update nixpkgs to unstable - resolves manual deploy error on bootloader already on newer version

in case we want that file for something else, we can move this (and its
ignore) to something separate.

deployment/default.nix

@@ -36,7 +36,7 @@
 panelConfig:
 
 let
-  inherit (lib) mkMerge mkIf;
+  inherit (lib) mkIf;
 
 in
 
@@ -101,90 +101,81 @@ in
 
     in
 
-    mkMerge [
+    {
+      garage-configuration = makeConfigurationResource garageConfigurationResource (
+        { pkgs, ... }:
+        mkIf (panelConfig.mastodon.enable || panelConfig.peertube.enable || panelConfig.pixelfed.enable) {
+          fediversity = {
+            inherit (panelConfig) domain;
+            garage.enable = true;
+            pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
+            mastodon = mastodonS3KeyConfig { inherit pkgs; };
+            peertube = peertubeS3KeyConfig { inherit pkgs; };
+          };
+        }
+      );
 
-      (mkIf (panelConfig.mastodon.enable || panelConfig.peertube.enable || panelConfig.pixelfed.enable) {
-        garage-configuration = makeConfigurationResource garageConfigurationResource (
-          { pkgs, ... }:
-          {
-            fediversity = {
-              inherit (panelConfig) domain;
-              garage.enable = true;
-              pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
-              mastodon = mastodonS3KeyConfig { inherit pkgs; };
-              peertube = peertubeS3KeyConfig { inherit pkgs; };
+      mastodon-configuration = makeConfigurationResource mastodonConfigurationResource (
+        { pkgs, ... }:
+        mkIf panelConfig.mastodon.enable {
+          fediversity = {
+            inherit (panelConfig) domain;
+            temp.initialUser = {
+              inherit (panelConfig.initialUser) username email displayName;
+              # FIXME: disgusting, but nvm, this is going to be replaced by
+              # proper central authentication at some point
+              passwordFile = pkgs.writeText "password" panelConfig.initialUser.password;
             };
-          }
-        );
-      })
 
-      (mkIf panelConfig.mastodon.enable {
-        mastodon-configuration = makeConfigurationResource mastodonConfigurationResource (
-          { pkgs, ... }:
-          {
-            fediversity = {
-              inherit (panelConfig) domain;
-              temp.initialUser = {
-                inherit (panelConfig.initialUser) username email displayName;
-                # FIXME: disgusting, but nvm, this is going to be replaced by
-                # proper central authentication at some point
-                passwordFile = pkgs.writeText "password" panelConfig.initialUser.password;
-              };
-
-              mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
-                enable = true;
-              };
-
-              temp.cores = 1; # FIXME: should come from NixOps4 eventually
+            mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
+              enable = true;
             };
-          }
-        );
-      })
 
-      (mkIf panelConfig.peertube.enable {
-        peertube-configuration = makeConfigurationResource peertubeConfigurationResource (
-          { pkgs, ... }:
-          {
-            fediversity = {
-              inherit (panelConfig) domain;
-              temp.initialUser = {
-                inherit (panelConfig.initialUser) username email displayName;
-                # FIXME: disgusting, but nvm, this is going to be replaced by
-                # proper central authentication at some point
-                passwordFile = pkgs.writeText "password" panelConfig.initialUser.password;
-              };
+            temp.cores = 1; # FIXME: should come from NixOps4 eventually
+          };
+        }
+      );
 
-              peertube = peertubeS3KeyConfig { inherit pkgs; } // {
-                enable = true;
-                ## NOTE: Only ever used for testing anyway.
-                ##
-                ## FIXME: Generate and store in NixOps4's state.
-                secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
-              };
+      peertube-configuration = makeConfigurationResource peertubeConfigurationResource (
+        { pkgs, ... }:
+        mkIf panelConfig.peertube.enable {
+          fediversity = {
+            inherit (panelConfig) domain;
+            temp.initialUser = {
+              inherit (panelConfig.initialUser) username email displayName;
+              # FIXME: disgusting, but nvm, this is going to be replaced by
+              # proper central authentication at some point
+              passwordFile = pkgs.writeText "password" panelConfig.initialUser.password;
             };
-          }
-        );
-      })
 
-      (mkIf panelConfig.pixelfed.enable {
-        pixelfed-configuration = makeConfigurationResource pixelfedConfigurationResource (
-          { pkgs, ... }:
-          {
-            fediversity = {
-              inherit (panelConfig) domain;
-              temp.initialUser = {
-                inherit (panelConfig.initialUser) username email displayName;
-                # FIXME: disgusting, but nvm, this is going to be replaced by
-                # proper central authentication at some point
-                passwordFile = pkgs.writeText "password" panelConfig.initialUser.password;
-              };
-
-              pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
-                enable = true;
-              };
+            peertube = peertubeS3KeyConfig { inherit pkgs; } // {
+              enable = true;
+              ## NOTE: Only ever used for testing anyway.
+              ##
+              ## FIXME: Generate and store in NixOps4's state.
+              secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
             };
-          }
-        );
-      })
-    ];
+          };
+        }
+      );
+
+      pixelfed-configuration = makeConfigurationResource pixelfedConfigurationResource (
+        { pkgs, ... }:
+        mkIf panelConfig.pixelfed.enable {
+          fediversity = {
+            inherit (panelConfig) domain;
+            temp.initialUser = {
+              inherit (panelConfig.initialUser) username email displayName;
+              # FIXME: disgusting, but nvm, this is going to be replaced by
+              # proper central authentication at some point
+              passwordFile = pkgs.writeText "password" panelConfig.initialUser.password;
+            };
+
+            pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
+              enable = true;
+            };
+          };
+        }
+      );
+    };
 }

flake.nix

@@ -43,7 +43,10 @@
           pre-commit.settings.hooks =
             let
               ## Add a directory here if pre-commit hooks shouldn't apply to it.
-              optout = [ "npins" ];
+              optout = [
+                "npins"
+                "launch/.terraform"
+              ];
               excludes = map (dir: "^${dir}/") optout;
               addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
             in

infra/flake-part.nix

@@ -22,10 +22,26 @@ let
     { vmName, isTestVm }:
     {
       _module.args = { inherit inputs; };
-      imports = [
-        ./common/resource.nix
-        (if isTestVm then ./test-machines + "/${vmName}" else ./machines + "/${vmName}")
-      ];
+      imports =
+        [
+          ./common/resource.nix
+        ]
+        ++ (
+          if isTestVm then
+            [
+              ./test-machines/${vmName}
+              {
+                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
+                  # allow our panel vm access to the test machines
+                  (import ../keys).systems.fedi201
+                ];
+              }
+            ]
+          else
+            [
+              ./machines/${vmName}
+            ]
+        );
       fediversityVm.name = vmName;
     };
 

infra/machines/fedi201/fedipanel.nix

@@ -19,6 +19,24 @@ in
     enable = true;
     production = true;
     domain = "demo.fediversity.eu";
+    # FIXME: make it work without this duplication
+    settings =
+      let
+        cfg = config.services.${name};
+      in
+      {
+        STATIC_ROOT = "/var/lib/${name}/static";
+        DEBUG = false;
+        ALLOWED_HOSTS = [
+          cfg.domain
+          cfg.host
+          "localhost"
+          "[::1]"
+        ];
+        CSRF_TRUSTED_ORIGINS = [ "https://${cfg.domain}" ];
+        COMPRESS_OFFLINE = true;
+        LIBSASS_OUTPUT_STYLE = "compressed";
+      };
     secrets = {
       SECRET_KEY = config.age.secrets.panel-secret-key.path;
     };

infra/test-machines/test11/default.nix

@@ -0,0 +1,19 @@
+{
+  fediversityVm = {
+    vmId = 7011;
+    proxmox = "fediversity";
+
+    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
+    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
+
+    domain = "abundos.eu";
+    ipv4 = {
+      address = "95.215.187.61";
+      gateway = "95.215.187.1";
+    };
+    ipv6 = {
+      address = "2a00:51c0:13:1305::61";
+      gateway = "2a00:51c0:13:1305::1";
+    };
+  };
+}

infra/test-machines/test11/ssh_host_ed25519_key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCWc7GuMI3Gzkj+mSep6MVbKDccS52jVw+nBs27yFCGVgAAAIhCymnvQspp
+7wAAAAtzc2gtZWQyNTUxOQAAACCWc7GuMI3Gzkj+mSep6MVbKDccS52jVw+nBs27yFCGVg
+AAAEAvr1aiy0DIjgdLH9bBq9uD4pf8Wakgqr34oWDPB2/E75Zzsa4wjcbOSP6ZJ6noxVso
+NxxLnaNXD6cGzbvIUIZWAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----

infra/test-machines/test11/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZzsa4wjcbOSP6ZJ6noxVsoNxxLnaNXD6cGzbvIUIZW

infra/test-machines/test12/default.nix

@@ -0,0 +1,19 @@
+{
+  fediversityVm = {
+    vmId = 7012;
+    proxmox = "fediversity";
+
+    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
+    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
+
+    domain = "abundos.eu";
+    ipv4 = {
+      address = "95.215.187.62";
+      gateway = "95.215.187.1";
+    };
+    ipv6 = {
+      address = "2a00:51c0:13:1305::62";
+      gateway = "2a00:51c0:13:1305::1";
+    };
+  };
+}

infra/test-machines/test12/ssh_host_ed25519_key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBuvrzv3i07NFxONsNP7uJmefebrBhfo0pwzmC3NCAOZwAAAIiA+nIugPpy
+LgAAAAtzc2gtZWQyNTUxOQAAACBuvrzv3i07NFxONsNP7uJmefebrBhfo0pwzmC3NCAOZw
+AAAEDkpXNePQeHnf4vkDkhZI/ab9Ds2igfY0a5U1p4PrEmvm6+vO/eLTs0XE42w0/u4mZ5
+95usGF+jSnDOYLc0IA5nAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----

infra/test-machines/test12/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6+vO/eLTs0XE42w0/u4mZ595usGF+jSnDOYLc0IA5n

infra/test-machines/test13/default.nix

@@ -0,0 +1,19 @@
+{
+  fediversityVm = {
+    vmId = 7013;
+    proxmox = "fediversity";
+
+    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
+    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
+
+    domain = "abundos.eu";
+    ipv4 = {
+      address = "95.215.187.63";
+      gateway = "95.215.187.1";
+    };
+    ipv6 = {
+      address = "2a00:51c0:13:1305::63";
+      gateway = "2a00:51c0:13:1305::1";
+    };
+  };
+}

infra/test-machines/test13/ssh_host_ed25519_key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACATzdyp4E+PX6lDfw2CmezguYn/lPgbpI+NUbmseEwAgwAAAIi2z3O2ts9z
+tgAAAAtzc2gtZWQyNTUxOQAAACATzdyp4E+PX6lDfw2CmezguYn/lPgbpI+NUbmseEwAgw
+AAAEDj2sn4VJhBL2a7j41mjdMWIdJ/u1betSxZ393lNd3+pBPN3KngT49fqUN/DYKZ7OC5
+if+U+Bukj41Ruax4TACDAAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----

infra/test-machines/test13/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBPN3KngT49fqUN/DYKZ7OC5if+U+Bukj41Ruax4TACD

infra/test-machines/test14/default.nix

@@ -0,0 +1,19 @@
+{
+  fediversityVm = {
+    vmId = 7014;
+    proxmox = "fediversity";
+
+    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
+    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
+
+    domain = "abundos.eu";
+    ipv4 = {
+      address = "95.215.187.64";
+      gateway = "95.215.187.1";
+    };
+    ipv6 = {
+      address = "2a00:51c0:13:1305::64";
+      gateway = "2a00:51c0:13:1305::1";
+    };
+  };
+}

infra/test-machines/test14/ssh_host_ed25519_key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACB028Q86t8RXi7617OrckxNPKNwnpGGZqhXhppHB5n9tQAAAIhfhYlCX4WJ
+QgAAAAtzc2gtZWQyNTUxOQAAACB028Q86t8RXi7617OrckxNPKNwnpGGZqhXhppHB5n9tQ
+AAAEAualLRodpovSzGAhza2OVvg5Yp8xv3A7xUNNbKsMTKSHTbxDzq3xFeLvrXs6tyTE08
+o3CekYZmqFeGmkcHmf21AAAAAAECAwQF
+-----END OPENSSH PRIVATE KEY-----

infra/test-machines/test14/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTbxDzq3xFeLvrXs6tyTE08o3CekYZmqFeGmkcHmf21

launch/.envrc

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+
+# shellcheck shell=bash
+if type -P lorri &>/dev/null; then
+  eval "$(lorri direnv --flake .)"
+else
+  echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
+  use flake
+fi

launch/.gitignore

@@ -0,0 +1,4 @@
+.auto.tfvars.json
+.terraform/
+.terraform.tfstate.lock.info
+terraform.tfstate*

launch/.terraform.lock.hcl

@@ -0,0 +1,16 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/external" {
+  version = "2.3.4"
+  hashes = [
+    "h1:HfVaWMC7Tz+tRfoWZtGCX2MATcgX3HsexoirWdi/voo=",
+  ]
+}
+
+provider "registry.opentofu.org/hashicorp/null" {
+  version = "3.2.3"
+  hashes = [
+    "h1:qTlGDGC3RmXIPLgwsIh4LHG/DrAR6T6L+Wn6egnQnwE=",
+  ]
+}

launch/README.md

@@ -0,0 +1,19 @@
+# service deployment
+
+## usage
+
+### updating TF modules
+
+```sh
+$ npins update nixos-anywhere
+$ cd launch/
+$ echo "{\"nixos-anywhere\": $(nix-instantiate --eval --json -E '(import ../npins).nixos-anywhere.outPath')}" > .auto.tfvars.json
+```
+
+### local development
+
+```sh
+$ nix-shell
+$ rm -rf .terraform/
+$ tofu init
+```

launch/default.nix

@@ -0,0 +1,31 @@
+{
+  system ? builtins.currentSystem,
+  sources ? import ../npins,
+  inputs ? import sources.flake-inputs {
+    root = ../.;
+  },
+  # match the same version of opentofu that is deployed by the root flake
+  pkgs ? import inputs.nixpkgs {
+    inherit system;
+  },
+}:
+let
+  inherit (pkgs) lib;
+in
+{
+  shell = pkgs.mkShellNoCC {
+    packages = [
+      pkgs.npins
+      pkgs.jq # implicit dep of nixos-anywhere TF: https://github.com/nix-community/nixos-anywhere/issues/416
+      (import ./tf.nix { inherit lib pkgs; })
+    ];
+  };
+
+  # re-export inputs so they can be overridden granularly
+  # (they can't be accessed from the outside any other way)
+  inherit
+    sources
+    system
+    pkgs
+    ;
+}

launch/garage.nix

@@ -0,0 +1,37 @@
+let
+  ## NOTE: All of these secrets are publicly available in this source file
+  ## and will end up in the Nix store. We don't care as they are only ever
+  ## used for testing anyway.
+  ##
+  ## FIXME: Generate and store in NixOps4's state.
+  mastodonS3KeyConfig =
+    { pkgs, ... }:
+    {
+      s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
+      s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
+    };
+  peertubeS3KeyConfig =
+    { pkgs, ... }:
+    {
+      s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
+      s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
+    };
+  pixelfedS3KeyConfig =
+    { pkgs, ... }:
+    {
+      s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
+      s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
+    };
+in
+import ./shared.nix {
+  module =
+    { pkgs, ... }:
+    {
+      fediversity = {
+        garage.enable = true;
+        pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
+        mastodon = mastodonS3KeyConfig { inherit pkgs; };
+        peertube = peertubeS3KeyConfig { inherit pkgs; };
+      };
+    };
+}

launch/main.tf

@@ -0,0 +1,92 @@
+variable "nixos-anywhere" {
+  type = string
+}
+
+variable "domain" {
+  type = string
+  default = "fediversity.net"
+}
+
+variable "mastodon" {
+  type = object({
+    enable = bool
+  })
+  default = {
+    enable = false
+  }
+}
+
+variable "pixelfed" {
+  type = object({
+    enable = bool
+  })
+  default = {
+    enable = false
+  }
+}
+
+variable "peertube" {
+  type = object({
+    enable = bool
+  })
+  default = {
+    enable = false
+  }
+}
+
+variable "initialUser" {
+  type = object({
+    displayName = string
+    username = string
+    email = string
+    # TODO: mark (nested) credentials as sensitive
+    # https://discuss.hashicorp.com/t/is-it-possible-to-mark-an-attribute-of-an-object-as-sensitive/24649/2
+    password = string
+  })
+  default = {
+    displayName = "Testy McTestface"
+    username = "test"
+    email = "test@test.com"
+    password = "testtest"
+  }
+}
+
+# module "garage" {
+#   source = "./vm"
+#   count = var.mastodon.enable || var.pixelfed.enable || var.peertube.enable ? 1 : 0
+#   domain = var.domain
+#   hostname = "test01"
+#   config = "garage"
+#   initialUser = var.initialUser
+#   nixos-anywhere = var.nixos-anywhere
+# }
+
+module "mastodon" {
+  source = "./vm"
+  count = var.mastodon.enable ? 1 : 0
+  domain = var.domain
+  hostname = "test02"
+  config = "mastodon"
+  initialUser = var.initialUser
+  nixos-anywhere = var.nixos-anywhere
+}
+
+module "pixelfed" {
+  source = "./vm"
+  count = var.pixelfed.enable ? 1 : 0
+  domain = var.domain
+  hostname = "test04"
+  config = "pixelfed"
+  initialUser = var.initialUser
+  nixos-anywhere = var.nixos-anywhere
+}
+
+module "peertube" {
+  source = "./vm"
+  count = var.peertube.enable ? 1 : 0
+  domain = var.domain
+  hostname = "test03"
+  config = "peertube"
+  initialUser = var.initialUser
+  nixos-anywhere = var.nixos-anywhere
+}

launch/mastodon.nix

@@ -0,0 +1,20 @@
+let
+  mastodonS3KeyConfig =
+    { pkgs, ... }:
+    {
+      s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
+      s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
+    };
+in
+import ./shared.nix {
+  module =
+    { pkgs, ... }:
+    {
+      fediversity = {
+        mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
+          enable = true;
+        };
+        temp.cores = 1; # FIXME: should come from NixOps4 eventually
+      };
+    };
+}

launch/pass-ssh-key.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+export host="$host"
+
+mkdir -p etc/ssh
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+for keyname in ssh_host_ed25519_key ssh_host_ed25519_key.pub; do
+  if [[ $keyname == *.pub ]]; then
+    umask 0133
+  else
+    umask 0177
+  fi
+  cp "$SCRIPT_DIR/../infra/test-machines/${host}/${keyname}" ./etc/ssh/${keyname}
+done

launch/peertube.nix

@@ -0,0 +1,23 @@
+let
+  peertubeS3KeyConfig =
+    { pkgs, ... }:
+    {
+      s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
+      s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
+    };
+in
+import ./shared.nix {
+  module =
+    { pkgs, ... }:
+    {
+      fediversity = {
+        peertube = peertubeS3KeyConfig { inherit pkgs; } // {
+          enable = true;
+          ## NOTE: Only ever used for testing anyway.
+          ##
+          ## FIXME: Generate and store in NixOps4's state.
+          secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
+        };
+      };
+    };
+}

launch/pixelfed.nix

@@ -0,0 +1,19 @@
+let
+  pixelfedS3KeyConfig =
+    { pkgs, ... }:
+    {
+      s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
+      s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
+    };
+in
+import ./shared.nix {
+  module =
+    { pkgs, ... }:
+    {
+      fediversity = {
+        pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
+          enable = true;
+        };
+      };
+    };
+}

launch/resource.nix

@@ -0,0 +1,41 @@
+{
+  lib,
+  config,
+  ...
+}:
+
+let
+  inherit (lib) attrValues elem mkDefault;
+  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
+  inherit (lib.strings) removeSuffix;
+
+  secretsPrefix = ../secrets;
+  secrets = import (secretsPrefix + "/secrets.nix");
+  keys = import ../keys;
+
+in
+{
+  fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};
+
+  ## The configuration of the machine. We strive to keep in this file only the
+  ## options that really need to be injected from the resource. Everything else
+  ## should go into the `./nixos` subdirectory.
+  imports = [
+    ../infra/common/options.nix
+    ../infra/common/nixos
+  ];
+
+  ## Read all the secrets, filter the ones that are supposed to be readable
+  ## with this host's public key, and add them correctly to the configuration
+  ## as `age.secrets.<name>.file`.
+  age.secrets = concatMapAttrs (
+    name: secret:
+    optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) {
+      ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+    }
+  ) secrets;
+
+  ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
+  ## supports users with password-less sudo.
+  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+}

launch/shared.nix

@@ -0,0 +1,45 @@
+{
+  system ? "x86_64-linux",
+  sources ? import ../npins,
+  pkgs ? import sources.nixpkgs {
+    inherit system;
+    config = { };
+    overlays = [ (import ../panel/nix/overlay.nix) ];
+  },
+  module,
+  ...
+}:
+import "${sources.nixpkgs}/nixos/lib/eval-config.nix" {
+  modules = [
+    "${sources.disko}/module.nix"
+    "${sources.agenix}/modules/age.nix"
+    ../services/fediversity
+    ./resource.nix
+    # FIXME: get VM details from TF
+    module
+    (
+      {
+        terraform,
+        ...
+      }:
+      let
+        inherit (terraform) hostname;
+      in
+      {
+        imports = [
+          ../infra/test-machines/${hostname}
+        ];
+        fediversityVm.name = hostname;
+        fediversity = {
+          inherit (terraform) domain;
+          temp.initialUser = {
+            inherit (terraform.initialUser) username email displayName;
+            # FIXME: disgusting, but nvm, this is going to be replaced by
+            # proper central authentication at some point
+            passwordFile = pkgs.writeText "password" terraform.initialUser.password;
+          };
+        };
+      }
+    )
+  ];
+}

launch/shell.nix

@@ -0,0 +1 @@
+(import ./. { }).shell

launch/tf-env.nix

@@ -0,0 +1,36 @@
+{
+  lib,
+  pkgs,
+  sources ? import ../npins,
+  ...
+}:
+pkgs.stdenv.mkDerivation {
+  name = "tf-repo";
+  src = ../.;
+  buildInputs = [
+    (import ./tf.nix { inherit lib pkgs; })
+  ];
+  buildPhase = ''
+    runHook preBuild
+    pushd launch/
+
+    # pass nixos-anywhere path to TF through variable
+    # when switching TF to nix take this directly from `inputs`
+    # https://codeberg.org/kiara/e2ed-hetzner/commit/84b2a349d3e48ea2a17340bceff762d834fd4046
+    echo "{\"nixos-anywhere\": \"${sources.nixos-anywhere}\"}" > .auto.tfvars.json
+
+    # point to the relevant providers
+    tofu init -input=false
+
+    popd
+    runHook postBuild
+  '';
+  # FIXME: can the above even work without a connection?
+  installPhase = ''
+    runHook preInstall
+
+    cp -r . $out
+
+    runHook postInstall
+  '';
+}

launch/tf.nix

@@ -0,0 +1,25 @@
+# FIXME: use overlays so this gets imported just once?
+{
+  lib,
+  pkgs,
+  ...
+}:
+let
+  tofuProvider =
+    provider:
+    provider.override (oldArgs: {
+      provider-source-address =
+        lib.replaceStrings [ "https://registry.terraform.io/providers" ] [ "registry.opentofu.org" ]
+          oldArgs.homepage;
+    });
+  tf = pkgs.opentofu;
+  tfPlugins = (
+    p: [
+      p.null
+      p.external
+    ]
+  );
+in
+# tf.withPlugins tfPlugins
+# https://github.com/NixOS/nixpkgs/pull/358522
+tf.withPlugins (p: pkgs.lib.lists.map tofuProvider (tfPlugins p))

launch/vm/main.tf

@@ -0,0 +1,51 @@
+variable "nixos-anywhere" {
+  type = string
+}
+
+variable "domain" {
+  type = string
+}
+
+variable "hostname" {
+  type = string
+}
+
+variable "config" {
+  type = string
+}
+
+variable "initialUser" {
+  type = object({
+    displayName = string
+    username = string
+    password = string
+    email = string
+  })
+}
+
+module "deploy" {
+  # source = "github.com/nix-community/nixos-anywhere//terraform/all-in-one"
+  source = "${var.nixos-anywhere}//terraform/all-in-one"
+  file                   = "${path.module}/../${var.config}.nix"
+  nixos_system_attr      = "config.system.build.toplevel"
+  nixos_partitioner_attr = "config.system.build.diskoScript"
+  # when instance id changes, it will trigger a reinstall
+  instance_id = var.hostname
+  target_user = "root"
+  target_host = "${var.hostname}.abundos.eu"
+  extra_files_script = "${path.module}/../pass-ssh-key.sh"
+  extra_environment = {
+    host = var.hostname
+  }
+  special_args = {
+    terraform = {
+      domain = var.domain
+      hostname = var.hostname
+      initialUser = var.initialUser
+    }
+  }
+  nix_options = {
+    show-trace = true
+  }
+  # build_on_remote = true
+}

npins/sources.json

@@ -1,5 +1,44 @@
 {
   "pins": {
+    "agenix": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "ryantm",
+        "repo": "agenix"
+      },
+      "branch": "main",
+      "revision": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
+      "url": "https://github.com/ryantm/agenix/archive/e600439ec4c273cf11e06fe4d9d906fb98fa097c.tar.gz",
+      "hash": "006ngydiykjgqs85cl19h9klq8kaqm5zs0ng51dnwy7nzgqxzsdr"
+    },
+    "disko": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "disko"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "version": "v1.11.0",
+      "revision": "cdf8deded8813edfa6e65544f69fdd3a59fa2bb4",
+      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.11.0",
+      "hash": "13brimg7z7k9y36n4jc1pssqyw94nd8qvgfjv53z66lv4xkhin92"
+    },
+    "flake-inputs": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "fricklerhandwerk",
+        "repo": "flake-inputs"
+      },
+      "branch": "main",
+      "revision": "559574c9cbb8af262f3944b67d60fbf0f6ad03c3",
+      "url": "https://github.com/fricklerhandwerk/flake-inputs/archive/559574c9cbb8af262f3944b67d60fbf0f6ad03c3.tar.gz",
+      "hash": "0gbhmp6x2vdzvfnsvqzal3g8f8hx2ia6r73aibc78kazf78m67x6"
+    },
     "htmx": {
       "type": "GitRelease",
       "repository": {
@@ -27,12 +66,24 @@
       "url": "https://github.com/nix-community/nix-unit/archive/2071bbb765681ac3d8194ec560c8b27ff2a3b541.tar.gz",
       "hash": "0blz1kcmn9vnr9q3iqp2mv13hv3pdccljmmc54f8j7ybf5v0wgmp"
     },
+    "nixos-anywhere": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "KiaraGrouwstra",
+        "repo": "nixos-anywhere"
+      },
+      "branch": "special-args-nested-flake-fixed",
+      "revision": "5aa35145f045eb23fa8773821d5626bcf54dbe0e",
+      "url": "https://github.com/KiaraGrouwstra/nixos-anywhere/archive/5aa35145f045eb23fa8773821d5626bcf54dbe0e.tar.gz",
+      "hash": "0m67iyd04wl183il1cfi623xpxcvbbpc5x1gh74478qc3fgr0g54"
+    },
     "nixpkgs": {
       "type": "Channel",
       "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre711046.8edf06bea5bc/nixexprs.tar.xz",
-      "hash": "1mwsn0rvfm603svrq3pca4c51zlix5gkyr4gl6pxhhq3q6xs5s8y"
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre777917.b7ba7f9f45c5/nixexprs.tar.xz",
+      "hash": "0jb6b7sv66bn06pchj2l88z0i5dlz0c2vb3z6pjjlq2p8q11zigg"
     }
   },
   "version": 3
-}
+}

panel/default.nix

@@ -20,11 +20,18 @@ in
       pkgs.npins
       manage
     ];
-    env = import ./env.nix { inherit lib pkgs; } // {
-      NPINS_DIRECTORY = toString ../npins;
-      CREDENTIALS_DIRECTORY = toString ./.credentials;
-      DATABASE_URL = "sqlite:///${toString ./src}/db.sqlite3";
-    };
+    env =
+      let
+        inherit (builtins) toString;
+      in
+      import ./env.nix { inherit lib pkgs; }
+      // {
+        NPINS_DIRECTORY = toString ../npins;
+        CREDENTIALS_DIRECTORY = toString ./.credentials;
+        DATABASE_URL = "sqlite:///${toString ./src}/db.sqlite3";
+        # locally: use a fixed relative reference, so we can use our newest files without copying to the store
+        REPO_DIR = toString ../.;
+      };
     shellHook = ''
       ln -sf ${sources.htmx}/dist/htmx.js src/panel/static/htmx.min.js
       # in production, secrets are passed via CREDENTIALS_DIRECTORY by systemd.

panel/env.nix

@@ -3,16 +3,14 @@
   pkgs,
   ...
 }:
-let
-  inherit (builtins) toString;
-in
 {
-  REPO_DIR = toString ../.;
-  # explicitly use nix, as e.g. lix does not have configurable-impure-env
   BIN_PATH = lib.makeBinPath [
-    # explicitly use nix, as e.g. lix does not have configurable-impure-env
-    pkgs.nix
-    # nixops error maybe due to our flake git hook: executing 'git': No such file or directory
+    pkgs.lix
+    pkgs.bash
+    pkgs.coreutils
+    pkgs.openssh
     pkgs.git
+    pkgs.jq # implicit dep of nixos-anywhere TF: https://github.com/nix-community/nixos-anywhere/issues/416
+    (import ../launch/tf.nix { inherit lib pkgs; })
   ];
 }

panel/nix/configuration.nix

@@ -29,6 +29,7 @@ let
       ((pkgs.formats.pythonVars { }).generate "settings.py" cfg.settings)
       (builtins.toFile "extra-settings.py" cfg.extra-settings)
     ];
+    REPO_DIR = import ../../launch/tf-env.nix { inherit lib pkgs; };
   };
 
   python-environment = pkgs.python3.withPackages (

panel/nix/package.nix

@@ -1,5 +1,6 @@
 {
   lib,
+  pkgs,
   sqlite,
   python3,
   sources ? import ../../npins,
@@ -11,7 +12,7 @@ let
       root = ../src;
       fileset = intersection (gitTracked ../../.) ../src;
     };
-  pyproject = with lib; fromTOML pyproject-toml;
+  pyproject = fromTOML pyproject-toml;
   # TODO: define this globally
   name = "panel";
   # TODO: we may want this in a file so it's easier to read statically
@@ -58,7 +59,9 @@ python3.pkgs.buildPythonPackage {
     mkdir -p $out/bin
     cp -v ${src}/manage.py $out/bin/manage.py
     chmod +x $out/bin/manage.py
-    wrapProgram $out/bin/manage.py --prefix PYTHONPATH : "$PYTHONPATH"
+    wrapProgram $out/bin/manage.py \
+      --set REPO_DIR "${import ../../launch/tf-env.nix { inherit lib pkgs; }}" \
+      --prefix PYTHONPATH : "$PYTHONPATH"
     cp ${sources.htmx}/dist/htmx.min.js* $out/${python3.sitePackages}/panel/static/
   '';
 }

panel/src/panel/settings.py

@@ -10,7 +10,9 @@ For the full list of settings and their values, see
 https://docs.djangoproject.com/en/4.2/ref/settings/
 """
 
+import re
 import sys
+import subprocess
 import os
 import importlib.util
 import dj_database_url
@@ -18,6 +20,8 @@ import dj_database_url
 from os import environ as env
 from pathlib import Path
 
+STORE_PATTERN = re.compile("^/nix/store/[^/]+$")
+
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
 
@@ -171,6 +175,54 @@ COMPRESS_PRECOMPILERS = [
 
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
 
+LOGGING = {
+    "version": 1,
+    "disable_existing_loggers": False,
+    "filters": {
+        "require_debug_false": {
+            "()": "django.utils.log.RequireDebugFalse",
+        },
+        "require_debug_true": {
+            "()": "django.utils.log.RequireDebugTrue",
+        },
+    },
+    "formatters": {
+        "django.server": {
+            "()": "django.utils.log.ServerFormatter",
+            "format": "[{server_time}] {message}",
+            "style": "{",
+        }
+    },
+    "handlers": {
+        "console": {
+            "level": "INFO",
+            # "filters": ["require_debug_true"],
+            "class": "logging.StreamHandler",
+        },
+        "django.server": {
+            "level": "INFO",
+            "class": "logging.StreamHandler",
+            "formatter": "django.server",
+        },
+        "mail_admins": {
+            "level": "ERROR",
+            "filters": ["require_debug_false"],
+            "class": "django.utils.log.AdminEmailHandler",
+        },
+    },
+    "loggers": {
+        "django": {
+            "handlers": ["console", "mail_admins"],
+            "level": "INFO",
+        },
+        "django.server": {
+            "handlers": ["django.server"],
+            "level": "INFO",
+            "propagate": False,
+        },
+    },
+}
+
 # Customization via user settings
 # This must be at the end, as it must be able to override the above
 # TODO(@fricklerhandwerk):

panel/src/panel/templates/partials/deployment_result.html

@@ -1,13 +1,15 @@
-{% if deployment_status %}
-  <p>{{ deployment_status }}</p>
+{% if deployment_succeeded %}
+  <p>Deployment Succeeded</p>
 
   <ul>
-  {% for service, state in services.items %}
-    {% if state %}
+  {% for service_name, service_meta in services.items %}
+    {% if service_meta.enable %}
     <li>
-        ✓ {{ service }}
+        ✓ <a target="_blank" href={{ service_meta.url }}>{{ service_name }}</a>
     </li>
     {% endif %}
   {% endfor %}
   </ul>
+{% else %}
+  <p>Deployment Failed</p>
 {% endif %}

panel/src/panel/views.py

@@ -1,5 +1,6 @@
 from enum import Enum
 import json
+from os.path import expanduser
 import subprocess
 import os
 
@@ -102,18 +103,24 @@ class DeploymentStatus(ConfigurationForm):
         # Check for deploy button
         if "deploy" in self.request.POST.keys():
             deployment_result, deployment_params = self.deployment(obj)
-            if deployment_result.returncode == 0:
-                deployment_status = "Deployment Succeeded"
-            else:
-                deployment_status = "Deployment Failed"
+            deployment_succeeded = deployment_result.returncode == 0
 
         return render(self.request, "partials/deployment_result.html", {
-            "deployment_status": deployment_status,
+            "deployment_succeeded": deployment_succeeded,
             "services": {
-                "peertube": deployment_params['peertube']['enable'],
-                "pixelfed": deployment_params['pixelfed']['enable'],
-                "mastodon": deployment_params['mastodon']['enable']
-                }
+                "peertube": {
+                    "enable": deployment_params['peertube']['enable'],
+                    "url": f"https://peertube.{deployment_params['domain']}",
+                    },
+                "pixelfed":{
+                    "enable": deployment_params['pixelfed']['enable'],
+                    "url": f"https://pixelfed.{deployment_params['domain']}",
+                    },
+                "mastodon": {
+                    "enable": deployment_params['mastodon']['enable'],
+                    "url": f"https://mastodon.{deployment_params['domain']}",
+                    },
+                },
             })
 
     def deployment(self, obj):
@@ -128,25 +135,28 @@ class DeploymentStatus(ConfigurationForm):
             },
         }
         # serialize back and forth now we still need to manually inject the dummy user
-        deployment_params = json.dumps(dummy_user | json.loads(submission))
+        deployment_params = dummy_user | json.loads(submission)
         env = {
             "PATH": settings.bin_path,
+            # used in nixos-anywhere for ssh-copy-id to make `.ssh` in for ssh-copy-id.
+            # run thru subprocess, HOME points to the read-only `/var/empty`.
+            # in local dev, it will just reject the `/tmp` and make it in HOME after all.
+            "HOME": "/tmp",
+            "XDG_CACHE_HOME": "/tmp",
+        } | {
             # pass in form info to our deployment
-            "DEPLOYMENT": deployment_params,
+            # FIXME: ensure sensitive info is protected
+            f"TF_VAR_{k}": v if isinstance(v, str) else json.dumps(v) for k, v in deployment_params.items()
         }
+        cwd = f"{settings.repo_dir}/launch"
         cmd = [
-            "nix",
-            "develop",
-            "--extra-experimental-features",
-            "configurable-impure-env",
-            "--command",
-            "nixops4",
+            "tofu",
+            # f"-chdir={cwd}",
             "apply",
-            "test",
+            f"-state={cwd}/terraform.tfstate", # FIXME: separate users' state
+            "--auto-approve",
+            "-lock=false",
         ]
-        deployment_result = subprocess.run(
-            cmd,
-            cwd=settings.repo_dir,
-            env=env,
-        )
-        return deployment_result, json.loads(deployment_params)
+        deployment_result = subprocess.run(cmd, cwd=cwd, env=env)
+        print(deployment_result)
+        return deployment_result, deployment_params