update fedi203

This reverts commit 101717899e.

.forgejo/workflows/cd.yaml

@@ -1,24 +0,0 @@
-name: deploy-infra
-
-on:
-  workflow_dispatch: # allows manual triggering
-  push:
-    branches:
-      - main
-
-jobs:
-  deploy:
-    runs-on: native
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Set up SSH key for age secrets and SSH
-        run: |
-          env
-          mkdir -p ~/.ssh
-          echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-
-      - name: Deploy
-        run: nix-shell --run 'eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519 && SHELL=$(which bash) nixops4 apply -v default'

.forgejo/workflows/ci.yaml

@@ -1,58 +0,0 @@
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-  push:
-    branches:
-      - main
-
-jobs:
-  check-pre-commit:
-    runs-on: native
-    steps:
-      - uses: actions/checkout@v4
-      - run: nix-build -A tests
-
-  check-data-model:
-    runs-on: native
-    steps:
-      - uses: actions/checkout@v4
-      - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'
-
-  check-mastodon:
-    runs-on: native
-    steps:
-      - uses: actions/checkout@v4
-      - run: nix build .#checks.x86_64-linux.test-mastodon-service -L
-
-  check-peertube:
-    runs-on: native
-    steps:
-      - uses: actions/checkout@v4
-      - run: nix build .#checks.x86_64-linux.test-peertube-service -L
-
-  check-panel:
-    runs-on: native
-    steps:
-      - uses: actions/checkout@v4
-      - run: nix-build -A tests.panel
-
-  check-deployment-basic:
-    runs-on: native
-    steps:
-      - uses: actions/checkout@v4
-      - run: nix build .#checks.x86_64-linux.deployment-basic -L
-
-  check-deployment-cli:
-    runs-on: native
-    steps:
-      - uses: actions/checkout@v4
-      - run: nix build .#checks.x86_64-linux.deployment-cli -L
-
-  check-deployment-panel:
-    runs-on: native
-    steps:
-      - uses: actions/checkout@v4
-      - run: nix build .#checks.x86_64-linux.deployment-panel -L

.forgejo/workflows/update.yaml

@@ -1,24 +0,0 @@
-name: update-dependencies
-
-on:
-  workflow_dispatch: # allows manual triggering
-  # FIXME: re-enable when manual run works
-  # schedule:
-  #   - cron: '0 0 1 * *' # monthly
-
-jobs:
-  lockfile:
-    runs-on: native
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Update pins
-        run: nix-shell --run "npins --verbose update"
-      - name: Create PR
-        uses: https://github.com/KiaraGrouwstra/gitea-create-pull-request@f9f80aa5134bc5c03c38f5aaa95053492885b397
-        with:
-          remote-instance-api-version: v1
-          token: "${{ secrets.DEPLOY_KEY }}"
-          branch: npins-update
-          commit-message: "npins: update sources"
-          title: "npins: update sources"

.woodpecker/cd.yaml

@@ -0,0 +1,27 @@
+when:
+  - event: manual
+  - event: push
+    branch: main
+
+steps:
+  - name: build
+    image: nixos/nix
+    commands:
+      - whoami
+      - pwd
+      - ls
+      - env
+      - |
+        mkdir -p ~/.ssh
+        echo "$CD_SSH_KEY" > ~/.ssh/id_ed25519
+        ls -l ~/.ssh/id_ed25519
+        chmod 600 ~/.ssh/id_ed25519
+      - bash -c "strace -f -o ssh-agent.log ssh-agent -s"
+      - cat ssh-agent.log
+      - |
+        eval "$(ssh-agent -s)"
+        ssh-add ~/.ssh/id_ed25519
+      - nix-shell --run 'eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519 && ssh-agent -s && SHELL=$(which bash) nixops4 apply -v default'
+    environment:
+      CD_SSH_KEY:
+        from_secret: cd_ssh_key

.woodpecker/check-data-model.yaml

@@ -0,0 +1,11 @@
+when:
+  - event: manual
+  - event: pull_request
+  - event: push
+    branch: main
+
+steps:
+  - name: check-data-model
+    image: nixos/nix
+    commands:
+      - nix-shell --run 'nix-unit ./deployment/data-model-test.nix'

.woodpecker/check-deployment-basic.yaml

@@ -0,0 +1,11 @@
+when:
+  - event: manual
+  - event: pull_request
+  - event: push
+    branch: main
+
+steps:
+  - name: check-deployment-basic
+    image: nixos/nix
+    commands:
+      - nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.deployment-basic -L

.woodpecker/check-deployment-cli.yaml

@@ -0,0 +1,11 @@
+when:
+  - event: manual
+  - event: pull_request
+  - event: push
+    branch: main
+
+steps:
+  - name: check-deployment-cli
+    image: nixos/nix
+    commands:
+      - nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.deployment-cli -L

.woodpecker/check-deployment-panel.yaml

@@ -0,0 +1,11 @@
+when:
+  - event: manual
+  - event: pull_request
+  - event: push
+    branch: main
+
+steps:
+  - name: check-deployment-panel
+    image: nixos/nix
+    commands:
+      - nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.deployment-panel -L

.woodpecker/check-mastodon.yaml

@@ -0,0 +1,11 @@
+when:
+  - event: manual
+  - event: pull_request
+  - event: push
+    branch: main
+
+steps:
+  - name: check-mastodon
+    image: nixos/nix
+    commands:
+      - nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.test-mastodon-service -L

.woodpecker/check-panel.yaml

@@ -0,0 +1,11 @@
+when:
+  - event: manual
+  - event: pull_request
+  - event: push
+    branch: main
+
+steps:
+  - name: check-panel
+    image: nixos/nix
+    commands:
+      - nix-build -A tests.panel

.woodpecker/check-peertube.yaml

@@ -0,0 +1,11 @@
+when:
+  - event: manual
+  - event: pull_request
+  - event: push
+    branch: main
+
+steps:
+  - name: check-peertube
+    image: nixos/nix
+    commands:
+      - nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.test-peertube-service -L

.woodpecker/check-pre-commit.yaml

@@ -0,0 +1,11 @@
+when:
+  - event: manual
+  - event: pull_request
+  - event: push
+    branch: main
+
+steps:
+  - name: check-pre-commit
+    image: nixos/nix
+    commands:
+      - nix-build -A tests

.woodpecker/check-resources.yaml

@@ -0,0 +1,30 @@
+when:
+  - event: manual
+  - event: push
+    branch: main
+
+## NOTE: NixOps4 does not provide a good “dry run” mode, so we instead check
+## proxies for resources, namely whether their `.#vmOptions.<machine>` and
+## `.#nixosConfigurations.<machine>` outputs evaluate and build correctly, and
+## whether we can dry run `infra/proxmox-*.sh` on them. This will not catch
+## everything, and in particular not issues in how NixOps4 wires up the
+## resources, but that is still something.
+steps:
+  - name: check-resources
+    image: nixos/nix
+    commands:
+    - run: |
+        set -euC
+        echo ==================== [ VM Options ] ====================
+        machines=$(nix eval --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).vmOptions)')
+        for machine in $machines; do
+          echo ~~~~~~~~~~~~~~~~~~~~~: $machine :~~~~~~~~~~~~~~~~~~~~~
+          nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.vmOptions-$machine
+        done
+        echo
+        echo ==================== [ NixOS Configurations ] ====================
+        machines=$(nix eval --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).nixosConfigurations)')
+        for machine in $machines; do
+          echo ~~~~~~~~~~~~~~~~~~~~~: $machine :~~~~~~~~~~~~~~~~~~~~~
+          nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.nixosConfigurations-$machine
+        done

.woodpecker/update.yaml

@@ -0,0 +1,22 @@
+when:
+  - event: manual
+  # - event: cron
+  #   cron: updater
+
+steps:
+  - name: lockfile
+    image: nixos/nix
+    # image: nixos/nix
+    commands:
+      - nix-shell --run "npins --verbose update"
+      # - name: Create PR
+      #   uses: https://github.com/KiaraGrouwstra/gitea-create-pull-request@f9f80aa5134bc5c03c38f5aaa95053492885b397
+      #   with:
+      #     remote-instance-api-version: v1
+      #     token: "$DEPLOY_KEY"
+      #     branch: npins-update
+      #     commit-message: "npins: update sources"
+      #     title: "npins: update sources"
+    environment:
+      DEPLOY_KEY:
+        from_secret: deploy_key

deployment/check/common/deployerNode.nix

@@ -61,6 +61,7 @@ in
         sources.flake-parts
         sources.flake-inputs
         sources.git-hooks
+        sources.vars
 
         pkgs.stdenv
         pkgs.stdenvNoCC

deployment/check/common/nixosTest.nix

@@ -48,7 +48,8 @@ in
     extraTestScript = mkOption { };
 
     sourceFileset = mkOption {
-      ## REVIEW: Upstream to nixpkgs?
+      ## FIXME: grab `lib.types.fileset` from NixOS, once upstreaming PR
+      ## https://github.com/NixOS/nixpkgs/pull/428293 lands.
       type = types.mkOptionType {
         name = "fileset";
         description = "fileset";

infra/common/options.nix

@@ -20,16 +20,13 @@ in
       '';
     };
 
-    proxmox = mkOption {
-      type = types.nullOr (
-        types.enum [
-          "procolix"
-          "fediversity"
-        ]
-      );
+    isFediversityVm = mkOption {
+      type = types.bool;
       description = ''
-        The Proxmox instance. This is used for provisioning only and should be
-        set to `null` if the machine is not a VM.
+        Whether the machine is a Fediversity VM or not. This is used to
+        determine whether the machine should be provisioned via Proxmox or not.
+        Machines that are _not_ Fediversity VM could be physical machines, or
+        VMs that live outside Fediversity, eg. on Procolix's Proxmox.
       '';
     };
 

infra/common/proxmox-qemu-vm.nix

@@ -1,10 +1,14 @@
-{ sources, ... }:
+{ ... }:
+
 {
   _class = "nixos";
 
-  imports = [
-    "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
-  ];
+  ## FIXME: It would be nice, but the following leads to infinite recursion
+  ## in the way we currently plug `sources` in.
+  ##
+  # imports = [
+  #   "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+  # ];
 
   boot = {
     initrd = {

infra/common/resource.nix

@@ -2,7 +2,6 @@
   inputs,
   lib,
   config,
-  sources,
   keys,
   secrets,
   ...
@@ -33,10 +32,9 @@ in
   ## should go into the `./nixos` subdirectory.
   nixos.module = {
     imports = [
-      "${sources.agenix}/modules/age.nix"
-      "${sources.disko}/module.nix"
       ./options.nix
       ./nixos
+      ./proxmox-qemu-vm.nix
     ];
 
     ## Inject the shared options from the resource's `config` into the NixOS

infra/flake-part.nix

@@ -14,90 +14,57 @@ let
     mkOption
     evalModules
     filterAttrs
+    mapAttrs'
+    deepSeq
     ;
   inherit (lib.attrsets) genAttrs;
 
-  ## Given a machine's name and whether it is a test VM, make a resource module,
-  ## except for its missing provider. (Depending on the use of that resource, we
-  ## will provide a different one.)
-  makeResourceModule =
-    { vmName, isTestVm }:
-    {
-      nixos.module.imports = [
-        ./common/proxmox-qemu-vm.nix
-      ];
-
-      nixos.specialArgs = {
-        inherit
-          sources
-          inputs
-          keys
-          secrets
-          ;
-      };
-
-      imports =
-        [
-          ./common/resource.nix
-        ]
-        ++ (
-          if isTestVm then
-            [
-              ../machines/operator/${vmName}
-              {
-                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
-                  # allow our panel vm access to the test machines
-                  keys.panel
-                ];
-              }
-            ]
-          else
-            [
-              ../machines/dev/${vmName}
-            ]
-        );
-      fediversityVm.name = vmName;
+  commonResourceModule = {
+    # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch
+    # flake-parts and have our own data model for how the project is organised
+    # internally
+    _module.args = {
+      inherit
+        inputs
+        keys
+        secrets
+        sources
+        ;
     };
 
+    ## FIXME: It would be preferrable to have those `sources`-related imports in
+    ## the modules that use them. However, doing so triggers infinite recursions
+    ## because of the way we propagate `sources`. `sources` must be propagated by
+    ## means of `specialArgs`, but this requires a bigger change.
+    nixos.module.imports = [
+      "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+      "${sources.agenix}/modules/age.nix"
+      "${sources.disko}/module.nix"
+      "${sources.home-manager}/nixos"
+      "${sources.vars}/options.nix"
+      "${sources.vars}/backends/on-machine.nix"
+    ];
+
+    imports = [
+      ./common/resource.nix
+    ];
+  };
+
   ## Given a list of machine names, make a deployment with those machines'
   ## configurations as resources.
   makeDeployment =
     vmNames:
     { providers, ... }:
     {
-      # XXX: this type merge is for adding `specialArgs` to resource modules
-      options.resources = mkOption {
-        type =
-          with lib.types;
-          lazyAttrsOf (submoduleWith {
-            class = "nixops4Resource";
-            modules = [ ];
-            # TODO(@fricklerhandwerk): we may want to pass through all of `specialArgs`
-            # once we're sure it's sane. leaving it here for better control during refactoring.
-            specialArgs = {
-              inherit
-                sources
-                inputs
-                keys
-                secrets
-
-                ;
-            };
-          });
-      };
-      config = {
-        providers.local = inputs.nixops4.modules.nixops4Provider.local;
-        resources = genAttrs vmNames (vmName: {
-          type = providers.local.exec;
-          imports = [
-            inputs.nixops4-nixos.modules.nixops4Resource.nixos
-            (makeResourceModule {
-              inherit vmName;
-              isTestVm = false;
-            })
-          ];
-        });
-      };
+      providers.local = inputs.nixops4.modules.nixops4Provider.local;
+      resources = genAttrs vmNames (vmName: {
+        type = providers.local.exec;
+        imports = [
+          inputs.nixops4-nixos.modules.nixops4Resource.nixos
+          commonResourceModule
+          ../machines/dev/${vmName}
+        ];
+      });
     };
   makeDeployment' = vmName: makeDeployment [ vmName ];
 
@@ -112,21 +79,29 @@ let
         fediversity = import ../services/fediversity;
       }
       {
-        garageConfigurationResource = makeResourceModule {
-          vmName = "test01";
-          isTestVm = true;
+        garageConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test01
+          ];
         };
-        mastodonConfigurationResource = makeResourceModule {
-          vmName = "test06"; # somehow `test02` has a problem - use test06 instead
-          isTestVm = true;
+        mastodonConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test06 # somehow `test02` has a problem - use test06 instead
+          ];
         };
-        peertubeConfigurationResource = makeResourceModule {
-          vmName = "test05";
-          isTestVm = true;
+        peertubeConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test05
+          ];
         };
-        pixelfedConfigurationResource = makeResourceModule {
-          vmName = "test04";
-          isTestVm = true;
+        pixelfedConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test04
+          ];
         };
       };
 
@@ -139,54 +114,63 @@ let
     ## this is only needed to expose NixOS configurations for provisioning
     ## purposes, and eventually all of this should be handled by NixOps4.
     options = {
-      nixos.module = mkOption { }; # NOTE: not just `nixos` otherwise merging will go wrong
+      nixos.module = mkOption { type = lib.types.deferredModule; }; # NOTE: not just `nixos` otherwise merging will go wrong
       nixpkgs = mkOption { };
       ssh = mkOption { };
     };
   };
 
   makeResourceConfig =
-    vm:
+    { vmName, isTestVm }:
     (evalModules {
       modules = [
         nixops4ResourceNixosMockOptions
-        (makeResourceModule vm)
+        commonResourceModule
+        (if isTestVm then ../machines/operator/${vmName} else ../machines/dev/${vmName})
       ];
     }).config;
 
   ## Given a VM name, make a NixOS configuration for this machine.
   makeConfiguration =
     isTestVm: vmName:
-    let
-      inherit (sources) nixpkgs;
-    in
-    import "${nixpkgs}/nixos" {
-      modules = [
-        (makeResourceConfig { inherit vmName isTestVm; }).nixos.module
-      ];
+    import "${sources.nixpkgs}/nixos" {
+      configuration = (makeResourceConfig { inherit vmName isTestVm; }).nixos.module;
+      system = "x86_64-linux";
     };
 
-  makeVmOptions = isTestVm: vmName: {
-    inherit ((makeResourceConfig { inherit vmName isTestVm; }).fediversityVm)
-      proxmox
-      vmId
-      description
-
-      sockets
-      cores
-      memory
-      diskSize
-
-      hostPublicKey
-      unsafeHostPrivateKey
-      ;
-  };
+  makeVmOptions =
+    isTestVm: vmName:
+    let
+      config = (makeResourceConfig { inherit vmName isTestVm; }).fediversityVm;
+    in
+    if config.isFediversityVm then
+      {
+        inherit (config)
+          vmId
+          description
+          sockets
+          cores
+          memory
+          diskSize
+          hostPublicKey
+          unsafeHostPrivateKey
+          ;
+      }
+    else
+      null;
 
   listSubdirectories = path: attrNames (filterAttrs (_: type: type == "directory") (readDir path));
 
   machines = listSubdirectories ../machines/dev;
   testMachines = listSubdirectories ../machines/operator;
 
+  nixosConfigurations =
+    genAttrs machines (makeConfiguration false)
+    // genAttrs testMachines (makeConfiguration true);
+  vmOptions =
+    filterAttrs (_: value: value != null) # Filter out non-Fediversity VMs
+      (genAttrs machines (makeVmOptions false) // genAttrs testMachines (makeVmOptions true));
+
 in
 {
   _class = "flake";
@@ -210,10 +194,23 @@ in
       )
     );
   };
-  flake.nixosConfigurations =
-    genAttrs machines (makeConfiguration false)
-    // genAttrs testMachines (makeConfiguration true);
-  flake.vmOptions =
-    genAttrs machines (makeVmOptions false)
-    // genAttrs testMachines (makeVmOptions true);
+  flake = { inherit nixosConfigurations vmOptions; };
+
+  perSystem =
+    { pkgs, ... }:
+    {
+      checks =
+        mapAttrs' (name: nixosConfiguration: {
+          name = "nixosConfigurations-${name}";
+          value = nixosConfiguration.config.system.build.toplevel;
+        }) nixosConfigurations
+        // mapAttrs' (name: vmOptions: {
+          name = "vmOptions-${name}";
+          ## Check that VM options builds/evaluates correctly. `deepSeq e1
+          ## e2` evaluates `e1` strictly in depth before returning `e2`. We
+          ## use this trick because checks need to be derivations, which VM
+          ## options are not.
+          value = deepSeq vmOptions pkgs.hello;
+        }) vmOptions;
+    };
 }

infra/proxmox-provision.sh

@@ -179,15 +179,9 @@ grab_vm_options () {
     --log-format raw --quiet
   )
 
-  proxmox=$(echo "$options" | jq -r .proxmox)
   vm_id=$(echo "$options" | jq -r .vmId)
   description=$(echo "$options" | jq -r .description)
 
-  if [ "$proxmox" != fediversity ]; then
-    die "I do not know how to provision things that are not Fediversity VMs,
-but I got proxmox = '%s' for VM %s." "$proxmox" "$vm_name"
-  fi
-
   sockets=$(echo "$options" | jq -r .sockets)
   cores=$(echo "$options" | jq -r .cores)
   memory=$(echo "$options" | jq -r .memory)

infra/proxmox-remove.sh

@@ -167,16 +167,10 @@ grab_vm_options () {
       --log-format raw --quiet
     )
 
-    proxmox=$(echo "$options" | jq -r .proxmox)
     vm_id=$(echo "$options" | jq -r .vmId)
 
-    if [ "$proxmox" != fediversity ]; then
-      die "I do not know how to remove things that are not Fediversity VMs,
-  but I got proxmox = '%s' for VM %s." "$proxmox" "$vm_name"
-    fi
-
-    printf 'done grabing VM options for VM %s. Found VM %d on %s Proxmox.\n' \
-      "$vm_name" "$vm_id" "$proxmox"
+    printf 'done grabing VM options for VM %s. Got id: %d.\n' \
+      "$vm_name" "$vm_id"
   fi
 }
 

keys/systems/fedi203.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXsmZn4UykrnH5+ivq6+zqHeXa+Cgz3RjbDvE+689Hn root@fedi203

machines/dev/fedi200/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "fedi200";
+    isFediversityVm = true;
     vmId = 200;
-    proxmox = "fediversity";
     description = "Testing machine for Hans";
 
     domain = "abundos.eu";
@@ -16,10 +17,4 @@
       gateway = "2a00:51c0:13:1305::1";
     };
   };
-
-  nixos.module = {
-    imports = [
-      ../../../infra/common/proxmox-qemu-vm.nix
-    ];
-  };
 }

machines/dev/fedi201/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "fedi201";
+    isFediversityVm = true;
     vmId = 201;
-    proxmox = "fediversity";
     description = "FediPanel";
 
     domain = "abundos.eu";
@@ -19,7 +20,6 @@
 
   nixos.module = {
     imports = [
-      ../../../infra/common/proxmox-qemu-vm.nix
       ./fedipanel.nix
     ];
   };

machines/dev/fedi201/fedipanel.nix

@@ -1,6 +1,5 @@
 {
   config,
-  sources,
   ...
 }:
 let
@@ -11,7 +10,6 @@ in
 
   imports = [
     (import ../../../panel { }).module
-    "${sources.home-manager}/nixos"
   ];
 
   security.acme = {

machines/dev/fedi203/default.nix

@@ -0,0 +1,26 @@
+{
+  _class = "nixops4Resource";
+
+  fediversityVm = {
+    name = "fedi203";
+    isFediversityVm = true;
+    vmId = 203;
+    description = "woodpecker";
+
+    domain = "abundos.eu";
+    ipv4 = {
+      address = "95.215.187.203";
+      gateway = "95.215.187.1";
+    };
+    ipv6 = {
+      address = "2a00:51c0:13:1305::203";
+      gateway = "2a00:51c0:13:1305::1";
+    };
+  };
+
+  nixos.module = {
+    imports = [
+      ./woodpecker.nix
+    ];
+  };
+}

machines/dev/fedi203/woodpecker.nix

@@ -0,0 +1,242 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "something@fediversity.eu";
+  };
+
+  users.groups.woodpecker-agent-docker = { };
+
+  age.secrets =
+    lib.mapAttrs
+      (_: group: {
+        owner = "root";
+        inherit group;
+        mode = "440";
+      })
+      {
+        woodpecker-gitea-client = "woodpecker-server";
+        woodpecker-gitea-secret = "woodpecker-server";
+        woodpecker-agent-container = "woodpecker-agent-docker";
+      };
+
+  # needs `sudo generate-vars`
+  vars.settings.on-machine.enable = true;
+
+  vars.generators.woodpecker-agent-secret = {
+    runtimeInputs = [ pkgs.openssl ];
+    files.my-secret.secret = true;
+    script = ''
+      openssl rand -hex 32 > "$out"/my-secret
+    '';
+  };
+  vars.generators.woodpecker-rpc-secret = {
+    runtimeInputs = with pkgs; [
+      coreutils
+      bash
+    ];
+    files.rpc-secret.secret = true;
+    # wrap in bash command to prevent `vars`' pipefail aborting half-way
+    script = ''
+      bash -c "tr -dc 'A-Za-z0-9\!?%=' < /dev/urandom | head -c 32 > $out/rpc-secret"
+    '';
+  };
+
+  vars.generators.woodpecker =
+    let
+      fileNames = [
+        "woodpecker-gitea-client"
+        "woodpecker-gitea-secret"
+        "woodpecker-agent-container"
+      ];
+    in
+    {
+      runtimeInputs = [
+        pkgs.coreutils
+        pkgs.openssl
+      ];
+      files = lib.genAttrs fileNames (_: {
+        secret = true;
+      });
+      script = ''
+        ${lib.concatStringsSep "\n" (
+          lib.lists.map (file: ''cp ${config.age.secrets.${file}.path} "$out/"'') fileNames
+        )}
+      '';
+    };
+
+  # FIXME: make `WOODPECKER_AGENT_SECRET_FILE` work so i can just do the following again instead of using templates:
+  # `woodpecker-agents.agents.docker.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-docker.path;`
+  vars.generators."templates" = rec {
+    dependencies = [
+      "woodpecker"
+      "woodpecker-agent-secret"
+      "woodpecker-rpc-secret"
+    ];
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.gnused
+    ];
+    script = lib.concatStringsSep "\n" (
+      lib.mapAttrsToList (template: _: ''
+        cp "$templates/${template}" "$out/${template}"
+        echo "filling placeholders in template ${template}..."
+        ${lib.concatStringsSep "\n" (
+          lib.lists.map (dependency: ''
+            echo "filling placeholders in template ${template} from generator ${dependency}..."
+            ${lib.concatStringsSep "\n" (
+              lib.mapAttrsToList (
+                parent:
+                { placeholder, ... }:
+                ''
+                  sed -i "s/${placeholder}/$(cat "$in/${dependency}/${parent}")/g" "$out/${template}"
+                  echo "- substituted ${parent}"
+                ''
+              ) config.vars.generators.${dependency}.files
+            )}
+          '') dependencies
+        )}
+      '') files
+    );
+
+    files =
+      let
+        # https://woodpecker-ci.org/docs/administration/configuration/agent
+        shared = ''
+          WOODPECKER_SERVER=localhost:9000
+          WOODPECKER_USERNAME=x-oauth-basic
+          WOODPECKER_HOSTNAME=https://woodpecker.fediversity.eu
+          WOODPECKER_MAX_WORKFLOWS=4
+          WOODPECKER_LOG_LEVEL=info
+          WOODPECKER_DEBUG_PRETTY=false
+          WOODPECKER_DEBUG_NOCOLOR=true
+          WOODPECKER_HEALTHCHECK=false
+          WOODPECKER_GRPC_VERIFY=false
+          # TODO: fix
+          WOODPECKER_GRPC_SECURE=false
+        '';
+      in
+      {
+        # https://woodpecker-ci.org/docs/administration/configuration/server
+        "woodpecker-server.conf" = {
+          secret = true;
+          template = pkgs.writeText "woodpecker-server.conf" ''
+            WOODPECKER_DATABASE_DRIVER=sqlite3
+            WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
+            WOODPECKER_OPEN=false
+            WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols
+            WOODPECKER_HOST=https://woodpecker.fediversity.eu
+            WOODPECKER_GITEA=true
+            WOODPECKER_GITEA_URL=https://git.fediversity.eu
+            WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder}
+            WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder}
+            WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
+            WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder}
+            WOODPECKER_LOG_LEVEL=info
+            WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
+            WOODPECKER_SERVER_ADDR=:8000
+            WOODPECKER_GRPC_ADDR=:9000
+          '';
+        };
+        # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
+        "woodpecker-agent-podman.conf" = {
+          secret = true;
+          template = pkgs.writeText "woodpecker-agent-podman.conf" (
+            lib.concatStringsSep "\n" [
+              shared
+              ''
+                WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder}
+                WOODPECKER_BACKEND=docker
+                WOODPECKER_AGENT_LABELS=type=docker
+                DOCKER_HOST=unix:///run/podman/podman.sock
+              ''
+            ]
+          );
+        };
+      };
+  };
+
+  # enable git-lfs
+  programs.git = {
+    enable = true;
+    lfs.enable = true;
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      virtualHosts."woodpecker.fediversity.eu" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          recommendedProxySettings = true;
+          proxyPass = "http://127.0.0.1:8000";
+        };
+      };
+    };
+
+    woodpecker-server = {
+      enable = true;
+      environmentFile = config.vars.generators."templates".files."woodpecker-server.conf".path;
+    };
+
+    # https://woodpecker-ci.org/docs/administration/configuration/agent
+    woodpecker-agents.agents = {
+      docker = {
+        enable = true;
+        environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ];
+        extraGroups = [
+          "podman"
+          "woodpecker-agent-docker"
+        ];
+      };
+    };
+  };
+
+  networking = {
+    nftables.enable = lib.mkForce false;
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    22
+    80
+    443
+  ];
+
+  # This is needed for podman to be able to talk over dns
+  networking.firewall.interfaces."podman0" = {
+    allowedUDPPorts = [ 53 ];
+    allowedTCPPorts = [ 53 ];
+  };
+
+  virtualisation.podman = {
+    enable = true;
+    autoPrune = {
+      enable = true;
+      dates = "weekly";
+    };
+    defaultNetwork.settings = {
+      dns_enabled = true;
+      ipv6_enabled = true;
+      dns = "95.215.185.6";
+    };
+  };
+
+  systemd.services = {
+    woodpecker-agent-docker = lib.mkIf config.services.woodpecker-agents.agents.docker.enable {
+      wants = [ "podman.socket" ];
+      after = [ "podman.socket" ];
+      serviceConfig = {
+        SupplementaryGroups = [ "podman" ];
+      };
+    };
+  };
+}

machines/dev/forgejo-ci/default.nix

@@ -20,7 +20,9 @@ in
   ssh.host = mkForce "forgejo-ci";
 
   fediversityVm = {
+    name = "forgejo-ci";
     domain = "procolix.com";
+    isFediversityVm = false;
 
     ipv4 = {
       interface = "enp1s0f0";

machines/dev/vm02116/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "vm02116";
+    isFediversityVm = false;
     vmId = 2116;
-    proxmox = "procolix";
     description = "Forgejo";
 
     ipv4.address = "185.206.232.34";
@@ -14,7 +15,6 @@
     { lib, ... }:
     {
       imports = [
-        ../../../infra/common/proxmox-qemu-vm.nix
         ./forgejo.nix
       ];
 

machines/dev/vm02187/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "vm02187";
+    isFediversityVm = false;
     vmId = 2187;
-    proxmox = "procolix";
     description = "Wiki";
 
     ipv4.address = "185.206.232.187";
@@ -14,7 +15,6 @@
     { lib, ... }:
     {
       imports = [
-        ../../../infra/common/proxmox-qemu-vm.nix
         ./wiki.nix
       ];
 

machines/operator/test01/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test01";
+    isFediversityVm = true;
     vmId = 7001;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test02/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test02";
+    isFediversityVm = true;
     vmId = 7002;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test03/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test03";
+    isFediversityVm = true;
     vmId = 7003;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test04/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test04";
+    isFediversityVm = true;
     vmId = 7004;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test05/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test05";
+    isFediversityVm = true;
     vmId = 7005;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test06/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test06";
+    isFediversityVm = true;
     vmId = 7006;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test11/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test11";
+    isFediversityVm = true;
     vmId = 7011;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test12/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test12";
+    isFediversityVm = true;
     vmId = 7012;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test13/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test13";
+    isFediversityVm = true;
     vmId = 7013;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test14/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test14";
+    isFediversityVm = true;
     vmId = 7014;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

npins/sources.json

@@ -150,6 +150,19 @@
       "revision": "f33a4d26226c05d501b9d4d3e5e60a3a59991921",
       "url": "https://github.com/nixos/nixpkgs/archive/f33a4d26226c05d501b9d4d3e5e60a3a59991921.tar.gz",
       "hash": "1b6dm1sn0bdpcsmxna0zzspjaixa2dald08005fry5jrbjvwafdj"
+    },
+    "vars": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "kiaragrouwstra",
+        "repo": "vars"
+      },
+      "branch": "templates",
+      "submodules": false,
+      "revision": "2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b",
+      "url": "https://github.com/kiaragrouwstra/vars/archive/2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b.tar.gz",
+      "hash": "0rpxh85fizmmh7v2qvhp9jzrvcyv1yhl58zd1dk0hx33s77da84x"
     }
   },
   "version": 5

secrets/secrets.nix

@@ -33,5 +33,8 @@ concatMapAttrs
       wiki-basicauth-htpasswd = [ vm02187 ];
       wiki-password = [ vm02187 ];
       wiki-smtp-password = [ vm02187 ];
+      woodpecker-gitea-client = [ fedi203 ];
+      woodpecker-gitea-secret = [ fedi203 ];
+      woodpecker-agent-container = [ fedi203 ];
     }
   )

secrets/woodpecker-agent-container.age

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 Jpc21A dmuwKZGPiV0w63FiPsrzxuz/1y4aELf+jyuGb9TgIGE
+jdjfB3PjnVSj7jMeHERUR5+5E/uE0vru2LNlcvoVbiI
+-> ssh-ed25519 BAs8QA 6ilWMbEKJpuUW4jeICOp6+HL8aGZNbZJKS4YZQPy8Qs
+WaBuM8AoTyEsP8tLVCC1ydzqra30owTNiLzW/NmkGnA
+-> ssh-ed25519 ofQnlg hvehgQJismUqdvijHb8nRBgwG+h2wDOMUcA5yMxkrm0
+YO4HMM/sdu+Ivod9Xdlp7/K5BJNGXn1kodMidvi4uBs
+-> ssh-ed25519 COspvA wnbcBB4eFWyn8fNhozukx0v91UFZjJ2ZkYxpv1IIDVE
+bSRztMyqhKOZWdMZ1xENrbpjy0xzFcmO2H0nnXsEaL4
+-> ssh-ed25519 2XrTgw nsZ+enHBMnwwDxdHmz24F0sZuygD3B+qcBWxevW+QiA
+JHD7nELVQ+1Wdb6K7Vb9sjjnhpzA4A/wsYndNcXuI3I
+-> ssh-ed25519 awJeHA CbO98cwZcQ3mbxdgyP5qciSOyiSZQGYDcJ8J63lSCwM
+mvT1YGmh2L69nC+3GX4XHDR6iMm+jcYa+XEObK9ns+s
+-> ssh-ed25519 S1E+mw cccPtYgWJBNgHwGQu3vzEgMn5v0EvzJlOlv86fl0fVw
+DN9gV3vrBg0UfInnGPY6Cl85hO2vHgF47jh9Nb8lSOw
+-> ssh-ed25519 i+ecmQ tpm0UDCaQxW3TLOg7SfE+UGWV27jkG7ULx5bGdrvKhM
+83X2o9uq9zWd31+E/VNbJ/4kPtTitI8ztCTSBXr75uA
+--- 3Yqn1vV91q02NO8NejPOBCPiV2389IaIrHviJl7IJIc
+„vƒYôw6
+½NXôž}NϤüP“DÀ‰’)Ǧô@¶ñ˜zA<7A>qN<71>ê@/œ¢–Ç{PÄ<ioG¦^‚ôÅ{£rÇ1mdîÒ6Câ·]²û&¼“ô}

secrets/woodpecker-gitea-client.age

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 Jpc21A +2jGhw/HXWckSc1vT4AZYf9kZPEPWHGJHk8aK/V95jY
+ooChrKsMiKw3a2QtXLAo74QjfDUse5GIbGnU5amq4x4
+-> ssh-ed25519 BAs8QA grbmk79K2OHLeRTNsSuPkmrs043GcMzW/oMf7/c5Jgc
+TJkHc1z3BpeI56xvYRivlLXhKlwmk0N83Pvv6GkY93g
+-> ssh-ed25519 ofQnlg nd11vactc/RTWY1tn11/kUEUEKnR+ukVMJHPH4HFpXc
+qH2g8PywQ652yWIRQdtItcXctyH4DmssJXWLXFdmQ0Q
+-> ssh-ed25519 COspvA 2yPT7BROYippOA/3X6N6AHFR4UXPStP3ru7mDAyyLkQ
+RpxOwYEOMnxxgKbra6iFpNzDTKkqeUiSA1rS59HzIh8
+-> ssh-ed25519 2XrTgw r5FdURbodhFBW0R23xVZyKlTFeDNJdhywYd9JKsJWAw
+XEiBPmT9o8CreZMyZBRnJqofFeb41L7i2gQuHi4mZYM
+-> ssh-ed25519 awJeHA NZsGoEXgw3Bd3hV0F3QxGF5E3DrvtH/vdLiGWPnqD0M
+iS5GPLDMthTLXcQQvaYqdfn1Ad8rZFAOkLHC1FUSRDw
+-> ssh-ed25519 S1E+mw T2efFAUeRiw+0nNiisNV8vmREtmMc0I11gLu/BhW320
+o39//l1VAU2rumRTw/H7a3mR6BooeC6PKwAvIVIDFX0
+-> ssh-ed25519 i+ecmQ OwOx6QjNCrjtMPJZHQ+AKBnJ1q7VICRRGFknOXH38Ss
+AHccP13joz8TPa3RlbU5vBbKnW2w6QEVKhDk6KJUooM
+--- LlMd7GEC/5yZCCypJFV+RfqqxVDhOxxHW6ZSBuV6/Zc
+NUùœÔo¤vZXÅ À¾0¡²JõÂ{bxt…‡°2U
+¬zàå0<C3A5>ìi}ÚÙ¼7„<f<>ÓÞF$Î !YŠÂJ

secrets/woodpecker-gitea-secret.age

@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-ed25519 Jpc21A uEHtXoqInG0yc2UU09lDAmdaeWBlv6BfgP9ZC6bk/wE
+DLlXPhpRkBB5ir2Euh6bkxblAlyqA3CFNv5UFJXrPkM
+-> ssh-ed25519 BAs8QA yAbCqNKzzu02vjKqYVl46NRfc1u6w03wdv/uYImmBSA
+0+Le8eWSWkF9aSdhk7mpFN+D87kUaBRwbjO4uS+Zz1k
+-> ssh-ed25519 ofQnlg cpdWhJg6pB09hL/x59WgAblk8JShLMrbVRGAGDnoXUo
+pBnnIq989tqbMVnsqyrzFiYsMIwZzi1cg2N86KqRXt4
+-> ssh-ed25519 COspvA A7PWv0kGnmPDtLtKpNSy040AmqphAVaKjaimHbwR2S0
+vG1lSVE3Q2dMfKik50MRhIE29opMVqXUOBjcCWQH/Ck
+-> ssh-ed25519 2XrTgw bwxzUgEXNCPiW8lxOhqUofilGlq+3U05OfO92Y5Zun0
+P6TGcQUHOdYR7G6dojakBGFkFOP7FVnwmZXY7B+sn3w
+-> ssh-ed25519 awJeHA 7rlWcUOwiMFy0gjUQqxSoAWSFkghQG92mo9VUa++PRs
+UPvki4hox5mNrIhE6KQQo5WlVl+8XL4hgVUwE9es3mg
+-> ssh-ed25519 S1E+mw yVifWiLDiFZfjljd5AZmD+rpxMzxVwUGa4Cg9qrIgTk
+M7Nk1Q+bX54RJysTm5uuaxNcf+OI5LaxkeaF4MsNXXk
+-> ssh-ed25519 i+ecmQ K/c0kqipp5Fl4BzMi0G6Fe8ItSvhGLMHQLQZ7kETZ0o
+oHzo/sWjA5aR07dAK6jAz43HEjCDAjCRY5n2zDe7UE8
+--- GEvB7FWwJeWa6i4J/pGvooeAhT2mgWovOViKoMLuSbw
+ã÷â<14>‡¶ÈØŒóÀȃ’…að®Á,§‚üÞýÀp­CY ¬‘3è#(â,ÝžÏ

<0A>?$%‚lÁ6”"ÅYµhý…üÉW…ÌϤmCß‚VZsªž]FÝ<46>õ