkw7r5UUjw95MlFaFuu7FnEC0Q8z root@jitsi";
 livre = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVfKNokHG6ig32hhQxTep+fKFmKahlDClPrX/dP4/gb root@livre";
+ mediakiwi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAiCZU+gdUt2jOxR0niVFsNzw0LIleYvwNhMFIANR5YE root@mediakiwi";
 neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGfSvxqC2PJYRrxJaivVDujwlwCZ6AwH8hOSA9ktZ1V root@neo";
 nextcloud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMgSP9UmuJw8Bi2ML07WHsWvxN8akkc9XZxXyOgdjXkq root@nextcloud";
 periodique = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTdfSIL3AWIv0mjRDam6E/qsjoqwJ8QSm1Cb0xqs1s1 root@periodique";
diff --git a/secrets/mediakiwi/mediawiki-admin-passwd.age b/secrets/mediakiwi/mediawiki-admin-passwd.age
new file mode 100644
index 0000000..644c203
--- /dev/null
+++ b/secrets/mediakiwi/mediawiki-admin-passwd.age
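Review bot: The debug settings in `extraConfig` — `error_reporting( -1 );` with `ini_set('display_errors', 1);` near the top, and `$wgShowExceptionDetails = true;` with `$wgDebugToolbar = true;` under `# Debug` at the end — send PHP errors, exception traces with file paths and, for the toolbar, request internals such as the executed database queries to every visitor of the wiki served at `mediawiki.crans.org`, and only the first group carries the TODO. I would remove all four before this host goes live, or guard them with a single Nix option so they cannot survive into the real deployment by accident. Separately, `$wgStrictFileExtensions = false;` lets any account allowed to upload submit a file with any extension not on MediaWiki's prohibited list; since PDF is the only extra type wanted here, `$wgFileExtensions[] = 'pdf';` alone is enough and the strict check should stay at its default. The extensions fetched with `rev = "REL" + major + "_" + minor;` track a moving release branch behind a fixed `sha256`, so the build breaks on every upstream commit (as the comment already notes); pinning the commit hash that the `sha256` was computed from keeps the source reproducible and makes each update an explicit, reviewable change.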
@@ -0,0 +1,33 @@ +age-encryption.org/v1 +-> ssh-ed25519 vZ8Vgw cJhdOIkMufEIHU+LqOAs4/KTxOiiBL1Knl8ChkApajM +lSJiqVLy8KS0+pD0MSDgtD2IdMD7toVof4u8zFbc534 +-> piv-p256 ewCc3w A4oqsiewlX50Psnk7HT3nRGHd3+pdgb21kN8Zk1hPwKa +GAsqMgKtKRCSroHria5qAWSY8XqOUmHDMRCXdLOIJdQ +-> piv-p256 6CL/Pw A67ODihOF1IhvLWhUsIWAQVmhO/XTJ6GRznS4GkJwxOO +3zriXUAIS3RLhVDmeCzFka4LerN3/fgIJRyKmJatIFg +-> ssh-ed25519 eOAUSg px/iV0OQ9ZtNyNJsPIWdEbmemBKaXqfcD4Ew85HcVAo +7LMHrNse0MjlLNlAwbMexIcSRjK1vDkLSoEfJAtRmLU +-> ssh-rsa REaZBA +ewC5fAfzqr04uPsw9l3E8PZKoKIDACP1U5lEnL2++04zv7w9GL0eEHa693leB9z0 +OJNhq2FHU+NH2IofoLm/k46ma3XVWaCNExYiSaRQWo7Cm6fON2F+K32tJaxeFc9n +xCE7E5YM75e1U9LOqSPdfoeuWUg5iLDhg4uauMPagCgKA5Dd0ndClZyNWYK2C7NQ +V6MhczLs6cxrFEOQoaudlXnj7TDAiCdVLFmvlas56+QqVA2SXfM+xha3flfkZvR4 +rdcUY/y0ZBoLaZF+K0f2gcqDlL8VgvYFizIPTRAZYEKdMytSJbxv4LFb64E85Lwe +JFWPCp1lBTVhDFeulN7XBYYOCacw1Pyj+n3at2GIPEZwhnl6++NtBuiWj+g3Cnfr +BomwuFlcZmykI3p4qzPlwcHaAeY4UhzciNo+frDMKCUhUmczBoRMK45oa8nv5AC3 +z2h8OZGtKNpg55/FZJ9NONr/GA3xR74iB6chpANx8h6e8QDnUo9FZyl+qZcQ/Ghr + +-> ssh-ed25519 J/iReg IFdFOpdEUjMHdunUN7vfJ09lkDLA/SPOQY4b8UjT0S8 +qQEZnxKcLpbhc3u1zE3QCI8X/XTCRuWOwPsOL2SzdzI +-> ssh-ed25519 GNhSGw 6aFCUFK8BqLZrP5m1qGYxdRihpaoJyueHJa/00T/ZHM +Jfa1/KfD1JCYdIsdF6h+FjV3yozWfiscNWv2Krkdjz8 +-> ssh-ed25519 eXMAtA sFwZS3oq80e8CfDruygKRW1oP5aGfpHqeOrqEcoRL0o +lYaTFhvGXqVnd7WHFZXe8FZ9pWtk6dL9M6h3DC3Eov4 +-> ssh-ed25519 5hXocQ 4eznATzeJliAZkVeR69DD2Gr8YKWcarlSSOEPjk9Cxg +Rd6iAIj7jCs7/sDisd9ErKG63bA6jW07XqY4MdKBGjA +-> ssh-ed25519 bRHVVA YSXkgUVhRpXYbbeVpsdLZzncNIysYNrLvc5q3JTaLWI +g9xoh/G4NnKmjXPuLy5flQCjVYGbkAR5RHOqnhi95/U +-> ssh-ed25519 HgW9eA 4uEzjQxKg8KIXPGyMRdXdJb4BPC5ZTRok9tAXa6AwwQ +BXnFdGZlCjYakDN81w1fxF2P94b2ZAZAhlBsbM3I3PA +--- ragIvYUEISd+PwMW5KyGj0r7HOZQiHIDbY6vHewuZ1I +KJ׀ % Xplvt!q^aܠt|"&7 \ No newline at end of file 
diff --git a/secrets/mediakiwi/mediawiki-ldap.age b/secrets/mediakiwi/mediawiki-ldap.age new file mode 100644 index 0000000..b28cc2b Binary files /dev/null and b/secrets/mediakiwi/mediawiki-ldap.age differ diff --git a/secrets/mediakiwi/mediawiki-openid.age b/secrets/mediakiwi/mediawiki-openid.age new file mode 100644 index 0000000..ceae6cf Binary files /dev/null and b/secrets/mediakiwi/mediawiki-openid.age differ diff --git a/secrets/restic/mediakiwi/base-password.age b/secrets/restic/mediakiwi/base-password.age new file mode 100644 index 0000000..f7742d3 --- /dev/null +++ b/secrets/restic/mediakiwi/base-password.age @@ -0,0 +1,21 @@ +age-encryption.org/v1 +-> ssh-ed25519 vZ8Vgw +B57yVih+Nm3HaJfX53NcVTIUChaN4QRHpIhNRh0wig +2Icnq7jf1+suEjUYnQ1ABx3gdTefT6eZJ6KVEupA3Xg +-> piv-p256 ewCc3w A2uBciAE9cSCBJWLowDc4d5D4GQsroJ1EX3BJsr0w8+T +FUJZET8ck71xPBh2eWF8930JacE89+R2n2i32hFhAlg +-> piv-p256 6CL/Pw AgCcZy/RvYFO4WZz5/Os29sXgkDGdDLSPl4ZBdJjONPk +J7eaYHcgnrLEm4PMVh8qXHB8g/qpx7huoRgHNgO2aXw +-> ssh-ed25519 I2EdxQ +7WH3VaqC48ABO8Wpcb7hlY04lhKetfyYm3+62JESFo +iZXrtZ0+UFdvcn75ceJ6gxdXc410BZdgnPSaJsG3muA +-> ssh-ed25519 J/iReg rUhw71duo5PP4M3ySN7xHW1ebsXJ6iYFdj3eZUriGgA +pSAHL6A9lCJ5qFqK26PJLG84d6nIs4psL3ea5Pd8Tac +-> ssh-ed25519 GNhSGw zRjF+gRLm7IibS6joIBlOInFygsHVo7vf10IsYWx20o +93aGm4IS9bc/noU/2l3sMAKJbf5EkDU5gDDxDDdomak +-> ssh-ed25519 eXMAtA 2QLLIa6MylYi7h0KOyeZCxQQuyMPtcRTWu5Mg8oRpSI +VwWCwogmcmAQs86ABxxbuWdK7XWh071HPdQdPeeS7I8 +-> ssh-ed25519 5hXocQ AIMNW8H9VIA/wabPNGB54KGv2OT4iUtX4b6emWTpYk0 +vIj14LjtUcJ2GVDrStg40xHjpkEAkv53qnXdtaweuAk +--- iqSZN2bLs1BukHdpv8L48ir+5W4DeJ4ZviSn2hj9Eqc +w? +pjsN m)}Z,!|3#K֖^&o,0/K1J ;'-QۜG +@ 1޹?pز .][5D$+ #9ۛ$Pj_˓Tqx9sH8=;1WSj+"Hݐ\_1ygGP \ No newline at end of file diff --git a/secrets/restic/mediakiwi/base-repo.age b/secrets/restic/mediakiwi/base-repo.age new file mode 100644 index 0000000..65e03c8 Binary files /dev/null and b/secrets/restic/mediakiwi/base-repo.age differ