use npins

at least that works

default.nix

@@ -0,0 +1,103 @@
+let
+  inputs = import ./npins;
+  system = "x86_64-linux";
+  pkgs = import inputs.nixpkgs { config = { }; overlays = [ ]; system = builtins.currentSystem; };
+  lib = import "${inputs.nixpkgs}/lib" // { inherit nixosSystem; };
+  nixosSystem = args:
+    import "${inputs.nixpkgs}/nixos/lib/eval-config.nix"
+      (
+        {
+          inherit lib;
+          # Allow system to be set modularly in nixpkgs.system.
+          # We set it to null, to remove the "legacy" entrypoint's
+          # non-hermetic default.
+          system = null;
+
+          modules = args.modules;
+        }
+        // builtins.removeAttrs args [ "modules" ]
+      );
+in
+rec {
+  nixosModules = {
+    disko = "${inputs.disko}/module.nix";
+    disk-layout = import ./vm/disk-layout.nix;
+    interactive-vm = import ./vm/interactive-vm.nix;
+    mastodon-vm = import ./vm/mastodon-vm.nix;
+    peertube-vm = import ./vm/peertube-vm.nix;
+    pixelfed-vm = import ./vm/pixelfed-vm.nix;
+  };
+
+  # test with
+  #     nix-build -A nixosConfigurations.<config>.installTest
+  nixosConfigurations = {
+    mastodon = nixosSystem {
+      inherit system;
+      modules = with nixosModules; [
+        disko
+        disk-layout
+        interactive-vm
+        mastodon-vm
+      ];
+    };
+
+    peertube = nixosSystem {
+      inherit system;
+      modules = with nixosModules; [
+        disko
+        disk-layout
+        interactive-vm
+        peertube-vm
+      ];
+    };
+
+    pixelfed = nixosSystem {
+      inherit system;
+      modules = with nixosModules; [
+        disko
+        disk-layout
+        interactive-vm
+        pixelfed-vm
+      ];
+    };
+
+    all = nixosSystem {
+      inherit system;
+      modules = with nixosModules; [
+        interactive-vm
+        disko
+        disk-layout
+        peertube-vm
+        pixelfed-vm
+        mastodon-vm
+      ];
+    };
+  };
+
+  # build with
+  #     nix-build -A installers.<config>
+  installers =
+    let
+      installer = (import ./installer.nix) { inherit lib; outPath = inputs.nixpkgs; };
+    in
+    lib.mapAttrs (_: config: installer config) nixosConfigurations;
+
+  # run with
+  #     $(nix-build -A deploy.<machine> --no-out-link)/bin/deploy
+  deploy =
+    let
+      deployCommand = (pkgs.callPackage ./deploy.nix { });
+    in
+    lib.mapAttrs (name: config: deployCommand name config) nixosConfigurations;
+
+  tests = {
+    mastodon-garage = import ./tests/mastodon-garage.nix { inherit pkgs; };
+    pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs; };
+  };
+
+  shell = pkgs.mkShell {
+    packages = with pkgs; [
+      nil
+    ];
+  };
+}

npins/default.nix

@@ -0,0 +1,80 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+  data = builtins.fromJSON (builtins.readFile ./sources.json);
+  version = data.version;
+
+  mkSource =
+    spec:
+    assert spec ? type;
+    let
+      path =
+        if spec.type == "Git" then
+          mkGitSource spec
+        else if spec.type == "GitRelease" then
+          mkGitSource spec
+        else if spec.type == "PyPi" then
+          mkPyPiSource spec
+        else if spec.type == "Channel" then
+          mkChannelSource spec
+        else
+          builtins.throw "Unknown source type ${spec.type}";
+    in
+    spec // { outPath = path; };
+
+  mkGitSource =
+    {
+      repository,
+      revision,
+      url ? null,
+      hash,
+      branch ? null,
+      ...
+    }:
+    assert repository ? type;
+    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+    # In the latter case, there we will always be an url to the tarball
+    if url != null then
+      (builtins.fetchTarball {
+        inherit url;
+        sha256 = hash; # FIXME: check nix version & use SRI hashes
+      })
+    else
+      assert repository.type == "Git";
+      let
+        urlToName =
+          url: rev:
+          let
+            matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
+
+            short = builtins.substring 0 7 rev;
+
+            appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
+          in
+          "${if matched == null then "source" else builtins.head matched}${appendShort}";
+        name = urlToName repository.url revision;
+      in
+      builtins.fetchGit {
+        url = repository.url;
+        rev = revision;
+        inherit name;
+        # hash = hash;
+      };
+
+  mkPyPiSource =
+    { url, hash, ... }:
+    builtins.fetchurl {
+      inherit url;
+      sha256 = hash;
+    };
+
+  mkChannelSource =
+    { url, hash, ... }:
+    builtins.fetchTarball {
+      inherit url;
+      sha256 = hash;
+    };
+in
+if version == 3 then
+  builtins.mapAttrs (_: mkSource) data.pins
+else
+  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"

npins/sources.json

@@ -0,0 +1,32 @@
+{
+  "pins": {
+    "disko": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "disko"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "version": "v1.8.0",
+      "revision": "624fd86460e482017ed9c3c3c55a3758c06a4e7f",
+      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.8.0",
+      "hash": "06ifryv6rw25cz8zda4isczajdgrvcl3aqr145p8njxx5jya2d77"
+    },
+    "nixpkgs": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "radvendii",
+        "repo": "nixpkgs"
+      },
+      "branch": "nixos_rebuild_tests",
+      "revision": "8648620e5c0d8a63f7319bbdaaa9a7f3bccae0f0",
+      "url": "https://github.com/radvendii/nixpkgs/archive/8648620e5c0d8a63f7319bbdaaa9a7f3bccae0f0.tar.gz",
+      "hash": "18s3731h59rby16hv1vkdjaib91h3myxbr041fndq6j5m7jjkbap"
+    }
+  },
+  "version": 3
+}