nixos-anywhere -> terraform-nixos

intended to swap out nixos-anywhere for terraform-nixos, over:

- don't need nixos-anywhere to install nixos; we preload nixos to VMs
- [awkward non-flake
usage](https://nix-community.github.io/nixos-anywhere/howtos/use-without-flakes.html#3-set-nixos-version-to-use)
-  seemed not to pick up on config changes, as observed by test VMs
losing their panel keys after TF sync

however, it seems that terraform-nixos has its own flaws:

- its output using a random id, i.e. forcing to push even on no changes
- so far did not get ssh authentication to work

launch/README.md

@@ -5,9 +5,9 @@
 ### updating TF modules
 
 ```sh
-$ npins update nixos-anywhere
+$ npins update terraform-nixos
 $ cd launch/
-$ echo "{\"nixos-anywhere\": $(nix-instantiate --eval --json -E '(import ../npins).nixos-anywhere.outPath')}" > .auto.tfvars.json
+$ echo "{\"terraform-nixos\": $(nix-instantiate --eval --json -E '(import ../npins).terraform-nixos.outPath')}" > .auto.tfvars.json
 ```
 
 ### local development

launch/default.nix

@@ -16,7 +16,7 @@ in
   shell = pkgs.mkShellNoCC {
     packages = [
       pkgs.npins
-      pkgs.jq # implicit dep of nixos-anywhere TF: https://github.com/nix-community/nixos-anywhere/issues/416
+      pkgs.gnugrep # used in terraform-nixos
       (import ./tf.nix { inherit lib pkgs; })
     ];
   };

launch/main.tf

@@ -1,4 +1,4 @@
-variable "nixos-anywhere" {
+variable "terraform-nixos" {
   type = string
 }
 
@@ -58,7 +58,7 @@ variable "initialUser" {
 #   hostname = "test01"
 #   config = "garage"
 #   initialUser = var.initialUser
-#   nixos-anywhere = var.nixos-anywhere
+#   terraform-nixos = var.terraform-nixos
 # }
 
 module "mastodon" {
@@ -68,7 +68,7 @@ module "mastodon" {
   hostname = "test06"
   config = "mastodon"
   initialUser = var.initialUser
-  nixos-anywhere = var.nixos-anywhere
+  terraform-nixos = var.terraform-nixos
 }
 
 module "pixelfed" {
@@ -78,7 +78,7 @@ module "pixelfed" {
   hostname = "test04"
   config = "pixelfed"
   initialUser = var.initialUser
-  nixos-anywhere = var.nixos-anywhere
+  terraform-nixos = var.terraform-nixos
 }
 
 module "peertube" {
@@ -88,5 +88,5 @@ module "peertube" {
   hostname = "test03"
   config = "peertube"
   initialUser = var.initialUser
-  nixos-anywhere = var.nixos-anywhere
+  terraform-nixos = var.terraform-nixos
 }

launch/mastodon.nix

@@ -1,3 +1,4 @@
+{ pkgs, ... }:
 let
   mastodonS3KeyConfig =
     { pkgs, ... }:
@@ -6,15 +7,14 @@ let
       s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
     };
 in
-import ./shared.nix {
-  module =
-    { pkgs, ... }:
 {
+  imports = [
+    ./shared.nix
+  ];
   fediversity = {
     mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
       enable = true;
     };
     temp.cores = 1; # FIXME: should come from NixOps4 eventually
   };
-    };
 }

launch/peertube.nix

@@ -1,3 +1,4 @@
+{ pkgs, ... }:
 let
   peertubeS3KeyConfig =
     { pkgs, ... }:
@@ -6,10 +7,10 @@ let
       s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
     };
 in
-import ./shared.nix {
-  module =
-    { pkgs, ... }:
 {
+  imports = [
+    ./shared.nix
+  ];
   fediversity = {
     peertube = peertubeS3KeyConfig { inherit pkgs; } // {
       enable = true;
@@ -19,5 +20,4 @@ import ./shared.nix {
       secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
     };
   };
-    };
 }

launch/pixelfed.nix

@@ -1,3 +1,4 @@
+{ pkgs, ... }:
 let
   pixelfedS3KeyConfig =
     { pkgs, ... }:
@@ -6,14 +7,13 @@ let
       s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
     };
 in
-import ./shared.nix {
-  module =
-    { pkgs, ... }:
 {
+  imports = [
+    ./shared.nix
+  ];
   fediversity = {
     pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
       enable = true;
     };
   };
-    };
 }

launch/shared.nix

@@ -1,25 +1,7 @@
 {
-  system ? "x86_64-linux",
-  sources ? import ../npins,
-  pkgs ? import sources.nixpkgs {
-    inherit system;
-    config = { };
-    overlays = [ (import ../panel/nix/overlay.nix) ];
-  },
-  module,
-  ...
-}:
-import "${sources.nixpkgs}/nixos/lib/eval-config.nix" {
-  modules = [
-    "${sources.disko}/module.nix"
-    "${sources.agenix}/modules/age.nix"
-    ../services/fediversity
-    ./resource.nix
-    # FIXME: get VM details from TF
-    module
-    (
-      {
+  pkgs,
   terraform,
+  sources,
   ...
 }:
 let
@@ -27,6 +9,11 @@ import "${sources.nixpkgs}/nixos/lib/eval-config.nix" {
 in
 {
   imports = [
+    "${sources.disko}/module.nix"
+    "${sources.agenix}/modules/age.nix"
+    ../services/fediversity
+    ./resource.nix
+    # FIXME: get VM details from TF
     ../infra/test-machines/${hostname}
   ];
   fediversityVm.name = hostname;
@@ -40,6 +27,3 @@ import "${sources.nixpkgs}/nixos/lib/eval-config.nix" {
     };
   };
 }
-    )
-  ];
-}

launch/tf-env.nix

@@ -14,10 +14,10 @@ pkgs.stdenv.mkDerivation {
     runHook preBuild
     pushd launch/
 
-    # pass nixos-anywhere path to TF through variable
+    # pass terraform-nixos path to TF through variable
     # when switching TF to nix take this directly from `inputs`
     # https://codeberg.org/kiara/e2ed-hetzner/commit/84b2a349d3e48ea2a17340bceff762d834fd4046
-    echo "{\"nixos-anywhere\": \"${sources.nixos-anywhere}\"}" > .auto.tfvars.json
+    echo "{\"terraform-nixos\": \"${sources.terraform-nixos}\"}" > .auto.tfvars.json
 
     # point to the relevant providers
     tofu init -input=false

launch/vm/main.tf

@@ -1,4 +1,8 @@
-variable "nixos-anywhere" {
+variable "terraform-nixos" {
+  type = string
+}
+
+variable "config" {
   type = string
 }
 
@@ -10,10 +14,6 @@ variable "hostname" {
   type = string
 }
 
-variable "config" {
-  type = string
-}
-
 variable "initialUser" {
   type = object({
     displayName = string
@@ -24,28 +24,32 @@ variable "initialUser" {
 }
 
 module "deploy" {
-  # source = "github.com/nix-community/nixos-anywhere//terraform/all-in-one"
-  source = "${var.nixos-anywhere}//terraform/all-in-one"
-  file                   = "${path.module}/../${var.config}.nix"
-  nixos_system_attr      = "config.system.build.toplevel"
-  nixos_partitioner_attr = "config.system.build.diskoScript"
-  # when instance id changes, it will trigger a reinstall
-  instance_id = var.hostname
-  target_user = "root"
+  source = "${var.terraform-nixos}//deploy_nixos"
   target_host = "${var.hostname}.abundos.eu"
-  extra_files_script = "${path.module}/../pass-ssh-key.sh"
-  extra_environment = {
-    host = var.hostname
-  }
-  special_args = {
-    terraform = {
+  target_user= "root" # FIXME: #24
+  target_system = "x86_64-linux"
+  NIX_PATH = "nixpkgs=${data.external.pins.result["nixpkgs"]}:sources=${path.root}/../npins"
+  nixos_config = "${path.root}/${var.config}.nix"
+  extra_eval_args = [
+    "--arg",
+    "specialArgs",
+    <<-EOT
+      {
+        sources = import <sources>;
+        terraform = builtins.fromJSON ''${jsonencode({
           domain = var.domain
           hostname = var.hostname
           initialUser = var.initialUser
+        })}'';
       }
+    EOT
+  ]
+  # build_on_target = false
+  # triggers = {
+  #   # pins = data.external.pins.result
+  # }
 }
-  nix_options = {
-    show-trace = true
-  }
-  # build_on_remote = true
+
+data "external" "pins" {
+  program = ["nix", "eval", "--json", "-f", "${path.root}/../npins/default.nix"]
 }

npins/sources.json

@@ -66,23 +66,23 @@
       "url": "https://github.com/nix-community/nix-unit/archive/2071bbb765681ac3d8194ec560c8b27ff2a3b541.tar.gz",
       "hash": "0blz1kcmn9vnr9q3iqp2mv13hv3pdccljmmc54f8j7ybf5v0wgmp"
     },
-    "nixos-anywhere": {
-      "type": "Git",
-      "repository": {
-        "type": "GitHub",
-        "owner": "KiaraGrouwstra",
-        "repo": "nixos-anywhere"
-      },
-      "branch": "special-args-nested-flake-fixed",
-      "revision": "5aa35145f045eb23fa8773821d5626bcf54dbe0e",
-      "url": "https://github.com/KiaraGrouwstra/nixos-anywhere/archive/5aa35145f045eb23fa8773821d5626bcf54dbe0e.tar.gz",
-      "hash": "0m67iyd04wl183il1cfi623xpxcvbbpc5x1gh74478qc3fgr0g54"
-    },
     "nixpkgs": {
       "type": "Channel",
       "name": "nixpkgs-unstable",
       "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre777917.b7ba7f9f45c5/nixexprs.tar.xz",
       "hash": "0jb6b7sv66bn06pchj2l88z0i5dlz0c2vb3z6pjjlq2p8q11zigg"
+    },
+    "terraform-nixos": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "KiaraGrouwstra",
+        "repo": "terraform-nixos"
+      },
+      "branch": "special-args",
+      "revision": "e3e120e80dbbb53b4bfda4380d02e74eef4b5ffd",
+      "url": "https://github.com/KiaraGrouwstra/terraform-nixos/archive/e3e120e80dbbb53b4bfda4380d02e74eef4b5ffd.tar.gz",
+      "hash": "03z8xxsbkv2mwfkd8w6dj3jlckrsgbi5wpp680dlyrzlw78zvf8b"
     }
   },
   "version": 3

panel/env.nix

@@ -10,7 +10,7 @@
     pkgs.coreutils
     pkgs.openssh
     pkgs.git
-    pkgs.jq # implicit dep of nixos-anywhere TF: https://github.com/nix-community/nixos-anywhere/issues/416
+    pkgs.gnugrep # used in terraform-nixos
     (import ../launch/tf.nix { inherit lib pkgs; })
   ];
 }

panel/src/panel/views.py

@@ -138,7 +138,7 @@ class DeploymentStatus(ConfigurationForm):
         deployment_params = dummy_user | json.loads(submission)
         env = {
             "PATH": settings.bin_path,
-            # used in nixos-anywhere for ssh-copy-id to make `.ssh` in for ssh-copy-id.
+            # used in terraform for ssh-copy-id to make `.ssh` in for ssh-copy-id.
             # run thru subprocess, HOME points to the read-only `/var/empty`.
             # in local dev, it will just reject the `/tmp` and make it in HOME after all.
             "HOME": "/tmp",