mv out acme logic

Signed-off-by: Kiara Grouwstra <kiara@procolix.eu>

deployment/check/common/nixosTest.nix

@@ -82,39 +82,39 @@ in
 
     nodes =
       {
-        deployer = {
+        deployer = lib.mkMerge [
-          imports = [ ./deployerNode.nix ];
+          {
-          _module.args = { inherit inputs sources; };
+            imports = [ ./deployerNode.nix ];
-          enableAcme = config.enableAcme;
+            _module.args = { inherit inputs sources; };
-          acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
+            enableAcme = config.enableAcme;
+            acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
+          }
+          (lib.mkIf config.enableAcme {
+            security.acme = {
+              acceptTerms = true;
+              defaults.email = "test@test.com";
+              defaults.server = "https://acme.test/dir";
+            };
+            security.pki.certificateFiles = [
+              (import "${inputs.nixpkgs}/nixos/tests/common/acme/server/snakeoil-certs.nix").ca.cert
+            ];
+            networking.extraHosts = "${config.acmeNodeIP} acme.test";
+          })
+        ];
+        acme = lib.mkIf config.enableAcme {
+          ## FIXME: This makes `nodes.acme` into a local resolver. Maybe this will
+          ## break things once we play with DNS?
+          imports = [ "${inputs.nixpkgs}/nixos/tests/common/acme/server" ];
+          ## We aren't testing ACME - we just want certificates.
+          systemd.services.pebble.environment.PEBBLE_VA_ALWAYS_VALID = "1";
         };
       }
-
+      // genAttrs config.targetMachines (_: {
-      //
+        imports = [ ./targetNode.nix ];
-
+        _module.args = { inherit inputs sources; };
-        (
+        enableAcme = config.enableAcme;
-          if config.enableAcme then
+        acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
-            {
+      });
-              acme = {
-                ## FIXME: This makes `nodes.acme` into a local resolver. Maybe this will
-                ## break things once we play with DNS?
-                imports = [ "${inputs.nixpkgs}/nixos/tests/common/acme/server" ];
-                ## We aren't testing ACME - we just want certificates.
-                systemd.services.pebble.environment.PEBBLE_VA_ALWAYS_VALID = "1";
-              };
-            }
-          else
-            { }
-        )
-
-      //
-
-        genAttrs config.targetMachines (_: {
-          imports = [ ./targetNode.nix ];
-          _module.args = { inherit inputs sources; };
-          enableAcme = config.enableAcme;
-          acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
-        });
 
     testScript = ''
       ${forConcat (attrNames config.nodes) (n: ''

deployment/check/panel/nixosTest.nix

@@ -1,5 +1,4 @@
 {
-  inputs,
   lib,
   hostPkgs,
   config,
@@ -151,17 +150,6 @@ in
         (import ../../../panel { }).module
       ];
 
-      ## FIXME: This should be in the common stuff.
-      security.acme = {
-        acceptTerms = true;
-        defaults.email = "test@test.com";
-        defaults.server = "https://acme.test/dir";
-      };
-      security.pki.certificateFiles = [
-        (import "${inputs.nixpkgs}/nixos/tests/common/acme/server/snakeoil-certs.nix").ca.cert
-      ];
-      networking.extraHosts = "${config.acmeNodeIP} acme.test";
-
       services.panel = {
         enable = true;
         production = true;

deployment/data-model.nix

@@ -466,6 +466,7 @@ let
                   inherit sources system;
                   configuration = tf-host.config.nixos-configuration;
                 };
+                inherit (machine.config.boot.uki) name;
 
                 environment = {
                   key_file = key-file;
@@ -478,7 +479,7 @@ let
                   proxmox_password = proxmox-password;
                   ssh_user = username;
                   node_name = node-name;
-                  image = "${machine.config.system.build.image}/${machine.config.boot.uki.name}.raw";
+                  # image = "${machine.config.system.build.image}/${name}.raw";
                 };
                 tf-env = pkgs.callPackage ./run/tf-proxmox/tf-env.nix { };
                 proxmox-host = "192.168.51.81"; # root@fediversity-proxmox
@@ -511,7 +512,11 @@ let
                   # cp $tmpdir/${vm_name}_host_key.pub /mnt/etc/ssh/ssh_host_ed25519_key.pub
                   # chmod 644 /mnt/etc/ssh/ssh_host_ed25519_key.pub
 
+                  # .qcow2 is around half the size of .raw, on top of supporting backups - be it apparently at the cost of performance
+                  qemu-img convert -f raw -O qcow2 -C "${machine.config.system.build.image}/${name}.raw" /tmp/${name}.qcow2
+
                   env ${toString (lib.mapAttrsToList (k: v: "TF_VAR_${k}=\"${toBash v}\"") environment)} \
+                  TF_VAR_image=/tmp/${name}.qcow2 \
                   tf_env=${tf-env} bash ./deployment/run/tf-proxmox/run.sh
                 '';
           };

deployment/run/tf-proxmox/main.tf

@@ -8,7 +8,7 @@ terraform {
 }
 
 locals {
-  dump_name = "qemu-nixos-fediversity-${var.category}.raw"
+  dump_name = "qemu-nixos-fediversity-${var.category}.qcow2"
 }
 
 # https://registry.terraform.io/providers/bpg/proxmox/latest/docs
@@ -124,7 +124,7 @@ resource "proxmox_virtual_environment_vm" "nix_vm" {
   disk {
     # datastore_id = "linstor_storage"
     datastore_id = "local"
-    file_format  = "raw"
+    file_format  = "qcow2"
     interface    = "scsi0"
     discard      = "on"
     iothread     = true
@@ -142,7 +142,7 @@ resource "proxmox_virtual_environment_vm" "nix_vm" {
   efi_disk {
     # datastore_id = "linstor_storage"
     datastore_id = "local"
-    file_format  = "raw"
+    file_format  = "qcow2"
     type         = "4m"
   }
 

deployment/run/tf-proxmox/variables.tf

@@ -10,7 +10,11 @@ variable "ssh_user" {
 }
 
 variable "proxmox_user" {
-  description = "the ProxmoX user to use"
+  description = <<EOT
+    the ProxmoX user to use. needs privileges:
+    - `VM.Monitor`
+    - ...
+  EOT
   type = string
   default = "root@pam"
 }