add .envrc files

This introduces customisation to `settings.py` that
- allow controlling the relevant parameters from our systemd wrapper
  (more brittle and non-obvious than it should be, see TODOs)
- correctly configure SASS processing and static file compression
  (not as easy as it sounds)

.envrc

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+
+# shellcheck shell=bash
+if type -P lorri &>/dev/null; then
+  eval "$(lorri direnv --flake .)"
+else
+  echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
+  use flake
+fi

.gitignore

@@ -6,7 +6,6 @@ tmp/
 .proxmox
 /.pre-commit-config.yaml
 nixos.qcow2
-.envrc
 .direnv
 result*
 .nixos-test-history

flake.lock

@@ -8,11 +8,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1723293904,
+        "lastModified": 1736955230,
-        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
+        "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+        "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
         "type": "github"
       },
       "original": {
@@ -41,16 +41,16 @@
     "crane_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1699217310,
+        "lastModified": 1727316705,
-        "narHash": "sha256-xpW3VFUG7yE6UE6Wl0dhqencuENSkV7qpnpe9I8VbPw=",
+        "narHash": "sha256-/mumx8AQ5xFuCJqxCIOFCHTVlxHkMT21idpbgbm/TIE=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "d535642bbe6f377077f7c23f0febb78b1463f449",
+        "rev": "5b03654ce046b5167e7b0bccbd8244cb56c16f0e",
         "type": "github"
       },
       "original": {
         "owner": "ipetkov",
-        "ref": "v0.15.0",
+        "ref": "v0.19.0",
         "repo": "crane",
         "type": "github"
       }
@@ -82,11 +82,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1731274291,
+        "lastModified": 1738148035,
-        "narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=",
+        "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc",
+        "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54",
         "type": "github"
       },
       "original": {
@@ -106,11 +106,11 @@
         "pyproject-nix": "pyproject-nix"
       },
       "locked": {
-        "lastModified": 1732214960,
+        "lastModified": 1735160684,
-        "narHash": "sha256-ViyEMSYwaza6y55XTDrsRi2K4YKCLsefMTorjWSE27s=",
+        "narHash": "sha256-n5CwhmqKxifuD4Sq4WuRP/h5LO6f23cGnSAuJemnd/4=",
         "owner": "nix-community",
         "repo": "dream2nix",
-        "rev": "a8dac99db44307fdecead13a39c584b97812d0d4",
+        "rev": "8ce6284ff58208ed8961681276f82c2f8f978ef4",
         "type": "github"
       },
       "original": {
@@ -123,6 +123,7 @@
       "inputs": {
         "nixpkgs": [
           "nixops4-nixos",
+          "nixops4",
           "nix-cargo-integration",
           "nixpkgs"
         ],
@@ -130,11 +131,11 @@
         "pyproject-nix": "pyproject-nix_2"
       },
       "locked": {
-        "lastModified": 1722526955,
+        "lastModified": 1735160684,
-        "narHash": "sha256-fFS8aDnfK9Qfm2FLnQ8pqWk8FzvFEv5LvTuZTZLREnc=",
+        "narHash": "sha256-n5CwhmqKxifuD4Sq4WuRP/h5LO6f23cGnSAuJemnd/4=",
         "owner": "nix-community",
         "repo": "dream2nix",
-        "rev": "3fd4c14d3683baac8d1f94286ae14fe160888b51",
+        "rev": "8ce6284ff58208ed8961681276f82c2f8f978ef4",
         "type": "github"
       },
       "original": {
@@ -162,11 +163,11 @@
     "flake-compat_2": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
+        "lastModified": 1733328505,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
         "type": "github"
       },
       "original": {
@@ -207,16 +208,48 @@
         "type": "github"
       }
     },
+    "flake-compat_5": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_6": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-parts": {
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1730504689,
+        "lastModified": 1736143030,
-        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
         "type": "github"
       },
       "original": {
@@ -230,11 +263,11 @@
         "nixpkgs-lib": "nixpkgs-lib_2"
       },
       "locked": {
-        "lastModified": 1730504689,
+        "lastModified": 1736143030,
-        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
         "type": "github"
       },
       "original": {
@@ -252,11 +285,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719994518,
+        "lastModified": 1733312601,
-        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
         "type": "github"
       },
       "original": {
@@ -284,19 +317,38 @@
       }
     },
     "flake-parts_5": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib_4"
+      },
+      "locked": {
+        "lastModified": 1736143030,
+        "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_6": {
       "inputs": {
         "nixpkgs-lib": [
           "nixops4-nixos",
+          "nixops4",
           "nix",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1719994518,
+        "lastModified": 1733312601,
-        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
         "type": "github"
       },
       "original": {
@@ -309,15 +361,14 @@
       "inputs": {
         "flake-compat": "flake-compat",
         "gitignore": "gitignore",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_3"
-        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1730814269,
+        "lastModified": 1737465171,
-        "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=",
+        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "d70155fdc00df4628446352fc58adc640cd705c2",
+        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
         "type": "github"
       },
       "original": {
@@ -348,11 +399,70 @@
         ]
       },
       "locked": {
-        "lastModified": 1721042469,
+        "lastModified": 1734279981,
-        "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
+        "narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
+        "rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "git-hooks-nix_2": {
+      "inputs": {
+        "flake-compat": "flake-compat_4",
+        "gitignore": "gitignore_2",
+        "nixpkgs": "nixpkgs_5"
+      },
+      "locked": {
+        "lastModified": 1737465171,
+        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "git-hooks-nix_3": {
+      "inputs": {
+        "flake-compat": [
+          "nixops4-nixos",
+          "nixops4",
+          "nix"
+        ],
+        "gitignore": [
+          "nixops4-nixos",
+          "nixops4",
+          "nix"
+        ],
+        "nixpkgs": [
+          "nixops4-nixos",
+          "nixops4",
+          "nix",
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": [
+          "nixops4-nixos",
+          "nixops4",
+          "nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1734279981,
+        "narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785",
         "type": "github"
       },
       "original": {
@@ -382,6 +492,28 @@
         "type": "github"
       }
     },
+    "gitignore_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixops4-nixos",
+          "git-hooks-nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -403,39 +535,6 @@
         "type": "github"
       }
     },
-    "libgit2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1715853528,
-        "narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=",
-        "owner": "libgit2",
-        "repo": "libgit2",
-        "rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96",
-        "type": "github"
-      },
-      "original": {
-        "owner": "libgit2",
-        "ref": "v1.8.1",
-        "repo": "libgit2",
-        "type": "github"
-      }
-    },
-    "libgit2_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1724328629,
-        "narHash": "sha256-7SuD4k+ORwFPwDm5Qr5eSV6GMVWjMfFed9KYi8riUQo=",
-        "owner": "libgit2",
-        "repo": "libgit2",
-        "rev": "782e29c906f6e44b120843356f286b6a97d89f88",
-        "type": "github"
-      },
-      "original": {
-        "owner": "libgit2",
-        "repo": "libgit2",
-        "type": "github"
-      }
-    },
     "mk-naked-shell": {
       "flake": false,
       "locked": {
@@ -473,7 +572,6 @@
         "flake-compat": "flake-compat_2",
         "flake-parts": "flake-parts_3",
         "git-hooks-nix": "git-hooks-nix",
-        "libgit2": "libgit2",
         "nixpkgs": [
           "nixops4",
           "nixpkgs"
@@ -482,11 +580,11 @@
         "nixpkgs-regression": "nixpkgs-regression"
       },
       "locked": {
-        "lastModified": 1732892090,
+        "lastModified": 1736342444,
-        "narHash": "sha256-Ka/uNdaqpTAiVL++4MPHg8fG5o1tiJeY6G2t5UiKhd8=",
+        "narHash": "sha256-u6OD0BH+UxyfrWMMpBfM5cz/TDWU9lxJOujgzqBnN9A=",
         "owner": "NixOS",
         "repo": "nix",
-        "rev": "64000481168d1da9d2519f055dd1fdee22275c21",
+        "rev": "5230d3ecc4cd3a3d965902a56b5a21bcc99821c3",
         "type": "github"
       },
       "original": {
@@ -510,11 +608,11 @@
         "treefmt": "treefmt"
       },
       "locked": {
-        "lastModified": 1733033761,
+        "lastModified": 1736316962,
-        "narHash": "sha256-g7TCUozMeW3q5Uc+wmZI64yzFucQ3SYlZQepo7prarA=",
+        "narHash": "sha256-nOWLP6pSblYrCipiBb7/SQpGhNe7AHT8m9f++b8/Ni4=",
         "owner": "yusdacra",
         "repo": "nix-cargo-integration",
-        "rev": "413617712f5189397cdf602485f89bf2b0a0e4af",
+        "rev": "1ce1f666c955e73f65de74f3a8c3ca2c3e5d741b",
         "type": "github"
       },
       "original": {
@@ -530,6 +628,7 @@
         "mk-naked-shell": "mk-naked-shell_2",
         "nixpkgs": [
           "nixops4-nixos",
+          "nixops4",
           "nixpkgs"
         ],
         "parts": "parts_2",
@@ -537,11 +636,11 @@
         "treefmt": "treefmt_2"
       },
       "locked": {
-        "lastModified": 1724393640,
+        "lastModified": 1736316962,
-        "narHash": "sha256-fjwO6Pv3d35F6UErY42hc7zXJr6ek0LhSZlgEu+eI04=",
+        "narHash": "sha256-nOWLP6pSblYrCipiBb7/SQpGhNe7AHT8m9f++b8/Ni4=",
         "owner": "yusdacra",
         "repo": "nix-cargo-integration",
-        "rev": "3a8e3bb661db28522aa2d4a55f1fccf9f95ec33e",
+        "rev": "1ce1f666c955e73f65de74f3a8c3ca2c3e5d741b",
         "type": "github"
       },
       "original": {
@@ -552,29 +651,29 @@
     },
     "nix_2": {
       "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_5",
-        "flake-parts": "flake-parts_5",
+        "flake-parts": "flake-parts_6",
-        "libgit2": "libgit2_2",
+        "git-hooks-nix": "git-hooks-nix_3",
         "nixpkgs": [
           "nixops4-nixos",
+          "nixops4",
           "nixpkgs"
         ],
         "nixpkgs-23-11": "nixpkgs-23-11_2",
-        "nixpkgs-regression": "nixpkgs-regression_2",
+        "nixpkgs-regression": "nixpkgs-regression_2"
-        "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
-        "lastModified": 1719448136,
+        "lastModified": 1736342444,
-        "narHash": "sha256-ya0iofP+QysNzN7Gx7Btfe83ZW1YLpSdkccUNMnbBFQ=",
+        "narHash": "sha256-u6OD0BH+UxyfrWMMpBfM5cz/TDWU9lxJOujgzqBnN9A=",
         "owner": "NixOS",
         "repo": "nix",
-        "rev": "ed129267dcd7dd2cce48c09b17aefd6cfc488bcd",
+        "rev": "5230d3ecc4cd3a3d965902a56b5a21bcc99821c3",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
+        "ref": "master",
         "repo": "nix",
-        "rev": "ed129267dcd7dd2cce48c09b17aefd6cfc488bcd",
         "type": "github"
       }
     },
@@ -587,11 +686,11 @@
         "nixpkgs-old": "nixpkgs-old"
       },
       "locked": {
-        "lastModified": 1733171846,
+        "lastModified": 1738308843,
-        "narHash": "sha256-MmWzxuH9bwBIM7/LQsJc6x/7S2YofWWPqwzLaqqudDQ=",
+        "narHash": "sha256-I/+T3qhlcHDP628UjWqugdFKHEsjIA3blWqnoPxQTQ0=",
         "owner": "nixops4",
         "repo": "nixops4",
-        "rev": "b9dc536b7a0ea6dd947949c59c545e7fa604351a",
+        "rev": "7e83532e61aa70bccffea93d82e311e0ce07a4d1",
         "type": "github"
       },
       "original": {
@@ -603,21 +702,49 @@
     "nixops4-nixos": {
       "inputs": {
         "flake-parts": "flake-parts_4",
-        "nix": "nix_2",
+        "git-hooks-nix": "git-hooks-nix_2",
-        "nix-cargo-integration": "nix-cargo-integration_2",
+        "nixops4": "nixops4_2",
-        "nixpkgs": "nixpkgs_5"
+        "nixops4-nixos": [
+          "nixops4-nixos"
+        ],
+        "nixpkgs": [
+          "nixops4-nixos",
+          "nixops4",
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1727424043,
+        "lastModified": 1738310839,
-        "narHash": "sha256-00Tm2hCF8xBZk4HmzsaoPGtvRVamq3OujE5xWyHm8FI=",
+        "narHash": "sha256-dWTVaxENWTq6s7mO7xDxt2ml7pEHSYfHkm5h4yCQnIA=",
         "owner": "nixops4",
-        "repo": "nixops4",
+        "repo": "nixops4-nixos",
-        "rev": "924af9b0f3666f22c638c02a21bc73a2ba002674",
+        "rev": "65fe4b132fe299e03ee387d67d3fee1eb4593f4f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixops4",
+        "repo": "nixops4-nixos",
+        "type": "github"
+      }
+    },
+    "nixops4_2": {
+      "inputs": {
+        "flake-parts": "flake-parts_5",
+        "nix": "nix_2",
+        "nix-cargo-integration": "nix-cargo-integration_2",
+        "nixpkgs": "nixpkgs_6",
+        "nixpkgs-old": "nixpkgs-old_2"
+      },
+      "locked": {
+        "lastModified": 1738308843,
+        "narHash": "sha256-I/+T3qhlcHDP628UjWqugdFKHEsjIA3blWqnoPxQTQ0=",
+        "owner": "nixops4",
+        "repo": "nixops4",
+        "rev": "7e83532e61aa70bccffea93d82e311e0ce07a4d1",
         "type": "github"
       },
       "original": {
         "owner": "nixops4",
-        "ref": "eval",
         "repo": "nixops4",
         "type": "github"
       }
@@ -672,26 +799,26 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1730504152,
+        "lastModified": 1735774519,
-        "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
+        "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
       }
     },
     "nixpkgs-lib_2": {
       "locked": {
-        "lastModified": 1730504152,
+        "lastModified": 1735774519,
-        "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
+        "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
       }
     },
     "nixpkgs-lib_3": {
@@ -706,13 +833,41 @@
         "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
       }
     },
+    "nixpkgs-lib_4": {
+      "locked": {
+        "lastModified": 1735774519,
+        "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
+      }
+    },
     "nixpkgs-old": {
       "locked": {
-        "lastModified": 1733016324,
+        "lastModified": 1735563628,
-        "narHash": "sha256-8qwPSE2g1othR1u4uP86NXxm6i7E9nHPyJX3m3lx7Q4=",
+        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7e1ca67996afd8233d9033edd26e442836cc2ad6",
+        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-old_2": {
+      "locked": {
+        "lastModified": 1735563628,
+        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
         "type": "github"
       },
       "original": {
@@ -754,29 +909,13 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1730741070,
-        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1730958623,
+        "lastModified": 1737879851,
-        "narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=",
+        "narHash": "sha256-H+FXIKj//kmFHTTW4DFeOjR7F1z2/3eb2iwN6Me4YZk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "85f7e662eda4fa3a995556527c87b2524b691933",
+        "rev": "5d3221fd57cc442a1a522a15eb5f58230f45a304",
         "type": "github"
       },
       "original": {
@@ -788,11 +927,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1730958623,
+        "lastModified": 1730768919,
-        "narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=",
+        "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "85f7e662eda4fa3a995556527c87b2524b691933",
+        "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
         "type": "github"
       },
       "original": {
@@ -804,11 +943,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1732837521,
+        "lastModified": 1737469691,
-        "narHash": "sha256-jNRNr49UiuIwaarqijgdTR2qLPifxsVhlJrKzQ8XUIE=",
+        "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "970e93b9f82e2a0f3675757eb0bfc73297cc6370",
+        "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
         "type": "github"
       },
       "original": {
@@ -820,11 +959,27 @@
     },
     "nixpkgs_5": {
       "locked": {
-        "lastModified": 1724819573,
+        "lastModified": 1730768919,
-        "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=",
+        "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "71e91c409d1e654808b2621f28a327acfdad8dc2",
+        "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_6": {
+      "locked": {
+        "lastModified": 1737469691,
+        "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
         "type": "github"
       },
       "original": {
@@ -834,13 +989,13 @@
         "type": "github"
       }
     },
-    "nixpkgs_6": {
+    "nixpkgs_7": {
       "locked": {
-        "lastModified": 1734323986,
+        "lastModified": 1738163270,
-        "narHash": "sha256-m/lh6hYMIWDYHCAsn81CDAiXoT3gmxXI9J987W5tZrE=",
+        "narHash": "sha256-B/7Y1v4y+msFFBW1JAdFjNvVthvNdJKiN6EGRPnqfno=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "394571358ce82dff7411395829aa6a3aad45b907",
+        "rev": "59e618d90c065f55ae48446f307e8c09565d5ab0",
         "type": "github"
       },
       "original": {
@@ -859,11 +1014,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1730504689,
+        "lastModified": 1736143030,
-        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
         "type": "github"
       },
       "original": {
@@ -876,16 +1031,17 @@
       "inputs": {
         "nixpkgs-lib": [
           "nixops4-nixos",
+          "nixops4",
           "nix-cargo-integration",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1722555600,
+        "lastModified": 1736143030,
-        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
+        "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
+        "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
         "type": "github"
       },
       "original": {
@@ -894,41 +1050,6 @@
         "type": "github"
       }
     },
-    "pre-commit-hooks": {
-      "inputs": {
-        "flake-compat": [
-          "nixops4-nixos",
-          "nix"
-        ],
-        "gitignore": [
-          "nixops4-nixos",
-          "nix"
-        ],
-        "nixpkgs": [
-          "nixops4-nixos",
-          "nix",
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "nixops4-nixos",
-          "nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1724857454,
-        "narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=",
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "type": "github"
-      }
-    },
     "purescript-overlay": {
       "inputs": {
         "flake-compat": "flake-compat_3",
@@ -956,8 +1077,10 @@
     },
     "purescript-overlay_2": {
       "inputs": {
+        "flake-compat": "flake-compat_6",
         "nixpkgs": [
           "nixops4-nixos",
+          "nixops4",
           "nix-cargo-integration",
           "dream2nix",
           "nixpkgs"
@@ -965,11 +1088,11 @@
         "slimlock": "slimlock_2"
       },
       "locked": {
-        "lastModified": 1696022621,
+        "lastModified": 1728546539,
-        "narHash": "sha256-eMjFmsj2G1E0Q5XiibUNgFjTiSz0GxIeSSzzVdoN730=",
+        "narHash": "sha256-Sws7w0tlnjD+Bjck1nv29NjC5DbL6nH5auL9Ex9Iz2A=",
         "owner": "thomashoneyman",
         "repo": "purescript-overlay",
-        "rev": "047c7933abd6da8aa239904422e22d190ce55ead",
+        "rev": "4ad4c15d07bd899d7346b331f377606631eb0ee4",
         "type": "github"
       },
       "original": {
@@ -1020,7 +1143,7 @@
         "git-hooks": "git-hooks",
         "nixops4": "nixops4",
         "nixops4-nixos": "nixops4-nixos",
-        "nixpkgs": "nixpkgs_6"
+        "nixpkgs": "nixpkgs_7"
       }
     },
     "rust-overlay": {
@@ -1032,11 +1155,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733020719,
+        "lastModified": 1736303309,
-        "narHash": "sha256-Chv9+3zrf1DhdB9JyskjoV0vJbCQEgkVqrU3p4RPLv8=",
+        "narHash": "sha256-IKrk7RL+Q/2NC6+Ql6dwwCNZI6T6JH2grTdJaVWHF0A=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "8e18f10703112e6c33e1c0d8b93e8305f6f0a75c",
+        "rev": "a0b81d4fa349d9af1765b0f0b4a899c13776f706",
         "type": "github"
       },
       "original": {
@@ -1046,13 +1169,20 @@
       }
     },
     "rust-overlay_2": {
-      "flake": false,
+      "inputs": {
+        "nixpkgs": [
+          "nixops4-nixos",
+          "nixops4",
+          "nix-cargo-integration",
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1724379657,
+        "lastModified": 1736303309,
-        "narHash": "sha256-+CFDh1FUgyY7q0FiWhKJpHS7LlD3KbiqN5Z4Z+4bGmc=",
+        "narHash": "sha256-IKrk7RL+Q/2NC6+Ql6dwwCNZI6T6JH2grTdJaVWHF0A=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "a18034322c7703fcfe5d7352a77981ba4a936a61",
+        "rev": "a0b81d4fa349d9af1765b0f0b4a899c13776f706",
         "type": "github"
       },
       "original": {
@@ -1089,6 +1219,7 @@
       "inputs": {
         "nixpkgs": [
           "nixops4-nixos",
+          "nixops4",
           "nix-cargo-integration",
           "dream2nix",
           "purescript-overlay",
@@ -1096,11 +1227,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688610262,
+        "lastModified": 1688756706,
-        "narHash": "sha256-Wg0ViDotFWGWqKIQzyYCgayeH8s4U1OZcTiWTQYdAp4=",
+        "narHash": "sha256-xzkkMv3neJJJ89zo3o2ojp7nFeaZc2G0fYwNXNJRFlo=",
         "owner": "thomashoneyman",
         "repo": "slimlock",
-        "rev": "b5c6cdcaf636ebbebd0a1f32520929394493f1a6",
+        "rev": "cf72723f59e2340d24881fd7bf61cb113b4c407c",
         "type": "github"
       },
       "original": {
@@ -1133,11 +1264,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1732894027,
+        "lastModified": 1736154270,
-        "narHash": "sha256-2qbdorpq0TXHBWbVXaTqKoikN4bqAtAplTwGuII+oAc=",
+        "narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "6209c381904cab55796c5d7350e89681d3b2a8ef",
+        "rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
         "type": "github"
       },
       "original": {
@@ -1150,16 +1281,17 @@
       "inputs": {
         "nixpkgs": [
           "nixops4-nixos",
+          "nixops4",
           "nix-cargo-integration",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1724338379,
+        "lastModified": 1736154270,
-        "narHash": "sha256-kKJtaiU5Ou+e/0Qs7SICXF22DLx4V/WhG1P6+k4yeOE=",
+        "narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "070f834771efa715f3e74cd8ab93ecc96fabc951",
+        "rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
         "type": "github"
       },
       "original": {

flake.nix

@@ -8,7 +8,7 @@
     disko.url = "github:nix-community/disko";
 
     nixops4.url = "github:nixops4/nixops4";
-    nixops4-nixos.url = "github:nixops4/nixops4/eval";
+    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
   };
 
   outputs =
@@ -23,13 +23,11 @@
 
       imports = [
         inputs.git-hooks.flakeModule
-        inputs.nixops4-nixos.modules.flake.default
+        inputs.nixops4.modules.flake.default
 
         ./deployment/flake-part.nix
         ./infra/flake-part.nix
-        ./keys/flake-part.nix
         ./services/flake-part.nix
-        ./secrets/flake-part.nix
       ];
 
       perSystem =
@@ -53,6 +51,7 @@
                 "keys"
                 "secrets"
                 "services"
+                "panel"
               ];
               files = "^((" + concatStringsSep "|" optin + ")/.*\\.nix|[^/]*\\.nix)$";
             in

infra/README.org

@@ -1,26 +1,49 @@
 #+title: Infra
 
 This directory contains the definition of the VMs that host our infrastructure.
+
+* NixOps4
+
 Their configuration can be updated via NixOps4. Run
 
 #+begin_src sh
 nixops4 deployments list
 #+end_src
 
-to see the available deployments. Given a deployment (eg. ~git~), run
+to see the available deployments. This should be done from the root of the
+repository, otherwise NixOps4 will fail with something like:
+
+#+begin_src
+nixops4 error: evaluation: error:
+       … while calling the 'getFlake' builtin
+
+       error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist, evaluation: error:
+       … while calling the 'getFlake' builtin
+
+       error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist
+#+end_src
+
+Then, given a deployment (eg. ~git~), run
 
 #+begin_src sh
 nixops4 apply <deployment>
 #+end_src
 
+Alternatively, to run the ~default~ deployment, run
+
+#+begin_src sh
+nixops4 apply
+#+end_src
+
 * Deployments
 
+- default :: Contains everything
 - ~git~ :: Machines hosting our Git infrastructure, eg. Forgejo and its actions
   runners
 - ~web~ :: Machines hosting our online content, eg. the website or the wiki
 - ~other~ :: Machines without a specific purpose
 
-* Procolix machines
+* Machines
 
 These machines are hosted on the Procolix Proxmox instance, to which
 non-Procolix members of the project do not have access. They host our stable

infra/common/nixos/networking.nix

@@ -1,18 +1,10 @@
 { config, lib, ... }:
 
 let
-  inherit (lib) mkOption mkDefault;
+  inherit (lib) mkDefault;
 
 in
 {
-  options = {
-    procolix.vm = {
-      name = mkOption { };
-      ip4 = mkOption { };
-      ip6 = mkOption { };
-    };
-  };
-
   config = {
     services.openssh = {
       enable = true;
@@ -20,8 +12,8 @@ in
     };
 
     networking = {
-      hostName = config.procolix.vm.name;
+      hostName = config.procolixVm.name;
-      domain = "procolix.com";
+      domain = config.procolixVm.domain;
 
       ## REVIEW: Do we actually need that, considering that we have static IPs?
       useDHCP = mkDefault true;
@@ -31,16 +23,14 @@ in
           ipv4 = {
             addresses = [
               {
-                address = config.procolix.vm.ip4;
+                inherit (config.procolixVm.ipv4) address prefixLength;
-                prefixLength = 24;
               }
             ];
           };
           ipv6 = {
             addresses = [
               {
-                address = config.procolix.vm.ip6;
+                inherit (config.procolixVm.ipv6) address prefixLength;
-                prefixLength = 64;
               }
             ];
           };
@@ -48,11 +38,11 @@ in
       };
 
       defaultGateway = {
-        address = "185.206.232.1";
+        address = config.procolixVm.ipv4.gateway;
         interface = "eth0";
       };
       defaultGateway6 = {
-        address = "2a00:51c0:12:1201::1";
+        address = config.procolixVm.ipv6.gateway;
         interface = "eth0";
       };
 

infra/common/options.nix

@@ -0,0 +1,81 @@
+{ lib, ... }:
+
+let
+  inherit (lib) mkOption;
+
+in
+{
+  options.procolixVm = {
+    name = mkOption {
+      description = ''
+        The name of the machine. Most of the time, this will look like `vm02XXX`
+        or `fediYYY`.
+      '';
+    };
+
+    domain = mkOption {
+      description = ''
+        The domain hosting the machine. Most of the time, this will be either of
+        `procolix.com`, `fediversity.eu` or `abundos.eu`.
+      '';
+      default = "procolix.com";
+    };
+
+    ipv4 = {
+      address = mkOption {
+        description = ''
+          The IP address of the machine, version 4. It will be injected as a
+          value in `networking.interfaces.eth0`, but it will also be used to
+          communicate with the machine via NixOps4.
+        '';
+      };
+
+      prefixLength = mkOption {
+        description = ''
+          The subnet mask of the interface, specified as the number of bits in
+          the prefix.
+        '';
+        default = 24;
+      };
+
+      gateway = mkOption {
+        description = ''
+          The IP address of the default gateway.
+        '';
+        default = "185.206.232.1"; # FIXME: compute default from `address` and `prefixLength`.
+      };
+    };
+
+    ipv6 = {
+      address = mkOption {
+        description = ''
+          The IP address of the machine, version 6. It will be injected as a
+          value in `networking.interfaces.eth0`, but it will also be used to
+          communicate with the machine via NixOps4.
+        '';
+      };
+
+      prefixLength = mkOption {
+        description = ''
+          The subnet mask of the interface, specified as the number of bits in
+          the prefix.
+        '';
+        default = 64;
+      };
+
+      gateway = mkOption {
+        description = ''
+          The IP address of the default gateway.
+        '';
+        default = "2a00:51c0:12:1201::1"; # FIXME: compute default from `address` and `prefixLength`.
+      };
+    };
+
+    hostPublicKey = mkOption {
+      description = ''
+        The host public key of the machine. It is used to filter Age secrets and
+        only keep the relevant ones, and to feed to NixOps4.
+      '';
+    };
+  };
+}

infra/common/resource.nix

@@ -0,0 +1,57 @@
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
+
+let
+  inherit (lib) attrValues elem;
+  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
+  inherit (lib.strings) removeSuffix;
+
+  secretsPrefix = ../../secrets;
+  secrets = import (secretsPrefix + "/secrets.nix");
+  keys = import ../../keys;
+  hostPublicKey = keys.systems.${config.procolixVm.name};
+
+in
+{
+  imports = [ ./options.nix ];
+
+  ssh = {
+    host = config.procolixVm.ipv4.address;
+    hostPublicKey = hostPublicKey;
+  };
+
+  nixpkgs = inputs.nixpkgs;
+
+  ## The configuration of the machine. We strive to keep in this file only the
+  ## options that really need to be injected from the resource. Everything else
+  ## should go into the `./nixos` subdirectory.
+  nixos.module = {
+    imports = [
+      inputs.agenix.nixosModules.default
+      ./options.nix
+      ./nixos
+    ];
+
+    ## Inject the shared options from the resource's `config` into the NixOS
+    ## configuration.
+    procolixVm = config.procolixVm;
+
+    ## Read all the secrets, filter the ones that are supposed to be readable
+    ## with this host's public key, and add them correctly to the configuration
+    ## as `age.secrets.<name>.file`.
+    age.secrets = concatMapAttrs (
+      name: secret:
+      optionalAttrs (elem hostPublicKey secret.publicKeys) ({
+        ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+      })
+    ) secrets;
+
+    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
+    ## supports users with password-less sudo.
+    users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+  };
+}

infra/fedi300/default.nix

@@ -1,33 +1,34 @@
-{ lib, ... }:
-
 {
-  imports = [
+  procolixVm = {
-    ./forgejo-actions-runner.nix
+    domain = "fediversity.eu";
-  ];
 
-  procolix.vm = {
+    ipv4 = {
-    name = "fedi300";
+      address = "95.215.187.30";
-    ip4 = "95.215.187.30";
+      gateway = "95.215.187.1";
-    ip6 = "2a00:51c0:12:1305::30";
+    };
+    ipv6 = {
+      address = "2a00:51c0:12:1305::30";
+      gateway = "2a00:51c0:13:1305::1";
+    };
   };
 
-  ## FIXME: We should just have an option under `procolix.vm` to distinguish
+  nixos.module = {
-  ## between Procolix VMs and Fediversity ones.
+    imports = [
-  networking.domain = lib.mkForce "fediversity.eu";
+      ./forgejo-actions-runner.nix
-  networking.defaultGateway.address = lib.mkForce "95.215.187.1";
-  networking.defaultGateway6.address = lib.mkForce "2a00:51c0:13:1305::1";
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/cbcfaf6b-39bd-4328-9f53-dea8a9d32ecc";
-    fsType = "ext4";
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/1A4E-07F4";
-    fsType = "vfat";
-    options = [
-      "fmask=0022"
-      "dmask=0022"
     ];
+
+    fileSystems."/" = {
+      device = "/dev/disk/by-uuid/cbcfaf6b-39bd-4328-9f53-dea8a9d32ecc";
+      fsType = "ext4";
+    };
+
+    fileSystems."/boot" = {
+      device = "/dev/disk/by-uuid/1A4E-07F4";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
   };
 }

infra/flake-part.nix

@@ -1,60 +1,37 @@
 {
-  self,
   inputs,
   lib,
   ...
 }:
 
 let
-  inherit (lib) attrValues mapAttrs;
+  inherit (lib) attrValues concatLists mapAttrs;
   inherit (lib.attrsets) genAttrs;
 
-  makeResource =
+  addDefaultDeployment =
-    vmid:
+    deployments: deployments // { default = concatLists (attrValues deployments); };
-    { providers, ... }:
-    let
-      vmmodule = import (./. + "/${vmid}");
-    in
-    {
-      type = providers.local.exec;
-      imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
-      ssh = {
-        # FIXME: The following assumes that `vmmodule` does not use arguments
-        # and does not get `proxolix.vm.ip4` from an import, etc. I have tried
-        # an approach with `lib.evalModules` but I cannot get it to work.
-        host = vmmodule.procolix.vm.ip4;
-        opts = "";
-        hostPublicKey = self.keys.systems.${vmid};
-      };
-      nixpkgs = inputs.nixpkgs;
-      nixos.module = {
-        imports = [
-          vmmodule
-          ./common
-          self.nixosModules.ageSecrets
-          {
-            fediversity.hostPublicKey = self.keys.systems.${vmid};
-
-            ## FIXME: Remove direct root authentication once the NixOps4 NixOS
-            ## provider supports users with password-less sudo.
-            users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors;
-          }
-        ];
-      };
-    };
 
   makeDeployments = mapAttrs (
-    _: vmids:
+    _: vmNames:
     { providers, ... }:
     {
-      providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local;
+      providers.local = inputs.nixops4.modules.nixops4Provider.local;
-      resources = genAttrs vmids (vmid: makeResource vmid { inherit providers; });
+      resources = genAttrs vmNames (vmName: {
+        _module.args = { inherit inputs; };
+        type = providers.local.exec;
+        imports = [
+          inputs.nixops4-nixos.modules.nixops4Resource.nixos
+          ./common/resource.nix
+          (./. + "/${vmName}")
+        ];
+        procolixVm.name = vmName;
+      });
     }
   );
 
 in
 {
-  nixops4Deployments = makeDeployments {
+  nixops4Deployments = makeDeployments (addDefaultDeployment {
     git = [
       "vm02116"
       "fedi300"
@@ -64,5 +41,5 @@ in
       "vm02179"
       "vm02186"
     ];
-  };
+  });
 }

infra/vm02116/default.nix

@@ -1,27 +1,28 @@
 {
-  imports = [
+  procolixVm = {
-    ./forgejo.nix
+    ipv4.address = "185.206.232.34";
-  ];
+    ipv6.address = "2a00:51c0:12:1201::20";
-
-  procolix.vm = {
-    name = "vm02116";
-    ip4 = "185.206.232.34";
-    ip6 = "2a00:51c0:12:1201::20";
   };
 
-  ## vm02116 is running on old hardware based on a Xen VM environment, so it
+  nixos.module = {
-  ## needs these extra options. Once the VM gets moved to a newer node, these
+    imports = [
-  ## two options can safely be removed.
+      ./forgejo.nix
-  boot.initrd.availableKernelModules = [ "xen_blkfront" ];
+    ];
-  services.xe-guest-utilities.enable = true;
 
-  fileSystems."/" = {
+    ## vm02116 is running on old hardware based on a Xen VM environment, so it
-    device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853";
+    ## needs these extra options. Once the VM gets moved to a newer node, these
-    fsType = "ext4";
+    ## two options can safely be removed.
-  };
+    boot.initrd.availableKernelModules = [ "xen_blkfront" ];
+    services.xe-guest-utilities.enable = true;
 
-  fileSystems."/boot" = {
+    fileSystems."/" = {
-    device = "/dev/disk/by-uuid/2CE2-1173";
+      device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853";
-    fsType = "vfat";
+      fsType = "ext4";
+    };
+
+    fileSystems."/boot" = {
+      device = "/dev/disk/by-uuid/2CE2-1173";
+      fsType = "vfat";
+    };
   };
 }

infra/vm02179/configuration.nix

@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    cowsay
-  ];
-}

infra/vm02179/default.nix

@@ -1,23 +1,22 @@
 {
-  imports = [ ./configuration.nix ];
+  procolixVm = {
-
+    ipv4.address = "185.206.232.179";
-  procolix.vm = {
+    ipv6.address = "2a00:51c0:12:1201::179";
-    name = "vm02179";
-    ip4 = "185.206.232.179";
-    ip6 = "2a00:51c0:12:1201::179";
   };
 
-  fileSystems."/" = {
+  nixos.module = {
-    device = "/dev/disk/by-uuid/119863f8-55cf-4e2f-ac17-27599a63f241";
+    fileSystems."/" = {
-    fsType = "ext4";
+      device = "/dev/disk/by-uuid/119863f8-55cf-4e2f-ac17-27599a63f241";
-  };
+      fsType = "ext4";
+    };
 
-  fileSystems."/boot" = {
+    fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/D9F4-9BF0";
+      device = "/dev/disk/by-uuid/D9F4-9BF0";
-    fsType = "vfat";
+      fsType = "vfat";
-    options = [
+      options = [
-      "fmask=0022"
+        "fmask=0022"
-      "dmask=0022"
+        "dmask=0022"
-    ];
+      ];
+    };
   };
 }

infra/vm02186/default.nix

@@ -1,21 +1,22 @@
 {
-  procolix.vm = {
+  procolixVm = {
-    name = "vm02186";
+    ipv4.address = "185.206.232.186";
-    ip4 = "185.206.232.186";
+    ipv6.address = "2a00:51c0:12:1201::186";
-    ip6 = "2a00:51c0:12:1201::186";
   };
 
-  fileSystems."/" = {
+  nixos.module = {
-    device = "/dev/disk/by-uuid/833ac0f9-ad8c-45ae-a9bf-5844e378c44a";
+    fileSystems."/" = {
-    fsType = "ext4";
+      device = "/dev/disk/by-uuid/833ac0f9-ad8c-45ae-a9bf-5844e378c44a";
-  };
+      fsType = "ext4";
+    };
 
-  fileSystems."/boot" = {
+    fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/B4D5-3AF9";
+      device = "/dev/disk/by-uuid/B4D5-3AF9";
-    fsType = "vfat";
+      fsType = "vfat";
-    options = [
+      options = [
-      "fmask=0022"
+        "fmask=0022"
-      "dmask=0022"
+        "dmask=0022"
-    ];
+      ];
+    };
   };
 }

infra/vm02187/default.nix

@@ -1,25 +1,26 @@
 {
-  imports = [
+  procolixVm = {
-    ./wiki.nix
+    ipv4.address = "185.206.232.187";
-  ];
+    ipv6.address = "2a00:51c0:12:1201::187";
-
-  procolix.vm = {
-    name = "vm02187";
-    ip4 = "185.206.232.187";
-    ip6 = "2a00:51c0:12:1201::187";
   };
 
-  fileSystems."/" = {
+  nixos.module = {
-    device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49";
+    imports = [
-    fsType = "ext4";
+      ./wiki.nix
-  };
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/6AB5-4FA8";
-    fsType = "vfat";
-    options = [
-      "fmask=0022"
-      "dmask=0022"
     ];
+
+    fileSystems."/" = {
+      device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49";
+      fsType = "ext4";
+    };
+
+    fileSystems."/boot" = {
+      device = "/dev/disk/by-uuid/6AB5-4FA8";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
   };
 }

keys/README.md

@@ -0,0 +1,32 @@
+# Keys
+
+This directory contains the SSH public keys of both contributors to the projects
+and systems that we administrate. Keys are used both for [secrets](../secrets)
+decryption and [infra](../infra) management.
+
+Which private keys can be used to decrypt secrets is defined in
+[`secrets.nix`](../secrets/secrets.nix) as _all the contributors_ as well as the
+specific systems that need access to the secret in question. Adding a
+contributor of system's key to a secret requires rekeying the secret, which can
+only be done by some key that had already access to it. (Alternatively, one can
+overwrite a secret without knowing its contents.)
+
+In infra management, the systems' keys are used for security reasons; they
+identify the machine that we are talking to. The contributor keys are used to
+give access to the `root` user on these machines, which allows, among other
+things, to deploy their configurations with NixOps4.
+
+## Adding a contributor
+
+Adding a contributor consists of three steps:
+
+1. The contributor in question adds a file with their key to the
+   `./contributors` directory, and opens a pull request with it.
+
+2. An already-existing contributor uses their keys to [re-key the secrets](../secrets#adding-a-contributor), taking that new key into
+   account.
+
+3. An already-existing contributor redeploys the [infrastructure](../infra) to take into
+   account the new access.
+
+4. The pull request is accepted and merged.

keys/contributors/kiara

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHTIqF4CAylSxKPiSo5JOPuocn0y2z38wOSsQ1MUaZ2 kiara@procolix.eu

keys/flake-part.nix

@@ -1,3 +0,0 @@
-{
-  flake.keys = import ./.;
-}

panel/.envrc

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+
+# shellcheck shell=bash
+if type -P lorri &>/dev/null; then
+  eval "$(lorri direnv)"
+else
+  echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
+  use_nix
+fi

panel/.gitignore

@@ -0,0 +1,13 @@
+# Nix
+.direnv
+result*
+
+# Python
+*.pyc
+__pycache__
+
+# Django, application-specific
+db.sqlite3
+src/db.sqlite3
+src/static
+.credentials

panel/README.md

@@ -0,0 +1,46 @@
+# Fediversity Panel
+
+The Fediversity Panel is a web service for managing Fediversity deployments with a graphical user interface, written in Django.
+
+## Development
+
+- To obtain all tools related to this project, enter the development environment with `nix-shell`.
+
+  If you want to do that automatically on entering this directory:
+
+  - [Set up `direnv`](https://github.com/nix-community/nix-direnv#installation)
+  - Run `direnv allow` in the directory where repository is stored on your machine
+
+    > **Note**
+    >
+    > This is a security boundary, and allows automatically running code from this repository on your machine.
+
+- Run NixOS integration tests and Django unit tests:
+
+  ```bash
+  nix-build -A tests
+  ```
+
+- List all available Django management commands with:
+
+  ```shell-session
+  manage
+  ```
+
+- Run the server locally
+
+  ```shell-session
+  manage runserver
+  ```
+
+- Whenever you add a field in the database schema, run:
+
+  ```console
+  manage makemigrations
+  ```
+
+  Then before starting the server again, run:
+
+  ```
+  manage migrate
+  ```

panel/default.nix

@@ -0,0 +1,53 @@
+{
+  system ? builtins.currentSystem,
+  sources ? import ../npins,
+  pkgs ? import sources.nixpkgs {
+    inherit system;
+    config = { };
+    overlays = [ ];
+  },
+}:
+let
+  package =
+    let
+      callPackage = pkgs.lib.callPackageWith (pkgs // pkgs.python3.pkgs);
+    in
+    callPackage ./nix/package.nix { };
+
+  pkgs' = pkgs.extend (_final: _prev: { panel = package; });
+
+  manage = pkgs.writeScriptBin "manage" ''
+    exec ${pkgs.lib.getExe pkgs.python3} ${toString ./src/manage.py} $@
+  '';
+in
+{
+  shell = pkgs.mkShellNoCC {
+    inputsFrom = [ package ];
+    packages = [
+      pkgs.npins
+      manage
+    ];
+    env = {
+      NPINS_DIRECTORY = toString ../npins;
+    };
+    shellHook = ''
+      # in production, secrets are passed via CREDENTIALS_DIRECTORY by systemd.
+      # use this directory for testing with local secrets
+      mkdir -p .credentials
+      echo secret > ${builtins.toString ./.credentials}/SECRET_KEY
+      export CREDENTIALS_DIRECTORY=${builtins.toString ./.credentials}
+      export DATABASE_URL="sqlite:///${toString ./src}/db.sqlite3"
+    '';
+  };
+
+  tests = pkgs'.callPackage ./nix/tests.nix { };
+  inherit package;
+
+  # re-export inputs so they can be overridden granularly
+  # (they can't be accessed from the outside any other way)
+  inherit
+    sources
+    system
+    pkgs
+    ;
+}

panel/nix/configuration.nix

@@ -0,0 +1,199 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib)
+    concatStringsSep
+    mapAttrsToList
+    mkDefault
+    mkEnableOption
+    mkIf
+    mkOption
+    mkPackageOption
+    optionalString
+    types
+    ;
+  inherit (pkgs) writeShellApplication;
+
+  # TODO: configure the name globally for everywhere it's used
+  name = "panel";
+
+  cfg = config.services.${name};
+
+  database-url = "sqlite:////var/lib/${name}/db.sqlite3";
+
+  python-environment = pkgs.python3.withPackages (
+    ps: with ps; [
+      cfg.package
+      uvicorn
+    ]
+  );
+
+  configFile = pkgs.concatText "configuration.py" [
+    ((pkgs.formats.pythonVars { }).generate "settings.py" cfg.settings)
+    (builtins.toFile "extra-settings.py" cfg.extra-settings)
+  ];
+
+  manage-service = writeShellApplication {
+    name = "manage";
+    text = ''exec ${cfg.package}/bin/manage.py "$@"'';
+  };
+
+  manage-admin = writeShellApplication {
+    # This allows running the `manage` command in the system environment, e.g. to initialise an admin user
+    # Executing
+    name = "manage";
+    text =
+      ''
+        systemd-run --pty \
+          --same-dir \
+          --wait \
+          --collect \
+          --service-type=exec \
+          --unit "manage-${name}.service" \
+          --property "User=${name}" \
+          --property "Group=${name}" \
+          --property "Environment=DATABASE_URL=${database-url} USER_SETTINGS_FILE=${configFile}" \
+      ''
+      + optionalString (credentials != [ ]) (
+        (concatStringsSep " \\\n" (map (cred: "--property 'LoadCredential=${cred}'") credentials)) + " \\\n"
+      )
+      + ''
+        ${lib.getExe manage-service} "$@"
+      '';
+  };
+
+  credentials = mapAttrsToList (name: secretPath: "${name}:${secretPath}") cfg.secrets;
+in
+# TODO: for a more clever and generic way of running Django services:
+#       https://git.dgnum.eu/mdebray/djangonix/
+#       unlicensed at the time of writing, but surely worth taking some inspiration from...
+{
+  options.services.${name} = {
+    enable = mkEnableOption "Service configuration for `${name}`";
+    # NOTE: this requires that the package is present in `pkgs`
+    package = mkPackageOption pkgs name { };
+    production = mkOption {
+      type = types.bool;
+      default = true;
+    };
+    restart = mkOption {
+      description = "systemd restart behavior";
+      type = types.enum [
+        "no"
+        "on-success"
+        "on-failure"
+        "on-abnormal"
+        "on-abort"
+        "always"
+      ];
+      default = "always";
+    };
+    domain = mkOption { type = types.str; };
+    host = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+    };
+    port = mkOption {
+      type = types.port;
+      default = 8000;
+    };
+    settings = mkOption {
+      type = types.attrsOf types.anything;
+      default = {
+        STATIC_ROOT = mkDefault "/var/lib/${name}/static";
+        DEBUG = mkDefault false;
+        ALLOWED_HOSTS = mkDefault [
+          cfg.domain
+          cfg.host
+          "localhost"
+          "[::1]"
+        ];
+        CSRF_TRUSTED_ORIGINS = mkDefault [ "https://${cfg.domain}" ];
+        COMPRESS_OFFLINE = true;
+        LIBSASS_OUTPUT_STYLE = "compressed";
+      };
+      description = ''
+        Django configuration as an attribute set.
+        Name-value pairs will be converted to Python variable assignments.
+      '';
+    };
+    extra-settings = mkOption {
+      type = types.lines;
+      default = "";
+      description = ''
+        Django configuration written in Python verbatim.
+        Contents will be appended to the definitions in `settings`.
+      '';
+    };
+    secrets = mkOption {
+      type = types.attrsOf types.path;
+      default = { };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ manage-admin ];
+
+    services = {
+      nginx.enable = true;
+      nginx.virtualHosts = {
+        ${cfg.domain} =
+          {
+            locations = {
+              "/".proxyPass = "http://localhost:${toString cfg.port}";
+              "/static/".alias = "/var/lib/${name}/static/";
+            };
+          }
+          // lib.optionalAttrs cfg.production {
+            enableACME = true;
+            forceSSL = true;
+          };
+      };
+    };
+
+    users.users.${name} = {
+      isSystemUser = true;
+      group = name;
+    };
+
+    users.groups.${name} = { };
+    systemd.services.${name} = {
+      description = "${name} ASGI server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [
+        python-environment
+        manage-service
+      ];
+      preStart = ''
+        # Auto-migrate on first run or if the package has changed
+        versionFile="/var/lib/${name}/package-version"
+        if [[ $(cat "$versionFile" 2>/dev/null) != ${cfg.package} ]]; then
+          manage migrate --no-input
+          manage collectstatic --no-input --clear
+          manage compress --force
+          echo ${cfg.package} > "$versionFile"
+        fi
+      '';
+      script = ''
+        uvicorn ${name}.asgi:application --host ${cfg.host} --port ${toString cfg.port}
+      '';
+      serviceConfig = {
+        Restart = "always";
+        User = name;
+        WorkingDirectory = "/var/lib/${name}";
+        StateDirectory = name;
+        RuntimeDirectory = name;
+        LogsDirectory = name;
+      } // lib.optionalAttrs (credentials != [ ]) { LoadCredential = credentials; };
+      environment = {
+        USER_SETTINGS_FILE = "${configFile}";
+        DATABASE_URL = database-url;
+      };
+    };
+  };
+}

panel/nix/package.nix

@@ -0,0 +1,57 @@
+{
+  lib,
+  buildPythonPackage,
+  setuptools,
+  django_4,
+  django-compressor,
+  django-libsass,
+  dj-database-url,
+}:
+let
+  src =
+    with lib.fileset;
+    toSource {
+      root = ../src;
+      fileset = intersection (gitTracked ../../.) ../src;
+    };
+  pyproject = with lib; fromTOML pyproject-toml;
+  # TODO: define this globally
+  name = "panel";
+  # TODO: we may want this in a file so it's easier to read statically
+  version = "0.0.0";
+  pyproject-toml = ''
+    [project]
+    name = "Fediversity-Panel"
+    version = "${version}"
+
+    [tool.setuptools]
+    packages = [ "${name}" ]
+    include-package-data = true
+  '';
+in
+buildPythonPackage {
+  pname = name;
+  inherit (pyproject.project) version;
+  pyproject = true;
+  inherit src;
+
+  preBuild = ''
+    echo "recursive-include ${name} *" > MANIFEST.in
+    cp ${builtins.toFile "source" pyproject-toml} pyproject.toml
+  '';
+
+  propagatedBuildInputs = [
+    setuptools
+    django_4
+    django-compressor
+    django-libsass
+    dj-database-url
+  ];
+
+  postInstall = ''
+    mkdir -p $out/bin
+    cp -v ${src}/manage.py $out/bin/manage.py
+    chmod +x $out/bin/manage.py
+    wrapProgram $out/bin/manage.py --prefix PYTHONPATH : "$PYTHONPATH"
+  '';
+}

panel/nix/tests.nix

@@ -0,0 +1,62 @@
+{ lib, pkgs }:
+let
+  # TODO: specify project/service name globally
+  name = "panel";
+  defaults = {
+    services.${name} = {
+      enable = true;
+      production = false;
+      restart = "no";
+      domain = "example.com";
+      secrets = {
+        SECRET_KEY = pkgs.writeText "SECRET_KEY" "secret";
+      };
+    };
+
+    virtualisation = {
+      memorySize = 2048;
+      cores = 2;
+    };
+  };
+in
+lib.mapAttrs (name: test: pkgs.testers.runNixOSTest (test // { inherit name; })) {
+  application-tests = {
+    inherit defaults;
+    nodes.server = _: { imports = [ ./configuration.nix ]; };
+    # run all application-level tests managed by Django
+    # https://docs.djangoproject.com/en/5.0/topics/testing/overview/
+    testScript = ''
+      server.succeed("manage test")
+    '';
+  };
+  admin = {
+    inherit defaults;
+    nodes.server = _: { imports = [ ./configuration.nix ]; };
+    # check that the admin interface is served
+    testScript = ''
+      server.wait_for_unit("multi-user.target")
+      server.wait_for_unit("${name}.service")
+      server.wait_for_open_port(8000)
+      server.succeed("curl --fail -L -H 'Host: example.org' http://localhost/admin")
+    '';
+  };
+
+  sass-processing = {
+    inherit defaults;
+    nodes.server = _: { imports = [ ./configuration.nix ]; };
+    extraPythonPackages = ps: with ps; [ beautifulsoup4 ];
+    skipTypeCheck = true;
+    # check that stylesheets are pre-processed and served
+    testScript = ''
+      from bs4 import BeautifulSoup
+      server.wait_for_unit("multi-user.target")
+      server.wait_for_unit("${name}.service")
+      server.wait_for_open_port(8000)
+      stdout = server.succeed("curl --fail -H 'Host: example.org' http://localhost")
+      # the CSS is auto-generated with a hash in the file name
+      html = BeautifulSoup(stdout, 'html.parser')
+      css = html.find('link', type="text/css")['href']
+      server.succeed(f"curl --fail -H 'Host: example.org' http://localhost/{css}")
+    '';
+  };
+}

panel/shell.nix

@@ -0,0 +1 @@
+(import ./. { }).shell

panel/src/manage.py

@@ -0,0 +1,22 @@
+#!/nix/store/px2nj16i5gc3d4mnw5l1nclfdxhry61p-python3-3.12.7/bin/python
+"""Django's command-line utility for administrative tasks."""
+import os
+import sys
+
+
+def main():
+    """Run administrative tasks."""
+    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'panel.settings')
+    try:
+        from django.core.management import execute_from_command_line
+    except ImportError as exc:
+        raise ImportError(
+            "Couldn't import Django. Are you sure it's installed and "
+            "available on your PYTHONPATH environment variable? Did you "
+            "forget to activate a virtual environment?"
+        ) from exc
+    execute_from_command_line(sys.argv)
+
+
+if __name__ == '__main__':
+    main()

panel/src/panel/asgi.py

@@ -0,0 +1,16 @@
+"""
+ASGI config for panel project.
+
+It exposes the ASGI callable as a module-level variable named ``application``.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/4.2/howto/deployment/asgi/
+"""
+
+import os
+
+from django.core.asgi import get_asgi_application
+
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'panel.settings')
+
+application = get_asgi_application()

panel/src/panel/settings.py

@@ -0,0 +1,171 @@
+"""
+Django settings for panel project.
+
+Generated by 'django-admin startproject' using Django 4.2.16.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/4.2/topics/settings/
+
+For the full list of settings and their values, see
+https://docs.djangoproject.com/en/4.2/ref/settings/
+"""
+
+import sys
+import os
+import importlib.util
+import dj_database_url
+
+from os import environ as env
+from pathlib import Path
+
+# Build paths inside the project like this: BASE_DIR / 'subdir'.
+BASE_DIR = Path(__file__).resolve().parent.parent
+
+
+# Quick-start development settings - unsuitable for production
+# See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/
+
+def get_secret(name: str, encoding: str = "utf-8") -> str:
+    credentials_dir = env.get("CREDENTIALS_DIRECTORY")
+
+    if credentials_dir is None:
+        raise RuntimeError("No credentials directory available.")
+
+    try:
+        with open(f"{credentials_dir}/{name}", encoding=encoding) as f:
+            secret = f.read().removesuffix("\n")
+    except FileNotFoundError:
+        raise RuntimeError(f"No secret named {name} found in {credentials_dir}.")
+
+    return secret
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = get_secret("SECRET_KEY")
+
+# SECURITY WARNING: don't run with debug turned on in production!
+DEBUG = True
+
+ALLOWED_HOSTS = []
+
+
+# Application definition
+
+INSTALLED_APPS = [
+    "panel",
+    'django.contrib.admin',
+    'django.contrib.auth',
+    'django.contrib.contenttypes',
+    'django.contrib.sessions',
+    'django.contrib.messages',
+    'django.contrib.staticfiles',
+    'compressor',
+]
+
+MIDDLEWARE = [
+    'django.middleware.security.SecurityMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+]
+
+ROOT_URLCONF = 'panel.urls'
+
+TEMPLATES = [
+    {
+        'BACKEND': 'django.template.backends.django.DjangoTemplates',
+        'DIRS': [],
+        'APP_DIRS': True,
+        'OPTIONS': {
+            'context_processors': [
+                'django.template.context_processors.debug',
+                'django.template.context_processors.request',
+                'django.contrib.auth.context_processors.auth',
+                'django.contrib.messages.context_processors.messages',
+            ],
+        },
+    },
+]
+
+WSGI_APPLICATION = 'panel.wsgi.application'
+
+
+# Database
+# https://docs.djangoproject.com/en/4.2/ref/settings/#databases
+# https://github.com/jazzband/dj-database-url
+
+DATABASES = {
+    'default': dj_database_url.config(),
+}
+
+
+# Password validation
+# https://docs.djangoproject.com/en/4.2/ref/settings/#auth-password-validators
+
+AUTH_PASSWORD_VALIDATORS = [
+    {
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+    },
+]
+
+
+# Internationalization
+# https://docs.djangoproject.com/en/4.2/topics/i18n/
+
+LANGUAGE_CODE = 'en-us'
+
+TIME_ZONE = 'UTC'
+
+USE_I18N = True
+
+USE_TZ = True
+
+
+# Static files (CSS, JavaScript, Images)
+# https://docs.djangoproject.com/en/4.2/howto/static-files/
+
+STATIC_URL = 'static/'
+
+STATIC_ROOT = os.path.join(BASE_DIR, "static/")
+
+STATICFILES_FINDERS = [
+    "django.contrib.staticfiles.finders.FileSystemFinder",
+    "django.contrib.staticfiles.finders.AppDirectoriesFinder",
+    "compressor.finders.CompressorFinder",
+]
+
+STATICFILES_STORAGE = 'django.contrib.staticfiles.storage.ManifestStaticFilesStorage'
+
+COMPRESS_PRECOMPILERS = [
+    ("text/x-sass", "django_libsass.SassCompiler"),
+]
+
+# Default primary key field type
+# https://docs.djangoproject.com/en/4.2/ref/settings/#default-auto-field
+
+DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
+
+# Customization via user settings
+# This must be at the end, as it must be able to override the above
+# TODO: we may want to do this with a flat environment instead, and get all values from `os.environ.get()`.
+#       this would make it more obvious which moving parts there are, if that environment is specified for development/staging/production in a visible place.
+user_settings_file = env.get("USER_SETTINGS_FILE", None)
+if user_settings_file is not None:
+    spec = importlib.util.spec_from_file_location("user_settings", user_settings_file)
+    if spec is None or spec.loader is None:
+        raise RuntimeError("User settings specification failed!")
+    module = importlib.util.module_from_spec(spec)
+    spec.loader.exec_module(module)
+    sys.modules["user_settings"] = module
+    from user_settings import *  # noqa: F403 # pyright: ignore [reportMissingImports]

panel/src/panel/static/style.sass

@@ -0,0 +1,5 @@
+body
+  padding: 0
+  margin: 0
+  font-family: sans-serif
+  box-sizing: border-box

panel/src/panel/templates/base.html

@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <title>{% block title %}Fediversity Panel{% endblock %}</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+
+    {% load compress %}
+    {% compress css %}
+    <link rel="stylesheet" type="text/x-sass" href="/static/style.sass" />
+    {% endcompress %}
+
+    {% block extra_head %}{% endblock extra_head %}
+  </head>
+
+  <body>
+    {% block navigation %}
+    <nav>
+    </nav>
+    {% endblock navigation %}
+
+    {% block layout %}
+    <article>
+      {% block content %}{% endblock content %}
+    </article>
+    {% endblock layout %}
+  </body>
+</html>

panel/src/panel/templates/index.html

@@ -0,0 +1,7 @@
+{% extends "base.html" %}
+
+{% block content %}
+<h1>Fediversity Panel</h1>
+
+<p>Hello world!</p>
+{% endblock %}

panel/src/panel/urls.py

@@ -0,0 +1,24 @@
+"""
+URL configuration for panel project.
+
+The `urlpatterns` list routes URLs to views. For more information please see:
+    https://docs.djangoproject.com/en/4.2/topics/http/urls/
+Examples:
+Function views
+    1. Add an import:  from my_app import views
+    2. Add a URL to urlpatterns:  path('', views.home, name='home')
+Class-based views
+    1. Add an import:  from other_app.views import Home
+    2. Add a URL to urlpatterns:  path('', Home.as_view(), name='home')
+Including another URLconf
+    1. Import the include() function: from django.urls import include, path
+    2. Add a URL to urlpatterns:  path('blog/', include('blog.urls'))
+"""
+from django.contrib import admin
+from django.urls import path
+from panel import views
+
+urlpatterns = [
+    path('admin/', admin.site.urls),
+    path('', views.Index.as_view(), name='index'),
+]

panel/src/panel/views.py

@@ -0,0 +1,4 @@
+from django.views.generic import TemplateView
+
+class Index(TemplateView):
+    template_name = 'index.html'

panel/src/panel/wsgi.py

@@ -0,0 +1,16 @@
+"""
+WSGI config for panel project.
+
+It exposes the WSGI callable as a module-level variable named ``application``.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/4.2/howto/deployment/wsgi/
+"""
+
+import os
+
+from django.core.wsgi import get_wsgi_application
+
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'panel.settings')
+
+application = get_wsgi_application()

secrets/README.md

@@ -49,3 +49,8 @@ As an example, let us add a secret in a file “cheeses” whose content should
    service that you are using must be able to read from a file at runtime, and
    if the NixOS default module options do not provide that, you must find a way
    around it.
+
+### Adding a contributor
+
+Rekeying can be done by running `agenix --rekey` (or `-r` for
+short) in the current directory. This requires access to the secrets using [contributor keys](../keys).

secrets/flake-part.nix

@@ -1,39 +0,0 @@
-{
-  inputs,
-  lib,
-  ...
-}:
-
-let
-  inherit (builtins) elem;
-  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
-  inherit (lib.strings) removeSuffix;
-
-  secrets = import ./secrets.nix;
-in
-{
-  flake = {
-    inherit secrets;
-
-    nixosModules.ageSecrets = (
-      { config, ... }:
-      {
-        imports = [ inputs.agenix.nixosModules.default ];
-
-        options.fediversity.hostPublicKey = lib.mkOption {
-          description = ''
-            The host public key of the machine. It is used in particular
-            to filter Age secrets and only keep the relevant ones.
-          '';
-        };
-
-        config.age.secrets = concatMapAttrs (
-          name: secret:
-          optionalAttrs (elem config.fediversity.hostPublicKey secret.publicKeys) ({
-            ${removeSuffix ".age" name}.file = ./. + "/${name}";
-          })
-        ) secrets;
-      }
-    );
-  };
-}

secrets/forgejo-database-password.age

@@ -1,9 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 ofQnlg wo0Yxrm+saKiGo4Woo8A+I6fXyLV0OfguJsrRPCc7Ds
+-> ssh-ed25519 ofQnlg G6Wg5L2ohyZZ9NnCAQ03ycAbP7HBa6/wGjNCsNF8nR0
-tHJU5jzLj8qFrYzPOdECBC7ugbryxWvF2Lp4lPN7Tyw
+OCh5tR7JSEZUAd4oDqNlKUznNus/EZrLTjzCNpFfSTM
--> ssh-ed25519 1MUEqQ jYC4xvbi/9g9yUppVgCcBP6X3WiaqUpBxvmGqezntkk
+-> ssh-ed25519 COspvA Qbs9EvqDbPzMB3ciM9e37gXaCp2OAQ/rG6LzMhdBkwE
-jCZxTWxN35Tcc8HLmlWyL+7V48fXBriD+yF35kIMTlk
+/eBnkgGBhuweXzd2aw1XXoaHc8JbXLrqMqcY8CAqDr4
--> ssh-ed25519 Fa25Dw O7SPXB23UF0uYlkgDNWP9rUHVJAA8RwFqhyPU38Nk1s
+-> ssh-ed25519 1MUEqQ jacwM4dAbNezkeMY9FzmGlXtTneLoMUFJtfm6dyNsVA
-BRemDl0+rszCOQw4G1GYVpxbhb0gMq5pxyguKjncXCk
+AodDTXYSkPoxS807xw+l0WbO9dMau9xp2Y9h0Ir6o8s
---- n4IPbDBJwmEGQTlsYxRQSI+9Db14zAd3ji2X248XbsI
+-> ssh-ed25519 Fa25Dw quSJ54tQOBBNtnkc/4dxH1z7SfIfJsr+9iORnT4XXmg
-¬¡\ÛµûðÓZ³ù:”ÑûY8`§Àõ5Ö¿ó`¬¦ÉÍ•=䨄A—Ê
+q//oLKS+eRHwraOEDayxrnLmUJ1Zfahr/ZXvuqYvtzc
+--- NLwY5C6WKTUSVYbmeSUJE1SiM19/rDb3pqMrVUx/l0c
+ÒtÍ
+÷ZÉÇ:¸+pâa£œ¯l¹¿½ò1z 
+ë-y)nZ5û·•Ãhì

secrets/forgejo-email-password.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 ofQnlg prrfNlkyvRBGfJuBx54mKbwAfHL8t6Y+uLmt3jGEvHs
+-> ssh-ed25519 ofQnlg dmH3/gWbrhiYDSEzfEvwto/7ULietn9DHs7bqNRLuDE
-Sg8zLilpIGA4nq2bQToGgYeGP2sLCeqzKuGF2YzuXdM
+na8BTt4OCwwwJb/NNkUU1NWZKzsMyW84REcaz0bEX7c
--> ssh-ed25519 1MUEqQ daSO/J5Bw59xVlAYcsyIixqsZIolBIUAca9MmhXZoCI
+-> ssh-ed25519 COspvA bk/ixd0gon+sxmhW+OBGY9sRaCVOZ267TELGFkkuUxs
-vjzpcxlKWk3VG2N6MayegZ8sF/2SmJVGBSSef8zAtR8
+Y+XnlUVETv4fqA5uGd3VaHIs4mAJQQw+xmGweWPOP70
--> ssh-ed25519 Fa25Dw GsQSZx3mY6RBdZBzYZnn+s4og7/HgXPDAamNh80VNxQ
+-> ssh-ed25519 1MUEqQ /mf6QgPlFqYGdQJHJbe2TEIusTxw0ftsemWst07nW3I
-1jh4jyVVunbrUfwGduwz7drINatxYG8VWXC1nG2WnG4
+SLzAtO31Evm/mOheVhMmV6QKoaNG0KYnIUaeThrp3CU
---- KMa4vGnd/X4pkboVfhkCeheagMC/T7e1RlqeF/tCheE
+-> ssh-ed25519 Fa25Dw HzNVxKLwujLVxs37JczAImZwE3CsSVbBbN7yCvvvQQU
-ï»c×àuH¬>¾h5žM!ÑßfK«„‚xr»u*@Ä–&ûÙÄ<>O©
˜‘s4™å\w
+yHh5wFtGdHgCZsuY70VVCeW+q3Tj3pJKclkVFXKZiPU
+--- bi4B3ePG1HS3N5Y3civ4tvTZTk5dERKu4+LJwsN7Los
+ƒ%ŠåÚ;"Úq1v}Öþ¾ü:iÑê]â™ØjA0
.Ó
eåÇ°q÷À9¢®<7F>

secrets/forgejo-runner-token.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 ofQnlg zcQ+yhPezo8dh1pwIadOcRCQGFb8B0tHp2zBH/cFpi0
+-> ssh-ed25519 ofQnlg 42Tz44DFTDA7OdAqynPLKsAYJctXivj3wWkkIwYTInM
-xGlfqN9MQQYn6u8hWtTgVO0ObGoXVybnRMUf5y/DdjQ
+pQ5rW2TH4IK/kjcLNOmkLgKMAuD/yzw9nOZn2NZNOv8
--> ssh-ed25519 1MUEqQ bn5IoZMZzs6FFeHu1c3deHnWEXUmkbcGBu+i5gsyKTE
+-> ssh-ed25519 COspvA iYtbO/GMmP2g+82xxPrvDsye2p+FpqGpG1a+Fr1jql0
-FeK8Cd/vbZpe2inZDFNofdcFxbMcs/wntxjwcu0+tE0
+LYTL9v1c5UcikMIN2ivCLzzAtlKaY7z3PVJW/8OxrLM
--> ssh-ed25519 rJoYaw DCOdl91tl1Y+5LXTaiaHYY+VJsRoGYnId0MElsn4uGA
+-> ssh-ed25519 1MUEqQ 2JWKsR0gWXjustfZtj5Zg6aEflw+tMJ+Ii0k1FtdKVQ
-4SDCll3OAeqTtMo5uCK7njUiybqUPv+Lk9qqsgWOV6Q
+lo534OLXItxUMRN/hZ351PLTYVYC9KjXJ8WrlqP4XVM
---- Y79OpvgT6uv5Eg1SJqtz0k0FduXuJf5wbTdeDXEvMWs
+-> ssh-ed25519 rJoYaw ePSTkrq9Nxk9kzAZR0O6P2KU8WZ40+/X7gI587WqRhk
-4k²†n¸WO¡ñ%{QXgNÅ«P™ªIüsÄÌ<wJ<77>*Ž£únåCužCÂW'ܼ¡¥¯íãLÞ	—ɨ¦suàõ³¶É¹Žyð/
+pQC9YAZdnKIyZ6ueN9iM+iAL9fkt0Dzo9WGfhTRABG4
+--- CWPCtLLBJ+OYjuocYoSgOd0r7/nUIewTeMWbQx8MHXQ
+>";ýùc¹LSm’{Òžô/ðšHÂ*"¾ß´.rÍ<72>bVo+WZO^§–~òÀÉ‹”w]1h=™¡­ªHÚ­·Sî‘tˆÐš,Erg¢—›n

secrets/wiki-basicauth-htpasswd.age

@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 ofQnlg hHpU+STQq9dp0WbcT9xvNV1Ev2ePnTafL+n5meqsrCI
+-> ssh-ed25519 ofQnlg /QZHjQ6K2LrdYy62eg8gnAdavrzDccR/iLlGr5wSrBo
-azxpqTlOHwAyys2vggKZMwoW0p7KvyHWEmpT2JT31aI
+15uXcdLt4TjPvYFCKmTnQ/iiNtB7NhEYo4dfIRSe7o0
--> ssh-ed25519 1MUEqQ eP4gkEEbnb/uAJF7AfOMYsNriR5xWNIHhB7Qz6y77VY
+-> ssh-ed25519 COspvA BAd2Tm1HCkBEMnUsTK/yShK/yWeKjGvXnQ0kq3/ockc
-6OF56XdugUnuLeyuaRbadHfQZx3YqMV51lkbUmkHeCA
+PSMOXVdrJ+2wm7Yu/aY1drR1q9mN/bRkJVVy32Or1Jg
--> ssh-ed25519 dgBsjw YVBXOkkr5Mcjk4wVEJi0/20vmcT5baDp8NpfMxlgFFo
+-> ssh-ed25519 1MUEqQ wN0GUypdmU8+tM3nrNlr5ljtLKR3Li/vGsFIPa9hznA
-+LZp7R7zKaM/G9pOsy14Es+DRold2mDekOw4NodOgnA
+TBV3WXW7FesaYHzI7oe8j1uUAq7VwK0QabL3pnwwUFM
---- +ihHVdjEVvkoiH7dLKkZ5y1fmUs5CNsjxFvSUb3Z0gM
+-> ssh-ed25519 dgBsjw /fT6/NmACig4Rv9QPttrTn5p/ptifT5WeJ3+DyxRHUk
-`f'Ó\ö=›Tpp/jˆ‹ÁéñZV¢âÀ~Ó½#‘ŸÕ=!÷O·*ø¦Û5(f²¹.þª<C3BE>
d‡Ú¹’Æ´ÿ¤N=oPòyó·.f­x•ÌÚŒ–í'%ÿû¶÷r~“.@ÀŒ
+oUGvejnhu+c6+ta30APDvXHH2+XrZpqk2SmwTf3StvA
+--- UBiWukQgMUU3OG2VTcM32qlf90kE4ipqBaucGUZSZiw
+“ŽæX¿èÇI¢®ÅLØÄêg~kCz^	T}<7D>VV¸À°>Eí‚#UÒ¿B
*ÆÜC¸Dà“òÝ´kQÛú×^%EøÍäLláËTÛnñ²zÌhìn¾FJÑ鉊ˆq

secrets/wiki-password.age

@@ -1,10 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 ofQnlg q8Y0C7n4sd7hdZLl1YWBezW60syE8QpEqWIZP0Qv7FA
+-> ssh-ed25519 ofQnlg fc4Kx1F73+x5k20ZAr+nwJ2//MKSbW0XrPwidaw3O34
-fwKB4/lrbx+M9lluVNQAJcC2ZHHkNPkeJD9OI/GgceI
+/sVyDyaHqBqWgB4aEBYCB9n0cVzEWUTdgqKvM4aAzJ8
--> ssh-ed25519 1MUEqQ U1zOZ6q9M4XzMdioD0RdwZ9K6czaaK4+LR7uTnBSmH0
+-> ssh-ed25519 COspvA pfbE6BX+5WeYtuCfL1kRdnD3tVOV33fEJR4G0EndGBA
-HKypw83VUR9wSJA2BfO7XR10vQnOZkttaL86DcOwwrg
+ssywMgaFasyglxpIMjn9xxQViV5srAz8qS7t3aIJjnM
--> ssh-ed25519 dgBsjw 8mrgKvzJOWKYfmF/L4m9R6hKuL49HO8kKPvz8YJsjyc
+-> ssh-ed25519 1MUEqQ sqw/QOSTfTBzC2YOEDLzkB51VnGPZcz9JX5JYZ+/hjg
-dRcj6g247Oh3dmEnNtN7Rjx2qbbcxT+nWtEu5Rmnkj8
+p2pa5eakbFbNDhOfDZaXvb69ACh/F/2lFDTUQc4WlZ4
---- HzehAstQl9boOJdx1IDvzUw0xXzFFbPlORmxMtHSd9Y
+-> ssh-ed25519 dgBsjw QaKOQLbsEpD71x7Hk3ZoZV3/xgxv4+jG1wWiKmrhOik
-ÔÏd„ÃH<C383>™¦¨
+wyJP3apJB9jBcAOMK0D72lD7FqCkBEuwX0UyCvqOUJc
-f½¸»ÕCè½IM¾Å<C2BE>£ýU;’R™/D¼-ݯŠs~Ë"ßTŒõ&䌺Û]á
+--- J/CTHVy20+V7iS/R0LeeUNzIxE6dU3lnVWAFHyEjbE8
+^TG™ÃÔUë•9óÁ)	]6èn<C3A8>…<CíýÐ|ñ¥€If…Ä1ò³*9ä&MJS–=
	TÔÆXéKol{I

website/default.nix

@@ -1,4 +1,4 @@
-{ sources ? import ./npins
+{ sources ? import ../npins
 , system ? builtins.currentSystem
 , pkgs ? import sources.nixpkgs {
     inherit system;
@@ -65,12 +65,12 @@ rec {
   tests = with pkgs; with lib;
     let
       source = fileset.toSource {
-        root = ./.;
+        root = ../.;
         fileset = fileset.unions [
           ./default.nix
           ./tests.nix
           ./lib.nix
-          ./npins
+          ../npins
         ];
       };
     in
@@ -86,7 +86,7 @@ rec {
         # adding it verbatim will result in <hash'>-<hash>-source, so rename it first
         cp -r ${sources.nixpkgs} source
         nix-store --add --store "$HOME" source
-        ${getExe nix-unit} --gc-roots-dir "$HOME" --store "$HOME" ${source}/tests.nix "$@"
+        ${getExe nix-unit} --gc-roots-dir "$HOME" --store "$HOME" ${source}/website/tests.nix "$@"
         touch $out
       '';
 }