factor out settings for use in base install

infra/common/nixos/base.nix

@@ -0,0 +1,37 @@
+# base configuration used also in the initial NixOS install,
+# enabling to then push further configs.
+{ lib, modulesPath, ... }:
+let
+  inherit (lib) attrValues;
+  keys = import ../../../keys;
+in
+{
+  imports = [
+    "${modulesPath}/virtualisation/qemu-guest-agent.nix"
+    "${modulesPath}/virtualisation/qemu-vm.nix"
+    "${modulesPath}/profiles/qemu-guest.nix"
+    ./hardware.nix
+    ./users.nix
+  ];
+  time.timeZone = "Europe/Amsterdam";
+  i18n.defaultLocale = "en_US.UTF-8";
+  system.stateVersion = "24.05"; # do not change
+  services.qemuGuest.enable = true;
+  networking.firewall.enable = true;
+
+  services.openssh = {
+    enable = true;
+    settings.PasswordAuthentication = false;
+  };
+
+  ## TODO Remove direct root authentication, see #24
+  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+
+  # FIXME un-hardcode
+  networking.nameservers = [
+    "95.215.185.6"
+    "95.215.185.7"
+    "2a00:51c0::5fd7:b906"
+    "2a00:51c0::5fd7:b907"
+  ];
+}

infra/common/nixos/default.nix

@@ -1,21 +1,9 @@
-{ lib, ... }:
-
-let
-  inherit (lib) mkDefault;
-
-in
 {
   imports = [
-    ./hardware.nix
+    ./base.nix
     ./networking.nix
-    ./users.nix
   ];
 
-  time.timeZone = "Europe/Amsterdam";
-  i18n.defaultLocale = "en_US.UTF-8";
-  system.stateVersion = "24.05"; # do not change
-  nixpkgs.hostPlatform = mkDefault "x86_64-linux";
-
   ## This is just nice to have, but it is also particularly important for the
   ## Forgejo CI runners because the Nix configuration in the actions is directly
   ## taken from here.

infra/common/nixos/hardware.nix

@@ -1,8 +1,11 @@
 { modulesPath, ... }:
-
+let
+  sources = import ../../../npins;
+in
 {
   imports = [
     "${modulesPath}/profiles/qemu-guest.nix"
+    "${sources.disko}/module.nix"
   ];
 
   boot = {

infra/common/nixos/networking.nix

@@ -6,11 +6,6 @@ let
 in
 {
   config = {
-    services.openssh = {
-      enable = true;
-      settings.PasswordAuthentication = false;
-    };
-
     networking = {
       hostName = config.fediversityVm.name;
       domain = config.fediversityVm.domain;
@@ -46,13 +41,6 @@ in
         interface = "eth0";
       };
 
-      nameservers = [
-        "95.215.185.6"
-        "95.215.185.7"
-        "2a00:51c0::5fd7:b906"
-        "2a00:51c0::5fd7:b907"
-      ];
-
       firewall.enable = false;
       nftables = {
         enable = true;

infra/common/resource.nix

@@ -8,8 +8,6 @@ let
   inherit (lib) attrValues elem mkDefault;
   inherit (lib.attrsets) concatMapAttrs optionalAttrs;
   inherit (lib.strings) removeSuffix;
-  sources = import ../../npins;
-  inherit (sources) nixpkgs agenix disko;
 
   secretsPrefix = ../../secrets;
   secrets = import (secretsPrefix + "/secrets.nix");
@@ -17,48 +15,27 @@ let
 
 in
 {
-  imports = [ ./options.nix ];
+  imports = [
+    ./options.nix
+    ./nixos
+  ];
 
   fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};
 
-  ssh = {
-    host = config.fediversityVm.ipv4.address;
-    hostPublicKey = config.fediversityVm.hostPublicKey;
-  };
+  ## Read all the secrets, filter the ones that are supposed to be readable
+  ## with this host's public key, and add them correctly to the configuration
+  ## as `age.secrets.<name>.file`.
+  age.secrets = concatMapAttrs (
+    name: secret:
+    optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) {
+      ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+    }
+  ) secrets;
 
-  inherit nixpkgs;
-
-  ## The configuration of the machine. We strive to keep in this file only the
-  ## options that really need to be injected from the resource. Everything else
-  ## should go into the `./nixos` subdirectory.
-  nixos.module = {
-    imports = [
-      (import "${agenix}/modules/age.nix")
-      (import "${disko}/module.nix")
-      ./options.nix
-      ./nixos
-    ];
-
-    ## Inject the shared options from the resource's `config` into the NixOS
-    ## configuration.
-    fediversityVm = config.fediversityVm;
-
-    ## Read all the secrets, filter the ones that are supposed to be readable
-    ## with this host's public key, and add them correctly to the configuration
-    ## as `age.secrets.<name>.file`.
-    age.secrets = concatMapAttrs (
-      name: secret:
-      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
-        ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
-      })
-    ) secrets;
-
-    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
-    ## supports users with password-less sudo.
-    users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
-      # allow our panel vm access to the test machines
-      keys.panel
-    ];
-
-  };
+  ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
+  ## supports users with password-less sudo.
+  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
+    # allow our panel vm access to the test machines
+    keys.panel
+  ];
 }

infra/common/shared.nix

@@ -0,0 +1,26 @@
+{
+  pkgs,
+  config,
+  ...
+}:
+let
+  inherit (config.terraform) hostname domain initialUser;
+  sources = import ../../npins;
+in
+{
+  imports = [
+    "${sources.agenix}/modules/age.nix"
+    ../../services/fediversity
+    ./resource.nix
+  ];
+  fediversityVm.name = hostname;
+  fediversity = {
+    inherit domain;
+    temp.initialUser = {
+      inherit (initialUser) username email displayName;
+      # FIXME: disgusting, but nvm, this is going to be replaced by
+      # proper central authentication at some point
+      passwordFile = pkgs.writeText "password" initialUser.password;
+    };
+  };
+}

infra/makeInstallerIso.nix

@@ -7,7 +7,7 @@
 {
   nixpkgs,
   hostKeys ? { },
-  nixosConfiguration,
+  nixosConfiguration ? import ../infra/common/nixos/base.nix,
 }:
 
 let