manually use cache in ci

rm unused dep nix-templating

fix imports

.forgejo/workflows/cd.yaml

@@ -0,0 +1,24 @@
+name: deploy-infra
+
+on:
+  workflow_dispatch: # allows manual triggering
+  push:
+    branches:
+      # - main
+
+jobs:
+  deploy:
+    runs-on: native
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up SSH key to access age secrets
+        run: |
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+      - name: Deploy
+        run: nix-shell --run 'nixops4 apply default'

.forgejo/workflows/ci.yaml

@@ -10,43 +10,43 @@ on:
 
 jobs:
   check-pre-commit:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix-build -A tests
 
   check-data-model:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'
 
   check-peertube:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
-      - run: nix-build services -A tests.peertube
+      - run: attic login fediversity http://attic.fediversity.net:8080 ${{ secrets.ATTIC_PULL_KEY }} && attic use demo && nix-build services -A tests.peertube
 
   check-panel:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix-build panel -A tests
 
   check-deployment-basic:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-basic -L
 
   check-deployment-cli:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-cli -L
 
   check-deployment-panel:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-panel -L

.forgejo/workflows/update.yaml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   lockfile:
-    runs-on: native
+    runs-on: nix
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

default.nix

@@ -58,12 +58,14 @@ in
       in
       [
         pkgs.npins
+        pkgs.attic-client
         pkgs.nil
         (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
         pkgs.openssh
         pkgs.httpie
         pkgs.jq
         pkgs.nix-unit
+        pkgs.attic-client
         test-loop
         nixops4.packages.${system}.default
       ];

deployment/check/basic/constants.nix

@@ -0,0 +1,8 @@
+{
+  targetMachines = [
+    "hello"
+    "cowsay"
+  ];
+  pathToRoot = ../../..;
+  pathFromRoot = ./.;
+}

deployment/check/basic/default.nix

@@ -0,0 +1,14 @@
+{
+  runNixOSTest,
+  inputs,
+  sources,
+}:
+
+runNixOSTest {
+  imports = [
+    ../common/nixosTest.nix
+    ./nixosTest.nix
+  ];
+  _module.args = { inherit inputs sources; };
+  inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
+}

deployment/check/basic/deployment.nix

@@ -0,0 +1,36 @@
+{
+  inputs,
+  sources,
+  lib,
+  providers,
+  ...
+}:
+
+let
+  inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
+in
+
+{
+  providers = {
+    inherit (inputs.nixops4.modules.nixops4Provider) local;
+  };
+
+  resources = lib.genAttrs targetMachines (nodeName: {
+    type = providers.local.exec;
+
+    imports = [
+      inputs.nixops4-nixos.modules.nixops4Resource.nixos
+      ../common/targetResource.nix
+    ];
+
+    _module.args = { inherit inputs sources; };
+
+    inherit nodeName pathToRoot pathFromRoot;
+
+    nixos.module =
+      { pkgs, ... }:
+      {
+        environment.systemPackages = [ pkgs.${nodeName} ];
+      };
+  });
+}

deployment/check/basic/flake-part.nix

@@ -1,57 +0,0 @@
-{
-  self,
-  inputs,
-  lib,
-  sources,
-  ...
-}:
-
-let
-  inherit (lib) genAttrs;
-
-  targetMachines = [
-    "hello"
-    "cowsay"
-  ];
-  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
-  pathFromRoot = ./.;
-
-in
-{
-  _class = "flake";
-
-  perSystem =
-    { pkgs, ... }:
-    {
-      checks.deployment-basic = pkgs.testers.runNixOSTest {
-        imports = [
-          ../common/nixosTest.nix
-          ./nixosTest.nix
-        ];
-        _module.args = { inherit inputs sources; };
-        inherit targetMachines pathToRoot pathFromRoot;
-      };
-    };
-
-  nixops4Deployments.check-deployment-basic =
-    { providers, ... }:
-    {
-      providers = {
-        inherit (inputs.nixops4.modules.nixops4Provider) local;
-      };
-      resources = genAttrs targetMachines (nodeName: {
-        type = providers.local.exec;
-        imports = [
-          inputs.nixops4-nixos.modules.nixops4Resource.nixos
-          ../common/targetResource.nix
-        ];
-        _module.args = { inherit inputs sources; };
-        inherit nodeName pathToRoot pathFromRoot;
-        nixos.module =
-          { pkgs, ... }:
-          {
-            environment.systemPackages = [ pkgs.${nodeName} ];
-          };
-      });
-    };
-}

deployment/check/basic/flake-under-test.nix

@@ -0,0 +1,22 @@
+{
+  inputs = {
+    nixops4.follows = "nixops4-nixos/nixops4";
+    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
+  };
+
+  outputs =
+    inputs:
+    import ./mkFlake.nix inputs (
+      { inputs, sources, ... }:
+      {
+        imports = [
+          inputs.nixops4.modules.flake.default
+        ];
+
+        nixops4Deployments.check-deployment-basic = {
+          imports = [ ./deployment/check/basic/deployment.nix ];
+          _module.args = { inherit inputs sources; };
+        };
+      }
+    );
+}

deployment/check/basic/nixosTest.nix

@@ -1,10 +1,15 @@
-{ inputs, ... }:
+{ inputs, lib, ... }:
 
 {
   _class = "nixosTest";
 
   name = "deployment-basic";
 
+  sourceFileset = lib.fileset.unions [
+    ./constants.nix
+    ./deployment.nix
+  ];
+
   nodes.deployer =
     { pkgs, ... }:
     {

deployment/check/cli/constants.nix

@@ -0,0 +1,12 @@
+{
+  targetMachines = [
+    "garage"
+    "mastodon"
+    "peertube"
+    "pixelfed"
+    "attic"
+  ];
+  pathToRoot = ../../..;
+  pathFromRoot = ./.;
+  enableAcme = true;
+}

deployment/check/cli/default.nix

@@ -0,0 +1,19 @@
+{
+  runNixOSTest,
+  inputs,
+  sources,
+}:
+
+runNixOSTest {
+  imports = [
+    ../common/nixosTest.nix
+    ./nixosTest.nix
+  ];
+  _module.args = { inherit inputs sources; };
+  inherit (import ./constants.nix)
+    targetMachines
+    pathToRoot
+    pathFromRoot
+    enableAcme
+    ;
+}

deployment/check/cli/deployments.nix

@@ -0,0 +1,59 @@
+{
+  inputs,
+  sources,
+  lib,
+}:
+
+let
+  inherit (builtins) fromJSON readFile listToAttrs;
+  inherit (import ./constants.nix)
+    targetMachines
+    pathToRoot
+    pathFromRoot
+    enableAcme
+    ;
+
+  makeTargetResource = nodeName: {
+    imports = [ ../common/targetResource.nix ];
+    _module.args = { inherit inputs sources; };
+    inherit
+      nodeName
+      pathToRoot
+      pathFromRoot
+      enableAcme
+      ;
+  };
+
+  ## The deployment function - what we are here to test!
+  ##
+  ## TODO: Modularise `deployment/default.nix` to get rid of the nested
+  ## function calls.
+  makeTestDeployment =
+    args:
+    (import ../..)
+      {
+        inherit lib;
+        inherit (inputs) nixops4 nixops4-nixos;
+        fediversity = import ../../../services/fediversity;
+      }
+      (listToAttrs (
+        map (nodeName: {
+          name = "${nodeName}ConfigurationResource";
+          value = makeTargetResource nodeName;
+        }) targetMachines
+      ))
+      (fromJSON (readFile ../../configuration.sample.json) // args);
+
+in
+{
+  check-deployment-cli-nothing = makeTestDeployment { };
+
+  check-deployment-cli-mastodon-pixelfed = makeTestDeployment {
+    mastodon.enable = true;
+    pixelfed.enable = true;
+  };
+
+  check-deployment-cli-peertube = makeTestDeployment {
+    peertube.enable = true;
+  };
+}

deployment/check/cli/flake-part.nix

@@ -14,6 +14,7 @@ let
     "mastodon"
     "peertube"
     "pixelfed"
+    "attic"
   ];
   pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
   pathFromRoot = ./.;

deployment/check/cli/flake-under-test.nix

@@ -0,0 +1,26 @@
+{
+  inputs = {
+    nixops4.follows = "nixops4-nixos/nixops4";
+    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
+  };
+
+  outputs =
+    inputs:
+    import ./mkFlake.nix inputs (
+      {
+        inputs,
+        sources,
+        lib,
+        ...
+      }:
+      {
+        imports = [
+          inputs.nixops4.modules.flake.default
+        ];
+
+        nixops4Deployments = import ./deployment/check/cli/deployments.nix {
+          inherit inputs sources lib;
+        };
+      }
+    );
+}

deployment/check/cli/nixosTest.nix

@@ -1,4 +1,9 @@
-{ inputs, hostPkgs, ... }:
+{
+  inputs,
+  hostPkgs,
+  lib,
+  ...
+}:
 
 let
   ## Some places need a dummy file that will in fact never be used. We create
@@ -11,6 +16,21 @@ in
 
   name = "deployment-cli";
 
+  sourceFileset = lib.fileset.unions [
+    ./constants.nix
+    ./deployments.nix
+
+    # REVIEW: I would like to be able to grab all of `/deployment` minus
+    # `/deployment/check`, but I can't because there is a bunch of other files
+    # in `/deployment`. Maybe we can think of a reorg making things more robust
+    # here? (comment also in panel test)
+    ../../default.nix
+    ../../options.nix
+    ../../configuration.sample.json
+
+    ../../../services/fediversity
+  ];
+
   nodes.deployer =
     { pkgs, ... }:
     {
@@ -25,6 +45,8 @@ in
         peertube.inputDerivation
         gixy
         gixy.inputDerivation
+        shellcheck
+        shellcheck.inputDerivation
       ];
 
       system.extraDependenciesFromModule = {
@@ -48,6 +70,11 @@ in
             s3AccessKeyFile = dummyFile;
             s3SecretKeyFile = dummyFile;
           };
+          attic = {
+            enable = true;
+            s3AccessKeyFile = dummyFile;
+            s3SecretKeyFile = dummyFile;
+          };
           temp.cores = 1;
           temp.initialUser = {
             username = "dummy";
@@ -72,6 +99,7 @@ in
   nodes.mastodon.virtualisation.memorySize = 4 * 1024;
   nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
   nodes.peertube.virtualisation.memorySize = 5 * 1024;
+  nodes.attic.virtualisation.memorySize = 2 * 1024;
 
   ## FIXME: The test of presence of the services are very simple: we only
   ## check that there is a systemd service of the expected name on the
@@ -86,6 +114,7 @@ in
       mastodon.fail("systemctl status mastodon-web.service")
       peertube.fail("systemctl status peertube.service")
       pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
 
     with subtest("Run deployment with no services enabled"):
       deployer.succeed("nixops4 apply check-deployment-cli-nothing --show-trace --no-interactive 1>&2")
@@ -95,6 +124,7 @@ in
       mastodon.fail("systemctl status mastodon-web.service")
       peertube.fail("systemctl status peertube.service")
       pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
 
     with subtest("Run deployment with Mastodon and Pixelfed enabled"):
       deployer.succeed("nixops4 apply check-deployment-cli-mastodon-pixelfed --show-trace --no-interactive 1>&2")
@@ -104,6 +134,7 @@ in
       mastodon.succeed("systemctl status mastodon-web.service")
       peertube.fail("systemctl status peertube.service")
       pixelfed.succeed("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
 
     with subtest("Run deployment with only Peertube enabled"):
       deployer.succeed("nixops4 apply check-deployment-cli-peertube --show-trace --no-interactive 1>&2")
@@ -113,5 +144,6 @@ in
       mastodon.fail("systemctl status mastodon-web.service")
       peertube.succeed("systemctl status peertube.service")
       pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
   '';
 }

deployment/check/common/deployerNode.nix

@@ -40,7 +40,7 @@ in
       ## default. These values have been trimmed down to the gigabyte.
       ## Memory use is expected to be dominated by the NixOS evaluation,
       ## which happens on the deployer.
-      memorySize = 4 * 1024;
+      memorySize = 5 * 1024;
       diskSize = 4 * 1024;
       cores = 2;
     };
@@ -54,12 +54,15 @@ in
 
     system.extraDependencies =
       [
-        inputs.flake-parts
-        inputs.flake-parts.inputs.nixpkgs-lib
         inputs.nixops4
         inputs.nixops4-nixos
         inputs.nixpkgs
+
+        sources.flake-parts
+        sources.nixpkgs
         sources.flake-inputs
+        sources.git-hooks
+        sources.vars
 
         pkgs.stdenv
         pkgs.stdenvNoCC

deployment/check/common/nixosTest.nix

@@ -13,6 +13,7 @@ let
     toJSON
     ;
   inherit (lib)
+    types
     fileset
     mkOption
     genAttrs
@@ -27,14 +28,6 @@ let
 
   forConcat = xs: f: concatStringsSep "\n" (map f xs);
 
-  ## The whole repository, with the flake at its root.
-  ## FIXME: We could probably have fileset be the union of ./. with flake.nix
-  ## and flake.lock - I doubt we need anything else.
-  src = fileset.toSource {
-    fileset = config.pathToRoot;
-    root = config.pathToRoot;
-  };
-
   ## We will need to override some inputs by the empty flake, so we make one.
   emptyFlake = runCommandNoCC "empty-flake" { } ''
     mkdir $out
@@ -53,9 +46,39 @@ in
     ## FIXME: I wish I could just use `testScript` but with something like
     ## `mkOrder` to put this module's string before something else.
     extraTestScript = mkOption { };
+
+    sourceFileset = mkOption {
+      ## REVIEW: Upstream to nixpkgs?
+      type = types.mkOptionType {
+        name = "fileset";
+        description = "fileset";
+        descriptionClass = "noun";
+        check = (x: (builtins.tryEval (fileset.unions [ x ])).success);
+        merge = (_: defs: fileset.unions (map (x: x.value) defs));
+      };
+      description = ''
+        A fileset that will be copied to the deployer node in the current
+        working directory. This should contain all the files that are
+        necessary to run that particular test, such as the NixOS
+        modules necessary to evaluate a deployment.
+      '';
+    };
   };
 
   config = {
+    sourceFileset = fileset.unions [
+      # NOTE: not the flake itself; it will be overridden.
+      ../../../mkFlake.nix
+      ../../../flake.lock
+      ../../../npins
+
+      ./sharedOptions.nix
+      ./targetNode.nix
+      ./targetResource.nix
+
+      (config.pathToCwd + "/flake-under-test.nix")
+    ];
+
     acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
 
     nodes =
@@ -103,8 +126,16 @@ in
         ${n}.wait_for_unit("multi-user.target")
       '')}
 
+      ## A subset of the repository that is necessary for this test. It will be
+      ## copied inside the test. The smaller this set, the faster our CI, because we
+      ## won't need to re-run when things change outside of it.
       with subtest("Unpacking"):
-        deployer.succeed("cp -r --no-preserve=mode ${src}/* .")
+        deployer.succeed("cp -r --no-preserve=mode ${
+          fileset.toSource {
+            root = ../../..;
+            fileset = config.sourceFileset;
+          }
+        }/* .")
 
       with subtest("Configure the network"):
         ${forConcat config.targetMachines (
@@ -134,11 +165,16 @@ in
 
       ## NOTE: This is super slow. It could probably be optimised in Nix, for
       ## instance by allowing to grab things directly from the host's store.
-      with subtest("Override the lock"):
+      ##
+      ## NOTE: We use the repository as-is (cf `src` above), overriding only
+      ## `flake.nix` by our `flake-under-test.nix`. We also override the flake
+      ## lock file to use locally available inputs, as we cannot download them.
+      ##
+      with subtest("Override the flake and its lock"):
+        deployer.succeed("cp ${config.pathFromRoot}/flake-under-test.nix flake.nix")
         deployer.succeed("""
           nix flake lock --extra-experimental-features 'flakes nix-command' \
             --offline -v \
-            --override-input flake-parts ${inputs.flake-parts} \
             --override-input nixops4 ${inputs.nixops4.packages.${system}.flake-in-a-bottle} \
             \
             --override-input nixops4-nixos ${inputs.nixops4-nixos} \
@@ -150,9 +186,6 @@ in
               inputs.nixops4-nixos.inputs.nixops4.packages.${system}.flake-in-a-bottle
             } \
             --override-input nixops4-nixos/git-hooks-nix ${emptyFlake} \
-            \
-            --override-input nixpkgs ${inputs.nixpkgs} \
-            --override-input git-hooks ${inputs.git-hooks} \
             ;
         """)
 

deployment/check/panel/constants.nix

@@ -0,0 +1,12 @@
+{
+  targetMachines = [
+    "garage"
+    "mastodon"
+    "peertube"
+    "pixelfed"
+    "attic"
+  ];
+  pathToRoot = ../../..;
+  pathFromRoot = ./.;
+  enableAcme = true;
+}

deployment/check/panel/default.nix

@@ -0,0 +1,19 @@
+{
+  runNixOSTest,
+  inputs,
+  sources,
+}:
+
+runNixOSTest {
+  imports = [
+    ../common/nixosTest.nix
+    ./nixosTest.nix
+  ];
+  _module.args = { inherit inputs sources; };
+  inherit (import ./constants.nix)
+    targetMachines
+    pathToRoot
+    pathFromRoot
+    enableAcme
+    ;
+}

deployment/check/panel/deployment.nix

@@ -0,0 +1,58 @@
+{
+  inputs,
+  sources,
+  lib,
+}:
+
+let
+  inherit (builtins) fromJSON listToAttrs;
+  inherit (import ./constants.nix)
+    targetMachines
+    pathToRoot
+    pathFromRoot
+    enableAcme
+    ;
+
+  makeTargetResource = nodeName: {
+    imports = [ ../common/targetResource.nix ];
+    _module.args = { inherit inputs sources; };
+    inherit
+      nodeName
+      pathToRoot
+      pathFromRoot
+      enableAcme
+      ;
+  };
+
+  ## The deployment function - what we are here to test!
+  ##
+  ## TODO: Modularise `deployment/default.nix` to get rid of the nested
+  ## function calls.
+  makeTestDeployment =
+    args:
+    (import ../..)
+      {
+        inherit lib;
+        inherit (inputs) nixops4 nixops4-nixos;
+        fediversity = import ../../../services/fediversity;
+      }
+      (listToAttrs (
+        map (nodeName: {
+          name = "${nodeName}ConfigurationResource";
+          value = makeTargetResource nodeName;
+        }) targetMachines
+      ))
+      args;
+
+in
+makeTestDeployment (
+  fromJSON (
+    let
+      env = builtins.getEnv "DEPLOYMENT";
+    in
+    if env == "" then
+      throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
+    else
+      env
+  )
+)

deployment/check/panel/flake-part.nix

@@ -1,94 +0,0 @@
-{
-  self,
-  inputs,
-  lib,
-  sources,
-  ...
-}:
-
-let
-  inherit (builtins)
-    fromJSON
-    listToAttrs
-    ;
-
-  targetMachines = [
-    "garage"
-    "mastodon"
-    "peertube"
-    "pixelfed"
-  ];
-  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
-  pathFromRoot = ./.;
-  enableAcme = true;
-
-in
-{
-  _class = "flake";
-
-  perSystem =
-    { pkgs, ... }:
-    {
-      checks.deployment-panel = pkgs.testers.runNixOSTest {
-        imports = [
-          ../common/nixosTest.nix
-          ./nixosTest.nix
-        ];
-        _module.args = { inherit inputs sources; };
-        inherit
-          targetMachines
-          pathToRoot
-          pathFromRoot
-          enableAcme
-          ;
-      };
-    };
-
-  nixops4Deployments =
-    let
-      makeTargetResource = nodeName: {
-        imports = [ ../common/targetResource.nix ];
-        _module.args = { inherit inputs sources; };
-        inherit
-          nodeName
-          pathToRoot
-          pathFromRoot
-          enableAcme
-          ;
-      };
-
-      ## The deployment function - what we are here to test!
-      ##
-      ## TODO: Modularise `deployment/default.nix` to get rid of the nested
-      ## function calls.
-      makeTestDeployment =
-        args:
-        (import ../..)
-          {
-            inherit lib;
-            inherit (inputs) nixops4 nixops4-nixos;
-            fediversity = import ../../../services/fediversity;
-          }
-          (listToAttrs (
-            map (nodeName: {
-              name = "${nodeName}ConfigurationResource";
-              value = makeTargetResource nodeName;
-            }) targetMachines
-          ))
-          args;
-
-    in
-    {
-      check-deployment-panel = makeTestDeployment (
-        fromJSON (
-          let
-            env = builtins.getEnv "DEPLOYMENT";
-          in
-          if env == "" then
-            throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
-          else
-            env
-        )
-      );
-    };
-}

deployment/check/panel/flake-under-test.nix

@@ -0,0 +1,26 @@
+{
+  inputs = {
+    nixops4.follows = "nixops4-nixos/nixops4";
+    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
+  };
+
+  outputs =
+    inputs:
+    import ./mkFlake.nix inputs (
+      {
+        inputs,
+        sources,
+        lib,
+        ...
+      }:
+      {
+        imports = [
+          inputs.nixops4.modules.flake.default
+        ];
+
+        nixops4Deployments.check-deployment-panel = import ./deployment/check/panel/deployment.nix {
+          inherit inputs sources lib;
+        };
+      }
+    );
+}

deployment/check/panel/nixosTest.nix

@@ -33,6 +33,7 @@ let
       enableMastodon,
       enablePeertube,
       enablePixelfed,
+      enableAttic,
     }:
     hostPkgs.writers.writePython3Bin "interact-with-panel"
       {
@@ -94,6 +95,7 @@ let
         checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'mastodon.enable']"), ${toPythonBool enableMastodon})
         checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'peertube.enable']"), ${toPythonBool enablePeertube})
         checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'pixelfed.enable']"), ${toPythonBool enablePixelfed})
+        checkbox_set(driver.find_element(By.XPATH, "//input[@name = 'attic.enable']"), ${toPythonBool enableAttic})
 
         print("Start deployment...")
         driver.find_element(By.XPATH, "//button[@id = 'deploy-button']").click()
@@ -125,6 +127,20 @@ in
 
   name = "deployment-panel";
 
+  sourceFileset = lib.fileset.unions [
+    ./constants.nix
+    ./deployment.nix
+
+    # REVIEW: I would like to be able to grab all of `/deployment` minus
+    # `/deployment/check`, but I can't because there is a bunch of other files
+    # in `/deployment`. Maybe we can think of a reorg making things more robust
+    # here? (comment also in CLI test)
+    ../../default.nix
+    ../../options.nix
+
+    ../../../services/fediversity
+  ];
+
   ## The panel's module sets `nixpkgs.overlays` which clashes with
   ## `pkgsReadOnly`. We disable it here.
   node.pkgsReadOnly = false;
@@ -194,6 +210,11 @@ in
             s3AccessKeyFile = dummyFile;
             s3SecretKeyFile = dummyFile;
           };
+          attic = {
+            enable = true;
+            s3AccessKeyFile = dummyFile;
+            s3SecretKeyFile = dummyFile;
+          };
           temp.cores = 1;
           temp.initialUser = {
             username = "dummy";
@@ -239,6 +260,7 @@ in
   nodes.mastodon.virtualisation.memorySize = 4 * 1024;
   nodes.pixelfed.virtualisation.memorySize = 4 * 1024;
   nodes.peertube.virtualisation.memorySize = 5 * 1024;
+  nodes.attic.virtualisation.memorySize = 4 * 1024;
 
   ## FIXME: The test of presence of the services are very simple: we only
   ## check that there is a systemd service of the expected name on the
@@ -311,6 +333,7 @@ in
       mastodon.fail("systemctl status mastodon-web.service")
       peertube.fail("systemctl status peertube.service")
       pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
 
     with subtest("Run deployment with no services enabled"):
       client.succeed("${
@@ -319,6 +342,7 @@ in
           enableMastodon = false;
           enablePeertube = false;
           enablePixelfed = false;
+          enableAttic = false;
         }
       }/bin/interact-with-panel >&2")
 
@@ -327,6 +351,7 @@ in
       mastodon.fail("systemctl status mastodon-web.service")
       peertube.fail("systemctl status peertube.service")
       pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
 
     with subtest("Run deployment with Mastodon and Pixelfed enabled"):
       client.succeed("${
@@ -335,6 +360,7 @@ in
           enableMastodon = true;
           enablePeertube = false;
           enablePixelfed = true;
+          enableAttic = false;
         }
       }/bin/interact-with-panel >&2")
 
@@ -343,6 +369,7 @@ in
       mastodon.succeed("systemctl status mastodon-web.service")
       peertube.fail("systemctl status peertube.service")
       pixelfed.succeed("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
 
     with subtest("Run deployment with only Peertube enabled"):
       client.succeed("${
@@ -351,6 +378,7 @@ in
           enableMastodon = false;
           enablePeertube = true;
           enablePixelfed = false;
+          enableAttic = false;
         }
       }/bin/interact-with-panel >&2")
 
@@ -359,5 +387,6 @@ in
       mastodon.fail("systemctl status mastodon-web.service")
       peertube.succeed("systemctl status peertube.service")
       pixelfed.fail("systemctl status phpfpm-pixelfed.service")
+      attic.fail("systemctl status atticd.service")
   '';
 }

deployment/configuration.sample.json

@@ -3,6 +3,7 @@
   "mastodon": { "enable": false },
   "peertube": { "enable": false },
   "pixelfed": { "enable": false },
+  "attic": { "enable": false },
   "initialUser": {
     "displayName": "Testy McTestface",
     "username": "test",

deployment/default.nix

@@ -24,6 +24,7 @@
   mastodonConfigurationResource,
   peertubeConfigurationResource,
   pixelfedConfigurationResource,
+  atticConfigurationResource,
 }:
 
 ## From the hosting provider's perspective, the function is meant to be
@@ -55,6 +56,7 @@ let
     mastodon = nonNull panelConfigNullable.mastodon { enable = false; };
     peertube = nonNull panelConfigNullable.peertube { enable = false; };
     pixelfed = nonNull panelConfigNullable.pixelfed { enable = false; };
+    attic = nonNull panelConfigNullable.attic { enable = false; };
   };
 in
 
@@ -107,6 +109,13 @@ in
             s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
             s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
           };
+        atticS3KeyConfig =
+          { pkgs, ... }:
+          {
+            # REVIEW: how were these generated above? how do i add one?
+            s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKaaaaaaaaaaaaaaaaaaaaaaaa";
+            s3SecretKeyFile = pkgs.writeText "s3SecretKey" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+          };
 
         makeConfigurationResource = resourceModule: config: {
           type = providers.local.exec;
@@ -140,13 +149,14 @@ in
       {
         garage-configuration = makeConfigurationResource garageConfigurationResource (
           { pkgs, ... }:
-          mkIf (cfg.mastodon.enable || cfg.peertube.enable || cfg.pixelfed.enable) {
+          mkIf (cfg.mastodon.enable || cfg.peertube.enable || cfg.pixelfed.enable || cfg.attic.enable) {
             fediversity = {
               inherit (cfg) domain;
               garage.enable = true;
               pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
               mastodon = mastodonS3KeyConfig { inherit pkgs; };
               peertube = peertubeS3KeyConfig { inherit pkgs; };
+              attic = atticS3KeyConfig { inherit pkgs; };
             };
           }
         );
@@ -213,6 +223,25 @@ in
             };
           }
         );
+
+        attic-configuration = makeConfigurationResource atticConfigurationResource (
+          { pkgs, ... }:
+          mkIf cfg.attic.enable {
+            fediversity = {
+              inherit (cfg) domain;
+              temp.initialUser = {
+                inherit (cfg.initialUser) username email displayName;
+                # FIXME: disgusting, but nvm, this is going to be replaced by
+                # proper central authentication at some point
+                passwordFile = pkgs.writeText "password" cfg.initialUser.password;
+              };
+
+              attic = atticS3KeyConfig { inherit pkgs; } // {
+                enable = true;
+              };
+            };
+          }
+        );
       };
   };
 }

deployment/flake-part.nix

@@ -1,9 +1,26 @@
+{ inputs, sources, ... }:
+
 {
   _class = "flake";
 
-  imports = [
-    ./check/basic/flake-part.nix
-    ./check/cli/flake-part.nix
-    ./check/panel/flake-part.nix
-  ];
+  perSystem =
+    { pkgs, ... }:
+    {
+      checks = {
+        deployment-basic = import ./check/basic {
+          inherit (pkgs.testers) runNixOSTest;
+          inherit inputs sources;
+        };
+
+        deployment-cli = import ./check/cli {
+          inherit (pkgs.testers) runNixOSTest;
+          inherit inputs sources;
+        };
+
+        deployment-panel = import ./check/panel {
+          inherit (pkgs.testers) runNixOSTest;
+          inherit inputs sources;
+        };
+      };
+    };
 }

deployment/options.nix

@@ -71,6 +71,19 @@ in
         });
       default = null;
     };
+    attic = mkOption {
+      description = ''
+        Configuration for the Attic service
+      '';
+      type =
+        with types;
+        nullOr (submodule {
+          options = {
+            enable = lib.mkEnableOption "Attic";
+          };
+        });
+      default = null;
+    };
     initialUser = mkOption {
       description = ''
         Some services require an initial user to access them.

flake.lock

@@ -59,22 +59,6 @@
       }
     },
     "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_3": {
       "flake": false,
       "locked": {
         "lastModified": 1733328505,
@@ -90,7 +74,7 @@
         "type": "github"
       }
     },
-    "flake-compat_4": {
+    "flake-compat_3": {
       "flake": false,
       "locked": {
         "lastModified": 1696426674,
@@ -143,24 +127,6 @@
       }
     },
     "flake-parts_3": {
-      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib_3"
-      },
-      "locked": {
-        "lastModified": 1738453229,
-        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_4": {
       "inputs": {
         "nixpkgs-lib": [
           "nixops4-nixos",
@@ -201,32 +167,12 @@
         "type": "github"
       }
     },
-    "git-hooks": {
+    "git-hooks-nix": {
       "inputs": {
         "flake-compat": "flake-compat",
         "gitignore": "gitignore",
         "nixpkgs": "nixpkgs"
       },
-      "locked": {
-        "lastModified": 1742649964,
-        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "type": "github"
-      }
-    },
-    "git-hooks-nix": {
-      "inputs": {
-        "flake-compat": "flake-compat_2",
-        "gitignore": "gitignore_2",
-        "nixpkgs": "nixpkgs_2"
-      },
       "locked": {
         "lastModified": 1737465171,
         "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
@@ -281,27 +227,6 @@
       }
     },
     "gitignore": {
-      "inputs": {
-        "nixpkgs": [
-          "git-hooks",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
-    "gitignore_2": {
       "inputs": {
         "nixpkgs": [
           "nixops4-nixos",
@@ -341,8 +266,8 @@
     },
     "nix": {
       "inputs": {
-        "flake-compat": "flake-compat_3",
-        "flake-parts": "flake-parts_4",
+        "flake-compat": "flake-compat_2",
+        "flake-parts": "flake-parts_3",
         "git-hooks-nix": "git-hooks-nix_2",
         "nixfmt": "nixfmt",
         "nixpkgs": [
@@ -416,10 +341,10 @@
     },
     "nixops4": {
       "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_2",
         "nix": "nix",
         "nix-cargo-integration": "nix-cargo-integration",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-old": "nixpkgs-old"
       },
       "locked": {
@@ -438,7 +363,7 @@
     },
     "nixops4-nixos": {
       "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
         "git-hooks-nix": "git-hooks-nix",
         "nixops4": "nixops4",
         "nixops4-nixos": [
@@ -520,18 +445,6 @@
         "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
       }
     },
-    "nixpkgs-lib_3": {
-      "locked": {
-        "lastModified": 1738452942,
-        "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
-      }
-    },
     "nixpkgs-old": {
       "locked": {
         "lastModified": 1735563628,
@@ -565,22 +478,6 @@
       }
     },
     "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1730768919,
-        "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
       "locked": {
         "lastModified": 1738410390,
         "narHash": "sha256-xvTo0Aw0+veek7hvEVLzErmJyQkEcRk6PSR4zsRQFEc=",
@@ -621,7 +518,7 @@
     },
     "purescript-overlay": {
       "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_3",
         "nixpkgs": [
           "nixops4-nixos",
           "nixops4",
@@ -664,8 +561,6 @@
     },
     "root": {
       "inputs": {
-        "flake-parts": "flake-parts",
-        "git-hooks": "git-hooks",
         "nixops4": [
           "nixops4-nixos",
           "nixops4"

flake.nix

@@ -1,83 +1,47 @@
 {
   inputs = {
-    flake-parts.url = "github:hercules-ci/flake-parts";
-    git-hooks.url = "github:cachix/git-hooks.nix";
     nixops4.follows = "nixops4-nixos/nixops4";
     nixops4-nixos.url = "github:nixops4/nixops4-nixos";
   };
 
   outputs =
-    inputs@{ self, flake-parts, ... }:
-    let
-      sources = import ./npins;
-      inherit (import sources.flake-inputs) import-flake;
-      inherit (sources) git-hooks;
-      # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
-      # XXX - this is just importing a flake
-      nixpkgs = import-flake { src = sources.nixpkgs; };
-      # XXX - this overrides the inputs attached to `self`
-      inputs' = self.inputs // {
-        nixpkgs = nixpkgs;
-      };
-      self' = self // {
-        inputs = inputs';
-      };
-    in
-    # XXX - finally we override the overall set of `inputs` -- we need both:
-    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
-    flake-parts.lib.mkFlake
+    inputs:
+    import ./mkFlake.nix inputs (
+      { inputs, sources, ... }:
       {
-        inputs = inputs // {
-          inherit nixpkgs;
-        };
-        self = self';
-        specialArgs = {
-          inherit sources;
-        };
+        imports = [
+          "${sources.git-hooks}/flake-module.nix"
+          inputs.nixops4.modules.flake.default
+
+          ./deployment/flake-part.nix
+          ./infra/flake-part.nix
+          ./keys/flake-part.nix
+          ./secrets/flake-part.nix
+        ];
+
+        perSystem =
+          {
+            pkgs,
+            lib,
+            ...
+          }:
+          {
+            formatter = pkgs.nixfmt-rfc-style;
+
+            pre-commit.settings.hooks =
+              let
+                ## Add a directory here if pre-commit hooks shouldn't apply to it.
+                optout = [ "npins" ];
+                excludes = map (dir: "^${dir}/") optout;
+                addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
+              in
+              addExcludes {
+                nixfmt-rfc-style.enable = true;
+                deadnix.enable = true;
+                trim-trailing-whitespace.enable = true;
+                shellcheck.enable = true;
+              };
+          };
       }
-      (
-        { inputs, ... }:
-        {
-          systems = [
-            "x86_64-linux"
-            "aarch64-linux"
-            "x86_64-darwin"
-            "aarch64-darwin"
-          ];
-
-          imports = [
-            "${git-hooks}/flake-module.nix"
-            inputs.nixops4.modules.flake.default
-
-            ./deployment/flake-part.nix
-            ./infra/flake-part.nix
-            ./keys/flake-part.nix
-            ./secrets/flake-part.nix
-          ];
-
-          perSystem =
-            {
-              pkgs,
-              lib,
-              ...
-            }:
-            {
-              formatter = pkgs.nixfmt-rfc-style;
-
-              pre-commit.settings.hooks =
-                let
-                  ## Add a directory here if pre-commit hooks shouldn't apply to it.
-                  optout = [ "npins" ];
-                  excludes = map (dir: "^${dir}/") optout;
-                  addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
-                in
-                addExcludes {
-                  nixfmt-rfc-style.enable = true;
-                  deadnix.enable = true;
-                  trim-trailing-whitespace.enable = true;
-                  shellcheck.enable = true;
-                };
-            };
-        }
-      );
+    );
 }

infra/common/nixos/default.nix

@@ -24,6 +24,14 @@ in
     experimental-features = nix-command flakes
   '';
 
+  nix.settings = {
+    substituters = [
+      "http://attic.fediversity.net/demo"
+    ];
+    trusted-public-keys = [
+      "demo:N3CAZ049SeBVqBM+OnhLMrxWJ9altbD/aoJtHrY19KM="
+    ];
+  };
   boot.loader = {
     systemd-boot.enable = true;
     efi.canTouchEfiVariables = true;

infra/common/nixos/nftables-ruleset.nft

@@ -43,7 +43,8 @@ table inet filter {
         ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
 
         # open tcp ports: sshd (22)
-        tcp dport {ssh} accept
+        # 8080: used in atticd
+        tcp dport {ssh,8080} accept
 
         # open tcp ports: snmp (161)
         ip saddr $snmp_allow udp dport {snmp} accept

infra/common/proxmox-qemu-vm.nix

@@ -1,9 +1,13 @@
-{ modulesPath, ... }:
-
+let
+  # pulling this in manually over from module args resolves an infinite recursion
+  sources = import ../../npins;
+in
 {
   _class = "nixos";
 
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  imports = [
+    "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+  ];
 
   boot = {
     initrd = {

infra/common/resource.nix

@@ -32,9 +32,11 @@ in
   ## options that really need to be injected from the resource. Everything else
   ## should go into the `./nixos` subdirectory.
   nixos.module = {
-    imports = [
-      "${sources.agenix}/modules/age.nix"
-      "${sources.disko}/module.nix"
+    imports = with sources; [
+      "${agenix}/modules/age.nix"
+      "${disko}/module.nix"
+      "${vars}/options.nix"
+      "${vars}/backends/on-machine.nix"
       ./options.nix
       ./nixos
     ];

infra/flake-part.nix

@@ -33,6 +33,10 @@ let
           ;
       };
 
+      nixos.module.imports = [
+        ./common/proxmox-qemu-vm.nix
+      ];
+
       imports =
         [
           ./common/resource.nix
@@ -40,7 +44,6 @@ let
         ++ (
           if isTestVm then
             [
-              ./common/proxmox-qemu-vm.nix
               ../machines/operator/${vmName}
               {
                 nixos.module.users.users.root.openssh.authorizedKeys.keys = [
@@ -104,6 +107,10 @@ let
           vmName = "test04";
           isTestVm = true;
         };
+        atticConfigurationResource = makeResourceModule {
+          vmName = "test12";
+          isTestVm = true;
+        };
       };
 
   nixops4ResourceNixosMockOptions = {

keys/cd-ssh-key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlsYTtMx3hFO8B5B8iHaXL2JKj9izHeC+/AMhIWXBPs cd-age

keys/default.nix

@@ -35,4 +35,5 @@ in
   contributors = collectKeys ./contributors;
   systems = collectKeys ./systems;
   panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
+  cd = removeTrailingWhitespace (readFile ./cd-ssh-key.pub);
 }

machines/dev/fedi200/default.nix

@@ -16,10 +16,4 @@
       gateway = "2a00:51c0:13:1305::1";
     };
   };
-
-  nixos.module = {
-    imports = [
-      ../../../infra/common/proxmox-qemu-vm.nix
-    ];
-  };
 }

machines/dev/forgejo-ci/default.nix

@@ -48,7 +48,7 @@ in
       };
 
       ## NOTE: This is a physical machine, so is not covered by disko
-      fileSystems."/" = {
+      fileSystems."/" = lib.mkForce {
         device = "rpool/root";
         fsType = "zfs";
       };
@@ -58,7 +58,7 @@ in
         fsType = "zfs";
       };
 
-      fileSystems."/boot" = {
+      fileSystems."/boot" = lib.mkForce {
         device = "/dev/disk/by-uuid/50B2-DD3F";
         fsType = "vfat";
         options = [

machines/dev/forgejo-ci/forgejo-actions-runner.nix

@@ -1,19 +1,122 @@
-{ pkgs, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  system = builtins.currentSystem;
+  sources = import ../../../npins;
+  packages =
+    let
+      inherit (import sources.flake-inputs) import-flake;
+      inherit ((import-flake { src = ../../..; }).inputs) nixops4;
+    in
+    [
+      pkgs.coreutils
+      pkgs.findutils
+      pkgs.gnugrep
+      pkgs.gawk
+      pkgs.git
+      pkgs.nix
+      pkgs.bash
+      pkgs.jq
+      pkgs.nodejs
+      pkgs.npins
+      nixops4.packages.${system}.default
+    ];
+  storeDeps = pkgs.runCommand "store-deps" { } ''
+    mkdir -p $out/bin
+    for dir in ${toString packages}; do
+      for bin in "$dir"/bin/*; do
+        ln -s "$bin" "$out/bin/$(basename "$bin")"
+      done
+    done
+    # Add SSL CA certs
+    mkdir -p $out/etc/ssl/certs
+    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
+  '';
+  numInstances = 5;
+in
 
+let
+  user = "gitea-runner";
+in
 {
   _class = "nixos";
 
+  imports = with sources; [
+    "${home-manager}/nixos"
+    "${vars}/options.nix"
+    "${vars}/backends/on-machine.nix"
+  ];
+
+  vars.settings.on-machine.enable = true;
+  vars.generators."templates" = rec {
+    dependencies = [ "attic" ];
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.gnused
+    ];
+    script = lib.concatStringsSep "\n" (
+      lib.mapAttrsToList (template: _: ''
+        cp "$templates/${template}" "$out/${template}"
+        echo "filling placeholders in template ${template}..."
+        sed -i "s/${placeholder}/$(cat "${config.age.secrets.wiki-password.path}")/g" "$out/${template}"
+      '') files
+    );
+
+    files."attic.toml" = {
+      secret = true;
+      template = pkgs.writeText "attic.toml" ''
+        default-server = "fediversity"
+
+        [servers.fediversity]
+        endpoint = "http://localhost:8080"
+        token = "${config.vars.generators.attic.files.token.placeholder}"
+      '';
+    };
+  };
+
+  home-manager = {
+    users.${user}.home = {
+      stateVersion = "25.05";
+      file.".config/attic/config.toml".source =
+        config.vars.generators."templates".files."attic.toml".path;
+    };
+  };
+
   services.gitea-actions-runner = {
     package = pkgs.forgejo-actions-runner;
-
-    instances.default = {
+    instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (_: {
       enable = true;
-
       name = config.networking.fqdn;
       url = "https://git.fediversity.eu";
       tokenFile = config.age.secrets.forgejo-runner-token.path;
-
+      ## This runner supports Docker (with a default Ubuntu image) and native
+      ## modes. In native mode, it contains a few default packages.
+      labels = [
+        "nix:docker://gitea-runner-nix"
+        "docker:docker://node:16-bullseye"
+        "native:host"
+      ];
+      hostPackages = with pkgs; [
+        bash
+        git
+        nix
+        nodejs
+      ];
       settings = {
+        container = {
+          options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+          # the default network that also respects our dns server settings
+          network = "host";
+          valid_volumes = [
+            "/nix"
+            "${storeDeps}/bin"
+            "${storeDeps}/etc/ssl"
+          ];
+        };
         log.level = "info";
         runner = {
           file = ".runner";
@@ -25,23 +128,165 @@
           fetch_interval = "2s";
         };
       };
+    });
+  };
 
-      ## This runner supports Docker (with a default Ubuntu image) and native
-      ## modes. In native mode, it contains a few default packages.
-      labels = [
-        "docker:docker://node:16-bullseye"
-        "native:host"
-      ];
-
-      hostPackages = with pkgs; [
-        bash
-        git
-        nix
-        nodejs
+  users = {
+    users.nixuser = {
+      group = "nixuser";
+      description = "Used for running nix ci jobs";
+      home = "/var/empty";
+      isSystemUser = true;
+    };
+    groups.nixuser = { };
+  };
+  virtualisation = {
+    ## For the Docker mode of the runner.
+    ## Podman seemed to get stuck on the checkout step
+    docker.enable = true;
+    containers.containersConf.settings = {
+      # podman (at least) seems to not work with systemd-resolved
+      containers.dns_servers = [
+        "8.8.8.8"
+        "8.8.4.4"
       ];
     };
   };
+  systemd.services =
+    {
+      gitea-runner-nix-image = {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "docker.service" ];
+        requires = [ "docker.service" ];
+        path = [
+          pkgs.docker
+          pkgs.gnutar
+          pkgs.shadow
+          pkgs.getent
+        ];
+        # we also include etc here because the cleanup job also wants the nixuser to be present
+        script = ''
+          set -eux -o pipefail
+          mkdir -p etc/nix
 
-  ## For the Docker mode of the runner.
-  virtualisation.docker.enable = true;
+          # Create an unpriveleged user that we can use also without the run-as-user.sh script
+          touch etc/passwd etc/group
+          groupid=$(cut -d: -f3 < <(getent group nixuser))
+          userid=$(cut -d: -f3 < <(getent passwd nixuser))
+          groupadd --prefix $(pwd) --gid "$groupid" nixuser
+          emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
+          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
+
+          cat <<NIX_CONFIG > etc/nix/nix.conf
+          accept-flake-config = true
+          experimental-features = nix-command flakes
+          NIX_CONFIG
+
+          cat <<NSSWITCH > etc/nsswitch.conf
+          passwd:    files mymachines systemd
+          group:     files mymachines systemd
+          shadow:    files
+
+          hosts:     files mymachines dns myhostname
+          networks:  files
+
+          ethers:    files
+          services:  files
+          protocols: files
+          rpc:       files
+          NSSWITCH
+
+          # list the content as it will be imported into the container
+          tar -cv . | tar -tvf -
+          tar -cv . | docker import - gitea-runner-nix
+        '';
+        serviceConfig = {
+          RuntimeDirectory = "gitea-runner-nix-image";
+          WorkingDirectory = "/run/gitea-runner-nix-image";
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+      };
+    }
+    // lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (
+      _:
+      let
+        requires = [ "gitea-runner-nix-image.service" ];
+      in
+      {
+        inherit requires;
+        after = requires;
+        # TODO: systemd confinement
+        serviceConfig = {
+          # Hardening (may overlap with DynamicUser=)
+          # The following options are only for optimizing output of systemd-analyze
+          AmbientCapabilities = "";
+          CapabilityBoundingSet = "";
+          # ProtectClock= adds DeviceAllow=char-rtc r
+          DeviceAllow = "";
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateMounts = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          UMask = "0066";
+          ProtectProc = "invisible";
+          SystemCallFilter = [
+            "~@clock"
+            "~@cpu-emulation"
+            "~@module"
+            "~@mount"
+            "~@obsolete"
+            "~@raw-io"
+            "~@reboot"
+            "~@swap"
+            # needed by go?
+            #"~@resources"
+            "~@privileged"
+            "~capset"
+            "~setdomainname"
+            "~sethostname"
+          ];
+          SupplementaryGroups = [ "docker" ];
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_UNIX"
+            "AF_NETLINK"
+          ];
+
+          # Needs network access
+          PrivateNetwork = false;
+          # Cannot be true due to Node
+          MemoryDenyWriteExecute = false;
+
+          # The more restrictive "pid" option makes `nix` commands in CI emit
+          # "GC Warning: Couldn't read /proc/stat"
+          # You may want to set this to "pid" if not using `nix` commands
+          ProcSubset = "all";
+          # Coverage programs for compiled code such as `cargo-tarpaulin` disable
+          # ASLR (address space layout randomization) which requires the
+          # `personality` syscall
+          # You may want to set this to `true` if not using coverage tooling on
+          # compiled code
+          LockPersonality = false;
+
+          # Note that this has some interactions with the User setting; so you may
+          # want to consult the systemd docs if using both.
+          DynamicUser = true;
+        };
+      }
+    );
 }

machines/dev/vm02116/forgejo.nix

@@ -110,4 +110,8 @@ in
       };
     };
   };
+
+  # needed to imperatively run forgejo commands e.g. to generate runner tokens.
+  # example: `sudo su - forgejo -c 'nix-shell -p forgejo --run "gitea actions generate-runner-token -C /var/lib/forgejo/custom"'`
+  users.users.forgejo.isNormalUser = true;
 }

machines/operator/test12/default.nix

@@ -18,4 +18,11 @@
       gateway = "2a00:51c0:13:1305::1";
     };
   };
+
+  nixos.module = {
+    imports = [
+      ../../../infra/common/proxmox-qemu-vm.nix
+      ../../../services/fediversity/attic
+    ];
+  };
 }

mkFlake.nix

@@ -0,0 +1,54 @@
+## This file contains a tweak of flake-parts's `mkFlake` function to splice in
+## sources taken from npins.
+
+## NOTE: Much of the logic in this file feels like it should be not super
+## specific to fediversity. Could it make sense to extract the core of this to
+## another place it feels closer to in spirit, such as @fricklerhandwerk's
+## flake-inputs (which this code already depends on anyway, and which already
+## contained two distinct helpers for migrating away from flakes)? cf
+## https://git.fediversity.eu/Fediversity/Fediversity/pulls/447#issuecomment-8671
+
+inputs@{ self, ... }:
+
+let
+  sources = import ./npins;
+  inherit (import sources.flake-inputs) import-flake;
+
+  # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
+  # XXX - this is just importing a flake
+  nixpkgs = import-flake { src = sources.nixpkgs; };
+
+  # XXX - this overrides the inputs attached to `self`
+  inputs' = self.inputs // {
+    nixpkgs = nixpkgs;
+  };
+  self' = self // {
+    inputs = inputs';
+  };
+
+  flake-parts-lib = import "${sources.flake-parts}/lib.nix" { inherit (nixpkgs) lib; };
+in
+
+flakeModule:
+
+flake-parts-lib.mkFlake
+  {
+    # XXX - finally we override the overall set of `inputs` -- we need both:
+    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
+    inputs = inputs // {
+      inherit nixpkgs;
+    };
+    self = self';
+    specialArgs = {
+      inherit sources;
+    };
+  }
+  {
+    systems = [
+      "x86_64-linux"
+      "aarch64-linux"
+      "x86_64-darwin"
+      "aarch64-darwin"
+    ];
+    imports = [ flakeModule ];
+  }

npins/sources.json

@@ -150,6 +150,19 @@
       "revision": "f33a4d26226c05d501b9d4d3e5e60a3a59991921",
       "url": "https://github.com/nixos/nixpkgs/archive/f33a4d26226c05d501b9d4d3e5e60a3a59991921.tar.gz",
       "hash": "1b6dm1sn0bdpcsmxna0zzspjaixa2dald08005fry5jrbjvwafdj"
+    },
+    "vars": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "kiaragrouwstra",
+        "repo": "vars"
+      },
+      "branch": "templates",
+      "submodules": false,
+      "revision": "6ff942bf2b514edaa1022a92edb6552ac32a09d1",
+      "url": "https://github.com/kiaragrouwstra/vars/archive/6ff942bf2b514edaa1022a92edb6552ac32a09d1.tar.gz",
+      "hash": "1h1q3l1l1c1j4ak5lcj2yh85jwqww74ildiak2dkd4h1js9v6cvw"
     }
   },
   "version": 5

secrets/forgejo-database-password.age

@@ -1,17 +1,19 @@
 age-encryption.org/v1
--> ssh-ed25519 Jpc21A 9edPaA2tT4SeYNTPzF0E157daC2o+JH/WQQCT+vLbFg
-C48EtLdhB75TTzfEZTw1DypicHiVlSmFzjfbqfO9N/8
--> ssh-ed25519 BAs8QA T+kXpZg1v0XRkub5DWir7vYwO7KaOJLZBNYxxXiBUCw
-zBRwMTDpyI7twEwUGsmJYyYPw9btBx5Kakj1yT+XY8U
--> ssh-ed25519 ofQnlg 4UoEDY/tdKz8LrX1BkBU1/cn+vSaYLUl7xX9YmzANBY
-8CACq1n3AJgD9IyPN23iRvThqsfQFF5+jmkKnhun24U
--> ssh-ed25519 COspvA HxcbkqHL+LpVmwb+Fo5JuUU+C+Pxzdxtb0yZHixwuzM
-7FIhxdbjHJlgQQgjrHHUK5cecqs5aT7X3I8TWf8c2gc
--> ssh-ed25519 2XrTgw R6Ia8MVIZKPnNZ0rspZ34EqoY8fOLeB9H7vnvNBLg1g
-55NUqz5Yygt6FKJ3bR5iHxQp8G7S2gyFwrJNX1Pb/2Y
--> ssh-ed25519 awJeHA hJdTuAScoewVMt7HWiisSkL0zSeClFzYzzKL84G893o
-ou780VLrW1s4d6L+lEVu3kXaGn4dvtFPA31supwEL50
--> ssh-ed25519 Fa25Dw mJcqnXA3fQeoKrG7RJ7nVeLxPvrxqbj+lJdx6jQ9IR8
-f5Q7mrQSSDsm1Z/uSAnvx66mgnRC3XaBLQrVL9f/Ijs
---- W/KmboXTLV12X6WtVQKHNe+ZHvS2q9EHUZwofSgJSE8
-^kûÚ	h©0ÔkÇ ¢¸_Ç·ûQÞm‘’7\òÖ}÷Áë?½qø‚<ÿm
+-> ssh-ed25519 Jpc21A bBCQmvfRUwJuIXbpVJ092XUBVszGrb6gILGbgV9j9BY
+7DEGwhqdfqMs5cxXtlMkSTPjw4qhczBgW0dmoJ6dh6g
+-> ssh-ed25519 BAs8QA oiVedFC6UklEFCJUybGr93+XrddyCtV4r4TnE4nhpWI
+xasnkP4NCl9TuYSE1u0Xi0b/PiwcrfHCz2QMnpTjLcU
+-> ssh-ed25519 ofQnlg LrMcWdaEUVyIgd/KznwJW/2sucIu5MuxDEcEJAmf8mA
+p6pQoisuXre2J4r6ArV6C6lKO2J/aNdBFhqLPBoZ2wA
+-> ssh-ed25519 COspvA q2OGeVofPKyGCpr4Mf9VoaRvZCWTRl8n2mvkQOdTnyQ
+M+ffAGecJG/94k/Z5DdokltrZppS2IcxkZa8JKHwIMs
+-> ssh-ed25519 2XrTgw Bsz/G4QderToPSfMKOR6s5yWb0xCGUlsjGJxJYQNBRc
+JYrXZb8qj1Yi9u5bnI/WzuNxy7gyFLCTIUaGNmcOYnk
+-> ssh-ed25519 awJeHA KKJMQSt0PvC6P+T/kxQv96tSBdLQLiY2f8q35IwGm28
+p7Cf2HLlPl0qmsO6Hh5zwVgKkEs3A6fdSBndMKsacbk
+-> ssh-ed25519 Fa25Dw 3m/qyannP4gjXxkUuO0LQRU8Z8HXOg4WReMDd7786y8
+dNMyiBGeJDrBScE9TEyZZ7+MGMG6FLuoRTK82EVeX1w
+-> ssh-ed25519 i+ecmQ oCs4Ep2K75yjmUOh1ox4F25tGq+O/mZ2/c2E8+IRlEc
+0Wc9gDxhvHK5tEVM5kJ0mQXc3kp7tJ2JNHg54N0+tJ8
+--- mXrqbcHxjjkS5MrQaCVm4hTsAUEENAWlIYtiYx6rtas
+ž`€úì}öÙ7Ù>­iŒbàéëÕè/&ɪŠwŽ„ì7àí[ã±Hˆc“

secrets/secrets.nix

@@ -7,11 +7,12 @@ let
 
   keys = import ../keys;
   contributors = attrValues keys.contributors;
+  cd = [ keys.cd ];
 in
 
 concatMapAttrs
   (name: systems: {
-    "${name}.age".publicKeys = contributors ++ systems;
+    "${name}.age".publicKeys = contributors ++ systems ++ cd;
   })
 
   (
@@ -24,6 +25,7 @@ concatMapAttrs
     ## are able to decrypt them.
 
     {
+      attic-ci-token = [ forgejo-ci ];
       forgejo-database-password = [ vm02116 ];
       forgejo-email-password = [ vm02116 ];
       forgejo-runner-token = [ forgejo-ci ];

secrets/wiki-basicauth-htpasswd.age

@@ -1,18 +1,19 @@
 age-encryption.org/v1
--> ssh-ed25519 Jpc21A EuMYAiZX+4A12eu19mIY7u+WYF7NJ9qJosQSVlxR6n8
-bK5CMXAmP23t1p9bgmqoVg4Qcu2qYKGc4t36v8e9eow
--> ssh-ed25519 BAs8QA IwRyitDNTzUPzQAUbDNEKjFiF8WPD/OyztOZQeoTEzw
-OwiTWvk4NmUgExav0uH6HlThDNU5hsKXfR6KHsFOV3I
--> ssh-ed25519 ofQnlg 3TcMbLX1JsQL8+Gqy7IFZwykZr2BspvPCuZT1SHtnQQ
-Ci5OeBj2aiC8ut9jIEUMt3qfYH+cJrnVud6AH54Ndn8
--> ssh-ed25519 COspvA 0t9f3Wu3ILv4QTJhwT619y+7XFrryCLbpIZC6aE+qQI
-oPQP48F6oO/tkqLZDdjkGtIap7KHiAknbpTNL6/yLaU
--> ssh-ed25519 2XrTgw YOZsaYQH9vMH0QqSXGh8GyhRV4MbcBGPFfFaKpo3Ckk
-kUShJbADA+6bpx2adxvzlI/0jSM5bIBfZfdSE/7Vm5Y
--> ssh-ed25519 awJeHA dF3m0hQWX9c0EezDr56Kt/F4d1Uim7NwvIX6zRws0Eo
-pst243yrARODwrnyz8cJAzgDxdPOUsRbs7yPZePABFs
--> ssh-ed25519 dgBsjw PUYHcP/tgNnKyvlIoJRcNcW3zabVV1iHXIWfKqgW9xc
-tXNjSuVH/g/oN5o75FPkFFpviF7SeFSN9kbqURvgMDE
---- wHgBAN9c6F6T5hFJGo8uH8zqDkQDwx3/jVNKUtQ3arE
-«Ñ¢Á
-ò@µú¡fÃ`m;ÕcæäU²€ùò£Íd…eS’èyfv¿»¡€J?ø `œfj£Äa}lÃó ¿Úxç²BÇt2èfìôm08ÓoÝtRál9˜èx¤¢ŒÅž›æ÷
+-> ssh-ed25519 Jpc21A NStZFZPTHMhVCnQ5Zkbl39vWztrxfsSXok24/e8H7QQ
+JjHP6Cus76PGYYxpbnc2cSZ79zvdD8LISYDPbvXsnqU
+-> ssh-ed25519 BAs8QA iocHfHjWlEUsbtibqEbYDceAqURr2vjxuYapqon9hyU
+ljL+olZdhWtHeV3uh3pOu22+sY13wPn2vKQDduPSqVs
+-> ssh-ed25519 ofQnlg 9YVfMKyoP3+xtzg/ok2I9yf3YdIYoBpUJa/3d2N/8lI
+2yUalyj7O3c1YDA2xTb9QNYrFBDHwcyGBX3mydv0ifI
+-> ssh-ed25519 COspvA cOSNsZXBbhQ/B49fq3KwcY6siVrTz48doTrta/0d/Hw
+jcRtVxA/tVFM9btPAPI6zKk8BwAVlaQlvHC203MpmIQ
+-> ssh-ed25519 2XrTgw d3EKtYkxjeJZ8kt3ofIklGmRwUCgTIB/WVVlvxggGRk
+IhcrpWN9xFsKRw9iCfYMONPOU7TpTt4kTBNwMDtk7zo
+-> ssh-ed25519 awJeHA Ei64e3+FJDM6S8NP+YfEWEg9t72qTXZ0IdZE8dYQPm4
+ggRc86sXin06eXJkLbK8CdJFDa1237WMfSgwNd5ngmM
+-> ssh-ed25519 dgBsjw 9etK6tNrFlWVAKTz5U0TitkiGYLKTad3QiRWVpLPrwM
+xHLzFnRtcvpVZYZrxWz5q4uadhHrHVlfqjteOWfIccE
+-> ssh-ed25519 i+ecmQ SDTnYBLMOaH173B/wqaOifE6a90gSesRqMHmX7/iZFk
+kS9tuKnMXCXNUnoZ06DisOOyZHe/mZl4a0JRA+eynE8
+--- C0R5WxDDCqQGxyvFoeNX838az0bjp55PGh//1NFG4LE
+ŠÉY—±³<EFBFBD>„ÏKRÇËej±éŒ7xÑíE¹ Óì¾7jÏ
-œJý«[ÀF?Ÿ=-w‘XMC~)èÅ›ƒ<E280BA>Éõb«ëƒCÜ4ÌÖÞOwý~–¿š8ñv—ÙÜžèX»ØÆ’ƒí!5¦

services/README.md

@@ -21,11 +21,11 @@ For those that know it, we could say that the current module is an analogous of
 
 ## Content of this directory
 
-- [fediversity][./fediversity] contains the definition of the services. Look in
+- [fediversity](./fediversity) contains the definition of the services. Look in
   particular at its `default.nix` that contains the definition of the options.
 
-- [vm][./vm] contains options specific to making the service run in local QEMU
+- [vm](./vm) contains options specific to making the service run in local QEMU
   VMs. These modules will for instance override the defaults to disable SSL, and
   they will add virtualisation options to forward ports, for instance.
 
-- [tests][./tests] contain full NixOS tests of the services.
+- [tests](./tests) contain full NixOS tests of the services.

services/fediversity/attic/default.nix

@@ -0,0 +1,326 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkIf mkMerge;
+  sources = import ../../../npins;
+in
+{
+  imports = with sources; [
+    ./options.nix
+    "${vars}/options.nix"
+    "${vars}/backends/on-machine.nix"
+  ];
+
+  config = mkMerge [
+    (mkIf
+      (
+        config.fediversity.garage.enable
+        && config.fediversity.attic.s3AccessKeyFile != null
+        && config.fediversity.attic.s3SecretKeyFile != null
+      )
+      {
+        fediversity.garage = {
+          ensureBuckets = {
+            attic = {
+              website = true;
+              # TODO: these are too broad, after getting everything to work narrow it down to the domain we actually want
+              corsRules = {
+                enable = true;
+                allowedHeaders = [ "*" ];
+                allowedMethods = [ "GET" ];
+                allowedOrigins = [ "*" ];
+              };
+            };
+          };
+          ensureKeys = {
+            attic = {
+              inherit (config.fediversity.attic) s3AccessKeyFile s3SecretKeyFile;
+              ensureAccess = {
+                attic = {
+                  read = true;
+                  write = true;
+                  owner = true;
+                };
+              };
+            };
+          };
+        };
+      }
+    )
+    (mkIf config.fediversity.attic.enable {
+
+      services.postgresql = {
+        enable = true;
+        authentication = lib.mkForce ''
+          local all all trust
+        '';
+        ensureDatabases = [
+          "atticd"
+        ];
+        ensureUsers = [
+          {
+            name = "atticd";
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+
+      # open up access to the mastodon web interface. 80 is necessary if only for ACME
+      networking.firewall.allowedTCPPorts = [
+        80
+        443
+        8080
+        9000
+      ];
+
+      vars.settings.on-machine.enable = true;
+      vars.generators."templates" = rec {
+        dependencies = [ "attic" ];
+        runtimeInputs = [
+          pkgs.coreutils
+          pkgs.gnused
+        ];
+        script = lib.concatStringsSep "\n" (
+          lib.mapAttrsToList (template: _: ''
+            cp "$templates/${template}" "$out/${template}"
+            echo "filling placeholders in template ${template}..."
+            ${lib.concatStringsSep "\n" (
+              lib.mapAttrsToList (
+                parent:
+                { placeholder, ... }:
+                ''
+                  sed -i "s/${placeholder}/$(cat "$in/attic/${parent}")/g" "$out/${template}"
+                  echo "- substituted ${parent}"
+                ''
+              ) config.vars.generators."attic".files
+            )}
+          '') files
+        );
+
+        files."attic.env" = {
+          secret = true;
+          template = pkgs.writeText "attic.env" ''
+            ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="${config.vars.generators.attic.files.token.placeholder}"
+            AWS_ACCESS_KEY_ID="$(cat ${config.fediversity.attic.s3AccessKeyFile})"
+            AWS_SECRET_ACCESS_KEY="$(cat ${config.fediversity.attic.s3SecretKeyFile})"
+          '';
+        };
+      };
+
+      vars.generators.attic = {
+        runtimeInputs = [
+          pkgs.coreutils
+          pkgs.openssl
+        ];
+        files.token.secret = true;
+        script = ''
+          openssl genrsa -traditional 4096 | base64 -w0 > "$out"/token
+        '';
+      };
+
+      services.atticd = {
+        enable = true;
+        # one `monolithic` and any number of `api-server` nodes
+        mode = "monolithic";
+
+        environmentFile = config.vars.generators."templates".files."attic.env".path;
+
+        # https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
+        settings = {
+          # Socket address to listen on
+          # listen = "[::]:8080";
+          listen = "0.0.0.0:8080";
+          # listen = "127.0.0.1:8080";
+
+          # Allowed `Host` headers
+          #
+          # This _must_ be configured for production use. If unconfigured or the
+          # list is empty, all `Host` headers are allowed.
+          allowed-hosts = [ ];
+
+          # The canonical API endpoint of this server
+          #
+          # This is the endpoint exposed to clients in `cache-config` responses.
+          #
+          # This _must_ be configured for production use. If not configured, the
+          # API endpoint is synthesized from the client's `Host` header which may
+          # be insecure.
+          #
+          # The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
+          # not `https://domain.tld/attic`).
+          api-endpoint = "http://${config.fediversity.attic.domain}/";
+
+          # Whether to soft-delete caches
+          #
+          # If this is enabled, caches are soft-deleted instead of actually
+          # removed from the database. Note that soft-deleted caches cannot
+          # have their names reused as long as the original database records
+          # are there.
+          #soft-delete-caches = false;
+
+          # Whether to require fully uploading a NAR if it exists in the global cache.
+          #
+          # If set to false, simply knowing the NAR hash is enough for
+          # an uploader to gain access to an existing NAR in the global
+          # cache.
+          #require-proof-of-possession = true;
+
+          # Database connection
+          database = {
+            # Connection URL
+            #
+            # For production use it's recommended to use PostgreSQL.
+            # url = "postgresql:///atticd:password@127.0.0.1:5432/atticd";
+            url = "postgresql:///atticd?host=/run/postgresql";
+
+            # Whether to enable sending on periodic heartbeat queries
+            #
+            # If enabled, a heartbeat query will be sent every minute
+            #heartbeat = false;
+          };
+
+          # File storage configuration
+          storage = {
+            # Storage type
+            #
+            # Can be "local" or "s3".
+            type = "s3";
+
+            # ## Local storage
+
+            # The directory to store all files under
+            # path = "%storage_path%";
+
+            # ## S3 Storage (set type to "s3" and uncomment below)
+
+            # The AWS region
+            region = "garage";
+
+            # The name of the bucket
+            bucket = "attic";
+
+            # Custom S3 endpoint
+            #
+            # Set this if you are using an S3-compatible object storage (e.g., Minio).
+            endpoint = config.fediversity.garage.api.url;
+
+            # Credentials
+            #
+            # If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
+            # `AWS_SECRET_ACCESS_KEY` environment variables.
+            # storage.credentials = {
+            #   access_key_id = "";
+            #   secret_access_key = "";
+            # };
+          };
+
+          # Data chunking
+          #
+          # Warning: If you change any of the values here, it will be
+          # difficult to reuse existing chunks for newly-uploaded NARs
+          # since the cutpoints will be different. As a result, the
+          # deduplication ratio will suffer for a while after the change.
+          chunking = {
+            # The minimum NAR size to trigger chunking
+            #
+            # If 0, chunking is disabled entirely for newly-uploaded NARs.
+            # If 1, all NARs are chunked.
+            nar-size-threshold = 65536; # chunk files that are 64 KiB or larger
+
+            # The preferred minimum size of a chunk, in bytes
+            min-size = 16384; # 16 KiB
+
+            # The preferred average size of a chunk, in bytes
+            avg-size = 65536; # 64 KiB
+
+            # The preferred maximum size of a chunk, in bytes
+            max-size = 262144; # 256 KiB
+          };
+
+          # Compression
+          compression = {
+            # Compression type
+            #
+            # Can be "none", "brotli", "zstd", or "xz"
+            type = "zstd";
+
+            # Compression level
+            #level = 8;
+          };
+
+          # Garbage collection
+          garbage-collection = {
+            # The frequency to run garbage collection at
+            #
+            # By default it's 12 hours. You can use natural language
+            # to specify the interval, like "1 day".
+            #
+            # If zero, automatic garbage collection is disabled, but
+            # it can still be run manually with `atticd --mode garbage-collector-once`.
+            interval = "12 hours";
+
+            # Default retention period
+            #
+            # Zero (default) means time-based garbage-collection is
+            # disabled by default. You can enable it on a per-cache basis.
+            #default-retention-period = "6 months";
+          };
+
+          # jwt = {
+          # WARNING: Changing _anything_ in this section will break any existing
+          # tokens. If you need to regenerate them, ensure that you use the the
+          # correct secret and include the `iss` and `aud` claims.
+
+          # JWT `iss` claim
+          #
+          # Set this to the JWT issuer that you want to validate.
+          # If this is set, all received JWTs will validate that the `iss` claim
+          # matches this value.
+          #token-bound-issuer = "some-issuer";
+
+          # JWT `aud` claim
+          #
+          # Set this to the JWT audience(s) that you want to validate.
+          # If this is set, all received JWTs will validate that the `aud` claim
+          # contains at least one of these values.
+          #token-bound-audiences = ["some-audience1", "some-audience2"];
+          # };
+
+          # jwt.signing = {
+          # You must configure JWT signing and verification inside your TOML configuration by setting one of the following options in the [jwt.signing] block:
+          # * token-rs256-pubkey-base64
+          # * token-rs256-secret-base64
+          # * token-hs256-secret-base64
+          # or by setting one of the following environment variables:
+          # * ATTIC_SERVER_TOKEN_RS256_PUBKEY_BASE64
+          # * ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64
+          # * ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64
+          # Options will be tried in that same order (configuration options first, then environment options if none of the configuration options were set, starting with the respective RSA pubkey option, the RSA secret option, and finally the HMAC secret option). The first option that is found will be used.
+          # If an RS256 pubkey (asymmetric RSA PEM PKCS1 public key) is provided, it will only be possible to verify received JWTs, and not sign new JWTs.
+          # If an RS256 secret (asymmetric RSA PEM PKCS1 private key) is provided, it will be used for both signing new JWTs and verifying received JWTs.
+          # If an HS256 secret (symmetric HMAC secret) is provided, it will be used for both signing new JWTs and verifying received JWTs.
+
+          # JWT RS256 secret key
+          #
+          # Set this to the base64-encoded private half of an RSA PEM PKCS1 key.
+          # TODO
+          # You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64`
+          # environment variable.
+          # token-rs256-secret-base64 = "%token_rs256_secret_base64%";
+
+          # JWT HS256 secret key
+          #
+          # Set this to the base64-encoded HMAC secret key.
+          # You can also set it via the `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64`
+          # environment variable.
+          #token-hs256-secret-base64 = "";
+          # };
+        };
+      };
+    })
+  ];
+}

services/fediversity/attic/options.nix

@@ -0,0 +1,14 @@
+{ config, lib, ... }:
+
+{
+  options.fediversity.attic =
+    (import ../sharedOptions.nix {
+      inherit config lib;
+      serviceName = "attic";
+      serviceDocName = "Attic Nix Cache server";
+    })
+    //
+
+    {
+    };
+}

services/fediversity/default.nix

@@ -13,6 +13,7 @@ in
     ./mastodon
     ./pixelfed
     ./peertube
+    ./attic
   ];
 
   options = {
@@ -65,4 +66,16 @@ in
       };
     };
   };
+
+  config = {
+    ## FIXME: This should clearly go somewhere else; and we should have a
+    ## `staging` vs. `production` setting somewhere.
+    security.acme = {
+      acceptTerms = true;
+      # use a priority more urgent than mkDefault for panel deployment to work,
+      # yet looser than default so this will not clash with the setting in tests.
+      defaults.email = lib.modules.mkOverride 200 "something@fediversity.net";
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+    };
+  };
 }