increase numInstances to 5

Revert "switch to podman"
This reverts commit 60e7b841a9.
2025-07-11 16:19:35 +02:00 · 2025-07-11 16:19:35 +02:00 · 2025-07-11 16:19:35 +02:00 · 2025-07-11 16:19:35 +02:00 · 2025-07-11 16:19:35 +02:00 · 2025-07-11 16:19:35 +02:00
47 changed files with 871 additions and 522 deletions
--- a/.forgejo/workflows/cd.yaml
+++ b/.forgejo/workflows/cd.yaml
@ -0,0 +1,24 @@
 name: deploy-infra
 on:
  workflow_dispatch: # allows manual triggering
  push:
    branches:
      # - main
 jobs:
  deploy:
    runs-on: native
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set up SSH key to access age secrets
        run: |
          env
          mkdir -p ~/.ssh
          echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
      - name: Deploy
        run: nix-shell --run 'nixops4 apply default'
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@ -10,43 +10,43 @@ on:
 jobs:
  check-pre-commit:
-    runs-on: native
+    runs-on: nix
    steps:
      - uses: actions/checkout@v4
      - run: nix-build -A tests
  check-data-model:
-    runs-on: native
+    runs-on: nix
    steps:
      - uses: actions/checkout@v4
      - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'
  check-peertube:
-    runs-on: native
+    runs-on: nix
    steps:
      - uses: actions/checkout@v4
      - run: nix-build services -A tests.peertube
  check-panel:
-    runs-on: native
+    runs-on: nix
    steps:
      - uses: actions/checkout@v4
      - run: nix-build panel -A tests
  check-deployment-basic:
-    runs-on: native
+    runs-on: nix
    steps:
      - uses: actions/checkout@v4
      - run: nix build .#checks.x86_64-linux.deployment-basic -L
  check-deployment-cli:
-    runs-on: native
+    runs-on: nix
    steps:
      - uses: actions/checkout@v4
      - run: nix build .#checks.x86_64-linux.deployment-cli -L
  check-deployment-panel:
-    runs-on: native
+    runs-on: nix
    steps:
      - uses: actions/checkout@v4
      - run: nix build .#checks.x86_64-linux.deployment-panel -L
--- a/.forgejo/workflows/update.yaml
+++ b/.forgejo/workflows/update.yaml
@ -8,14 +8,14 @@ on:
 jobs:
  lockfile:
-    runs-on: native
+    runs-on: nix
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Update pins
        run: nix-shell --run "npins update"
      - name: Create PR
-        uses: github.com/quentinlegot/gitea-create-pull-request@d1fd3e1f0c98ee7a009c035f9b7ad3f3bdc0f281
+        uses: https://github.com/KiaraGrouwstra/gitea-create-pull-request@f9f80aa5134bc5c03c38f5aaa95053492885b397
        with:
          remote-instance-api-version: v1
          token: "${{ secrets.DEPLOY_KEY }}"
--- a/deployment/check/basic/constants.nix
+++ b/deployment/check/basic/constants.nix
@ -0,0 +1,8 @@
 {
  targetMachines = [
    "hello"
    "cowsay"
  ];
  pathToRoot = ../../..;
  pathFromRoot = ./.;
 }
--- a/deployment/check/basic/default.nix
+++ b/deployment/check/basic/default.nix
@ -0,0 +1,14 @@
 {
  runNixOSTest,
  inputs,
  sources,
 }:
 runNixOSTest {
  imports = [
    ../common/nixosTest.nix
    ./nixosTest.nix
  ];
  _module.args = { inherit inputs sources; };
  inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
 }
--- a/deployment/check/basic/deployment.nix
+++ b/deployment/check/basic/deployment.nix
@ -0,0 +1,36 @@
 {
  inputs,
  sources,
  lib,
  providers,
  ...
 }:
 let
  inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
 in
 {
  providers = {
    inherit (inputs.nixops4.modules.nixops4Provider) local;
  };
  resources = lib.genAttrs targetMachines (nodeName: {
    type = providers.local.exec;
    imports = [
      inputs.nixops4-nixos.modules.nixops4Resource.nixos
      ../common/targetResource.nix
    ];
    _module.args = { inherit inputs sources; };
    inherit nodeName pathToRoot pathFromRoot;
    nixos.module =
      { pkgs, ... }:
      {
        environment.systemPackages = [ pkgs.${nodeName} ];
      };
  });
 }
--- a/deployment/check/basic/flake-part.nix
+++ b/deployment/check/basic/flake-part.nix
@ -1,57 +0,0 @@
 {
  self,
  inputs,
  lib,
  sources,
  ...
 }:
 let
  inherit (lib) genAttrs;
  targetMachines = [
    "hello"
    "cowsay"
  ];
  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
  pathFromRoot = ./.;
 in
 {
  _class = "flake";
  perSystem =
    { pkgs, ... }:
    {
      checks.deployment-basic = pkgs.testers.runNixOSTest {
        imports = [
          ../common/nixosTest.nix
          ./nixosTest.nix
        ];
        _module.args = { inherit inputs sources; };
        inherit targetMachines pathToRoot pathFromRoot;
      };
    };
  nixops4Deployments.check-deployment-basic =
    { providers, ... }:
    {
      providers = {
        inherit (inputs.nixops4.modules.nixops4Provider) local;
      };
      resources = genAttrs targetMachines (nodeName: {
        type = providers.local.exec;
        imports = [
          inputs.nixops4-nixos.modules.nixops4Resource.nixos
          ../common/targetResource.nix
        ];
        _module.args = { inherit inputs sources; };
        inherit nodeName pathToRoot pathFromRoot;
        nixos.module =
          { pkgs, ... }:
          {
            environment.systemPackages = [ pkgs.${nodeName} ];
          };
      });
    };
 }
--- a/deployment/check/basic/flake-under-test.nix
+++ b/deployment/check/basic/flake-under-test.nix
@ -0,0 +1,22 @@
 {
  inputs = {
    nixops4.follows = "nixops4-nixos/nixops4";
    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
  };
  outputs =
    inputs:
    import ./mkFlake.nix inputs (
      { inputs, sources, ... }:
      {
        imports = [
          inputs.nixops4.modules.flake.default
        ];
        nixops4Deployments.check-deployment-basic = {
          imports = [ ./deployment/check/basic/deployment.nix ];
          _module.args = { inherit inputs sources; };
        };
      }
    );
 }
--- a/deployment/check/basic/nixosTest.nix
+++ b/deployment/check/basic/nixosTest.nix
@ -1,10 +1,15 @@
-{ inputs, ... }:
+{ inputs, lib, ... }:
 {
  _class = "nixosTest";
  name = "deployment-basic";
  sourceFileset = lib.fileset.unions [
    ./constants.nix
    ./deployment.nix
  ];
  nodes.deployer =
    { pkgs, ... }:
    {
--- a/deployment/check/cli/constants.nix
+++ b/deployment/check/cli/constants.nix
@ -0,0 +1,11 @@
 {
  targetMachines = [
    "garage"
    "mastodon"
    "peertube"
    "pixelfed"
  ];
  pathToRoot = ../../..;
  pathFromRoot = ./.;
  enableAcme = true;
 }
--- a/deployment/check/cli/default.nix
+++ b/deployment/check/cli/default.nix
@ -0,0 +1,19 @@
 {
  runNixOSTest,
  inputs,
  sources,
 }:
 runNixOSTest {
  imports = [
    ../common/nixosTest.nix
    ./nixosTest.nix
  ];
  _module.args = { inherit inputs sources; };
  inherit (import ./constants.nix)
    targetMachines
    pathToRoot
    pathFromRoot
    enableAcme
    ;
 }
--- a/deployment/check/cli/deployments.nix
+++ b/deployment/check/cli/deployments.nix
@ -0,0 +1,59 @@
 {
  inputs,
  sources,
  lib,
 }:
 let
  inherit (builtins) fromJSON readFile listToAttrs;
  inherit (import ./constants.nix)
    targetMachines
    pathToRoot
    pathFromRoot
    enableAcme
    ;
  makeTargetResource = nodeName: {
    imports = [ ../common/targetResource.nix ];
    _module.args = { inherit inputs sources; };
    inherit
      nodeName
      pathToRoot
      pathFromRoot
      enableAcme
      ;
  };
  ## The deployment function - what we are here to test!
  ##
  ## TODO: Modularise `deployment/default.nix` to get rid of the nested
  ## function calls.
  makeTestDeployment =
    args:
    (import ../..)
      {
        inherit lib;
        inherit (inputs) nixops4 nixops4-nixos;
        fediversity = import ../../../services/fediversity;
      }
      (listToAttrs (
        map (nodeName: {
          name = "${nodeName}ConfigurationResource";
          value = makeTargetResource nodeName;
        }) targetMachines
      ))
      (fromJSON (readFile ../../configuration.sample.json) // args);
 in
 {
  check-deployment-cli-nothing = makeTestDeployment { };
  check-deployment-cli-mastodon-pixelfed = makeTestDeployment {
    mastodon.enable = true;
    pixelfed.enable = true;
  };
  check-deployment-cli-peertube = makeTestDeployment {
    peertube.enable = true;
  };
 }
--- a/deployment/check/cli/flake-part.nix
+++ b/deployment/check/cli/flake-part.nix
@ -1,90 +0,0 @@
 {
  self,
  inputs,
  lib,
  sources,
  ...
 }:
 let
  inherit (builtins) fromJSON readFile listToAttrs;
  targetMachines = [
    "garage"
    "mastodon"
    "peertube"
    "pixelfed"
  ];
  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
  pathFromRoot = ./.;
  enableAcme = true;
 in
 {
  _class = "flake";
  perSystem =
    { pkgs, ... }:
    {
      checks.deployment-cli = pkgs.testers.runNixOSTest {
        imports = [
          ../common/nixosTest.nix
          ./nixosTest.nix
        ];
        _module.args = { inherit inputs sources; };
        inherit
          targetMachines
          pathToRoot
          pathFromRoot
          enableAcme
          ;
      };
    };
  nixops4Deployments =
    let
      makeTargetResource = nodeName: {
        imports = [ ../common/targetResource.nix ];
        _module.args = { inherit inputs sources; };
        inherit
          nodeName
          pathToRoot
          pathFromRoot
          enableAcme
          ;
      };
      ## The deployment function - what we are here to test!
      ##
      ## TODO: Modularise `deployment/default.nix` to get rid of the nested
      ## function calls.
      makeTestDeployment =
        args:
        (import ../..)
          {
            inherit lib;
            inherit (inputs) nixops4 nixops4-nixos;
            fediversity = import ../../../services/fediversity;
          }
          (listToAttrs (
            map (nodeName: {
              name = "${nodeName}ConfigurationResource";
              value = makeTargetResource nodeName;
            }) targetMachines
          ))
          (fromJSON (readFile ../../configuration.sample.json) // args);
    in
    {
      check-deployment-cli-nothing = makeTestDeployment { };
      check-deployment-cli-mastodon-pixelfed = makeTestDeployment {
        mastodon.enable = true;
        pixelfed.enable = true;
      };
      check-deployment-cli-peertube = makeTestDeployment {
        peertube.enable = true;
      };
    };
 }
--- a/deployment/check/cli/flake-under-test.nix
+++ b/deployment/check/cli/flake-under-test.nix
@ -0,0 +1,26 @@
 {
  inputs = {
    nixops4.follows = "nixops4-nixos/nixops4";
    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
  };
  outputs =
    inputs:
    import ./mkFlake.nix inputs (
      {
        inputs,
        sources,
        lib,
        ...
      }:
      {
        imports = [
          inputs.nixops4.modules.flake.default
        ];
        nixops4Deployments = import ./deployment/check/cli/deployments.nix {
          inherit inputs sources lib;
        };
      }
    );
 }
--- a/deployment/check/cli/nixosTest.nix
+++ b/deployment/check/cli/nixosTest.nix
@ -1,4 +1,9 @@
-{ inputs, hostPkgs, ... }:
+{
  inputs,
  hostPkgs,
  lib,
  ...
 }:
 let
  ## Some places need a dummy file that will in fact never be used. We create
@ -11,6 +16,21 @@ in
  name = "deployment-cli";
  sourceFileset = lib.fileset.unions [
    ./constants.nix
    ./deployments.nix
    # REVIEW: I would like to be able to grab all of `/deployment` minus
    # `/deployment/check`, but I can't because there is a bunch of other files
    # in `/deployment`. Maybe we can think of a reorg making things more robust
    # here? (comment also in panel test)
    ../../default.nix
    ../../options.nix
    ../../configuration.sample.json
    ../../../services/fediversity
  ];
  nodes.deployer =
    { pkgs, ... }:
    {
--- a/deployment/check/common/deployerNode.nix
+++ b/deployment/check/common/deployerNode.nix
@ -54,12 +54,13 @@ in
    system.extraDependencies =
      [
        inputs.flake-parts
        inputs.flake-parts.inputs.nixpkgs-lib
        inputs.nixops4
        inputs.nixops4-nixos
        inputs.nixpkgs
        sources.flake-parts
        sources.flake-inputs
        sources.git-hooks
        pkgs.stdenv
        pkgs.stdenvNoCC
--- a/deployment/check/common/nixosTest.nix
+++ b/deployment/check/common/nixosTest.nix
@ -13,6 +13,7 @@ let
    toJSON
    ;
  inherit (lib)
    types
    fileset
    mkOption
    genAttrs
@ -27,14 +28,6 @@ let
  forConcat = xs: f: concatStringsSep "\n" (map f xs);
  ## The whole repository, with the flake at its root.
  ## FIXME: We could probably have fileset be the union of ./. with flake.nix
  ## and flake.lock - I doubt we need anything else.
  src = fileset.toSource {
    fileset = config.pathToRoot;
    root = config.pathToRoot;
  };
  ## We will need to override some inputs by the empty flake, so we make one.
  emptyFlake = runCommandNoCC "empty-flake" { } ''
    mkdir $out
@ -53,9 +46,39 @@ in
    ## FIXME: I wish I could just use `testScript` but with something like
    ## `mkOrder` to put this module's string before something else.
    extraTestScript = mkOption { };
    sourceFileset = mkOption {
      ## REVIEW: Upstream to nixpkgs?
      type = types.mkOptionType {
        name = "fileset";
        description = "fileset";
        descriptionClass = "noun";
        check = (x: (builtins.tryEval (fileset.unions [ x ])).success);
        merge = (_: defs: fileset.unions (map (x: x.value) defs));
      };
      description = ''
        A fileset that will be copied to the deployer node in the current
        working directory. This should contain all the files that are
        necessary to run that particular test, such as the NixOS
        modules necessary to evaluate a deployment.
      '';
    };
  };
  config = {
    sourceFileset = fileset.unions [
      # NOTE: not the flake itself; it will be overridden.
      ../../../mkFlake.nix
      ../../../flake.lock
      ../../../npins
      ./sharedOptions.nix
      ./targetNode.nix
      ./targetResource.nix
      (config.pathToCwd + "/flake-under-test.nix")
    ];
    acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
    nodes =
@ -103,8 +126,16 @@ in
        ${n}.wait_for_unit("multi-user.target")
      '')}
      ## A subset of the repository that is necessary for this test. It will be
      ## copied inside the test. The smaller this set, the faster our CI, because we
      ## won't need to re-run when things change outside of it.
      with subtest("Unpacking"):
-        deployer.succeed("cp -r --no-preserve=mode ${src}/* .")
+        deployer.succeed("cp -r --no-preserve=mode ${
          fileset.toSource {
            root = ../../..;
            fileset = config.sourceFileset;
          }
        }/* .")
      with subtest("Configure the network"):
        ${forConcat config.targetMachines (
@ -134,11 +165,16 @@ in
      ## NOTE: This is super slow. It could probably be optimised in Nix, for
      ## instance by allowing to grab things directly from the host's store.
-      with subtest("Override the lock"):
+      ##
      ## NOTE: We use the repository as-is (cf `src` above), overriding only
      ## `flake.nix` by our `flake-under-test.nix`. We also override the flake
      ## lock file to use locally available inputs, as we cannot download them.
      ##
      with subtest("Override the flake and its lock"):
        deployer.succeed("cp ${config.pathFromRoot}/flake-under-test.nix flake.nix")
        deployer.succeed("""
          nix flake lock --extra-experimental-features 'flakes nix-command' \
            --offline -v \
            --override-input flake-parts ${inputs.flake-parts} \
            --override-input nixops4 ${inputs.nixops4.packages.${system}.flake-in-a-bottle} \
            \
            --override-input nixops4-nixos ${inputs.nixops4-nixos} \
@ -150,9 +186,6 @@ in
              inputs.nixops4-nixos.inputs.nixops4.packages.${system}.flake-in-a-bottle
            } \
            --override-input nixops4-nixos/git-hooks-nix ${emptyFlake} \
            \
            --override-input nixpkgs ${inputs.nixpkgs} \
            --override-input git-hooks ${inputs.git-hooks} \
            ;
        """)
--- a/deployment/check/panel/constants.nix
+++ b/deployment/check/panel/constants.nix
@ -0,0 +1,11 @@
 {
  targetMachines = [
    "garage"
    "mastodon"
    "peertube"
    "pixelfed"
  ];
  pathToRoot = ../../..;
  pathFromRoot = ./.;
  enableAcme = true;
 }
--- a/deployment/check/panel/default.nix
+++ b/deployment/check/panel/default.nix
@ -0,0 +1,19 @@
 {
  runNixOSTest,
  inputs,
  sources,
 }:
 runNixOSTest {
  imports = [
    ../common/nixosTest.nix
    ./nixosTest.nix
  ];
  _module.args = { inherit inputs sources; };
  inherit (import ./constants.nix)
    targetMachines
    pathToRoot
    pathFromRoot
    enableAcme
    ;
 }
--- a/deployment/check/panel/deployment.nix
+++ b/deployment/check/panel/deployment.nix
@ -0,0 +1,58 @@
 {
  inputs,
  sources,
  lib,
 }:
 let
  inherit (builtins) fromJSON listToAttrs;
  inherit (import ./constants.nix)
    targetMachines
    pathToRoot
    pathFromRoot
    enableAcme
    ;
  makeTargetResource = nodeName: {
    imports = [ ../common/targetResource.nix ];
    _module.args = { inherit inputs sources; };
    inherit
      nodeName
      pathToRoot
      pathFromRoot
      enableAcme
      ;
  };
  ## The deployment function - what we are here to test!
  ##
  ## TODO: Modularise `deployment/default.nix` to get rid of the nested
  ## function calls.
  makeTestDeployment =
    args:
    (import ../..)
      {
        inherit lib;
        inherit (inputs) nixops4 nixops4-nixos;
        fediversity = import ../../../services/fediversity;
      }
      (listToAttrs (
        map (nodeName: {
          name = "${nodeName}ConfigurationResource";
          value = makeTargetResource nodeName;
        }) targetMachines
      ))
      args;
 in
 makeTestDeployment (
  fromJSON (
    let
      env = builtins.getEnv "DEPLOYMENT";
    in
    if env == "" then
      throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
    else
      env
  )
 )
--- a/deployment/check/panel/flake-part.nix
+++ b/deployment/check/panel/flake-part.nix
@ -1,94 +0,0 @@
 {
  self,
  inputs,
  lib,
  sources,
  ...
 }:
 let
  inherit (builtins)
    fromJSON
    listToAttrs
    ;
  targetMachines = [
    "garage"
    "mastodon"
    "peertube"
    "pixelfed"
  ];
  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
  pathFromRoot = ./.;
  enableAcme = true;
 in
 {
  _class = "flake";
  perSystem =
    { pkgs, ... }:
    {
      checks.deployment-panel = pkgs.testers.runNixOSTest {
        imports = [
          ../common/nixosTest.nix
          ./nixosTest.nix
        ];
        _module.args = { inherit inputs sources; };
        inherit
          targetMachines
          pathToRoot
          pathFromRoot
          enableAcme
          ;
      };
    };
  nixops4Deployments =
    let
      makeTargetResource = nodeName: {
        imports = [ ../common/targetResource.nix ];
        _module.args = { inherit inputs sources; };
        inherit
          nodeName
          pathToRoot
          pathFromRoot
          enableAcme
          ;
      };
      ## The deployment function - what we are here to test!
      ##
      ## TODO: Modularise `deployment/default.nix` to get rid of the nested
      ## function calls.
      makeTestDeployment =
        args:
        (import ../..)
          {
            inherit lib;
            inherit (inputs) nixops4 nixops4-nixos;
            fediversity = import ../../../services/fediversity;
          }
          (listToAttrs (
            map (nodeName: {
              name = "${nodeName}ConfigurationResource";
              value = makeTargetResource nodeName;
            }) targetMachines
          ))
          args;
    in
    {
      check-deployment-panel = makeTestDeployment (
        fromJSON (
          let
            env = builtins.getEnv "DEPLOYMENT";
          in
          if env == "" then
            throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
          else
            env
        )
      );
    };
 }
--- a/deployment/check/panel/flake-under-test.nix
+++ b/deployment/check/panel/flake-under-test.nix
@ -0,0 +1,26 @@
 {
  inputs = {
    nixops4.follows = "nixops4-nixos/nixops4";
    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
  };
  outputs =
    inputs:
    import ./mkFlake.nix inputs (
      {
        inputs,
        sources,
        lib,
        ...
      }:
      {
        imports = [
          inputs.nixops4.modules.flake.default
        ];
        nixops4Deployments.check-deployment-panel = import ./deployment/check/panel/deployment.nix {
          inherit inputs sources lib;
        };
      }
    );
 }
--- a/deployment/check/panel/nixosTest.nix
+++ b/deployment/check/panel/nixosTest.nix
@ -125,6 +125,20 @@ in
  name = "deployment-panel";
  sourceFileset = lib.fileset.unions [
    ./constants.nix
    ./deployment.nix
    # REVIEW: I would like to be able to grab all of `/deployment` minus
    # `/deployment/check`, but I can't because there is a bunch of other files
    # in `/deployment`. Maybe we can think of a reorg making things more robust
    # here? (comment also in CLI test)
    ../../default.nix
    ../../options.nix
    ../../../services/fediversity
  ];
  ## The panel's module sets `nixpkgs.overlays` which clashes with
  ## `pkgsReadOnly`. We disable it here.
  node.pkgsReadOnly = false;
--- a/deployment/flake-part.nix
+++ b/deployment/flake-part.nix
@ -1,9 +1,26 @@
 { inputs, sources, ... }:
 {
  _class = "flake";
-  imports = [
+  perSystem =
-    ./check/basic/flake-part.nix
+    { pkgs, ... }:
-    ./check/cli/flake-part.nix
+    {
-    ./check/panel/flake-part.nix
+      checks = {
-  ];
+        deployment-basic = import ./check/basic {
          inherit (pkgs.testers) runNixOSTest;
          inherit inputs sources;
        };
        deployment-cli = import ./check/cli {
          inherit (pkgs.testers) runNixOSTest;
          inherit inputs sources;
        };
        deployment-panel = import ./check/panel {
          inherit (pkgs.testers) runNixOSTest;
          inherit inputs sources;
        };
      };
    };
 }
--- a/flake.lock
+++ b/flake.lock
@ -59,22 +59,6 @@
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1733328505,
@ -90,7 +74,7 @@
        "type": "github"
      }
    },
-    "flake-compat_4": {
+    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@ -143,24 +127,6 @@
      }
    },
    "flake-parts_3": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib_3"
      },
      "locked": {
        "lastModified": 1738453229,
        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-parts_4": {
      "inputs": {
        "nixpkgs-lib": [
          "nixops4-nixos",
@ -201,32 +167,12 @@
        "type": "github"
      }
    },
-    "git-hooks": {
+    "git-hooks-nix": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1742649964,
        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "git-hooks-nix": {
      "inputs": {
        "flake-compat": "flake-compat_2",
        "gitignore": "gitignore_2",
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1737465171,
        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
@ -281,27 +227,6 @@
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "git-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "gitignore_2": {
      "inputs": {
        "nixpkgs": [
          "nixops4-nixos",
@ -341,8 +266,8 @@
    },
    "nix": {
      "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
-        "flake-parts": "flake-parts_4",
+        "flake-parts": "flake-parts_3",
        "git-hooks-nix": "git-hooks-nix_2",
        "nixfmt": "nixfmt",
        "nixpkgs": [
@ -416,10 +341,10 @@
    },
    "nixops4": {
      "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_2",
        "nix": "nix",
        "nix-cargo-integration": "nix-cargo-integration",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-old": "nixpkgs-old"
      },
      "locked": {
@ -438,7 +363,7 @@
    },
    "nixops4-nixos": {
      "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
        "git-hooks-nix": "git-hooks-nix",
        "nixops4": "nixops4",
        "nixops4-nixos": [
@ -520,18 +445,6 @@
        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
      }
    },
    "nixpkgs-lib_3": {
      "locked": {
        "lastModified": 1738452942,
        "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
        "type": "tarball",
        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
      }
    },
    "nixpkgs-old": {
      "locked": {
        "lastModified": 1735563628,
@ -565,22 +478,6 @@
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1730768919,
        "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1738410390,
        "narHash": "sha256-xvTo0Aw0+veek7hvEVLzErmJyQkEcRk6PSR4zsRQFEc=",
@ -621,7 +518,7 @@
    },
    "purescript-overlay": {
      "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_3",
        "nixpkgs": [
          "nixops4-nixos",
          "nixops4",
@ -664,8 +561,6 @@
    },
    "root": {
      "inputs": {
        "flake-parts": "flake-parts",
        "git-hooks": "git-hooks",
        "nixops4": [
          "nixops4-nixos",
          "nixops4"
--- a/flake.nix
+++ b/flake.nix
@ -1,52 +1,16 @@
 {
  inputs = {
    flake-parts.url = "github:hercules-ci/flake-parts";
    git-hooks.url = "github:cachix/git-hooks.nix";
    nixops4.follows = "nixops4-nixos/nixops4";
    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
  };
  outputs =
-    inputs@{ self, flake-parts, ... }:
+    inputs:
-    let
+    import ./mkFlake.nix inputs (
-      sources = import ./npins;
+      { inputs, sources, ... }:
      inherit (import sources.flake-inputs) import-flake;
      inherit (sources) git-hooks;
      # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
      # XXX - this is just importing a flake
      nixpkgs = import-flake { src = sources.nixpkgs; };
      # XXX - this overrides the inputs attached to `self`
      inputs' = self.inputs // {
        nixpkgs = nixpkgs;
      };
      self' = self // {
        inputs = inputs';
      };
    in
    # XXX - finally we override the overall set of `inputs` -- we need both:
    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
    flake-parts.lib.mkFlake
      {
        inputs = inputs // {
          inherit nixpkgs;
        };
        self = self';
        specialArgs = {
          inherit sources;
        };
      }
      (
        { inputs, ... }:
        {
          systems = [
            "x86_64-linux"
            "aarch64-linux"
            "x86_64-darwin"
            "aarch64-darwin"
          ];
        imports = [
-            "${git-hooks}/flake-module.nix"
+          "${sources.git-hooks}/flake-module.nix"
          inputs.nixops4.modules.flake.default
          ./deployment/flake-part.nix
--- a/infra/common/proxmox-qemu-vm.nix
+++ b/infra/common/proxmox-qemu-vm.nix
@ -1,9 +1,21 @@
-{ modulesPath, ... }:
+let
-
+  # pulling this in manually over from module args resolves an infinite recursion.
  # FIXME: instead untangle `//infra/flake-part.nix` and make it stop passing wild functions.
  # move moving towards a portable-services-like pattern where some things are submodules.
  # Right now those wild functions are for parameterising a bunch of things,
  # and the modular way to do that would be options --
  # obviously you can't use those for `imports`,
  # so one way to decouple fixpoints is to isolate them into submodules.
  # Therefore one approach would be to try to go down the call graph,
  # and see where what's currently a function could be a `submodule` field of something else.
  sources = import ../../npins;
 in
 {
  _class = "nixos";
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  imports = [
    "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
  ];
  boot = {
    initrd = {
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -33,6 +33,10 @@ let
          ;
      };
      nixos.module.imports = [
        ./common/proxmox-qemu-vm.nix
      ];
      imports =
        [
          ./common/resource.nix
@ -40,7 +44,6 @@ let
        ++ (
          if isTestVm then
            [
              ./common/proxmox-qemu-vm.nix
              ../machines/operator/${vmName}
              {
                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
--- a/keys/cd-ssh-key.pub
+++ b/keys/cd-ssh-key.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlsYTtMx3hFO8B5B8iHaXL2JKj9izHeC+/AMhIWXBPs cd-age
--- a/keys/default.nix
+++ b/keys/default.nix
@ -35,4 +35,5 @@ in
  contributors = collectKeys ./contributors;
  systems = collectKeys ./systems;
  panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
  cd = removeTrailingWhitespace (readFile ./cd-ssh-key.pub);
 }
--- a/machines/dev/fedi201/fedipanel.nix
+++ b/machines/dev/fedi201/fedipanel.nix
@ -1,10 +1,10 @@
 {
  config,
  sources,
  ...
 }:
 let
  name = "panel";
  sources = import ../../../npins;
 in
 {
  _class = "nixos";
--- a/machines/dev/forgejo-ci/default.nix
+++ b/machines/dev/forgejo-ci/default.nix
@ -48,7 +48,7 @@ in
      };
      ## NOTE: This is a physical machine, so is not covered by disko
-      fileSystems."/" = {
+      fileSystems."/" = lib.mkForce {
        device = "rpool/root";
        fsType = "zfs";
      };
@ -58,7 +58,7 @@ in
        fsType = "zfs";
      };
-      fileSystems."/boot" = {
+      fileSystems."/boot" = lib.mkForce {
        device = "/dev/disk/by-uuid/50B2-DD3F";
        fsType = "vfat";
        options = [
--- a/machines/dev/forgejo-ci/forgejo-actions-runner.nix
+++ b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
@ -1,19 +1,78 @@
-{ pkgs, config, ... }:
+{
  pkgs,
  lib,
  config,
  ...
 }:
 let
  system = builtins.currentSystem;
  packages =
    let
      sources = import ../../../npins;
      inherit (import sources.flake-inputs) import-flake;
      inherit ((import-flake { src = ../../..; }).inputs) nixops4;
    in
    [
      pkgs.coreutils
      pkgs.findutils
      pkgs.gnugrep
      pkgs.gawk
      pkgs.git
      pkgs.nix
      pkgs.bash
      pkgs.jq
      pkgs.nodejs
      pkgs.npins
      nixops4.packages.${system}.default
    ];
  storeDeps = pkgs.runCommand "store-deps" { } ''
    mkdir -p $out/bin
    for dir in ${toString packages}; do
      for bin in "$dir"/bin/*; do
        ln -s "$bin" "$out/bin/$(basename "$bin")"
      done
    done
    # Add SSL CA certs
    mkdir -p $out/etc/ssl/certs
    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
  '';
  numInstances = 5;
 in
 {
  _class = "nixos";
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
-
+    instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (_: {
    instances.default = {
      enable = true;
      name = config.networking.fqdn;
      url = "https://git.fediversity.eu";
      tokenFile = config.age.secrets.forgejo-runner-token.path;
-
+      ## This runner supports Docker (with a default Ubuntu image) and native
      ## modes. In native mode, it contains a few default packages.
      labels = [
        "nix:docker://gitea-runner-nix"
        "docker:docker://node:16-bullseye"
        "native:host"
      ];
      hostPackages = with pkgs; [
        bash
        git
        nix
        nodejs
      ];
      settings = {
        container = {
          options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
          # the default network that also respects our dns server settings
          network = "host";
          valid_volumes = [
            "/nix"
            "${storeDeps}/bin"
            "${storeDeps}/etc/ssl"
          ];
        };
        log.level = "info";
        runner = {
          file = ".runner";
@ -25,23 +84,165 @@
          fetch_interval = "2s";
        };
      };
-
+    });
      ## This runner supports Docker (with a default Ubuntu image) and native
      ## modes. In native mode, it contains a few default packages.
      labels = [
        "docker:docker://node:16-bullseye"
        "native:host"
      ];
      hostPackages = with pkgs; [
        bash
        git
        nix
        nodejs
      ];
    };
  };
  users = {
    users.nixuser = {
      group = "nixuser";
      description = "Used for running nix ci jobs";
      home = "/var/empty";
      isSystemUser = true;
    };
    groups.nixuser = { };
  };
  virtualisation = {
    ## For the Docker mode of the runner.
-  virtualisation.docker.enable = true;
+    ## Podman seemed to get stuck on the checkout step
    docker.enable = true;
    containers.containersConf.settings = {
      # podman (at least) seems to not work with systemd-resolved
      containers.dns_servers = [
        "8.8.8.8"
        "8.8.4.4"
      ];
    };
  };
  systemd.services =
    {
      gitea-runner-nix-image = {
        wantedBy = [ "multi-user.target" ];
        after = [ "docker.service" ];
        requires = [ "docker.service" ];
        path = [
          pkgs.docker
          pkgs.gnutar
          pkgs.shadow
          pkgs.getent
        ];
        # we also include etc here because the cleanup job also wants the nixuser to be present
        script = ''
          set -eux -o pipefail
          mkdir -p etc/nix
          # Create an unpriveleged user that we can use also without the run-as-user.sh script
          touch etc/passwd etc/group
          groupid=$(cut -d: -f3 < <(getent group nixuser))
          userid=$(cut -d: -f3 < <(getent passwd nixuser))
          groupadd --prefix $(pwd) --gid "$groupid" nixuser
          emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
          cat <<NIX_CONFIG > etc/nix/nix.conf
          accept-flake-config = true
          experimental-features = nix-command flakes
          NIX_CONFIG
          cat <<NSSWITCH > etc/nsswitch.conf
          passwd:    files mymachines systemd
          group:     files mymachines systemd
          shadow:    files
          hosts:     files mymachines dns myhostname
          networks:  files
          ethers:    files
          services:  files
          protocols: files
          rpc:       files
          NSSWITCH
          # list the content as it will be imported into the container
          tar -cv . | tar -tvf -
          tar -cv . | docker import - gitea-runner-nix
        '';
        serviceConfig = {
          RuntimeDirectory = "gitea-runner-nix-image";
          WorkingDirectory = "/run/gitea-runner-nix-image";
          Type = "oneshot";
          RemainAfterExit = true;
        };
      };
    }
    // lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (
      _:
      let
        requires = [ "gitea-runner-nix-image.service" ];
      in
      {
        inherit requires;
        after = requires;
        # TODO: systemd confinement
        serviceConfig = {
          # Hardening (may overlap with DynamicUser=)
          # The following options are only for optimizing output of systemd-analyze
          AmbientCapabilities = "";
          CapabilityBoundingSet = "";
          # ProtectClock= adds DeviceAllow=char-rtc r
          DeviceAllow = "";
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateMounts = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectSystem = "strict";
          RemoveIPC = true;
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          UMask = "0066";
          ProtectProc = "invisible";
          SystemCallFilter = [
            "~@clock"
            "~@cpu-emulation"
            "~@module"
            "~@mount"
            "~@obsolete"
            "~@raw-io"
            "~@reboot"
            "~@swap"
            # needed by go?
            #"~@resources"
            "~@privileged"
            "~capset"
            "~setdomainname"
            "~sethostname"
          ];
          SupplementaryGroups = [ "docker" ];
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
            "AF_UNIX"
            "AF_NETLINK"
          ];
          # Needs network access
          PrivateNetwork = false;
          # Cannot be true due to Node
          MemoryDenyWriteExecute = false;
          # The more restrictive "pid" option makes `nix` commands in CI emit
          # "GC Warning: Couldn't read /proc/stat"
          # You may want to set this to "pid" if not using `nix` commands
          ProcSubset = "all";
          # Coverage programs for compiled code such as `cargo-tarpaulin` disable
          # ASLR (address space layout randomization) which requires the
          # `personality` syscall
          # You may want to set this to `true` if not using coverage tooling on
          # compiled code
          LockPersonality = false;
          # Note that this has some interactions with the User setting; so you may
          # want to consult the systemd docs if using both.
          DynamicUser = true;
        };
      }
    );
 }
--- a/machines/dev/vm02116/forgejo.nix
+++ b/machines/dev/vm02116/forgejo.nix
@ -110,4 +110,8 @@ in
      };
    };
  };
  # needed to imperatively run forgejo commands e.g. to generate runner tokens.
  # example: `sudo su - forgejo -c 'nix-shell -p forgejo --run "gitea actions generate-runner-token -C /var/lib/forgejo/custom"'`
  users.users.forgejo.isNormalUser = true;
 }
--- a/mkFlake.nix
+++ b/mkFlake.nix
@ -0,0 +1,54 @@
 ## This file contains a tweak of flake-parts's `mkFlake` function to splice in
 ## sources taken from npins.
 ## NOTE: Much of the logic in this file feels like it should be not super
 ## specific to fediversity. Could it make sense to extract the core of this to
 ## another place it feels closer to in spirit, such as @fricklerhandwerk's
 ## flake-inputs (which this code already depends on anyway, and which already
 ## contained two distinct helpers for migrating away from flakes)? cf
 ## https://git.fediversity.eu/Fediversity/Fediversity/pulls/447#issuecomment-8671
 inputs@{ self, ... }:
 let
  sources = import ./npins;
  inherit (import sources.flake-inputs) import-flake;
  # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
  # XXX - this is just importing a flake
  nixpkgs = import-flake { src = sources.nixpkgs; };
  # XXX - this overrides the inputs attached to `self`
  inputs' = self.inputs // {
    nixpkgs = nixpkgs;
  };
  self' = self // {
    inputs = inputs';
  };
  flake-parts-lib = import "${sources.flake-parts}/lib.nix" { inherit (nixpkgs) lib; };
 in
 flakeModule:
 flake-parts-lib.mkFlake
  {
    # XXX - finally we override the overall set of `inputs` -- we need both:
    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
    inputs = inputs // {
      inherit nixpkgs;
    };
    self = self';
    specialArgs = {
      inherit sources;
    };
  }
  {
    systems = [
      "x86_64-linux"
      "aarch64-linux"
      "x86_64-darwin"
      "aarch64-darwin"
    ];
    imports = [ flakeModule ];
  }
--- a/npins/sources.json
+++ b/npins/sources.json
@ -125,6 +125,22 @@
      "url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4",
      "hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2"
    },
    "nix": {
      "type": "GitRelease",
      "repository": {
        "type": "GitHub",
        "owner": "nixos",
        "repo": "nix"
      },
      "pre_releases": false,
      "version_upper_bound": null,
      "release_prefix": null,
      "submodules": false,
      "version": "2.29.1",
      "revision": "82debf3b591578eb2e7b151d2589626fad1679a2",
      "url": "https://api.github.com/repos/nixos/nix/tarball/2.29.1",
      "hash": "1xj5wawjw99qsyqfm3x02aydcg39rjksphnqg163plknifbzf8mc"
    },
    "nix-unit": {
      "type": "Git",
      "repository": {
--- a/secrets/forgejo-database-password.age
+++ b/secrets/forgejo-database-password.age
@ -1,17 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 Jpc21A 9edPaA2tT4SeYNTPzF0E157daC2o+JH/WQQCT+vLbFg
+-> ssh-ed25519 Jpc21A bBCQmvfRUwJuIXbpVJ092XUBVszGrb6gILGbgV9j9BY
-C48EtLdhB75TTzfEZTw1DypicHiVlSmFzjfbqfO9N/8
+7DEGwhqdfqMs5cxXtlMkSTPjw4qhczBgW0dmoJ6dh6g
-> ssh-ed25519 BAs8QA T+kXpZg1v0XRkub5DWir7vYwO7KaOJLZBNYxxXiBUCw
+-> ssh-ed25519 BAs8QA oiVedFC6UklEFCJUybGr93+XrddyCtV4r4TnE4nhpWI
-zBRwMTDpyI7twEwUGsmJYyYPw9btBx5Kakj1yT+XY8U
+xasnkP4NCl9TuYSE1u0Xi0b/PiwcrfHCz2QMnpTjLcU
-> ssh-ed25519 ofQnlg 4UoEDY/tdKz8LrX1BkBU1/cn+vSaYLUl7xX9YmzANBY
+-> ssh-ed25519 ofQnlg LrMcWdaEUVyIgd/KznwJW/2sucIu5MuxDEcEJAmf8mA
-8CACq1n3AJgD9IyPN23iRvThqsfQFF5+jmkKnhun24U
+p6pQoisuXre2J4r6ArV6C6lKO2J/aNdBFhqLPBoZ2wA
-> ssh-ed25519 COspvA HxcbkqHL+LpVmwb+Fo5JuUU+C+Pxzdxtb0yZHixwuzM
+-> ssh-ed25519 COspvA q2OGeVofPKyGCpr4Mf9VoaRvZCWTRl8n2mvkQOdTnyQ
-7FIhxdbjHJlgQQgjrHHUK5cecqs5aT7X3I8TWf8c2gc
+M+ffAGecJG/94k/Z5DdokltrZppS2IcxkZa8JKHwIMs
-> ssh-ed25519 2XrTgw R6Ia8MVIZKPnNZ0rspZ34EqoY8fOLeB9H7vnvNBLg1g
+-> ssh-ed25519 2XrTgw Bsz/G4QderToPSfMKOR6s5yWb0xCGUlsjGJxJYQNBRc
-55NUqz5Yygt6FKJ3bR5iHxQp8G7S2gyFwrJNX1Pb/2Y
+JYrXZb8qj1Yi9u5bnI/WzuNxy7gyFLCTIUaGNmcOYnk
-> ssh-ed25519 awJeHA hJdTuAScoewVMt7HWiisSkL0zSeClFzYzzKL84G893o
+-> ssh-ed25519 awJeHA KKJMQSt0PvC6P+T/kxQv96tSBdLQLiY2f8q35IwGm28
-ou780VLrW1s4d6L+lEVu3kXaGn4dvtFPA31supwEL50
+p7Cf2HLlPl0qmsO6Hh5zwVgKkEs3A6fdSBndMKsacbk
-> ssh-ed25519 Fa25Dw mJcqnXA3fQeoKrG7RJ7nVeLxPvrxqbj+lJdx6jQ9IR8
+-> ssh-ed25519 Fa25Dw 3m/qyannP4gjXxkUuO0LQRU8Z8HXOg4WReMDd7786y8
-f5Q7mrQSSDsm1Z/uSAnvx66mgnRC3XaBLQrVL9f/Ijs
+dNMyiBGeJDrBScE9TEyZZ7+MGMG6FLuoRTK82EVeX1w
--- W/KmboXTLV12X6WtVQKHNe+ZHvS2q9EHUZwofSgJSE8
+-> ssh-ed25519 i+ecmQ oCs4Ep2K75yjmUOh1ox4F25tGq+O/mZ2/c2E8+IRlEc
-^kûÚ	h©0ÔkÇ ¢¸_Ç·ûQÞm‘’7\òÖ}÷Áë?½qø‚<ÿm
+0Wc9gDxhvHK5tEVM5kJ0mQXc3kp7tJ2JNHg54N0+tJ8
 --- mXrqbcHxjjkS5MrQaCVm4hTsAUEENAWlIYtiYx6rtas
 ž`€úì}öÙ7Ù>iŒbàéëÕî¦®è/&ÉªŠwŽ„ì7àí[ã±Hˆc“
--- a/secrets/forgejo-email-password.age
+++ b/secrets/forgejo-email-password.age
--- a/secrets/forgejo-runner-token.age
+++ b/secrets/forgejo-runner-token.age
--- a/secrets/panel-secret-key.age
+++ b/secrets/panel-secret-key.age
--- a/secrets/panel-ssh-key.age
+++ b/secrets/panel-ssh-key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -7,11 +7,12 @@ let
  keys = import ../keys;
  contributors = attrValues keys.contributors;
  cd = [ keys.cd ];
 in
 concatMapAttrs
  (name: systems: {
-    "${name}.age".publicKeys = contributors ++ systems;
+    "${name}.age".publicKeys = contributors ++ systems ++ cd;
  })
  (
--- a/secrets/wiki-basicauth-htpasswd.age
+++ b/secrets/wiki-basicauth-htpasswd.age
@ -1,18 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 Jpc21A EuMYAiZX+4A12eu19mIY7u+WYF7NJ9qJosQSVlxR6n8
+-> ssh-ed25519 Jpc21A NStZFZPTHMhVCnQ5Zkbl39vWztrxfsSXok24/e8H7QQ
-bK5CMXAmP23t1p9bgmqoVg4Qcu2qYKGc4t36v8e9eow
+JjHP6Cus76PGYYxpbnc2cSZ79zvdD8LISYDPbvXsnqU
-> ssh-ed25519 BAs8QA IwRyitDNTzUPzQAUbDNEKjFiF8WPD/OyztOZQeoTEzw
+-> ssh-ed25519 BAs8QA iocHfHjWlEUsbtibqEbYDceAqURr2vjxuYapqon9hyU
-OwiTWvk4NmUgExav0uH6HlThDNU5hsKXfR6KHsFOV3I
+ljL+olZdhWtHeV3uh3pOu22+sY13wPn2vKQDduPSqVs
-> ssh-ed25519 ofQnlg 3TcMbLX1JsQL8+Gqy7IFZwykZr2BspvPCuZT1SHtnQQ
+-> ssh-ed25519 ofQnlg 9YVfMKyoP3+xtzg/ok2I9yf3YdIYoBpUJa/3d2N/8lI
-Ci5OeBj2aiC8ut9jIEUMt3qfYH+cJrnVud6AH54Ndn8
+2yUalyj7O3c1YDA2xTb9QNYrFBDHwcyGBX3mydv0ifI
-> ssh-ed25519 COspvA 0t9f3Wu3ILv4QTJhwT619y+7XFrryCLbpIZC6aE+qQI
+-> ssh-ed25519 COspvA cOSNsZXBbhQ/B49fq3KwcY6siVrTz48doTrta/0d/Hw
-oPQP48F6oO/tkqLZDdjkGtIap7KHiAknbpTNL6/yLaU
+jcRtVxA/tVFM9btPAPI6zKk8BwAVlaQlvHC203MpmIQ
-> ssh-ed25519 2XrTgw YOZsaYQH9vMH0QqSXGh8GyhRV4MbcBGPFfFaKpo3Ckk
+-> ssh-ed25519 2XrTgw d3EKtYkxjeJZ8kt3ofIklGmRwUCgTIB/WVVlvxggGRk
-kUShJbADA+6bpx2adxvzlI/0jSM5bIBfZfdSE/7Vm5Y
+IhcrpWN9xFsKRw9iCfYMONPOU7TpTt4kTBNwMDtk7zo
-> ssh-ed25519 awJeHA dF3m0hQWX9c0EezDr56Kt/F4d1Uim7NwvIX6zRws0Eo
+-> ssh-ed25519 awJeHA Ei64e3+FJDM6S8NP+YfEWEg9t72qTXZ0IdZE8dYQPm4
-pst243yrARODwrnyz8cJAzgDxdPOUsRbs7yPZePABFs
+ggRc86sXin06eXJkLbK8CdJFDa1237WMfSgwNd5ngmM
-> ssh-ed25519 dgBsjw PUYHcP/tgNnKyvlIoJRcNcW3zabVV1iHXIWfKqgW9xc
+-> ssh-ed25519 dgBsjw 9etK6tNrFlWVAKTz5U0TitkiGYLKTad3QiRWVpLPrwM
-tXNjSuVH/g/oN5o75FPkFFpviF7SeFSN9kbqURvgMDE
+xHLzFnRtcvpVZYZrxWz5q4uadhHrHVlfqjteOWfIccE
--- wHgBAN9c6F6T5hFJGo8uH8zqDkQDwx3/jVNKUtQ3arE
+-> ssh-ed25519 i+ecmQ SDTnYBLMOaH173B/wqaOifE6a90gSesRqMHmX7/iZFk
-«Ñ¢Á
+kS9tuKnMXCXNUnoZ06DisOOyZHe/mZl4a0JRA+eynE8
-ò@µú¡fÃƒ`m;ÕcæäU²€ùò£Íd…eS’èyfv¿»¡€J?ø `œfj£Äa}lÃó ¿Úxç²BÇt2èfìôm08ÓoÝtRál9˜èx¤¢ŒÅž›æ÷
+--- C0R5WxDDCqQGxyvFoeNX838az0bjp55PGh//1NFG4LE
 ŠÉY—±³<EFBFBD>„ÏKRÇËej±éŒ7xÑíE¹ Óì¾7jÏ-œJý«[ÀF?Ÿ=-w‘XMC~)èÅ›ƒ<E280BA>Éõb«ëƒCÜ4ÌÖÞOwý~–¿š8ñv—ÙÜžèX»ØÆ’ƒí!5¦
--- a/secrets/wiki-password.age
+++ b/secrets/wiki-password.age
--- a/secrets/wiki-smtp-password.age
+++ b/secrets/wiki-smtp-password.age
--- a/services/README.md
+++ b/services/README.md
@ -21,11 +21,11 @@ For those that know it, we could say that the current module is an analogous of
 ## Content of this directory
- [fediversity][./fediversity] contains the definition of the services. Look in
+- [fediversity](./fediversity) contains the definition of the services. Look in
  particular at its `default.nix` that contains the definition of the options.
- [vm][./vm] contains options specific to making the service run in local QEMU
+- [vm](./vm) contains options specific to making the service run in local QEMU
  VMs. These modules will for instance override the defaults to disable SSL, and
  they will add virtualisation options to forward ports, for instance.
- [tests][./tests] contain full NixOS tests of the services.
+- [tests](./tests) contain full NixOS tests of the services.
--- a/services/fediversity/default.nix
+++ b/services/fediversity/default.nix
@ -65,4 +65,16 @@ in
      };
    };
  };
  config = {
    ## FIXME: This should clearly go somewhere else; and we should have a
    ## `staging` vs. `production` setting somewhere.
    security.acme = {
      acceptTerms = true;
      # use a priority more urgent than mkDefault for panel deployment to work,
      # yet looser than default so this will not clash with the setting in tests.
      defaults.email = lib.modules.mkOverride 200 "something@fediversity.net";
      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };
  };
 }
Author	SHA1	Message	Date
Kiara Grouwstra	95873fd960	increase numInstances to 5	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	414d786ee0	Revert "switch to podman" This reverts commit `60e7b841a9`.	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	e757236e48	runs-on: nix	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	774d17aa45	switch to podman	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	af708d05ba	increase numInstances to 3	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	66828d41b1	add note on podman attempt	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	85c5305593	reconciliate old/new runners	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	4631a2398c	explicitly use custom container in CI	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	9c75365609	explicitly allow running command to manually generating tokens from forgejo machine additionally serves to document the needed command, for future automation.	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	824c37c392	set up ci container from clan credit: https://discourse.nixos.org/t/gitea-nix-actions-runner-setup/35279	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	b0ca411ac2	try and recreate the container from icewind see: https://icewind.nl/entry/gitea-actions-nix/#using-nix-to-build-our-nix-image > Error: crun: cannot find `` in $PATH: No such file or directory: OCI runtime attempted to invoke a command that was not found	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	d566852471	runs-on: docker	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	21eaf8fea7	rm runner file	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	dc47095892	explicitly specify container image	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	45b841526d	add label for new runner	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	3d6730f6f4	try out existing nix container made for gitea actions	2025-07-11 16:19:35 +02:00
Nicolas “Niols” Jeannerod	1a93775661	Switch all CI jobs to `nixos` label	2025-07-11 16:19:35 +02:00
Kiara Grouwstra	aef414ffe8	resolve regressions from recent qemu files (#432 ) - move import to match module classes - manually import sources to resolve infinite recursion closes #431. Reviewed-on: Fediversity/Fediversity#432 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-11 16:09:27 +02:00
Kiara Grouwstra	6d74112518	ditch `sources` arg in fedi201, fixing infinite recursion error (#454 ) c.f. #432. closes #453. Reviewed-on: Fediversity/Fediversity#454 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-11 16:06:15 +02:00
Kiara Grouwstra	2b2fb059fd	fix cd command (#455 ) Reviewed-on: Fediversity/Fediversity#455 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-11 11:07:03 +02:00
Kiara Grouwstra	66ceb66382	add deployment pipeline (#452 ) part of #177 Reviewed-on: Fediversity/Fediversity#452 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-10 16:45:46 +02:00
fricklerhandwerk	ad9c61a3db	docs: fix typos	2025-07-10 00:37:27 +02:00
Nicolas “Niols” Jeannerod	b4e1c5b5b3	Restrict fileset necessary for deployment tests (#450 ) Now that we won't depend on the flake.nix anymore, we won't depend on all the flake-part.nix files (necessary to evaluate flake.nix) and all the files they depend on etc., so the Nix dependencies of the tests will be drastically reduced, and I will be able to leverage that by introducing a more subtle src. This will make the test not need to re-run if only things outside that reduced src changed (and the previous run is in the Nix store). Reviewed-on: Fediversity/Fediversity#450 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 22:57:52 +02:00
Nicolas “Niols” Jeannerod	de38611572	Unflakify deployment tests (#449 ) This PR builds on top of #447 and #448. Since these might be rejected, there will be some changes needed for this PR as well. Let's see how the discussions go in #447. In the meantime, @fricklerhandwerk, would you mind (in)validating the core idea of this PR? You only need to look at `7cf43c4041`, really. Reviewed-on: Fediversity/Fediversity#449 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 15:07:02 +02:00
Nicolas “Niols” Jeannerod	1d40dcfc0e	Grab `git-hooks` from npins (#448 ) This PR builds on top of #447 and will be subject to the same discussion. Let's discuss there whether it makes sense to get rid of the `flake-parts` and `git-hooks` flake inputs. Reviewed-on: Fediversity/Fediversity#448 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 13:21:48 +02:00
Nicolas “Niols” Jeannerod	c3bf158130	Note on extracting `mkFlake` to an external library (#451 ) follow-up on Fediversity/Fediversity#447 (comment) Reviewed-on: Fediversity/Fediversity#451 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 12:34:43 +02:00
Nicolas “Niols” Jeannerod	48c6a1f22b	Extract `mkFlake` to own file - get `flake-parts` from npins (#447 ) The goal is to contain the “`mkFlake` hack” to a file that we can heavily document but otherwise ignore. This also will allow me to reuse it in the “flake under test” of the deployment tests. Reviewed-on: Fediversity/Fediversity#447 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 10:12:47 +02:00
Kiara Grouwstra	8a7984933d	reinstate acme settings needed by applications (#434 ) closes #417 Reviewed-on: Fediversity/Fediversity#434 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-08 10:02:13 +02:00
Kiara Grouwstra	5520fa721b	gitea PR unpruned (#445 ) see #65 Reviewed-on: Fediversity/Fediversity#445 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 13:38:09 +02:00
Kiara Grouwstra	eabfc228c5	updater: try the first upstream commit without `git remote prune` (#444 ) Reviewed-on: Fediversity/Fediversity#444 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 13:23:08 +02:00
Kiara Grouwstra	3f923532a2	updater: fully qualify github domain in `uses` (#443 ) part of #65. succeeds #442. Reviewed-on: Fediversity/Fediversity#443 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 12:50:55 +02:00
Kiara Grouwstra	37d4fc5a42	un-qualify github.com domain in updater `uses`, which resolved to data.forgejo.org/github.com (#442 ) attempt to address https://git.fediversity.eu/Fediversity/Fediversity/actions/runs/920. part of #65. Reviewed-on: Fediversity/Fediversity#442 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 12:47:06 +02:00
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlsYTtMx3hFO8B5B8iHaXL2JKj9izHeC+/AMhIWXBPs cd-age`