runs-on: docker

rm runner file
explicitly specify container image
2025-07-02 18:47:35 +02:00 · 2025-07-02 18:47:35 +02:00 · 2025-07-02 18:47:35 +02:00 · 2025-07-02 18:47:35 +02:00 · 2025-07-02 18:47:35 +02:00 · 2025-07-02 18:47:35 +02:00
29 changed files with 235 additions and 50 deletions
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@ -10,43 +10,57 @@ on:
 jobs:
  check-pre-commit:
-    runs-on: native
+    runs-on: docker
    container:
      image: icewind1991/nix-runner
    steps:
      - uses: actions/checkout@v4
      - run: nix-build -A tests
  check-data-model:
-    runs-on: native
+    runs-on: docker
    container:
      image: icewind1991/nix-runner
    steps:
      - uses: actions/checkout@v4
      - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'
  check-peertube:
-    runs-on: native
+    runs-on: docker
    container:
      image: icewind1991/nix-runner
    steps:
      - uses: actions/checkout@v4
      - run: nix-build services -A tests.peertube
  check-panel:
-    runs-on: native
+    runs-on: docker
    container:
      image: icewind1991/nix-runner
    steps:
      - uses: actions/checkout@v4
      - run: nix-build panel -A tests
  check-deployment-basic:
-    runs-on: native
+    runs-on: docker
    container:
      image: icewind1991/nix-runner
    steps:
      - uses: actions/checkout@v4
      - run: nix build .#checks.x86_64-linux.deployment-basic -L
  check-deployment-cli:
-    runs-on: native
+    runs-on: docker
    container:
      image: icewind1991/nix-runner
    steps:
      - uses: actions/checkout@v4
      - run: nix build .#checks.x86_64-linux.deployment-cli -L
  check-deployment-panel:
-    runs-on: native
+    runs-on: docker
    container:
      image: icewind1991/nix-runner
    steps:
      - uses: actions/checkout@v4
      - run: nix build .#checks.x86_64-linux.deployment-panel -L
--- a/.forgejo/workflows/update.yaml
+++ b/.forgejo/workflows/update.yaml
@ -8,7 +8,7 @@ on:
 jobs:
  lockfile:
-    runs-on: native
+    runs-on: nix
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
--- a/deployment/check/basic/flake-part.nix
+++ b/deployment/check/basic/flake-part.nix
@ -2,6 +2,7 @@
  self,
  inputs,
  lib,
  sources,
  ...
 }:
@ -27,7 +28,7 @@ in
          ../common/nixosTest.nix
          ./nixosTest.nix
        ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
        inherit targetMachines pathToRoot pathFromRoot;
      };
    };
@ -44,7 +45,7 @@ in
          inputs.nixops4-nixos.modules.nixops4Resource.nixos
          ../common/targetResource.nix
        ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
        inherit nodeName pathToRoot pathFromRoot;
        nixos.module =
          { pkgs, ... }:
--- a/deployment/check/cli/flake-part.nix
+++ b/deployment/check/cli/flake-part.nix
@ -2,6 +2,7 @@
  self,
  inputs,
  lib,
  sources,
  ...
 }:
@ -30,7 +31,7 @@ in
          ../common/nixosTest.nix
          ./nixosTest.nix
        ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
        inherit
          targetMachines
          pathToRoot
@ -44,7 +45,7 @@ in
    let
      makeTargetResource = nodeName: {
        imports = [ ../common/targetResource.nix ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
        inherit
          nodeName
          pathToRoot
--- a/deployment/check/common/deployerNode.nix
+++ b/deployment/check/common/deployerNode.nix
@ -3,6 +3,7 @@
  lib,
  pkgs,
  config,
  sources,
  ...
 }:
@ -14,8 +15,6 @@ let
    types
    ;
  sources = import ../../../npins;
 in
 {
  _class = "nixos";
@ -78,7 +77,7 @@ in
              config.system.extraDependenciesFromModule
              {
                nixpkgs.hostPlatform = "x86_64-linux";
-                _module.args.inputs = inputs;
+                _module.args = { inherit inputs sources; };
                enableAcme = config.enableAcme;
                acmeNodeIP = config.acmeNodeIP;
              }
--- a/deployment/check/common/nixosTest.nix
+++ b/deployment/check/common/nixosTest.nix
@ -3,6 +3,7 @@
  lib,
  config,
  hostPkgs,
  sources,
  ...
 }:
@ -61,7 +62,7 @@ in
      {
        deployer = {
          imports = [ ./deployerNode.nix ];
-          _module.args.inputs = inputs;
+          _module.args = { inherit inputs sources; };
          enableAcme = config.enableAcme;
          acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
        };
@ -88,7 +89,7 @@ in
        genAttrs config.targetMachines (_: {
          imports = [ ./targetNode.nix ];
-          _module.args.inputs = inputs;
+          _module.args = { inherit inputs sources; };
          enableAcme = config.enableAcme;
          acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
        });
--- a/deployment/check/common/targetResource.nix
+++ b/deployment/check/common/targetResource.nix
@ -2,6 +2,7 @@
  inputs,
  lib,
  config,
  sources,
  ...
 }:
@ -40,7 +41,7 @@ in
        (lib.modules.importJSON (config.pathToCwd + "/${config.nodeName}-network.json"))
      ];
-      _module.args.inputs = inputs;
+      _module.args = { inherit inputs sources; };
      enableAcme = config.enableAcme;
      acmeNodeIP = trim (readFile (config.pathToCwd + "/acme_server_ip"));
--- a/deployment/check/panel/flake-part.nix
+++ b/deployment/check/panel/flake-part.nix
@ -2,6 +2,7 @@
  self,
  inputs,
  lib,
  sources,
  ...
 }:
@ -33,7 +34,7 @@ in
          ../common/nixosTest.nix
          ./nixosTest.nix
        ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
        inherit
          targetMachines
          pathToRoot
@ -47,7 +48,7 @@ in
    let
      makeTargetResource = nodeName: {
        imports = [ ../common/targetResource.nix ];
-        _module.args.inputs = inputs;
+        _module.args = { inherit inputs sources; };
        inherit
          nodeName
          pathToRoot
--- a/flake.nix
+++ b/flake.nix
@ -31,6 +31,9 @@
          inherit nixpkgs;
        };
        self = self';
        specialArgs = {
          inherit sources;
        };
      }
      (
        { inputs, ... }:
@ -48,6 +51,8 @@
            ./deployment/flake-part.nix
            ./infra/flake-part.nix
            ./keys/flake-part.nix
            ./secrets/flake-part.nix
          ];
          perSystem =
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@ -8,7 +8,6 @@ in
  _class = "nixos";
  imports = [
    ./hardware.nix
    ./networking.nix
    ./users.nix
  ];
@ -24,4 +23,9 @@ in
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
 }
--- a/infra/common/proxmox-qemu-vm.nix
+++ b/infra/common/proxmox-qemu-vm.nix
@ -6,17 +6,10 @@
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    initrd = {
      availableKernelModules = [
        "ata_piix"
        "uhci_hcd"
        "virtio_pci"
        "virtio_scsi"
        "sd_mod"
        "sr_mod"
      ];
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -2,6 +2,9 @@
  inputs,
  lib,
  config,
  sources,
  keys,
  secrets,
  ...
 }:
@ -9,12 +12,6 @@ let
  inherit (lib) attrValues elem mkDefault;
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;
  sources = import ../../npins;
  inherit (sources) agenix disko;
  secretsPrefix = ../../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");
  keys = import ../../keys;
 in
 {
@ -36,8 +33,8 @@ in
  ## should go into the `./nixos` subdirectory.
  nixos.module = {
    imports = [
-      "${agenix}/modules/age.nix"
+      "${sources.agenix}/modules/age.nix"
-      "${disko}/module.nix"
+      "${sources.disko}/module.nix"
      ./options.nix
      ./nixos
    ];
@ -46,15 +43,15 @@ in
    ## configuration.
    fediversityVm = config.fediversityVm;
-    ## Read all the secrets, filter the ones that are supposed to be readable
+    ## Read all the secrets, filter the ones that are supposed to be readable with
-    ## with this host's public key, and add them correctly to the configuration
+    ## public key, and create a mapping from `<name>.file` to the absolute path of
-    ## as `age.secrets.<name>.file`.
+    ## the secret's file.
    age.secrets = concatMapAttrs (
      name: secret:
      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
-        ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+        ${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
      })
-    ) secrets;
+    ) secrets.mapping;
    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
    ## supports users with password-less sudo.
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -1,6 +1,9 @@
 {
  inputs,
  lib,
  sources,
  keys,
  secrets,
  ...
 }:
@ -13,7 +16,6 @@ let
    filterAttrs
    ;
  inherit (lib.attrsets) genAttrs;
  sources = import ../../npins;
  ## Given a machine's name and whether it is a test VM, make a resource module,
  ## except for its missing provider. (Depending on the use of that resource, we
@ -22,7 +24,14 @@ let
    { vmName, isTestVm }:
    {
      # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally
-      _module.args = { inherit inputs; };
+      _module.args = {
        inherit
          inputs
          sources
          keys
          secrets
          ;
      };
      imports =
        [
@ -31,11 +40,12 @@ let
        ++ (
          if isTestVm then
            [
              ./common/proxmox-qemu-vm.nix
              ../machines/operator/${vmName}
              {
                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
                  # allow our panel vm access to the test machines
-                  (import ../keys).panel
+                  keys.panel
                ];
              }
            ]
--- a/keys/flake-part.nix
+++ b/keys/flake-part.nix
@ -0,0 +1,5 @@
 {
  _class = "flake";
  _module.args.keys = import ./.;
 }
--- a/keys/systems/forgejo-ci.pub
+++ b/keys/systems/forgejo-ci.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A
--- a/machines/dev/fedi200/default.nix
+++ b/machines/dev/fedi200/default.nix
@ -16,4 +16,10 @@
      gateway = "2a00:51c0:13:1305::1";
    };
  };
  nixos.module = {
    imports = [
      ../../../infra/common/proxmox-qemu-vm.nix
    ];
  };
 }
--- a/machines/dev/fedi201/default.nix
+++ b/machines/dev/fedi201/default.nix
@ -19,6 +19,7 @@
  nixos.module = {
    imports = [
      ../../../infra/common/proxmox-qemu-vm.nix
      ./fedipanel.nix
    ];
  };
--- a/machines/dev/fedi201/fedipanel.nix
+++ b/machines/dev/fedi201/fedipanel.nix
@ -1,5 +1,6 @@
 {
  config,
  sources,
  ...
 }:
 let
@ -10,6 +11,7 @@ in
  imports = [
    (import ../../../panel { }).module
    (import "${sources.home-manager}/nixos")
  ];
  security.acme = {
--- a/machines/dev/forgejo-ci/default.nix
+++ b/machines/dev/forgejo-ci/default.nix
@ -0,0 +1,70 @@
 { lib, ... }:
 let
  inherit (lib) mkDefault mkForce;
 in
 {
  _class = "nixops4Resource";
  # NOTE: This needs an SSH config entry `forgejo-ci` to locate and access the
  # machine. This is because different people access the machine in different
  # way (eg. via a proxy vs. via Procolix's VPN). This might look like:
  #
  #     Host forgejo-ci
  #          HostName 45.142.234.216
  #          HostKeyAlias forgejo-ci
  #
  # The `HostKeyAlias` statement is crucial. Without it, deployment will fail
  # with the SSH error “Host key verification failed”.
  ssh.host = mkForce "forgejo-ci";
  fediversityVm = {
    domain = "procolix.com";
    ipv4 = {
      interface = "enp1s0f0";
      address = "192.168.201.65";
      prefixLength = 24;
      gateway = "192.168.201.1";
    };
    ipv6.enable = false;
  };
  nixos.module =
    { config, ... }:
    {
      _class = "nixos";
      imports = [
        ./forgejo-actions-runner.nix
      ];
      hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
      networking = {
        nftables.enable = mkForce false;
        hostId = "1d6ea552";
      };
      ## NOTE: This is a physical machine, so is not covered by disko
      fileSystems."/" = {
        device = "rpool/root";
        fsType = "zfs";
      };
      fileSystems."/home" = {
        device = "rpool/home";
        fsType = "zfs";
      };
      fileSystems."/boot" = {
        device = "/dev/disk/by-uuid/50B2-DD3F";
        fsType = "vfat";
        options = [
          "fmask=0077"
          "dmask=0077"
        ];
      };
    };
 }
--- a/machines/dev/forgejo-ci/forgejo-actions-runner.nix
+++ b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
@ -0,0 +1,47 @@
 { pkgs, config, ... }:
 {
  _class = "nixos";
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances.default = {
      enable = true;
      name = config.networking.fqdn;
      url = "https://git.fediversity.eu";
      tokenFile = config.age.secrets.forgejo-runner-token.path;
      settings = {
        log.level = "info";
        runner = {
          file = ".runner";
          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
          capacity = 1;
          timeout = "3h";
          insecure = false;
          fetch_timeout = "5s";
          fetch_interval = "2s";
        };
      };
      ## This runner supports Docker (with a default Ubuntu image) and native
      ## modes. In native mode, it contains a few default packages.
      labels = [
        "docker:docker://node:16-bullseye"
        "native:host"
      ];
      hostPackages = with pkgs; [
        bash
        git
        nix
        nodejs
      ];
    };
  };
  ## For the Docker mode of the runner.
  virtualisation.docker.enable = true;
 }
--- a/machines/dev/vm02116/default.nix
+++ b/machines/dev/vm02116/default.nix
@ -14,6 +14,7 @@
    { lib, ... }:
    {
      imports = [
        ../../../infra/common/proxmox-qemu-vm.nix
        ./forgejo.nix
      ];
--- a/machines/dev/vm02187/default.nix
+++ b/machines/dev/vm02187/default.nix
@ -14,6 +14,7 @@
    { lib, ... }:
    {
      imports = [
        ../../../infra/common/proxmox-qemu-vm.nix
        ./wiki.nix
      ];
--- a/machines/machines.md
+++ b/machines/machines.md
@ -7,9 +7,10 @@ Currently, this repository keeps track of the following VMs:
 Machine | Proxmox | Description
 --------|---------|-------------
-[`fedi200`](./fedi200) | fediversity | Testing machine for Hans
+[`fedi200`](./dev/fedi200) | fediversity | Testing machine for Hans
-[`fedi201`](./fedi201) | fediversity | FediPanel
+[`fedi201`](./dev/fedi201) | fediversity | FediPanel
-[`vm02116`](./vm02116) | procolix | Forgejo
+[`vm02116`](./dev/vm02116) | procolix | Forgejo
-[`vm02187`](./vm02187) | procolix | Wiki
+[`vm02187`](./dev/vm02187) | procolix | Wiki
 | `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 This table excludes all machines with names starting with `test`.
--- a/machines/machines.md.sh
+++ b/machines/machines.md.sh
@ -32,11 +32,12 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
    description=$(echo "$vmOptions" | jq -r ".$machine.description" | head -n 1)
    # shellcheck disable=SC2016
-    printf '[`%s`](./%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
+    printf '[`%s`](./dev/%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
  fi
 done
 cat <<\EOF
 | `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 This table excludes all machines with names starting with `test`.
 EOF
--- a/npins/sources.json
+++ b/npins/sources.json
@ -96,6 +96,19 @@
      "url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz",
      "hash": "02wxkdpbhlm3yk5mhkhsp3kwakc16xpmsf2baw57nz1dg459qv8w"
    },
    "home-manager": {
      "type": "Git",
      "repository": {
        "type": "GitHub",
        "owner": "nix-community",
        "repo": "home-manager"
      },
      "branch": "master",
      "submodules": false,
      "revision": "863842639722dd12ae9e37ca83bcb61a63b36f6c",
      "url": "https://github.com/nix-community/home-manager/archive/863842639722dd12ae9e37ca83bcb61a63b36f6c.tar.gz",
      "hash": "0rw9n8d4v87pzlmw7ws15f0sldb51fd9528skpbzmrzl4pinsgij"
    },
    "htmx": {
      "type": "GitRelease",
      "repository": {
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -0,0 +1,4 @@
 {
  mapping = import ./secrets.nix;
  rootPath = ./.;
 }
--- a/secrets/flake-part.nix
+++ b/secrets/flake-part.nix
@ -0,0 +1,5 @@
 {
  _class = "flake";
  _module.args.secrets = import ./.;
 }
--- a/secrets/forgejo-runner-token.age
+++ b/secrets/forgejo-runner-token.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -26,7 +26,7 @@ concatMapAttrs
    {
      forgejo-database-password = [ vm02116 ];
      forgejo-email-password = [ vm02116 ];
-      forgejo-runner-token = [ ];
+      forgejo-runner-token = [ forgejo-ci ];
      panel-secret-key = [ fedi201 ];
      panel-ssh-key = [ fedi201 ];
      wiki-basicauth-htpasswd = [ vm02187 ];
Author	SHA1	Message	Date
Kiara Grouwstra	3e8c0c7738	runs-on: docker	2025-07-02 18:47:35 +02:00
Kiara Grouwstra	6143e4545b	rm runner file	2025-07-02 18:47:35 +02:00
Kiara Grouwstra	d062c5a21b	explicitly specify container image	2025-07-02 18:47:35 +02:00
Kiara Grouwstra	abf62856d7	add label for new runner	2025-07-02 18:47:35 +02:00
Kiara Grouwstra	14600ee06e	try out existing nix container made for gitea actions	2025-07-02 18:47:35 +02:00
Nicolas “Niols” Jeannerod	0c53b55106	Switch all CI jobs to `nixos` label	2025-07-02 18:47:35 +02:00
Nicolas “Niols” Jeannerod	13c92280ab	Clean up `lib` in `forgejo-ci` and extend on the `.ssh/config` comment (#428 ) Reviewed-on: Fediversity/Fediversity#428 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-02 17:49:44 +02:00
Kiara Grouwstra	871672d447	Add `forgejo-ci` machine to our infrastructure (#389 ) picked up from https://git.fediversity.eu/Fediversity/Fediversity/compare/main...niols:forgejo-ci. closes #356. Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-on: Fediversity/Fediversity#389 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-02 17:43:09 +02:00
Kiara Grouwstra	6da42936e7	add missing home-manager import to fedipanel VM (#425 ) Reviewed-on: Fediversity/Fediversity#425 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-02 17:32:38 +02:00
Kiara Grouwstra	8df70a2ff0	classify recent flake-parts files	2025-07-02 13:25:23 +02:00
Kiara Grouwstra	5a92c2c0bc	docs: fix links to machines (#426 ) Reviewed-on: Fediversity/Fediversity#426 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-02 13:16:38 +02:00
Nicolas “Niols” Jeannerod	1c92009879	Do not force QEMU options onto machines	2025-07-01 23:55:33 +02:00
Kiara Grouwstra	a791ad41ec	Inject sources, secrets and keys via module system - avoid `import ../` (#421 ) Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-on: Fediversity/Fediversity#421 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-01 21:08:15 +02:00
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A`