Add a deployment for forgejo-ci

use passed args tag part
Make forgejo-ci a Forgejo actions runner
2025-07-02 12:43:18 +02:00 · 2025-07-02 12:43:18 +02:00 · 2025-07-02 12:43:16 +02:00 · 2025-07-01 23:55:33 +02:00 · 2025-07-01 21:08:15 +02:00 · 2025-07-01 13:09:06 +02:00
35 changed files with 326 additions and 102 deletions
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@ -25,13 +25,13 @@ jobs:
    runs-on: native
    steps:
      - uses: actions/checkout@v4
-      - run: cd services && nix-build -A tests.peertube
+      - run: nix-build services -A tests.peertube
  check-panel:
    runs-on: native
    steps:
      - uses: actions/checkout@v4
-      - run: cd panel && nix-build -A tests
+      - run: nix-build panel -A tests
  check-deployment-basic:
    runs-on: native
--- a/.forgejo/workflows/update.yaml
+++ b/.forgejo/workflows/update.yaml
@ -2,8 +2,9 @@ name: update-dependencies
 on:
  workflow_dispatch: # allows manual triggering
-  schedule:
+  # FIXME: re-enable when manual run works
-    - cron: '0 0 1 * *' # monthly
+  # schedule:
  #   - cron: '0 0 1 * *' # monthly
 jobs:
  lockfile:
--- a/default.nix
+++ b/default.nix
@ -10,6 +10,8 @@ let
    gitignore
    ;
  inherit (pkgs) lib;
  inherit (import sources.flake-inputs) import-flake;
  inherit ((import-flake { src = ./.; }).inputs) nixops4;
  pre-commit-check =
    (import "${git-hooks}/nix" {
      inherit nixpkgs system;
@ -56,8 +58,14 @@ in
      in
      [
        pkgs.npins
        pkgs.nil
        (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
        pkgs.openssh
        pkgs.httpie
        pkgs.jq
        pkgs.nix-unit
        test-loop
        nixops4.packages.${system}.default
      ];
  };
--- a/deployment/check/basic/flake-part.nix
+++ b/deployment/check/basic/flake-part.nix
@ -2,6 +2,7 @@
  self,
  inputs,
  lib,
  sources,
  ...
 }:
@ -27,7 +28,7 @@ in
          ../common/nixosTest.nix
          ./nixosTest.nix
        ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
        inherit targetMachines pathToRoot pathFromRoot;
      };
    };
@ -44,7 +45,7 @@ in
          inputs.nixops4-nixos.modules.nixops4Resource.nixos
          ../common/targetResource.nix
        ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
        inherit nodeName pathToRoot pathFromRoot;
        nixos.module =
          { pkgs, ... }:
--- a/deployment/check/cli/flake-part.nix
+++ b/deployment/check/cli/flake-part.nix
@ -2,6 +2,7 @@
  self,
  inputs,
  lib,
  sources,
  ...
 }:
@ -30,7 +31,7 @@ in
          ../common/nixosTest.nix
          ./nixosTest.nix
        ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
        inherit
          targetMachines
          pathToRoot
@ -44,7 +45,7 @@ in
    let
      makeTargetResource = nodeName: {
        imports = [ ../common/targetResource.nix ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
        inherit
          nodeName
          pathToRoot
--- a/deployment/check/common/deployerNode.nix
+++ b/deployment/check/common/deployerNode.nix
@ -3,6 +3,7 @@
  lib,
  pkgs,
  config,
  sources,
  ...
 }:
@ -14,8 +15,6 @@ let
    types
    ;
  sources = import ../../../npins;
 in
 {
  _class = "nixos";
@ -78,7 +77,7 @@ in
              config.system.extraDependenciesFromModule
              {
                nixpkgs.hostPlatform = "x86_64-linux";
-                _module.args.inputs = inputs;
+                _module.args = { inherit inputs sources; };
                enableAcme = config.enableAcme;
                acmeNodeIP = config.acmeNodeIP;
              }
--- a/deployment/check/common/nixosTest.nix
+++ b/deployment/check/common/nixosTest.nix
@ -3,6 +3,7 @@
  lib,
  config,
  hostPkgs,
  sources,
  ...
 }:
@ -61,7 +62,7 @@ in
      {
        deployer = {
          imports = [ ./deployerNode.nix ];
-          _module.args.inputs = inputs;
+          _module.args = { inherit inputs sources; };
          enableAcme = config.enableAcme;
          acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
        };
@ -88,7 +89,7 @@ in
        genAttrs config.targetMachines (_: {
          imports = [ ./targetNode.nix ];
-          _module.args.inputs = inputs;
+          _module.args = { inherit inputs sources; };
          enableAcme = config.enableAcme;
          acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
        });
--- a/deployment/check/common/targetResource.nix
+++ b/deployment/check/common/targetResource.nix
@ -2,6 +2,7 @@
  inputs,
  lib,
  config,
  sources,
  ...
 }:
@ -40,7 +41,7 @@ in
        (lib.modules.importJSON (config.pathToCwd + "/${config.nodeName}-network.json"))
      ];
-      _module.args.inputs = inputs;
+      _module.args = { inherit inputs sources; };
      enableAcme = config.enableAcme;
      acmeNodeIP = trim (readFile (config.pathToCwd + "/acme_server_ip"));
--- a/deployment/check/panel/flake-part.nix
+++ b/deployment/check/panel/flake-part.nix
@ -2,6 +2,7 @@
  self,
  inputs,
  lib,
  sources,
  ...
 }:
@ -33,7 +34,7 @@ in
          ../common/nixosTest.nix
          ./nixosTest.nix
        ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
        inherit
          targetMachines
          pathToRoot
@ -47,7 +48,7 @@ in
    let
      makeTargetResource = nodeName: {
        imports = [ ../common/targetResource.nix ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
        inherit
          nodeName
          pathToRoot
--- a/deployment/check/panel/nixosTest.nix
+++ b/deployment/check/panel/nixosTest.nix
@ -155,7 +155,6 @@ in
          SECRET_KEY = dummyFile;
        };
        port = panelPort;
        nixops4Package = inputs.nixops4.packages.${pkgs.system}.default;
        deployment = {
          flake = "/run/fedipanel/flake";
--- a/flake.nix
+++ b/flake.nix
@ -11,7 +11,7 @@
    let
      sources = import ./npins;
      inherit (import sources.flake-inputs) import-flake;
-      inherit (sources) git-hooks agenix;
+      inherit (sources) git-hooks;
      # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
      # XXX - this is just importing a flake
      nixpkgs = import-flake { src = sources.nixpkgs; };
@ -31,6 +31,9 @@
          inherit nixpkgs;
        };
        self = self';
        specialArgs = {
          inherit sources;
        };
      }
      (
        { inputs, ... }:
@ -43,18 +46,19 @@
          ];
          imports = [
-            (import "${git-hooks}/flake-module.nix")
+            "${git-hooks}/flake-module.nix"
            inputs.nixops4.modules.flake.default
            ./deployment/flake-part.nix
            ./infra/flake-part.nix
            ./keys/flake-part.nix
            ./secrets/flake-part.nix
          ];
          perSystem =
            {
              pkgs,
              lib,
              inputs',
              ...
            }:
            {
@ -73,21 +77,6 @@
                  trim-trailing-whitespace.enable = true;
                  shellcheck.enable = true;
                };
              devShells.default = pkgs.mkShell {
                packages = [
                  pkgs.npins
                  pkgs.nil
                  (pkgs.callPackage "${agenix}/pkgs/agenix.nix" { })
                  pkgs.openssh
                  pkgs.httpie
                  pkgs.jq
                  # exposing this env var as a hack to pass info in from form
                  (inputs'.nixops4.packages.default.overrideAttrs {
                    impureEnvVars = [ "DEPLOYMENT" ];
                  })
                ];
              };
            };
        }
      );
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@ -8,7 +8,6 @@ in
  _class = "nixos";
  imports = [
    ./hardware.nix
    ./networking.nix
    ./users.nix
  ];
--- a/infra/common/nixos/networking.nix
+++ b/infra/common/nixos/networking.nix
@ -1,7 +1,7 @@
 { config, lib, ... }:
 let
-  inherit (lib) mkDefault;
+  inherit (lib) mkDefault mkIf mkMerge;
 in
 {
@ -13,53 +13,52 @@ in
      settings.PasswordAuthentication = false;
    };
-    networking = {
+    networking = mkMerge [
-      hostName = config.fediversityVm.name;
+      {
-      domain = config.fediversityVm.domain;
+        hostName = config.fediversityVm.name;
        domain = config.fediversityVm.domain;
-      ## REVIEW: Do we actually need that, considering that we have static IPs?
+        ## REVIEW: Do we actually need that, considering that we have static IPs?
-      useDHCP = mkDefault true;
+        useDHCP = mkDefault true;
-      interfaces = {
+        ## Disable the default firewall and use nftables instead, with a custom
-        eth0 = {
+        ## Procolix-made ruleset.
-          ipv4 = {
+        firewall.enable = false;
-            addresses = [
+        nftables = {
-              {
+          enable = true;
-                inherit (config.fediversityVm.ipv4) address prefixLength;
+          rulesetFile = ./nftables-ruleset.nft;
              }
            ];
          };
          ipv6 = {
            addresses = [
              {
                inherit (config.fediversityVm.ipv6) address prefixLength;
              }
            ];
          };
        };
-      };
+      }
-      defaultGateway = {
+      ## IPv4
-        address = config.fediversityVm.ipv4.gateway;
+      (mkIf config.fediversityVm.ipv4.enable {
-        interface = "eth0";
+        interfaces.${config.fediversityVm.ipv4.interface}.ipv4.addresses = [
-      };
+          { inherit (config.fediversityVm.ipv4) address prefixLength; }
-      defaultGateway6 = {
+        ];
-        address = config.fediversityVm.ipv6.gateway;
+        defaultGateway = {
-        interface = "eth0";
+          address = config.fediversityVm.ipv4.gateway;
-      };
+          interface = config.fediversityVm.ipv4.interface;
        };
        nameservers = [
          "95.215.185.6"
          "95.215.185.7"
        ];
      })
-      nameservers = [
+      ## IPv6
-        "95.215.185.6"
+      (mkIf config.fediversityVm.ipv6.enable {
-        "95.215.185.7"
+        interfaces.${config.fediversityVm.ipv6.interface}.ipv6.addresses = [
-        "2a00:51c0::5fd7:b906"
+          { inherit (config.fediversityVm.ipv6) address prefixLength; }
-        "2a00:51c0::5fd7:b907"
+        ];
-      ];
+        defaultGateway6 = {
-
+          address = config.fediversityVm.ipv6.gateway;
-      firewall.enable = false;
+          interface = config.fediversityVm.ipv6.interface;
-      nftables = {
+        };
-        enable = true;
+        nameservers = [
-        rulesetFile = ./nftables-ruleset.nft;
+          "2a00:51c0::5fd7:b906"
-      };
+          "2a00:51c0::5fd7:b907"
-    };
+        ];
      })
    ];
  };
 }
--- a/infra/common/options.nix
+++ b/infra/common/options.nix
@ -6,7 +6,7 @@ let
 in
 {
-  _class = "nixops4Resource";
+  # `config` not set and imported from multiple places: no fixed module class
  options.fediversityVm = {
@ -91,6 +91,17 @@ in
    };
    ipv4 = {
      enable = mkOption {
        default = true;
      };
      interface = mkOption {
        description = ''
          The interface that carries the machine's IPv4 network.
        '';
        default = "eth0";
      };
      address = mkOption {
        description = ''
          The IP address of the machine, version 4. It will be injected as a
@ -116,6 +127,17 @@ in
    };
    ipv6 = {
      enable = mkOption {
        default = true;
      };
      interface = mkOption {
        description = ''
          The interface that carries the machine's IPv6 network.
        '';
        default = "eth0";
      };
      address = mkOption {
        description = ''
          The IP address of the machine, version 6. It will be injected as a
--- a/infra/common/proxmox-qemu-vm.nix
+++ b/infra/common/proxmox-qemu-vm.nix
@ -15,8 +15,6 @@
      availableKernelModules = [
        "ata_piix"
        "uhci_hcd"
        "virtio_pci"
        "virtio_scsi"
        "sd_mod"
        "sr_mod"
      ];
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -2,6 +2,9 @@
  inputs,
  lib,
  config,
  sources,
  keys,
  secrets,
  ...
 }:
@ -9,12 +12,6 @@ let
  inherit (lib) attrValues elem mkDefault;
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;
  sources = import ../../npins;
  inherit (sources) agenix disko;
  secretsPrefix = ../../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");
  keys = import ../../keys;
 in
 {
@ -36,8 +33,8 @@ in
  ## should go into the `./nixos` subdirectory.
  nixos.module = {
    imports = [
-      (import "${agenix}/modules/age.nix")
+      "${sources.agenix}/modules/age.nix"
-      (import "${disko}/module.nix")
+      "${sources.disko}/module.nix"
      ./options.nix
      ./nixos
    ];
@ -46,15 +43,15 @@ in
    ## configuration.
    fediversityVm = config.fediversityVm;
-    ## Read all the secrets, filter the ones that are supposed to be readable
+    ## Read all the secrets, filter the ones that are supposed to be readable with
-    ## with this host's public key, and add them correctly to the configuration
+    ## public key, and create a mapping from `<name>.file` to the absolute path of
-    ## as `age.secrets.<name>.file`.
+    ## the secret's file.
    age.secrets = concatMapAttrs (
      name: secret:
      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
-        ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+        ${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
      })
-    ) secrets;
+    ) secrets.mapping;
    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
    ## supports users with password-less sudo.
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -1,6 +1,9 @@
 {
  inputs,
  lib,
  sources,
  keys,
  secrets,
  ...
 }:
@ -13,7 +16,6 @@ let
    filterAttrs
    ;
  inherit (lib.attrsets) genAttrs;
  sources = import ../../npins;
  ## Given a machine's name and whether it is a test VM, make a resource module,
  ## except for its missing provider. (Depending on the use of that resource, we
@ -22,7 +24,14 @@ let
    { vmName, isTestVm }:
    {
      # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally
-      _module.args = { inherit inputs; };
+      _module.args = {
        inherit
          inputs
          sources
          keys
          secrets
          ;
      };
      imports =
        [
@ -31,11 +40,12 @@ let
        ++ (
          if isTestVm then
            [
              ./common/proxmox-qemu-vm.nix
              ../machines/operator/${vmName}
              {
                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
                  # allow our panel vm access to the test machines
-                  (import ../keys).panel
+                  keys.panel
                ];
              }
            ]
@ -157,6 +167,10 @@ in
 {
  _class = "flake";
  # NOTE: `forgejo-ci`, being a physical machine and not a Proxmox VM, gets
  # custom treatment.
  imports = [ ./forgejo-ci/flake-part.nix ];
  ## - Each normal or test machine gets a NixOS configuration.
  ## - Each normal or test machine gets a VM options entry.
  ## - Each normal machine gets a deployment.
--- a/infra/forgejo-ci/configuration.nix
+++ b/infra/forgejo-ci/configuration.nix
@ -0,0 +1,58 @@
 {
  config,
  lib,
  ...
 }:
 let
  inherit (lib) mkDefault mkForce;
 in
 {
  _class = "nixos";
  imports = [
    ../common/options.nix
    ../common/nixos
    ./forgejo-actions-runner.nix
  ];
  fediversityVm = {
    # XXX this needs an SSH config entry to locate and access the machine
    name = "forgejo-ci";
    domain = "procolix.com";
    ipv4 = {
      interface = "enp1s0f0";
      address = "192.168.201.65";
      prefixLength = 24;
      gateway = "192.168.201.1";
    };
    ipv6.enable = false;
  };
  networking = {
    nftables.enable = mkForce false;
    hostId = "1d6ea552";
  };
  hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
  fileSystems."/" = {
    device = "rpool/root";
    fsType = "zfs";
  };
  fileSystems."/home" = {
    device = "rpool/home";
    fsType = "zfs";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/50B2-DD3F";
    fsType = "vfat";
    options = [
      "fmask=0077"
      "dmask=0077"
    ];
  };
 }
--- a/infra/forgejo-ci/flake-part.nix
+++ b/infra/forgejo-ci/flake-part.nix
@ -0,0 +1,58 @@
 {
  lib,
  inputs,
  sources,
  keys,
  secrets,
  ...
 }:
 ## NOTE: Hackish solution mostly taken from `../common/resource.nix`.
 ## Eventually, `forgejo-ci` should move to a datacentre somewhere and this code
 ## should be integrated with the code for other machines (in particular VMs).
 let
  inherit (lib) attrValues elem;
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;
  hostPublicKey = keys.systems.forgejo-ci;
 in
 {
  _class = "flake";
  nixops4Deployments.forgejo-ci =
    { providers, ... }:
    {
      providers.local = inputs.nixops4.modules.nixops4Provider.local;
      resources.forgejo-ci = {
        type = providers.local.exec;
        imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
        ssh = {
          host = "forgejo-ci";
          hostPublicKey = hostPublicKey;
        };
        nixpkgs = inputs.nixpkgs;
        nixos.module = {
          imports = with sources; [
            "${agenix}/modules/age.nix"
            "${disko}/module.nix"
            ./configuration.nix
          ];
          age.secrets = concatMapAttrs (
            name: secret:
            optionalAttrs (elem hostPublicKey secret.publicKeys) ({
              ${removeSuffix ".age" name}.file = ../../secrets/${name};
            })
          ) secrets;
          users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
        };
      };
    };
 }
--- a/infra/forgejo-ci/forgejo-actions-runner.nix
+++ b/infra/forgejo-ci/forgejo-actions-runner.nix
@ -0,0 +1,47 @@
 { pkgs, config, ... }:
 {
  _class = "nixos";
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances.default = {
      enable = true;
      name = config.networking.fqdn;
      url = "https://git.fediversity.eu";
      tokenFile = config.age.secrets.forgejo-runner-token.path;
      settings = {
        log.level = "info";
        runner = {
          file = ".runner";
          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
          capacity = 1;
          timeout = "3h";
          insecure = false;
          fetch_timeout = "5s";
          fetch_interval = "2s";
        };
      };
      ## This runner supports Docker (with a default Ubuntu image) and native
      ## modes. In native mode, it contains a few default packages.
      labels = [
        "docker:docker://node:16-bullseye"
        "native:host"
      ];
      hostPackages = with pkgs; [
        bash
        git
        nix
        nodejs
      ];
    };
  };
  ## For the Docker mode of the runner.
  virtualisation.docker.enable = true;
 }
--- a/keys/flake-part.nix
+++ b/keys/flake-part.nix
@ -0,0 +1 @@
 { _module.args.keys = import ./.; }
--- a/keys/systems/forgejo-ci.pub
+++ b/keys/systems/forgejo-ci.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A
--- a/machines/dev/fedi200/default.nix
+++ b/machines/dev/fedi200/default.nix
@ -16,4 +16,10 @@
      gateway = "2a00:51c0:13:1305::1";
    };
  };
  nixos.module = {
    imports = [
      ../../../infra/common/proxmox-qemu-vm.nix
    ];
  };
 }
--- a/machines/dev/fedi201/default.nix
+++ b/machines/dev/fedi201/default.nix
@ -19,6 +19,7 @@
  nixos.module = {
    imports = [
      ../../../infra/common/proxmox-qemu-vm.nix
      ./fedipanel.nix
    ];
  };
--- a/machines/dev/vm02116/default.nix
+++ b/machines/dev/vm02116/default.nix
@ -14,6 +14,7 @@
    { lib, ... }:
    {
      imports = [
        ../../../infra/common/proxmox-qemu-vm.nix
        ./forgejo.nix
      ];
--- a/machines/dev/vm02187/default.nix
+++ b/machines/dev/vm02187/default.nix
@ -14,6 +14,7 @@
    { lib, ... }:
    {
      imports = [
        ../../../infra/common/proxmox-qemu-vm.nix
        ./wiki.nix
      ];
--- a/machines/machines.md
+++ b/machines/machines.md
@ -11,5 +11,6 @@ Machine | Proxmox | Description
 [`fedi201`](./fedi201) | fediversity | FediPanel
 [`vm02116`](./vm02116) | procolix | Forgejo
 [`vm02187`](./vm02187) | procolix | Wiki
 | `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 This table excludes all machines with names starting with `test`.
--- a/machines/machines.md.sh
+++ b/machines/machines.md.sh
@ -37,6 +37,7 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
 done
 cat <<\EOF
 | `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 This table excludes all machines with names starting with `test`.
 EOF
--- a/panel/default.nix
+++ b/panel/default.nix
@ -22,7 +22,7 @@ in
      manage
      # NixOps4 and its dependencies
-      # FIXME: grab NixOps4 and add it here
+      pkgs.nixops4
      pkgs.nix
      pkgs.openssh
    ];
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@ -147,6 +147,7 @@ in
        NixOps4 from the package's npins-based code, we will have to do with
        this workaround.
      '';
      default = pkgs.nixops4;
    };
    deployment = {
--- a/panel/nix/overlay.nix
+++ b/panel/nix/overlay.nix
@ -8,4 +8,17 @@ let
 in
 {
  python3 = prev.lib.attrsets.recursiveUpdate prev.python3 { pkgs = extraPython3Packages; };
  nixops4 =
    let
      sources = import ../../npins;
      inherit (import sources.flake-inputs) import-flake;
      inherit
        (import-flake {
          src = ../../.;
        })
        inputs
        ;
      inherit (inputs) nixops4;
    in
    nixops4.packages.${prev.system}.default;
 }
--- a/panel/nix/tests.nix
+++ b/panel/nix/tests.nix
@ -13,7 +13,6 @@ let
      secrets = {
        SECRET_KEY = pkgs.writeText "SECRET_KEY" "secret";
      };
      nixops4Package = pkgs.hello; # FIXME: actually pass NixOps4
    };
    virtualisation = {
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -0,0 +1,4 @@
 {
  mapping = import ./secrets.nix;
  rootPath = ./.;
 }
--- a/secrets/flake-part.nix
+++ b/secrets/flake-part.nix
@ -0,0 +1 @@
 { _module.args.secrets = import ./.; }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -26,7 +26,7 @@ concatMapAttrs
    {
      forgejo-database-password = [ vm02116 ];
      forgejo-email-password = [ vm02116 ];
-      forgejo-runner-token = [ ];
+      forgejo-runner-token = [ forgejo-ci ];
      panel-secret-key = [ fedi201 ];
      panel-ssh-key = [ fedi201 ];
      wiki-basicauth-htpasswd = [ vm02187 ];
Author	SHA1	Message	Date
Kiara Grouwstra	d59be61a1b	Add a deployment for forgejo-ci use passed args tag part	2025-07-02 12:43:18 +02:00
Nicolas “Niols” Jeannerod	d7939e03aa	Make `forgejo-ci` a Forgejo actions runner tag runner	2025-07-02 12:43:18 +02:00
Nicolas “Niols” Jeannerod	7811cf9eeb	Copy configuration from forgejo-ci note on ssh config tag conf	2025-07-02 12:43:16 +02:00
Nicolas “Niols” Jeannerod	1c92009879	Do not force QEMU options onto machines	2025-07-01 23:55:33 +02:00
Kiara Grouwstra	a791ad41ec	Inject sources, secrets and keys via module system - avoid `import ../` (#421 ) Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-on: Fediversity/Fediversity#421 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-01 21:08:15 +02:00
Nicolas “Niols” Jeannerod	c1dc0fef01	Split nameservers between IPv4 and IPv6 (#420 ) Reviewed-on: Fediversity/Fediversity#420 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-01 13:09:06 +02:00
Kiara Grouwstra	5a3cbe4d83	fix agenix package in shell (#422 ) as per Fediversity/Fediversity#419 (comment) Reviewed-on: Fediversity/Fediversity#422 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-01 11:29:38 +02:00
Kiara Grouwstra	fd1d55df5f	move shell from flake	2025-07-01 10:22:58 +02:00
Kiara Grouwstra	0c23115cff	allow configuring network interface (#413 ) Reviewed-on: Fediversity/Fediversity#413 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-30 19:23:51 +02:00
Nicolas “Niols” Jeannerod	3f1c8a9bb7	Document why Nix and OpenSSH lost in #412. Alternatively, we could have a comment on both lines saying eg. “for NixOps4”	2025-06-30 14:30:29 +02:00
Kiara Grouwstra	737aecaba6	set default value for nixops4Package (#412 ) Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Reviewed-on: Fediversity/Fediversity#412 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-30 12:44:53 +02:00
Kiara Grouwstra	d7dbdd923c	make CI test invocations idempotent to better facilitate manual use (#416 ) Reviewed-on: Fediversity/Fediversity#416 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-30 12:42:19 +02:00
Kiara Grouwstra	1c44004cfe	update documentation for #375 (#406 ) Reviewed-on: Fediversity/Fediversity#406 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-27 14:40:40 +02:00
Kiara Grouwstra	ae444d5352	simplify imports (#415 ) Reviewed-on: Fediversity/Fediversity#415 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-27 14:01:41 +02:00
Valentin Gagarin	e77fdd9eec	expose nixops4 in `nix-shell` (#411 ) Instead of Fediversity/Fediversity#406 Eventually we should merge `//panel/default.nix` with `//default.nix` of course. Co-authored-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-on: Fediversity/Fediversity#411 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-committed-by: Valentin Gagarin <valentin.gagarin@tweag.io>	2025-06-27 12:00:47 +02:00
Kiara Grouwstra	1f1cf0d516	unset class, fixing #408 (#410 ) Reviewed-on: Fediversity/Fediversity#410 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-27 11:53:17 +02:00
Kiara Grouwstra	f94eac698a	disable updater schedule while it hangs	2025-06-26 17:01:40 +02:00
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A`