.forgejo/workflows/cd.yaml

@@ -13,7 +13,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Set up SSH key for age secrets and SSH
+      - name: Set up SSH key to access age secrets
         run: |
           env
           mkdir -p ~/.ssh
@@ -21,4 +21,4 @@ jobs:
           chmod 600 ~/.ssh/id_ed25519
 
       - name: Deploy
-        run: nix-shell --run 'eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519 && SHELL=$(which bash) nixops4 apply -v default'
+        run: nix-shell --run 'nixops4 apply default'

.forgejo/workflows/ci.yaml

@@ -27,12 +27,6 @@ jobs:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.test-mastodon-service -L
 
-  check-pixelfed:
-    runs-on: native
-    steps:
-      - uses: actions/checkout@v4
-      - run: nix build .#checks.x86_64-linux.test-pixelfed-garage-service -L
-
   check-peertube:
     runs-on: native
     steps:

infra/README.md

@@ -1,13 +1,14 @@
 # Infra
 
-This directory contains the definition of [the VMs](../machines/machines.md) that host our
+This directory contains the definition of [the VMs](machines.md) that host our
 infrastructure.
 
 ## Provisioning VMs with an initial configuration
 
-> NOTE[Niols]: This is still very manual and clunky. Two things will happen:
+NOTE[Niols]: This is very manual and clunky. Two things will happen. In the near
-> 1. In the near future, I will improve the provisioning script to make this a bit less clunky.
+future, I will improve the provisioning script to make this a bit less clunky.
-> 2. In the far future, NixOps4 will be able to communicate with Proxmox directly and everything will become much cleaner.
+In the far future, NixOps4 will be able to communicate with Proxmox directly and
+everything will become much cleaner.
 
 1. Choose names for your VMs. It is recommended to choose `fediXXX`, with `XXX`
    above 100. For instance, `fedi117`.
@@ -24,7 +25,8 @@ infrastructure.
    Those files need to exist during provisioning, but their content matters only
    when updating the machines' configuration.
 
-   > FIXME: Remove this step by making the provisioning script not fail with the public key does not exist yet.
+   FIXME: Remove this step by making the provisioning script not fail with the
+   public key does not exist yet.
 
 3. Run the provisioning script:
    ```
@@ -42,7 +44,7 @@ infrastructure.
    ssh fedi117.abundos.eu 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' > keys/systems/fedi117.pub
    ```
 
-   > FIXME: Make the provisioning script do that for us.
+   FIXME: Make the provisioning script do that for us.
 
 7. Regenerate the list of machines:
    ```
@@ -54,7 +56,7 @@ infrastructure.
    just enough for it to boot and be reachable. Go on to the next section to
    update the machine and put an actual configuration.
 
-   > FIXME: Figure out why the full configuration isn't on the machine at this
+   FIXME: Figure out why the full configuration isn't on the machine at this
    point and fix it.
 
 ## Updating existing VM configurations

infra/common/proxmox-qemu-vm.nix

@@ -1,4 +1,15 @@
-{ sources, ... }:
+let
+  # pulling this in manually over from module args resolves an infinite recursion.
+  # FIXME: instead untangle `//infra/flake-part.nix` and make it stop passing wild functions.
+  # move moving towards a portable-services-like pattern where some things are submodules.
+  # Right now those wild functions are for parameterising a bunch of things,
+  # and the modular way to do that would be options --
+  # obviously you can't use those for `imports`,
+  # so one way to decouple fixpoints is to isolate them into submodules.
+  # Therefore one approach would be to try to go down the call graph,
+  # and see where what's currently a function could be a `submodule` field of something else.
+  sources = import ../../npins;
+in
 {
   _class = "nixos";
 

infra/common/resource.nix

@@ -58,8 +58,6 @@ in
     users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
       # allow our panel vm access to the test machines
       keys.panel
-      # allow continuous deployment access
-      keys.cd
     ];
 
   };

infra/flake-part.nix

@@ -23,19 +23,20 @@ let
   makeResourceModule =
     { vmName, isTestVm }:
     {
-      nixos.module.imports = [
+      # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally
-        ./common/proxmox-qemu-vm.nix
+      _module.args = {
-      ];
-
-      nixos.specialArgs = {
         inherit
-          sources
           inputs
+          sources
           keys
           secrets
           ;
       };
 
+      nixos.module.imports = [
+        ./common/proxmox-qemu-vm.nix
+      ];
+
       imports =
         [
           ./common/resource.nix
@@ -65,39 +66,17 @@ let
     vmNames:
     { providers, ... }:
     {
-      # XXX: this type merge is for adding `specialArgs` to resource modules
+      providers.local = inputs.nixops4.modules.nixops4Provider.local;
-      options.resources = mkOption {
+      resources = genAttrs vmNames (vmName: {
-        type =
+        type = providers.local.exec;
-          with lib.types;
+        imports = [
-          lazyAttrsOf (submoduleWith {
+          inputs.nixops4-nixos.modules.nixops4Resource.nixos
-            class = "nixops4Resource";
+          (makeResourceModule {
-            modules = [ ];
+            inherit vmName;
-            # TODO(@fricklerhandwerk): we may want to pass through all of `specialArgs`
+            isTestVm = false;
-            # once we're sure it's sane. leaving it here for better control during refactoring.
+          })
-            specialArgs = {
+        ];
-              inherit
+      });
-                sources
-                inputs
-                keys
-                secrets
-
-                ;
-            };
-          });
-      };
-      config = {
-        providers.local = inputs.nixops4.modules.nixops4Provider.local;
-        resources = genAttrs vmNames (vmName: {
-          type = providers.local.exec;
-          imports = [
-            inputs.nixops4-nixos.modules.nixops4Resource.nixos
-            (makeResourceModule {
-              inherit vmName;
-              isTestVm = false;
-            })
-          ];
-        });
-      };
     };
   makeDeployment' = vmName: makeDeployment [ vmName ];
 

machines/dev/fedi201/fedipanel.nix

@@ -1,17 +1,17 @@
 {
   config,
-  sources,
   ...
 }:
 let
   name = "panel";
+  sources = import ../../../npins;
 in
 {
   _class = "nixos";
 
   imports = [
     (import ../../../panel { }).module
-    "${sources.home-manager}/nixos"
+    (import "${sources.home-manager}/nixos")
   ];
 
   security.acme = {

panel/default.nix

@@ -45,7 +45,7 @@ in
     '';
   };
 
-  module = ./nix/configuration.nix;
+  module = import ./nix/configuration.nix;
   tests = pkgs.callPackage ./nix/tests.nix { };
 
   # re-export inputs so they can be overridden granularly

services/tests/pixelfed-garage.nix

@@ -113,7 +113,6 @@ let
 
         ${seleniumQuit}'';
 
-  dummyFile = pkgs.writeText "dummy" "dummy";
 in
 {
   name = "test-pixelfed-garage";
@@ -171,12 +170,6 @@ in
         users.users.selenium = {
           isNormalUser = true;
         };
-        fediversity.temp.initialUser = {
-          username = "dummy";
-          displayName = "dummy";
-          email = "dummy";
-          passwordFile = dummyFile;
-        };
       };
   };