have attic know it doesn't do https, for now

rm unused dep nix-templating

fix imports

.forgejo/workflows/cd.yaml

@@ -1,24 +0,0 @@
-name: deploy-infra
-
-on:
-  workflow_dispatch: # allows manual triggering
-  push:
-    branches:
-      # - main
-
-jobs:
-  deploy:
-    runs-on: native
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Set up SSH key to access age secrets
-        run: |
-          env
-          mkdir -p ~/.ssh
-          echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-
-      - name: Deploy
-        run: nix-shell --run 'nixops4 apply default'

.forgejo/workflows/ci.yaml

@@ -10,43 +10,43 @@ on:
 
 jobs:
   check-pre-commit:
-    runs-on: nix
+    runs-on: native
     steps:
       - uses: actions/checkout@v4
       - run: nix-build -A tests
 
   check-data-model:
-    runs-on: nix
+    runs-on: native
     steps:
       - uses: actions/checkout@v4
       - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'
 
   check-peertube:
-    runs-on: nix
+    runs-on: native
     steps:
       - uses: actions/checkout@v4
-      - run: attic login fediversity http://attic.fediversity.net:8080 ${{ secrets.ATTIC_PULL_KEY }} && attic use demo && nix-build services -A tests.peertube
+      - run: nix-shell --run 'attic push demo $(nix-build services -A tests.peertube)'
 
   check-panel:
-    runs-on: nix
+    runs-on: native
     steps:
       - uses: actions/checkout@v4
       - run: nix-build panel -A tests
 
   check-deployment-basic:
-    runs-on: nix
+    runs-on: native
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-basic -L
 
   check-deployment-cli:
-    runs-on: nix
+    runs-on: native
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-cli -L
 
   check-deployment-panel:
-    runs-on: nix
+    runs-on: native
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-panel -L

.forgejo/workflows/update.yaml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   lockfile:
-    runs-on: nix
+    runs-on: native
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

deployment/check/basic/constants.nix

@@ -1,8 +0,0 @@
-{
-  targetMachines = [
-    "hello"
-    "cowsay"
-  ];
-  pathToRoot = ../../..;
-  pathFromRoot = ./.;
-}

deployment/check/basic/default.nix

@@ -1,14 +0,0 @@
-{
-  runNixOSTest,
-  inputs,
-  sources,
-}:
-
-runNixOSTest {
-  imports = [
-    ../common/nixosTest.nix
-    ./nixosTest.nix
-  ];
-  _module.args = { inherit inputs sources; };
-  inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
-}

deployment/check/basic/deployment.nix

@@ -1,36 +0,0 @@
-{
-  inputs,
-  sources,
-  lib,
-  providers,
-  ...
-}:
-
-let
-  inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
-in
-
-{
-  providers = {
-    inherit (inputs.nixops4.modules.nixops4Provider) local;
-  };
-
-  resources = lib.genAttrs targetMachines (nodeName: {
-    type = providers.local.exec;
-
-    imports = [
-      inputs.nixops4-nixos.modules.nixops4Resource.nixos
-      ../common/targetResource.nix
-    ];
-
-    _module.args = { inherit inputs sources; };
-
-    inherit nodeName pathToRoot pathFromRoot;
-
-    nixos.module =
-      { pkgs, ... }:
-      {
-        environment.systemPackages = [ pkgs.${nodeName} ];
-      };
-  });
-}

deployment/check/basic/flake-part.nix

@@ -0,0 +1,57 @@
+{
+  self,
+  inputs,
+  lib,
+  sources,
+  ...
+}:
+
+let
+  inherit (lib) genAttrs;
+
+  targetMachines = [
+    "hello"
+    "cowsay"
+  ];
+  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
+  pathFromRoot = ./.;
+
+in
+{
+  _class = "flake";
+
+  perSystem =
+    { pkgs, ... }:
+    {
+      checks.deployment-basic = pkgs.testers.runNixOSTest {
+        imports = [
+          ../common/nixosTest.nix
+          ./nixosTest.nix
+        ];
+        _module.args = { inherit inputs sources; };
+        inherit targetMachines pathToRoot pathFromRoot;
+      };
+    };
+
+  nixops4Deployments.check-deployment-basic =
+    { providers, ... }:
+    {
+      providers = {
+        inherit (inputs.nixops4.modules.nixops4Provider) local;
+      };
+      resources = genAttrs targetMachines (nodeName: {
+        type = providers.local.exec;
+        imports = [
+          inputs.nixops4-nixos.modules.nixops4Resource.nixos
+          ../common/targetResource.nix
+        ];
+        _module.args = { inherit inputs sources; };
+        inherit nodeName pathToRoot pathFromRoot;
+        nixos.module =
+          { pkgs, ... }:
+          {
+            environment.systemPackages = [ pkgs.${nodeName} ];
+          };
+      });
+    };
+}

deployment/check/basic/flake-under-test.nix

@@ -1,22 +0,0 @@
-{
-  inputs = {
-    nixops4.follows = "nixops4-nixos/nixops4";
-    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
-  };
-
-  outputs =
-    inputs:
-    import ./mkFlake.nix inputs (
-      { inputs, sources, ... }:
-      {
-        imports = [
-          inputs.nixops4.modules.flake.default
-        ];
-
-        nixops4Deployments.check-deployment-basic = {
-          imports = [ ./deployment/check/basic/deployment.nix ];
-          _module.args = { inherit inputs sources; };
-        };
-      }
-    );
-}

deployment/check/basic/nixosTest.nix

@@ -1,15 +1,10 @@
-{ inputs, lib, ... }:
+{ inputs, ... }:
 
 {
   _class = "nixosTest";
 
   name = "deployment-basic";
 
-  sourceFileset = lib.fileset.unions [
-    ./constants.nix
-    ./deployment.nix
-  ];
-
   nodes.deployer =
     { pkgs, ... }:
     {

deployment/check/cli/constants.nix

@@ -1,12 +0,0 @@
-{
-  targetMachines = [
-    "garage"
-    "mastodon"
-    "peertube"
-    "pixelfed"
-    "attic"
-  ];
-  pathToRoot = ../../..;
-  pathFromRoot = ./.;
-  enableAcme = true;
-}

deployment/check/cli/default.nix

@@ -1,19 +0,0 @@
-{
-  runNixOSTest,
-  inputs,
-  sources,
-}:
-
-runNixOSTest {
-  imports = [
-    ../common/nixosTest.nix
-    ./nixosTest.nix
-  ];
-  _module.args = { inherit inputs sources; };
-  inherit (import ./constants.nix)
-    targetMachines
-    pathToRoot
-    pathFromRoot
-    enableAcme
-    ;
-}

deployment/check/cli/deployments.nix

@@ -1,59 +0,0 @@
-{
-  inputs,
-  sources,
-  lib,
-}:
-
-let
-  inherit (builtins) fromJSON readFile listToAttrs;
-  inherit (import ./constants.nix)
-    targetMachines
-    pathToRoot
-    pathFromRoot
-    enableAcme
-    ;
-
-  makeTargetResource = nodeName: {
-    imports = [ ../common/targetResource.nix ];
-    _module.args = { inherit inputs sources; };
-    inherit
-      nodeName
-      pathToRoot
-      pathFromRoot
-      enableAcme
-      ;
-  };
-
-  ## The deployment function - what we are here to test!
-  ##
-  ## TODO: Modularise `deployment/default.nix` to get rid of the nested
-  ## function calls.
-  makeTestDeployment =
-    args:
-    (import ../..)
-      {
-        inherit lib;
-        inherit (inputs) nixops4 nixops4-nixos;
-        fediversity = import ../../../services/fediversity;
-      }
-      (listToAttrs (
-        map (nodeName: {
-          name = "${nodeName}ConfigurationResource";
-          value = makeTargetResource nodeName;
-        }) targetMachines
-      ))
-      (fromJSON (readFile ../../configuration.sample.json) // args);
-
-in
-{
-  check-deployment-cli-nothing = makeTestDeployment { };
-
-  check-deployment-cli-mastodon-pixelfed = makeTestDeployment {
-    mastodon.enable = true;
-    pixelfed.enable = true;
-  };
-
-  check-deployment-cli-peertube = makeTestDeployment {
-    peertube.enable = true;
-  };
-}

deployment/check/cli/flake-under-test.nix

@@ -1,26 +0,0 @@
-{
-  inputs = {
-    nixops4.follows = "nixops4-nixos/nixops4";
-    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
-  };
-
-  outputs =
-    inputs:
-    import ./mkFlake.nix inputs (
-      {
-        inputs,
-        sources,
-        lib,
-        ...
-      }:
-      {
-        imports = [
-          inputs.nixops4.modules.flake.default
-        ];
-
-        nixops4Deployments = import ./deployment/check/cli/deployments.nix {
-          inherit inputs sources lib;
-        };
-      }
-    );
-}

deployment/check/cli/nixosTest.nix

@@ -1,9 +1,4 @@
-{
+{ inputs, hostPkgs, ... }:
-  inputs,
-  hostPkgs,
-  lib,
-  ...
-}:
 
 let
   ## Some places need a dummy file that will in fact never be used. We create
@@ -16,21 +11,6 @@ in
 
   name = "deployment-cli";
 
-  sourceFileset = lib.fileset.unions [
-    ./constants.nix
-    ./deployments.nix
-
-    # REVIEW: I would like to be able to grab all of `/deployment` minus
-    # `/deployment/check`, but I can't because there is a bunch of other files
-    # in `/deployment`. Maybe we can think of a reorg making things more robust
-    # here? (comment also in panel test)
-    ../../default.nix
-    ../../options.nix
-    ../../configuration.sample.json
-
-    ../../../services/fediversity
-  ];
-
   nodes.deployer =
     { pkgs, ... }:
     {

deployment/check/common/deployerNode.nix

@@ -54,14 +54,14 @@ in
 
     system.extraDependencies =
       [
+        inputs.flake-parts
+        inputs.flake-parts.inputs.nixpkgs-lib
         inputs.nixops4
         inputs.nixops4-nixos
         inputs.nixpkgs
 
-        sources.flake-parts
         sources.nixpkgs
         sources.flake-inputs
-        sources.git-hooks
         sources.vars
 
         pkgs.stdenv

deployment/check/common/nixosTest.nix

@@ -13,7 +13,6 @@ let
     toJSON
     ;
   inherit (lib)
-    types
     fileset
     mkOption
     genAttrs
@@ -28,6 +27,14 @@ let
 
   forConcat = xs: f: concatStringsSep "\n" (map f xs);
 
+  ## The whole repository, with the flake at its root.
+  ## FIXME: We could probably have fileset be the union of ./. with flake.nix
+  ## and flake.lock - I doubt we need anything else.
+  src = fileset.toSource {
+    fileset = config.pathToRoot;
+    root = config.pathToRoot;
+  };
+
   ## We will need to override some inputs by the empty flake, so we make one.
   emptyFlake = runCommandNoCC "empty-flake" { } ''
     mkdir $out
@@ -46,39 +53,9 @@ in
     ## FIXME: I wish I could just use `testScript` but with something like
     ## `mkOrder` to put this module's string before something else.
     extraTestScript = mkOption { };
-
-    sourceFileset = mkOption {
-      ## REVIEW: Upstream to nixpkgs?
-      type = types.mkOptionType {
-        name = "fileset";
-        description = "fileset";
-        descriptionClass = "noun";
-        check = (x: (builtins.tryEval (fileset.unions [ x ])).success);
-        merge = (_: defs: fileset.unions (map (x: x.value) defs));
-      };
-      description = ''
-        A fileset that will be copied to the deployer node in the current
-        working directory. This should contain all the files that are
-        necessary to run that particular test, such as the NixOS
-        modules necessary to evaluate a deployment.
-      '';
-    };
   };
 
   config = {
-    sourceFileset = fileset.unions [
-      # NOTE: not the flake itself; it will be overridden.
-      ../../../mkFlake.nix
-      ../../../flake.lock
-      ../../../npins
-
-      ./sharedOptions.nix
-      ./targetNode.nix
-      ./targetResource.nix
-
-      (config.pathToCwd + "/flake-under-test.nix")
-    ];
-
     acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
 
     nodes =
@@ -126,16 +103,8 @@ in
         ${n}.wait_for_unit("multi-user.target")
       '')}
 
-      ## A subset of the repository that is necessary for this test. It will be
-      ## copied inside the test. The smaller this set, the faster our CI, because we
-      ## won't need to re-run when things change outside of it.
       with subtest("Unpacking"):
-        deployer.succeed("cp -r --no-preserve=mode ${
+        deployer.succeed("cp -r --no-preserve=mode ${src}/* .")
-          fileset.toSource {
-            root = ../../..;
-            fileset = config.sourceFileset;
-          }
-        }/* .")
 
       with subtest("Configure the network"):
         ${forConcat config.targetMachines (
@@ -165,16 +134,11 @@ in
 
       ## NOTE: This is super slow. It could probably be optimised in Nix, for
       ## instance by allowing to grab things directly from the host's store.
-      ##
+      with subtest("Override the lock"):
-      ## NOTE: We use the repository as-is (cf `src` above), overriding only
-      ## `flake.nix` by our `flake-under-test.nix`. We also override the flake
-      ## lock file to use locally available inputs, as we cannot download them.
-      ##
-      with subtest("Override the flake and its lock"):
-        deployer.succeed("cp ${config.pathFromRoot}/flake-under-test.nix flake.nix")
         deployer.succeed("""
           nix flake lock --extra-experimental-features 'flakes nix-command' \
             --offline -v \
+            --override-input flake-parts ${inputs.flake-parts} \
             --override-input nixops4 ${inputs.nixops4.packages.${system}.flake-in-a-bottle} \
             \
             --override-input nixops4-nixos ${inputs.nixops4-nixos} \
@@ -186,6 +150,9 @@ in
               inputs.nixops4-nixos.inputs.nixops4.packages.${system}.flake-in-a-bottle
             } \
             --override-input nixops4-nixos/git-hooks-nix ${emptyFlake} \
+            \
+            --override-input nixpkgs ${inputs.nixpkgs} \
+            --override-input git-hooks ${inputs.git-hooks} \
             ;
         """)
 

deployment/check/panel/constants.nix

@@ -1,12 +0,0 @@
-{
-  targetMachines = [
-    "garage"
-    "mastodon"
-    "peertube"
-    "pixelfed"
-    "attic"
-  ];
-  pathToRoot = ../../..;
-  pathFromRoot = ./.;
-  enableAcme = true;
-}

deployment/check/panel/default.nix

@@ -1,19 +0,0 @@
-{
-  runNixOSTest,
-  inputs,
-  sources,
-}:
-
-runNixOSTest {
-  imports = [
-    ../common/nixosTest.nix
-    ./nixosTest.nix
-  ];
-  _module.args = { inherit inputs sources; };
-  inherit (import ./constants.nix)
-    targetMachines
-    pathToRoot
-    pathFromRoot
-    enableAcme
-    ;
-}

deployment/check/panel/deployment.nix

@@ -1,58 +0,0 @@
-{
-  inputs,
-  sources,
-  lib,
-}:
-
-let
-  inherit (builtins) fromJSON listToAttrs;
-  inherit (import ./constants.nix)
-    targetMachines
-    pathToRoot
-    pathFromRoot
-    enableAcme
-    ;
-
-  makeTargetResource = nodeName: {
-    imports = [ ../common/targetResource.nix ];
-    _module.args = { inherit inputs sources; };
-    inherit
-      nodeName
-      pathToRoot
-      pathFromRoot
-      enableAcme
-      ;
-  };
-
-  ## The deployment function - what we are here to test!
-  ##
-  ## TODO: Modularise `deployment/default.nix` to get rid of the nested
-  ## function calls.
-  makeTestDeployment =
-    args:
-    (import ../..)
-      {
-        inherit lib;
-        inherit (inputs) nixops4 nixops4-nixos;
-        fediversity = import ../../../services/fediversity;
-      }
-      (listToAttrs (
-        map (nodeName: {
-          name = "${nodeName}ConfigurationResource";
-          value = makeTargetResource nodeName;
-        }) targetMachines
-      ))
-      args;
-
-in
-makeTestDeployment (
-  fromJSON (
-    let
-      env = builtins.getEnv "DEPLOYMENT";
-    in
-    if env == "" then
-      throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
-    else
-      env
-  )
-)

deployment/check/panel/flake-part.nix

@@ -0,0 +1,95 @@
+{
+  self,
+  inputs,
+  lib,
+  sources,
+  ...
+}:
+
+let
+  inherit (builtins)
+    fromJSON
+    listToAttrs
+    ;
+
+  targetMachines = [
+    "garage"
+    "mastodon"
+    "peertube"
+    "pixelfed"
+    "attic"
+  ];
+  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
+  pathFromRoot = ./.;
+  enableAcme = true;
+
+in
+{
+  _class = "flake";
+
+  perSystem =
+    { pkgs, ... }:
+    {
+      checks.deployment-panel = pkgs.testers.runNixOSTest {
+        imports = [
+          ../common/nixosTest.nix
+          ./nixosTest.nix
+        ];
+        _module.args = { inherit inputs sources; };
+        inherit
+          targetMachines
+          pathToRoot
+          pathFromRoot
+          enableAcme
+          ;
+      };
+    };
+
+  nixops4Deployments =
+    let
+      makeTargetResource = nodeName: {
+        imports = [ ../common/targetResource.nix ];
+        _module.args = { inherit inputs sources; };
+        inherit
+          nodeName
+          pathToRoot
+          pathFromRoot
+          enableAcme
+          ;
+      };
+
+      ## The deployment function - what we are here to test!
+      ##
+      ## TODO: Modularise `deployment/default.nix` to get rid of the nested
+      ## function calls.
+      makeTestDeployment =
+        args:
+        (import ../..)
+          {
+            inherit lib;
+            inherit (inputs) nixops4 nixops4-nixos;
+            fediversity = import ../../../services/fediversity;
+          }
+          (listToAttrs (
+            map (nodeName: {
+              name = "${nodeName}ConfigurationResource";
+              value = makeTargetResource nodeName;
+            }) targetMachines
+          ))
+          args;
+
+    in
+    {
+      check-deployment-panel = makeTestDeployment (
+        fromJSON (
+          let
+            env = builtins.getEnv "DEPLOYMENT";
+          in
+          if env == "" then
+            throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
+          else
+            env
+        )
+      );
+    };
+}

deployment/check/panel/flake-under-test.nix

@@ -1,26 +0,0 @@
-{
-  inputs = {
-    nixops4.follows = "nixops4-nixos/nixops4";
-    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
-  };
-
-  outputs =
-    inputs:
-    import ./mkFlake.nix inputs (
-      {
-        inputs,
-        sources,
-        lib,
-        ...
-      }:
-      {
-        imports = [
-          inputs.nixops4.modules.flake.default
-        ];
-
-        nixops4Deployments.check-deployment-panel = import ./deployment/check/panel/deployment.nix {
-          inherit inputs sources lib;
-        };
-      }
-    );
-}

deployment/check/panel/nixosTest.nix

@@ -127,20 +127,6 @@ in
 
   name = "deployment-panel";
 
-  sourceFileset = lib.fileset.unions [
-    ./constants.nix
-    ./deployment.nix
-
-    # REVIEW: I would like to be able to grab all of `/deployment` minus
-    # `/deployment/check`, but I can't because there is a bunch of other files
-    # in `/deployment`. Maybe we can think of a reorg making things more robust
-    # here? (comment also in CLI test)
-    ../../default.nix
-    ../../options.nix
-
-    ../../../services/fediversity
-  ];
-
   ## The panel's module sets `nixpkgs.overlays` which clashes with
   ## `pkgsReadOnly`. We disable it here.
   node.pkgsReadOnly = false;

deployment/flake-part.nix

@@ -1,26 +1,9 @@
-{ inputs, sources, ... }:
-
 {
   _class = "flake";
 
-  perSystem =
+  imports = [
-    { pkgs, ... }:
+    ./check/basic/flake-part.nix
-    {
+    ./check/cli/flake-part.nix
-      checks = {
+    ./check/panel/flake-part.nix
-        deployment-basic = import ./check/basic {
+  ];
-          inherit (pkgs.testers) runNixOSTest;
-          inherit inputs sources;
-        };
-
-        deployment-cli = import ./check/cli {
-          inherit (pkgs.testers) runNixOSTest;
-          inherit inputs sources;
-        };
-
-        deployment-panel = import ./check/panel {
-          inherit (pkgs.testers) runNixOSTest;
-          inherit inputs sources;
-        };
-      };
-    };
 }

flake.lock

@@ -59,6 +59,22 @@
       }
     },
     "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_3": {
       "flake": false,
       "locked": {
         "lastModified": 1733328505,
@@ -74,7 +90,7 @@
         "type": "github"
       }
     },
-    "flake-compat_3": {
+    "flake-compat_4": {
       "flake": false,
       "locked": {
         "lastModified": 1696426674,
@@ -127,6 +143,24 @@
       }
     },
     "flake-parts_3": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib_3"
+      },
+      "locked": {
+        "lastModified": 1738453229,
+        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_4": {
       "inputs": {
         "nixpkgs-lib": [
           "nixops4-nixos",
@@ -167,12 +201,32 @@
         "type": "github"
       }
     },
-    "git-hooks-nix": {
+    "git-hooks": {
       "inputs": {
         "flake-compat": "flake-compat",
         "gitignore": "gitignore",
         "nixpkgs": "nixpkgs"
       },
+      "locked": {
+        "lastModified": 1742649964,
+        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "git-hooks-nix": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "gitignore": "gitignore_2",
+        "nixpkgs": "nixpkgs_2"
+      },
       "locked": {
         "lastModified": 1737465171,
         "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
@@ -227,6 +281,27 @@
       }
     },
     "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "gitignore_2": {
       "inputs": {
         "nixpkgs": [
           "nixops4-nixos",
@@ -266,8 +341,8 @@
     },
     "nix": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat_3",
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_4",
         "git-hooks-nix": "git-hooks-nix_2",
         "nixfmt": "nixfmt",
         "nixpkgs": [
@@ -341,10 +416,10 @@
     },
     "nixops4": {
       "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts_3",
         "nix": "nix",
         "nix-cargo-integration": "nix-cargo-integration",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
         "nixpkgs-old": "nixpkgs-old"
       },
       "locked": {
@@ -363,7 +438,7 @@
     },
     "nixops4-nixos": {
       "inputs": {
-        "flake-parts": "flake-parts",
+        "flake-parts": "flake-parts_2",
         "git-hooks-nix": "git-hooks-nix",
         "nixops4": "nixops4",
         "nixops4-nixos": [
@@ -445,6 +520,18 @@
         "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
       }
     },
+    "nixpkgs-lib_3": {
+      "locked": {
+        "lastModified": 1738452942,
+        "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
+      }
+    },
     "nixpkgs-old": {
       "locked": {
         "lastModified": 1735563628,
@@ -478,6 +565,22 @@
       }
     },
     "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1730768919,
+        "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
       "locked": {
         "lastModified": 1738410390,
         "narHash": "sha256-xvTo0Aw0+veek7hvEVLzErmJyQkEcRk6PSR4zsRQFEc=",
@@ -518,7 +621,7 @@
     },
     "purescript-overlay": {
       "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_4",
         "nixpkgs": [
           "nixops4-nixos",
           "nixops4",
@@ -561,6 +664,8 @@
     },
     "root": {
       "inputs": {
+        "flake-parts": "flake-parts",
+        "git-hooks": "git-hooks",
         "nixops4": [
           "nixops4-nixos",
           "nixops4"

flake.nix

@@ -1,47 +1,83 @@
 {
   inputs = {
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    git-hooks.url = "github:cachix/git-hooks.nix";
     nixops4.follows = "nixops4-nixos/nixops4";
     nixops4-nixos.url = "github:nixops4/nixops4-nixos";
   };
 
   outputs =
-    inputs:
+    inputs@{ self, flake-parts, ... }:
-    import ./mkFlake.nix inputs (
+    let
-      { inputs, sources, ... }:
+      sources = import ./npins;
+      inherit (import sources.flake-inputs) import-flake;
+      inherit (sources) git-hooks;
+      # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
+      # XXX - this is just importing a flake
+      nixpkgs = import-flake { src = sources.nixpkgs; };
+      # XXX - this overrides the inputs attached to `self`
+      inputs' = self.inputs // {
+        nixpkgs = nixpkgs;
+      };
+      self' = self // {
+        inputs = inputs';
+      };
+    in
+    # XXX - finally we override the overall set of `inputs` -- we need both:
+    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
+    flake-parts.lib.mkFlake
       {
-        imports = [
+        inputs = inputs // {
-          "${sources.git-hooks}/flake-module.nix"
+          inherit nixpkgs;
-          inputs.nixops4.modules.flake.default
+        };
-
+        self = self';
-          ./deployment/flake-part.nix
+        specialArgs = {
-          ./infra/flake-part.nix
+          inherit sources;
-          ./keys/flake-part.nix
+        };
-          ./secrets/flake-part.nix
-        ];
-
-        perSystem =
-          {
-            pkgs,
-            lib,
-            ...
-          }:
-          {
-            formatter = pkgs.nixfmt-rfc-style;
-
-            pre-commit.settings.hooks =
-              let
-                ## Add a directory here if pre-commit hooks shouldn't apply to it.
-                optout = [ "npins" ];
-                excludes = map (dir: "^${dir}/") optout;
-                addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
-              in
-              addExcludes {
-                nixfmt-rfc-style.enable = true;
-                deadnix.enable = true;
-                trim-trailing-whitespace.enable = true;
-                shellcheck.enable = true;
-              };
-          };
       }
-    );
+      (
+        { inputs, ... }:
+        {
+          systems = [
+            "x86_64-linux"
+            "aarch64-linux"
+            "x86_64-darwin"
+            "aarch64-darwin"
+          ];
+
+          imports = [
+            "${git-hooks}/flake-module.nix"
+            inputs.nixops4.modules.flake.default
+
+            ./deployment/flake-part.nix
+            ./infra/flake-part.nix
+            ./keys/flake-part.nix
+            ./secrets/flake-part.nix
+          ];
+
+          perSystem =
+            {
+              pkgs,
+              lib,
+              ...
+            }:
+            {
+              formatter = pkgs.nixfmt-rfc-style;
+
+              pre-commit.settings.hooks =
+                let
+                  ## Add a directory here if pre-commit hooks shouldn't apply to it.
+                  optout = [ "npins" ];
+                  excludes = map (dir: "^${dir}/") optout;
+                  addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
+                in
+                addExcludes {
+                  nixfmt-rfc-style.enable = true;
+                  deadnix.enable = true;
+                  trim-trailing-whitespace.enable = true;
+                  shellcheck.enable = true;
+                };
+            };
+        }
+      );
 }

keys/cd-ssh-key.pub

@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlsYTtMx3hFO8B5B8iHaXL2JKj9izHeC+/AMhIWXBPs cd-age

keys/default.nix

@@ -35,5 +35,4 @@ in
   contributors = collectKeys ./contributors;
   systems = collectKeys ./systems;
   panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
-  cd = removeTrailingWhitespace (readFile ./cd-ssh-key.pub);
 }

machines/dev/forgejo-ci/forgejo-actions-runner.nix

@@ -1,56 +1,62 @@
 {
-  pkgs,
   lib,
+  pkgs,
   config,
+  sources,
   ...
 }:
-let
-  system = builtins.currentSystem;
-  sources = import ../../../npins;
-  packages =
-    let
-      inherit (import sources.flake-inputs) import-flake;
-      inherit ((import-flake { src = ../../..; }).inputs) nixops4;
-    in
-    [
-      pkgs.coreutils
-      pkgs.findutils
-      pkgs.gnugrep
-      pkgs.gawk
-      pkgs.git
-      pkgs.nix
-      pkgs.bash
-      pkgs.jq
-      pkgs.nodejs
-      pkgs.npins
-      nixops4.packages.${system}.default
-    ];
-  storeDeps = pkgs.runCommand "store-deps" { } ''
-    mkdir -p $out/bin
-    for dir in ${toString packages}; do
-      for bin in "$dir"/bin/*; do
-        ln -s "$bin" "$out/bin/$(basename "$bin")"
-      done
-    done
-    # Add SSL CA certs
-    mkdir -p $out/etc/ssl/certs
-    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
-  '';
-  numInstances = 5;
-in
 
-let
-  user = "gitea-runner";
-in
 {
   _class = "nixos";
 
   imports = with sources; [
-    "${home-manager}/nixos"
+    (import "${home-manager}/nixos")
     "${vars}/options.nix"
     "${vars}/backends/on-machine.nix"
   ];
 
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+
+    instances.default = {
+      enable = true;
+
+      name = config.networking.fqdn;
+      url = "https://git.fediversity.eu";
+      tokenFile = config.age.secrets.forgejo-runner-token.path;
+
+      settings = {
+        log.level = "info";
+        runner = {
+          file = ".runner";
+          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
+          capacity = 1;
+          timeout = "3h";
+          insecure = false;
+          fetch_timeout = "5s";
+          fetch_interval = "2s";
+        };
+      };
+
+      ## This runner supports Docker (with a default Ubuntu image) and native
+      ## modes. In native mode, it contains a few default packages.
+      labels = [
+        "docker:docker://node:16-bullseye"
+        "native:host"
+      ];
+
+      hostPackages = with pkgs; [
+        bash
+        git
+        nix
+        nodejs
+      ];
+    };
+  };
+
+  ## For the Docker mode of the runner.
+  virtualisation.docker.enable = true;
+
   vars.settings.on-machine.enable = true;
   vars.generators."templates" = rec {
     dependencies = [ "attic" ];
@@ -79,214 +85,10 @@ in
   };
 
   home-manager = {
-    users.${user}.home = {
+    users.gitea-runner.home = {
       stateVersion = "25.05";
       file.".config/attic/config.toml".source =
         config.vars.generators."templates".files."attic.toml".path;
     };
   };
-
-  services.gitea-actions-runner = {
-    package = pkgs.forgejo-actions-runner;
-    instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (_: {
-      enable = true;
-      name = config.networking.fqdn;
-      url = "https://git.fediversity.eu";
-      tokenFile = config.age.secrets.forgejo-runner-token.path;
-      ## This runner supports Docker (with a default Ubuntu image) and native
-      ## modes. In native mode, it contains a few default packages.
-      labels = [
-        "nix:docker://gitea-runner-nix"
-        "docker:docker://node:16-bullseye"
-        "native:host"
-      ];
-      hostPackages = with pkgs; [
-        bash
-        git
-        nix
-        nodejs
-      ];
-      settings = {
-        container = {
-          options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
-          # the default network that also respects our dns server settings
-          network = "host";
-          valid_volumes = [
-            "/nix"
-            "${storeDeps}/bin"
-            "${storeDeps}/etc/ssl"
-          ];
-        };
-        log.level = "info";
-        runner = {
-          file = ".runner";
-          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
-          capacity = 1;
-          timeout = "3h";
-          insecure = false;
-          fetch_timeout = "5s";
-          fetch_interval = "2s";
-        };
-      };
-    });
-  };
-
-  users = {
-    users.nixuser = {
-      group = "nixuser";
-      description = "Used for running nix ci jobs";
-      home = "/var/empty";
-      isSystemUser = true;
-    };
-    groups.nixuser = { };
-  };
-  virtualisation = {
-    ## For the Docker mode of the runner.
-    ## Podman seemed to get stuck on the checkout step
-    docker.enable = true;
-    containers.containersConf.settings = {
-      # podman (at least) seems to not work with systemd-resolved
-      containers.dns_servers = [
-        "8.8.8.8"
-        "8.8.4.4"
-      ];
-    };
-  };
-  systemd.services =
-    {
-      gitea-runner-nix-image = {
-        wantedBy = [ "multi-user.target" ];
-        after = [ "docker.service" ];
-        requires = [ "docker.service" ];
-        path = [
-          pkgs.docker
-          pkgs.gnutar
-          pkgs.shadow
-          pkgs.getent
-        ];
-        # we also include etc here because the cleanup job also wants the nixuser to be present
-        script = ''
-          set -eux -o pipefail
-          mkdir -p etc/nix
-
-          # Create an unpriveleged user that we can use also without the run-as-user.sh script
-          touch etc/passwd etc/group
-          groupid=$(cut -d: -f3 < <(getent group nixuser))
-          userid=$(cut -d: -f3 < <(getent passwd nixuser))
-          groupadd --prefix $(pwd) --gid "$groupid" nixuser
-          emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
-          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
-
-          cat <<NIX_CONFIG > etc/nix/nix.conf
-          accept-flake-config = true
-          experimental-features = nix-command flakes
-          NIX_CONFIG
-
-          cat <<NSSWITCH > etc/nsswitch.conf
-          passwd:    files mymachines systemd
-          group:     files mymachines systemd
-          shadow:    files
-
-          hosts:     files mymachines dns myhostname
-          networks:  files
-
-          ethers:    files
-          services:  files
-          protocols: files
-          rpc:       files
-          NSSWITCH
-
-          # list the content as it will be imported into the container
-          tar -cv . | tar -tvf -
-          tar -cv . | docker import - gitea-runner-nix
-        '';
-        serviceConfig = {
-          RuntimeDirectory = "gitea-runner-nix-image";
-          WorkingDirectory = "/run/gitea-runner-nix-image";
-          Type = "oneshot";
-          RemainAfterExit = true;
-        };
-      };
-    }
-    // lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (
-      _:
-      let
-        requires = [ "gitea-runner-nix-image.service" ];
-      in
-      {
-        inherit requires;
-        after = requires;
-        # TODO: systemd confinement
-        serviceConfig = {
-          # Hardening (may overlap with DynamicUser=)
-          # The following options are only for optimizing output of systemd-analyze
-          AmbientCapabilities = "";
-          CapabilityBoundingSet = "";
-          # ProtectClock= adds DeviceAllow=char-rtc r
-          DeviceAllow = "";
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateMounts = true;
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectSystem = "strict";
-          RemoveIPC = true;
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          UMask = "0066";
-          ProtectProc = "invisible";
-          SystemCallFilter = [
-            "~@clock"
-            "~@cpu-emulation"
-            "~@module"
-            "~@mount"
-            "~@obsolete"
-            "~@raw-io"
-            "~@reboot"
-            "~@swap"
-            # needed by go?
-            #"~@resources"
-            "~@privileged"
-            "~capset"
-            "~setdomainname"
-            "~sethostname"
-          ];
-          SupplementaryGroups = [ "docker" ];
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-            "AF_NETLINK"
-          ];
-
-          # Needs network access
-          PrivateNetwork = false;
-          # Cannot be true due to Node
-          MemoryDenyWriteExecute = false;
-
-          # The more restrictive "pid" option makes `nix` commands in CI emit
-          # "GC Warning: Couldn't read /proc/stat"
-          # You may want to set this to "pid" if not using `nix` commands
-          ProcSubset = "all";
-          # Coverage programs for compiled code such as `cargo-tarpaulin` disable
-          # ASLR (address space layout randomization) which requires the
-          # `personality` syscall
-          # You may want to set this to `true` if not using coverage tooling on
-          # compiled code
-          LockPersonality = false;
-
-          # Note that this has some interactions with the User setting; so you may
-          # want to consult the systemd docs if using both.
-          DynamicUser = true;
-        };
-      }
-    );
 }

machines/dev/vm02116/forgejo.nix

@@ -110,8 +110,4 @@ in
       };
     };
   };
-
-  # needed to imperatively run forgejo commands e.g. to generate runner tokens.
-  # example: `sudo su - forgejo -c 'nix-shell -p forgejo --run "gitea actions generate-runner-token -C /var/lib/forgejo/custom"'`
-  users.users.forgejo.isNormalUser = true;
 }

mkFlake.nix

@@ -1,54 +0,0 @@
-## This file contains a tweak of flake-parts's `mkFlake` function to splice in
-## sources taken from npins.
-
-## NOTE: Much of the logic in this file feels like it should be not super
-## specific to fediversity. Could it make sense to extract the core of this to
-## another place it feels closer to in spirit, such as @fricklerhandwerk's
-## flake-inputs (which this code already depends on anyway, and which already
-## contained two distinct helpers for migrating away from flakes)? cf
-## https://git.fediversity.eu/Fediversity/Fediversity/pulls/447#issuecomment-8671
-
-inputs@{ self, ... }:
-
-let
-  sources = import ./npins;
-  inherit (import sources.flake-inputs) import-flake;
-
-  # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
-  # XXX - this is just importing a flake
-  nixpkgs = import-flake { src = sources.nixpkgs; };
-
-  # XXX - this overrides the inputs attached to `self`
-  inputs' = self.inputs // {
-    nixpkgs = nixpkgs;
-  };
-  self' = self // {
-    inputs = inputs';
-  };
-
-  flake-parts-lib = import "${sources.flake-parts}/lib.nix" { inherit (nixpkgs) lib; };
-in
-
-flakeModule:
-
-flake-parts-lib.mkFlake
-  {
-    # XXX - finally we override the overall set of `inputs` -- we need both:
-    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
-    inputs = inputs // {
-      inherit nixpkgs;
-    };
-    self = self';
-    specialArgs = {
-      inherit sources;
-    };
-  }
-  {
-    systems = [
-      "x86_64-linux"
-      "aarch64-linux"
-      "x86_64-darwin"
-      "aarch64-darwin"
-    ];
-    imports = [ flakeModule ];
-  }

secrets/forgejo-database-password.age

@@ -1,19 +1,17 @@
 age-encryption.org/v1
--> ssh-ed25519 Jpc21A bBCQmvfRUwJuIXbpVJ092XUBVszGrb6gILGbgV9j9BY
+-> ssh-ed25519 Jpc21A 9edPaA2tT4SeYNTPzF0E157daC2o+JH/WQQCT+vLbFg
-7DEGwhqdfqMs5cxXtlMkSTPjw4qhczBgW0dmoJ6dh6g
+C48EtLdhB75TTzfEZTw1DypicHiVlSmFzjfbqfO9N/8
--> ssh-ed25519 BAs8QA oiVedFC6UklEFCJUybGr93+XrddyCtV4r4TnE4nhpWI
+-> ssh-ed25519 BAs8QA T+kXpZg1v0XRkub5DWir7vYwO7KaOJLZBNYxxXiBUCw
-xasnkP4NCl9TuYSE1u0Xi0b/PiwcrfHCz2QMnpTjLcU
+zBRwMTDpyI7twEwUGsmJYyYPw9btBx5Kakj1yT+XY8U
--> ssh-ed25519 ofQnlg LrMcWdaEUVyIgd/KznwJW/2sucIu5MuxDEcEJAmf8mA
+-> ssh-ed25519 ofQnlg 4UoEDY/tdKz8LrX1BkBU1/cn+vSaYLUl7xX9YmzANBY
-p6pQoisuXre2J4r6ArV6C6lKO2J/aNdBFhqLPBoZ2wA
+8CACq1n3AJgD9IyPN23iRvThqsfQFF5+jmkKnhun24U
--> ssh-ed25519 COspvA q2OGeVofPKyGCpr4Mf9VoaRvZCWTRl8n2mvkQOdTnyQ
+-> ssh-ed25519 COspvA HxcbkqHL+LpVmwb+Fo5JuUU+C+Pxzdxtb0yZHixwuzM
-M+ffAGecJG/94k/Z5DdokltrZppS2IcxkZa8JKHwIMs
+7FIhxdbjHJlgQQgjrHHUK5cecqs5aT7X3I8TWf8c2gc
--> ssh-ed25519 2XrTgw Bsz/G4QderToPSfMKOR6s5yWb0xCGUlsjGJxJYQNBRc
+-> ssh-ed25519 2XrTgw R6Ia8MVIZKPnNZ0rspZ34EqoY8fOLeB9H7vnvNBLg1g
-JYrXZb8qj1Yi9u5bnI/WzuNxy7gyFLCTIUaGNmcOYnk
+55NUqz5Yygt6FKJ3bR5iHxQp8G7S2gyFwrJNX1Pb/2Y
--> ssh-ed25519 awJeHA KKJMQSt0PvC6P+T/kxQv96tSBdLQLiY2f8q35IwGm28
+-> ssh-ed25519 awJeHA hJdTuAScoewVMt7HWiisSkL0zSeClFzYzzKL84G893o
-p7Cf2HLlPl0qmsO6Hh5zwVgKkEs3A6fdSBndMKsacbk
+ou780VLrW1s4d6L+lEVu3kXaGn4dvtFPA31supwEL50
--> ssh-ed25519 Fa25Dw 3m/qyannP4gjXxkUuO0LQRU8Z8HXOg4WReMDd7786y8
+-> ssh-ed25519 Fa25Dw mJcqnXA3fQeoKrG7RJ7nVeLxPvrxqbj+lJdx6jQ9IR8
-dNMyiBGeJDrBScE9TEyZZ7+MGMG6FLuoRTK82EVeX1w
+f5Q7mrQSSDsm1Z/uSAnvx66mgnRC3XaBLQrVL9f/Ijs
--> ssh-ed25519 i+ecmQ oCs4Ep2K75yjmUOh1ox4F25tGq+O/mZ2/c2E8+IRlEc
+--- W/KmboXTLV12X6WtVQKHNe+ZHvS2q9EHUZwofSgJSE8
-0Wc9gDxhvHK5tEVM5kJ0mQXc3kp7tJ2JNHg54N0+tJ8
+^kûÚ	h©0ÔkÇ ¢¸_Ç·ûQÞm‘’7\òÖ}÷Áë?½qø‚<ÿm
---- mXrqbcHxjjkS5MrQaCVm4hTsAUEENAWlIYtiYx6rtas
-ž`€úì}öÙ7Ù>­iŒbàéëÕè/&ɪŠwŽ„ì7àí[ã±Hˆc“

secrets/secrets.nix

@@ -7,12 +7,11 @@ let
 
   keys = import ../keys;
   contributors = attrValues keys.contributors;
-  cd = [ keys.cd ];
 in
 
 concatMapAttrs
   (name: systems: {
-    "${name}.age".publicKeys = contributors ++ systems ++ cd;
+    "${name}.age".publicKeys = contributors ++ systems;
   })
 
   (

secrets/wiki-basicauth-htpasswd.age

@@ -1,19 +1,18 @@
 age-encryption.org/v1
--> ssh-ed25519 Jpc21A NStZFZPTHMhVCnQ5Zkbl39vWztrxfsSXok24/e8H7QQ
+-> ssh-ed25519 Jpc21A EuMYAiZX+4A12eu19mIY7u+WYF7NJ9qJosQSVlxR6n8
-JjHP6Cus76PGYYxpbnc2cSZ79zvdD8LISYDPbvXsnqU
+bK5CMXAmP23t1p9bgmqoVg4Qcu2qYKGc4t36v8e9eow
--> ssh-ed25519 BAs8QA iocHfHjWlEUsbtibqEbYDceAqURr2vjxuYapqon9hyU
+-> ssh-ed25519 BAs8QA IwRyitDNTzUPzQAUbDNEKjFiF8WPD/OyztOZQeoTEzw
-ljL+olZdhWtHeV3uh3pOu22+sY13wPn2vKQDduPSqVs
+OwiTWvk4NmUgExav0uH6HlThDNU5hsKXfR6KHsFOV3I
--> ssh-ed25519 ofQnlg 9YVfMKyoP3+xtzg/ok2I9yf3YdIYoBpUJa/3d2N/8lI
+-> ssh-ed25519 ofQnlg 3TcMbLX1JsQL8+Gqy7IFZwykZr2BspvPCuZT1SHtnQQ
-2yUalyj7O3c1YDA2xTb9QNYrFBDHwcyGBX3mydv0ifI
+Ci5OeBj2aiC8ut9jIEUMt3qfYH+cJrnVud6AH54Ndn8
--> ssh-ed25519 COspvA cOSNsZXBbhQ/B49fq3KwcY6siVrTz48doTrta/0d/Hw
+-> ssh-ed25519 COspvA 0t9f3Wu3ILv4QTJhwT619y+7XFrryCLbpIZC6aE+qQI
-jcRtVxA/tVFM9btPAPI6zKk8BwAVlaQlvHC203MpmIQ
+oPQP48F6oO/tkqLZDdjkGtIap7KHiAknbpTNL6/yLaU
--> ssh-ed25519 2XrTgw d3EKtYkxjeJZ8kt3ofIklGmRwUCgTIB/WVVlvxggGRk
+-> ssh-ed25519 2XrTgw YOZsaYQH9vMH0QqSXGh8GyhRV4MbcBGPFfFaKpo3Ckk
-IhcrpWN9xFsKRw9iCfYMONPOU7TpTt4kTBNwMDtk7zo
+kUShJbADA+6bpx2adxvzlI/0jSM5bIBfZfdSE/7Vm5Y
--> ssh-ed25519 awJeHA Ei64e3+FJDM6S8NP+YfEWEg9t72qTXZ0IdZE8dYQPm4
+-> ssh-ed25519 awJeHA dF3m0hQWX9c0EezDr56Kt/F4d1Uim7NwvIX6zRws0Eo
-ggRc86sXin06eXJkLbK8CdJFDa1237WMfSgwNd5ngmM
+pst243yrARODwrnyz8cJAzgDxdPOUsRbs7yPZePABFs
--> ssh-ed25519 dgBsjw 9etK6tNrFlWVAKTz5U0TitkiGYLKTad3QiRWVpLPrwM
+-> ssh-ed25519 dgBsjw PUYHcP/tgNnKyvlIoJRcNcW3zabVV1iHXIWfKqgW9xc
-xHLzFnRtcvpVZYZrxWz5q4uadhHrHVlfqjteOWfIccE
+tXNjSuVH/g/oN5o75FPkFFpviF7SeFSN9kbqURvgMDE
--> ssh-ed25519 i+ecmQ SDTnYBLMOaH173B/wqaOifE6a90gSesRqMHmX7/iZFk
+--- wHgBAN9c6F6T5hFJGo8uH8zqDkQDwx3/jVNKUtQ3arE
-kS9tuKnMXCXNUnoZ06DisOOyZHe/mZl4a0JRA+eynE8
+«Ñ¢Á
---- C0R5WxDDCqQGxyvFoeNX838az0bjp55PGh//1NFG4LE
+ò@µú¡fÃ`m;ÕcæäU²€ùò£Íd…eS’èyfv¿»¡€J?ø `œfj£Äa}lÃó ¿Úxç²BÇt2èfìôm08ÓoÝtRál9˜èx¤¢ŒÅž›æ÷
-ŠÉY—±³<EFBFBD>„ÏKRÇËej±éŒ7xÑíE¹ Óì¾7jÏ
-œJý«[ÀF?Ÿ=-w‘XMC~)èÅ›ƒ<E280BA>Éõb«ëƒCÜ4ÌÖÞOwý~–¿š8ñv—ÙÜžèX»ØÆ’ƒí!5¦

services/README.md

@@ -21,11 +21,11 @@ For those that know it, we could say that the current module is an analogous of
 
 ## Content of this directory
 
-- [fediversity](./fediversity) contains the definition of the services. Look in
+- [fediversity][./fediversity] contains the definition of the services. Look in
   particular at its `default.nix` that contains the definition of the options.
 
-- [vm](./vm) contains options specific to making the service run in local QEMU
+- [vm][./vm] contains options specific to making the service run in local QEMU
   VMs. These modules will for instance override the defaults to disable SSL, and
   they will add virtualisation options to forward ports, for instance.
 
-- [tests](./tests) contain full NixOS tests of the services.
+- [tests][./tests] contain full NixOS tests of the services.