diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -875,6 +875,9 @@
   netbox-vagrant:
     domains:
       - inventory-vagrant.internal.softwareheritage.org
+  hedgedoc:
+    domains:
+      - bardo.softwareheritage.org
 
 bind::update_key: local-update
 
diff --git a/data/common/public_keys.yaml b/data/common/public_keys.yaml
--- a/data/common/public_keys.yaml
+++ b/data/common/public_keys.yaml
@@ -566,7 +566,7 @@
   qPDlGRlOgVTd9xUfHFkzB52c70E=
   =92oX
   -----END PGP PUBLIC KEY BLOCK-----
-  
+
 hwraid_levert::apt_config::keyid: 0073C11919A641464163F7116005210E23B3D3B4
 hwraid_levert::apt_config::key: |
   -----BEGIN PGP PUBLIC KEY BLOCK-----
@@ -663,3 +663,226 @@
   72I=
   =ssmE
   -----END PGP PUBLIC KEY BLOCK-----
+
+yarn::apt_config::keyid: 72ECF46A56B4AD39C907BBB71646B01B86E50310
+yarn::apt_config::key: |
+  -----BEGIN PGP PUBLIC KEY BLOCK-----
+  
+  mQINBFf0j5oBEADS6cItqCbf4lOLICohq2aHqM5I1jsz3DC4ddIU5ONbKXP1t0wk
+  FEUPRzd6m80cTo7Q02Bw7enh4J6HvM5XVBSSGKENP6XAsiOZnY9nkXlcQAPFRnCn
+  CjEfoOPZ0cBKjn2IpIXXcC+7xh4p1yruBpOsCbT6BuzA+Nm9j4cpRjdRdWSSmdID
+  TyMZClmYm/NIfCPduYvNZxZXhW3QYeieP7HIonhZSHVu/jauEUyHLVsieUIvAOJI
+  cXYpwLlrw0yy4flHe1ORJzuA7EZ4eOWCuKf1PgowEnVSS7Qp7lksCuljtfXgWelB
+  XGJlAMD90mMbsNpQPF8ywQ2wjECM8Q6BGUcQuGMDBtFihobb+ufJxpUOm4uDt0y4
+  zaw+MVSi+a56+zvY0VmMGVyJstldPAcUlFYBDsfC9+zpzyrAqRY+qFWOT2tj29R5
+  ZNYvUUjEmA/kXPNIwmEr4oj7PVjSTUSpwoKamFFE6Bbha1bzIHpdPIRYc6cEulp3
+  dTOWfp+Cniiblp9gwz3HeXOWu7npTTvJBnnyRSVtQgRnZrrtRt3oLZgmj2fpZFCE
+  g8VcnQOb0iFcIM7VlWL0QR4SOz36/GFyezZkGsMlJwIGjXkqGhcEHYVDpg0nMoq1
+  qUvizxv4nKLanZ5jKrV2J8V09PbL+BERIi6QSeXhXQIui/HfV5wHXC6DywARAQAB
+  tBxZYXJuIFBhY2thZ2luZyA8eWFybkBkYW4uY3g+iQI5BBMBCAAjBQJX9I+aAhsD
+  BwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQFkawG4blAxB52Q/9FcyGIEK2
+  QamDhookuoUGGYjIeN+huQPWmc6mLPEKS2Vahk5jnJKVtAFiaqINiUtt/1jZuhF2
+  bVGITvZK79kM6lg42xQcnhypzQPgkN7GQ/ApYqeKqCh1wV43KzT/CsJ9TrI0SC34
+  qYHTEXXUprAuwQitgAJNi5QMdMtauCmpK+Xtl/72aetvL8jMFElOobeGwKgfLo9+
+  We2EkKhSwyiy3W5TYI1UlV+evyyT+N0pmhRUSH6sJpzDnVYYPbCWa2b+0D/PHjXi
+  edKcely/NvqyVGoWZ+j41wkp5Q0wK2ybURS1ajfaKt0OcMhRf9XCfeXAQvU98mEk
+  FlfPaq0CXsjOy8eJXDeoc1dwxjDi2YbfHel0CafjrNp6qIFG9v3JxPUU19hG9lxD
+  Iv7VXftvMpjJCo/J4Qk+MOv7KsabgXg1iZHmllyyH3TY4AA4VA+mlceiiOHdXbKk
+  Q3BfS1jdXPV+2kBfqM4oWANArlrFTqtop8PPsDNqh/6SrVsthr7WTvC5q5h/Lmxy
+  Krm4Laf7JJMvdisfAsBbGZcR0Xv/Vw9cf2OIEzeOWbj5xul0kHT1vHhVNrBNanfe
+  t79RTDGESPbqz+bTS7olHWctl6TlwxA0/qKlI/PzXfOg63Nqy15woq9buca+uTcS
+  ccYO5au+g4Z70IEeQHsq5SC56qDR5/FvYyu5Ag0EV/SPmgEQANDSEMBKp6ER86y+
+  udfKdSLP9gOv6hPsAgCHhcvBsks+ixeX9U9KkK7vj/1q6wodKf9oEbbdykHgIIB1
+  lzY1l7u7/biAtQhTjdEZPh/dt3vjogrJblUEC0rt+fZe325ociocS4Bt9I75Ttkd
+  nWgkE4uOBJsSllpUbqfLBfYR58zz2Rz1pkBqRTkmJFetVNYErYi2tWbeJ59GjUN7
+  w1K3GhxqbMbgx4dF5+rjGs+KI9k6jkGeeQHqhDk+FU70oLVLuH2Dmi9IFjklKmGa
+  3BU7VpNxvDwdoV7ttRYEBcBnPOmL24Sn4Xhe2MDCqgJwwyohd9rk8neV7GtavVea
+  Tv6bnzi1iJRgDld51HFWG8X+y55i5cYWaiXHdHOAG1+t35QUrczm9+sgkiKSk1II
+  TlEFsfwRl16NTCMGzjP5kGCm/W+yyyvBMw7CkENQcd23fMsdaQ/2UNYJau2PoRH/
+  m+IoRehIcmE0npKeLVTDeZNCzpmfY18T542ibK49kdjZiK6G/VyBhIbWEFVu5Ll9
+  +8GbcO9ucYaaeWkFS8Hg0FZafMk59VxKiICKLZ5he/C4f0UssXdyRYU6C5BH8UTC
+  QLg0z8mSSL+Wb2iFVPrn39Do7Zm8ry6LBCmfCf3pI99Q/1VaLDauorooJV3rQ5kC
+  JEiAeqQtLOvyoXIex1VbzlRUXmElABEBAAGJAh8EGAEIAAkFAlf0j5oCGwwACgkQ
+  FkawG4blAxAUUQ//afD0KLHjClHsA/dFiW+5qVzI8kPMHwO1QcUjeXrB6I3SluOT
+  rLSPhOsoS72yAaU9hFuq8g9ecmFrl3Skp/U4DHZXioEmozyZRp7eVsaHTewlfaOb
+  6g7+v52ktYdomcp3BM5v/pPZCnB5rLrH2KaUWbpY6V6tqtCHbF7zftDqcBENJDXf
+  hiCqS19J08GZFjDEqGDrEj3YEmEXZMN7PcXEISPIz6NYI6rw4yVH8AXfQW6vpPzm
+  ycHwI0QsVW2NQdcZ6zZt+phm6shNUbN2iDdg3BJICmIvQf8qhO3bOh0Bwc11FLHu
+  MKuGVxnWN82HyIsuUB7WDLBHEOtg61Zf1nAF1PQK52YuQz3EWI4LL9OqVqfSTY1J
+  jqIfj+u1PY2UHrxZfxlz1M8pXb1grozjKQ5aNqBKRrcMZNx71itR5rv18qGjGR2i
+  Sciu/xah7zAroEQrx72IjYt03tbk/007CvUlUqFIFB8kY1bbfX8JAA+TxelUniUR
+  2CY8eom5HnaPpKE3kGXZ0jWkudbWb7uuWcW1FE/bO+VtexpBL3SoXmwbVMGnJIEi
+  Uvy8m6ez0kzLXzJ/4K4b8bDO4NjFX2ocKdzLA89Z95KcZUxEG0O7kaDCu0x3BEge
+  uArJLecD5je2/2HXAdvkOAOUi6Gc/LiJrtInc0vUFsdqWCUK5Ao/MKvdMFW5Ag0E
+  V/SP2AEQALRcYv/hiv1n3VYuJbFnEfMkGwkdBYLGo3hiHKY8xrsFVePl9SkL8aqd
+  C310KUFNI42gGY/lz54RUHOqfMszTdafFrmwU18ECWGo4oG9qEutIKG7fkxcvk2M
+  tgsOMZFJqVDS1a9I4QTIkv1ellLBhVub9S7vhe/0jDjXs9IyOBpYQrpCXAm6SypC
+  fpqkDJ4qt/yFheATcm3s8ZVTsk2hiz2jnbqfvpte3hr3XArDjZXr3mGAp3YY9JFT
+  zVBOhyhT/92e6tURz8a/+IrMJzhSyIDel9L+2sHHo9E+fA3/h3lg2mo6EZmRTuvE
+  v9GXf5xeP5lSCDwS6YBXevJ8OSPlocC8Qm8ziww6dy/23XTxPg4YTkdf42i7VOpS
+  pa7EvBGne8YrmUzfbrxyAArK05lo56ZWb9ROgTnqM62wfvrCbEqSHidN3WQQEhMH
+  N7vtXeDPhAd8vaDhYBk4A/yWXIwgIbMczYf7Pl7oY3bXlQHb0KW/y7N3OZCr5mPW
+  94VLLH/v+T5R4DXaqTWeWtDGXLih7uXrG9vdlyrULEW+FDSpexKFUQe83a+Vkp6x
+  GX7FdMC9tNKYnPeRYqPF9UQEJg+MSbfkHSAJgky+bbacz+eqacLXMNCEk2LXFV1B
+  66u2EvSkGZiH7+6BNOar84I3qJrU7LBD7TmKBDHtnRr9JXrAxee3ABEBAAGJBEQE
+  GAEIAA8FAlf0j9gCGwIFCQHhM4ACKQkQFkawG4blAxDBXSAEGQEIAAYFAlf0j9gA
+  CgkQ0QH3iZ1B88PaoA//VuGdF5sjxRIOAOYqXypOD9/Kd7lYyxmtCwnvKdM7f8O5
+  iD8oR2Pk1RhYHjpkfMRVjMkaLfxIRXfGQsWfKN2Zsa4zmTuNy7H6X26XW3rkFWpm
+  dECz1siGRvcpL6NvwLPIPQe7tST72q03u1H7bcyLGk0sTppgMoBND7yuaBTBZkAO
+  WizR+13x7FV+Y2j430Ft/DOe/NTc9dAlp6WmF5baOZClULfFzCTf9OcS2+bo68oP
+  gwWwnciJHSSLm6WRjsgoDxo5f3xBJs0ELKCr4jMwpSOTYqbDgEYOQTmHKkX8ZeQA
+  7mokc9guA0WK+DiGZis85lU95mneyJ2RuYcz6/VDwvT84ooe1swVkC2palDqBMwg
+  jZSTzbcUVqZRRnSDCe9jtpvF48WK4ZRiqtGO6Avzg1ZwMmWSr0zHQrLrUMTq/62W
+  KxLyj2oPxgptRg589hIwXVxJRWQjFijvK/xSjRMLgg73aNTq6Ojh98iyKAQ3HfzW
+  6iXBLLuGfvxflFednUSdWorr38MspcFvjFBOly+NDSjPHamNQ2h19iHLrYT7t4ve
+  nU9PvC+ORvXGxTN8mQR9btSdienQ8bBuU/mg/c417w6WbY7tkkqHqUuQC9LoaVdC
+  QFeE/SKGNe+wWN/EKi0QhXR9+UgWA41Gddi83Bk5deuTwbUeYkMDeUlOq3yyemcG
+  VxAA0PSktXnJgUj63+cdXu7ustVqzMjVJySCKSBtwJOge5aayonCNxz7KwoPO34m
+  Gdr9P4iJfc9kjawNV79aQ5aUH9uU2qFlbZOdO8pHOTjy4E+J0wbJb3VtzCJc1Eaa
+  83kZLFtJ45Fv2WQQ2Nv3Fo+yqAtkOkaBZv9Yq0UTaDkSYE9MMzHDVFx11TT21NZD
+  xu2QiIiqBcZfqJtIFHN5jONjwPG08xLAQKfUNROzclZ1h4XYUT+TWouopmpNeay5
+  JSNcp5LsC2Rn0jSFuZGPJ1rBwB9vSFVA/GvOj8qEdfhjN3XbqPLVdOeChKuhlK0/
+  sOLZZG91SHmT5SjP2zM6QKKSwNgHX4xZt4uugSZiY13+XqnrOGO9zRH8uumhsQmI
+  eFEdT27fsXTDTkWPI2zlHTltQjH1iebqqM9gfa2KUt671WyoL1yLhWrgePvDE+He
+  r002OslvvW6aAIIBki3FntPDqdIH89EEB4UEGqiA1eIZ6hGaQfinC7/IOkkm/mEa
+  qdeoI6NRS521/yf7i34NNj3IaL+rZQFbVWdbTEzAPtAs+bMJOHQXSGZeUUFrEQ/J
+  ael6aNg7mlr7cacmDwZWYLoCfY4w9GW6JHi6i63np8EA34CXecfor7cAX4XfaokB
+  XjyEkrnfV6OWYS7f01JJOcqYANhndxz1Ph8bxoRPelf5q+W5Ag0EWBU7dwEQAL1p
+  wH4prFMFMNV7MJPAwEug0Mxf3OsTBtCBnBYNvgFB+SFwKQLyDXUujuGQudjqQPCz
+  /09MOJPwGCOi0uA0BQScJ5JAfOq33qXi1iXCj9akeCfZXCOWtG3Izc3ofS6uee7K
+  fWUF1hNyA3PUwpRtM2pll+sQEO3y/EN7xYGUOM0mlCawrYGtxSNMlWBlMk/y5HK9
+  upz+iHwUaEJ4PjV+P4YmDq0PnPvXE4qhTIvxx0kO5oZF0tAJCoTg1HE7o99/xq9Z
+  rejDR1JJj6btNw1YFQsRDLxRZv4rL9He10lmLhiQE8QN7zOWzyJbRP++tWY2d2zE
+  yFzvsOsGPbBqLDNkbb9d8Bfvp+udG13sHAEtRzI2UWe5SEdVHobAgu5l+m10WlsN
+  TG/L0gJe1eD1bwceWlnSrbqw+y+pam9YKWqdu18ETN6CeAbNo4w7honRkcRdZyoG
+  p9zZf3o1bGBBMla6RbLuJBoRDOy2Ql7B+Z87N0td6KlHI6X8fNbatbtsXR7qLUBP
+  5oRb6nXX4+DnTMDbvFpE2zxnkg+C354Tw5ysyHhM6abB2+zCXcZ3holeyxC+BUrO
+  gGPyLH/s01mg2zmttwC1UbkaGkQ6SwCoQoFEVq9Dp96B6PgZxhEw0GMrKRw53LoX
+  4rZif9Exv6qUFsGY8U9daEdDPF5UHYe7t/nPpfW3ABEBAAGJBEQEGAEIAA8CGwIF
+  AlokZSMFCQQWmKMCKcFdIAQZAQgABgUCWBU7dwAKCRBGwhMN/SSX9XKdD/4/dWSy
+  7h+ejbq8DuaX1vNXea79f+DNTUerJKpi/1nDOTajnXZnhCShP/yVF6kgbu8AVFDM
+  +fno/P++kx+IwNp/q2HGzzCm/jLeb6txAhAo7iw3fDAU89u8zzAahjp8Zq8iQsoo
+  hfLUGnNEaW0Z25/Rzb37Jy/NxxCnK5OtmThmXveQvIFLx8K34xlZ6MwyiUO64smI
+  dtdyLr492LciZpvJK1s2cliZLKu40dwseWAhvK6BOIBx1PLQGL/Pwx95jCNUDASR
+  fhvY3C27B5gvO6kE5O/RKpgKYF25k5uRLkscxn7liH0d+t3Ti4x07lwiLLQCwZ6F
+  NELdfJp5rtCT33es1wYTNfss0HUYHYFdKr0Vg9v6rR7B/yTwuv0TRYbR28M5olKR
+  IZ52B0DVDO9OCkACRVaxeWSxKFV/g1WyTE1QYNFo8t5EH4hX/mM76RGwW46DlOWS
+  fpyC7X4GfmAh+/SfL0rtN4Lr3uBFAhwrx1vW3xeJ2BIptGaxJgRpELLdz3HDb83s
+  MtT8mzeBXwVR3txmlpg36T96sx3J+osDugV34ctsDkO7/3vXIXz/oGh/zOmMH35A
+  9EgBGlxE4RxBfPT122XzBbwzSvT3Gmdr7QmTonEX6y0P3v6HOKRBcjFS0JePfmmz
+  1RJLG/Vy7PQxoV1YZbXc66C03htDYM2B6VtMNQkQFkawG4blAxCiVRAAhq/1L5Yl
+  smItiC6MROtPP+lfAWRmMSkoIuAtzkV/orqPetwWzjYLgApOvVXBuf9FdJ5vAx1I
+  XG3mDx6mQQWkr4t9onwCUuQ7lE29qmvCHB3FpKVJPKiGC6xK38t5dGAJtbUMZBQb
+  1vDuQ7new8dVLzBSH1VZ7gx9AT+WEptWznb1US1AbejO0uT8jsVc/McK4R3LQmVy
+  9+hbTYZFz1zCImuv9SCNZPSdLpDe41QxcMfKiW7XU4rshJULKd4HYG92KjeJU80z
+  gCyppOm85ENiMz91tPT7+A4O7XMlOaJEH8t/2SZGBE/dmHjSKcWIpJYrIZKXTrNv
+  7rSQGvweNG5alvCAvnrLJ2cRpU1Rziw7auEU1YiSse+hQ1ZBIzWhPMunIdnkL/BJ
+  unBTVE7hPMMG7alOLy5Z0ikNytVewasZlm/dj5tEsfvF7tisVTZWVjWCvEMTP5fe
+  cNMEAwbZdBDyQBAN00y7xp4Pwc/kPLuaqESyTTt8jGek/pe7/+6fu0GQmR2gZKGa
+  gAxeZEvXWrxSJp/q81XSQGcO6QYMff7VexY3ncdjSVLro+Z3ZtYt6aVIGAEEA5UE
+  341yCGIeN+nr27CXD4fHF28aPh+AJzYh+uVjQhHbL8agwcyCMLgU88u1U0tT5Qtj
+  wnw+w+3UNhROvn495REpeEwD60iVeiuF5FW5Ag0EWbWWowEQALCiEk5Ic40W7/v5
+  hqYNjrRlxTE/1axOhhzt8eCB7eOeNOMQKwabYxqBceNmol/guzlnFqLtbaA6yZQk
+  zz/K3eNwWQg7CfXO3+p/dN0HtktPfdCk+kY/t7StKRjINW6S9xk9KshiukmdiDq8
+  JKS0HgxqphBB3tDjmo6/RiaOEFMoUlXKSU+BYYpBpLKg53P8F/8nIsK2aZJyk8Xu
+  Bd0UXKI+N1gfCfzoDWnYHs73LQKcjrTaZQauT81J7+TeWoLI28vkVxyjvTXAyjSB
+  nhxTYfwUNGSoawEXyJ1uKCwhIpklxcCMI9Hykg7sKNsvmJ4uNcRJ7cSRfb0g5DR9
+  dLhR+eEvFd+o4PblKk16AI48N8Zg1dLlJuV2cAtl0oBPk+tnbZukvkS5n1IzTSmi
+  iPIXvK2t506VtfFEw4iZrJWf2Q9//TszBM3r1FPATLH7EAeG5P8RV+ri7L7NvzP6
+  ZQClRDUsxeimCSe8v/t0OpheCVMlM9TpVcKGMw8ig/WEodoLOP4iqBs4BKR7fuyd
+  jDqbU0k/sdJTltp7IIdK1e49POIQ7pt+SUrsq/HnPW4woLC1WjouBWyr2M7/a0Sl
+  dPidZ2BUAK7O9oXosidZMJT7dBp3eHrspY4bdkSxsd0nshj0ndtqNktxkrSFRkoF
+  pMz0J/M3Q93CjdHuTLpTHQEWjm/7ABEBAAGJBEQEGAEIAA8FAlm1lqMCGwIFCQJ2
+  LQACKQkQFkawG4blAxDBXSAEGQEIAAYFAlm1lqMACgkQ4HTRbrb/TeMpDQ//eOIs
+  CWY2gYOGACw42JzMVvuTDrgRT4hMhgHCGeKzn1wFL1EsbSQV4Z6pYvnNayuEakgI
+  z14wf4UFs5u1ehfBwatmakSQJn32ANcAvI0INAkLEoqqy81mROjMc9FFrOkdqjcN
+  7yN0BzH9jNYL/gsvmOOwOu+dIH3C1Lgei844ZR1BZK1900mohuRwcji0sdROMcrK
+  rGjqd4yb6f7yl0wbdAxA3IHT3TFGczC7Y41P2OEpaJeVIZZgxkgQsJ14qK/QGpdK
+  vmZAQpjHBipeO/H+qxyOT5Y+f15VLWGOOVL090+ZdtF7h3m4X2+L7xWsFIgdOprf
+  O60gq3e79YFfgNBYU5BGtJGFGlJ0sGtnpzx5QCRka0j/1E5lIu00sW3WfGItFd48
+  hW6wHCloyoi7pBR7xqSEoU/U5o7+nC8wHFrDYyqcyO9Q3mZDw4LvlgnyMOM+qLv/
+  fNgO9USE4T30eSvc0t/5p1hCKNvyxHFghdRSJqn70bm6MQY+kd6+B/k62Oy8eCwR
+  t4PR+LQEIPnxN7xGuNpVO1oMyhhO41osYruMrodzw81icBRKYFlSuDOQ5jlcSajc
+  6TvF22y+VXy7nx1q/CN4tzB/ryUASU+vXS8/QNM6qI/QbbgBy7VtHqDbs2KHp4cP
+  0j9KYQzMrKwtRwfHqVrwFLkCp61EHwSlPsEFiglpMg/8DQ92O4beY0n7eSrilwEd
+  Jg89IeepTBm1QYiLM33qWLR9CABYAIiDG7qxviHozVfX6kUwbkntVpyHAXSbWrM3
+  kD6jPs3u/dimLKVyd29AVrBSn9FC04EjtDWsj1KB7HrFN4oo9o0JLSnXeJb8FnPf
+  3MitaKltvj/kZhegozIs+zvpzuri0LvoB4fNA0T4eAmxkGkZBB+mjNCrUHIakyPZ
+  VzWGL0QGsfK1Q9jvw0OErqHJYX8A1wLre/HkBne+e5ezS6Mc7kFW33Y1arfbHFNA
+  e12juPsOxqK76qNilUbQpPtNvWP3FTpbkAdodMLq/gQ+M5yHwPe8SkpZ8wYCfcwE
+  emz/P+4QhQB8tbYbpcPxJ+aQjVjcHpsLdrlSY3JL/gqockR7+97GrCzqXbgvsqiW
+  r16Zyn6mxYWEHn9HXMh3b+2IYKFFXHffbIBq/mfibDnZtQBrZpn2uyh6F2ZuOsZh
+  0LTD7RL53KV3fi90nS00Gs1kbMkPycL1JLqvYQDpllE2oZ1dKDYkwivGyDQhRNfE
+  RL6JkjyiSxfZ2c84r2HPgnJTi/WBplloQkM+2NfXrBo6kLHSC6aBndRKk2UmUhrU
+  luGcQUyfzYRFH5kVueIYfDaBPus9gb+sjnViFRpqVjefwlXSJEDHWP3Cl2cuo2mJ
+  jeDghj400U6pjSUW3bIC/PK5Ag0EXCxEEQEQAKVjsdljwPDGO+48879LDa1d7GEu
+  /Jm9HRK6INCQiSiS/0mHkeKa6t4DRgCY2ID9lFiegx2Er+sIgL0chs16XJrFO21u
+  kw+bkBdm2HYUKSsUFmr/bms8DkmAM699vRYVUAzO9eXG/g8lVrAzlb3RT7eGHYKd
+  15DT5KxXDQB+T+mWE9qD5RJwEyPjSU+4WjYF+Rr9gbSuAt5UySUb9jTR5HRNj9wt
+  b4YutfP9jbfqy8esQVG9R/hpWKb2laxvn8Qc2Xj93qNIkBt/SILfx9WDJl0wNUmu
+  +zUwpiC2wrLFTgNOpq7g9wRPtg5mi8MXExWwSF2DlD54yxOOAvdVACJFBXEcstQ3
+  SWg8gxljG8eLMpDjwoIBax3DZwiYZjkjJPeydSulh8vKoFBCQkf2PcImXdOk2HqO
+  V1L7FROM6fKydeSLJbx17SNjVdQnq1OsyqSO0catAFNptMHBsN+tiCI29gpGegao
+  umV9cnND69aYvyPBgvdtmzPChjSmc6rzW1yXCJDm2qzwm/BcwJNXW5B3EUPxc0qS
+  Wste9fUna0G4l/WMuaIzVkuTgXf1/r9HeQbjtxAztxH0d0VgdHAWPDkUYmztcZ4s
+  d0PWkVa18qSrOvyhI96gCzdvMRLX17m1kPvP5PlPulvqizjDs8BScqeSzGgSbbQV
+  m5Tx4w2uF4/n3FBnABEBAAGJBFsEGAEIACYCGwIWIQRy7PRqVrStOckHu7cWRrAb
+  huUDEAUCXiUQEgUJA+3GAQIpwV0gBBkBAgAGBQJcLEQRAAoJECPnFmeItj4egdIP
+  /3D4rN79jOl7wG1aDNxiDF57FY9VgB7sAP42u1H2SffpFfz4jC5AG1tHwY9P8tDt
+  0ctdlVUBl4QvlaOI+gvKsBT+Dl2uhLMR17r1jCM7QWl9Smr+td2lwbcaerU67ndB
+  RVIeLA3NUURG97TK+suXLxSYJ63VnF9YLJejg3IFgRjXOmV+x+4+PITEeipjXmaH
+  Fu6fFvgYA0Cal2MFTS9eajh81QIdHVrBSxPYMAU5gwmNN8fWq8UjQxgl8sbehO+y
+  2zVSKEkZRG5L4uo995xG7hESAmJegpbV0AsolSo4XiXCzI24L+fmywr9s33if1sj
+  pjhiqR0bvpQVdRr5YkcVG5VZZo1j4WDwWVxsoyCNek6q/opURHGRVvkk3HG61XLe
+  +SVi28cJRJosfltR8EkQkfih8dwrq+GTzDgZT7BYpTjrDWu0TlAeere879tRH9wX
+  nmgnfXOJMzRjfHdYnBKkl6Flj6oEk9C2T7WcqlmVZ1qxwoVR364qMYUp8PDt8GNQ
+  NhkmoYgkr747znhKCclNtWTMOgFchwoer+NqGGnQXxoBcDaOTgjITcTcvwnFKwUg
+  6si1UzOUJTbE++WLO5Bx53PiZPsceCaYsjQs+S83D4ZcKapyUHIyXWNYQ4Su+Tq5
+  o/zXwjHmfINWlT1+MRKvADMmWIWef5ZjPtd0Xb/GVuhSCRAWRrAbhuUDEOZ9EACs
+  2cj3d+FlGLVh+Y2MXhfUabCTERX5b9bl4oYQ0+gLH3z8y3BdhfGmh9OXqjyCTbp7
+  FBmkUpCp8FIGBgEX3VVbW/lzEfbWatBj89xaUY/oV7CfXHjBqt6YVDVZEzMvJus2
+  7MrLYocwx9kBFhSEM+WUFXE0TD1JctmZZFJiuV7wPj78gwRfY3ZDZBLChvroMX1j
+  FjKSzK+qQrfxbbjsHIMq4lJWnlXwT8uIgV8O3zLPAQlOC94442wFiyjt6w4uISeA
+  LjrgdvtT5vBaaf/H/YJxS8mSpzHjAgh3/WlRQY0olLJ8WdEQbzTfHzXcCt5y66Yz
+  gn97wnjTSti5l+/JxkwJRKZTd7OqtKn7oXvRTES92LK63AdIqdO0c4gV4TdG1DTJ
+  DMD41TicmJ+bsV4C5VmUKTa7KOuJYQoZDx3fOpxGt4bVyS8wSKHnDpqZbq+A5OqO
+  KBTsPFkVOFgeRJIjLCkg8PgnNIpR8tsSazaXvsToXFYncoFLpSxrTd3gVlBAY4Sd
+  dKFEZONl5k9i3fXUUeX20JxWNPOme1HHhF/JrP7i2okOmBvW5NxjW0orhAPGutPi
+  w41oNxwcO0TjuZKtBgTPSuU9C7fanlRx0JGw6laHqwKfM24WdgNwzl+QirkPtzxV
+  fJrV82uhCm9ZTEryg60+MUFe52NglHHRygwN7UlHc7kCDQRcN/VvARAAoEHIkyjF
+  DsfoCxA/b2qNjz+l8OI2WhAMdqxReg7JN9R61qbetj9RYIcWswPSO84c0ioRUk+x
+  JavEFh/6Lg00QKwJKPf0kd1Us6SfqklxGczOaWNLyiM7JthFRNMp0qVX6NjLqGoC
+  NO+d/+nNk6s2x4rLECj/EROmE3ZQQEo5nBXmPlhXpVem23rGfXEQvXDNqFmvqrP+
+  Befn/+aDpo89QIm3sE8G0LfgcajIdSfgLH+NJTvOVAtXXVXJPK39Njr1aBzWTbWh
+  LS2bji7DwP7hshdh7DE2rS623vlzvkkrms8oKkiRpKATdhQ8CEx+mhTFKCj6GtNq
+  hwttCbf98N9GpiHD0has65YtgQQjk2pLR62rZf6czagRfKbFQzXjl2JxS/bsHVhT
+  khyJFqgDcHCSXe7K8uGTAE2AkakGhGyDJYqGVSl0w5IAU8dqDQMc0IpsVMbFk4nX
+  4GgOwixwrzrgCh0jRi+EwUHJYZHBAyzNCkr++D25R0gwNhPMjSKe8Ks6G3hH3XP/
+  ZVlceW/gPfxRixUTk/q7s3xPpPhLMREEpKS1aGcmYxEkrkVBDAzNYKdKP1MYwLn4
+  lh4yNFXWlTClnDyI6UODTHwt8xDddtnT9u+U+xc6OJiYcCOstl+ovS9HmM/Kt9VT
+  EX9cckEEL1IS+9esQMr4b5X02Y1q9Q2uEucAEQEAAYkEWwQYAQgAJgIbAhYhBHLs
+  9GpWtK05yQe7txZGsBuG5QMQBQJeJRAwBQkD4hTBAinBXSAEGQECAAYFAlw39W8A
+  CgkQT3dnk2lHW6p0eg/+K2JJu1RbTSLJPFYQhLcxX+5d2unkuNLIy3kArtZuB992
+  E2Fw00okPGtuPdSyk2ygh4DeYnwmabIWChi7LDp+YnqcI4GfMxNG6RsHs+A/77rL
+  BST3BB1sejZppmKCQZDSC2pvYaZBpS80UvftCZ9RFdY+kTC22Btn/5ekiQOfIqhU
+  H9CyGWS/YlGciomVIVn1hSPN8l4EpBCDtceRaephvzjQIZT3AxOfSlpwJviYjAOk
+  SX4qWyIjC5Ke5kfEOldUuBN1JGAm45tKlrz/LD/+VOc2IWpbkOIAVSldUgpRyiIJ
+  QAZ80trNxrJI7ncaID8lAa7pBptJiL0KorRjk3c6Y7p830Nwe0J5e5+W1RzN4wlR
+  8+9uuRyP8Mcwz/Hz2jwMiv38Vk4tAOe4PYNZuDnpjZ28yCpF3UUgvzjarubFAcg2
+  jd8SauCQFlmOfvT+1qIMSeLmWBOdlzJTUpJRcZqnkEE4WtiMSlxyWVFvUwOmKSGi
+  8CLoGW1Ksh9thQ9zKhvVUiVoKn4Z79HXr4pX6rnp+mweJ2dEZtlqD7HxjVTlCHn9
+  fzClt/Nt0h721fJbS587AC/ZMgg5GV+GKu6Mij0sPAowUJVCIwN9uK/GHICZEAoM
+  SngP8xzKnhU5FD38vwBvsqbKxTtICrv2NuwnQ0WBBQ58w5mv2RCMr2W6iegSKIAJ
+  EBZGsBuG5QMQri4QAI5sCxkA785fla2Ud4cti2Wu/XnY7dRl7ySIUReVaNpvJLez
+  ZR2SrR2DgNB8n+K8/ub/4vvKJzmM35RJOGaX72CtDMWe+b8JuGx/nVWjhUZxVujg
+  JdpwlaK8/+cdaQQFDkFTqAREgbQArfEFteQgOfyvB02WCCGRj1HGuckde30OaCa3
+  J34BxC37Awtfg6uRhYhSP32mK1U7XApRdGcDLqeybN8hnFN8rlr+1GiCu3L5P/RB
+  DljH10TKzyScy8SVb8gI1twN1huqqqUsz77GuBl2OXIY573GxGX83DPNUhSCKaP4
+  uWI5PWUF1Vc0ugrLw2wsL4uEErdnKgT5BCvfC88zd4scm3zmLoWpMDqOrnuLFMMH
+  SJcVg4Z+R56o5/vJfFuhhDbBuoioaZlPkYMba2by/8d4i/CFHjaiGVpnTJRTaNfv
+  wYt1ycwdm//EuWjm21zESkkbcTNn0fVYpxYtIUbCojGzbX6eHxtXPGqkU45+Gwkq
+  lW5cnwIHU8XNKwb2jR0zyFCNMD/Vb1371RpT0KS/0PyJS66J0P386ANQWEsllgdU
+  CkESjj5AT1KordMHBt78XR5ju9T0AcLfJvaDjoA0sSz7Bi2gwd0lqRukY2bwgbpd
+  1K/aPN5Njt4wSdGVBhZI9l/68oyBmedl1jvKQfr7mVrSNFeOh8scZrBldYN1
+  =nmWU
+  -----END PGP PUBLIC KEY BLOCK-----
diff --git a/data/deployments/production/common.yaml b/data/deployments/production/common.yaml
--- a/data/deployments/production/common.yaml
+++ b/data/deployments/production/common.yaml
@@ -17,3 +17,4 @@
 
 elasticsearch::jvm_options::heap_size: 16g
 
+swh::postgresql::shared_buffers: 4GB
diff --git a/data/deployments/production/vagrant.yaml b/data/deployments/production/vagrant.yaml
--- a/data/deployments/production/vagrant.yaml
+++ b/data/deployments/production/vagrant.yaml
@@ -1 +1,3 @@
 elasticsearch::jvm_options::heap_size: 512m
+
+swh::postgresql::shared_buffers: 128MB
diff --git a/data/hostname/bardo.softwareheritage.org.yaml b/data/hostname/bardo.softwareheritage.org.yaml
new file mode 100644
--- /dev/null
+++ b/data/hostname/bardo.softwareheritage.org.yaml
@@ -0,0 +1,51 @@
+groups:
+  hedgedoc:
+    gid: 6000
+
+users:
+  hedgedoc:
+    uid: 6000
+    shell: /bin/bash
+    groups:
+      - hedgedoc
+
+hedgedoc::db::database: hedgedoc
+hedgedoc::db::username: hedgedoc
+# hedgedoc::db::password: in private-data
+
+swh::postgresql::version: '12'
+swh::postgresql::port: 5433
+swh::postgresql::cluster_name: "%{lookup('swh::postgresql::version')}/main"
+swh::postgresql::datadir_base: "%{lookup('swh::base_directory')}/postgres"
+swh::postgresql::datadir: "%{lookup('swh::postgresql::datadir_base')}/%{lookup('swh::postgresql::cluster_name')}"
+swh::postgresql::listen_addresses:
+  - 0.0.0.0
+swh::postgresql::network_accesses:
+  - 192.168.100.0/24 # Monitoring
+  - 192.168.130.0/24 # Staging services
+
+postgresql::globals::version: "%{alias('swh::postgresql::version')}"
+
+postgresql::server::config_entries:
+  shared_buffers: "%{alias('swh::postgresql::shared_buffers')}"
+  cluster_name: "%{alias('swh::postgresql::cluster_name')}"
+
+swh::dbs:
+  hedgedoc:
+    name: "%{alias('hedgedoc::db::db_name')}"
+    user: "%{alias('hedgedoc::db::username')}"
+
+hedgedoc::host: bardo.softwareheritage.org
+hedgedoc::port: 3000
+hedgedoc::user: hedgedoc
+hedgedoc::group: hedgedoc
+
+hedgedoc::db::db_name: hedgedoc
+hedgedoc::db::username: hedgedoc
+
+hedgedoc::allow_anonymous: true
+hedgedoc::allow_anonymous_edits: true
+hedgedoc::runtime_environment: production
+hedgedoc::log_level: debug
+
+hedgedoc::vhost::letsencrypt_cert: hedgedoc
diff --git a/data/subnets/vagrant.yaml b/data/subnets/vagrant.yaml
--- a/data/subnets/vagrant.yaml
+++ b/data/subnets/vagrant.yaml
@@ -49,6 +49,8 @@
 kafka::cluster::public_network: 10.168.130.0/24
 
 static_hostnames:
+  10.168.50.10:
+    host: bardo.softwareheritage.org
   10.168.100.18:
     host: banco.internal.softwareheritage.org
     aliases:
diff --git a/manifests/site.pp b/manifests/site.pp
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -133,6 +133,10 @@
   include profile::postgresql::client
 }
 
+node "bardo.softwareheritage.org" {
+  include role::swh_hedgedoc
+}
+
 node 'scheduler0.internal.staging.swh.network' {
   include role::swh_scheduler
   include profile::postgresql::client
diff --git a/site-modules/profile/manifests/hedgedoc.pp b/site-modules/profile/manifests/hedgedoc.pp
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/manifests/hedgedoc.pp
@@ -0,0 +1,134 @@
+# deploy a hedgedoc instance
+class profile::hedgedoc {
+
+  $packages = [
+    'npm', 'yarn', 'node-gyp'
+  ]
+
+  $keyid = lookup('yarn::apt_config::keyid')
+  $key =   lookup('yarn::apt_config::key')
+
+  # ---- configuration
+  $user = lookup('hedgedoc::user')
+  $group = lookup('hedgedoc::group')
+  $host = lookup('hedgedoc::host')
+  $port = lookup('hedgedoc::port')
+  $base_url = "${host}:${port}"
+
+  $db_name = lookup('hedgedoc::db::db_name')
+  $db_user = lookup('hedgedoc::db::username')
+  $db_password = lookup('swh::deploy::hedgedoc::db::password')
+  $db_port = lookup('swh::postgresql::port')
+  $db_url = "postgres://${db_user}:${db_password}@${host}:${db_port}/${db_name}"
+
+  $allow_anonymous = lookup('hedgedoc::allow_anonymous')
+  $allow_anonymous_edits = lookup('hedgedoc::allow_anonymous_edits')
+  $runtime_environment = lookup('hedgedoc::runtime_environment')
+  $log_level = lookup('hedgedoc::log_level')
+
+  # ---- install
+  $version = "1.7.0"
+  $archive_url = "https://github.com/hedgedoc/hedgedoc/releases/download/${version}/hedgedoc-${version}.tar.gz"
+  $archive_path = "/tmp/hedgedoc-${version}.tar.gz"
+  $root_install_path = "/opt"
+  $install_path = "${root_install_path}/hedgedoc"
+  $upgrade_flag_path = "${install_path}/hedgedoc-${version}-upgrade"
+
+  $sequelizerc_config_sequelizerc_path = "${install_path}/.sequelizerc"
+  $sequelizerc_config_json_path = "${install_path}/config.json"
+
+  $service_name = "hedgedoc"
+  $unit_name = "${service_name}.service"
+
+  apt::source { 'yarn':
+    location => "https://dl.yarnpkg.com/debian/",
+    release  => 'stable',
+    repos    => 'main',
+    key      => {
+      id      => $keyid,
+      content => $key,
+    },
+  } ->
+  package { $packages:
+    ensure => present,
+    notify => Archive['hedgedoc'],
+  }
+
+  file { $install_path:
+    ensure  => 'directory',
+    owner   => $user,
+    group   => $group,
+    mode    => '0644',
+    require => [User[$user], Group[$group]],
+  }
+
+  archive { 'hedgedoc':
+    path          => $archive_path,
+    extract       => true,
+    source        => $archive_url,
+    extract_path  => $root_install_path,
+    creates       => $install_path,
+    checksum      => 'ab1fc7ddf260ca6caff52f3400fc38815481fe353d0edc08de721765f15071f6',
+    checksum_type => 'sha256',
+    cleanup       => true,
+    user          => 'root',
+    group         => 'root',
+    notify        => File[$install_path],
+  } ~>
+  exec {'active-initialize':
+    command      => "touch ${upgrade_flag_path}",
+    path         => '/usr/bin',
+    refreshonly  => true,
+  } ~>
+  exec {'hedgedoc-flag-upgrade':
+    command     => "$install_path/bin/setup",
+    cwd         => $install_path,
+    require     => Postgresql::Server::Db[$db_name],
+    refreshonly => true,
+  } ~>
+  file {$sequelizerc_config_json_path:
+    ensure  => present,
+    owner   => $user,
+    group   => $group,
+    mode    => '0644',
+    content => template("profile/hedgedoc/config.json.erb"),
+  } ~>
+  file {$sequelizerc_config_sequelizerc_path:
+    ensure  => present,
+    owner   => $user,
+    group   => $group,
+    mode    => '0644',
+    content => template("profile/hedgedoc/sequelizerc.erb"),
+  } ~>
+  exec {'yarn-build':
+    command     => "yarn run build",
+    cwd         => $install_path,
+    path        => '/usr/bin',
+    onlyif      => "test -f ${upgrade_flag_path}",
+    refreshonly => true,
+  } ~>
+  exec {'hegdedoc-flag-upgrade-done':
+    command     => "rm ${upgrade_flag_path}",
+    cwd         => $install_path,
+    path        => '/usr/bin',
+    onlyif      => "test -f ${upgrade_flag_path}",
+    refreshonly => true,
+    notify      => Service[$service_name],
+  }
+
+  systemd::unit_file {$unit_name:
+    ensure  => present,
+    content => template('profile/hedgedoc/hedgedoc.service.erb'),
+  }
+
+  service {$service_name:
+    ensure  => 'running',
+    enable  => true,
+    require => [
+      Systemd::Unit_file[$unit_name],
+      Package[$packages],
+      Archive['hedgedoc'],
+    ],
+  }
+
+}
diff --git a/site-modules/profile/templates/hedgedoc/config.json.erb b/site-modules/profile/templates/hedgedoc/config.json.erb
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/templates/hedgedoc/config.json.erb
@@ -0,0 +1,104 @@
+{
+    "<%= @runtime_environment %>": {
+        "sessionSecret": "change-this-secret",
+        "allowAnonymous": <%= @allow_anonymous %>,
+        "allowAnonymousEdit": <%= @allow_anonymous_edits %>,
+        "allowFreeURL": true,
+        "domain": "<%= @base_url %>",
+        "loglevel": "<%= @log_level %>",
+        "allowOrigin": [ "localhost", "<%= @base_url %>"],
+        "hsts": {
+            "enable": true,
+            "maxAgeSeconds": 31536000,
+            "includeSubdomains": true,
+            "preload": true
+        },
+        "csp": {
+            "enable": true,
+            "directives": {
+            },
+            "upgradeInsecureRequests": "auto",
+            "addDefaults": true,
+            "addDisqus": true,
+            "addGoogleAnalytics": true
+        },
+        "cookiePolicy": "lax",
+        "db": {
+            "username": "<%= @db_user %>",
+            "password": "<%= @db_password %>",
+            "database": "<%= @db_name %>",
+            "host": "<%= @host %>",
+            "port": "<%= @db_port %>",
+            "dialect": "postgres"
+        },
+        "facebook": {
+            "clientID": "change this",
+            "clientSecret": "change this"
+        },
+        "twitter": {
+            "consumerKey": "change this",
+            "consumerSecret": "change this"
+        },
+        "github": {
+            "clientID": "change this",
+            "clientSecret": "change this"
+        },
+        "gitlab": {
+            "baseURL": "change this",
+            "clientID": "change this",
+            "clientSecret": "change this",
+            "scope": "use 'read_user' scope for auth user only or remove this property if you need gitlab snippet import/export support (will result to be default scope 'api')",
+            "version": "v4"
+        },
+        "mattermost": {
+            "baseURL": "change this",
+            "clientID": "change this",
+            "clientSecret": "change this"
+        },
+        "dropbox": {
+            "clientID": "change this",
+            "clientSecret": "change this",
+            "appKey": "change this"
+        },
+        "google": {
+            "clientID": "change this",
+            "clientSecret": "change this",
+            "apiKey": "change this"
+        },
+        "ldap": {
+            "url": "ldap://change_this",
+            "bindDn": null,
+            "bindCredentials": null,
+            "searchBase": "change this",
+            "searchFilter": "change this",
+            "searchAttributes": ["change this"],
+            "usernameField": "change this e.g. cn",
+            "useridField": "change this e.g. uid",
+            "tlsOptions": {
+                "changeme": "See https://nodejs.org/api/tls.html#tls_tls_connect_options_callback"
+            }
+        },
+        "imgur": {
+            "clientID": "change this"
+        },
+        "minio": {
+          "accessKey": "change this",
+          "secretKey": "change this",
+          "endPoint": "change this",
+          "secure": true,
+          "port": 9000
+        },
+        "s3": {
+          "accessKeyId": "change this",
+          "secretAccessKey": "change this",
+          "region": "change this"
+        },
+        "s3bucket": "change this",
+        "azure":
+        {
+          "connectionString": "change this",
+          "container": "change this"
+        },
+        "linkifyHeaderStyle": "gfm"
+    }
+}
diff --git a/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb b/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/templates/hedgedoc/hedgedoc.service.erb
@@ -0,0 +1,23 @@
+[Unit]
+Description=Hedgedoc
+Documentation=https://github.com/hedgedoc/hedgedoc
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=<%= @user %>
+Group=<%= @group %>
+Environment=CMD_ALLOW_ANONYMOUS=<%= @allow_anonymous %>
+Environment=CMD_ALLOW_ANONYMOUS_EDITS=<%= @allow_anonymous_edits %>
+Environment=NODE_ENV=<%= @runtime_environment %>
+WorkingDirectory=<%= @install_path %>
+
+ExecStart=/usr/bin/yarn start
+
+Restart=on-failure
+RestartSec=10
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/site-modules/profile/templates/hedgedoc/sequelizerc.erb b/site-modules/profile/templates/hedgedoc/sequelizerc.erb
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/templates/hedgedoc/sequelizerc.erb
@@ -0,0 +1,8 @@
+var path = require('path');
+
+module.exports = {
+    'config':          path.resolve('config.json'),
+    'migrations-path': path.resolve('lib', 'migrations'),
+    'models-path':     path.resolve('lib', 'models'),
+    'url':             '<%= @db_url %>'
+}
diff --git a/site-modules/role/manifests/swh_hedgedoc.pp b/site-modules/role/manifests/swh_hedgedoc.pp
new file mode 100644
--- /dev/null
+++ b/site-modules/role/manifests/swh_hedgedoc.pp
@@ -0,0 +1,4 @@
+class role::swh_hedgedoc inherits role::swh_database {
+  include profile::postgresql::server
+  include profile::hedgedoc
+}