upgrade memory to resolve oom

[wip] handling env file (still fails)
use templating fork
2025-07-01 17:57:00 +02:00 · 2025-07-01 17:57:00 +02:00 · 2025-07-01 17:57:00 +02:00 · 2025-07-01 17:57:00 +02:00 · 2025-07-01 17:57:00 +02:00 · 2025-07-01 17:57:00 +02:00
75 changed files with 691 additions and 98 deletions
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@ -25,13 +25,13 @@ jobs:
    runs-on: native
    steps:
      - uses: actions/checkout@v4
-      - run: cd services && nix-build -A tests.peertube
+      - run: nix-build services -A tests.peertube

  check-panel:
    runs-on: native
    steps:
      - uses: actions/checkout@v4
-      - run: cd panel && nix-build -A tests
+      - run: nix-build panel -A tests

  check-deployment-basic:
    runs-on: native
--- a/.forgejo/workflows/update.yaml
+++ b/.forgejo/workflows/update.yaml
@ -2,20 +2,22 @@ name: update-dependencies

 on:
  workflow_dispatch: # allows manual triggering
-  schedule:
-    - cron: '0 0 1 * *' # monthly
+  # FIXME: re-enable when manual run works
+  # schedule:
+  #   - cron: '0 0 1 * *' # monthly

 jobs:
  lockfile:
-    runs-on: ubuntu-latest
+    runs-on: native
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
-      - name: Install Nix
-        uses: cachix/install-nix-action@v31
-      - name: Install npins
-        run: nix profile install 'nixpkgs#npins'
-      - name: Update npins sources
-        uses: getchoo/update-npins@v0
+      - name: Update pins
+        run: nix-shell --run "npins update"
+      - name: Create PR
+        uses: peter-evans/create-pull-request@v7
        with:
          token: "${{ secrets.DEPLOY_KEY }}"
+          branch: npins-update
+          commit-message: "npins: update sources"
+          title: "npins: update sources"
--- a/default.nix
+++ b/default.nix
@ -10,6 +10,8 @@ let
    gitignore
    ;
  inherit (pkgs) lib;
+  inherit (import sources.flake-inputs) import-flake;
+  inherit ((import-flake { src = ./.; }).inputs) nixops4;
  pre-commit-check =
    (import "${git-hooks}/nix" {
      inherit nixpkgs system;
@ -55,8 +57,15 @@ in
        };
      in
      [
+        pkgs.npins
+        pkgs.nil
+        (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
+        pkgs.openssh
+        pkgs.httpie
+        pkgs.jq
        pkgs.nix-unit
        test-loop
+        nixops4.packages.${system}.default
      ];
  };

--- a/deployment/check/basic/flake-part.nix
+++ b/deployment/check/basic/flake-part.nix
@ -17,6 +17,8 @@ let

 in
 {
+  _class = "flake";
+
  perSystem =
    { pkgs, ... }:
    {
--- a/deployment/check/basic/nixosTest.nix
+++ b/deployment/check/basic/nixosTest.nix
@ -1,6 +1,8 @@
 { inputs, ... }:

 {
+  _class = "nixosTest";
+
  name = "deployment-basic";

  nodes.deployer =
--- a/deployment/check/cli/flake-part.nix
+++ b/deployment/check/cli/flake-part.nix
@ -13,6 +13,7 @@ let
    "mastodon"
    "peertube"
    "pixelfed"
+    "attic"
  ];
  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
  pathFromRoot = ./.;
@ -20,6 +21,8 @@ let

 in
 {
+  _class = "flake";
+
  perSystem =
    { pkgs, ... }:
    {
--- a/deployment/check/cli/nixosTest.nix
+++ b/deployment/check/cli/nixosTest.nix
@ -7,6 +7,8 @@ let
 in

 {
+  _class = "nixosTest";
+
  name = "deployment-cli";

  nodes.deployer =
@ -46,6 +48,11 @@ in
            s3AccessKeyFile = dummyFile;
            s3SecretKeyFile = dummyFile;
          };
+          attic = {
+            enable = true;
+            s3AccessKeyFile = dummyFile;
+            s3SecretKeyFile = dummyFile;
+          };
          temp.cores = 1;
          temp.initialUser = {
            username = "dummy";
@ -70,6 +77,7 @@ in
  nodes.mastodon.virtualisation.memorySize = 4 * 1024;
  nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
  nodes.peertube.virtualisation.memorySize = 5 * 1024;
+  nodes.attic.virtualisation.memorySize = 2 * 1024;

  ## FIXME: The test of presence of the services are very simple: we only
  ## check that there is a systemd service of the expected name on the
@ -84,6 +92,7 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with no services enabled"):
      deployer.succeed("nixops4 apply check-deployment-cli-nothing --show-trace --no-interactive 1>&2")
@ -93,6 +102,7 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with Mastodon and Pixelfed enabled"):
      deployer.succeed("nixops4 apply check-deployment-cli-mastodon-pixelfed --show-trace --no-interactive 1>&2")
@ -102,6 +112,7 @@ in
      mastodon.succeed("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.succeed("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with only Peertube enabled"):
      deployer.succeed("nixops4 apply check-deployment-cli-peertube --show-trace --no-interactive 1>&2")
@ -111,5 +122,6 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.succeed("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
  '';
 }
--- a/deployment/check/common/deployerNode.nix
+++ b/deployment/check/common/deployerNode.nix
@ -18,6 +18,8 @@ let

 in
 {
+  _class = "nixos";
+
  imports = [ ./sharedOptions.nix ];

  options.system.extraDependenciesFromModule = mkOption {
@ -39,7 +41,7 @@ in
      ## default. These values have been trimmed down to the gigabyte.
      ## Memory use is expected to be dominated by the NixOS evaluation,
      ## which happens on the deployer.
-      memorySize = 4 * 1024;
+      memorySize = 5 * 1024;
      diskSize = 4 * 1024;
      cores = 2;
    };
@ -53,13 +55,15 @@ in

    system.extraDependencies =
      [
-        "${inputs.flake-parts}"
-        "${inputs.flake-parts.inputs.nixpkgs-lib}"
-        "${inputs.nixops4}"
-        "${inputs.nixops4-nixos}"
-        "${inputs.nixpkgs}"
-
-        "${sources.flake-inputs}"
+        inputs.flake-parts
+        inputs.flake-parts.inputs.nixpkgs-lib
+        inputs.nixops4
+        inputs.nixops4-nixos
+        inputs.nixpkgs
+        sources.nixpkgs
+        sources.flake-inputs
+        sources.vars
+        sources.nix-templating

        pkgs.stdenv
        pkgs.stdenvNoCC
--- a/deployment/check/common/nixosTest.nix
+++ b/deployment/check/common/nixosTest.nix
@ -42,6 +42,8 @@ let

 in
 {
+  _class = "nixosTest";
+
  imports = [
    ./sharedOptions.nix
  ];
--- a/deployment/check/common/sharedOptions.nix
+++ b/deployment/check/common/sharedOptions.nix
@ -11,6 +11,7 @@ let
  inherit (lib) mkOption types;

 in
+# `config` not set and imported from multiple places: no fixed module class
 {
  options = {
    targetMachines = mkOption {
--- a/deployment/check/common/targetNode.nix
+++ b/deployment/check/common/targetNode.nix
@ -12,6 +12,8 @@ let

 in
 {
+  _class = "nixos";
+
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    (modulesPath + "/../lib/testing/nixos-test-base.nix")
--- a/deployment/check/common/targetResource.nix
+++ b/deployment/check/common/targetResource.nix
@ -12,6 +12,8 @@ let
 in

 {
+  _class = "nixops4Resource";
+
  imports = [ ./sharedOptions.nix ];

  options = {
--- a/deployment/check/panel/flake-part.nix
+++ b/deployment/check/panel/flake-part.nix
@ -16,6 +16,7 @@ let
    "mastodon"
    "peertube"
    "pixelfed"
+    "attic"
  ];
  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
  pathFromRoot = ./.;
@ -23,6 +24,8 @@ let

 in
 {
+  _class = "flake";
+
  perSystem =
    { pkgs, ... }:
    {
--- a/deployment/check/panel/nixosTest.nix
+++ b/deployment/check/panel/nixosTest.nix
@ -33,6 +33,7 @@ let
      enableMastodon,
      enablePeertube,
      enablePixelfed,
+      enableAttic,
    }:
    hostPkgs.writers.writePython3Bin "interact-with-panel"
      {
@ -94,6 +95,7 @@ let
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'mastodon.enable']"), ${toPythonBool enableMastodon})
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'peertube.enable']"), ${toPythonBool enablePeertube})
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'pixelfed.enable']"), ${toPythonBool enablePixelfed})
+        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'attic.enable']"), ${toPythonBool enableAttic})

        print("Start deployment...")
        driver.find_element(By.XPATH, "//button[@id = 'deploy-button']").click()
@ -121,6 +123,8 @@ let
 in

 {
+  _class = "nixosTest";
+
  name = "deployment-panel";

  ## The panel's module sets `nixpkgs.overlays` which clashes with
@ -153,7 +157,6 @@ in
          SECRET_KEY = dummyFile;
        };
        port = panelPort;
-        nixops4Package = inputs.nixops4.packages.${pkgs.system}.default;

        deployment = {
          flake = "/run/fedipanel/flake";
@ -193,6 +196,11 @@ in
            s3AccessKeyFile = dummyFile;
            s3SecretKeyFile = dummyFile;
          };
+          attic = {
+            enable = true;
+            s3AccessKeyFile = dummyFile;
+            s3SecretKeyFile = dummyFile;
+          };
          temp.cores = 1;
          temp.initialUser = {
            username = "dummy";
@ -238,6 +246,7 @@ in
  nodes.mastodon.virtualisation.memorySize = 4 * 1024;
  nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
  nodes.peertube.virtualisation.memorySize = 5 * 1024;
+  nodes.attic.virtualisation.memorySize = 4 * 1024;

  ## FIXME: The test of presence of the services are very simple: we only
  ## check that there is a systemd service of the expected name on the
@ -310,6 +319,7 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with no services enabled"):
      client.succeed("${
@ -318,6 +328,7 @@ in
          enableMastodon = false;
          enablePeertube = false;
          enablePixelfed = false;
+          enableAttic = false;
        }
      }/bin/interact-with-panel >&2")

@ -326,6 +337,7 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with Mastodon and Pixelfed enabled"):
      client.succeed("${
@ -334,6 +346,7 @@ in
          enableMastodon = true;
          enablePeertube = false;
          enablePixelfed = true;
+          enableAttic = false;
        }
      }/bin/interact-with-panel >&2")

@ -342,6 +355,7 @@ in
      mastodon.succeed("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.succeed("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with only Peertube enabled"):
      client.succeed("${
@ -350,6 +364,7 @@ in
          enableMastodon = false;
          enablePeertube = true;
          enablePixelfed = false;
+          enableAttic = false;
        }
      }/bin/interact-with-panel >&2")

@ -358,5 +373,6 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.succeed("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
  '';
 }
--- a/deployment/configuration.sample.json
+++ b/deployment/configuration.sample.json
@ -1,8 +1,9 @@
 {
  "domain": "fediversity.net",
-  "mastodon": { "enable": false },
-  "peertube": { "enable": false },
-  "pixelfed": { "enable": false },
+  "mastodon": { "enable": true },
+  "peertube": { "enable": true },
+  "pixelfed": { "enable": true },
+  "attic": { "enable": true },
  "initialUser": {
    "displayName": "Testy McTestface",
    "username": "test",
--- a/deployment/data-model-test.nix
+++ b/deployment/data-model-test.nix
@ -11,6 +11,8 @@ let
    }).config;
 in
 {
+  _class = "nix-unit";
+
  test-eval = {
    expr =
      let
--- a/deployment/data-model.nix
+++ b/deployment/data-model.nix
@ -7,6 +7,8 @@ let
 in
 with types;
 {
+  _class = "nixops4Deployment";
+
  options = {
    runtime-environments = mkOption {
      description = "Collection of runtime environments into which applications can be deployed";
--- a/deployment/default.nix
+++ b/deployment/default.nix
@ -24,6 +24,7 @@
  mastodonConfigurationResource,
  peertubeConfigurationResource,
  pixelfedConfigurationResource,
+  atticConfigurationResource,
 }:

 ## From the hosting provider's perspective, the function is meant to be
@ -55,6 +56,7 @@ let
    mastodon = nonNull panelConfigNullable.mastodon { enable = false; };
    peertube = nonNull panelConfigNullable.peertube { enable = false; };
    pixelfed = nonNull panelConfigNullable.pixelfed { enable = false; };
+    attic = nonNull panelConfigNullable.attic { enable = false; };
  };
 in

@ -65,6 +67,8 @@ let
  cfg = config.deployment;
 in
 {
+  _class = "nixops4Deployment";
+
  options = {
    deployment = lib.mkOption {
      description = ''
@ -105,6 +109,13 @@ in
            s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
            s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
          };
+        atticS3KeyConfig =
+          { pkgs, ... }:
+          {
+            # REVIEW: how were these generated above? how do i add one?
+            s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKaaaaaaaaaaaaaaaaaaaaaaaa";
+            s3SecretKeyFile = pkgs.writeText "s3SecretKey" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+          };

        makeConfigurationResource = resourceModule: config: {
          type = providers.local.exec;
@ -138,13 +149,14 @@ in
      {
        garage-configuration = makeConfigurationResource garageConfigurationResource (
          { pkgs, ... }:
-          mkIf (cfg.mastodon.enable || cfg.peertube.enable || cfg.pixelfed.enable) {
+          mkIf (cfg.mastodon.enable || cfg.peertube.enable || cfg.pixelfed.enable || cfg.attic.enable) {
            fediversity = {
              inherit (cfg) domain;
              garage.enable = true;
              pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
              mastodon = mastodonS3KeyConfig { inherit pkgs; };
              peertube = peertubeS3KeyConfig { inherit pkgs; };
+              attic = atticS3KeyConfig { inherit pkgs; };
            };
          }
        );
@ -211,6 +223,25 @@ in
            };
          }
        );
+
+        attic-configuration = makeConfigurationResource atticConfigurationResource (
+          { pkgs, ... }:
+          mkIf cfg.attic.enable {
+            fediversity = {
+              inherit (cfg) domain;
+              temp.initialUser = {
+                inherit (cfg.initialUser) username email displayName;
+                # FIXME: disgusting, but nvm, this is going to be replaced by
+                # proper central authentication at some point
+                passwordFile = pkgs.writeText "password" cfg.initialUser.password;
+              };
+
+              attic = atticS3KeyConfig { inherit pkgs; } // {
+                enable = true;
+              };
+            };
+          }
+        );
      };
  };
 }
--- a/deployment/flake-part.nix
+++ b/deployment/flake-part.nix
@ -1,4 +1,6 @@
 {
+  _class = "flake";
+
  imports = [
    ./check/basic/flake-part.nix
    ./check/cli/flake-part.nix
--- a/deployment/options.nix
+++ b/deployment/options.nix
@ -17,6 +17,8 @@ let
  inherit (lib) types mkOption;
 in
 {
+  _class = "nixops4Deployment";
+
  options = {
    enable = lib.mkEnableOption "Fediversity configuration";
    domain = mkOption {
@ -69,6 +71,19 @@ in
        });
      default = null;
    };
+    attic = mkOption {
+      description = ''
+        Configuration for the Attic service
+      '';
+      type =
+        with types;
+        nullOr (submodule {
+          options = {
+            enable = lib.mkEnableOption "Attic";
+          };
+        });
+      default = null;
+    };
    initialUser = mkOption {
      description = ''
        Some services require an initial user to access them.
--- a/flake.nix
+++ b/flake.nix
@ -11,7 +11,7 @@
    let
      sources = import ./npins;
      inherit (import sources.flake-inputs) import-flake;
-      inherit (sources) git-hooks agenix;
+      inherit (sources) git-hooks;
      # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
      # XXX - this is just importing a flake
      nixpkgs = import-flake { src = sources.nixpkgs; };
@ -43,7 +43,7 @@
          ];

          imports = [
-            (import "${git-hooks}/flake-module.nix")
+            "${git-hooks}/flake-module.nix"
            inputs.nixops4.modules.flake.default

            ./deployment/flake-part.nix
@ -54,7 +54,6 @@
            {
              pkgs,
              lib,
-              inputs',
              ...
            }:
            {
@ -73,21 +72,6 @@
                  trim-trailing-whitespace.enable = true;
                  shellcheck.enable = true;
                };
-
-              devShells.default = pkgs.mkShell {
-                packages = [
-                  pkgs.npins
-                  pkgs.nil
-                  (pkgs.callPackage "${agenix}/pkgs/agenix.nix" { })
-                  pkgs.openssh
-                  pkgs.httpie
-                  pkgs.jq
-                  # exposing this env var as a hack to pass info in from form
-                  (inputs'.nixops4.packages.default.overrideAttrs {
-                    impureEnvVars = [ "DEPLOYMENT" ];
-                  })
-                ];
-              };
            };
        }
      );
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@ -5,6 +5,8 @@ let

 in
 {
+  _class = "nixos";
+
  imports = [
    ./hardware.nix
    ./networking.nix
--- a/infra/common/nixos/hardware.nix
+++ b/infra/common/nixos/hardware.nix
@ -1,6 +1,8 @@
 { modulesPath, ... }:

 {
+  _class = "nixos";
+
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

  boot = {
--- a/infra/common/nixos/networking.nix
+++ b/infra/common/nixos/networking.nix
@ -1,63 +1,64 @@
 { config, lib, ... }:

 let
-  inherit (lib) mkDefault;
+  inherit (lib) mkDefault mkIf mkMerge;

 in
 {
+  _class = "nixos";
+
  config = {
    services.openssh = {
      enable = true;
      settings.PasswordAuthentication = false;
    };

-    networking = {
+    networking = mkMerge [
+      {
        hostName = config.fediversityVm.name;
        domain = config.fediversityVm.domain;

        ## REVIEW: Do we actually need that, considering that we have static IPs?
        useDHCP = mkDefault true;

-      interfaces = {
-        eth0 = {
-          ipv4 = {
-            addresses = [
-              {
-                inherit (config.fediversityVm.ipv4) address prefixLength;
-              }
-            ];
-          };
-          ipv6 = {
-            addresses = [
-              {
-                inherit (config.fediversityVm.ipv6) address prefixLength;
-              }
-            ];
-          };
-        };
-      };
-
-      defaultGateway = {
-        address = config.fediversityVm.ipv4.gateway;
-        interface = "eth0";
-      };
-      defaultGateway6 = {
-        address = config.fediversityVm.ipv6.gateway;
-        interface = "eth0";
-      };
-
-      nameservers = [
-        "95.215.185.6"
-        "95.215.185.7"
-        "2a00:51c0::5fd7:b906"
-        "2a00:51c0::5fd7:b907"
-      ];
-
+        ## Disable the default firewall and use nftables instead, with a custom
+        ## Procolix-made ruleset.
        firewall.enable = false;
        nftables = {
          enable = true;
          rulesetFile = ./nftables-ruleset.nft;
        };
+      }
+
+      ## IPv4
+      (mkIf config.fediversityVm.ipv4.enable {
+        interfaces.${config.fediversityVm.ipv4.interface}.ipv4.addresses = [
+          { inherit (config.fediversityVm.ipv4) address prefixLength; }
+        ];
+        defaultGateway = {
+          address = config.fediversityVm.ipv4.gateway;
+          interface = config.fediversityVm.ipv4.interface;
        };
+        nameservers = [
+          "95.215.185.6"
+          "95.215.185.7"
+        ];
+      })
+
+      ## IPv6
+      (mkIf config.fediversityVm.ipv6.enable {
+        interfaces.${config.fediversityVm.ipv6.interface}.ipv6.addresses = [
+          { inherit (config.fediversityVm.ipv6) address prefixLength; }
+        ];
+        defaultGateway6 = {
+          address = config.fediversityVm.ipv6.gateway;
+          interface = config.fediversityVm.ipv6.interface;
+        };
+        nameservers = [
+          "2a00:51c0::5fd7:b906"
+          "2a00:51c0::5fd7:b907"
+        ];
+      })
+    ];
  };
 }
--- a/infra/common/nixos/users.nix
+++ b/infra/common/nixos/users.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixos";
+
  users.users = {
    procolix = {
      isNormalUser = true;
--- a/infra/common/options.nix
+++ b/infra/common/options.nix
@ -6,6 +6,8 @@ let

 in
 {
+  # `config` not set and imported from multiple places: no fixed module class
+
  options.fediversityVm = {

    ##########################################################################
@ -89,6 +91,17 @@ in
    };

    ipv4 = {
+      enable = mkOption {
+        default = true;
+      };
+
+      interface = mkOption {
+        description = ''
+          The interface that carries the machine's IPv4 network.
+        '';
+        default = "eth0";
+      };
+
      address = mkOption {
        description = ''
          The IP address of the machine, version 4. It will be injected as a
@ -114,6 +127,17 @@ in
    };

    ipv6 = {
+      enable = mkOption {
+        default = true;
+      };
+
+      interface = mkOption {
+        description = ''
+          The interface that carries the machine's IPv6 network.
+        '';
+        default = "eth0";
+      };
+
      address = mkOption {
        description = ''
          The IP address of the machine, version 6. It will be injected as a
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -10,7 +10,7 @@ let
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;
  sources = import ../../npins;
-  inherit (sources) agenix disko;
+  inherit (sources) agenix disko vars;

  secretsPrefix = ../../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");
@ -18,6 +18,8 @@ let

 in
 {
+  _class = "nixops4Resource";
+
  imports = [ ./options.nix ];

  fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};
@ -34,8 +36,10 @@ in
  ## should go into the `./nixos` subdirectory.
  nixos.module = {
    imports = [
-      (import "${agenix}/modules/age.nix")
-      (import "${disko}/module.nix")
+      "${agenix}/modules/age.nix"
+      "${disko}/module.nix"
+      "${vars}/options.nix"
+      "${vars}/backends/on-machine.nix"
      ./options.nix
      ./nixos
    ];
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -94,6 +94,10 @@ let
          vmName = "test04";
          isTestVm = true;
        };
+        atticConfigurationResource = makeResourceModule {
+          vmName = "test12";
+          isTestVm = true;
+        };
      };

  nixops4ResourceNixosMockOptions = {
@ -155,6 +159,8 @@ let

 in
 {
+  _class = "flake";
+
  ## - Each normal or test machine gets a NixOS configuration.
  ## - Each normal or test machine gets a VM options entry.
  ## - Each normal machine gets a deployment.
--- a/machines/dev/fedi200/default.nix
+++ b/machines/dev/fedi200/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 200;
    proxmox = "fediversity";
--- a/machines/dev/fedi201/default.nix
+++ b/machines/dev/fedi201/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 201;
    proxmox = "fediversity";
--- a/machines/dev/fedi201/fedipanel.nix
+++ b/machines/dev/fedi201/fedipanel.nix
@ -6,6 +6,8 @@ let
  name = "panel";
 in
 {
+  _class = "nixos";
+
  imports = [
    (import ../../../panel { }).module
  ];
--- a/machines/dev/vm02116/default.nix
+++ b/machines/dev/vm02116/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 2116;
    proxmox = "procolix";
--- a/machines/dev/vm02116/forgejo.nix
+++ b/machines/dev/vm02116/forgejo.nix
@ -5,6 +5,8 @@ let

 in
 {
+  _class = "nixos";
+
  services.forgejo = {
    enable = true;

--- a/machines/dev/vm02187/default.nix
+++ b/machines/dev/vm02187/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 2187;
    proxmox = "procolix";
--- a/machines/dev/vm02187/wiki.nix
+++ b/machines/dev/vm02187/wiki.nix
@ -1,6 +1,8 @@
 { config, ... }:

 {
+  _class = "nixos";
+
  services.phpfpm.pools.mediawiki.phpOptions = ''
    upload_max_filesize = 1024M;
    post_max_size = 1024M;
--- a/machines/operator/test01/default.nix
+++ b/machines/operator/test01/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 7001;
    proxmox = "fediversity";
--- a/machines/operator/test02/default.nix
+++ b/machines/operator/test02/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 7002;
    proxmox = "fediversity";
--- a/machines/operator/test03/default.nix
+++ b/machines/operator/test03/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 7003;
    proxmox = "fediversity";
--- a/machines/operator/test04/default.nix
+++ b/machines/operator/test04/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 7004;
    proxmox = "fediversity";
--- a/machines/operator/test05/default.nix
+++ b/machines/operator/test05/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 7005;
    proxmox = "fediversity";
--- a/machines/operator/test06/default.nix
+++ b/machines/operator/test06/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 7006;
    proxmox = "fediversity";
--- a/machines/operator/test11/default.nix
+++ b/machines/operator/test11/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 7011;
    proxmox = "fediversity";
--- a/machines/operator/test12/default.nix
+++ b/machines/operator/test12/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 7012;
    proxmox = "fediversity";
@ -16,4 +18,10 @@
      gateway = "2a00:51c0:13:1305::1";
    };
  };
+
+  nixos.module = {
+    imports = [
+      ../../../services/fediversity/attic
+    ];
+  };
 }
--- a/machines/operator/test13/default.nix
+++ b/machines/operator/test13/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 7013;
    proxmox = "fediversity";
--- a/machines/operator/test14/default.nix
+++ b/machines/operator/test14/default.nix
@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
  fediversityVm = {
    vmId = 7014;
    proxmox = "fediversity";
--- a/npins/sources.json
+++ b/npins/sources.json
@ -112,6 +112,19 @@
      "url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4",
      "hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2"
    },
+    "nix-templating": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "KiaraGrouwstra",
+        "repo": "nix-templating"
+      },
+      "branch": "lib-default-arg",
+      "submodules": false,
+      "revision": "e1ff247d508b4efd057a4d6bb13cf45b62c2512f",
+      "url": "https://github.com/KiaraGrouwstra/nix-templating/archive/e1ff247d508b4efd057a4d6bb13cf45b62c2512f.tar.gz",
+      "hash": "0g59h4r029jw8vlvn8da62fk9m737s80fg2qk57322iv9lkqlvp0"
+    },
    "nix-unit": {
      "type": "Git",
      "repository": {
@ -137,6 +150,19 @@
      "revision": "f33a4d26226c05d501b9d4d3e5e60a3a59991921",
      "url": "https://github.com/nixos/nixpkgs/archive/f33a4d26226c05d501b9d4d3e5e60a3a59991921.tar.gz",
      "hash": "1b6dm1sn0bdpcsmxna0zzspjaixa2dald08005fry5jrbjvwafdj"
+    },
+    "vars": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "kiaragrouwstra",
+        "repo": "vars"
+      },
+      "branch": "templates",
+      "submodules": false,
+      "revision": "6ff942bf2b514edaa1022a92edb6552ac32a09d1",
+      "url": "https://github.com/kiaragrouwstra/vars/archive/6ff942bf2b514edaa1022a92edb6552ac32a09d1.tar.gz",
+      "hash": "1h1q3l1l1c1j4ak5lcj2yh85jwqww74ildiak2dkd4h1js9v6cvw"
    }
  },
  "version": 5
--- a/panel/default.nix
+++ b/panel/default.nix
@ -22,12 +22,12 @@ in
      manage

      # NixOps4 and its dependencies
-      # FIXME: grab NixOps4 and add it here
+      pkgs.nixops4
      pkgs.nix
      pkgs.openssh
    ];
    env = {
-      DEPLOYMENT_FLAKE = ../.;
+      DEPLOYMENT_FLAKE = toString ../.;
      DEPLOYMENT_NAME = "test";
      NPINS_DIRECTORY = toString ../npins;
      CREDENTIALS_DIRECTORY = toString ./.credentials;
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@ -76,6 +76,8 @@ in
 #       https://git.dgnum.eu/mdebray/djangonix/
 #       unlicensed at the time of writing, but surely worth taking some inspiration from...
 {
+  _class = "nixos";
+
  options.services.${name} = {
    enable = mkEnableOption "Service configuration for `${name}`";
    production = mkOption {
@ -145,6 +147,7 @@ in
        NixOps4 from the package's npins-based code, we will have to do with
        this workaround.
      '';
+      default = pkgs.nixops4;
    };

    deployment = {
--- a/panel/nix/overlay.nix
+++ b/panel/nix/overlay.nix
@ -8,4 +8,17 @@ let
 in
 {
  python3 = prev.lib.attrsets.recursiveUpdate prev.python3 { pkgs = extraPython3Packages; };
+  nixops4 =
+    let
+      sources = import ../../npins;
+      inherit (import sources.flake-inputs) import-flake;
+      inherit
+        (import-flake {
+          src = ../../.;
+        })
+        inputs
+        ;
+      inherit (inputs) nixops4;
+    in
+    nixops4.packages.${prev.system}.default;
 }
--- a/panel/nix/package.nix
+++ b/panel/nix/package.nix
@ -60,6 +60,8 @@ let
    ];
 in
 python3.pkgs.buildPythonPackage {
+  _class = "package";
+
  pname = name;
  inherit (pyproject.project) version;
  pyproject = true;
--- a/panel/nix/python-packages/django-pydantic-field/default.nix
+++ b/panel/nix/python-packages/django-pydantic-field/default.nix
@ -8,6 +8,8 @@
 }:

 buildPythonPackage rec {
+  _class = "package";
+
  pname = "django-pydantic-field";
  version = "v0.3.12";
  pyproject = true;
--- a/panel/nix/python-packages/drf-pydantic/default.nix
+++ b/panel/nix/python-packages/drf-pydantic/default.nix
@ -10,6 +10,8 @@
 }:

 buildPythonPackage rec {
+  _class = "package";
+
  pname = "drf-pydantic";
  version = "v2.7.1";
  pyproject = true;
--- a/panel/nix/tests.nix
+++ b/panel/nix/tests.nix
@ -13,7 +13,6 @@ let
      secrets = {
        SECRET_KEY = pkgs.writeText "SECRET_KEY" "secret";
      };
-      nixops4Package = pkgs.hello; # FIXME: actually pass NixOps4
    };

    virtualisation = {
--- a/services/default.nix
+++ b/services/default.nix
@ -6,8 +6,8 @@
 }:
 {
  tests = {
-    mastodon = import ./tests/mastodon.nix { inherit pkgs; };
-    pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs; };
-    peertube = import ./tests/peertube.nix { inherit pkgs; };
+    mastodon = pkgs.nixosTest ./tests/mastodon.nix;
+    pixelfed-garage = pkgs.nixosTest ./tests/pixelfed-garage.nix;
+    peertube = pkgs.nixosTest ./tests/peertube.nix;
  };
 }
--- a/services/fediversity/attic/default.nix
+++ b/services/fediversity/attic/default.nix
@ -0,0 +1,322 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkIf mkMerge;
+  sources = import ../../../npins;
+in
+{
+  imports = with sources; [
+    ./options.nix
+    "${vars}/options.nix"
+    "${vars}/backends/on-machine.nix"
+  ];
+
+  config = mkMerge [
+    (mkIf
+      (
+        config.fediversity.garage.enable
+        && config.fediversity.attic.s3AccessKeyFile != null
+        && config.fediversity.attic.s3SecretKeyFile != null
+      )
+      {
+        fediversity.garage = {
+          ensureBuckets = {
+            attic = {
+              website = true;
+              # TODO: these are too broad, after getting everything to work narrow it down to the domain we actually want
+              corsRules = {
+                enable = true;
+                allowedHeaders = [ "*" ];
+                allowedMethods = [ "GET" ];
+                allowedOrigins = [ "*" ];
+              };
+            };
+          };
+          ensureKeys = {
+            attic = {
+              inherit (config.fediversity.attic) s3AccessKeyFile s3SecretKeyFile;
+              ensureAccess = {
+                attic = {
+                  read = true;
+                  write = true;
+                  owner = true;
+                };
+              };
+            };
+          };
+        };
+      }
+    )
+    (mkIf config.fediversity.attic.enable {
+
+      services.postgresql = {
+        enable = true;
+        authentication = lib.mkForce ''
+          local all all trust
+        '';
+        ensureDatabases = [
+          "atticd"
+        ];
+        ensureUsers = [
+          {
+            name = "atticd";
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+
+      # open up access to the mastodon web interface. 80 is necessary if only for ACME
+      networking.firewall.allowedTCPPorts = [
+        80
+        443
+        8080
+      ];
+
+      vars.settings.on-machine.enable = true;
+      vars.generators."templates" = rec {
+        dependencies = [ "attic" ];
+        runtimeInputs = [
+          pkgs.coreutils
+          pkgs.gnused
+        ];
+        script = lib.concatStringsSep "\n" (
+          lib.mapAttrsToList (template: _: ''
+            cp "$templates/${template}" "$out/${template}"
+            echo "filling placeholders in template ${template}..."
+            ${lib.concatStringsSep "\n" (
+              lib.mapAttrsToList (
+                parent:
+                { placeholder, ... }:
+                ''
+                  sed -i "s/${placeholder}/$(cat "$in/attic/${parent}")/g" "$out/${template}"
+                  echo "- substituted ${parent}"
+                ''
+              ) config.vars.generators."attic".files
+            )}
+          '') files
+        );
+
+        files."attic.env" = {
+          secret = true;
+          template = pkgs.writeText "attic.env" ''
+            ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${config.vars.generators.attic.files.token.placeholder}
+            AWS_ACCESS_KEY_ID=$(cat ${config.fediversity.attic.s3AccessKeyFile})
+            AWS_SECRET_ACCESS_KEY=$(cat ${config.fediversity.attic.s3SecretKeyFile})
+          '';
+        };
+      };
+
+      vars.generators.attic = {
+        runtimeInputs = [ pkgs.openssl ];
+        files.token.secret = true;
+        script = ''
+          genrsa -traditional 4096 | base64 -w0 > "$out"/token
+        '';
+      };
+
+      services.atticd = {
+        enable = true;
+        # one `monolithic` and any number of `api-server` nodes
+        mode = "monolithic";
+
+        environmentFile = config.vars.generators."templates".files."attic.env".path;
+
+        # https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
+        settings = {
+          # Socket address to listen on
+          # listen = "[::]:8080";
+          listen = "0.0.0.0:8080";
+          # listen = "127.0.0.1:8080";
+
+          # Allowed `Host` headers
+          #
+          # This _must_ be configured for production use. If unconfigured or the
+          # list is empty, all `Host` headers are allowed.
+          allowed-hosts = [ ];
+
+          # The canonical API endpoint of this server
+          #
+          # This is the endpoint exposed to clients in `cache-config` responses.
+          #
+          # This _must_ be configured for production use. If not configured, the
+          # API endpoint is synthesized from the client's `Host` header which may
+          # be insecure.
+          #
+          # The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
+          # not `https://domain.tld/attic`).
+          api-endpoint = "https://${config.fediversity.attic.domain}/";
+
+          # Whether to soft-delete caches
+          #
+          # If this is enabled, caches are soft-deleted instead of actually
+          # removed from the database. Note that soft-deleted caches cannot
+          # have their names reused as long as the original database records
+          # are there.
+          #soft-delete-caches = false;
+
+          # Whether to require fully uploading a NAR if it exists in the global cache.
+          #
+          # If set to false, simply knowing the NAR hash is enough for
+          # an uploader to gain access to an existing NAR in the global
+          # cache.
+          #require-proof-of-possession = true;
+
+          # Database connection
+          database = {
+            # Connection URL
+            #
+            # For production use it's recommended to use PostgreSQL.
+            # url = "postgresql:///atticd:password@127.0.0.1:5432/atticd";
+            url = "postgresql:///atticd?host=/run/postgresql";
+
+            # Whether to enable sending on periodic heartbeat queries
+            #
+            # If enabled, a heartbeat query will be sent every minute
+            #heartbeat = false;
+          };
+
+          # File storage configuration
+          storage = {
+            # Storage type
+            #
+            # Can be "local" or "s3".
+            type = "s3";
+
+            # ## Local storage
+
+            # The directory to store all files under
+            # path = "%storage_path%";
+
+            # ## S3 Storage (set type to "s3" and uncomment below)
+
+            # The AWS region
+            region = "garage";
+
+            # The name of the bucket
+            bucket = "attic";
+
+            # Custom S3 endpoint
+            #
+            # Set this if you are using an S3-compatible object storage (e.g., Minio).
+            endpoint = config.fediversity.garage.api.url;
+
+            # Credentials
+            #
+            # If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
+            # `AWS_SECRET_ACCESS_KEY` environment variables.
+            # storage.credentials = {
+            #   access_key_id = "";
+            #   secret_access_key = "";
+            # };
+          };
+
+          # Data chunking
+          #
+          # Warning: If you change any of the values here, it will be
+          # difficult to reuse existing chunks for newly-uploaded NARs
+          # since the cutpoints will be different. As a result, the
+          # deduplication ratio will suffer for a while after the change.
+          chunking = {
+            # The minimum NAR size to trigger chunking
+            #
+            # If 0, chunking is disabled entirely for newly-uploaded NARs.
+            # If 1, all NARs are chunked.
+            nar-size-threshold = 65536; # chunk files that are 64 KiB or larger
+
+            # The preferred minimum size of a chunk, in bytes
+            min-size = 16384; # 16 KiB
+
+            # The preferred average size of a chunk, in bytes
+            avg-size = 65536; # 64 KiB
+
+            # The preferred maximum size of a chunk, in bytes
+            max-size = 262144; # 256 KiB
+          };
+
+          # Compression
+          compression = {
+            # Compression type
+            #
+            # Can be "none", "brotli", "zstd", or "xz"
+            type = "zstd";
+
+            # Compression level
+            #level = 8;
+          };
+
+          # Garbage collection
+          garbage-collection = {
+            # The frequency to run garbage collection at
+            #
+            # By default it's 12 hours. You can use natural language
+            # to specify the interval, like "1 day".
+            #
+            # If zero, automatic garbage collection is disabled, but
+            # it can still be run manually with `atticd --mode garbage-collector-once`.
+            interval = "12 hours";
+
+            # Default retention period
+            #
+            # Zero (default) means time-based garbage-collection is
+            # disabled by default. You can enable it on a per-cache basis.
+            #default-retention-period = "6 months";
+          };
+
+          # jwt = {
+          # WARNING: Changing _anything_ in this section will break any existing
+          # tokens. If you need to regenerate them, ensure that you use the the
+          # correct secret and include the `iss` and `aud` claims.
+
+          # JWT `iss` claim
+          #
+          # Set this to the JWT issuer that you want to validate.
+          # If this is set, all received JWTs will validate that the `iss` claim
+          # matches this value.
+          #token-bound-issuer = "some-issuer";
+
+          # JWT `aud` claim
+          #
+          # Set this to the JWT audience(s) that you want to validate.
+          # If this is set, all received JWTs will validate that the `aud` claim
+          # contains at least one of these values.
+          #token-bound-audiences = ["some-audience1", "some-audience2"];
+          # };
+
+          # jwt.signing = {
+          # You must configure JWT signing and verification inside your TOML configuration by setting one of the following options in the [jwt.signing] block:
+          # * token-rs256-pubkey-base64
+          # * token-rs256-secret-base64
+          # * token-hs256-secret-base64
+          # or by setting one of the following environment variables:
+          # * ATTIC_SERVER_TOKEN_RS256_PUBKEY_BASE64
+          # * ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64
+          # * ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64
+          # Options will be tried in that same order (configuration options first, then environment options if none of the configuration options were set, starting with the respective RSA pubkey option, the RSA secret option, and finally the HMAC secret option). The first option that is found will be used.
+          # If an RS256 pubkey (asymmetric RSA PEM PKCS1 public key) is provided, it will only be possible to verify received JWTs, and not sign new JWTs.
+          # If an RS256 secret (asymmetric RSA PEM PKCS1 private key) is provided, it will be used for both signing new JWTs and verifying received JWTs.
+          # If an HS256 secret (symmetric HMAC secret) is provided, it will be used for both signing new JWTs and verifying received JWTs.
+
+          # JWT RS256 secret key
+          #
+          # Set this to the base64-encoded private half of an RSA PEM PKCS1 key.
+          # TODO
+          # You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64`
+          # environment variable.
+          # token-rs256-secret-base64 = "%token_rs256_secret_base64%";
+
+          # JWT HS256 secret key
+          #
+          # Set this to the base64-encoded HMAC secret key.
+          # You can also set it via the `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64`
+          # environment variable.
+          #token-hs256-secret-base64 = "";
+          # };
+        };
+      };
+    })
+  ];
+}
--- a/services/fediversity/attic/options.nix
+++ b/services/fediversity/attic/options.nix
@ -0,0 +1,14 @@
+{ config, lib, ... }:
+
+{
+  options.fediversity.attic =
+    (import ../sharedOptions.nix {
+      inherit config lib;
+      serviceName = "attic";
+      serviceDocName = "Attic Nix Cache server";
+    })
+    //
+
+    {
+    };
+}
--- a/services/fediversity/default.nix
+++ b/services/fediversity/default.nix
@ -6,11 +6,14 @@ let

 in
 {
+  _class = "nixos";
+
  imports = [
    ./garage
    ./mastodon
    ./pixelfed
    ./peertube
+    ./attic
  ];

  options = {
--- a/services/fediversity/garage/default.nix
+++ b/services/fediversity/garage/default.nix
@ -97,6 +97,8 @@ let

 in
 {
+  _class = "nixos";
+
  imports = [ ./options.nix ];

  config = mkIf config.fediversity.garage.enable {
--- a/services/fediversity/garage/options.nix
+++ b/services/fediversity/garage/options.nix
@ -5,6 +5,8 @@ let
 in

 {
+  _class = "nixos";
+
  options.fediversity.garage = {
    enable = mkEnableOption "Enable a Garage server on the machine";

--- a/services/fediversity/mastodon/default.nix
+++ b/services/fediversity/mastodon/default.nix
@ -11,6 +11,8 @@ let

 in
 {
+  _class = "nixos";
+
  imports = [ ./options.nix ];

  config = mkMerge [
--- a/services/fediversity/mastodon/options.nix
+++ b/services/fediversity/mastodon/options.nix
@ -1,6 +1,8 @@
 { config, lib, ... }:

 {
+  _class = "nixos";
+
  options.fediversity.mastodon =
    (import ../sharedOptions.nix {
      inherit config lib;
--- a/services/fediversity/peertube/default.nix
+++ b/services/fediversity/peertube/default.nix
@ -5,6 +5,8 @@ let

 in
 {
+  _class = "nixos";
+
  imports = [ ./options.nix ];

  config = mkMerge [
--- a/services/fediversity/peertube/options.nix
+++ b/services/fediversity/peertube/options.nix
@ -6,6 +6,8 @@ let

 in
 {
+  _class = "nixos";
+
  options.fediversity.peertube =
    (import ../sharedOptions.nix {
      inherit config lib;
--- a/services/fediversity/pixelfed/default.nix
+++ b/services/fediversity/pixelfed/default.nix
@ -15,6 +15,8 @@ let

 in
 {
+  _class = "nixos";
+
  imports = [ ./options.nix ];

  config = mkMerge [
--- a/services/fediversity/pixelfed/options.nix
+++ b/services/fediversity/pixelfed/options.nix
@ -1,6 +1,8 @@
 { config, lib, ... }:

 {
+  _class = "nixos";
+
  options.fediversity.pixelfed =
    (import ../sharedOptions.nix {
      inherit config lib;
--- a/services/fediversity/sharedOptions.nix
+++ b/services/fediversity/sharedOptions.nix
@ -14,6 +14,8 @@ let

 in
 {
+  _class = "nixos";
+
  enable = mkEnableOption "Enable a ${serviceDocName} server on the machine";

  s3AccessKeyFile = mkOption {
--- a/services/tests/mastodon.nix
+++ b/services/tests/mastodon.nix
@ -42,7 +42,7 @@ let
      '';
 in

-pkgs.nixosTest {
+{
  name = "mastodon";

  nodes = {
--- a/services/tests/peertube.nix
+++ b/services/tests/peertube.nix
@ -161,7 +161,7 @@ let
  '';
 in

-pkgs.nixosTest {
+{
  name = "peertube";

  nodes = {
--- a/services/tests/pixelfed-garage.nix
+++ b/services/tests/pixelfed-garage.nix
@ -114,7 +114,7 @@ let
        ${seleniumQuit}'';

 in
-pkgs.nixosTest {
+{
  name = "test-pixelfed-garage";

  nodes = {
--- a/services/tests/rebuildableTest.nix
+++ b/services/tests/rebuildableTest.nix
@ -127,6 +127,8 @@ let
      preOverride = pkgs.nixosTest (
        test
        // {
+          _class = "nixosTest";
+
          interactive = (test.interactive or { }) // {
            # no need to // with test.interactive.nodes here, since we are iterating
            # over all of them, and adding back in the config via `imports`
--- a/services/vm/garage-vm.nix
+++ b/services/vm/garage-vm.nix
@ -10,6 +10,8 @@ let

 in
 {
+  _class = "nixos";
+
  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];

  fediversity.garage.enable = true;
--- a/services/vm/interactive-vm.nix
+++ b/services/vm/interactive-vm.nix
@ -1,6 +1,8 @@
 # customize nixos-rebuild build-vm to be a bit more convenient
 { pkgs, ... }:
 {
+  _class = "nixos";
+
  # let us log in
  users.mutableUsers = false;
  users.users.root.hashedPassword = "";
--- a/services/vm/mastodon-vm.nix
+++ b/services/vm/mastodon-vm.nix
@ -6,6 +6,7 @@
  ...
 }:
 {
+  _class = "nixos";

  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];

--- a/services/vm/peertube-vm.nix
+++ b/services/vm/peertube-vm.nix
@ -5,6 +5,8 @@
 }:

 {
+  _class = "nixos";
+
  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];

  fediversity = {
--- a/services/vm/pixelfed-vm.nix
+++ b/services/vm/pixelfed-vm.nix
@ -11,6 +11,8 @@ let
 in

 {
+  _class = "nixos";
+
  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];

  fediversity = {
Author	SHA1	Message	Date
Kiara Grouwstra	d53dff003e	upgrade memory to resolve oom	2025-07-01 17:57:00 +02:00
Kiara Grouwstra	604803aea3	[wip] handling env file (still fails)	2025-07-01 17:57:00 +02:00
Kiara Grouwstra	5d0ecc08c1	use templating fork	2025-07-01 17:57:00 +02:00
Kiara Grouwstra	c1141534a9	add tests, fix some things	2025-07-01 17:57:00 +02:00
Kiara Grouwstra	441097a49b	unrelated improvements	2025-07-01 17:57:00 +02:00
Kiara Grouwstra	86bed1ced1	move from dev to operator	2025-07-01 17:57:00 +02:00
Kiara Grouwstra	721e0ae961	WIP: add attic cache, see #92 flesh out attic TODO keys nginx-port testing fix key fix key	2025-07-01 17:57:00 +02:00
Nicolas “Niols” Jeannerod	c1dc0fef01	Split nameservers between IPv4 and IPv6 (#420 ) Reviewed-on: Fediversity/Fediversity#420 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-01 13:09:06 +02:00
Kiara Grouwstra	5a3cbe4d83	fix agenix package in shell (#422 ) as per Fediversity/Fediversity#419 (comment) Reviewed-on: Fediversity/Fediversity#422 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-01 11:29:38 +02:00
Kiara Grouwstra	fd1d55df5f	move shell from flake	2025-07-01 10:22:58 +02:00
Kiara Grouwstra	0c23115cff	allow configuring network interface (#413 ) Reviewed-on: Fediversity/Fediversity#413 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-30 19:23:51 +02:00
Nicolas “Niols” Jeannerod	3f1c8a9bb7	Document why Nix and OpenSSH lost in #412. Alternatively, we could have a comment on both lines saying eg. “for NixOps4”	2025-06-30 14:30:29 +02:00
Kiara Grouwstra	737aecaba6	set default value for nixops4Package (#412 ) Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Reviewed-on: Fediversity/Fediversity#412 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-30 12:44:53 +02:00
Kiara Grouwstra	d7dbdd923c	make CI test invocations idempotent to better facilitate manual use (#416 ) Reviewed-on: Fediversity/Fediversity#416 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-30 12:42:19 +02:00
Kiara Grouwstra	1c44004cfe	update documentation for #375 (#406 ) Reviewed-on: Fediversity/Fediversity#406 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-27 14:40:40 +02:00
Kiara Grouwstra	ae444d5352	simplify imports (#415 ) Reviewed-on: Fediversity/Fediversity#415 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-27 14:01:41 +02:00
Valentin Gagarin	e77fdd9eec	expose nixops4 in `nix-shell` (#411 ) Instead of Fediversity/Fediversity#406 Eventually we should merge `//panel/default.nix` with `//default.nix` of course. Co-authored-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-on: Fediversity/Fediversity#411 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-committed-by: Valentin Gagarin <valentin.gagarin@tweag.io>	2025-06-27 12:00:47 +02:00
Kiara Grouwstra	1f1cf0d516	unset class, fixing #408 (#410 ) Reviewed-on: Fediversity/Fediversity#410 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-27 11:53:17 +02:00
Kiara Grouwstra	f94eac698a	disable updater schedule while it hangs	2025-06-26 17:01:40 +02:00
Kiara Grouwstra	46182e7512	fix workflow step title (#404 ) split off from #399 Reviewed-on: Fediversity/Fediversity#404 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-24 08:58:01 +02:00
Kiara Grouwstra	9a25a04bfa	specify `_class` module attributes to explicitly declare module types (#398 ) closes #93. note that this includes classes: - `nixos` - `nixosTest` - `nixops4Resource` - `nixops4Deployment` .. and my (made-up, as per the [docs](https://ryantm.github.io/nixpkgs/module-system/module-system/#module-system-lib-evalModules-param-class)): - `nix-unit` - `package` .. while i did not manage to cover: - service tests, given `pkgs.nixosTest` seemed to not actually like `_class = "nixosTest"` (?!) ... nor #93's mentioned destructured arguments for that matter, as per Fediversity/Fediversity#93 (comment) - let me know if that is still desired as well. Reviewed-on: Fediversity/Fediversity#398 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-23 17:24:54 +02:00
Valentin Gagarin	c1b33121b6	expose npins in shell for CI (#403 ) Should fix Fediversity/Fediversity#65 (comment) Reviewed-on: Fediversity/Fediversity#403 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-committed-by: Valentin Gagarin <valentin.gagarin@tweag.io>	2025-06-23 17:21:32 +02:00
Kiara Grouwstra	d073bd706d	cast `DEPLOYMENT_FLAKE` to string	2025-06-22 14:42:14 +02:00
Kiara Grouwstra	486b316885	run updater natively (#394 ) see Fediversity/Fediversity#65 (comment). closes #65. Reviewed-on: Fediversity/Fediversity#394 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-20 09:41:38 +02:00
Kiara Grouwstra	611c961dcf	separate test declarations from invocations (#396 ) see Fediversity/Fediversity#395 (comment) Reviewed-on: Fediversity/Fediversity#396 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-19 18:11:08 +02:00