rm explicit dns

rm agent exec
rm /home
2025-08-04 14:28:13 +02:00 · 2025-08-04 14:25:17 +02:00 · 2025-08-04 14:13:27 +02:00 · 2025-08-04 14:04:49 +02:00 · 2025-08-04 12:52:40 +02:00 · 2025-08-04 12:52:20 +02:00
25 changed files with 176 additions and 194 deletions
--- a/.woodpecker/check-resources.yaml
+++ b/.woodpecker/check-resources.yaml
@ -1,30 +0,0 @@
 when:
  - event: manual
  - event: push
    branch: main
 ## NOTE: NixOps4 does not provide a good “dry run” mode, so we instead check
 ## proxies for resources, namely whether their `.#vmOptions.<machine>` and
 ## `.#nixosConfigurations.<machine>` outputs evaluate and build correctly, and
 ## whether we can dry run `infra/proxmox-*.sh` on them. This will not catch
 ## everything, and in particular not issues in how NixOps4 wires up the
 ## resources, but that is still something.
 steps:
  - name: check-resources
    image: nixos/nix
    commands:
    - run: |
        set -euC
        echo ==================== [ VM Options ] ====================
        machines=$(nix eval --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).vmOptions)')
        for machine in $machines; do
          echo ~~~~~~~~~~~~~~~~~~~~~: $machine :~~~~~~~~~~~~~~~~~~~~~
          nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.vmOptions-$machine
        done
        echo
        echo ==================== [ NixOS Configurations ] ====================
        machines=$(nix eval --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).nixosConfigurations)')
        for machine in $machines; do
          echo ~~~~~~~~~~~~~~~~~~~~~: $machine :~~~~~~~~~~~~~~~~~~~~~
          nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.nixosConfigurations-$machine
        done
--- a/deployment/check/common/nixosTest.nix
+++ b/deployment/check/common/nixosTest.nix
@ -48,8 +48,7 @@ in
    extraTestScript = mkOption { };
    sourceFileset = mkOption {
-      ## FIXME: grab `lib.types.fileset` from NixOS, once upstreaming PR
+      ## REVIEW: Upstream to nixpkgs?
      ## https://github.com/NixOS/nixpkgs/pull/428293 lands.
      type = types.mkOptionType {
        name = "fileset";
        description = "fileset";
--- a/infra/common/options.nix
+++ b/infra/common/options.nix
@ -20,13 +20,16 @@ in
      '';
    };
-    isFediversityVm = mkOption {
+    proxmox = mkOption {
-      type = types.bool;
+      type = types.nullOr (
        types.enum [
          "procolix"
          "fediversity"
        ]
      );
      description = ''
-        Whether the machine is a Fediversity VM or not. This is used to
+        The Proxmox instance. This is used for provisioning only and should be
-        determine whether the machine should be provisioned via Proxmox or not.
+        set to `null` if the machine is not a VM.
        Machines that are _not_ Fediversity VM could be physical machines, or
        VMs that live outside Fediversity, eg. on Procolix's Proxmox.
      '';
    };
--- a/infra/common/proxmox-qemu-vm.nix
+++ b/infra/common/proxmox-qemu-vm.nix
@ -1,14 +1,10 @@
-{ ... }:
+{ sources, ... }:
 {
  _class = "nixos";
-  ## FIXME: It would be nice, but the following leads to infinite recursion
+  imports = [
-  ## in the way we currently plug `sources` in.
+    "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
-  ##
+  ];
  # imports = [
  #   "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
  # ];
  boot = {
    initrd = {
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -2,6 +2,7 @@
  inputs,
  lib,
  config,
  sources,
  keys,
  secrets,
  ...
@ -32,9 +33,12 @@ in
  ## should go into the `./nixos` subdirectory.
  nixos.module = {
    imports = [
      "${sources.agenix}/modules/age.nix"
      "${sources.disko}/module.nix"
      "${sources.vars}/options.nix"
      "${sources.vars}/backends/on-machine.nix"
      ./options.nix
      ./nixos
      ./proxmox-qemu-vm.nix
    ];
    ## Inject the shared options from the resource's `config` into the NixOS
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -14,40 +14,49 @@ let
    mkOption
    evalModules
    filterAttrs
    mapAttrs'
    deepSeq
    ;
  inherit (lib.attrsets) genAttrs;
-  commonResourceModule = {
+  ## Given a machine's name and whether it is a test VM, make a resource module,
-    # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch
+  ## except for its missing provider. (Depending on the use of that resource, we
-    # flake-parts and have our own data model for how the project is organised
+  ## will provide a different one.)
-    # internally
+  makeResourceModule =
-    _module.args = {
+    { vmName, isTestVm }:
    {
      nixos.module.imports = [
        ./common/proxmox-qemu-vm.nix
      ];
      nixos.specialArgs = {
        inherit
          sources
          inputs
          keys
          secrets
        sources
          ;
      };
-    ## FIXME: It would be preferrable to have those `sources`-related imports in
+      imports =
-    ## the modules that use them. However, doing so triggers infinite recursions
+        [
    ## because of the way we propagate `sources`. `sources` must be propagated by
    ## means of `specialArgs`, but this requires a bigger change.
    nixos.module.imports = [
      "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
      "${sources.agenix}/modules/age.nix"
      "${sources.disko}/module.nix"
      "${sources.home-manager}/nixos"
      "${sources.vars}/options.nix"
      "${sources.vars}/backends/on-machine.nix"
    ];
    imports = [
          ./common/resource.nix
        ]
        ++ (
          if isTestVm then
            [
              ../machines/operator/${vmName}
              {
                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
                  # allow our panel vm access to the test machines
                  keys.panel
                ];
              }
            ]
          else
            [
              ../machines/dev/${vmName}
            ]
        );
      fediversityVm.name = vmName;
    };
  ## Given a list of machine names, make a deployment with those machines'
@ -56,16 +65,40 @@ let
    vmNames:
    { providers, ... }:
    {
      # XXX: this type merge is for adding `specialArgs` to resource modules
      options.resources = mkOption {
        type =
          with lib.types;
          lazyAttrsOf (submoduleWith {
            class = "nixops4Resource";
            modules = [ ];
            # TODO(@fricklerhandwerk): we may want to pass through all of `specialArgs`
            # once we're sure it's sane. leaving it here for better control during refactoring.
            specialArgs = {
              inherit
                sources
                inputs
                keys
                secrets
                ;
            };
          });
      };
      config = {
        providers.local = inputs.nixops4.modules.nixops4Provider.local;
        resources = genAttrs vmNames (vmName: {
          type = providers.local.exec;
          imports = [
            inputs.nixops4-nixos.modules.nixops4Resource.nixos
-          commonResourceModule
+            (makeResourceModule {
-          ../machines/dev/${vmName}
+              inherit vmName;
              isTestVm = false;
            })
          ];
        });
      };
    };
  makeDeployment' = vmName: makeDeployment [ vmName ];
  ## Given an attrset of test configurations (key = test machine name, value =
@ -79,29 +112,21 @@ let
        fediversity = import ../services/fediversity;
      }
      {
-        garageConfigurationResource = {
+        garageConfigurationResource = makeResourceModule {
-          imports = [
+          vmName = "test01";
-            commonResourceModule
+          isTestVm = true;
            ../machines/operator/test01
          ];
        };
-        mastodonConfigurationResource = {
+        mastodonConfigurationResource = makeResourceModule {
-          imports = [
+          vmName = "test06"; # somehow `test02` has a problem - use test06 instead
-            commonResourceModule
+          isTestVm = true;
            ../machines/operator/test06 # somehow `test02` has a problem - use test06 instead
          ];
        };
-        peertubeConfigurationResource = {
+        peertubeConfigurationResource = makeResourceModule {
-          imports = [
+          vmName = "test05";
-            commonResourceModule
+          isTestVm = true;
            ../machines/operator/test05
          ];
        };
-        pixelfedConfigurationResource = {
+        pixelfedConfigurationResource = makeResourceModule {
-          imports = [
+          vmName = "test04";
-            commonResourceModule
+          isTestVm = true;
            ../machines/operator/test04
          ];
        };
      };
@ -114,63 +139,54 @@ let
    ## this is only needed to expose NixOS configurations for provisioning
    ## purposes, and eventually all of this should be handled by NixOps4.
    options = {
-      nixos.module = mkOption { type = lib.types.deferredModule; }; # NOTE: not just `nixos` otherwise merging will go wrong
+      nixos.module = mkOption { }; # NOTE: not just `nixos` otherwise merging will go wrong
      nixpkgs = mkOption { };
      ssh = mkOption { };
    };
  };
  makeResourceConfig =
-    { vmName, isTestVm }:
+    vm:
    (evalModules {
      modules = [
        nixops4ResourceNixosMockOptions
-        commonResourceModule
+        (makeResourceModule vm)
        (if isTestVm then ../machines/operator/${vmName} else ../machines/dev/${vmName})
      ];
    }).config;
  ## Given a VM name, make a NixOS configuration for this machine.
  makeConfiguration =
    isTestVm: vmName:
-    import "${sources.nixpkgs}/nixos" {
+    let
-      configuration = (makeResourceConfig { inherit vmName isTestVm; }).nixos.module;
+      inherit (sources) nixpkgs;
-      system = "x86_64-linux";
+    in
    import "${nixpkgs}/nixos" {
      modules = [
        (makeResourceConfig { inherit vmName isTestVm; }).nixos.module
      ];
    };
-  makeVmOptions =
+  makeVmOptions = isTestVm: vmName: {
-    isTestVm: vmName:
+    inherit ((makeResourceConfig { inherit vmName isTestVm; }).fediversityVm)
-    let
+      proxmox
      config = (makeResourceConfig { inherit vmName isTestVm; }).fediversityVm;
    in
    if config.isFediversityVm then
      {
        inherit (config)
      vmId
      description
      sockets
      cores
      memory
      diskSize
      hostPublicKey
      unsafeHostPrivateKey
      ;
-      }
+  };
    else
      null;
  listSubdirectories = path: attrNames (filterAttrs (_: type: type == "directory") (readDir path));
  machines = listSubdirectories ../machines/dev;
  testMachines = listSubdirectories ../machines/operator;
  nixosConfigurations =
    genAttrs machines (makeConfiguration false)
    // genAttrs testMachines (makeConfiguration true);
  vmOptions =
    filterAttrs (_: value: value != null) # Filter out non-Fediversity VMs
      (genAttrs machines (makeVmOptions false) // genAttrs testMachines (makeVmOptions true));
 in
 {
  _class = "flake";
@ -194,23 +210,10 @@ in
      )
    );
  };
-  flake = { inherit nixosConfigurations vmOptions; };
+  flake.nixosConfigurations =
-
+    genAttrs machines (makeConfiguration false)
-  perSystem =
+    // genAttrs testMachines (makeConfiguration true);
-    { pkgs, ... }:
+  flake.vmOptions =
-    {
+    genAttrs machines (makeVmOptions false)
-      checks =
+    // genAttrs testMachines (makeVmOptions true);
        mapAttrs' (name: nixosConfiguration: {
          name = "nixosConfigurations-${name}";
          value = nixosConfiguration.config.system.build.toplevel;
        }) nixosConfigurations
        // mapAttrs' (name: vmOptions: {
          name = "vmOptions-${name}";
          ## Check that VM options builds/evaluates correctly. `deepSeq e1
          ## e2` evaluates `e1` strictly in depth before returning `e2`. We
          ## use this trick because checks need to be derivations, which VM
          ## options are not.
          value = deepSeq vmOptions pkgs.hello;
        }) vmOptions;
    };
 }
--- a/infra/proxmox-provision.sh
+++ b/infra/proxmox-provision.sh
@ -179,9 +179,15 @@ grab_vm_options () {
    --log-format raw --quiet
  )
  proxmox=$(echo "$options" | jq -r .proxmox)
  vm_id=$(echo "$options" | jq -r .vmId)
  description=$(echo "$options" | jq -r .description)
  if [ "$proxmox" != fediversity ]; then
    die "I do not know how to provision things that are not Fediversity VMs,
 but I got proxmox = '%s' for VM %s." "$proxmox" "$vm_name"
  fi
  sockets=$(echo "$options" | jq -r .sockets)
  cores=$(echo "$options" | jq -r .cores)
  memory=$(echo "$options" | jq -r .memory)
--- a/infra/proxmox-remove.sh
+++ b/infra/proxmox-remove.sh
@ -167,10 +167,16 @@ grab_vm_options () {
      --log-format raw --quiet
    )
    proxmox=$(echo "$options" | jq -r .proxmox)
    vm_id=$(echo "$options" | jq -r .vmId)
-    printf 'done grabing VM options for VM %s. Got id: %d.\n' \
+    if [ "$proxmox" != fediversity ]; then
-      "$vm_name" "$vm_id"
+      die "I do not know how to remove things that are not Fediversity VMs,
  but I got proxmox = '%s' for VM %s." "$proxmox" "$vm_name"
    fi
    printf 'done grabing VM options for VM %s. Found VM %d on %s Proxmox.\n' \
      "$vm_name" "$vm_id" "$proxmox"
  fi
 }
--- a/machines/dev/fedi200/default.nix
+++ b/machines/dev/fedi200/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "fedi200";
    isFediversityVm = true;
    vmId = 200;
    proxmox = "fediversity";
    description = "Testing machine for Hans";
    domain = "abundos.eu";
@ -17,4 +16,10 @@
      gateway = "2a00:51c0:13:1305::1";
    };
  };
  nixos.module = {
    imports = [
      ../../../infra/common/proxmox-qemu-vm.nix
    ];
  };
 }
--- a/machines/dev/fedi201/default.nix
+++ b/machines/dev/fedi201/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "fedi201";
    isFediversityVm = true;
    vmId = 201;
    proxmox = "fediversity";
    description = "FediPanel";
    domain = "abundos.eu";
@ -20,6 +19,7 @@
  nixos.module = {
    imports = [
      ../../../infra/common/proxmox-qemu-vm.nix
      ./fedipanel.nix
    ];
  };
--- a/machines/dev/fedi201/fedipanel.nix
+++ b/machines/dev/fedi201/fedipanel.nix
@ -1,5 +1,6 @@
 {
  config,
  sources,
  ...
 }:
 let
@ -10,6 +11,7 @@ in
  imports = [
    (import ../../../panel { }).module
    "${sources.home-manager}/nixos"
  ];
  security.acme = {
--- a/machines/dev/fedi203/default.nix
+++ b/machines/dev/fedi203/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "fedi203";
    isFediversityVm = true;
    vmId = 203;
    proxmox = "fediversity";
    description = "woodpecker";
    domain = "abundos.eu";
@ -20,6 +19,7 @@
  nixos.module = {
    imports = [
      ../../../infra/common/proxmox-qemu-vm.nix
      ./woodpecker.nix
    ];
  };
--- a/machines/dev/forgejo-ci/default.nix
+++ b/machines/dev/forgejo-ci/default.nix
@ -20,9 +20,7 @@ in
  ssh.host = mkForce "forgejo-ci";
  fediversityVm = {
    name = "forgejo-ci";
    domain = "procolix.com";
    isFediversityVm = false;
    ipv4 = {
      interface = "enp1s0f0";
--- a/machines/dev/vm02116/default.nix
+++ b/machines/dev/vm02116/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "vm02116";
    isFediversityVm = false;
    vmId = 2116;
    proxmox = "procolix";
    description = "Forgejo";
    ipv4.address = "185.206.232.34";
@ -15,6 +14,7 @@
    { lib, ... }:
    {
      imports = [
        ../../../infra/common/proxmox-qemu-vm.nix
        ./forgejo.nix
      ];
--- a/machines/dev/vm02187/default.nix
+++ b/machines/dev/vm02187/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "vm02187";
    isFediversityVm = false;
    vmId = 2187;
    proxmox = "procolix";
    description = "Wiki";
    ipv4.address = "185.206.232.187";
@ -15,6 +14,7 @@
    { lib, ... }:
    {
      imports = [
        ../../../infra/common/proxmox-qemu-vm.nix
        ./wiki.nix
      ];
--- a/machines/operator/test01/default.nix
+++ b/machines/operator/test01/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "test01";
    isFediversityVm = true;
    vmId = 7001;
    proxmox = "fediversity";
    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test02/default.nix
+++ b/machines/operator/test02/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "test02";
    isFediversityVm = true;
    vmId = 7002;
    proxmox = "fediversity";
    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test03/default.nix
+++ b/machines/operator/test03/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "test03";
    isFediversityVm = true;
    vmId = 7003;
    proxmox = "fediversity";
    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test04/default.nix
+++ b/machines/operator/test04/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "test04";
    isFediversityVm = true;
    vmId = 7004;
    proxmox = "fediversity";
    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test05/default.nix
+++ b/machines/operator/test05/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "test05";
    isFediversityVm = true;
    vmId = 7005;
    proxmox = "fediversity";
    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test06/default.nix
+++ b/machines/operator/test06/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "test06";
    isFediversityVm = true;
    vmId = 7006;
    proxmox = "fediversity";
    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test11/default.nix
+++ b/machines/operator/test11/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "test11";
    isFediversityVm = true;
    vmId = 7011;
    proxmox = "fediversity";
    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test12/default.nix
+++ b/machines/operator/test12/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "test12";
    isFediversityVm = true;
    vmId = 7012;
    proxmox = "fediversity";
    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test13/default.nix
+++ b/machines/operator/test13/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "test13";
    isFediversityVm = true;
    vmId = 7013;
    proxmox = "fediversity";
    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test14/default.nix
+++ b/machines/operator/test14/default.nix
@ -2,9 +2,8 @@
  _class = "nixops4Resource";
  fediversityVm = {
    name = "test14";
    isFediversityVm = true;
    vmId = 7014;
    proxmox = "fediversity";
    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;