make substituters trusted

Signed-off-by: Kiara Grouwstra <kiara@procolix.eu>
use branches that include license
2025-10-30 20:26:30 +01:00 · 2025-08-21 10:14:32 +02:00 · 2025-08-15 13:22:20 +02:00 · 2025-08-13 12:57:01 +02:00 · 2025-08-13 12:57:01 +02:00 · 2025-08-13 12:57:01 +02:00
84 changed files with 1513 additions and 722 deletions
--- a/.forgejo/workflows/cache.yaml
+++ b/.forgejo/workflows/cache.yaml
@ -0,0 +1,25 @@
+name: cache-build
+
+on:
+  workflow_dispatch: # allows manual triggering
+  push:
+    branches:
+      # - main
+
+jobs:
+  deploy:
+    runs-on: native
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Cache
+        run: |
+          nix-shell --run "attic login fediversity https://attic.fediversity.net '${{ secrets.ATTIC_PUSH_KEY }}' && attic use demo"
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          cat ~/.config/attic/config.toml
+          cat ~/.config/nix/nix.conf
+          nix-shell --run "attic push demo $(nix-build)"
--- a/.forgejo/workflows/cd.yaml
+++ b/.forgejo/workflows/cd.yaml
@ -0,0 +1,24 @@
+name: deploy-infra
+
+on:
+  workflow_dispatch: # allows manual triggering
+  push:
+    branches:
+      - main
+
+jobs:
+  deploy:
+    runs-on: native
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up SSH key for age secrets and SSH
+        run: |
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+      - name: Deploy
+        run: nix-shell --run 'eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519 && SHELL=$(which bash) nixops4 apply -v default'
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@ -21,17 +21,36 @@ jobs:
      - uses: actions/checkout@v4
      - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'

+      - name: Cache
+        run: |
+          nix-shell --run "attic login fediversity https://attic.fediversity.net '${{ secrets.ATTIC_PUSH_KEY }}' && attic use demo"
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          cat ~/.config/attic/config.toml
+          cat ~/.config/nix/nix.conf
+          echo "RUNNER_DEBUG: ${{ secrets.RUNNER_DEBUG }}"
+          echo "GIT_TRACE: ${{ secrets.GIT_TRACE }}"
+          nix-shell --run "attic push demo $(nix-build)"
+
+  check-mastodon:
+    runs-on: native
+    steps:
+      - uses: actions/checkout@v4
+      - run: nix build .#checks.x86_64-linux.test-mastodon-service -L
+
  check-peertube:
    runs-on: native
    steps:
      - uses: actions/checkout@v4
-      - run: nix-build services -A tests.peertube
+      - run: nix build .#checks.x86_64-linux.test-peertube-service -L

  check-panel:
    runs-on: native
    steps:
      - uses: actions/checkout@v4
-      - run: nix-build panel -A tests
+      - run: nix-build -A tests.panel

  check-deployment-basic:
    runs-on: native
@ -50,3 +69,29 @@ jobs:
    steps:
      - uses: actions/checkout@v4
      - run: nix build .#checks.x86_64-linux.deployment-panel -L
+
+  ## NOTE: NixOps4 does not provide a good “dry run” mode, so we instead check
+  ## proxies for resources, namely whether their `.#vmOptions.<machine>` and
+  ## `.#nixosConfigurations.<machine>` outputs evaluate and build correctly, and
+  ## whether we can dry run `infra/proxmox-*.sh` on them. This will not catch
+  ## everything, and in particular not issues in how NixOps4 wires up the
+  ## resources, but that is still something.
+  check-resources:
+    runs-on: native
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          set -euC
+          echo ==================== [ VM Options ] ====================
+          machines=$(nix eval --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).vmOptions)')
+          for machine in $machines; do
+            echo ~~~~~~~~~~~~~~~~~~~~~: $machine :~~~~~~~~~~~~~~~~~~~~~
+            nix build .#checks.x86_64-linux.vmOptions-$machine
+          done
+          echo
+          echo ==================== [ NixOS Configurations ] ====================
+          machines=$(nix eval --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).nixosConfigurations)')
+          for machine in $machines; do
+            echo ~~~~~~~~~~~~~~~~~~~~~: $machine :~~~~~~~~~~~~~~~~~~~~~
+            nix build .#checks.x86_64-linux.nixosConfigurations-$machine
+          done
--- a/.forgejo/workflows/update.yaml
+++ b/.forgejo/workflows/update.yaml
@ -13,10 +13,11 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Update pins
-        run: nix-shell --run "npins update"
+        run: nix-shell --run "npins --verbose update"
      - name: Create PR
-        uses: peter-evans/create-pull-request@v7
+        uses: https://github.com/KiaraGrouwstra/gitea-create-pull-request@f9f80aa5134bc5c03c38f5aaa95053492885b397
        with:
+          remote-instance-api-version: v1
          token: "${{ secrets.DEPLOY_KEY }}"
          branch: npins-update
          commit-message: "npins: update sources"
--- a/default.nix
+++ b/default.nix
@ -12,6 +12,7 @@ let
  inherit (pkgs) lib;
  inherit (import sources.flake-inputs) import-flake;
  inherit ((import-flake { src = ./.; }).inputs) nixops4;
+  panel = import ./panel { inherit sources system; };
  pre-commit-check =
    (import "${git-hooks}/nix" {
      inherit nixpkgs system;
@ -64,6 +65,7 @@ in
        pkgs.httpie
        pkgs.jq
        pkgs.nix-unit
+        pkgs.attic-client
        test-loop
        nixops4.packages.${system}.default
      ];
@ -71,6 +73,7 @@ in

  tests = {
    inherit pre-commit-check;
+    panel = panel.tests;
  };

  # re-export inputs so they can be overridden granularly
--- a/deployment/check/basic/constants.nix
+++ b/deployment/check/basic/constants.nix
@ -0,0 +1,8 @@
+{
+  targetMachines = [
+    "hello"
+    "cowsay"
+  ];
+  pathToRoot = ../../..;
+  pathFromRoot = ./.;
+}
--- a/deployment/check/basic/default.nix
+++ b/deployment/check/basic/default.nix
@ -0,0 +1,14 @@
+{
+  runNixOSTest,
+  inputs,
+  sources,
+}:
+
+runNixOSTest {
+  imports = [
+    ../common/nixosTest.nix
+    ./nixosTest.nix
+  ];
+  _module.args = { inherit inputs sources; };
+  inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
+}
--- a/deployment/check/basic/deployment.nix
+++ b/deployment/check/basic/deployment.nix
@ -0,0 +1,36 @@
+{
+  inputs,
+  sources,
+  lib,
+  providers,
+  ...
+}:
+
+let
+  inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
+in
+
+{
+  providers = {
+    inherit (inputs.nixops4.modules.nixops4Provider) local;
+  };
+
+  resources = lib.genAttrs targetMachines (nodeName: {
+    type = providers.local.exec;
+
+    imports = [
+      inputs.nixops4-nixos.modules.nixops4Resource.nixos
+      ../common/targetResource.nix
+    ];
+
+    _module.args = { inherit inputs sources; };
+
+    inherit nodeName pathToRoot pathFromRoot;
+
+    nixos.module =
+      { pkgs, ... }:
+      {
+        environment.systemPackages = [ pkgs.${nodeName} ];
+      };
+  });
+}
--- a/deployment/check/basic/flake-part.nix
+++ b/deployment/check/basic/flake-part.nix
@ -1,57 +0,0 @@
-{
-  self,
-  inputs,
-  lib,
-  sources,
-  ...
-}:
-
-let
-  inherit (lib) genAttrs;
-
-  targetMachines = [
-    "hello"
-    "cowsay"
-  ];
-  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
-  pathFromRoot = ./.;
-
-in
-{
-  _class = "flake";
-
-  perSystem =
-    { pkgs, ... }:
-    {
-      checks.deployment-basic = pkgs.testers.runNixOSTest {
-        imports = [
-          ../common/nixosTest.nix
-          ./nixosTest.nix
-        ];
-        _module.args = { inherit inputs sources; };
-        inherit targetMachines pathToRoot pathFromRoot;
-      };
-    };
-
-  nixops4Deployments.check-deployment-basic =
-    { providers, ... }:
-    {
-      providers = {
-        inherit (inputs.nixops4.modules.nixops4Provider) local;
-      };
-      resources = genAttrs targetMachines (nodeName: {
-        type = providers.local.exec;
-        imports = [
-          inputs.nixops4-nixos.modules.nixops4Resource.nixos
-          ../common/targetResource.nix
-        ];
-        _module.args = { inherit inputs sources; };
-        inherit nodeName pathToRoot pathFromRoot;
-        nixos.module =
-          { pkgs, ... }:
-          {
-            environment.systemPackages = [ pkgs.${nodeName} ];
-          };
-      });
-    };
-}
--- a/deployment/check/basic/flake-under-test.nix
+++ b/deployment/check/basic/flake-under-test.nix
@ -0,0 +1,22 @@
+{
+  inputs = {
+    nixops4.follows = "nixops4-nixos/nixops4";
+    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
+  };
+
+  outputs =
+    inputs:
+    import ./mkFlake.nix inputs (
+      { inputs, sources, ... }:
+      {
+        imports = [
+          inputs.nixops4.modules.flake.default
+        ];
+
+        nixops4Deployments.check-deployment-basic = {
+          imports = [ ./deployment/check/basic/deployment.nix ];
+          _module.args = { inherit inputs sources; };
+        };
+      }
+    );
+}
--- a/deployment/check/basic/nixosTest.nix
+++ b/deployment/check/basic/nixosTest.nix
@ -1,10 +1,15 @@
-{ inputs, ... }:
+{ inputs, lib, ... }:

 {
  _class = "nixosTest";

  name = "deployment-basic";

+  sourceFileset = lib.fileset.unions [
+    ./constants.nix
+    ./deployment.nix
+  ];
+
  nodes.deployer =
    { pkgs, ... }:
    {
--- a/deployment/check/cli/constants.nix
+++ b/deployment/check/cli/constants.nix
@ -0,0 +1,12 @@
+{
+  targetMachines = [
+    "garage"
+    "mastodon"
+    "peertube"
+    "pixelfed"
+    "attic"
+  ];
+  pathToRoot = ../../..;
+  pathFromRoot = ./.;
+  enableAcme = true;
+}
--- a/deployment/check/cli/default.nix
+++ b/deployment/check/cli/default.nix
@ -0,0 +1,19 @@
+{
+  runNixOSTest,
+  inputs,
+  sources,
+}:
+
+runNixOSTest {
+  imports = [
+    ../common/nixosTest.nix
+    ./nixosTest.nix
+  ];
+  _module.args = { inherit inputs sources; };
+  inherit (import ./constants.nix)
+    targetMachines
+    pathToRoot
+    pathFromRoot
+    enableAcme
+    ;
+}
--- a/deployment/check/cli/deployments.nix
+++ b/deployment/check/cli/deployments.nix
@ -0,0 +1,59 @@
+{
+  inputs,
+  sources,
+  lib,
+}:
+
+let
+  inherit (builtins) fromJSON readFile listToAttrs;
+  inherit (import ./constants.nix)
+    targetMachines
+    pathToRoot
+    pathFromRoot
+    enableAcme
+    ;
+
+  makeTargetResource = nodeName: {
+    imports = [ ../common/targetResource.nix ];
+    _module.args = { inherit inputs sources; };
+    inherit
+      nodeName
+      pathToRoot
+      pathFromRoot
+      enableAcme
+      ;
+  };
+
+  ## The deployment function - what we are here to test!
+  ##
+  ## TODO: Modularise `deployment/default.nix` to get rid of the nested
+  ## function calls.
+  makeTestDeployment =
+    args:
+    (import ../..)
+      {
+        inherit lib;
+        inherit (inputs) nixops4 nixops4-nixos;
+        fediversity = import ../../../services/fediversity;
+      }
+      (listToAttrs (
+        map (nodeName: {
+          name = "${nodeName}ConfigurationResource";
+          value = makeTargetResource nodeName;
+        }) targetMachines
+      ))
+      (fromJSON (readFile ../../configuration.sample.json) // args);
+
+in
+{
+  check-deployment-cli-nothing = makeTestDeployment { };
+
+  check-deployment-cli-mastodon-pixelfed = makeTestDeployment {
+    mastodon.enable = true;
+    pixelfed.enable = true;
+  };
+
+  check-deployment-cli-peertube = makeTestDeployment {
+    peertube.enable = true;
+  };
+}
--- a/deployment/check/cli/flake-part.nix
+++ b/deployment/check/cli/flake-part.nix
@ -1,90 +0,0 @@
-{
-  self,
-  inputs,
-  lib,
-  sources,
-  ...
-}:
-
-let
-  inherit (builtins) fromJSON readFile listToAttrs;
-
-  targetMachines = [
-    "garage"
-    "mastodon"
-    "peertube"
-    "pixelfed"
-  ];
-  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
-  pathFromRoot = ./.;
-  enableAcme = true;
-
-in
-{
-  _class = "flake";
-
-  perSystem =
-    { pkgs, ... }:
-    {
-      checks.deployment-cli = pkgs.testers.runNixOSTest {
-        imports = [
-          ../common/nixosTest.nix
-          ./nixosTest.nix
-        ];
-        _module.args = { inherit inputs sources; };
-        inherit
-          targetMachines
-          pathToRoot
-          pathFromRoot
-          enableAcme
-          ;
-      };
-    };
-
-  nixops4Deployments =
-    let
-      makeTargetResource = nodeName: {
-        imports = [ ../common/targetResource.nix ];
-        _module.args = { inherit inputs sources; };
-        inherit
-          nodeName
-          pathToRoot
-          pathFromRoot
-          enableAcme
-          ;
-      };
-
-      ## The deployment function - what we are here to test!
-      ##
-      ## TODO: Modularise `deployment/default.nix` to get rid of the nested
-      ## function calls.
-      makeTestDeployment =
-        args:
-        (import ../..)
-          {
-            inherit lib;
-            inherit (inputs) nixops4 nixops4-nixos;
-            fediversity = import ../../../services/fediversity;
-          }
-          (listToAttrs (
-            map (nodeName: {
-              name = "${nodeName}ConfigurationResource";
-              value = makeTargetResource nodeName;
-            }) targetMachines
-          ))
-          (fromJSON (readFile ../../configuration.sample.json) // args);
-
-    in
-    {
-      check-deployment-cli-nothing = makeTestDeployment { };
-
-      check-deployment-cli-mastodon-pixelfed = makeTestDeployment {
-        mastodon.enable = true;
-        pixelfed.enable = true;
-      };
-
-      check-deployment-cli-peertube = makeTestDeployment {
-        peertube.enable = true;
-      };
-    };
-}
--- a/deployment/check/cli/flake-under-test.nix
+++ b/deployment/check/cli/flake-under-test.nix
@ -0,0 +1,26 @@
+{
+  inputs = {
+    nixops4.follows = "nixops4-nixos/nixops4";
+    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
+  };
+
+  outputs =
+    inputs:
+    import ./mkFlake.nix inputs (
+      {
+        inputs,
+        sources,
+        lib,
+        ...
+      }:
+      {
+        imports = [
+          inputs.nixops4.modules.flake.default
+        ];
+
+        nixops4Deployments = import ./deployment/check/cli/deployments.nix {
+          inherit inputs sources lib;
+        };
+      }
+    );
+}
--- a/deployment/check/cli/nixosTest.nix
+++ b/deployment/check/cli/nixosTest.nix
@ -1,4 +1,9 @@
-{ inputs, hostPkgs, ... }:
+{
+  inputs,
+  hostPkgs,
+  lib,
+  ...
+}:

 let
  ## Some places need a dummy file that will in fact never be used. We create
@ -11,6 +16,21 @@ in

  name = "deployment-cli";

+  sourceFileset = lib.fileset.unions [
+    ./constants.nix
+    ./deployments.nix
+
+    # REVIEW: I would like to be able to grab all of `/deployment` minus
+    # `/deployment/check`, but I can't because there is a bunch of other files
+    # in `/deployment`. Maybe we can think of a reorg making things more robust
+    # here? (comment also in panel test)
+    ../../default.nix
+    ../../options.nix
+    ../../configuration.sample.json
+
+    ../../../services/fediversity
+  ];
+
  nodes.deployer =
    { pkgs, ... }:
    {
@ -25,6 +45,8 @@ in
        peertube.inputDerivation
        gixy
        gixy.inputDerivation
+        shellcheck
+        shellcheck.inputDerivation
      ];

      system.extraDependenciesFromModule = {
@ -48,6 +70,11 @@ in
            s3AccessKeyFile = dummyFile;
            s3SecretKeyFile = dummyFile;
          };
+          attic = {
+            enable = true;
+            s3AccessKeyFile = dummyFile;
+            s3SecretKeyFile = dummyFile;
+          };
          temp.cores = 1;
          temp.initialUser = {
            username = "dummy";
@ -72,6 +99,7 @@ in
  nodes.mastodon.virtualisation.memorySize = 4 * 1024;
  nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
  nodes.peertube.virtualisation.memorySize = 5 * 1024;
+  nodes.attic.virtualisation.memorySize = 2 * 1024;

  ## FIXME: The test of presence of the services are very simple: we only
  ## check that there is a systemd service of the expected name on the
@ -86,6 +114,7 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with no services enabled"):
      deployer.succeed("nixops4 apply check-deployment-cli-nothing --show-trace --no-interactive 1>&2")
@ -95,6 +124,7 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with Mastodon and Pixelfed enabled"):
      deployer.succeed("nixops4 apply check-deployment-cli-mastodon-pixelfed --show-trace --no-interactive 1>&2")
@ -104,6 +134,7 @@ in
      mastodon.succeed("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.succeed("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with only Peertube enabled"):
      deployer.succeed("nixops4 apply check-deployment-cli-peertube --show-trace --no-interactive 1>&2")
@ -113,5 +144,6 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.succeed("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
  '';
 }
--- a/deployment/check/common/deployerNode.nix
+++ b/deployment/check/common/deployerNode.nix
@ -40,7 +40,7 @@ in
      ## default. These values have been trimmed down to the gigabyte.
      ## Memory use is expected to be dominated by the NixOS evaluation,
      ## which happens on the deployer.
-      memorySize = 4 * 1024;
+      memorySize = 5 * 1024;
      diskSize = 4 * 1024;
      cores = 2;
    };
@ -54,13 +54,16 @@ in

    system.extraDependencies =
      [
-        "${inputs.flake-parts}"
-        "${inputs.flake-parts.inputs.nixpkgs-lib}"
-        "${inputs.nixops4}"
-        "${inputs.nixops4-nixos}"
-        "${inputs.nixpkgs}"
+        inputs.nixops4
+        inputs.nixops4-nixos
+        inputs.nixpkgs

-        "${sources.flake-inputs}"
+        sources.flake-parts
+        sources.nixpkgs
+        sources.flake-inputs
+        sources.git-hooks
+        sources.vars
+        sources.nix-templating

        pkgs.stdenv
        pkgs.stdenvNoCC
--- a/deployment/check/common/nixosTest.nix
+++ b/deployment/check/common/nixosTest.nix
@ -13,6 +13,7 @@ let
    toJSON
    ;
  inherit (lib)
+    types
    fileset
    mkOption
    genAttrs
@ -27,14 +28,6 @@ let

  forConcat = xs: f: concatStringsSep "\n" (map f xs);

-  ## The whole repository, with the flake at its root.
-  ## FIXME: We could probably have fileset be the union of ./. with flake.nix
-  ## and flake.lock - I doubt we need anything else.
-  src = fileset.toSource {
-    fileset = config.pathToRoot;
-    root = config.pathToRoot;
-  };
-
  ## We will need to override some inputs by the empty flake, so we make one.
  emptyFlake = runCommandNoCC "empty-flake" { } ''
    mkdir $out
@ -53,9 +46,40 @@ in
    ## FIXME: I wish I could just use `testScript` but with something like
    ## `mkOrder` to put this module's string before something else.
    extraTestScript = mkOption { };
+
+    sourceFileset = mkOption {
+      ## FIXME: grab `lib.types.fileset` from NixOS, once upstreaming PR
+      ## https://github.com/NixOS/nixpkgs/pull/428293 lands.
+      type = types.mkOptionType {
+        name = "fileset";
+        description = "fileset";
+        descriptionClass = "noun";
+        check = (x: (builtins.tryEval (fileset.unions [ x ])).success);
+        merge = (_: defs: fileset.unions (map (x: x.value) defs));
+      };
+      description = ''
+        A fileset that will be copied to the deployer node in the current
+        working directory. This should contain all the files that are
+        necessary to run that particular test, such as the NixOS
+        modules necessary to evaluate a deployment.
+      '';
+    };
  };

  config = {
+    sourceFileset = fileset.unions [
+      # NOTE: not the flake itself; it will be overridden.
+      ../../../mkFlake.nix
+      ../../../flake.lock
+      ../../../npins
+
+      ./sharedOptions.nix
+      ./targetNode.nix
+      ./targetResource.nix
+
+      (config.pathToCwd + "/flake-under-test.nix")
+    ];
+
    acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;

    nodes =
@ -103,8 +127,16 @@ in
        ${n}.wait_for_unit("multi-user.target")
      '')}

+      ## A subset of the repository that is necessary for this test. It will be
+      ## copied inside the test. The smaller this set, the faster our CI, because we
+      ## won't need to re-run when things change outside of it.
      with subtest("Unpacking"):
-        deployer.succeed("cp -r --no-preserve=mode ${src}/* .")
+        deployer.succeed("cp -r --no-preserve=mode ${
+          fileset.toSource {
+            root = ../../..;
+            fileset = config.sourceFileset;
+          }
+        }/* .")

      with subtest("Configure the network"):
        ${forConcat config.targetMachines (
@ -134,11 +166,16 @@ in

      ## NOTE: This is super slow. It could probably be optimised in Nix, for
      ## instance by allowing to grab things directly from the host's store.
-      with subtest("Override the lock"):
+      ##
+      ## NOTE: We use the repository as-is (cf `src` above), overriding only
+      ## `flake.nix` by our `flake-under-test.nix`. We also override the flake
+      ## lock file to use locally available inputs, as we cannot download them.
+      ##
+      with subtest("Override the flake and its lock"):
+        deployer.succeed("cp ${config.pathFromRoot}/flake-under-test.nix flake.nix")
        deployer.succeed("""
          nix flake lock --extra-experimental-features 'flakes nix-command' \
            --offline -v \
-            --override-input flake-parts ${inputs.flake-parts} \
            --override-input nixops4 ${inputs.nixops4.packages.${system}.flake-in-a-bottle} \
            \
            --override-input nixops4-nixos ${inputs.nixops4-nixos} \
@ -150,9 +187,6 @@ in
              inputs.nixops4-nixos.inputs.nixops4.packages.${system}.flake-in-a-bottle
            } \
            --override-input nixops4-nixos/git-hooks-nix ${emptyFlake} \
-            \
-            --override-input nixpkgs ${inputs.nixpkgs} \
-            --override-input git-hooks ${inputs.git-hooks} \
            ;
        """)

--- a/deployment/check/panel/constants.nix
+++ b/deployment/check/panel/constants.nix
@ -0,0 +1,12 @@
+{
+  targetMachines = [
+    "garage"
+    "mastodon"
+    "peertube"
+    "pixelfed"
+    "attic"
+  ];
+  pathToRoot = ../../..;
+  pathFromRoot = ./.;
+  enableAcme = true;
+}
--- a/deployment/check/panel/default.nix
+++ b/deployment/check/panel/default.nix
@ -0,0 +1,19 @@
+{
+  runNixOSTest,
+  inputs,
+  sources,
+}:
+
+runNixOSTest {
+  imports = [
+    ../common/nixosTest.nix
+    ./nixosTest.nix
+  ];
+  _module.args = { inherit inputs sources; };
+  inherit (import ./constants.nix)
+    targetMachines
+    pathToRoot
+    pathFromRoot
+    enableAcme
+    ;
+}
--- a/deployment/check/panel/deployment.nix
+++ b/deployment/check/panel/deployment.nix
@ -0,0 +1,58 @@
+{
+  inputs,
+  sources,
+  lib,
+}:
+
+let
+  inherit (builtins) fromJSON listToAttrs;
+  inherit (import ./constants.nix)
+    targetMachines
+    pathToRoot
+    pathFromRoot
+    enableAcme
+    ;
+
+  makeTargetResource = nodeName: {
+    imports = [ ../common/targetResource.nix ];
+    _module.args = { inherit inputs sources; };
+    inherit
+      nodeName
+      pathToRoot
+      pathFromRoot
+      enableAcme
+      ;
+  };
+
+  ## The deployment function - what we are here to test!
+  ##
+  ## TODO: Modularise `deployment/default.nix` to get rid of the nested
+  ## function calls.
+  makeTestDeployment =
+    args:
+    (import ../..)
+      {
+        inherit lib;
+        inherit (inputs) nixops4 nixops4-nixos;
+        fediversity = import ../../../services/fediversity;
+      }
+      (listToAttrs (
+        map (nodeName: {
+          name = "${nodeName}ConfigurationResource";
+          value = makeTargetResource nodeName;
+        }) targetMachines
+      ))
+      args;
+
+in
+makeTestDeployment (
+  fromJSON (
+    let
+      env = builtins.getEnv "DEPLOYMENT";
+    in
+    if env == "" then
+      throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
+    else
+      env
+  )
+)
--- a/deployment/check/panel/flake-part.nix
+++ b/deployment/check/panel/flake-part.nix
@ -1,94 +0,0 @@
-{
-  self,
-  inputs,
-  lib,
-  sources,
-  ...
-}:
-
-let
-  inherit (builtins)
-    fromJSON
-    listToAttrs
-    ;
-
-  targetMachines = [
-    "garage"
-    "mastodon"
-    "peertube"
-    "pixelfed"
-  ];
-  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
-  pathFromRoot = ./.;
-  enableAcme = true;
-
-in
-{
-  _class = "flake";
-
-  perSystem =
-    { pkgs, ... }:
-    {
-      checks.deployment-panel = pkgs.testers.runNixOSTest {
-        imports = [
-          ../common/nixosTest.nix
-          ./nixosTest.nix
-        ];
-        _module.args = { inherit inputs sources; };
-        inherit
-          targetMachines
-          pathToRoot
-          pathFromRoot
-          enableAcme
-          ;
-      };
-    };
-
-  nixops4Deployments =
-    let
-      makeTargetResource = nodeName: {
-        imports = [ ../common/targetResource.nix ];
-        _module.args = { inherit inputs sources; };
-        inherit
-          nodeName
-          pathToRoot
-          pathFromRoot
-          enableAcme
-          ;
-      };
-
-      ## The deployment function - what we are here to test!
-      ##
-      ## TODO: Modularise `deployment/default.nix` to get rid of the nested
-      ## function calls.
-      makeTestDeployment =
-        args:
-        (import ../..)
-          {
-            inherit lib;
-            inherit (inputs) nixops4 nixops4-nixos;
-            fediversity = import ../../../services/fediversity;
-          }
-          (listToAttrs (
-            map (nodeName: {
-              name = "${nodeName}ConfigurationResource";
-              value = makeTargetResource nodeName;
-            }) targetMachines
-          ))
-          args;
-
-    in
-    {
-      check-deployment-panel = makeTestDeployment (
-        fromJSON (
-          let
-            env = builtins.getEnv "DEPLOYMENT";
-          in
-          if env == "" then
-            throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
-          else
-            env
-        )
-      );
-    };
-}
--- a/deployment/check/panel/flake-under-test.nix
+++ b/deployment/check/panel/flake-under-test.nix
@ -0,0 +1,26 @@
+{
+  inputs = {
+    nixops4.follows = "nixops4-nixos/nixops4";
+    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
+  };
+
+  outputs =
+    inputs:
+    import ./mkFlake.nix inputs (
+      {
+        inputs,
+        sources,
+        lib,
+        ...
+      }:
+      {
+        imports = [
+          inputs.nixops4.modules.flake.default
+        ];
+
+        nixops4Deployments.check-deployment-panel = import ./deployment/check/panel/deployment.nix {
+          inherit inputs sources lib;
+        };
+      }
+    );
+}
--- a/deployment/check/panel/nixosTest.nix
+++ b/deployment/check/panel/nixosTest.nix
@ -33,6 +33,7 @@ let
      enableMastodon,
      enablePeertube,
      enablePixelfed,
+      enableAttic,
    }:
    hostPkgs.writers.writePython3Bin "interact-with-panel"
      {
@ -94,6 +95,7 @@ let
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'mastodon.enable']"), ${toPythonBool enableMastodon})
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'peertube.enable']"), ${toPythonBool enablePeertube})
        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'pixelfed.enable']"), ${toPythonBool enablePixelfed})
+        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'attic.enable']"), ${toPythonBool enableAttic})

        print("Start deployment...")
        driver.find_element(By.XPATH, "//button[@id = 'deploy-button']").click()
@ -125,6 +127,20 @@ in

  name = "deployment-panel";

+  sourceFileset = lib.fileset.unions [
+    ./constants.nix
+    ./deployment.nix
+
+    # REVIEW: I would like to be able to grab all of `/deployment` minus
+    # `/deployment/check`, but I can't because there is a bunch of other files
+    # in `/deployment`. Maybe we can think of a reorg making things more robust
+    # here? (comment also in CLI test)
+    ../../default.nix
+    ../../options.nix
+
+    ../../../services/fediversity
+  ];
+
  ## The panel's module sets `nixpkgs.overlays` which clashes with
  ## `pkgsReadOnly`. We disable it here.
  node.pkgsReadOnly = false;
@ -194,6 +210,11 @@ in
            s3AccessKeyFile = dummyFile;
            s3SecretKeyFile = dummyFile;
          };
+          attic = {
+            enable = true;
+            s3AccessKeyFile = dummyFile;
+            s3SecretKeyFile = dummyFile;
+          };
          temp.cores = 1;
          temp.initialUser = {
            username = "dummy";
@ -239,6 +260,7 @@ in
  nodes.mastodon.virtualisation.memorySize = 4 * 1024;
  nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
  nodes.peertube.virtualisation.memorySize = 5 * 1024;
+  nodes.attic.virtualisation.memorySize = 4 * 1024;

  ## FIXME: The test of presence of the services are very simple: we only
  ## check that there is a systemd service of the expected name on the
@ -311,6 +333,7 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with no services enabled"):
      client.succeed("${
@ -319,6 +342,7 @@ in
          enableMastodon = false;
          enablePeertube = false;
          enablePixelfed = false;
+          enableAttic = false;
        }
      }/bin/interact-with-panel >&2")

@ -327,6 +351,7 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with Mastodon and Pixelfed enabled"):
      client.succeed("${
@ -335,6 +360,7 @@ in
          enableMastodon = true;
          enablePeertube = false;
          enablePixelfed = true;
+          enableAttic = false;
        }
      }/bin/interact-with-panel >&2")

@ -343,6 +369,7 @@ in
      mastodon.succeed("systemctl status mastodon-web.service")
      peertube.fail("systemctl status peertube.service")
      pixelfed.succeed("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")

    with subtest("Run deployment with only Peertube enabled"):
      client.succeed("${
@ -351,6 +378,7 @@ in
          enableMastodon = false;
          enablePeertube = true;
          enablePixelfed = false;
+          enableAttic = false;
        }
      }/bin/interact-with-panel >&2")

@ -359,5 +387,6 @@ in
      mastodon.fail("systemctl status mastodon-web.service")
      peertube.succeed("systemctl status peertube.service")
      pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
  '';
 }
--- a/deployment/configuration.sample.json
+++ b/deployment/configuration.sample.json
@ -3,6 +3,7 @@
  "mastodon": { "enable": false },
  "peertube": { "enable": false },
  "pixelfed": { "enable": false },
+  "attic": { "enable": false },
  "initialUser": {
    "displayName": "Testy McTestface",
    "username": "test",
--- a/deployment/data-model-test.nix
+++ b/deployment/data-model-test.nix
@ -1,9 +1,13 @@
 let
-  inherit (import ../default.nix { }) pkgs;
+  inherit (import ../default.nix { }) pkgs inputs;
  inherit (pkgs) lib;
+  inherit (lib) mkOption;
  eval =
    module:
    (lib.evalModules {
+      specialArgs = {
+        inherit inputs;
+      };
      modules = [
        module
        ./data-model.nix
@ -16,32 +20,51 @@ in
  test-eval = {
    expr =
      let
-        example = eval {
-          runtime-environments.bar.nixos = {
+        fediversity = eval (
+          { config, ... }:
+          {
+            config = {
+              applications.hello =
+                { ... }:
+                {
+                  description = ''Command-line tool that will print "Hello, world!" on the terminal'';
                  module =
                    { ... }:
                    {
-                system.stateVersion = "25.05";
+                      options = {
+                        enable = lib.mkEnableOption "Hello in the shell";
                      };
                    };
-          applications.foo = {
-            module =
-              { pkgs, ... }:
-              {
-                environment.systemPackages = [
-                  pkgs.hello
-                ];
+                  implementation =
+                    cfg:
+                    lib.optionalAttrs cfg.enable {
+                      dummy.login-shell.packages.hello = pkgs.hello;
                    };
                };
            };
+            options = {
+              example-configuration = mkOption {
+                type = config.configuration;
+                readOnly = true;
+                default = {
+                  enable = true;
+                  applications.hello.enable = true;
+                };
+              };
+            };
+          }
+        );
      in
      {
-        has-runtime = lib.isAttrs example.runtime-environments.bar.nixos.module;
-        has-application = lib.isAttrs example.applications.foo.module;
+        inherit (fediversity)
+          example-configuration
+          ;
      };
    expected = {
-      has-runtime = true;
-      has-application = true;
+      example-configuration = {
+        enable = true;
+        applications.hello.enable = true;
+      };
    };
  };
 }
--- a/deployment/data-model.nix
+++ b/deployment/data-model.nix
@ -1,45 +1,89 @@
 {
  lib,
+  config,
  ...
 }:
 let
-  inherit (lib) types mkOption;
+  inherit (lib) mkOption types;
+  inherit (lib.types)
+    attrsOf
+    attrTag
+    deferredModuleWith
+    submodule
+    optionType
+    functionTo
+    ;
+
+  functionType = import ./function.nix;
+  application-resources = {
+    options.resources = mkOption {
+      # TODO: maybe transpose, and group the resources by type instead
+      type = attrsOf (
+        attrTag (lib.mapAttrs (_name: resource: mkOption { type = resource.request; }) config.resources)
+      );
+    };
+  };
 in
-with types;
 {
  _class = "nixops4Deployment";

  options = {
-    runtime-environments = mkOption {
-      description = "Collection of runtime environments into which applications can be deployed";
-      type = attrsOf (attrTag {
-        nixos = mkOption {
-          description = "A single NixOS machine";
-          type = submodule {
-            options = {
-              module = mkOption {
-                description = "The NixOS module describing the base configuration for that machine";
-                type = deferredModule;
-              };
-            };
-          };
-        };
-      });
-    };
    applications = mkOption {
      description = "Collection of Fediversity applications";
-      type = attrsOf (submoduleWith {
-        modules = [
-          {
+      type = attrsOf (
+        submodule (application: {
+          _class = "fediversity-application";
          options = {
+            description = mkOption {
+              description = "Description to be shown in the application overview";
+              type = types.str;
+            };
            module = mkOption {
-                description = "The NixOS module for that application, for configuring that application";
-                type = deferredModule;
+              description = "Operator-facing configuration options for the application";
+              type = deferredModuleWith { staticModules = [ { _class = "fediversity-application-config"; } ]; };
+            };
+            implementation = mkOption {
+              description = "Mapping of application configuration to deployment resources, a description of what an application needs to run";
+              type = application.config.config-mapping.function-type;
+            };
+            resources = mkOption {
+              description = "Compute resources required by an application";
+              type = functionTo application.config.config-mapping.output-type;
+              readOnly = true;
+              default = input: (application.config.implementation input).output;
+            };
+            config-mapping = mkOption {
+              description = "Function type for the mapping from application configuration to required resources";
+              type = submodule functionType;
+              readOnly = true;
+              default = {
+                input-type = application.config.module;
+                output-type = application-resources;
              };
            };
+          };
+        })
+      );
+    };
+    configuration = mkOption {
+      description = "Configuration type declaring options to be set by operators";
+      type = optionType;
+      readOnly = true;
+      default = submodule {
+        options = {
+          enable = lib.mkEnableOption {
+            description = "your Fediversity configuration";
+          };
+          applications = lib.mapAttrs (
+            _name: application:
+            mkOption {
+              description = application.description;
+              type = submodule application.module;
+              default = { };
            }
-        ];
-      });
+          ) config.applications;
+        };
+      };
    };
  };
 }
--- a/deployment/default.nix
+++ b/deployment/default.nix
@ -24,6 +24,7 @@
  mastodonConfigurationResource,
  peertubeConfigurationResource,
  pixelfedConfigurationResource,
+  atticConfigurationResource,
 }:

 ## From the hosting provider's perspective, the function is meant to be
@ -55,6 +56,7 @@ let
    mastodon = nonNull panelConfigNullable.mastodon { enable = false; };
    peertube = nonNull panelConfigNullable.peertube { enable = false; };
    pixelfed = nonNull panelConfigNullable.pixelfed { enable = false; };
+    attic = nonNull panelConfigNullable.attic { enable = false; };
  };
 in

@ -107,6 +109,13 @@ in
            s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
            s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
          };
+        atticS3KeyConfig =
+          { pkgs, ... }:
+          {
+            # REVIEW: how were these generated above? how do i add one?
+            s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKaaaaaaaaaaaaaaaaaaaaaaaa";
+            s3SecretKeyFile = pkgs.writeText "s3SecretKey" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+          };

        makeConfigurationResource = resourceModule: config: {
          type = providers.local.exec;
@ -140,13 +149,14 @@ in
      {
        garage-configuration = makeConfigurationResource garageConfigurationResource (
          { pkgs, ... }:
-          mkIf (cfg.mastodon.enable || cfg.peertube.enable || cfg.pixelfed.enable) {
+          mkIf (cfg.mastodon.enable || cfg.peertube.enable || cfg.pixelfed.enable || cfg.attic.enable) {
            fediversity = {
              inherit (cfg) domain;
              garage.enable = true;
              pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
              mastodon = mastodonS3KeyConfig { inherit pkgs; };
              peertube = peertubeS3KeyConfig { inherit pkgs; };
+              attic = atticS3KeyConfig { inherit pkgs; };
            };
          }
        );
@ -213,6 +223,25 @@ in
            };
          }
        );
+
+        attic-configuration = makeConfigurationResource atticConfigurationResource (
+          { pkgs, ... }:
+          mkIf cfg.attic.enable {
+            fediversity = {
+              inherit (cfg) domain;
+              temp.initialUser = {
+                inherit (cfg.initialUser) username email displayName;
+                # FIXME: disgusting, but nvm, this is going to be replaced by
+                # proper central authentication at some point
+                passwordFile = pkgs.writeText "password" cfg.initialUser.password;
+              };
+
+              attic = atticS3KeyConfig { inherit pkgs; } // {
+                enable = true;
+              };
+            };
+          }
+        );
      };
  };
 }
--- a/deployment/flake-part.nix
+++ b/deployment/flake-part.nix
@ -1,9 +1,26 @@
+{ inputs, sources, ... }:
+
 {
  _class = "flake";

-  imports = [
-    ./check/basic/flake-part.nix
-    ./check/cli/flake-part.nix
-    ./check/panel/flake-part.nix
-  ];
+  perSystem =
+    { pkgs, ... }:
+    {
+      checks = {
+        deployment-basic = import ./check/basic {
+          inherit (pkgs.testers) runNixOSTest;
+          inherit inputs sources;
+        };
+
+        deployment-cli = import ./check/cli {
+          inherit (pkgs.testers) runNixOSTest;
+          inherit inputs sources;
+        };
+
+        deployment-panel = import ./check/panel {
+          inherit (pkgs.testers) runNixOSTest;
+          inherit inputs sources;
+        };
+      };
+    };
 }
--- a/deployment/function.nix
+++ b/deployment/function.nix
@ -0,0 +1,37 @@
+/**
+  Modular function type
+*/
+{ config, lib, ... }:
+let
+  inherit (lib) mkOption types;
+  inherit (types)
+    deferredModule
+    submodule
+    functionTo
+    optionType
+    ;
+in
+{
+  options = {
+    input-type = mkOption {
+      type = deferredModule;
+    };
+    output-type = mkOption {
+      type = deferredModule;
+    };
+    function-type = mkOption {
+      type = optionType;
+      readOnly = true;
+      default = functionTo (submodule {
+        options = {
+          input = mkOption {
+            type = submodule config.input-type;
+          };
+          output = mkOption {
+            type = submodule config.output-type;
+          };
+        };
+      });
+    };
+  };
+}
--- a/deployment/options.nix
+++ b/deployment/options.nix
@ -71,6 +71,19 @@ in
        });
      default = null;
    };
+    attic = mkOption {
+      description = ''
+        Configuration for the Attic service
+      '';
+      type =
+        with types;
+        nullOr (submodule {
+          options = {
+            enable = lib.mkEnableOption "Attic";
+          };
+        });
+      default = null;
+    };
    initialUser = mkOption {
      description = ''
        Some services require an initial user to access them.
--- a/flake.lock
+++ b/flake.lock
@ -59,22 +59,6 @@
      }
    },
    "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1733328505,
@ -90,7 +74,7 @@
        "type": "github"
      }
    },
-    "flake-compat_4": {
+    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@ -143,24 +127,6 @@
      }
    },
    "flake-parts_3": {
-      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib_3"
-      },
-      "locked": {
-        "lastModified": 1738453229,
-        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_4": {
      "inputs": {
        "nixpkgs-lib": [
          "nixops4-nixos",
@ -201,32 +167,12 @@
        "type": "github"
      }
    },
-    "git-hooks": {
+    "git-hooks-nix": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": "nixpkgs"
      },
-      "locked": {
-        "lastModified": 1742649964,
-        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "type": "github"
-      }
-    },
-    "git-hooks-nix": {
-      "inputs": {
-        "flake-compat": "flake-compat_2",
-        "gitignore": "gitignore_2",
-        "nixpkgs": "nixpkgs_2"
-      },
      "locked": {
        "lastModified": 1737465171,
        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
@ -281,27 +227,6 @@
      }
    },
    "gitignore": {
-      "inputs": {
-        "nixpkgs": [
-          "git-hooks",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
-    "gitignore_2": {
      "inputs": {
        "nixpkgs": [
          "nixops4-nixos",
@ -341,8 +266,8 @@
    },
    "nix": {
      "inputs": {
-        "flake-compat": "flake-compat_3",
-        "flake-parts": "flake-parts_4",
+        "flake-compat": "flake-compat_2",
+        "flake-parts": "flake-parts_3",
        "git-hooks-nix": "git-hooks-nix_2",
        "nixfmt": "nixfmt",
        "nixpkgs": [
@ -416,10 +341,10 @@
    },
    "nixops4": {
      "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_2",
        "nix": "nix",
        "nix-cargo-integration": "nix-cargo-integration",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-old": "nixpkgs-old"
      },
      "locked": {
@ -438,7 +363,7 @@
    },
    "nixops4-nixos": {
      "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
        "git-hooks-nix": "git-hooks-nix",
        "nixops4": "nixops4",
        "nixops4-nixos": [
@ -520,18 +445,6 @@
        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
      }
    },
-    "nixpkgs-lib_3": {
-      "locked": {
-        "lastModified": 1738452942,
-        "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
-      }
-    },
    "nixpkgs-old": {
      "locked": {
        "lastModified": 1735563628,
@ -565,22 +478,6 @@
      }
    },
    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1730768919,
-        "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
      "locked": {
        "lastModified": 1738410390,
        "narHash": "sha256-xvTo0Aw0+veek7hvEVLzErmJyQkEcRk6PSR4zsRQFEc=",
@ -621,7 +518,7 @@
    },
    "purescript-overlay": {
      "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_3",
        "nixpkgs": [
          "nixops4-nixos",
          "nixops4",
@ -664,8 +561,6 @@
    },
    "root": {
      "inputs": {
-        "flake-parts": "flake-parts",
-        "git-hooks": "git-hooks",
        "nixops4": [
          "nixops4-nixos",
          "nixops4"
--- a/flake.nix
+++ b/flake.nix
@ -1,67 +1,36 @@
 {
  inputs = {
-    flake-parts.url = "github:hercules-ci/flake-parts";
-    git-hooks.url = "github:cachix/git-hooks.nix";
    nixops4.follows = "nixops4-nixos/nixops4";
    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
  };

  outputs =
-    inputs@{ self, flake-parts, ... }:
-    let
-      sources = import ./npins;
-      inherit (import sources.flake-inputs) import-flake;
-      inherit (sources) git-hooks;
-      # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
-      # XXX - this is just importing a flake
-      nixpkgs = import-flake { src = sources.nixpkgs; };
-      # XXX - this overrides the inputs attached to `self`
-      inputs' = self.inputs // {
-        nixpkgs = nixpkgs;
-      };
-      self' = self // {
-        inputs = inputs';
-      };
-    in
-    # XXX - finally we override the overall set of `inputs` -- we need both:
-    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
-    flake-parts.lib.mkFlake
+    inputs:
+    import ./mkFlake.nix inputs (
+      { inputs, sources, ... }:
      {
-        inputs = inputs // {
-          inherit nixpkgs;
-        };
-        self = self';
-        specialArgs = {
-          inherit sources;
-        };
-      }
-      (
-        { inputs, ... }:
-        {
-          systems = [
-            "x86_64-linux"
-            "aarch64-linux"
-            "x86_64-darwin"
-            "aarch64-darwin"
-          ];
-
        imports = [
-            "${git-hooks}/flake-module.nix"
+          "${sources.git-hooks}/flake-module.nix"
          inputs.nixops4.modules.flake.default

          ./deployment/flake-part.nix
          ./infra/flake-part.nix
          ./keys/flake-part.nix
          ./secrets/flake-part.nix
+          ./services/tests/flake-part.nix
        ];

        perSystem =
          {
            pkgs,
            lib,
+            system,
            ...
          }:
          {
+            checks = {
+              panel = (import ./. { inherit sources system; }).tests.panel.basic;
+            };
            formatter = pkgs.nixfmt-rfc-style;

            pre-commit.settings.hooks =
--- a/infra/README.md
+++ b/infra/README.md
@ -1,14 +1,13 @@
 # Infra

-This directory contains the definition of [the VMs](machines.md) that host our
+This directory contains the definition of [the VMs](../machines/machines.md) that host our
 infrastructure.

 ## Provisioning VMs with an initial configuration

-NOTE[Niols]: This is very manual and clunky. Two things will happen. In the near
-future, I will improve the provisioning script to make this a bit less clunky.
-In the far future, NixOps4 will be able to communicate with Proxmox directly and
-everything will become much cleaner.
+> NOTE[Niols]: This is still very manual and clunky. Two things will happen:
+> 1. In the near future, I will improve the provisioning script to make this a bit less clunky.
+> 2. In the far future, NixOps4 will be able to communicate with Proxmox directly and everything will become much cleaner.

 1. Choose names for your VMs. It is recommended to choose `fediXXX`, with `XXX`
   above 100. For instance, `fedi117`.
@ -25,8 +24,7 @@ everything will become much cleaner.
   Those files need to exist during provisioning, but their content matters only
   when updating the machines' configuration.

-   FIXME: Remove this step by making the provisioning script not fail with the
-   public key does not exist yet.
+   > FIXME: Remove this step by making the provisioning script not fail with the public key does not exist yet.

 3. Run the provisioning script:
   ```
@ -44,7 +42,7 @@ everything will become much cleaner.
   ssh fedi117.abundos.eu 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' > keys/systems/fedi117.pub
   ```

-   FIXME: Make the provisioning script do that for us.
+   > FIXME: Make the provisioning script do that for us.

 7. Regenerate the list of machines:
   ```
@ -56,7 +54,7 @@ everything will become much cleaner.
   just enough for it to boot and be reachable. Go on to the next section to
   update the machine and put an actual configuration.

-   FIXME: Figure out why the full configuration isn't on the machine at this
+   > FIXME: Figure out why the full configuration isn't on the machine at this
   point and fix it.

 ## Updating existing VM configurations
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@ -24,6 +24,14 @@ in
    experimental-features = nix-command flakes
  '';

+  nix.settings = {
+    trusted-substituters = [
+      "https://attic.fediversity.net/demo"
+    ];
+    trusted-public-keys = [
+      "demo:N3CAZ049SeBVqBM+OnhLMrxWJ9altbD/aoJtHrY19KM="
+    ];
+  };
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
--- a/infra/common/nixos/users.nix
+++ b/infra/common/nixos/users.nix
@ -1,7 +1,13 @@
+{
+  config,
+  ...
+}:
 {
  _class = "nixos";

  users.users = {
+    root.openssh.authorizedKeys.keys = config.users.users.procolix.openssh.authorizedKeys.keys;
+
    procolix = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
--- a/infra/common/options.nix
+++ b/infra/common/options.nix
@ -20,16 +20,13 @@ in
      '';
    };

-    proxmox = mkOption {
-      type = types.nullOr (
-        types.enum [
-          "procolix"
-          "fediversity"
-        ]
-      );
+    isFediversityVm = mkOption {
+      type = types.bool;
      description = ''
-        The Proxmox instance. This is used for provisioning only and should be
-        set to `null` if the machine is not a VM.
+        Whether the machine is a Fediversity VM or not. This is used to
+        determine whether the machine should be provisioned via Proxmox or not.
+        Machines that are _not_ Fediversity VM could be physical machines, or
+        VMs that live outside Fediversity, eg. on Procolix's Proxmox.
      '';
    };

--- a/infra/common/proxmox-qemu-vm.nix
+++ b/infra/common/proxmox-qemu-vm.nix
@ -1,9 +1,14 @@
-{ modulesPath, ... }:
+{ ... }:

 {
  _class = "nixos";

-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  ## FIXME: It would be nice, but the following leads to infinite recursion
+  ## in the way we currently plug `sources` in.
+  ##
+  # imports = [
+  #   "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+  # ];

  boot = {
    initrd = {
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -2,7 +2,6 @@
  inputs,
  lib,
  config,
-  sources,
  keys,
  secrets,
  ...
@ -33,10 +32,9 @@ in
  ## should go into the `./nixos` subdirectory.
  nixos.module = {
    imports = [
-      "${sources.agenix}/modules/age.nix"
-      "${sources.disko}/module.nix"
      ./options.nix
      ./nixos
+      ./proxmox-qemu-vm.nix
    ];

    ## Inject the shared options from the resource's `config` into the NixOS
@ -48,9 +46,9 @@ in
    ## the secret's file.
    age.secrets = concatMapAttrs (
      name: secret:
-      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
+      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) {
        ${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
-      })
+      }
    ) secrets.mapping;

    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
@ -58,6 +56,8 @@ in
    users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
      # allow our panel vm access to the test machines
      keys.panel
+      # allow continuous deployment access
+      keys.cd
    ];

  };
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -14,47 +14,40 @@ let
    mkOption
    evalModules
    filterAttrs
+    mapAttrs'
+    deepSeq
    ;
  inherit (lib.attrsets) genAttrs;

-  ## Given a machine's name and whether it is a test VM, make a resource module,
-  ## except for its missing provider. (Depending on the use of that resource, we
-  ## will provide a different one.)
-  makeResourceModule =
-    { vmName, isTestVm }:
-    {
-      # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally
+  commonResourceModule = {
+    # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch
+    # flake-parts and have our own data model for how the project is organised
+    # internally
    _module.args = {
      inherit
        inputs
-          sources
        keys
        secrets
+        sources
        ;
    };

-      imports =
-        [
-          ./common/resource.nix
-        ]
-        ++ (
-          if isTestVm then
-            [
-              ./common/proxmox-qemu-vm.nix
-              ../machines/operator/${vmName}
-              {
-                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
-                  # allow our panel vm access to the test machines
-                  keys.panel
+    ## FIXME: It would be preferrable to have those `sources`-related imports in
+    ## the modules that use them. However, doing so triggers infinite recursions
+    ## because of the way we propagate `sources`. `sources` must be propagated by
+    ## means of `specialArgs`, but this requires a bigger change.
+    nixos.module.imports = [
+      "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+      "${sources.agenix}/modules/age.nix"
+      "${sources.disko}/module.nix"
+      "${sources.home-manager}/nixos"
+      "${sources.vars}/options.nix"
+      "${sources.vars}/backends/on-machine.nix"
+    ];
+
+    imports = [
+      ./common/resource.nix
    ];
-              }
-            ]
-          else
-            [
-              ../machines/dev/${vmName}
-            ]
-        );
-      fediversityVm.name = vmName;
  };

  ## Given a list of machine names, make a deployment with those machines'
@ -68,10 +61,8 @@ let
        type = providers.local.exec;
        imports = [
          inputs.nixops4-nixos.modules.nixops4Resource.nixos
-          (makeResourceModule {
-            inherit vmName;
-            isTestVm = false;
-          })
+          commonResourceModule
+          ../machines/dev/${vmName}
        ];
      });
    };
@ -88,21 +79,35 @@ let
        fediversity = import ../services/fediversity;
      }
      {
-        garageConfigurationResource = makeResourceModule {
-          vmName = "test01";
-          isTestVm = true;
+        garageConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test01
+          ];
        };
-        mastodonConfigurationResource = makeResourceModule {
-          vmName = "test06"; # somehow `test02` has a problem - use test06 instead
-          isTestVm = true;
+        mastodonConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test06 # somehow `test02` has a problem - use test06 instead
+          ];
        };
-        peertubeConfigurationResource = makeResourceModule {
-          vmName = "test05";
-          isTestVm = true;
+        peertubeConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test05
+          ];
        };
-        pixelfedConfigurationResource = makeResourceModule {
-          vmName = "test04";
-          isTestVm = true;
+        pixelfedConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test04
+          ];
+        };
+        atticConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test12
+          ];
        };
      };

@ -115,54 +120,63 @@ let
    ## this is only needed to expose NixOS configurations for provisioning
    ## purposes, and eventually all of this should be handled by NixOps4.
    options = {
-      nixos.module = mkOption { }; # NOTE: not just `nixos` otherwise merging will go wrong
+      nixos.module = mkOption { type = lib.types.deferredModule; }; # NOTE: not just `nixos` otherwise merging will go wrong
      nixpkgs = mkOption { };
      ssh = mkOption { };
    };
  };

  makeResourceConfig =
-    vm:
+    { vmName, isTestVm }:
    (evalModules {
      modules = [
        nixops4ResourceNixosMockOptions
-        (makeResourceModule vm)
+        commonResourceModule
+        (if isTestVm then ../machines/operator/${vmName} else ../machines/dev/${vmName})
      ];
    }).config;

  ## Given a VM name, make a NixOS configuration for this machine.
  makeConfiguration =
    isTestVm: vmName:
-    let
-      inherit (sources) nixpkgs;
-    in
-    import "${nixpkgs}/nixos" {
-      modules = [
-        (makeResourceConfig { inherit vmName isTestVm; }).nixos.module
-      ];
+    import "${sources.nixpkgs}/nixos" {
+      configuration = (makeResourceConfig { inherit vmName isTestVm; }).nixos.module;
+      system = "x86_64-linux";
    };

-  makeVmOptions = isTestVm: vmName: {
-    inherit ((makeResourceConfig { inherit vmName isTestVm; }).fediversityVm)
-      proxmox
+  makeVmOptions =
+    isTestVm: vmName:
+    let
+      config = (makeResourceConfig { inherit vmName isTestVm; }).fediversityVm;
+    in
+    if config.isFediversityVm then
+      {
+        inherit (config)
          vmId
          description
-
          sockets
          cores
          memory
          diskSize
-
          hostPublicKey
          unsafeHostPrivateKey
          ;
-  };
+      }
+    else
+      null;

  listSubdirectories = path: attrNames (filterAttrs (_: type: type == "directory") (readDir path));

  machines = listSubdirectories ../machines/dev;
  testMachines = listSubdirectories ../machines/operator;

+  nixosConfigurations =
+    genAttrs machines (makeConfiguration false)
+    // genAttrs testMachines (makeConfiguration true);
+  vmOptions =
+    filterAttrs (_: value: value != null) # Filter out non-Fediversity VMs
+      (genAttrs machines (makeVmOptions false) // genAttrs testMachines (makeVmOptions true));
+
 in
 {
  _class = "flake";
@ -186,10 +200,23 @@ in
      )
    );
  };
-  flake.nixosConfigurations =
-    genAttrs machines (makeConfiguration false)
-    // genAttrs testMachines (makeConfiguration true);
-  flake.vmOptions =
-    genAttrs machines (makeVmOptions false)
-    // genAttrs testMachines (makeVmOptions true);
+  flake = { inherit nixosConfigurations vmOptions; };
+
+  perSystem =
+    { pkgs, ... }:
+    {
+      checks =
+        mapAttrs' (name: nixosConfiguration: {
+          name = "nixosConfigurations-${name}";
+          value = nixosConfiguration.config.system.build.toplevel;
+        }) nixosConfigurations
+        // mapAttrs' (name: vmOptions: {
+          name = "vmOptions-${name}";
+          ## Check that VM options builds/evaluates correctly. `deepSeq e1
+          ## e2` evaluates `e1` strictly in depth before returning `e2`. We
+          ## use this trick because checks need to be derivations, which VM
+          ## options are not.
+          value = deepSeq vmOptions pkgs.hello;
+        }) vmOptions;
+    };
 }
--- a/infra/makeInstallerIso.nix
+++ b/infra/makeInstallerIso.nix
@ -15,7 +15,6 @@ let

  installer =
    {
-      config,
      pkgs,
      lib,
      ...
--- a/infra/proxmox-provision.sh
+++ b/infra/proxmox-provision.sh
@ -179,15 +179,9 @@ grab_vm_options () {
    --log-format raw --quiet
  )

-  proxmox=$(echo "$options" | jq -r .proxmox)
  vm_id=$(echo "$options" | jq -r .vmId)
  description=$(echo "$options" | jq -r .description)

-  if [ "$proxmox" != fediversity ]; then
-    die "I do not know how to provision things that are not Fediversity VMs,
-but I got proxmox = '%s' for VM %s." "$proxmox" "$vm_name"
-  fi
-
  sockets=$(echo "$options" | jq -r .sockets)
  cores=$(echo "$options" | jq -r .cores)
  memory=$(echo "$options" | jq -r .memory)
--- a/infra/proxmox-remove.sh
+++ b/infra/proxmox-remove.sh
@ -167,16 +167,10 @@ grab_vm_options () {
      --log-format raw --quiet
    )

-    proxmox=$(echo "$options" | jq -r .proxmox)
    vm_id=$(echo "$options" | jq -r .vmId)

-    if [ "$proxmox" != fediversity ]; then
-      die "I do not know how to remove things that are not Fediversity VMs,
-  but I got proxmox = '%s' for VM %s." "$proxmox" "$vm_name"
-    fi
-
-    printf 'done grabing VM options for VM %s. Found VM %d on %s Proxmox.\n' \
-      "$vm_name" "$vm_id" "$proxmox"
+    printf 'done grabing VM options for VM %s. Got id: %d.\n' \
+      "$vm_name" "$vm_id"
  fi
 }

--- a/keys/cd-ssh-key.pub
+++ b/keys/cd-ssh-key.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlsYTtMx3hFO8B5B8iHaXL2JKj9izHeC+/AMhIWXBPs cd-age
--- a/keys/default.nix
+++ b/keys/default.nix
@ -35,4 +35,5 @@ in
  contributors = collectKeys ./contributors;
  systems = collectKeys ./systems;
  panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
+  cd = removeTrailingWhitespace (readFile ./cd-ssh-key.pub);
 }
--- a/machines/dev/fedi200/default.nix
+++ b/machines/dev/fedi200/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "fedi200";
+    isFediversityVm = true;
    vmId = 200;
-    proxmox = "fediversity";
    description = "Testing machine for Hans";

    domain = "abundos.eu";
@ -16,10 +17,4 @@
      gateway = "2a00:51c0:13:1305::1";
    };
  };
-
-  nixos.module = {
-    imports = [
-      ../../../infra/common/proxmox-qemu-vm.nix
-    ];
-  };
 }
--- a/machines/dev/fedi201/default.nix
+++ b/machines/dev/fedi201/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "fedi201";
+    isFediversityVm = true;
    vmId = 201;
-    proxmox = "fediversity";
    description = "FediPanel";

    domain = "abundos.eu";
@ -19,7 +20,6 @@

  nixos.module = {
    imports = [
-      ../../../infra/common/proxmox-qemu-vm.nix
      ./fedipanel.nix
    ];
  };
--- a/machines/dev/fedi201/fedipanel.nix
+++ b/machines/dev/fedi201/fedipanel.nix
@ -1,6 +1,5 @@
 {
  config,
-  sources,
  ...
 }:
 let
@ -11,7 +10,6 @@ in

  imports = [
    (import ../../../panel { }).module
-    (import "${sources.home-manager}/nixos")
  ];

  security.acme = {
--- a/machines/dev/forgejo-ci/default.nix
+++ b/machines/dev/forgejo-ci/default.nix
@ -20,7 +20,9 @@ in
  ssh.host = mkForce "forgejo-ci";

  fediversityVm = {
+    name = "forgejo-ci";
    domain = "procolix.com";
+    isFediversityVm = false;

    ipv4 = {
      interface = "enp1s0f0";
@ -48,7 +50,7 @@ in
      };

      ## NOTE: This is a physical machine, so is not covered by disko
-      fileSystems."/" = {
+      fileSystems."/" = lib.mkForce {
        device = "rpool/root";
        fsType = "zfs";
      };
@ -58,7 +60,7 @@ in
        fsType = "zfs";
      };

-      fileSystems."/boot" = {
+      fileSystems."/boot" = lib.mkForce {
        device = "/dev/disk/by-uuid/50B2-DD3F";
        fsType = "vfat";
        options = [
--- a/machines/dev/vm02116/default.nix
+++ b/machines/dev/vm02116/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "vm02116";
+    isFediversityVm = false;
    vmId = 2116;
-    proxmox = "procolix";
    description = "Forgejo";

    ipv4.address = "185.206.232.34";
@ -14,7 +15,6 @@
    { lib, ... }:
    {
      imports = [
-        ../../../infra/common/proxmox-qemu-vm.nix
        ./forgejo.nix
      ];

--- a/machines/dev/vm02187/default.nix
+++ b/machines/dev/vm02187/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "vm02187";
+    isFediversityVm = false;
    vmId = 2187;
-    proxmox = "procolix";
    description = "Wiki";

    ipv4.address = "185.206.232.187";
@ -14,7 +15,6 @@
    { lib, ... }:
    {
      imports = [
-        ../../../infra/common/proxmox-qemu-vm.nix
        ./wiki.nix
      ];

--- a/machines/operator/test01/default.nix
+++ b/machines/operator/test01/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "test01";
+    isFediversityVm = true;
    vmId = 7001;
-    proxmox = "fediversity";

    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test02/default.nix
+++ b/machines/operator/test02/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "test02";
+    isFediversityVm = true;
    vmId = 7002;
-    proxmox = "fediversity";

    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test03/default.nix
+++ b/machines/operator/test03/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "test03";
+    isFediversityVm = true;
    vmId = 7003;
-    proxmox = "fediversity";

    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test04/default.nix
+++ b/machines/operator/test04/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "test04";
+    isFediversityVm = true;
    vmId = 7004;
-    proxmox = "fediversity";

    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test05/default.nix
+++ b/machines/operator/test05/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "test05";
+    isFediversityVm = true;
    vmId = 7005;
-    proxmox = "fediversity";

    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test06/default.nix
+++ b/machines/operator/test06/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "test06";
+    isFediversityVm = true;
    vmId = 7006;
-    proxmox = "fediversity";

    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test11/default.nix
+++ b/machines/operator/test11/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "test11";
+    isFediversityVm = true;
    vmId = 7011;
-    proxmox = "fediversity";

    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test12/default.nix
+++ b/machines/operator/test12/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "test12";
+    isFediversityVm = true;
    vmId = 7012;
-    proxmox = "fediversity";

    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test13/default.nix
+++ b/machines/operator/test13/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "test13";
+    isFediversityVm = true;
    vmId = 7013;
-    proxmox = "fediversity";

    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/machines/operator/test14/default.nix
+++ b/machines/operator/test14/default.nix
@ -2,8 +2,9 @@
  _class = "nixops4Resource";

  fediversityVm = {
+    name = "test14";
+    isFediversityVm = true;
    vmId = 7014;
-    proxmox = "fediversity";

    hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
    unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;
--- a/mkFlake.nix
+++ b/mkFlake.nix
@ -0,0 +1,54 @@
+## This file contains a tweak of flake-parts's `mkFlake` function to splice in
+## sources taken from npins.
+
+## NOTE: Much of the logic in this file feels like it should be not super
+## specific to fediversity. Could it make sense to extract the core of this to
+## another place it feels closer to in spirit, such as @fricklerhandwerk's
+## flake-inputs (which this code already depends on anyway, and which already
+## contained two distinct helpers for migrating away from flakes)? cf
+## https://git.fediversity.eu/Fediversity/Fediversity/pulls/447#issuecomment-8671
+
+inputs@{ self, ... }:
+
+let
+  sources = import ./npins;
+  inherit (import sources.flake-inputs) import-flake;
+
+  # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
+  # XXX - this is just importing a flake
+  nixpkgs = import-flake { src = sources.nixpkgs; };
+
+  # XXX - this overrides the inputs attached to `self`
+  inputs' = self.inputs // {
+    nixpkgs = nixpkgs;
+  };
+  self' = self // {
+    inputs = inputs';
+  };
+
+  flake-parts-lib = import "${sources.flake-parts}/lib.nix" { inherit (nixpkgs) lib; };
+in
+
+flakeModule:
+
+flake-parts-lib.mkFlake
+  {
+    # XXX - finally we override the overall set of `inputs` -- we need both:
+    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
+    inputs = inputs // {
+      inherit nixpkgs;
+    };
+    self = self';
+    specialArgs = {
+      inherit sources;
+    };
+  }
+  {
+    systems = [
+      "x86_64-linux"
+      "aarch64-linux"
+      "x86_64-darwin"
+      "aarch64-darwin"
+    ];
+    imports = [ flakeModule ];
+  }
--- a/npins/sources.json
+++ b/npins/sources.json
@ -125,6 +125,19 @@
      "url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4",
      "hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2"
    },
+    "nix-templating": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "KiaraGrouwstra",
+        "repo": "nix-templating"
+      },
+      "branch": "master",
+      "submodules": false,
+      "revision": "1a0873296232e804a982e6613e88dc180afeca79",
+      "url": "https://github.com/KiaraGrouwstra/nix-templating/archive/1a0873296232e804a982e6613e88dc180afeca79.tar.gz",
+      "hash": "0cfi03cjfk3y7ilyfx797v6dljb1jvva0gan6qjwlrfi5sz9x0sp"
+    },
    "nix-unit": {
      "type": "Git",
      "repository": {
@ -150,6 +163,19 @@
      "revision": "f33a4d26226c05d501b9d4d3e5e60a3a59991921",
      "url": "https://github.com/nixos/nixpkgs/archive/f33a4d26226c05d501b9d4d3e5e60a3a59991921.tar.gz",
      "hash": "1b6dm1sn0bdpcsmxna0zzspjaixa2dald08005fry5jrbjvwafdj"
+    },
+    "vars": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "KiaraGrouwstra",
+        "repo": "vars"
+      },
+      "branch": "main",
+      "submodules": false,
+      "revision": "626d5d05e9450294054b1304ea4159e8b70fc0a0",
+      "url": "https://github.com/KiaraGrouwstra/vars/archive/626d5d05e9450294054b1304ea4159e8b70fc0a0.tar.gz",
+      "hash": "13c4hp4gzyvrvlmzpqnb6dzjgb9wc66rk5n4s54kd67mcc76ry3s"
    }
  },
  "version": 5
--- a/panel/default.nix
+++ b/panel/default.nix
@ -45,7 +45,7 @@ in
    '';
  };

-  module = import ./nix/configuration.nix;
+  module = ./nix/configuration.nix;
  tests = pkgs.callPackage ./nix/tests.nix { };

  # re-export inputs so they can be overridden granularly
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@ -202,11 +202,8 @@ in
      };
    };

-    users.users.${name} = {
-      # TODO[Niols]: change to system user or document why we specifically
-      # need a normal user.
-      isNormalUser = true;
-    };
+    # needed to place a config file with home-manager
+    users.users.${name}.isNormalUser = true;

    users.groups.${name} = { };
    systemd.services.${name} = {
--- a/secrets/attic-ci-token.age
+++ b/secrets/attic-ci-token.age
--- a/secrets/forgejo-database-password.age
+++ b/secrets/forgejo-database-password.age
@ -1,17 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 Jpc21A 9edPaA2tT4SeYNTPzF0E157daC2o+JH/WQQCT+vLbFg
-C48EtLdhB75TTzfEZTw1DypicHiVlSmFzjfbqfO9N/8
-> ssh-ed25519 BAs8QA T+kXpZg1v0XRkub5DWir7vYwO7KaOJLZBNYxxXiBUCw
-zBRwMTDpyI7twEwUGsmJYyYPw9btBx5Kakj1yT+XY8U
-> ssh-ed25519 ofQnlg 4UoEDY/tdKz8LrX1BkBU1/cn+vSaYLUl7xX9YmzANBY
-8CACq1n3AJgD9IyPN23iRvThqsfQFF5+jmkKnhun24U
-> ssh-ed25519 COspvA HxcbkqHL+LpVmwb+Fo5JuUU+C+Pxzdxtb0yZHixwuzM
-7FIhxdbjHJlgQQgjrHHUK5cecqs5aT7X3I8TWf8c2gc
-> ssh-ed25519 2XrTgw R6Ia8MVIZKPnNZ0rspZ34EqoY8fOLeB9H7vnvNBLg1g
-55NUqz5Yygt6FKJ3bR5iHxQp8G7S2gyFwrJNX1Pb/2Y
-> ssh-ed25519 awJeHA hJdTuAScoewVMt7HWiisSkL0zSeClFzYzzKL84G893o
-ou780VLrW1s4d6L+lEVu3kXaGn4dvtFPA31supwEL50
-> ssh-ed25519 Fa25Dw mJcqnXA3fQeoKrG7RJ7nVeLxPvrxqbj+lJdx6jQ9IR8
-f5Q7mrQSSDsm1Z/uSAnvx66mgnRC3XaBLQrVL9f/Ijs
--- W/KmboXTLV12X6WtVQKHNe+ZHvS2q9EHUZwofSgJSE8
-^kûÚ	h©0ÔkÇ ¢¸_Ç·ûQÞm‘’7\òÖ}÷Áë?½qø‚<ÿm
+-> ssh-ed25519 Jpc21A bBCQmvfRUwJuIXbpVJ092XUBVszGrb6gILGbgV9j9BY
+7DEGwhqdfqMs5cxXtlMkSTPjw4qhczBgW0dmoJ6dh6g
+-> ssh-ed25519 BAs8QA oiVedFC6UklEFCJUybGr93+XrddyCtV4r4TnE4nhpWI
+xasnkP4NCl9TuYSE1u0Xi0b/PiwcrfHCz2QMnpTjLcU
+-> ssh-ed25519 ofQnlg LrMcWdaEUVyIgd/KznwJW/2sucIu5MuxDEcEJAmf8mA
+p6pQoisuXre2J4r6ArV6C6lKO2J/aNdBFhqLPBoZ2wA
+-> ssh-ed25519 COspvA q2OGeVofPKyGCpr4Mf9VoaRvZCWTRl8n2mvkQOdTnyQ
+M+ffAGecJG/94k/Z5DdokltrZppS2IcxkZa8JKHwIMs
+-> ssh-ed25519 2XrTgw Bsz/G4QderToPSfMKOR6s5yWb0xCGUlsjGJxJYQNBRc
+JYrXZb8qj1Yi9u5bnI/WzuNxy7gyFLCTIUaGNmcOYnk
+-> ssh-ed25519 awJeHA KKJMQSt0PvC6P+T/kxQv96tSBdLQLiY2f8q35IwGm28
+p7Cf2HLlPl0qmsO6Hh5zwVgKkEs3A6fdSBndMKsacbk
+-> ssh-ed25519 Fa25Dw 3m/qyannP4gjXxkUuO0LQRU8Z8HXOg4WReMDd7786y8
+dNMyiBGeJDrBScE9TEyZZ7+MGMG6FLuoRTK82EVeX1w
+-> ssh-ed25519 i+ecmQ oCs4Ep2K75yjmUOh1ox4F25tGq+O/mZ2/c2E8+IRlEc
+0Wc9gDxhvHK5tEVM5kJ0mQXc3kp7tJ2JNHg54N0+tJ8
+--- mXrqbcHxjjkS5MrQaCVm4hTsAUEENAWlIYtiYx6rtas
+ž`€úì}öÙ7Ù>iŒbàéëÕî¦®è/&ÉªŠwŽ„ì7àí[ã±Hˆc“
--- a/secrets/forgejo-email-password.age
+++ b/secrets/forgejo-email-password.age
--- a/secrets/forgejo-runner-token.age
+++ b/secrets/forgejo-runner-token.age
--- a/secrets/panel-secret-key.age
+++ b/secrets/panel-secret-key.age
--- a/secrets/panel-ssh-key.age
+++ b/secrets/panel-ssh-key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -7,11 +7,12 @@ let

  keys = import ../keys;
  contributors = attrValues keys.contributors;
+  cd = [ keys.cd ];
 in

 concatMapAttrs
  (name: systems: {
-    "${name}.age".publicKeys = contributors ++ systems;
+    "${name}.age".publicKeys = contributors ++ systems ++ cd;
  })

  (
@ -24,6 +25,7 @@ concatMapAttrs
    ## are able to decrypt them.

    {
+      attic-ci-token = [ forgejo-ci ];
      forgejo-database-password = [ vm02116 ];
      forgejo-email-password = [ vm02116 ];
      forgejo-runner-token = [ forgejo-ci ];
--- a/secrets/wiki-basicauth-htpasswd.age
+++ b/secrets/wiki-basicauth-htpasswd.age
@ -1,18 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 Jpc21A EuMYAiZX+4A12eu19mIY7u+WYF7NJ9qJosQSVlxR6n8
-bK5CMXAmP23t1p9bgmqoVg4Qcu2qYKGc4t36v8e9eow
-> ssh-ed25519 BAs8QA IwRyitDNTzUPzQAUbDNEKjFiF8WPD/OyztOZQeoTEzw
-OwiTWvk4NmUgExav0uH6HlThDNU5hsKXfR6KHsFOV3I
-> ssh-ed25519 ofQnlg 3TcMbLX1JsQL8+Gqy7IFZwykZr2BspvPCuZT1SHtnQQ
-Ci5OeBj2aiC8ut9jIEUMt3qfYH+cJrnVud6AH54Ndn8
-> ssh-ed25519 COspvA 0t9f3Wu3ILv4QTJhwT619y+7XFrryCLbpIZC6aE+qQI
-oPQP48F6oO/tkqLZDdjkGtIap7KHiAknbpTNL6/yLaU
-> ssh-ed25519 2XrTgw YOZsaYQH9vMH0QqSXGh8GyhRV4MbcBGPFfFaKpo3Ckk
-kUShJbADA+6bpx2adxvzlI/0jSM5bIBfZfdSE/7Vm5Y
-> ssh-ed25519 awJeHA dF3m0hQWX9c0EezDr56Kt/F4d1Uim7NwvIX6zRws0Eo
-pst243yrARODwrnyz8cJAzgDxdPOUsRbs7yPZePABFs
-> ssh-ed25519 dgBsjw PUYHcP/tgNnKyvlIoJRcNcW3zabVV1iHXIWfKqgW9xc
-tXNjSuVH/g/oN5o75FPkFFpviF7SeFSN9kbqURvgMDE
--- wHgBAN9c6F6T5hFJGo8uH8zqDkQDwx3/jVNKUtQ3arE
-«Ñ¢Á
-ò@µú¡fÃƒ`m;ÕcæäU²€ùò£Íd…eS’èyfv¿»¡€J?ø `œfj£Äa}lÃó ¿Úxç²BÇt2èfìôm08ÓoÝtRál9˜èx¤¢ŒÅž›æ÷
+-> ssh-ed25519 Jpc21A NStZFZPTHMhVCnQ5Zkbl39vWztrxfsSXok24/e8H7QQ
+JjHP6Cus76PGYYxpbnc2cSZ79zvdD8LISYDPbvXsnqU
+-> ssh-ed25519 BAs8QA iocHfHjWlEUsbtibqEbYDceAqURr2vjxuYapqon9hyU
+ljL+olZdhWtHeV3uh3pOu22+sY13wPn2vKQDduPSqVs
+-> ssh-ed25519 ofQnlg 9YVfMKyoP3+xtzg/ok2I9yf3YdIYoBpUJa/3d2N/8lI
+2yUalyj7O3c1YDA2xTb9QNYrFBDHwcyGBX3mydv0ifI
+-> ssh-ed25519 COspvA cOSNsZXBbhQ/B49fq3KwcY6siVrTz48doTrta/0d/Hw
+jcRtVxA/tVFM9btPAPI6zKk8BwAVlaQlvHC203MpmIQ
+-> ssh-ed25519 2XrTgw d3EKtYkxjeJZ8kt3ofIklGmRwUCgTIB/WVVlvxggGRk
+IhcrpWN9xFsKRw9iCfYMONPOU7TpTt4kTBNwMDtk7zo
+-> ssh-ed25519 awJeHA Ei64e3+FJDM6S8NP+YfEWEg9t72qTXZ0IdZE8dYQPm4
+ggRc86sXin06eXJkLbK8CdJFDa1237WMfSgwNd5ngmM
+-> ssh-ed25519 dgBsjw 9etK6tNrFlWVAKTz5U0TitkiGYLKTad3QiRWVpLPrwM
+xHLzFnRtcvpVZYZrxWz5q4uadhHrHVlfqjteOWfIccE
+-> ssh-ed25519 i+ecmQ SDTnYBLMOaH173B/wqaOifE6a90gSesRqMHmX7/iZFk
+kS9tuKnMXCXNUnoZ06DisOOyZHe/mZl4a0JRA+eynE8
+--- C0R5WxDDCqQGxyvFoeNX838az0bjp55PGh//1NFG4LE
+ŠÉY—±³<EFBFBD>„ÏKRÇËej±éŒ7xÑíE¹ Óì¾7jÏ-œJý«[ÀF?Ÿ=-w‘XMC~)èÅ›ƒ<E280BA>Éõb«ëƒCÜ4ÌÖÞOwý~–¿š8ñv—ÙÜžèX»ØÆ’ƒí!5¦
--- a/secrets/wiki-password.age
+++ b/secrets/wiki-password.age
--- a/secrets/wiki-smtp-password.age
+++ b/secrets/wiki-smtp-password.age
--- a/services/README.md
+++ b/services/README.md
@ -21,11 +21,11 @@ For those that know it, we could say that the current module is an analogous of

 ## Content of this directory

- [fediversity][./fediversity] contains the definition of the services. Look in
+- [fediversity](./fediversity) contains the definition of the services. Look in
  particular at its `default.nix` that contains the definition of the options.

- [vm][./vm] contains options specific to making the service run in local QEMU
+- [vm](./vm) contains options specific to making the service run in local QEMU
  VMs. These modules will for instance override the defaults to disable SSL, and
  they will add virtualisation options to forward ports, for instance.

- [tests][./tests] contain full NixOS tests of the services.
+- [tests](./tests) contain full NixOS tests of the services.
--- a/services/default.nix
+++ b/services/default.nix
@ -1,13 +0,0 @@
-{
-  system ? builtins.currentSystem,
-  sources ? import ../npins,
-  pkgs ? import sources.nixpkgs { inherit system; },
-  ...
-}:
-{
-  tests = {
-    mastodon = pkgs.nixosTest ./tests/mastodon.nix;
-    pixelfed-garage = pkgs.nixosTest ./tests/pixelfed-garage.nix;
-    peertube = pkgs.nixosTest ./tests/peertube.nix;
-  };
-}
--- a/services/fediversity/attic/default.nix
+++ b/services/fediversity/attic/default.nix
@ -0,0 +1,332 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkIf mkMerge;
+  sources = import ../../../npins;
+  inherit (import "${sources.nix-templating}/lib.nix" { inherit pkgs; }) fileContents template_text;
+in
+{
+  imports = with sources; [
+    ./options.nix
+    "${vars}/options.nix"
+    "${vars}/backends/on-machine.nix"
+  ];
+
+  config = mkMerge [
+    (mkIf
+      (
+        config.fediversity.garage.enable
+        && config.fediversity.attic.s3AccessKeyFile != null
+        && config.fediversity.attic.s3SecretKeyFile != null
+      )
+      {
+        fediversity.garage = {
+          ensureBuckets = {
+            attic = {
+              website = true;
+              # TODO: these are too broad, after getting everything to work narrow it down to the domain we actually want
+              corsRules = {
+                enable = true;
+                allowedHeaders = [ "*" ];
+                allowedMethods = [ "GET" ];
+                allowedOrigins = [ "*" ];
+              };
+            };
+          };
+          ensureKeys = {
+            attic = {
+              inherit (config.fediversity.attic) s3AccessKeyFile s3SecretKeyFile;
+              ensureAccess = {
+                attic = {
+                  read = true;
+                  write = true;
+                  owner = true;
+                };
+              };
+            };
+          };
+        };
+      }
+    )
+    (mkIf config.fediversity.attic.enable {
+
+      services.postgresql = {
+        enable = true;
+        authentication = lib.mkForce ''
+          local all all trust
+        '';
+        ensureDatabases = [
+          "atticd"
+        ];
+        ensureUsers = [
+          {
+            name = "atticd";
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+
+      # open up access. 80 is necessary if only for ACME
+      networking.firewall.allowedTCPPorts = [
+        80
+        443
+        8080
+        9000
+      ];
+
+      # https://wiki.nixos.org/wiki/Nginx#TLS_reverse_proxy
+      services.nginx = {
+        enable = true;
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+        virtualHosts."attic.${config.fediversity.domain}" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:8080";
+            proxyWebsockets = true; # needed if you need to use WebSocket
+            extraConfig =
+              # required when the target is also TLS server with multiple hosts
+              "proxy_ssl_server_name on;"
+              +
+                # required when the server wants to use HTTP Authentication
+                "proxy_pass_header Authorization;";
+          };
+        };
+      };
+
+      vars.settings.on-machine.enable = true;
+
+      vars.generators.attic = {
+        runtimeInputs = [
+          pkgs.coreutils
+          pkgs.openssl
+        ];
+        files.token = {
+          secret = true;
+          owner = "atticd";
+        };
+        script = ''
+          openssl genrsa -traditional 4096 | base64 -w0 > "$out"/token
+        '';
+      };
+
+      systemd.services.atticd.serviceConfig = {
+        EnvironmentFile = lib.mkForce "-/tmp/attic.env";
+        ExecStartPre = "${
+          template_text {
+            # FIXME find a place not public
+            outPath = "/tmp/attic.env";
+            text = ''
+              ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="${fileContents config.vars.generators.attic.files.token.path}"
+              AWS_ACCESS_KEY_ID="${fileContents config.fediversity.attic.s3AccessKeyFile}"
+              AWS_SECRET_ACCESS_KEY="${fileContents config.fediversity.attic.s3SecretKeyFile}"
+            '';
+            name = "write";
+          }
+        }/bin/write";
+      };
+
+      services.atticd = {
+        enable = true;
+        environmentFile = "/dev/null"; # set dummy to overwrite
+        # one `monolithic` and any number of `api-server` nodes
+        mode = "monolithic";
+
+        # https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
+        settings = {
+          # Socket address to listen on
+          listen = "127.0.0.1:8080";
+
+          # Allowed `Host` headers
+          #
+          # This _must_ be configured for production use. If unconfigured or the
+          # list is empty, all `Host` headers are allowed.
+          allowed-hosts = [ ];
+
+          # The canonical API endpoint of this server
+          #
+          # This is the endpoint exposed to clients in `cache-config` responses.
+          #
+          # This _must_ be configured for production use. If not configured, the
+          # API endpoint is synthesized from the client's `Host` header which may
+          # be insecure.
+          #
+          # The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
+          # not `https://domain.tld/attic`).
+          api-endpoint = "https://${config.fediversity.attic.domain}/";
+
+          # Whether to soft-delete caches
+          #
+          # If this is enabled, caches are soft-deleted instead of actually
+          # removed from the database. Note that soft-deleted caches cannot
+          # have their names reused as long as the original database records
+          # are there.
+          #soft-delete-caches = false;
+
+          # Whether to require fully uploading a NAR if it exists in the global cache.
+          #
+          # If set to false, simply knowing the NAR hash is enough for
+          # an uploader to gain access to an existing NAR in the global
+          # cache.
+          #require-proof-of-possession = true;
+
+          # Database connection
+          database = {
+            # Connection URL
+            #
+            # For production use it's recommended to use PostgreSQL.
+            # url = "postgresql:///atticd:password@127.0.0.1:5432/atticd";
+            url = "postgresql:///atticd?host=/run/postgresql";
+
+            # Whether to enable sending on periodic heartbeat queries
+            #
+            # If enabled, a heartbeat query will be sent every minute
+            #heartbeat = false;
+          };
+
+          # File storage configuration
+          storage = {
+            # Storage type
+            #
+            # Can be "local" or "s3".
+            type = "s3";
+
+            # ## Local storage
+
+            # The directory to store all files under
+            # path = "%storage_path%";
+
+            # ## S3 Storage (set type to "s3" and uncomment below)
+
+            # The AWS region
+            region = "garage";
+
+            # The name of the bucket
+            bucket = "attic";
+
+            # Custom S3 endpoint
+            #
+            # Set this if you are using an S3-compatible object storage (e.g., Minio).
+            endpoint = config.fediversity.garage.api.url;
+
+            # Credentials
+            #
+            # If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
+            # `AWS_SECRET_ACCESS_KEY` environment variables.
+            # storage.credentials = {
+            #   access_key_id = "";
+            #   secret_access_key = "";
+            # };
+          };
+
+          # Data chunking
+          #
+          # Warning: If you change any of the values here, it will be
+          # difficult to reuse existing chunks for newly-uploaded NARs
+          # since the cutpoints will be different. As a result, the
+          # deduplication ratio will suffer for a while after the change.
+          chunking = {
+            # The minimum NAR size to trigger chunking
+            #
+            # If 0, chunking is disabled entirely for newly-uploaded NARs.
+            # If 1, all NARs are chunked.
+            nar-size-threshold = 65536; # chunk files that are 64 KiB or larger
+
+            # The preferred minimum size of a chunk, in bytes
+            min-size = 16384; # 16 KiB
+
+            # The preferred average size of a chunk, in bytes
+            avg-size = 65536; # 64 KiB
+
+            # The preferred maximum size of a chunk, in bytes
+            max-size = 262144; # 256 KiB
+          };
+
+          # Compression
+          compression = {
+            # Compression type
+            #
+            # Can be "none", "brotli", "zstd", or "xz"
+            type = "zstd";
+
+            # Compression level
+            #level = 8;
+          };
+
+          # Garbage collection
+          garbage-collection = {
+            # The frequency to run garbage collection at
+            #
+            # By default it's 12 hours. You can use natural language
+            # to specify the interval, like "1 day".
+            #
+            # If zero, automatic garbage collection is disabled, but
+            # it can still be run manually with `atticd --mode garbage-collector-once`.
+            interval = "12 hours";
+
+            # Default retention period
+            #
+            # Zero (default) means time-based garbage-collection is
+            # disabled by default. You can enable it on a per-cache basis.
+            #default-retention-period = "6 months";
+          };
+
+          # jwt = {
+          # WARNING: Changing _anything_ in this section will break any existing
+          # tokens. If you need to regenerate them, ensure that you use the the
+          # correct secret and include the `iss` and `aud` claims.
+
+          # JWT `iss` claim
+          #
+          # Set this to the JWT issuer that you want to validate.
+          # If this is set, all received JWTs will validate that the `iss` claim
+          # matches this value.
+          #token-bound-issuer = "some-issuer";
+
+          # JWT `aud` claim
+          #
+          # Set this to the JWT audience(s) that you want to validate.
+          # If this is set, all received JWTs will validate that the `aud` claim
+          # contains at least one of these values.
+          #token-bound-audiences = ["some-audience1", "some-audience2"];
+          # };
+
+          # jwt.signing = {
+          # You must configure JWT signing and verification inside your TOML configuration by setting one of the following options in the [jwt.signing] block:
+          # * token-rs256-pubkey-base64
+          # * token-rs256-secret-base64
+          # * token-hs256-secret-base64
+          # or by setting one of the following environment variables:
+          # * ATTIC_SERVER_TOKEN_RS256_PUBKEY_BASE64
+          # * ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64
+          # * ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64
+          # Options will be tried in that same order (configuration options first, then environment options if none of the configuration options were set, starting with the respective RSA pubkey option, the RSA secret option, and finally the HMAC secret option). The first option that is found will be used.
+          # If an RS256 pubkey (asymmetric RSA PEM PKCS1 public key) is provided, it will only be possible to verify received JWTs, and not sign new JWTs.
+          # If an RS256 secret (asymmetric RSA PEM PKCS1 private key) is provided, it will be used for both signing new JWTs and verifying received JWTs.
+          # If an HS256 secret (symmetric HMAC secret) is provided, it will be used for both signing new JWTs and verifying received JWTs.
+
+          # JWT RS256 secret key
+          #
+          # Set this to the base64-encoded private half of an RSA PEM PKCS1 key.
+          # TODO
+          # You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64`
+          # environment variable.
+          # token-rs256-secret-base64 = "%token_rs256_secret_base64%";
+
+          # JWT HS256 secret key
+          #
+          # Set this to the base64-encoded HMAC secret key.
+          # You can also set it via the `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64`
+          # environment variable.
+          #token-hs256-secret-base64 = "";
+          # };
+        };
+      };
+    })
+  ];
+}
--- a/services/fediversity/attic/options.nix
+++ b/services/fediversity/attic/options.nix
@ -0,0 +1,14 @@
+{ config, lib, ... }:
+
+{
+  options.fediversity.attic =
+    (import ../sharedOptions.nix {
+      inherit config lib;
+      serviceName = "attic";
+      serviceDocName = "Attic Nix Cache server";
+    })
+    //
+
+    {
+    };
+}
--- a/services/fediversity/default.nix
+++ b/services/fediversity/default.nix
@ -13,6 +13,7 @@ in
    ./mastodon
    ./pixelfed
    ./peertube
+    ./attic
  ];

  options = {
@ -49,7 +50,7 @@ in
              displayName = mkOption {
                type = types.str;
                description = "Name of the initial user, for humans";
-                default = config.fediversity.temp.initialUser.name;
+                default = config.fediversity.temp.initialUser.username;
              };
              email = mkOption {
                type = types.str;
@ -65,4 +66,16 @@ in
      };
    };
  };
+
+  config = {
+    ## FIXME: This should clearly go somewhere else; and we should have a
+    ## `staging` vs. `production` setting somewhere.
+    security.acme = {
+      acceptTerms = true;
+      # use a priority more urgent than mkDefault for panel deployment to work,
+      # yet looser than default so this will not clash with the setting in tests.
+      defaults.email = lib.modules.mkOverride 200 "something@fediversity.net";
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+    };
+  };
 }
--- a/services/tests/flake-part.nix
+++ b/services/tests/flake-part.nix
@ -0,0 +1,14 @@
+{ ... }:
+{
+  _class = "flake";
+
+  perSystem =
+    { pkgs, ... }:
+    {
+      checks = {
+        test-mastodon-service = pkgs.testers.runNixOSTest ./mastodon.nix;
+        test-pixelfed-garage-service = pkgs.testers.runNixOSTest ./pixelfed-garage.nix;
+        test-peertube-service = pkgs.testers.runNixOSTest ./peertube.nix;
+      };
+    };
+}
--- a/services/tests/mastodon.nix
+++ b/services/tests/mastodon.nix
@ -6,7 +6,7 @@
 { pkgs, ... }:

 let
-  lib = pkgs.lib;
+  inherit (pkgs) lib writeText;

  ## FIXME: this binding was not used, but maybe we want a side-effect or something?
  # rebuildableTest = import ./rebuildableTest.nix pkgs;
@ -69,9 +69,17 @@ in
          expect
        ];
        environment.variables = {
-          AWS_ACCESS_KEY_ID = config.fediversity.garage.ensureKeys.mastodon.id;
-          AWS_SECRET_ACCESS_KEY = config.fediversity.garage.ensureKeys.mastodon.secret;
+          AWS_ACCESS_KEY_ID = "$(cat ${config.fediversity.mastodon.s3AccessKeyFile})";
+          AWS_SECRET_ACCESS_KEY = "$(cat ${config.fediversity.mastodon.s3SecretKeyFile})";
        };
+        services.mastodon.extraEnvFiles = [
+          # generate as: cd ${pkgs.mastodon}; IGNORE_ALREADY_SET_SECRETS=true RAILS_ENV=development ${pkgs.mastodon}/bin/rails db:encryption:init
+          (writeText "rest" ''
+            ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=naGoEzeyjUmwIlmgZZmGQDWJrlWud5eX
+            ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=A0tE1VJ7S3cjaOQ58mNkhrVFY7o5NKDB
+            ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=tGHhd5Os7hLxa8QTzWwjyVLrvsj5VsCw
+          '')
+        ];
      };
  };

--- a/services/tests/pixelfed-garage.nix
+++ b/services/tests/pixelfed-garage.nix
@ -113,6 +113,7 @@ let

        ${seleniumQuit}'';

+  dummyFile = pkgs.writeText "dummy" "dummy";
 in
 {
  name = "test-pixelfed-garage";
@ -161,8 +162,8 @@ in
        ];
        environment.variables = {
          POST_MEDIA = ./fediversity.png;
-          AWS_ACCESS_KEY_ID = config.fediversity.garage.ensureKeys.pixelfed.id;
-          AWS_SECRET_ACCESS_KEY = config.fediversity.garage.ensureKeys.pixelfed.secret;
+          AWS_ACCESS_KEY_ID = "$(cat ${config.fediversity.pixelfed.s3AccessKeyFile})";
+          AWS_SECRET_ACCESS_KEY = "$(cat ${config.fediversity.pixelfed.s3SecretKeyFile})";
          ## without this we get frivolous errors in the logs
          MC_REGION = "garage";
        };
@ -170,6 +171,12 @@ in
        users.users.selenium = {
          isNormalUser = true;
        };
+        fediversity.temp.initialUser = {
+          username = "dummy";
+          displayName = "dummy";
+          email = "dummy";
+          passwordFile = dummyFile;
+        };
      };
  };
Author	SHA1	Message	Date
Kiara Grouwstra	0e90e9ce59	make substituters trusted Signed-off-by: Kiara Grouwstra <kiara@procolix.eu>	2025-10-30 20:26:30 +01:00
Kiara Grouwstra	ac842d320a	use branches that include license	2025-08-21 10:14:32 +02:00
Kiara Grouwstra	57eaae6bed	automatically generate secrets	2025-08-15 13:22:20 +02:00
Kiara Grouwstra	784a65930a	debug secrets	2025-08-13 12:57:01 +02:00
Kiara Grouwstra	5e29b5a507	print whole file	2025-08-13 12:57:01 +02:00
Kiara Grouwstra	4c7aec0c1d	quotes	2025-08-13 12:57:01 +02:00
Kiara Grouwstra	443d509ae6	cat files	2025-08-13 12:57:01 +02:00
Kiara Grouwstra	d35b2b0d9d	rekey	2025-08-13 12:57:01 +02:00
Kiara Grouwstra	63638373b7	squish	2025-08-13 12:57:01 +02:00
Kiara Grouwstra	ba0d3f351e	fix steps	2025-08-13 12:57:01 +02:00
Kiara Grouwstra	8be1aa02c4	fix step	2025-08-13 12:57:01 +02:00
Kiara Grouwstra	4fa0a84215	temp test ci	2025-08-13 12:57:01 +02:00
Kiara Grouwstra	bf8ccd16bd	use proper templating	2025-08-13 12:56:58 +02:00
Kiara Grouwstra	2f46224f4a	add attic cache	2025-08-07 20:10:29 +02:00
Nicolas “Niols” Jeannerod	1f99a4c6c3	`listToAttrs` o `map` o `attrsToList` → `mapAttrs'` (#489 ) Reviewed-on: Fediversity/Fediversity#489 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-08-01 13:09:26 +02:00
Nicolas “Niols” Jeannerod	588bb77a94	Infra: expose and use checks for vmOptions and nixosConfigurations (#488 ) Following Fediversity/Fediversity#478 (comment), here is a PR that plugs the infra's `vmOptions` and `nixosConfigurations` outputs into flake checks, instead of calling random Nix commands from the CI. There is still a bit of magic in the CI, but that's because we don't have yet a Nix-aware CI that exposes one job per flake check. Reviewed-on: Fediversity/Fediversity#488 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-31 15:41:02 +02:00
Nicolas “Niols” Jeannerod	df3a070fa4	Infra: get rid of `makeResourceModule` (#485 ) Reviewed-on: Fediversity/Fediversity#485 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-31 00:49:00 +02:00
Nicolas “Niols” Jeannerod	be72b82875	Link to upstreaming PR for `lib.types.fileset` (#487 ) Reviewed-on: Fediversity/Fediversity#487 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-30 13:25:22 +02:00
Nicolas “Niols” Jeannerod	1b66028f32	Fix infra and add more tests (#478 ) This PR contains a bunch of small fixes having to do with infra code. The goal is not to fix everything as that would require a full rewrite. Instead, we fix just what is necessary to get some testing going on. Once that is available, we will be able to work on a full refactor with more guarantees. Something of note is that most of the difficulty was to find code that would make both `nixops4 apply` _and_ `nix build .#nixosConfigurations.<machine>` happy. The takeaway is that the tests that we are adding now will not catch a whole class of tests having to do with how NixOps4 wires up the resources. Still, this is probably less significant as we are supposed to use NixOps4 every now and then. The commits should be read separately. Reviewed-on: Fediversity/Fediversity#478 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-30 12:31:03 +02:00
Kiara Grouwstra	4509d277d3	move arguments from `_module.args` to `specialArgs` (#469 ) Reviewed-on: Fediversity/Fediversity#469 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-23 18:12:55 +02:00
Kiara Grouwstra	e488230d7b	updater: make npins command verbose (#477 ) Reviewed-on: Fediversity/Fediversity#477 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-19 13:00:33 +02:00
Kiara Grouwstra	765183cd0d	fix typo in users (#475 ) Reviewed-on: Fediversity/Fediversity#475 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-17 19:02:14 +02:00
Kiara Grouwstra	6cf1d87f0b	get parity in authorized keys between procolix and root for nixops4 ssh to non-VMs (#474 ) Reviewed-on: Fediversity/Fediversity#474 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-17 18:59:31 +02:00
Kiara Grouwstra	8253288f8a	remove pixelfed from CI until fixed (#472 ) this test is still borked as per #33. the intent would be to get this test on a feature branch pertaining to that issue - the point being we should be able to rely on CI's boolean result for detecting (newly induced) regressions. Reviewed-on: Fediversity/Fediversity#472 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-17 15:25:17 +02:00
Kiara Grouwstra	67f50f08de	enable continuous deployment (#471 ) closes #177 Reviewed-on: Fediversity/Fediversity#471 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-17 10:01:51 +02:00
Kiara Grouwstra	5402178e7b	reinstate import statement for panel module, fixes error deploying fedi201 (#468 ) resolves error on CI run https://git.fediversity.eu/Fediversity/Fediversity/actions/runs/1026: ``` 123456 error: attempt to call something which is not a function but a path: /nix/store/93yyf22vw60l1j3l6h02c99p93lp55q5-source/panel at /nix/store/93yyf22vw60l1j3l6h02c99p93lp55q5-source/machines/dev/fedi201/fedipanel.nix:13:6: 12\| imports = [ 13\| (../../../panel { }).module \| ^ 14\| "${sources.home-manager}/nixos"``` ``` Reviewed-on: Fediversity/Fediversity#468	2025-07-16 20:51:23 +02:00
Kiara Grouwstra	e627815399	pass `SHELL` env var in CD (#466 ) see #177 Reviewed-on: Fediversity/Fediversity#466	2025-07-16 18:18:16 +02:00
Kiara Grouwstra	354dba260a	verbose CD (#465 ) debugging effort part of #177 Reviewed-on: Fediversity/Fediversity#465	2025-07-16 14:14:06 +02:00
Valentin Gagarin	b791bd515d	pass `sources` via `specialArgs` (#464 ) this gets rid of ugly in-place imports and upward paths Reviewed-on: Fediversity/Fediversity#464 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-committed-by: Valentin Gagarin <valentin.gagarin@tweag.io>	2025-07-16 10:53:36 +02:00
Kiara Grouwstra	f2017aaeb4	CD: lump SSH commands into a single shell invocation (#462 ) Reviewed-on: Fediversity/Fediversity#462 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-15 13:00:47 +02:00
Kiara Grouwstra	980a994f83	run ssh commands thru the shell (which has openssh) (#461 ) Reviewed-on: Fediversity/Fediversity#461 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-15 12:26:16 +02:00
Kiara Grouwstra	b9b13df04e	allow SSH access from continuous deployment (#460 ) Reviewed-on: Fediversity/Fediversity#460 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-15 11:56:22 +02:00
Kiara Grouwstra	159e4107b8	fix Pixelfed test eval failure (#458 ) Reviewed-on: Fediversity/Fediversity#458 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-15 10:38:10 +02:00
fricklerhandwerk	86305a6a2e	fix link; readability	2025-07-15 09:04:56 +02:00
Valentin Gagarin	e62f14d9be	expose panel tests in flake	2025-07-15 08:54:48 +02:00
Kiara Grouwstra	82f83eea0d	fix mastodon test (#457 ) closes #34. Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Reviewed-on: Fediversity/Fediversity#457 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-15 08:54:20 +02:00
Kiara Grouwstra	aef414ffe8	resolve regressions from recent qemu files (#432 ) - move import to match module classes - manually import sources to resolve infinite recursion closes #431. Reviewed-on: Fediversity/Fediversity#432 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-11 16:09:27 +02:00
Kiara Grouwstra	6d74112518	ditch `sources` arg in fedi201, fixing infinite recursion error (#454 ) c.f. #432. closes #453. Reviewed-on: Fediversity/Fediversity#454 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-11 16:06:15 +02:00
Kiara Grouwstra	2b2fb059fd	fix cd command (#455 ) Reviewed-on: Fediversity/Fediversity#455 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-11 11:07:03 +02:00
Kiara Grouwstra	66ceb66382	add deployment pipeline (#452 ) part of #177 Reviewed-on: Fediversity/Fediversity#452 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-10 16:45:46 +02:00
fricklerhandwerk	ad9c61a3db	docs: fix typos	2025-07-10 00:37:27 +02:00
Nicolas “Niols” Jeannerod	b4e1c5b5b3	Restrict fileset necessary for deployment tests (#450 ) Now that we won't depend on the flake.nix anymore, we won't depend on all the flake-part.nix files (necessary to evaluate flake.nix) and all the files they depend on etc., so the Nix dependencies of the tests will be drastically reduced, and I will be able to leverage that by introducing a more subtle src. This will make the test not need to re-run if only things outside that reduced src changed (and the previous run is in the Nix store). Reviewed-on: Fediversity/Fediversity#450 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 22:57:52 +02:00
Nicolas “Niols” Jeannerod	de38611572	Unflakify deployment tests (#449 ) This PR builds on top of #447 and #448. Since these might be rejected, there will be some changes needed for this PR as well. Let's see how the discussions go in #447. In the meantime, @fricklerhandwerk, would you mind (in)validating the core idea of this PR? You only need to look at `7cf43c4041`, really. Reviewed-on: Fediversity/Fediversity#449 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 15:07:02 +02:00
Nicolas “Niols” Jeannerod	1d40dcfc0e	Grab `git-hooks` from npins (#448 ) This PR builds on top of #447 and will be subject to the same discussion. Let's discuss there whether it makes sense to get rid of the `flake-parts` and `git-hooks` flake inputs. Reviewed-on: Fediversity/Fediversity#448 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 13:21:48 +02:00
Nicolas “Niols” Jeannerod	c3bf158130	Note on extracting `mkFlake` to an external library (#451 ) follow-up on Fediversity/Fediversity#447 (comment) Reviewed-on: Fediversity/Fediversity#451 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 12:34:43 +02:00
Nicolas “Niols” Jeannerod	48c6a1f22b	Extract `mkFlake` to own file - get `flake-parts` from npins (#447 ) The goal is to contain the “`mkFlake` hack” to a file that we can heavily document but otherwise ignore. This also will allow me to reuse it in the “flake under test” of the deployment tests. Reviewed-on: Fediversity/Fediversity#447 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 10:12:47 +02:00
Kiara Grouwstra	8a7984933d	reinstate acme settings needed by applications (#434 ) closes #417 Reviewed-on: Fediversity/Fediversity#434 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-08 10:02:13 +02:00
Kiara Grouwstra	5520fa721b	gitea PR unpruned (#445 ) see #65 Reviewed-on: Fediversity/Fediversity#445 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 13:38:09 +02:00
Kiara Grouwstra	eabfc228c5	updater: try the first upstream commit without `git remote prune` (#444 ) Reviewed-on: Fediversity/Fediversity#444 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 13:23:08 +02:00
Kiara Grouwstra	3f923532a2	updater: fully qualify github domain in `uses` (#443 ) part of #65. succeeds #442. Reviewed-on: Fediversity/Fediversity#443 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 12:50:55 +02:00
Kiara Grouwstra	37d4fc5a42	un-qualify github.com domain in updater `uses`, which resolved to data.forgejo.org/github.com (#442 ) attempt to address https://git.fediversity.eu/Fediversity/Fediversity/actions/runs/920. part of #65. Reviewed-on: Fediversity/Fediversity#442 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 12:47:06 +02:00
Kiara Grouwstra	c7b05bb473	deduplicate `import-flake`, fixing test regression from git merge (#441 ) Reviewed-on: Fediversity/Fediversity#441 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 10:58:10 +02:00
Kiara Grouwstra	5345860006	data model: add run-time configuration (#437 ) based on @fricklerhandwerk's work at https://git.fediversity.eu/fricklerhandwerk/Fediversity/compare/main...data-model-as-diagram part of #103. supersedes #402. on the application model, feedback on a [sample implementation](#2) welcome as well. Reviewed-on: Fediversity/Fediversity#437 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-06 21:42:25 +02:00
Kiara Grouwstra	fbb0806072	in `update` workflow use PR action actually meant for gitea (#438 ) see #65 Reviewed-on: Fediversity/Fediversity#438 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-06 21:39:26 +02:00
Kiara Grouwstra	b0848727fd	clarify the use of isNormalUser (#436 ) Reviewed-on: Fediversity/Fediversity#436 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-06 09:09:43 +02:00
Kiara Grouwstra	a882de0b8e	address linter gripes in nix files (#430 ) Reviewed-on: Fediversity/Fediversity#430 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-03 15:56:16 +02:00
Kiara Grouwstra	05572ff69e	remove string interpolation from imports (#429 ) Reviewed-on: Fediversity/Fediversity#429 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-03 15:55:39 +02:00
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlsYTtMx3hFO8B5B8iHaXL2JKj9izHeC+/AMhIWXBPs cd-age`