From 1b66028f32638169d5192add24649cf7cdd60be3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Wed, 30 Jul 2025 12:31:03 +0200 Subject: [PATCH] Fix infra and add more tests (#478) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains a bunch of small fixes having to do with infra code. The goal is not to fix everything as that would require a full rewrite. Instead, we fix just what is necessary to get some testing going on. Once that is available, we will be able to work on a full refactor with more guarantees. Something of note is that most of the difficulty was to find code that would make both `nixops4 apply` _and_ `nix build .#nixosConfigurations.` happy. The takeaway is that the tests that we are adding now will not catch a whole class of tests having to do with how NixOps4 wires up the resources. Still, this is probably less significant as we are supposed to use NixOps4 every now and then. The commits should be read separately. Reviewed-on: https://git.fediversity.eu/Fediversity/Fediversity/pulls/478 Reviewed-by: kiara Grouwstra Co-authored-by: Nicolas “Niols” Jeannerod Co-committed-by: Nicolas “Niols” Jeannerod --- .forgejo/workflows/ci.yaml | 19 +++++++ infra/common/proxmox-qemu-vm.nix | 12 +++-- infra/common/resource.nix | 3 -- infra/flake-part.nix | 79 ++++++++++++------------------ machines/dev/fedi200/default.nix | 6 --- machines/dev/fedi201/default.nix | 1 - machines/dev/fedi201/fedipanel.nix | 2 - machines/dev/vm02116/default.nix | 1 - machines/dev/vm02187/default.nix | 1 - 9 files changed, 59 insertions(+), 65 deletions(-) diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml index 7bc68bf5..3f553ef1 100644 --- a/.forgejo/workflows/ci.yaml +++ b/.forgejo/workflows/ci.yaml 
@@ -56,3 +56,22 @@ jobs: steps: - uses: actions/checkout@v4 - run: nix build .#checks.x86_64-linux.deployment-panel -L + + ## NOTE: NixOps4 does not provide a good “dry run” mode, so we instead check + ## proxies for resources, namely whether their `.#vmOptions.` and + ## `.#nixosConfigurations.` outputs evaluate and build correctly, and + ## whether we can dry run `infra/proxmox-*.sh` on them. This will not catch + ## everything, and in particular not issues in how NixOps4 wires up the + ## resources, but that is still something. + check-resources: + runs-on: native + steps: + - uses: actions/checkout@v4 + - run: | + set -euC + machines=$(nix eval --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).nixosConfigurations)') + for machine in $machines; do + echo ==================== [ $machine ] ==================== + nix eval .#vmOptions.$machine + nix build .#nixosConfigurations.$machine.config.system.build.toplevel + done diff --git a/infra/common/proxmox-qemu-vm.nix b/infra/common/proxmox-qemu-vm.nix index 9176d0eb..6b4970b3 100644 --- a/infra/common/proxmox-qemu-vm.nix +++ b/infra/common/proxmox-qemu-vm.nix @@ -1,10 +1,14 @@ -{ sources, ... }: +{ ... }: + { _class = "nixos"; - imports = [ - "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix" - ]; + ## FIXME: It would be nice, but the following leads to infinite recursion + ## in the way we currently plug `sources` in. + ## + # imports = [ + # "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix" + # ]; boot = { initrd = { diff --git a/infra/common/resource.nix b/infra/common/resource.nix index 26b57c29..d50103da 100644 --- a/infra/common/resource.nix +++ b/infra/common/resource.nix @@ -2,7 +2,6 @@ inputs, lib, config, - sources, keys, secrets, ... @@ -33,8 +32,6 @@ in ## should go into the `./nixos` subdirectory. nixos.module = { imports = [ - "${sources.agenix}/modules/age.nix" - "${sources.disko}/module.nix" ./options.nix ./nixos ]; 
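Review bot: The NOTE above `check-resources` says the job also checks whether `infra/proxmox-*.sh` can be dry-run on each machine, but the `run:` step only calls `nix eval .#vmOptions.$machine` and `nix build .#nixosConfigurations.$machine.config.system.build.toplevel`, so the comment promises coverage the job does not give. Either add that dry-run step or trim the comment to what is exercised, e.g. `## proxies for resources, namely whether their vmOptions and nixosConfigurations outputs evaluate and build correctly.` An empty `nixosConfigurations` would also let the loop run zero times and the job pass without checking anything; a guard such as `[ -n "$machines" ] || exit 1` after the assignment avoids that. The listing can be done without `--impure` by evaluating the flake output directly, `nix eval --raw .#nixosConfigurations --apply 'cfgs: toString (builtins.attrNames cfgs)'`, and `"$machine"` should be quoted where it is passed to `nix eval` and `nix build`.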
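Review bot: With the `qemu-guest.nix` import commented out in `infra/common/proxmox-qemu-vm.nix`, this module no longer pulls in the guest profile itself and silently depends on its importer to do so; from the rest of the patch that appears to be `makeResourceModule` in `infra/flake-part.nix`. The FIXME explains why the import was removed but not where it went, so a reader of this file alone cannot tell whether the profile is still applied. I would replace the commented-out block with a pointer such as `## Until then, qemu-guest.nix is imported next to this module in infra/flake-part.nix.` The module body continues outside the hunk.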
diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 41a8d72d..cad2b1b3 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -23,19 +23,30 @@ let makeResourceModule = { vmName, isTestVm }: { - nixos.module.imports = [ - ./common/proxmox-qemu-vm.nix - ]; - - nixos.specialArgs = { + # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally + _module.args = { inherit - sources inputs keys secrets + sources ; }; + nixos.module.imports = [ + ## FIXME: It would be preferrable to have those `sources`-related + ## imports in the modules that use them. However, doing so triggers + ## infinite recursions because of the way we propagate `sources`. + ## `sources` must be propagated by means of `specialArgs`, but this + ## requires a bigger change. + "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix" + "${sources.agenix}/modules/age.nix" + "${sources.disko}/module.nix" + "${sources.home-manager}/nixos" + + ./common/proxmox-qemu-vm.nix + ]; + imports = [ ./common/resource.nix 
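Review bot: `"${sources.home-manager}/nixos"` is now in the `nixos.module.imports` list that `makeResourceModule` applies to every resource, whereas the line removed from `machines/dev/fedi201/fedipanel.nix` scoped it to the panel host. agenix and disko were already imported for all machines through `infra/common/resource.nix`, so home-manager is the only module whose reach widens here, and every VM now evaluates a module it presumably does not configure. If that is purely a workaround for the `sources` recursion, the FIXME should say so, e.g. `## home-manager is only used by machines/dev/fedi201/fedipanel.nix; it is imported here solely because of the recursion issue.` The TODO above `_module.args` would also read better if it named what is considered terrible (presumably passing `sources` through `_module.args` instead of `specialArgs`). The body of `makeResourceModule` continues outside the hunk.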
@@ -65,39 +76,17 @@ let vmNames: { providers, ... }: { - # XXX: this type merge is for adding `specialArgs` to resource modules - options.resources = mkOption { - type = - with lib.types; - lazyAttrsOf (submoduleWith { - class = "nixops4Resource"; - modules = [ ]; - # TODO(@fricklerhandwerk): we may want to pass through all of `specialArgs` - # once we're sure it's sane. leaving it here for better control during refactoring. - specialArgs = { - inherit - sources - inputs - keys - secrets - - ; - }; - }); - }; - config = { - providers.local = inputs.nixops4.modules.nixops4Provider.local; - resources = genAttrs vmNames (vmName: { - type = providers.local.exec; - imports = [ - inputs.nixops4-nixos.modules.nixops4Resource.nixos - (makeResourceModule { - inherit vmName; - isTestVm = false; - }) - ]; - }); - }; + providers.local = inputs.nixops4.modules.nixops4Provider.local; + resources = genAttrs vmNames (vmName: { + type = providers.local.exec; + imports = [ + inputs.nixops4-nixos.modules.nixops4Resource.nixos + (makeResourceModule { + inherit vmName; + isTestVm = false; + }) + ]; + }); }; makeDeployment' = vmName: makeDeployment [ vmName ]; @@ -139,7 +128,7 @@ let ## this is only needed to expose NixOS configurations for provisioning ## purposes, and eventually all of this should be handled by NixOps4. options = { - nixos.module = mkOption { }; # NOTE: not just `nixos` otherwise merging will go wrong + nixos.module = mkOption { type = lib.types.deferredModule; }; # NOTE: not just `nixos` otherwise merging will go wrong nixpkgs = mkOption { }; ssh = mkOption { }; }; 
@@ -157,13 +146,9 @@ let ## Given a VM name, make a NixOS configuration for this machine. makeConfiguration = isTestVm: vmName: - let - inherit (sources) nixpkgs; - in - import "${nixpkgs}/nixos" { - modules = [ - (makeResourceConfig { inherit vmName isTestVm; }).nixos.module - ]; + import "${sources.nixpkgs}/nixos" { + configuration = (makeResourceConfig { inherit vmName isTestVm; }).nixos.module; + system = "x86_64-linux"; }; makeVmOptions = isTestVm: vmName: { diff --git a/machines/dev/fedi200/default.nix b/machines/dev/fedi200/default.nix index c92c8d52..23ba6de8 100644 --- a/machines/dev/fedi200/default.nix +++ b/machines/dev/fedi200/default.nix @@ -16,10 +16,4 @@ gateway = "2a00:51c0:13:1305::1"; }; }; - - nixos.module = { - imports = [ - ../../../infra/common/proxmox-qemu-vm.nix - ]; - }; } diff --git a/machines/dev/fedi201/default.nix b/machines/dev/fedi201/default.nix index 00717597..bb5058b8 100644 --- a/machines/dev/fedi201/default.nix +++ b/machines/dev/fedi201/default.nix @@ -19,7 +19,6 @@ nixos.module = { imports = [ - ../../../infra/common/proxmox-qemu-vm.nix ./fedipanel.nix ]; }; diff --git a/machines/dev/fedi201/fedipanel.nix b/machines/dev/fedi201/fedipanel.nix index 96a826cf..494212de 100644 --- a/machines/dev/fedi201/fedipanel.nix +++ b/machines/dev/fedi201/fedipanel.nix @@ -1,6 +1,5 @@ { config, - sources, ... }: let @@ -11,7 +10,6 @@ in imports = [ (import ../../../panel { }).module - "${sources.home-manager}/nixos" ]; security.acme = { diff --git a/machines/dev/vm02116/default.nix b/machines/dev/vm02116/default.nix index 77253a7c..e9338028 100644 --- a/machines/dev/vm02116/default.nix +++ b/machines/dev/vm02116/default.nix @@ -14,7 +14,6 @@ { lib, ... }: { imports = [ - ../../../infra/common/proxmox-qemu-vm.nix ./forgejo.nix ]; diff --git a/machines/dev/vm02187/default.nix b/machines/dev/vm02187/default.nix index ab3e5d12..2f91d753 100644 --- a/machines/dev/vm02187/default.nix +++ b/machines/dev/vm02187/default.nix 
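Review bot: `system = "x86_64-linux"` is hard-coded in `makeConfiguration` without a comment, so every machine is built for that platform regardless of what its own configuration declares. As far as I know `nixos/default.nix` otherwise falls back to `builtins.currentSystem`, which is not available under pure flake evaluation, so the explicit value is likely needed; a one-line comment would keep it from looking arbitrary, e.g. `## nixos/default.nix defaults to builtins.currentSystem, which pure evaluation forbids; all our VMs are x86_64-linux.` The enclosing `let` block starts and ends outside the hunk.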
@@ -14,7 +14,6 @@ { lib, ... }: { imports = [ - ../../../infra/common/proxmox-qemu-vm.nix ./wiki.nix ];