fix rebase

see 318 about the regression breaking the peertube test

.envrc

@@ -3,8 +3,8 @@
 
 # shellcheck shell=bash
 if type -P lorri &>/dev/null; then
-  eval "$(lorri direnv --flake .)"
+  eval "$(lorri direnv)"
 else
   echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
-  use flake
+  use_nix
 fi

.forgejo/workflows/ci.yaml

@@ -13,16 +13,22 @@ jobs:
     runs-on: native
     steps:
       - uses: actions/checkout@v4
-      - run: nix build .#checks.x86_64-linux.pre-commit -L
+      - run: nix-build -A tests
 
-  check-peertube:
+  check-services:
     runs-on: native
     steps:
       - uses: actions/checkout@v4
-      - run: nix build .#checks.x86_64-linux.peertube -L
+      - run: cd services && nix-build -A tests.peertube
 
   check-panel:
     runs-on: native
     steps:
       - uses: actions/checkout@v4
       - run: cd panel && nix-build -A tests
+
+  check-infra:
+    runs-on: native
+    steps:
+      - uses: actions/checkout@v4
+      - run: cd infra && nix-build -A tests

.gitignore

@@ -1,3 +1,9 @@
+.npins.json
+.terraform/
+.terraform.lock.hcl
+.terraform.tfstate.lock.info
+terraform.tfstate*
+.auto.tfvars.json
 .DS_Store
 .idea
 *.log

README.md

@@ -1,8 +1,7 @@
 # The Fediversity project
 
 This repository contains all the code and code-related files having to do with
-[the Fediversity project](https://fediversity.eu/), with the notable exception
-of [NixOps4 that is hosted on GitHub](https://github.com/nixops4/nixops4).
+[the Fediversity project](https://fediversity.eu/).
 
 ## Goals
 
@@ -81,27 +80,15 @@ Not everyone has the expertise and time to run their own server.
   The software includes technical configuration that links software components.
   Most user-facing configuration remains untouched by the deployment process.
 
-  > Example: NixOps4 is used to deploy [Pixelfed](https://pixelfed.org).
+  > Example: OpenTofu is used to deploy [Pixelfed](https://pixelfed.org).
 
 - Migrate
 
   Move service configurations and user data to a different hosting provider.
 
-- [NixOps4](https://github.com/nixops4/nixops4)
+- [OpenTofu](https://opentofu.org/)
 
-  A tool for deploying and managing resources through the Nix language.
-  NixOps4 development is supported by the Fediversity project
-
-- Resource
-
-  A [resource for NixOps4](https://nixops.dev/manual/development/concept/resource.html) is any external entity that can be declared with NixOps4 expressions and manipulated with NixOps4, such as a virtual machine, an active NixOS configuration, a DNS entry, or customer database.
-
-- Resource provider
-
-  A resource provider for NixOps4 is an executable that communicates between a resource and NixOps4 using a standardised protocol, allowing [CRUD operations](https://en.wikipedia.org/wiki/Create,_read,_update_and_delete) on the resources to be performed by NixOps4.
-  Refer to the [NixOps4 manual](https://nixops.dev/manual/development/resource-provider/index.html) for details.
-
-  > Example: We need a resource provider for obtaining deployment secrets from a database.
+  An infrastructure-as-code tool, and open-source (MPL 2.0) fork of Terraform.
 
 ## Development
 
@@ -118,9 +105,6 @@ Contact the project team if you have questions or suggestions, or if you're inte
 Most of the directories in this repository have their own README going into more
 details as to what they are for. As an overview:
 
-- [`deployment/`](./deployment) contains work to generate a full Fediversity
-  deployment from a minimal configuration.
-
 - [`infra/`](./infra) contains the configurations for the various VMs that are
   in production for the project, for instance the Git instances or the Wiki, as
   well as means to provision and set up new ones.
@@ -128,14 +112,8 @@ details as to what they are for. As an overview:
 - [`keys/`](./keys) contains the public keys of the contributors to this project
   as well as the systems that we administrate.
 
-- [`matrix/`](./matrix) contains everything having to do with setting up a
-  fully-featured Matrix server.
-
 - [`secrets/`](./secrets) contains the secrets that need to get injected into
   machine configurations.
 
 - [`services/`](./services) contains our effort to make Fediverse applications
   work seemlessly together in our specific setting.
-
-- [`website/`](./website) contains the framework and the content of [the
-  Fediversity website](https://fediversity.eu/)

default.nix

@@ -0,0 +1,57 @@
+{
+  system ? builtins.currentSystem,
+  sources ? import ./npins,
+  pkgs ? import sources.nixpkgs { inherit system; },
+}:
+let
+  inherit (sources) nixpkgs git-hooks gitignore;
+  inherit (pkgs) lib;
+  pre-commit-check =
+    (import "${git-hooks}/nix" {
+      inherit nixpkgs system;
+      gitignore-nix-src = {
+        lib = import gitignore { inherit lib; };
+      };
+    }).run
+      {
+        src = ./.;
+        hooks =
+          let
+            ## Add a directory here if pre-commit hooks shouldn't apply to it.
+            optout = [
+              "npins"
+              ".terraform"
+            ];
+            excludes = map (dir: "^${dir}/") optout;
+            addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
+          in
+          addExcludes {
+            nixfmt-rfc-style.enable = true;
+            deadnix.enable = true;
+            trim-trailing-whitespace.enable = true;
+            shellcheck.enable = true;
+          };
+      };
+in
+{
+  # shell for testing TF directly
+  shell = pkgs.mkShellNoCC {
+    inherit (pre-commit-check) shellHook;
+    buildInputs = pre-commit-check.enabledPackages;
+    packages = [
+      pkgs.nixfmt-rfc-style
+    ];
+  };
+
+  tests = {
+    inherit pre-commit-check;
+  };
+
+  # re-export inputs so they can be overridden granularly
+  # (they can't be accessed from the outside any other way)
+  inherit
+    sources
+    system
+    pkgs
+    ;
+}

deployment/README.md

@@ -1,6 +0,0 @@
-# Deployment
-
-This repository contains work to generate a full Fediversity deployment from a
-minimal configuration. This is different from [`../services/`](../services) that
-focuses on one machine, providing a polished and unified interface to different
-Fediverse services.

deployment/default.nix

@@ -1,181 +0,0 @@
-## `makeMakeDeployment` -- Function to help hosting providers make a
-## `makeDeployment` function.
-##
-## https://factoryfactoryfactory.net/
-
-## Generic utilities used in this function, eg. nixpkgs, NixOps4 providers, etc.
-## REVIEW: We should maybe be more specific than just `inputs`.
-{
-  lib,
-  nixops4,
-  nixops4-nixos,
-  fediversity,
-}:
-
-## Information on the hosting provider's infrastructure. This is where we inform
-## this function of where it can find eg. Proxmox.
-{
-  ## Four NixOS configuration resource modules for four services. Those are VMs
-  ## that are already deployed and on which we will push our configurations.
-  ##
-  ## - Ultimately, we just want a pool of VMs, or even just a Proxmox.
-  ## - Each machine is flagged for a certain use case until we control DNS.
-  garageConfigurationResource,
-  mastodonConfigurationResource,
-  peertubeConfigurationResource,
-  pixelfedConfigurationResource,
-}:
-
-## From the hosting provider's perspective, the function is meant to be
-## partially applied only until here.
-
-## Information on the specific deployment that we request. This is the
-## information coming from the FediPanel.
-##
-## FIXME: lock step the interface with the definitions in the FediPanel
-panelConfig:
-
-let
-  inherit (lib) mkIf;
-
-in
-
-## Regular arguments of a NixOps4 deployment module.
-{ providers, ... }:
-
-{
-  providers = { inherit (nixops4.modules.nixops4Provider) local; };
-
-  resources =
-    let
-      ## NOTE: All of these secrets are publicly available in this source file
-      ## and will end up in the Nix store. We don't care as they are only ever
-      ## used for testing anyway.
-      ##
-      ## FIXME: Generate and store in NixOps4's state.
-      mastodonS3KeyConfig =
-        { pkgs, ... }:
-        {
-          s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
-          s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
-        };
-      peertubeS3KeyConfig =
-        { pkgs, ... }:
-        {
-          s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
-          s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
-        };
-      pixelfedS3KeyConfig =
-        { pkgs, ... }:
-        {
-          s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
-          s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
-        };
-
-      makeConfigurationResource = resourceModule: config: {
-        type = providers.local.exec;
-        imports = [
-          nixops4-nixos.modules.nixops4Resource.nixos
-          resourceModule
-
-          {
-            ## NOTE: With NixOps4, there are several levels and all of them live
-            ## in the NixOS module system:
-            ##
-            ##   1. Each NixOps4 deployment is a module.
-            ##   2. Each NixOps4 resource is a module. This very comment is
-            ##      inside an attrset imported as a module in a resource.
-            ##   3. Each NixOps4 'configuration' resource contains an attribute
-            ##      'nixos.module', itself a NixOS configuration module.
-            nixos.module =
-              { ... }:
-              {
-                imports = [
-                  config
-                  fediversity
-                ];
-              };
-          }
-        ];
-      };
-
-    in
-
-    {
-      garage-configuration = makeConfigurationResource garageConfigurationResource (
-        { pkgs, ... }:
-        mkIf (panelConfig.mastodon.enable || panelConfig.peertube.enable || panelConfig.pixelfed.enable) {
-          fediversity = {
-            inherit (panelConfig) domain;
-            garage.enable = true;
-            pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
-            mastodon = mastodonS3KeyConfig { inherit pkgs; };
-            peertube = peertubeS3KeyConfig { inherit pkgs; };
-          };
-        }
-      );
-
-      mastodon-configuration = makeConfigurationResource mastodonConfigurationResource (
-        { pkgs, ... }:
-        mkIf panelConfig.mastodon.enable {
-          fediversity = {
-            inherit (panelConfig) domain;
-            temp.initialUser = {
-              inherit (panelConfig.initialUser) username email displayName;
-              # FIXME: disgusting, but nvm, this is going to be replaced by
-              # proper central authentication at some point
-              passwordFile = pkgs.writeText "password" panelConfig.initialUser.password;
-            };
-
-            mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
-              enable = true;
-            };
-
-            temp.cores = 1; # FIXME: should come from NixOps4 eventually
-          };
-        }
-      );
-
-      peertube-configuration = makeConfigurationResource peertubeConfigurationResource (
-        { pkgs, ... }:
-        mkIf panelConfig.peertube.enable {
-          fediversity = {
-            inherit (panelConfig) domain;
-            temp.initialUser = {
-              inherit (panelConfig.initialUser) username email displayName;
-              # FIXME: disgusting, but nvm, this is going to be replaced by
-              # proper central authentication at some point
-              passwordFile = pkgs.writeText "password" panelConfig.initialUser.password;
-            };
-
-            peertube = peertubeS3KeyConfig { inherit pkgs; } // {
-              enable = true;
-              ## NOTE: Only ever used for testing anyway.
-              ##
-              ## FIXME: Generate and store in NixOps4's state.
-              secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
-            };
-          };
-        }
-      );
-
-      pixelfed-configuration = makeConfigurationResource pixelfedConfigurationResource (
-        { pkgs, ... }:
-        mkIf panelConfig.pixelfed.enable {
-          fediversity = {
-            inherit (panelConfig) domain;
-            temp.initialUser = {
-              inherit (panelConfig.initialUser) username email displayName;
-              # FIXME: disgusting, but nvm, this is going to be replaced by
-              # proper central authentication at some point
-              passwordFile = pkgs.writeText "password" panelConfig.initialUser.password;
-            };
-
-            pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
-              enable = true;
-            };
-          };
-        }
-      );
-    };
-}

flake.nix

@@ -1,73 +0,0 @@
-{
-  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
-    flake-parts.url = "github:hercules-ci/flake-parts";
-    git-hooks.url = "github:cachix/git-hooks.nix";
-    agenix.url = "github:ryantm/agenix";
-
-    disko.url = "github:nix-community/disko";
-
-    nixops4.url = "github:nixops4/nixops4";
-    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
-  };
-
-  outputs =
-    inputs@{ flake-parts, ... }:
-    flake-parts.lib.mkFlake { inherit inputs; } {
-      systems = [
-        "x86_64-linux"
-        "aarch64-linux"
-        "x86_64-darwin"
-        "aarch64-darwin"
-      ];
-
-      imports = [
-        inputs.git-hooks.flakeModule
-        inputs.nixops4.modules.flake.default
-
-        ./infra/flake-part.nix
-        ./services/flake-part.nix
-      ];
-
-      perSystem =
-        {
-          config,
-          pkgs,
-          lib,
-          inputs',
-          ...
-        }:
-        {
-          formatter = pkgs.nixfmt-rfc-style;
-
-          pre-commit.settings.hooks =
-            let
-              ## Add a directory here if pre-commit hooks shouldn't apply to it.
-              optout = [ "npins" ];
-              excludes = map (dir: "^${dir}/") optout;
-              addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
-            in
-            addExcludes {
-              nixfmt-rfc-style.enable = true;
-              deadnix.enable = true;
-              trim-trailing-whitespace.enable = true;
-              shellcheck.enable = true;
-            };
-
-          devShells.default = pkgs.mkShell {
-            packages = [
-              pkgs.nil
-              inputs'.agenix.packages.default
-              pkgs.openssh
-              pkgs.httpie
-              pkgs.jq
-              # exposing this env var as a hack to pass info in from form
-              (inputs'.nixops4.packages.default.overrideAttrs {
-                impureEnvVars = [ "DEPLOYMENT" ];
-              })
-            ];
-            shellHook = config.pre-commit.installationScript;
-          };
-        };
-    };
-}

infra/.envrc

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+
+# shellcheck shell=bash
+if type -P lorri &>/dev/null; then
+  eval "$(lorri direnv)"
+else
+  echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
+  use_nix
+fi

infra/.terraform.lock.hcl

@@ -0,0 +1,16 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/external" {
+  version = "2.3.4"
+  hashes = [
+    "h1:HfVaWMC7Tz+tRfoWZtGCX2MATcgX3HsexoirWdi/voo=",
+  ]
+}
+
+provider "registry.opentofu.org/hashicorp/null" {
+  version = "3.2.3"
+  hashes = [
+    "h1:qTlGDGC3RmXIPLgwsIh4LHG/DrAR6T6L+Wn6egnQnwE=",
+  ]
+}

infra/README.md

@@ -1,98 +1,30 @@
-# Infra
+# service deployment
 
-This directory contains the definition of [the VMs](machines.md) that host our
-infrastructure.
+deploys [NixOS](https://nixos.org/) templates using [OpenTofu](https://opentofu.org/).
 
-## Provisioning VMs with an initial configuration
+## requirements
 
-NOTE[Niols]: This is very manual and clunky. Two things will happen. In the near
-future, I will improve the provisioning script to make this a bit less clunky.
-In the far future, NixOps4 will be able to communicate with Proxmox directly and
-everything will become much cleaner.
+- [nix](https://nix.dev/)
 
-1. Choose names for your VMs. It is recommended to choose `fediXXX`, with `XXX`
-   above 100. For instance, `fedi117`.
+## usage
 
-2. Add a basic configuration for the machine. These typically go in
-   `infra/machines/<name>/default.nix`. You can look at other `fediXXX` VMs to
-   find inspiration. You probably do not need a `nixos.module` option at this
-   point.
+### development
 
-2. Add a file for each of those VM's public keys, eg.
-   ```
-   touch keys/systems/fedi117.pub
-   ```
-   Those files need to exist during provisioning, but their content matters only
-   when updating the machines' configuration.
-
-   FIXME: Remove this step by making the provisioning script not fail with the
-   public key does not exist yet.
-
-3. Run the provisioning script:
-   ```
-   sh infra/proxmox-provision.sh fedi117
-   ```
-   The script can take several ids at the same time. It requires some
-   authentication options and provides several more. See `--help`.
-
-4. (Optional) Add a DNS entry for the machine; for instance `fedi117.abundos.eu
-   A 95.215.187.117`.
-
-5. Grab the public host keys for the machines in question, and add it to the
-   repository. For instance:
-   ```
-   ssh fedi117.abundos.eu 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' > keys/systems/fedi117.pub
-   ```
-
-   FIXME: Make the provisioning script do that for us.
-
-7. Regenerate the list of machines:
-   ```
-   sh infra/machines.md.sh
-   ```
-   Commit it with the machine's configuration, public key, etc.
-
-8. At this point, the machine contains a very basic configuration that contains
-   just enough for it to boot and be reachable. Go on to the next section to
-   update the machine and put an actual configuration.
-
-   FIXME: Figure out why the full configuration isn't on the machine at this
-   point and fix it.
-
-## Updating existing VM configurations
-
-Their configuration can be updated via NixOps4. Run
+before using other commands, if not using direnv:
 
 ```sh
-nixops4 deployments list
+nix-shell
 ```
 
-to see the available deployments.
-This should be done from the root of the repository,
-otherwise NixOps4 will fail with something like:
-
-```
-    nixops4 error: evaluation: error:
-           … while calling the 'getFlake' builtin
-
-           error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist, evaluation: error:
-           … while calling the 'getFlake' builtin
-
-           error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist
-```
-
-Then, given a deployment (eg. `fedi200`), run
+then to initialize, or after updating pins or TF providers:
 
 ```sh
-nixops4 apply <deployment>
+setup
 ```
 
-Alternatively, to run the `default` deployment, which contains all the VMs, run
+then, one can use the `tofu` CLI in the sub-folders.
 
-```sh
-nixops4 apply
-```
+## implementing
 
-## Removing an existing VM
-
-See `infra/proxmox-remove.sh --help`.
+proper documentation TODO.
+until then, a reference implementation may be found in [`panel/`](https://git.fediversity.eu/Fediversity/Fediversity/src/branch/main/panel).

infra/common/nixos/default.nix

@@ -2,7 +2,6 @@
 
 let
   inherit (lib) mkDefault;
-
 in
 {
   imports = [

infra/common/options.nix

@@ -93,7 +93,7 @@ in
         description = ''
           The IP address of the machine, version 4. It will be injected as a
           value in `networking.interfaces.eth0`, but it will also be used to
-          communicate with the machine via NixOps4.
+          communicate with the machine.
         '';
       };
 
@@ -118,7 +118,7 @@ in
         description = ''
           The IP address of the machine, version 6. It will be injected as a
           value in `networking.interfaces.eth0`, but it will also be used to
-          communicate with the machine via NixOps4.
+          communicate with the machine.
         '';
       };
 
@@ -141,7 +141,7 @@ in
     hostPublicKey = mkOption {
       description = ''
         The ed25519 host public key of the machine. It is used to filter Age
-        secrets and only keep the relevant ones, and to feed to NixOps4.
+        secrets and only keep the relevant ones, and to feed to TF.
       '';
     };
 

infra/common/resource.nix

@@ -1,5 +1,4 @@
 {
-  inputs,
   lib,
   config,
   ...
@@ -16,48 +15,27 @@ let
 
 in
 {
-  imports = [ ./options.nix ];
-
   fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};
 
-  ssh = {
-    host = config.fediversityVm.ipv4.address;
-    hostPublicKey = config.fediversityVm.hostPublicKey;
-  };
-
-  nixpkgs = inputs.nixpkgs;
-
   ## The configuration of the machine. We strive to keep in this file only the
   ## options that really need to be injected from the resource. Everything else
   ## should go into the `./nixos` subdirectory.
-  nixos.module = {
-    imports = [
-      inputs.agenix.nixosModules.default
-      inputs.disko.nixosModules.default
-      ./options.nix
-      ./nixos
-    ];
+  imports = [
+    ./options.nix
+    ./nixos
+  ];
 
-    ## Inject the shared options from the resource's `config` into the NixOS
-    ## configuration.
-    fediversityVm = config.fediversityVm;
+  ## Read all the secrets, filter the ones that are supposed to be readable
+  ## with this host's public key, and add them correctly to the configuration
+  ## as `age.secrets.<name>.file`.
+  age.secrets = concatMapAttrs (
+    name: secret:
+    optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) {
+      ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+    }
+  ) secrets;
 
-    ## Read all the secrets, filter the ones that are supposed to be readable
-    ## with this host's public key, and add them correctly to the configuration
-    ## as `age.secrets.<name>.file`.
-    age.secrets = concatMapAttrs (
-      name: secret:
-      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
-        ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
-      })
-    ) secrets;
-
-    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
-    ## supports users with password-less sudo.
-    users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
-      # allow our panel vm access to the test machines
-      keys.panel
-    ];
-
-  };
+  ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
+  ## supports users with password-less sudo.
+  users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
 }

infra/common/shared.nix

@@ -0,0 +1,26 @@
+{
+  pkgs,
+  config,
+  ...
+}:
+let
+  inherit (config.terraform) hostname domain initialUser;
+in
+{
+  imports = [
+    <disko/module.nix>
+    <agenix/modules/age.nix>
+    ../../services/fediversity
+    ./resource.nix
+  ];
+  fediversityVm.name = hostname;
+  fediversity = {
+    inherit domain;
+    temp.initialUser = {
+      inherit (initialUser) username email displayName;
+      # FIXME: disgusting, but nvm, this is going to be replaced by
+      # proper central authentication at some point
+      passwordFile = pkgs.writeText "password" initialUser.password;
+    };
+  };
+}

infra/default.nix

@@ -0,0 +1,29 @@
+{
+  system ? builtins.currentSystem,
+  sources ? import ../npins,
+  pkgs ? import sources.nixpkgs { inherit system; },
+}:
+let
+  inherit (pkgs) lib;
+  setup = import ./setup.nix { inherit lib pkgs sources; };
+in
+{
+  # shell for testing TF directly
+  shell = pkgs.mkShellNoCC {
+    packages = [
+      (import ./tf.nix { inherit lib pkgs; })
+      pkgs.jaq
+      setup
+    ];
+  };
+
+  tests = pkgs.callPackage ./tests.nix { };
+
+  # re-export inputs so they can be overridden granularly
+  # (they can't be accessed from the outside any other way)
+  inherit
+    sources
+    system
+    pkgs
+    ;
+}

infra/dev/.terraform.lock.hcl

@@ -0,0 +1,9 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/external" {
+  version = "2.3.4"
+  hashes = [
+    "h1:hBFp4dEKKevoZEsMW32ralBqrO7cTxTPYdWPqc4Ff+s=",
+  ]
+}

infra/dev/.terraform/modules/modules.json

@@ -0,0 +1 @@
+{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"nixos","Source":"../sync-nix","Dir":"../sync-nix"}]}

infra/dev/.terraform/plugin_path

@@ -0,0 +1,3 @@
+[
+  "/nix/store/zbjjm6vgdj1p2v21qshd9np3ajdnhniy-opentofu-1.9.0/libexec/terraform-providers"
+]

infra/dev/.terraform/providers/registry.opentofu.org/hashicorp/external/2.3.4/linux_amd64

@@ -0,0 +1 @@
+/nix/store/zbjjm6vgdj1p2v21qshd9np3ajdnhniy-opentofu-1.9.0/libexec/terraform-providers/registry.opentofu.org/hashicorp/external/2.3.4/linux_amd64

infra/dev/main.tf

@@ -0,0 +1,44 @@
+locals {
+  vm_domain = "abundos.eu"
+}
+
+module "nixos" {
+  source = "../sync-nix"
+
+  vm_domain = local.vm_domain
+  hostname = each.value.hostname
+  config_nix = each.value.config_nix
+  config_tf = each.value.config_tf
+
+  for_each = { for name, inst in {
+    # wiki = "vm02187" # does not resolve
+    # forgejo = "vm02116" # does not resolve
+    # TODO: move these to a separate `host` dir
+    dns = "fedi200"
+    fedipanel = "fedi201"
+  } : name => {
+      hostname = inst
+      config_tf = {
+        terraform = {
+          domain = local.vm_domain
+          hostname = inst
+        }
+      }
+      config_nix = <<-EOF
+        {
+          # note interpolations here TF ones
+          imports = [
+            # shared NixOS config
+            ${path.root}/../common/shared.nix
+            # FIXME: separate template options by service
+            ${path.root}/options.nix
+            # for service `forgejo` import `forgejo.nix`
+            ${path.root}/../../machines/dev/${inst}/${name}.nix
+            # FIXME: get VM details from TF
+            ${path.root}/../../machines/dev/${inst}
+          ];
+        }
+      EOF
+    }
+  }
+}

infra/dev/options.nix

@@ -0,0 +1,28 @@
+# TODO: could (part of) this be generated somehow? c.f #275
+{
+  lib,
+  ...
+}:
+let
+  inherit (lib) types mkOption;
+  inherit (types) str enum;
+in
+{
+  options.terraform = {
+    domain = mkOption {
+      type = enum [
+        "fediversity.net"
+      ];
+      description = ''
+        Apex domain under which the services will be deployed.
+      '';
+      default = "fediversity.net";
+    };
+    hostname = mkOption {
+      type = str;
+      description = ''
+        Internal name of the host, e.g. test01
+      '';
+    };
+  };
+}

infra/dev/variables.tf

@@ -0,0 +1 @@
+

infra/flake-part.nix

@@ -1,180 +0,0 @@
-{
-  self,
-  inputs,
-  lib,
-  ...
-}:
-
-let
-  inherit (builtins) readDir readFile fromJSON;
-  inherit (lib)
-    attrNames
-    mkOption
-    evalModules
-    filterAttrs
-    ;
-  inherit (lib.attrsets) genAttrs;
-
-  ## Given a machine's name and whether it is a test VM, make a resource module,
-  ## except for its missing provider. (Depending on the use of that resource, we
-  ## will provide a different one.)
-  makeResourceModule =
-    { vmName, isTestVm }:
-    {
-      _module.args = { inherit inputs; };
-      imports =
-        [
-          ./common/resource.nix
-        ]
-        ++ (
-          if isTestVm then
-            [
-              ./test-machines/${vmName}
-              {
-                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
-                  # allow our panel vm access to the test machines
-                  (import ../keys).panel
-                ];
-              }
-            ]
-          else
-            [
-              ./machines/${vmName}
-            ]
-        );
-      fediversityVm.name = vmName;
-    };
-
-  ## Given a list of machine names, make a deployment with those machines'
-  ## configurations as resources.
-  makeDeployment =
-    vmNames:
-    { providers, ... }:
-    {
-      providers.local = inputs.nixops4.modules.nixops4Provider.local;
-      resources = genAttrs vmNames (vmName: {
-        type = providers.local.exec;
-        imports = [
-          inputs.nixops4-nixos.modules.nixops4Resource.nixos
-          (makeResourceModule {
-            inherit vmName;
-            isTestVm = false;
-          })
-        ];
-      });
-    };
-  makeDeployment' = vmName: makeDeployment [ vmName ];
-
-  ## Given an attrset of test configurations (key = test machine name, value =
-  ## NixOS configuration module), make a deployment with those machines'
-  ## configurations as resources.
-  makeTestDeployment =
-    (import ../deployment)
-      {
-        inherit lib;
-        inherit (inputs) nixops4 nixops4-nixos;
-        inherit (self.nixosModules) fediversity;
-      }
-      {
-        garageConfigurationResource = makeResourceModule {
-          vmName = "test01";
-          isTestVm = true;
-        };
-        mastodonConfigurationResource = makeResourceModule {
-          vmName = "test06"; # somehow `test02` has a problem - use test06 instead
-          isTestVm = true;
-        };
-        peertubeConfigurationResource = makeResourceModule {
-          vmName = "test05";
-          isTestVm = true;
-        };
-        pixelfedConfigurationResource = makeResourceModule {
-          vmName = "test04";
-          isTestVm = true;
-        };
-      };
-
-  nixops4ResourceNixosMockOptions = {
-    ## NOTE: We allow the use of a few options from
-    ## `inputs.nixops4-nixos.modules.nixops4Resource.nixos` such that we can
-    ## reuse modules that make use of them.
-    ##
-    ## REVIEW: We can probably do much better and cleaner. On the other hand,
-    ## this is only needed to expose NixOS configurations for provisioning
-    ## purposes, and eventually all of this should be handled by NixOps4.
-    options = {
-      nixos.module = mkOption { }; # NOTE: not just `nixos` otherwise merging will go wrong
-      nixpkgs = mkOption { };
-      ssh = mkOption { };
-    };
-  };
-
-  makeResourceConfig =
-    vm:
-    (evalModules {
-      modules = [
-        nixops4ResourceNixosMockOptions
-        (makeResourceModule vm)
-      ];
-    }).config;
-
-  ## Given a VM name, make a NixOS configuration for this machine.
-  makeConfiguration =
-    isTestVm: vmName:
-    inputs.nixpkgs.lib.nixosSystem {
-      modules = [
-        (makeResourceConfig { inherit vmName isTestVm; }).nixos.module
-      ];
-    };
-
-  makeVmOptions = isTestVm: vmName: {
-    inherit ((makeResourceConfig { inherit vmName isTestVm; }).fediversityVm)
-      proxmox
-      vmId
-      description
-
-      sockets
-      cores
-      memory
-      diskSize
-
-      hostPublicKey
-      unsafeHostPrivateKey
-      ;
-  };
-
-  listSubdirectories = path: attrNames (filterAttrs (_: type: type == "directory") (readDir path));
-
-  machines = listSubdirectories ./machines;
-  testMachines = listSubdirectories ./test-machines;
-
-in
-{
-  flake.lib.makeInstallerIso = import ./makeInstallerIso.nix;
-
-  ## - Each normal or test machine gets a NixOS configuration.
-  ## - Each normal or test machine gets a VM options entry.
-  ## - Each normal machine gets a deployment.
-  ## - We add a “default” deployment with all normal machines.
-  ## - We add a “test” deployment with all test machines.
-  nixops4Deployments = genAttrs machines makeDeployment' // {
-    default = makeDeployment machines;
-    test = makeTestDeployment (
-      fromJSON (
-        let
-          env = builtins.getEnv "DEPLOYMENT";
-        in
-        if env != "" then
-          env
-        else
-          builtins.trace "env var DEPLOYMENT not set, falling back to ./test-machines/configuration.json!" (readFile ./test-machines/configuration.json)
-      )
-    );
-  };
-  flake.nixosConfigurations =
-    genAttrs machines (makeConfiguration false)
-    // genAttrs testMachines (makeConfiguration true);
-  flake.vmOptions =
-    genAttrs machines (makeVmOptions false)
-    // genAttrs testMachines (makeVmOptions true);
-}

infra/machines.md

@@ -1,15 +0,0 @@
-<!-- This file is auto-generated by `machines.md.sh` from the machines'
-     configuration. -->
-
-# Machines
-
-Currently, this repository keeps track of the following VMs:
-
-Machine | Proxmox | Description
---------|---------|-------------
-[`fedi200`](./fedi200) | fediversity | Testing machine for Hans
-[`fedi201`](./fedi201) | fediversity | FediPanel
-[`vm02116`](./vm02116) | procolix | Forgejo
-[`vm02187`](./vm02187) | procolix | Wiki
-
-This table excludes all machines with names starting with `test`.

infra/machines.md.sh

@@ -1,43 +0,0 @@
-#!/usr/bin/env sh
-set -euC
-
-cd "$(dirname "$0")"
-
-{
-cat <<\EOF
-<!-- This file is auto-generated by `machines.md.sh` from the machines'
-     configuration. -->
-
-# Machines
-
-Currently, this repository keeps track of the following VMs:
-
-Machine | Proxmox | Description
---------|---------|-------------
-EOF
-
-vmOptions=$(
-  cd ..
-  nix eval \
-    --impure --raw --expr "
-      builtins.toJSON (builtins.getFlake (builtins.toString ./.)).vmOptions
-    " \
-    --log-format raw --quiet
-)
-
-## NOTE: `jq`'s `keys` is alphabetically sorted, just what we want here.
-for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
-  if [ "${machine#test}" = "$machine" ]; then
-    proxmox=$(echo "$vmOptions" | jq -r ".$machine.proxmox")
-    description=$(echo "$vmOptions" | jq -r ".$machine.description" | head -n 1)
-
-    # shellcheck disable=SC2016
-    printf '[`%s`](./%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
-  fi
-done
-
-cat <<\EOF
-
-This table excludes all machines with names starting with `test`.
-EOF
-} >| machines.md

infra/machines/vm02116/default.nix

@@ -1,38 +0,0 @@
-{
-  fediversityVm = {
-    vmId = 2116;
-    proxmox = "procolix";
-    description = "Forgejo";
-
-    ipv4.address = "185.206.232.34";
-    ipv6.address = "2a00:51c0:12:1201::20";
-  };
-
-  nixos.module =
-    { lib, ... }:
-    {
-      imports = [
-        ./forgejo.nix
-      ];
-
-      ## vm02116 is running on old hardware based on a Xen VM environment, so it
-      ## needs these extra options. Once the VM gets moved to a newer node, these
-      ## two options can safely be removed.
-      boot.initrd.availableKernelModules = [ "xen_blkfront" ];
-      services.xe-guest-utilities.enable = true;
-
-      ## NOTE: This VM was created manually, which requires us to override the
-      ## default disko-based `fileSystems` definition.
-      fileSystems = lib.mkForce {
-        "/" = {
-          device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853";
-          fsType = "ext4";
-        };
-
-        "/boot" = {
-          device = "/dev/disk/by-uuid/2CE2-1173";
-          fsType = "vfat";
-        };
-      };
-    };
-}

infra/machines/vm02187/default.nix

@@ -1,36 +0,0 @@
-{
-  fediversityVm = {
-    vmId = 2187;
-    proxmox = "procolix";
-    description = "Wiki";
-
-    ipv4.address = "185.206.232.187";
-    ipv6.address = "2a00:51c0:12:1201::187";
-  };
-
-  nixos.module =
-    { lib, ... }:
-    {
-      imports = [
-        ./wiki.nix
-      ];
-
-      ## NOTE: This VM was created manually, which requires us to override the
-      ## default disko-based `fileSystems` definition.
-      fileSystems = lib.mkForce {
-        "/" = {
-          device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49";
-          fsType = "ext4";
-        };
-
-        "/boot" = {
-          device = "/dev/disk/by-uuid/6AB5-4FA8";
-          fsType = "vfat";
-          options = [
-            "fmask=0022"
-            "dmask=0022"
-          ];
-        };
-      };
-    };
-}

infra/operator/.terraform.lock.hcl

@@ -0,0 +1,9 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/external" {
+  version = "2.3.4"
+  hashes = [
+    "h1:hBFp4dEKKevoZEsMW32ralBqrO7cTxTPYdWPqc4Ff+s=",
+  ]
+}

infra/operator/.terraform/modules/modules.json

@@ -0,0 +1 @@
+{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"nixos","Source":"../sync-nix","Dir":"../sync-nix"}]}

infra/operator/.terraform/plugin_path

@@ -0,0 +1,3 @@
+[
+  "/nix/store/zbjjm6vgdj1p2v21qshd9np3ajdnhniy-opentofu-1.9.0/libexec/terraform-providers"
+]

infra/operator/.terraform/providers/registry.opentofu.org/hashicorp/external/2.3.4/linux_amd64

@@ -0,0 +1 @@
+/nix/store/zbjjm6vgdj1p2v21qshd9np3ajdnhniy-opentofu-1.9.0/libexec/terraform-providers/registry.opentofu.org/hashicorp/external/2.3.4/linux_amd64

infra/operator/main.tf

@@ -0,0 +1,74 @@
+locals {
+  vm_domain = "abundos.eu"
+  # user-facing applications
+  application_configs = {
+    # FIXME: wrap applications at the interface to grab them in one go?
+    mastodon = {
+      cfg = var.mastodon
+      hostname = "test06"
+    }
+    pixelfed = {
+      cfg = var.pixelfed
+      hostname = "test04"
+    }
+    peertube = {
+      cfg = var.peertube
+      hostname = "test05"
+    }
+  }
+  # services shared between applications
+  peripherals = { for name, inst in {
+    garage = "test01"
+  } : name => {
+      hostname = inst
+      cfg = {
+        # enable if any user applications are enabled
+        enable = anytrue([for _, app in local.application_configs: app.cfg.enable])
+      }
+    }
+  }
+}
+
+module "nixos" {
+  source = "../sync-nix"
+
+  vm_domain = local.vm_domain
+  hostname = each.value.hostname
+  config_nix = each.value.config_nix
+  config_tf = each.value.config_tf
+
+  for_each = {for name, inst in merge(
+    local.peripherals,
+    local.application_configs,
+  ) : name => merge(inst, {
+    config_tf = {
+      terraform = {
+        domain = var.domain
+        hostname = inst.hostname
+        initialUser = var.initialUser
+      }
+    }
+    config_nix = <<-EOF
+      {
+        # note interpolations here TF ones
+        imports = [
+          # shared NixOS config
+          ${path.root}/../common/shared.nix
+          # FIXME: separate template options by service
+          ${path.root}/options.nix
+          # for service `mastodon` import `mastodon.nix`
+          ${path.root}/../../machines/operator/${inst.hostname}/${name}.nix
+          # FIXME: get VM details from TF
+          ${path.root}/../../machines/operator/${inst.hostname}
+        ];
+        ## FIXME: switch root authentication to users with password-less sudo, see #24
+        users.users.root.openssh.authorizedKeys.keys = let
+          keys = import ../../keys;
+        in [
+          # allow our panel vm access to the test machines
+          keys.panel
+        ];
+      }
+    EOF
+  }) if inst.cfg.enable}
+}

infra/operator/options.nix

@@ -0,0 +1,54 @@
+# TODO: could (part of) this be generated somehow? c.f #275
+{
+  lib,
+  ...
+}:
+let
+  inherit (lib) types mkOption;
+  inherit (types) str enum submodule;
+in
+{
+  options.terraform = {
+    domain = mkOption {
+      type = enum [
+        "fediversity.net"
+      ];
+      description = ''
+        Apex domain under which the services will be deployed.
+      '';
+      default = "fediversity.net";
+    };
+    hostname = mkOption {
+      type = str;
+      description = ''
+        Internal name of the host, e.g. test01
+      '';
+    };
+    initialUser = mkOption {
+      description = ''
+        Some services require an initial user to access them.
+        This option sets the credentials for such an initial user.
+      '';
+      type = submodule {
+        options = {
+          displayName = mkOption {
+            type = str;
+            description = "Display name of the user";
+          };
+          username = mkOption {
+            type = str;
+            description = "Username for login";
+          };
+          email = mkOption {
+            type = str;
+            description = "User's email address";
+          };
+          password = mkOption {
+            type = str;
+            description = "Password for login";
+          };
+        };
+      };
+    };
+  };
+}

infra/operator/variables.tf

@@ -0,0 +1,51 @@
+# TODO: (partially) generate, say from nix modules, c.f. #275
+
+variable "domain" {
+  type = string
+  default = "fediversity.net"
+}
+
+variable "mastodon" {
+  type = object({
+    enable = bool
+  })
+  default = {
+    enable = false
+  }
+}
+
+variable "pixelfed" {
+  type = object({
+    enable = bool
+  })
+  default = {
+    enable = false
+  }
+}
+
+variable "peertube" {
+  type = object({
+    enable = bool
+  })
+  default = {
+    enable = false
+  }
+}
+
+variable "initialUser" {
+  type = object({
+    displayName = string
+    username = string
+    email = string
+    # TODO: mark (nested) credentials as sensitive
+    # https://discuss.hashicorp.com/t/is-it-possible-to-mark-an-attribute-of-an-object-as-sensitive/24649/2
+    password = string
+  })
+  # FIXME: remove default when the form provides this value, see #285
+  default = {
+    displayName = "Testy McTestface"
+    username = "test"
+    email = "test@test.com"
+    password = "testtest"
+  }
+}

infra/pass-ssh-key.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+export host="$host"
+
+mkdir -p etc/ssh
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+for keyname in ssh_host_ed25519_key ssh_host_ed25519_key.pub; do
+  if [[ $keyname == *.pub ]]; then
+    umask 0133
+  else
+    umask 0177
+  fi
+  cp "$SCRIPT_DIR/../infra/test-machines/${host}/${keyname}" ./etc/ssh/${keyname}
+done

infra/setup.nix

@@ -0,0 +1,20 @@
+{
+  pkgs,
+  lib,
+  sources,
+  ...
+}:
+pkgs.writeScriptBin "setup" ''
+  # calculated pins
+  echo '${lib.strings.toJSON sources}' > sync-nix/.npins.json
+  # generate TF lock for nix's TF providers
+  for category in dev operator; do
+    pushd "$category"
+    rm -rf .terraform/
+    rm -f .terraform.lock.hcl
+    # suppress warning on architecture-specific generated lock file:
+    # `Warning: Incomplete lock file information for providers`.
+    tofu init -input=false 1>/dev/null
+    popd
+  done
+''

infra/shell.nix

@@ -0,0 +1 @@
+(import ./. { }).shell

infra/sync-nix/.npins.json

@@ -0,0 +1 @@
+{"agenix":"/nix/store/glsqq1xn5al7d528hvlbm4hl3ladxmka-source","disko":"/nix/store/7wf9q0mb1i43x9dr1qlyfaraq15n6sii-source","flake-inputs":"/nix/store/fqln0bcp6mp75k4sl0cav2f0np60lwhj-source","git-hooks":"/nix/store/8bh3jgq1riy3jxm07vy4xxzvk9xd74pc-source","gitignore":"/nix/store/g5v3sgqy6a0fsmas7mnapc196flrplix-source","home-manager":"/nix/store/cq3b3cx5rv9d0zj57kch9wmxzc2rm8dc-source","htmx":"/nix/store/mwqqk0qmldzvv4xj9kq2lbah2flhc44z-source","nix-unit":"/nix/store/4g1vvy7bhwh16cyd2r8ibq7n6ygk1wvk-source","nixpkgs":"/nix/store/g1bajdwbkcmms8cqd9s8zbq8zxhkyx91-source"}

infra/sync-nix/.terraform.lock.hcl

@@ -0,0 +1,9 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/external" {
+  version = "2.3.4"
+  hashes = [
+    "h1:hBFp4dEKKevoZEsMW32ralBqrO7cTxTPYdWPqc4Ff+s=",
+  ]
+}

infra/sync-nix/.terraform/plugin_path

@@ -0,0 +1,3 @@
+[
+  "/nix/store/zbjjm6vgdj1p2v21qshd9np3ajdnhniy-opentofu-1.9.0/libexec/terraform-providers"
+]

infra/sync-nix/.terraform/providers/registry.opentofu.org/hashicorp/external/2.3.4/linux_amd64

@@ -0,0 +1 @@
+/nix/store/zbjjm6vgdj1p2v21qshd9np3ajdnhniy-opentofu-1.9.0/libexec/terraform-providers/registry.opentofu.org/hashicorp/external/2.3.4/linux_amd64

infra/sync-nix/main.tf

@@ -0,0 +1,102 @@
+locals {
+  system = "x86_64-linux"
+  # dependency paths pre-calculated from npins
+  pins = jsondecode(file("${path.module}/.npins.json"))
+  # nix path: expose pins, use nixpkgs in flake commands (`nix run`)
+  nix_path = "${join(":", [for name, dir in local.pins : "${name}=${dir}"])}:flake=${local.pins["nixpkgs"]}:flake"
+}
+
+# hash of our code directory, used to trigger re-deploy
+# FIXME calculate separately to reduce false positives
+data "external" "hash" {
+  program = ["sh", "-c", "echo \"{\\\"hash\\\":\\\"$(nix-hash ..)\\\"}\""]
+}
+
+# TF resource to build and deploy NixOS instances.
+resource "terraform_data" "nixos" {
+
+  # trigger rebuild/deploy if (FIXME?) any potentially used config/code changed,
+  # preventing these (20+s, build being bottleneck) when nothing changed.
+  # terraform-nixos separates these to only deploy if instantiate changed,
+  # yet building even then - which may be not as bad using deploy on remote.
+  # having build/deploy one resource reflects wanting to prevent no-op rebuilds
+  # over preventing (with less false positives) no-op deployments,
+  # as i could not find a way to do prevent no-op rebuilds without merging them:
+  # - generic resources cannot have outputs, while we want info from the instantiation (unless built on host?).
+  # - `data` always runs, which is slow for deploy and especially build.
+  triggers_replace = [
+    data.external.hash.result,
+    var.hostname,
+    var.config_nix,
+    var.config_tf,
+  ]
+
+  provisioner "local-exec" {
+    # directory to run the script from. we use the TF project root dir,
+    # here as a path relative from where TF is run from,
+    # matching calling modules' expectations on config_nix locations.
+    # note that absolute paths can cause false positives in triggers,
+    # so are generally discouraged in TF.
+    working_dir = path.root
+    environment = {
+      # nix path used on build, lets us refer to e.g. nixpkgs like `<nixpkgs>`
+      NIX_PATH = local.nix_path
+    }
+    # TODO: refactor back to command="ignoreme" interpreter=concat([]) to protect sensitive data from error logs?
+    # TODO: build on target?
+    command = <<-EOF
+      set -euo pipefail
+
+      # INSTANTIATE
+      command=(
+        nix-instantiate
+        --expr
+        'let
+          os = import <nixpkgs/nixos> {
+            system = "${local.system}";
+            configuration =
+              ${var.config_nix} //
+              # template parameters passed in from TF thru json
+              builtins.fromJSON "${replace(jsonencode(var.config_tf), "\"", "\\\"")}" //
+              {
+                # nix path for debugging
+                nix.nixPath = [ "${local.nix_path}" ];
+              };
+          };
+        in
+        # info we want to get back out
+        {
+          substituters = builtins.concatStringsSep " " os.config.nix.settings.substituters;
+          trusted_public_keys = builtins.concatStringsSep " " os.config.nix.settings.trusted-public-keys;
+          drv_path = os.config.system.build.toplevel.drvPath;
+          out_path = os.config.system.build.toplevel;
+        }'
+      )
+      # instantiate the config in /nix/store
+      "$${command[@]}" -A out_path
+      # get the other info
+      json="$("$${command[@]}" --eval --strict --json)"
+
+      # DEPLOY
+      declare substituters trusted_public_keys drv_path
+      # set our variables using the json object
+      eval "export $(echo $json | jaq -r 'to_entries | map("\(.key)=\(.value)") | @sh')"
+      host="root@${var.hostname}.${var.vm_domain}" # FIXME: #24
+      buildArgs=(
+        --option extra-binary-caches https://cache.nixos.org/
+        --option substituters $substituters
+        --option trusted-public-keys $trusted_public_keys
+      )
+      sshOpts=(
+        -o BatchMode=yes
+        -o StrictHostKeyChecking=no
+      )
+      # get the realized derivation to deploy
+      outPath=$(nix-store --realize "$drv_path" "$${buildArgs[@]}")
+      # deploy the config by nix-copy-closure
+      NIX_SSHOPTS="$${sshOpts[*]}" nix-copy-closure --to "$host" "$outPath" --gzip --use-substitutes
+      # switch the remote host to the config
+      ssh "$${sshOpts[@]}" "$host" "nix-env --profile /nix/var/nix/profiles/system --set $outPath; $outPath/bin/switch-to-configuration switch"
+    EOF
+  }
+}

infra/sync-nix/variables.tf

@@ -0,0 +1,17 @@
+variable "vm_domain" {
+  type = string
+}
+
+variable "hostname" {
+  type = string
+}
+
+variable "config_nix" {
+  type = string
+  default = "{}"
+}
+
+variable "config_tf" {
+  type = map(any)
+  default = {}
+}

infra/tests.nix

@@ -0,0 +1,37 @@
+{ lib, pkgs }:
+let
+  defaults = {
+    virtualisation = {
+      memorySize = 2048;
+      cores = 2;
+    };
+  };
+  tf = pkgs.callPackage ./tf.nix {
+    inherit lib pkgs;
+  };
+  tfEnv = pkgs.callPackage ./tf-env.nix { };
+  nodes = {
+    server = {
+      environment.systemPackages = [
+        tf
+        tfEnv
+      ];
+    };
+  };
+in
+lib.mapAttrs (name: test: pkgs.testers.runNixOSTest (test // { inherit name; })) {
+  tf-validate-dev = {
+    inherit defaults nodes;
+    testScript = ''
+      server.wait_for_unit("multi-user.target")
+      server.succeed("${lib.getExe tf} -chdir='${tfEnv}/infra/dev' validate")
+    '';
+  };
+  tf-validate-operator = {
+    inherit defaults nodes;
+    testScript = ''
+      server.wait_for_unit("multi-user.target")
+      server.succeed("${lib.getExe tf} -chdir='${tfEnv}/infra/operator' validate")
+    '';
+  };
+}

infra/tf-env.nix

@@ -0,0 +1,32 @@
+{
+  lib,
+  pkgs,
+  sources ? import ../npins,
+  ...
+}:
+pkgs.stdenv.mkDerivation {
+  name = "tf-repo";
+  src =
+    with lib.fileset;
+    toSource {
+      root = ../.;
+      # don't copy ignored files
+      fileset = intersection (gitTracked ../.) ../.;
+    };
+  buildInputs = [
+    (import ./tf.nix { inherit lib pkgs; })
+    (import ./setup.nix { inherit lib pkgs sources; })
+  ];
+  buildPhase = ''
+    runHook preBuild
+    pushd infra
+    setup
+    popd
+    runHook postBuild
+  '';
+  installPhase = ''
+    runHook preInstall
+    cp -r . $out
+    runHook postInstall
+  '';
+}

infra/tf.nix

@@ -0,0 +1,24 @@
+# FIXME: use overlays so this gets imported just once?
+{
+  lib,
+  pkgs,
+  ...
+}:
+let
+  tofuProvider =
+    provider:
+    provider.override (oldArgs: {
+      provider-source-address =
+        lib.replaceStrings [ "https://registry.terraform.io/providers" ] [ "registry.opentofu.org" ]
+          oldArgs.homepage;
+    });
+  tf = pkgs.opentofu;
+  tfPlugins = (
+    p: [
+      p.external
+    ]
+  );
+in
+# tf.withPlugins tfPlugins
+# https://github.com/NixOS/nixpkgs/pull/358522
+tf.withPlugins (p: pkgs.lib.lists.map tofuProvider (tfPlugins p))

keys/README.md

@@ -14,7 +14,7 @@ overwrite a secret without knowing its contents.)
 In infra management, the systems' keys are used for security reasons; they
 identify the machine that we are talking to. The contributor keys are used to
 give access to the `root` user on these machines, which allows, among other
-things, to deploy their configurations with NixOps4.
+things, to deploy their configurations.
 
 ## Adding a contributor
 

keys/contributors/niols

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY niols@wallace
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICJj4L5Yt9ABdQeEkJI6VuJEyUSVbCHMxYLdvVcB/pXh niols@wallace/fediversity

machines/README.md

@@ -0,0 +1,4 @@
+# Machines
+
+This directory contains the definition of [the VMs](machines.md) that host our
+infrastructure.

machines/dev/fedi200/dns.nix

@@ -0,0 +1,2 @@
+_: {
+}

machines/dev/fedi201/default.nix

@@ -14,10 +14,4 @@
       gateway = "2a00:51c0:13:1305::1";
     };
   };
-
-  nixos.module = {
-    imports = [
-      ./fedipanel.nix
-    ];
-  };
 }

machines/dev/fedi201/fedipanel.nix

@@ -7,12 +7,12 @@ let
 in
 {
   imports = [
+    <home-manager/nixos>
     (import ../../../panel { }).module
   ];
 
   security.acme = {
     acceptTerms = true;
-    defaults.email = "beheer@procolix.com";
   };
 
   age.secrets.panel-ssh-key = {
@@ -37,6 +37,24 @@ in
     enable = true;
     production = true;
     domain = "demo.fediversity.eu";
+    # FIXME: make it work without this duplication
+    settings =
+      let
+        cfg = config.services.${name};
+      in
+      {
+        STATIC_ROOT = "/var/lib/${name}/static";
+        DEBUG = false;
+        ALLOWED_HOSTS = [
+          cfg.domain
+          cfg.host
+          "localhost"
+          "[::1]"
+        ];
+        CSRF_TRUSTED_ORIGINS = [ "https://${cfg.domain}" ];
+        COMPRESS_OFFLINE = true;
+        LIBSASS_OUTPUT_STYLE = "compressed";
+      };
     secrets = {
       SECRET_KEY = config.age.secrets.panel-secret-key.path;
     };

machines/dev/vm02116/default.nix

@@ -0,0 +1,31 @@
+{ lib, ... }:
+{
+  fediversityVm = {
+    vmId = 2116;
+    proxmox = "procolix";
+    description = "Forgejo";
+
+    ipv4.address = "185.206.232.34";
+    ipv6.address = "2a00:51c0:12:1201::20";
+  };
+
+  ## vm02116 is running on old hardware based on a Xen VM environment, so it
+  ## needs these extra options. Once the VM gets moved to a newer node, these
+  ## two options can safely be removed.
+  boot.initrd.availableKernelModules = [ "xen_blkfront" ];
+  services.xe-guest-utilities.enable = true;
+
+  ## NOTE: This VM was created manually, which requires us to override the
+  ## default disko-based `fileSystems` definition.
+  fileSystems = lib.mkForce {
+    "/" = {
+      device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853";
+      fsType = "ext4";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/2CE2-1173";
+      fsType = "vfat";
+    };
+  };
+}

machines/dev/vm02187/default.nix

@@ -0,0 +1,29 @@
+{ lib, ... }:
+{
+  fediversityVm = {
+    vmId = 2187;
+    proxmox = "procolix";
+    description = "Wiki";
+
+    ipv4.address = "185.206.232.187";
+    ipv6.address = "2a00:51c0:12:1201::187";
+  };
+
+  ## NOTE: This VM was created manually, which requires us to override the
+  ## default disko-based `fileSystems` definition.
+  fileSystems = lib.mkForce {
+    "/" = {
+      device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49";
+      fsType = "ext4";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/6AB5-4FA8";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+  };
+}

machines/operator/test01/garage.nix

@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+let
+  ## NOTE: All of these secrets are publicly available in this source file
+  ## and will end up in the Nix store. We don't care as they are only ever
+  ## used for testing anyway.
+  ##
+  ## FIXME: Generate and store in state.
+  mastodonS3KeyConfig =
+    { pkgs, ... }:
+    {
+      s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
+      s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
+    };
+  peertubeS3KeyConfig =
+    { pkgs, ... }:
+    {
+      s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
+      s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
+    };
+  pixelfedS3KeyConfig =
+    { pkgs, ... }:
+    {
+      s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
+      s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
+    };
+in
+{
+  fediversity = {
+    garage.enable = true;
+    pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
+    mastodon = mastodonS3KeyConfig { inherit pkgs; };
+    peertube = peertubeS3KeyConfig { inherit pkgs; };
+  };
+}

machines/operator/test04/pixelfed.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+let
+  pixelfedS3KeyConfig =
+    { pkgs, ... }:
+    {
+      s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
+      s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
+    };
+in
+{
+  fediversity = {
+    pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
+      enable = true;
+    };
+  };
+}

machines/operator/test05/peertube.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+let
+  peertubeS3KeyConfig =
+    { pkgs, ... }:
+    {
+      s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
+      s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
+    };
+in
+{
+  fediversity = {
+    peertube = peertubeS3KeyConfig { inherit pkgs; } // {
+      enable = true;
+      ## NOTE: Only ever used for testing anyway.
+      ##
+      ## FIXME: Generate and store in state.
+      secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
+    };
+  };
+}

machines/operator/test06/mastodon.nix

@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+let
+  mastodonS3KeyConfig =
+    { pkgs, ... }:
+    {
+      s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
+      s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
+    };
+in
+{
+  fediversity = {
+    mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
+      enable = true;
+    };
+    temp.cores = 1; # FIXME: should come from TF eventually
+  };
+}

npins/sources.json

@@ -1,5 +1,86 @@
 {
   "pins": {
+    "agenix": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "ryantm",
+        "repo": "agenix"
+      },
+      "branch": "main",
+      "submodules": false,
+      "revision": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
+      "url": "https://github.com/ryantm/agenix/archive/e600439ec4c273cf11e06fe4d9d906fb98fa097c.tar.gz",
+      "hash": "006ngydiykjgqs85cl19h9klq8kaqm5zs0ng51dnwy7nzgqxzsdr"
+    },
+    "disko": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "disko"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "submodules": false,
+      "version": "v1.11.0",
+      "revision": "cdf8deded8813edfa6e65544f69fdd3a59fa2bb4",
+      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.11.0",
+      "hash": "13brimg7z7k9y36n4jc1pssqyw94nd8qvgfjv53z66lv4xkhin92"
+    },
+    "flake-inputs": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "fricklerhandwerk",
+        "repo": "flake-inputs"
+      },
+      "branch": "main",
+      "submodules": false,
+      "revision": "559574c9cbb8af262f3944b67d60fbf0f6ad03c3",
+      "url": "https://github.com/fricklerhandwerk/flake-inputs/archive/559574c9cbb8af262f3944b67d60fbf0f6ad03c3.tar.gz",
+      "hash": "0gbhmp6x2vdzvfnsvqzal3g8f8hx2ia6r73aibc78kazf78m67x6"
+    },
+    "git-hooks": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "cachix",
+        "repo": "git-hooks.nix"
+      },
+      "branch": "master",
+      "submodules": false,
+      "revision": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/dcf5072734cb576d2b0c59b2ac44f5050b5eac82.tar.gz",
+      "hash": "1jmdxmx29xghjiaks6f5amnxld8w3kmxb2zv8lk2yzpgp6kr60qg"
+    },
+    "gitignore": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix"
+      },
+      "branch": "master",
+      "submodules": false,
+      "revision": "637db329424fd7e46cf4185293b9cc8c88c95394",
+      "url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz",
+      "hash": "02wxkdpbhlm3yk5mhkhsp3kwakc16xpmsf2baw57nz1dg459qv8w"
+    },
+    "home-manager": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "home-manager"
+      },
+      "branch": "master",
+      "submodules": false,
+      "revision": "22b326b42bf42973d5e4fe1044591fb459e6aeac",
+      "url": "https://github.com/nix-community/home-manager/archive/22b326b42bf42973d5e4fe1044591fb459e6aeac.tar.gz",
+      "hash": "0hwllnym5mrrxinjsq0p9zn39i110c1xixp4x64svl7jjm5zb4c4"
+    },
     "htmx": {
       "type": "GitRelease",
       "repository": {
@@ -30,10 +111,17 @@
       "hash": "1wms0wxwvxac1r1daihj5wsx1nghfk5hwdvy5cpgq481bp9x4cjn"
     },
     "nixpkgs": {
-      "type": "Channel",
-      "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre782598.18dd725c2960/nixexprs.tar.xz",
-      "hash": "1p7kgyph7xkj57p19nbxpycmbchc6d9gwdznsmxhymrzyzi3if21"
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nixos",
+        "repo": "nixpkgs"
+      },
+      "branch": "nixpkgs-unstable",
+      "submodules": false,
+      "revision": "f33a4d26226c05d501b9d4d3e5e60a3a59991921",
+      "url": "https://github.com/nixos/nixpkgs/archive/f33a4d26226c05d501b9d4d3e5e60a3a59991921.tar.gz",
+      "hash": "1b6dm1sn0bdpcsmxna0zzspjaixa2dald08005fry5jrbjvwafdj"
     }
   },
   "version": 5

panel/default.nix

@@ -12,21 +12,32 @@ let
   manage = pkgs.writeScriptBin "manage" ''
     exec ${pkgs.lib.getExe pkgs.python3} ${toString ./src/manage.py} $@
   '';
+  package = pkgs.callPackage ./nix/package.nix { };
 in
 {
   shell = pkgs.mkShellNoCC {
-    inputsFrom = [ (pkgs.callPackage ./nix/package.nix { }) ];
+    inputsFrom = [ package ];
     packages = [
       pkgs.npins
       manage
     ];
-    env = import ./env.nix { inherit lib pkgs; } // {
-      NPINS_DIRECTORY = toString ../npins;
-      CREDENTIALS_DIRECTORY = toString ./.credentials;
-      DATABASE_URL = "sqlite:///${toString ./src}/db.sqlite3";
-    };
+    env =
+      let
+        inherit (builtins) toString;
+      in
+      import ./env.nix { inherit lib pkgs; }
+      // {
+        NPINS_DIRECTORY = toString ../npins;
+        CREDENTIALS_DIRECTORY = toString ./.credentials;
+        DATABASE_URL = "sqlite:///${toString ./src}/db.sqlite3";
+        # locally: use a fixed relative reference, so we can use our newest files without copying to the store
+        REPO_DIR = toString ../.;
+      };
     shellHook = ''
-      ln -sf ${sources.htmx}/dist/htmx.js src/panel/static/htmx.min.js
+      ${lib.concatStringsSep "\n" (
+        map (file: "ln -sf ${file.from} ${toString ./src/${file.to}}") package.generated
+      )}
+
       # in production, secrets are passed via CREDENTIALS_DIRECTORY by systemd.
       # use this directory for testing with local secrets
       mkdir -p $CREDENTIALS_DIRECTORY

panel/env.nix

@@ -3,16 +3,15 @@
   pkgs,
   ...
 }:
-let
-  inherit (builtins) toString;
-in
 {
-  REPO_DIR = toString ../.;
-  # explicitly use nix, as e.g. lix does not have configurable-impure-env
   BIN_PATH = lib.makeBinPath [
-    # explicitly use nix, as e.g. lix does not have configurable-impure-env
-    pkgs.nix
-    # nixops error maybe due to our flake git hook: executing 'git': No such file or directory
+    pkgs.lix
+    pkgs.bash
+    pkgs.coreutils
+    pkgs.openssh
     pkgs.git
+    pkgs.jaq # tf
+    (import ../infra/tf.nix { inherit lib pkgs; })
   ];
+  SSH_PRIVATE_KEY_FILE = "";
 }

panel/nix/configuration.nix

@@ -29,6 +29,9 @@ let
       ((pkgs.formats.pythonVars { }).generate "settings.py" cfg.settings)
       (builtins.toFile "extra-settings.py" cfg.extra-settings)
     ];
+    REPO_DIR = import ../../infra/tf-env.nix {
+      inherit lib pkgs;
+    };
   };
 
   python-environment = pkgs.python3.withPackages (
@@ -157,9 +160,7 @@ in
       };
     };
 
-    users.users.${name} = {
-      isNormalUser = true;
-    };
+    users.users.${name}.isNormalUser = true;
 
     users.groups.${name} = { };
     systemd.services.${name} = {
@@ -167,6 +168,7 @@ in
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       path = [
+        pkgs.openssh
         python-environment
         manage-service
       ];

panel/nix/package.nix

@@ -1,5 +1,6 @@
 {
   lib,
+  pkgs,
   sqlite,
   python3,
   sources ? import ../../npins,
@@ -11,7 +12,7 @@ let
       root = ../src;
       fileset = intersection (gitTracked ../../.) ../src;
     };
-  pyproject = with lib; fromTOML pyproject-toml;
+  pyproject = fromTOML pyproject-toml;
   # TODO: define this globally
   name = "panel";
   # TODO: we may want this in a file so it's easier to read statically
@@ -25,6 +26,12 @@ let
     packages = [ "${name}" ]
     include-package-data = true
   '';
+  generated = [
+    {
+      from = "${sources.htmx}/dist/htmx.min.js";
+      to = "./panel/static/htmx.min.js";
+    }
+  ];
 in
 python3.pkgs.buildPythonPackage {
   pname = name;
@@ -54,11 +61,23 @@ python3.pkgs.buildPythonPackage {
     ]
     ++ pythonPackages;
 
+  passthru = {
+    inherit generated;
+  };
+
   postInstall = ''
     mkdir -p $out/bin
     cp -v ${src}/manage.py $out/bin/manage.py
     chmod +x $out/bin/manage.py
-    wrapProgram $out/bin/manage.py --prefix PYTHONPATH : "$PYTHONPATH"
-    cp ${sources.htmx}/dist/htmx.min.js* $out/${python3.sitePackages}/panel/static/
+    wrapProgram $out/bin/manage.py \
+      --set REPO_DIR "${
+        import ../../infra/tf-env.nix {
+          inherit lib pkgs;
+        }
+      }" \
+      --prefix PYTHONPATH : "$PYTHONPATH"
+    ${lib.concatStringsSep "\n" (
+      map (file: "cp ${file.from} $out/${python3.sitePackages}/${file.to}") generated
+    )}
   '';
 }