fix typo

Reviewed-on: Fediversity/Fediversity#474
Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Co-authored-by: Kiara Grouwstra <kiara@procolix.eu>
Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>

.forgejo/workflows/cd.yaml

@@ -0,0 +1,24 @@
+name: deploy-infra
+
+on:
+  workflow_dispatch: # allows manual triggering
+  push:
+    branches:
+      - main
+
+jobs:
+  deploy:
+    runs-on: native
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up SSH key for age secrets and SSH
+        run: |
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+
+      - name: Deploy
+        run: nix-shell --run 'eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519 && SHELL=$(which bash) nixops4 apply -v default'

.forgejo/workflows/ci.yaml

@@ -21,17 +21,23 @@ jobs:
       - uses: actions/checkout@v4
       - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'
 
+  check-mastodon:
+    runs-on: native
+    steps:
+      - uses: actions/checkout@v4
+      - run: nix build .#checks.x86_64-linux.test-mastodon-service -L
+
   check-peertube:
     runs-on: native
     steps:
       - uses: actions/checkout@v4
-      - run: cd services && nix-build -A tests.peertube
+      - run: nix build .#checks.x86_64-linux.test-peertube-service -L
 
   check-panel:
     runs-on: native
     steps:
       - uses: actions/checkout@v4
-      - run: cd panel && nix-build -A tests
+      - run: nix-build -A tests.panel
 
   check-deployment-basic:
     runs-on: native

.forgejo/workflows/update.yaml

@@ -2,8 +2,9 @@ name: update-dependencies
 
 on:
   workflow_dispatch: # allows manual triggering
-  schedule:
+  # FIXME: re-enable when manual run works
-    - cron: '0 0 1 * *' # monthly
+  # schedule:
+  #   - cron: '0 0 1 * *' # monthly
 
 jobs:
   lockfile:
@@ -11,11 +12,12 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      - name: Install npins
+      - name: Update pins
         run: nix-shell --run "npins update"
       - name: Create PR
-        uses: peter-evans/create-pull-request@v7
+        uses: https://github.com/KiaraGrouwstra/gitea-create-pull-request@f9f80aa5134bc5c03c38f5aaa95053492885b397
         with:
+          remote-instance-api-version: v1
           token: "${{ secrets.DEPLOY_KEY }}"
           branch: npins-update
           commit-message: "npins: update sources"

default.nix

@@ -10,6 +10,9 @@ let
     gitignore
     ;
   inherit (pkgs) lib;
+  inherit (import sources.flake-inputs) import-flake;
+  inherit ((import-flake { src = ./.; }).inputs) nixops4;
+  panel = import ./panel { inherit sources system; };
   pre-commit-check =
     (import "${git-hooks}/nix" {
       inherit nixpkgs system;
@@ -55,13 +58,21 @@ in
         };
       in
       [
+        pkgs.npins
+        pkgs.nil
+        (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
+        pkgs.openssh
+        pkgs.httpie
+        pkgs.jq
         pkgs.nix-unit
         test-loop
+        nixops4.packages.${system}.default
       ];
   };
 
   tests = {
     inherit pre-commit-check;
+    panel = panel.tests;
   };
 
   # re-export inputs so they can be overridden granularly

deployment/check/basic/constants.nix

@@ -0,0 +1,8 @@
+{
+  targetMachines = [
+    "hello"
+    "cowsay"
+  ];
+  pathToRoot = ../../..;
+  pathFromRoot = ./.;
+}

deployment/check/basic/default.nix

@@ -0,0 +1,14 @@
+{
+  runNixOSTest,
+  inputs,
+  sources,
+}:
+
+runNixOSTest {
+  imports = [
+    ../common/nixosTest.nix
+    ./nixosTest.nix
+  ];
+  _module.args = { inherit inputs sources; };
+  inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
+}

deployment/check/basic/deployment.nix

@@ -0,0 +1,36 @@
+{
+  inputs,
+  sources,
+  lib,
+  providers,
+  ...
+}:
+
+let
+  inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
+in
+
+{
+  providers = {
+    inherit (inputs.nixops4.modules.nixops4Provider) local;
+  };
+
+  resources = lib.genAttrs targetMachines (nodeName: {
+    type = providers.local.exec;
+
+    imports = [
+      inputs.nixops4-nixos.modules.nixops4Resource.nixos
+      ../common/targetResource.nix
+    ];
+
+    _module.args = { inherit inputs sources; };
+
+    inherit nodeName pathToRoot pathFromRoot;
+
+    nixos.module =
+      { pkgs, ... }:
+      {
+        environment.systemPackages = [ pkgs.${nodeName} ];
+      };
+  });
+}

deployment/check/basic/flake-part.nix

@@ -1,54 +0,0 @@
-{
-  self,
-  inputs,
-  lib,
-  ...
-}:
-
-let
-  inherit (lib) genAttrs;
-
-  targetMachines = [
-    "hello"
-    "cowsay"
-  ];
-  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
-  pathFromRoot = ./.;
-
-in
-{
-  perSystem =
-    { pkgs, ... }:
-    {
-      checks.deployment-basic = pkgs.testers.runNixOSTest {
-        imports = [
-          ../common/nixosTest.nix
-          ./nixosTest.nix
-        ];
-        _module.args.inputs = inputs;
-        inherit targetMachines pathToRoot pathFromRoot;
-      };
-    };
-
-  nixops4Deployments.check-deployment-basic =
-    { providers, ... }:
-    {
-      providers = {
-        inherit (inputs.nixops4.modules.nixops4Provider) local;
-      };
-      resources = genAttrs targetMachines (nodeName: {
-        type = providers.local.exec;
-        imports = [
-          inputs.nixops4-nixos.modules.nixops4Resource.nixos
-          ../common/targetResource.nix
-        ];
-        _module.args.inputs = inputs;
-        inherit nodeName pathToRoot pathFromRoot;
-        nixos.module =
-          { pkgs, ... }:
-          {
-            environment.systemPackages = [ pkgs.${nodeName} ];
-          };
-      });
-    };
-}

deployment/check/basic/flake-under-test.nix

@@ -0,0 +1,22 @@
+{
+  inputs = {
+    nixops4.follows = "nixops4-nixos/nixops4";
+    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
+  };
+
+  outputs =
+    inputs:
+    import ./mkFlake.nix inputs (
+      { inputs, sources, ... }:
+      {
+        imports = [
+          inputs.nixops4.modules.flake.default
+        ];
+
+        nixops4Deployments.check-deployment-basic = {
+          imports = [ ./deployment/check/basic/deployment.nix ];
+          _module.args = { inherit inputs sources; };
+        };
+      }
+    );
+}

deployment/check/basic/nixosTest.nix

@@ -1,8 +1,15 @@
-{ inputs, ... }:
+{ inputs, lib, ... }:
 
 {
+  _class = "nixosTest";
+
   name = "deployment-basic";
 
+  sourceFileset = lib.fileset.unions [
+    ./constants.nix
+    ./deployment.nix
+  ];
+
   nodes.deployer =
     { pkgs, ... }:
     {

deployment/check/cli/constants.nix

@@ -0,0 +1,11 @@
+{
+  targetMachines = [
+    "garage"
+    "mastodon"
+    "peertube"
+    "pixelfed"
+  ];
+  pathToRoot = ../../..;
+  pathFromRoot = ./.;
+  enableAcme = true;
+}

deployment/check/cli/default.nix

@@ -0,0 +1,19 @@
+{
+  runNixOSTest,
+  inputs,
+  sources,
+}:
+
+runNixOSTest {
+  imports = [
+    ../common/nixosTest.nix
+    ./nixosTest.nix
+  ];
+  _module.args = { inherit inputs sources; };
+  inherit (import ./constants.nix)
+    targetMachines
+    pathToRoot
+    pathFromRoot
+    enableAcme
+    ;
+}

deployment/check/cli/deployments.nix

@@ -0,0 +1,59 @@
+{
+  inputs,
+  sources,
+  lib,
+}:
+
+let
+  inherit (builtins) fromJSON readFile listToAttrs;
+  inherit (import ./constants.nix)
+    targetMachines
+    pathToRoot
+    pathFromRoot
+    enableAcme
+    ;
+
+  makeTargetResource = nodeName: {
+    imports = [ ../common/targetResource.nix ];
+    _module.args = { inherit inputs sources; };
+    inherit
+      nodeName
+      pathToRoot
+      pathFromRoot
+      enableAcme
+      ;
+  };
+
+  ## The deployment function - what we are here to test!
+  ##
+  ## TODO: Modularise `deployment/default.nix` to get rid of the nested
+  ## function calls.
+  makeTestDeployment =
+    args:
+    (import ../..)
+      {
+        inherit lib;
+        inherit (inputs) nixops4 nixops4-nixos;
+        fediversity = import ../../../services/fediversity;
+      }
+      (listToAttrs (
+        map (nodeName: {
+          name = "${nodeName}ConfigurationResource";
+          value = makeTargetResource nodeName;
+        }) targetMachines
+      ))
+      (fromJSON (readFile ../../configuration.sample.json) // args);
+
+in
+{
+  check-deployment-cli-nothing = makeTestDeployment { };
+
+  check-deployment-cli-mastodon-pixelfed = makeTestDeployment {
+    mastodon.enable = true;
+    pixelfed.enable = true;
+  };
+
+  check-deployment-cli-peertube = makeTestDeployment {
+    peertube.enable = true;
+  };
+}

deployment/check/cli/flake-part.nix

@@ -1,87 +0,0 @@
-{
-  self,
-  inputs,
-  lib,
-  ...
-}:
-
-let
-  inherit (builtins) fromJSON readFile listToAttrs;
-
-  targetMachines = [
-    "garage"
-    "mastodon"
-    "peertube"
-    "pixelfed"
-  ];
-  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
-  pathFromRoot = ./.;
-  enableAcme = true;
-
-in
-{
-  perSystem =
-    { pkgs, ... }:
-    {
-      checks.deployment-cli = pkgs.testers.runNixOSTest {
-        imports = [
-          ../common/nixosTest.nix
-          ./nixosTest.nix
-        ];
-        _module.args.inputs = inputs;
-        inherit
-          targetMachines
-          pathToRoot
-          pathFromRoot
-          enableAcme
-          ;
-      };
-    };
-
-  nixops4Deployments =
-    let
-      makeTargetResource = nodeName: {
-        imports = [ ../common/targetResource.nix ];
-        _module.args.inputs = inputs;
-        inherit
-          nodeName
-          pathToRoot
-          pathFromRoot
-          enableAcme
-          ;
-      };
-
-      ## The deployment function - what we are here to test!
-      ##
-      ## TODO: Modularise `deployment/default.nix` to get rid of the nested
-      ## function calls.
-      makeTestDeployment =
-        args:
-        (import ../..)
-          {
-            inherit lib;
-            inherit (inputs) nixops4 nixops4-nixos;
-            fediversity = import ../../../services/fediversity;
-          }
-          (listToAttrs (
-            map (nodeName: {
-              name = "${nodeName}ConfigurationResource";
-              value = makeTargetResource nodeName;
-            }) targetMachines
-          ))
-          (fromJSON (readFile ../../configuration.sample.json) // args);
-
-    in
-    {
-      check-deployment-cli-nothing = makeTestDeployment { };
-
-      check-deployment-cli-mastodon-pixelfed = makeTestDeployment {
-        mastodon.enable = true;
-        pixelfed.enable = true;
-      };
-
-      check-deployment-cli-peertube = makeTestDeployment {
-        peertube.enable = true;
-      };
-    };
-}

deployment/check/cli/flake-under-test.nix

@@ -0,0 +1,26 @@
+{
+  inputs = {
+    nixops4.follows = "nixops4-nixos/nixops4";
+    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
+  };
+
+  outputs =
+    inputs:
+    import ./mkFlake.nix inputs (
+      {
+        inputs,
+        sources,
+        lib,
+        ...
+      }:
+      {
+        imports = [
+          inputs.nixops4.modules.flake.default
+        ];
+
+        nixops4Deployments = import ./deployment/check/cli/deployments.nix {
+          inherit inputs sources lib;
+        };
+      }
+    );
+}

deployment/check/cli/nixosTest.nix

@@ -1,4 +1,9 @@
-{ inputs, hostPkgs, ... }:
+{
+  inputs,
+  hostPkgs,
+  lib,
+  ...
+}:
 
 let
   ## Some places need a dummy file that will in fact never be used. We create
@@ -7,8 +12,25 @@ let
 in
 
 {
+  _class = "nixosTest";
+
   name = "deployment-cli";
 
+  sourceFileset = lib.fileset.unions [
+    ./constants.nix
+    ./deployments.nix
+
+    # REVIEW: I would like to be able to grab all of `/deployment` minus
+    # `/deployment/check`, but I can't because there is a bunch of other files
+    # in `/deployment`. Maybe we can think of a reorg making things more robust
+    # here? (comment also in panel test)
+    ../../default.nix
+    ../../options.nix
+    ../../configuration.sample.json
+
+    ../../../services/fediversity
+  ];
+
   nodes.deployer =
     { pkgs, ... }:
     {

deployment/check/common/deployerNode.nix

@@ -3,6 +3,7 @@
   lib,
   pkgs,
   config,
+  sources,
   ...
 }:
 
@@ -14,10 +15,10 @@ let
     types
     ;
 
-  sources = import ../../../npins;
-
 in
 {
+  _class = "nixos";
+
   imports = [ ./sharedOptions.nix ];
 
   options.system.extraDependenciesFromModule = mkOption {
@@ -53,13 +54,13 @@ in
 
     system.extraDependencies =
       [
-        "${inputs.flake-parts}"
+        inputs.nixops4
-        "${inputs.flake-parts.inputs.nixpkgs-lib}"
+        inputs.nixops4-nixos
-        "${inputs.nixops4}"
+        inputs.nixpkgs
-        "${inputs.nixops4-nixos}"
-        "${inputs.nixpkgs}"
 
-        "${sources.flake-inputs}"
+        sources.flake-parts
+        sources.flake-inputs
+        sources.git-hooks
 
         pkgs.stdenv
         pkgs.stdenvNoCC
@@ -76,7 +77,7 @@ in
               config.system.extraDependenciesFromModule
               {
                 nixpkgs.hostPlatform = "x86_64-linux";
-                _module.args.inputs = inputs;
+                _module.args = { inherit inputs sources; };
                 enableAcme = config.enableAcme;
                 acmeNodeIP = config.acmeNodeIP;
               }

deployment/check/common/nixosTest.nix

@@ -3,6 +3,7 @@
   lib,
   config,
   hostPkgs,
+  sources,
   ...
 }:
 
@@ -12,6 +13,7 @@ let
     toJSON
     ;
   inherit (lib)
+    types
     fileset
     mkOption
     genAttrs
@@ -26,14 +28,6 @@ let
 
   forConcat = xs: f: concatStringsSep "\n" (map f xs);
 
-  ## The whole repository, with the flake at its root.
-  ## FIXME: We could probably have fileset be the union of ./. with flake.nix
-  ## and flake.lock - I doubt we need anything else.
-  src = fileset.toSource {
-    fileset = config.pathToRoot;
-    root = config.pathToRoot;
-  };
-
   ## We will need to override some inputs by the empty flake, so we make one.
   emptyFlake = runCommandNoCC "empty-flake" { } ''
     mkdir $out
@@ -42,6 +36,8 @@ let
 
 in
 {
+  _class = "nixosTest";
+
   imports = [
     ./sharedOptions.nix
   ];
@@ -50,16 +46,46 @@ in
     ## FIXME: I wish I could just use `testScript` but with something like
     ## `mkOrder` to put this module's string before something else.
     extraTestScript = mkOption { };
+
+    sourceFileset = mkOption {
+      ## REVIEW: Upstream to nixpkgs?
+      type = types.mkOptionType {
+        name = "fileset";
+        description = "fileset";
+        descriptionClass = "noun";
+        check = (x: (builtins.tryEval (fileset.unions [ x ])).success);
+        merge = (_: defs: fileset.unions (map (x: x.value) defs));
+      };
+      description = ''
+        A fileset that will be copied to the deployer node in the current
+        working directory. This should contain all the files that are
+        necessary to run that particular test, such as the NixOS
+        modules necessary to evaluate a deployment.
+      '';
+    };
   };
 
   config = {
+    sourceFileset = fileset.unions [
+      # NOTE: not the flake itself; it will be overridden.
+      ../../../mkFlake.nix
+      ../../../flake.lock
+      ../../../npins
+
+      ./sharedOptions.nix
+      ./targetNode.nix
+      ./targetResource.nix
+
+      (config.pathToCwd + "/flake-under-test.nix")
+    ];
+
     acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
 
     nodes =
       {
         deployer = {
           imports = [ ./deployerNode.nix ];
-          _module.args.inputs = inputs;
+          _module.args = { inherit inputs sources; };
           enableAcme = config.enableAcme;
           acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
         };
@@ -86,7 +112,7 @@ in
 
         genAttrs config.targetMachines (_: {
           imports = [ ./targetNode.nix ];
-          _module.args.inputs = inputs;
+          _module.args = { inherit inputs sources; };
           enableAcme = config.enableAcme;
           acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
         });
@@ -100,8 +126,16 @@ in
         ${n}.wait_for_unit("multi-user.target")
       '')}
 
+      ## A subset of the repository that is necessary for this test. It will be
+      ## copied inside the test. The smaller this set, the faster our CI, because we
+      ## won't need to re-run when things change outside of it.
       with subtest("Unpacking"):
-        deployer.succeed("cp -r --no-preserve=mode ${src}/* .")
+        deployer.succeed("cp -r --no-preserve=mode ${
+          fileset.toSource {
+            root = ../../..;
+            fileset = config.sourceFileset;
+          }
+        }/* .")
 
       with subtest("Configure the network"):
         ${forConcat config.targetMachines (
@@ -131,11 +165,16 @@ in
 
       ## NOTE: This is super slow. It could probably be optimised in Nix, for
       ## instance by allowing to grab things directly from the host's store.
-      with subtest("Override the lock"):
+      ##
+      ## NOTE: We use the repository as-is (cf `src` above), overriding only
+      ## `flake.nix` by our `flake-under-test.nix`. We also override the flake
+      ## lock file to use locally available inputs, as we cannot download them.
+      ##
+      with subtest("Override the flake and its lock"):
+        deployer.succeed("cp ${config.pathFromRoot}/flake-under-test.nix flake.nix")
         deployer.succeed("""
           nix flake lock --extra-experimental-features 'flakes nix-command' \
             --offline -v \
-            --override-input flake-parts ${inputs.flake-parts} \
             --override-input nixops4 ${inputs.nixops4.packages.${system}.flake-in-a-bottle} \
             \
             --override-input nixops4-nixos ${inputs.nixops4-nixos} \
@@ -147,9 +186,6 @@ in
               inputs.nixops4-nixos.inputs.nixops4.packages.${system}.flake-in-a-bottle
             } \
             --override-input nixops4-nixos/git-hooks-nix ${emptyFlake} \
-            \
-            --override-input nixpkgs ${inputs.nixpkgs} \
-            --override-input git-hooks ${inputs.git-hooks} \
             ;
         """)
 

deployment/check/common/sharedOptions.nix

@@ -11,6 +11,7 @@ let
   inherit (lib) mkOption types;
 
 in
+# `config` not set and imported from multiple places: no fixed module class
 {
   options = {
     targetMachines = mkOption {

deployment/check/common/targetNode.nix

@@ -12,6 +12,8 @@ let
 
 in
 {
+  _class = "nixos";
+
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
     (modulesPath + "/../lib/testing/nixos-test-base.nix")

deployment/check/common/targetResource.nix

@@ -2,6 +2,7 @@
   inputs,
   lib,
   config,
+  sources,
   ...
 }:
 
@@ -12,6 +13,8 @@ let
 in
 
 {
+  _class = "nixops4Resource";
+
   imports = [ ./sharedOptions.nix ];
 
   options = {
@@ -38,7 +41,7 @@ in
         (lib.modules.importJSON (config.pathToCwd + "/${config.nodeName}-network.json"))
       ];
 
-      _module.args.inputs = inputs;
+      _module.args = { inherit inputs sources; };
       enableAcme = config.enableAcme;
       acmeNodeIP = trim (readFile (config.pathToCwd + "/acme_server_ip"));
 

deployment/check/panel/constants.nix

@@ -0,0 +1,11 @@
+{
+  targetMachines = [
+    "garage"
+    "mastodon"
+    "peertube"
+    "pixelfed"
+  ];
+  pathToRoot = ../../..;
+  pathFromRoot = ./.;
+  enableAcme = true;
+}

deployment/check/panel/default.nix

@@ -0,0 +1,19 @@
+{
+  runNixOSTest,
+  inputs,
+  sources,
+}:
+
+runNixOSTest {
+  imports = [
+    ../common/nixosTest.nix
+    ./nixosTest.nix
+  ];
+  _module.args = { inherit inputs sources; };
+  inherit (import ./constants.nix)
+    targetMachines
+    pathToRoot
+    pathFromRoot
+    enableAcme
+    ;
+}

deployment/check/panel/deployment.nix

@@ -0,0 +1,58 @@
+{
+  inputs,
+  sources,
+  lib,
+}:
+
+let
+  inherit (builtins) fromJSON listToAttrs;
+  inherit (import ./constants.nix)
+    targetMachines
+    pathToRoot
+    pathFromRoot
+    enableAcme
+    ;
+
+  makeTargetResource = nodeName: {
+    imports = [ ../common/targetResource.nix ];
+    _module.args = { inherit inputs sources; };
+    inherit
+      nodeName
+      pathToRoot
+      pathFromRoot
+      enableAcme
+      ;
+  };
+
+  ## The deployment function - what we are here to test!
+  ##
+  ## TODO: Modularise `deployment/default.nix` to get rid of the nested
+  ## function calls.
+  makeTestDeployment =
+    args:
+    (import ../..)
+      {
+        inherit lib;
+        inherit (inputs) nixops4 nixops4-nixos;
+        fediversity = import ../../../services/fediversity;
+      }
+      (listToAttrs (
+        map (nodeName: {
+          name = "${nodeName}ConfigurationResource";
+          value = makeTargetResource nodeName;
+        }) targetMachines
+      ))
+      args;
+
+in
+makeTestDeployment (
+  fromJSON (
+    let
+      env = builtins.getEnv "DEPLOYMENT";
+    in
+    if env == "" then
+      throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
+    else
+      env
+  )
+)

deployment/check/panel/flake-part.nix

@@ -1,91 +0,0 @@
-{
-  self,
-  inputs,
-  lib,
-  ...
-}:
-
-let
-  inherit (builtins)
-    fromJSON
-    listToAttrs
-    ;
-
-  targetMachines = [
-    "garage"
-    "mastodon"
-    "peertube"
-    "pixelfed"
-  ];
-  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
-  pathFromRoot = ./.;
-  enableAcme = true;
-
-in
-{
-  perSystem =
-    { pkgs, ... }:
-    {
-      checks.deployment-panel = pkgs.testers.runNixOSTest {
-        imports = [
-          ../common/nixosTest.nix
-          ./nixosTest.nix
-        ];
-        _module.args.inputs = inputs;
-        inherit
-          targetMachines
-          pathToRoot
-          pathFromRoot
-          enableAcme
-          ;
-      };
-    };
-
-  nixops4Deployments =
-    let
-      makeTargetResource = nodeName: {
-        imports = [ ../common/targetResource.nix ];
-        _module.args.inputs = inputs;
-        inherit
-          nodeName
-          pathToRoot
-          pathFromRoot
-          enableAcme
-          ;
-      };
-
-      ## The deployment function - what we are here to test!
-      ##
-      ## TODO: Modularise `deployment/default.nix` to get rid of the nested
-      ## function calls.
-      makeTestDeployment =
-        args:
-        (import ../..)
-          {
-            inherit lib;
-            inherit (inputs) nixops4 nixops4-nixos;
-            fediversity = import ../../../services/fediversity;
-          }
-          (listToAttrs (
-            map (nodeName: {
-              name = "${nodeName}ConfigurationResource";
-              value = makeTargetResource nodeName;
-            }) targetMachines
-          ))
-          args;
-
-    in
-    {
-      check-deployment-panel = makeTestDeployment (
-        fromJSON (
-          let
-            env = builtins.getEnv "DEPLOYMENT";
-          in
-          if env == "" then
-            throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
-          else
-            env
-        )
-      );
-    };
-}

deployment/check/panel/flake-under-test.nix

@@ -0,0 +1,26 @@
+{
+  inputs = {
+    nixops4.follows = "nixops4-nixos/nixops4";
+    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
+  };
+
+  outputs =
+    inputs:
+    import ./mkFlake.nix inputs (
+      {
+        inputs,
+        sources,
+        lib,
+        ...
+      }:
+      {
+        imports = [
+          inputs.nixops4.modules.flake.default
+        ];
+
+        nixops4Deployments.check-deployment-panel = import ./deployment/check/panel/deployment.nix {
+          inherit inputs sources lib;
+        };
+      }
+    );
+}

deployment/check/panel/nixosTest.nix

@@ -121,8 +121,24 @@ let
 in
 
 {
+  _class = "nixosTest";
+
   name = "deployment-panel";
 
+  sourceFileset = lib.fileset.unions [
+    ./constants.nix
+    ./deployment.nix
+
+    # REVIEW: I would like to be able to grab all of `/deployment` minus
+    # `/deployment/check`, but I can't because there is a bunch of other files
+    # in `/deployment`. Maybe we can think of a reorg making things more robust
+    # here? (comment also in CLI test)
+    ../../default.nix
+    ../../options.nix
+
+    ../../../services/fediversity
+  ];
+
   ## The panel's module sets `nixpkgs.overlays` which clashes with
   ## `pkgsReadOnly`. We disable it here.
   node.pkgsReadOnly = false;
@@ -153,7 +169,6 @@ in
           SECRET_KEY = dummyFile;
         };
         port = panelPort;
-        nixops4Package = inputs.nixops4.packages.${pkgs.system}.default;
 
         deployment = {
           flake = "/run/fedipanel/flake";

deployment/data-model-test.nix

@@ -1,9 +1,13 @@
 let
-  inherit (import ../default.nix { }) pkgs;
+  inherit (import ../default.nix { }) pkgs inputs;
   inherit (pkgs) lib;
+  inherit (lib) mkOption;
   eval =
     module:
     (lib.evalModules {
+      specialArgs = {
+        inherit inputs;
+      };
       modules = [
         module
         ./data-model.nix
@@ -11,35 +15,56 @@ let
     }).config;
 in
 {
+  _class = "nix-unit";
+
   test-eval = {
     expr =
       let
-        example = eval {
+        fediversity = eval (
-          runtime-environments.bar.nixos = {
+          { config, ... }:
-            module =
+          {
-              { ... }:
+            config = {
-              {
+              applications.hello =
-                system.stateVersion = "25.05";
+                { ... }:
+                {
+                  description = ''Command-line tool that will print "Hello, world!" on the terminal'';
+                  module =
+                    { ... }:
+                    {
+                      options = {
+                        enable = lib.mkEnableOption "Hello in the shell";
+                      };
+                    };
+                  implementation =
+                    cfg:
+                    lib.optionalAttrs cfg.enable {
+                      dummy.login-shell.packages.hello = pkgs.hello;
+                    };
+                };
+            };
+            options = {
+              example-configuration = mkOption {
+                type = config.configuration;
+                readOnly = true;
+                default = {
+                  enable = true;
+                  applications.hello.enable = true;
+                };
               };
-          };
+            };
-          applications.foo = {
+          }
-            module =
+        );
-              { pkgs, ... }:
-              {
-                environment.systemPackages = [
-                  pkgs.hello
-                ];
-              };
-          };
-        };
       in
       {
-        has-runtime = lib.isAttrs example.runtime-environments.bar.nixos.module;
+        inherit (fediversity)
-        has-application = lib.isAttrs example.applications.foo.module;
+          example-configuration
+          ;
       };
     expected = {
-      has-runtime = true;
+      example-configuration = {
-      has-application = true;
+        enable = true;
+        applications.hello.enable = true;
+      };
     };
   };
 }

deployment/data-model.nix

@@ -1,43 +1,89 @@
 {
   lib,
+  config,
   ...
 }:
 let
-  inherit (lib) types mkOption;
+  inherit (lib) mkOption types;
+  inherit (lib.types)
+    attrsOf
+    attrTag
+    deferredModuleWith
+    submodule
+    optionType
+    functionTo
+    ;
+
+  functionType = import ./function.nix;
+  application-resources = {
+    options.resources = mkOption {
+      # TODO: maybe transpose, and group the resources by type instead
+      type = attrsOf (
+        attrTag (lib.mapAttrs (_name: resource: mkOption { type = resource.request; }) config.resources)
+      );
+    };
+  };
 in
-with types;
 {
+  _class = "nixops4Deployment";
+
   options = {
-    runtime-environments = mkOption {
+    applications = mkOption {
-      description = "Collection of runtime environments into which applications can be deployed";
+      description = "Collection of Fediversity applications";
-      type = attrsOf (attrTag {
+      type = attrsOf (
-        nixos = mkOption {
+        submodule (application: {
-          description = "A single NixOS machine";
+          _class = "fediversity-application";
-          type = submodule {
+          options = {
-            options = {
+            description = mkOption {
-              module = mkOption {
+              description = "Description to be shown in the application overview";
-                description = "The NixOS module describing the base configuration for that machine";
+              type = types.str;
-                type = deferredModule;
+            };
+            module = mkOption {
+              description = "Operator-facing configuration options for the application";
+              type = deferredModuleWith { staticModules = [ { _class = "fediversity-application-config"; } ]; };
+            };
+            implementation = mkOption {
+              description = "Mapping of application configuration to deployment resources, a description of what an application needs to run";
+              type = application.config.config-mapping.function-type;
+            };
+            resources = mkOption {
+              description = "Compute resources required by an application";
+              type = functionTo application.config.config-mapping.output-type;
+              readOnly = true;
+              default = input: (application.config.implementation input).output;
+            };
+            config-mapping = mkOption {
+              description = "Function type for the mapping from application configuration to required resources";
+              type = submodule functionType;
+              readOnly = true;
+              default = {
+                input-type = application.config.module;
+                output-type = application-resources;
               };
             };
           };
-        };
+        })
-      });
+      );
     };
-    applications = mkOption {
+    configuration = mkOption {
-      description = "Collection of Fediversity applications";
+      description = "Configuration type declaring options to be set by operators";
-      type = attrsOf (submoduleWith {
+      type = optionType;
-        modules = [
+      readOnly = true;
-          {
+      default = submodule {
-            options = {
+        options = {
-              module = mkOption {
+          enable = lib.mkEnableOption {
-                description = "The NixOS module for that application, for configuring that application";
+            description = "your Fediversity configuration";
-                type = deferredModule;
+          };
-              };
+          applications = lib.mapAttrs (
-            };
+            _name: application:
-          }
+            mkOption {
-        ];
+              description = application.description;
-      });
+              type = submodule application.module;
+              default = { };
+            }
+          ) config.applications;
+        };
+      };
     };
   };
 }

deployment/default.nix

@@ -65,6 +65,8 @@ let
   cfg = config.deployment;
 in
 {
+  _class = "nixops4Deployment";
+
   options = {
     deployment = lib.mkOption {
       description = ''

deployment/flake-part.nix

@@ -1,7 +1,26 @@
+{ inputs, sources, ... }:
+
 {
-  imports = [
+  _class = "flake";
-    ./check/basic/flake-part.nix
+
-    ./check/cli/flake-part.nix
+  perSystem =
-    ./check/panel/flake-part.nix
+    { pkgs, ... }:
-  ];
+    {
+      checks = {
+        deployment-basic = import ./check/basic {
+          inherit (pkgs.testers) runNixOSTest;
+          inherit inputs sources;
+        };
+
+        deployment-cli = import ./check/cli {
+          inherit (pkgs.testers) runNixOSTest;
+          inherit inputs sources;
+        };
+
+        deployment-panel = import ./check/panel {
+          inherit (pkgs.testers) runNixOSTest;
+          inherit inputs sources;
+        };
+      };
+    };
 }

deployment/function.nix

@@ -0,0 +1,37 @@
+/**
+  Modular function type
+*/
+{ config, lib, ... }:
+let
+  inherit (lib) mkOption types;
+  inherit (types)
+    deferredModule
+    submodule
+    functionTo
+    optionType
+    ;
+in
+{
+  options = {
+    input-type = mkOption {
+      type = deferredModule;
+    };
+    output-type = mkOption {
+      type = deferredModule;
+    };
+    function-type = mkOption {
+      type = optionType;
+      readOnly = true;
+      default = functionTo (submodule {
+        options = {
+          input = mkOption {
+            type = submodule config.input-type;
+          };
+          output = mkOption {
+            type = submodule config.output-type;
+          };
+        };
+      });
+    };
+  };
+}

deployment/options.nix

@@ -17,6 +17,8 @@ let
   inherit (lib) types mkOption;
 in
 {
+  _class = "nixops4Deployment";
+
   options = {
     enable = lib.mkEnableOption "Fediversity configuration";
     domain = mkOption {

flake.lock

@@ -59,22 +59,6 @@
       }
     },
     "flake-compat_2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_3": {
       "flake": false,
       "locked": {
         "lastModified": 1733328505,
@@ -90,7 +74,7 @@
         "type": "github"
       }
     },
-    "flake-compat_4": {
+    "flake-compat_3": {
       "flake": false,
       "locked": {
         "lastModified": 1696426674,
@@ -143,24 +127,6 @@
       }
     },
     "flake-parts_3": {
-      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib_3"
-      },
-      "locked": {
-        "lastModified": 1738453229,
-        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_4": {
       "inputs": {
         "nixpkgs-lib": [
           "nixops4-nixos",
@@ -201,32 +167,12 @@
         "type": "github"
       }
     },
-    "git-hooks": {
+    "git-hooks-nix": {
       "inputs": {
         "flake-compat": "flake-compat",
         "gitignore": "gitignore",
         "nixpkgs": "nixpkgs"
       },
-      "locked": {
-        "lastModified": 1742649964,
-        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "type": "github"
-      }
-    },
-    "git-hooks-nix": {
-      "inputs": {
-        "flake-compat": "flake-compat_2",
-        "gitignore": "gitignore_2",
-        "nixpkgs": "nixpkgs_2"
-      },
       "locked": {
         "lastModified": 1737465171,
         "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
@@ -281,27 +227,6 @@
       }
     },
     "gitignore": {
-      "inputs": {
-        "nixpkgs": [
-          "git-hooks",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
-    "gitignore_2": {
       "inputs": {
         "nixpkgs": [
           "nixops4-nixos",
@@ -341,8 +266,8 @@
     },
     "nix": {
       "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
-        "flake-parts": "flake-parts_4",
+        "flake-parts": "flake-parts_3",
         "git-hooks-nix": "git-hooks-nix_2",
         "nixfmt": "nixfmt",
         "nixpkgs": [
@@ -416,10 +341,10 @@
     },
     "nixops4": {
       "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_2",
         "nix": "nix",
         "nix-cargo-integration": "nix-cargo-integration",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-old": "nixpkgs-old"
       },
       "locked": {
@@ -438,7 +363,7 @@
     },
     "nixops4-nixos": {
       "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
         "git-hooks-nix": "git-hooks-nix",
         "nixops4": "nixops4",
         "nixops4-nixos": [
@@ -520,18 +445,6 @@
         "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
       }
     },
-    "nixpkgs-lib_3": {
-      "locked": {
-        "lastModified": 1738452942,
-        "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
-      }
-    },
     "nixpkgs-old": {
       "locked": {
         "lastModified": 1735563628,
@@ -565,22 +478,6 @@
       }
     },
     "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1730768919,
-        "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
       "locked": {
         "lastModified": 1738410390,
         "narHash": "sha256-xvTo0Aw0+veek7hvEVLzErmJyQkEcRk6PSR4zsRQFEc=",
@@ -621,7 +518,7 @@
     },
     "purescript-overlay": {
       "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_3",
         "nixpkgs": [
           "nixops4-nixos",
           "nixops4",
@@ -664,8 +561,6 @@
     },
     "root": {
       "inputs": {
-        "flake-parts": "flake-parts",
-        "git-hooks": "git-hooks",
         "nixops4": [
           "nixops4-nixos",
           "nixops4"

flake.nix

@@ -1,94 +1,52 @@
 {
   inputs = {
-    flake-parts.url = "github:hercules-ci/flake-parts";
-    git-hooks.url = "github:cachix/git-hooks.nix";
     nixops4.follows = "nixops4-nixos/nixops4";
     nixops4-nixos.url = "github:nixops4/nixops4-nixos";
   };
 
   outputs =
-    inputs@{ self, flake-parts, ... }:
+    inputs:
-    let
+    import ./mkFlake.nix inputs (
-      sources = import ./npins;
+      { inputs, sources, ... }:
-      inherit (import sources.flake-inputs) import-flake;
-      inherit (sources) git-hooks agenix;
-      # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
-      # XXX - this is just importing a flake
-      nixpkgs = import-flake { src = sources.nixpkgs; };
-      # XXX - this overrides the inputs attached to `self`
-      inputs' = self.inputs // {
-        nixpkgs = nixpkgs;
-      };
-      self' = self // {
-        inputs = inputs';
-      };
-    in
-    # XXX - finally we override the overall set of `inputs` -- we need both:
-    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
-    flake-parts.lib.mkFlake
       {
-        inputs = inputs // {
+        imports = [
-          inherit nixpkgs;
+          "${sources.git-hooks}/flake-module.nix"
-        };
+          inputs.nixops4.modules.flake.default
-        self = self';
-      }
-      (
-        { inputs, ... }:
-        {
-          systems = [
-            "x86_64-linux"
-            "aarch64-linux"
-            "x86_64-darwin"
-            "aarch64-darwin"
-          ];
 
-          imports = [
+          ./deployment/flake-part.nix
-            (import "${git-hooks}/flake-module.nix")
+          ./infra/flake-part.nix
-            inputs.nixops4.modules.flake.default
+          ./keys/flake-part.nix
+          ./secrets/flake-part.nix
+          ./services/tests/flake-part.nix
+        ];
 
-            ./deployment/flake-part.nix
+        perSystem =
-            ./infra/flake-part.nix
+          {
-          ];
+            pkgs,
-
+            lib,
-          perSystem =
+            system,
-            {
+            ...
-              pkgs,
+          }:
-              lib,
+          {
-              inputs',
+            checks = {
-              ...
+              panel = (import ./. { inherit sources system; }).tests.panel.basic;
-            }:
-            {
-              formatter = pkgs.nixfmt-rfc-style;
-
-              pre-commit.settings.hooks =
-                let
-                  ## Add a directory here if pre-commit hooks shouldn't apply to it.
-                  optout = [ "npins" ];
-                  excludes = map (dir: "^${dir}/") optout;
-                  addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
-                in
-                addExcludes {
-                  nixfmt-rfc-style.enable = true;
-                  deadnix.enable = true;
-                  trim-trailing-whitespace.enable = true;
-                  shellcheck.enable = true;
-                };
-
-              devShells.default = pkgs.mkShell {
-                packages = [
-                  pkgs.npins
-                  pkgs.nil
-                  (pkgs.callPackage "${agenix}/pkgs/agenix.nix" { })
-                  pkgs.openssh
-                  pkgs.httpie
-                  pkgs.jq
-                  # exposing this env var as a hack to pass info in from form
-                  (inputs'.nixops4.packages.default.overrideAttrs {
-                    impureEnvVars = [ "DEPLOYMENT" ];
-                  })
-                ];
-              };
             };
-        }
+            formatter = pkgs.nixfmt-rfc-style;
-      );
+
+            pre-commit.settings.hooks =
+              let
+                ## Add a directory here if pre-commit hooks shouldn't apply to it.
+                optout = [ "npins" ];
+                excludes = map (dir: "^${dir}/") optout;
+                addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
+              in
+              addExcludes {
+                nixfmt-rfc-style.enable = true;
+                deadnix.enable = true;
+                trim-trailing-whitespace.enable = true;
+                shellcheck.enable = true;
+              };
+          };
+      }
+    );
 }

infra/README.md

@@ -1,14 +1,13 @@
 # Infra
 
-This directory contains the definition of [the VMs](machines.md) that host our
+This directory contains the definition of [the VMs](../machines/machines.md) that host our
 infrastructure.
 
 ## Provisioning VMs with an initial configuration
 
-NOTE[Niols]: This is very manual and clunky. Two things will happen. In the near
+> NOTE[Niols]: This is still very manual and clunky. Two things will happen:
-future, I will improve the provisioning script to make this a bit less clunky.
+> 1. In the near future, I will improve the provisioning script to make this a bit less clunky.
-In the far future, NixOps4 will be able to communicate with Proxmox directly and
+> 2. In the far future, NixOps4 will be able to communicate with Proxmox directly and everything will become much cleaner.
-everything will become much cleaner.
 
 1. Choose names for your VMs. It is recommended to choose `fediXXX`, with `XXX`
    above 100. For instance, `fedi117`.
@@ -25,8 +24,7 @@ everything will become much cleaner.
    Those files need to exist during provisioning, but their content matters only
    when updating the machines' configuration.
 
-   FIXME: Remove this step by making the provisioning script not fail with the
+   > FIXME: Remove this step by making the provisioning script not fail with the public key does not exist yet.
-   public key does not exist yet.
 
 3. Run the provisioning script:
    ```
@@ -44,7 +42,7 @@ everything will become much cleaner.
    ssh fedi117.abundos.eu 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' > keys/systems/fedi117.pub
    ```
 
-   FIXME: Make the provisioning script do that for us.
+   > FIXME: Make the provisioning script do that for us.
 
 7. Regenerate the list of machines:
    ```
@@ -56,7 +54,7 @@ everything will become much cleaner.
    just enough for it to boot and be reachable. Go on to the next section to
    update the machine and put an actual configuration.
 
-   FIXME: Figure out why the full configuration isn't on the machine at this
+   > FIXME: Figure out why the full configuration isn't on the machine at this
    point and fix it.
 
 ## Updating existing VM configurations

infra/common/nixos/default.nix

@@ -5,8 +5,9 @@ let
 
 in
 {
+  _class = "nixos";
+
   imports = [
-    ./hardware.nix
     ./networking.nix
     ./users.nix
   ];
@@ -22,4 +23,9 @@ in
   nix.extraOptions = ''
     experimental-features = nix-command flakes
   '';
+
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
 }

infra/common/nixos/networking.nix

@@ -1,63 +1,64 @@
 { config, lib, ... }:
 
 let
-  inherit (lib) mkDefault;
+  inherit (lib) mkDefault mkIf mkMerge;
 
 in
 {
+  _class = "nixos";
+
   config = {
     services.openssh = {
       enable = true;
       settings.PasswordAuthentication = false;
     };
 
-    networking = {
+    networking = mkMerge [
-      hostName = config.fediversityVm.name;
+      {
-      domain = config.fediversityVm.domain;
+        hostName = config.fediversityVm.name;
+        domain = config.fediversityVm.domain;
 
-      ## REVIEW: Do we actually need that, considering that we have static IPs?
+        ## REVIEW: Do we actually need that, considering that we have static IPs?
-      useDHCP = mkDefault true;
+        useDHCP = mkDefault true;
 
-      interfaces = {
+        ## Disable the default firewall and use nftables instead, with a custom
-        eth0 = {
+        ## Procolix-made ruleset.
-          ipv4 = {
+        firewall.enable = false;
-            addresses = [
+        nftables = {
-              {
+          enable = true;
-                inherit (config.fediversityVm.ipv4) address prefixLength;
+          rulesetFile = ./nftables-ruleset.nft;
-              }
-            ];
-          };
-          ipv6 = {
-            addresses = [
-              {
-                inherit (config.fediversityVm.ipv6) address prefixLength;
-              }
-            ];
-          };
         };
-      };
+      }
 
-      defaultGateway = {
+      ## IPv4
-        address = config.fediversityVm.ipv4.gateway;
+      (mkIf config.fediversityVm.ipv4.enable {
-        interface = "eth0";
+        interfaces.${config.fediversityVm.ipv4.interface}.ipv4.addresses = [
-      };
+          { inherit (config.fediversityVm.ipv4) address prefixLength; }
-      defaultGateway6 = {
+        ];
-        address = config.fediversityVm.ipv6.gateway;
+        defaultGateway = {
-        interface = "eth0";
+          address = config.fediversityVm.ipv4.gateway;
-      };
+          interface = config.fediversityVm.ipv4.interface;
+        };
+        nameservers = [
+          "95.215.185.6"
+          "95.215.185.7"
+        ];
+      })
 
-      nameservers = [
+      ## IPv6
-        "95.215.185.6"
+      (mkIf config.fediversityVm.ipv6.enable {
-        "95.215.185.7"
+        interfaces.${config.fediversityVm.ipv6.interface}.ipv6.addresses = [
-        "2a00:51c0::5fd7:b906"
+          { inherit (config.fediversityVm.ipv6) address prefixLength; }
-        "2a00:51c0::5fd7:b907"
+        ];
-      ];
+        defaultGateway6 = {
-
+          address = config.fediversityVm.ipv6.gateway;
-      firewall.enable = false;
+          interface = config.fediversityVm.ipv6.interface;
-      nftables = {
+        };
-        enable = true;
+        nameservers = [
-        rulesetFile = ./nftables-ruleset.nft;
+          "2a00:51c0::5fd7:b906"
-      };
+          "2a00:51c0::5fd7:b907"
-    };
+        ];
+      })
+    ];
   };
 }

infra/common/nixos/users.nix

@@ -1,5 +1,13 @@
 {
+  config,
+  ...
+}:
+{
+  _class = "nixos";
+
   users.users = {
+    root.openssh.authorizedKeys.keys = config.users.users.procolix.openssh.authorizedKeys.keys;
+
     procolix = {
       isNormalUser = true;
       extraGroups = [ "wheel" ];

infra/common/options.nix

@@ -6,6 +6,8 @@ let
 
 in
 {
+  # `config` not set and imported from multiple places: no fixed module class
+
   options.fediversityVm = {
 
     ##########################################################################
@@ -89,6 +91,17 @@ in
     };
 
     ipv4 = {
+      enable = mkOption {
+        default = true;
+      };
+
+      interface = mkOption {
+        description = ''
+          The interface that carries the machine's IPv4 network.
+        '';
+        default = "eth0";
+      };
+
       address = mkOption {
         description = ''
           The IP address of the machine, version 4. It will be injected as a
@@ -114,6 +127,17 @@ in
     };
 
     ipv6 = {
+      enable = mkOption {
+        default = true;
+      };
+
+      interface = mkOption {
+        description = ''
+          The interface that carries the machine's IPv6 network.
+        '';
+        default = "eth0";
+      };
+
       address = mkOption {
         description = ''
           The IP address of the machine, version 6. It will be injected as a

infra/common/proxmox-qemu-vm.nix

@@ -1,20 +1,16 @@
-{ modulesPath, ... }:
+{ sources, ... }:
-
 {
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  _class = "nixos";
+
+  imports = [
+    "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+  ];
 
   boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-
     initrd = {
       availableKernelModules = [
         "ata_piix"
         "uhci_hcd"
-        "virtio_pci"
-        "virtio_scsi"
         "sd_mod"
         "sr_mod"
       ];

infra/common/resource.nix

@@ -2,6 +2,9 @@
   inputs,
   lib,
   config,
+  sources,
+  keys,
+  secrets,
   ...
 }:
 
@@ -9,15 +12,11 @@ let
   inherit (lib) attrValues elem mkDefault;
   inherit (lib.attrsets) concatMapAttrs optionalAttrs;
   inherit (lib.strings) removeSuffix;
-  sources = import ../../npins;
-  inherit (sources) agenix disko;
-
-  secretsPrefix = ../../secrets;
-  secrets = import (secretsPrefix + "/secrets.nix");
-  keys = import ../../keys;
 
 in
 {
+  _class = "nixops4Resource";
+
   imports = [ ./options.nix ];
 
   fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};
@@ -34,8 +33,8 @@ in
   ## should go into the `./nixos` subdirectory.
   nixos.module = {
     imports = [
-      (import "${agenix}/modules/age.nix")
+      "${sources.agenix}/modules/age.nix"
-      (import "${disko}/module.nix")
+      "${sources.disko}/module.nix"
       ./options.nix
       ./nixos
     ];
@@ -44,21 +43,23 @@ in
     ## configuration.
     fediversityVm = config.fediversityVm;
 
-    ## Read all the secrets, filter the ones that are supposed to be readable
+    ## Read all the secrets, filter the ones that are supposed to be readable with
-    ## with this host's public key, and add them correctly to the configuration
+    ## public key, and create a mapping from `<name>.file` to the absolute path of
-    ## as `age.secrets.<name>.file`.
+    ## the secret's file.
     age.secrets = concatMapAttrs (
       name: secret:
-      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
+      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) {
-        ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+        ${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
-      })
+      }
-    ) secrets;
+    ) secrets.mapping;
 
     ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
     ## supports users with password-less sudo.
     users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
       # allow our panel vm access to the test machines
       keys.panel
+      # allow continuous deployment access
+      keys.cd
     ];
 
   };

infra/flake-part.nix

@@ -1,6 +1,9 @@
 {
   inputs,
   lib,
+  sources,
+  keys,
+  secrets,
   ...
 }:
 
@@ -13,7 +16,6 @@ let
     filterAttrs
     ;
   inherit (lib.attrsets) genAttrs;
-  sources = import ../../npins;
 
   ## Given a machine's name and whether it is a test VM, make a resource module,
   ## except for its missing provider. (Depending on the use of that resource, we
@@ -22,7 +24,21 @@ let
     { vmName, isTestVm }:
     {
       # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally
-      _module.args = { inherit inputs; };
+      _module.args = {
+        inherit
+          inputs
+          keys
+          secrets
+          ;
+      };
+
+      nixos.module.imports = [
+        ./common/proxmox-qemu-vm.nix
+      ];
+
+      nixos.specialArgs = {
+        inherit sources;
+      };
 
       imports =
         [
@@ -35,7 +51,7 @@ let
               {
                 nixos.module.users.users.root.openssh.authorizedKeys.keys = [
                   # allow our panel vm access to the test machines
-                  (import ../keys).panel
+                  keys.panel
                 ];
               }
             ]
@@ -53,17 +69,33 @@ let
     vmNames:
     { providers, ... }:
     {
-      providers.local = inputs.nixops4.modules.nixops4Provider.local;
+      # XXX: this type merge is for adding `specialArgs` to resource modules
-      resources = genAttrs vmNames (vmName: {
+      options.resources = mkOption {
-        type = providers.local.exec;
+        type =
-        imports = [
+          with lib.types;
-          inputs.nixops4-nixos.modules.nixops4Resource.nixos
+          lazyAttrsOf (submoduleWith {
-          (makeResourceModule {
+            class = "nixops4Resource";
-            inherit vmName;
+            modules = [ ];
-            isTestVm = false;
+            # TODO(@fricklerhandwerk): we may want to pass through all of `specialArgs`
-          })
+            # once we're sure it's sane. leaving it here for better control during refactoring.
-        ];
+            specialArgs = {
-      });
+              inherit sources;
+            };
+          });
+      };
+      config = {
+        providers.local = inputs.nixops4.modules.nixops4Provider.local;
+        resources = genAttrs vmNames (vmName: {
+          type = providers.local.exec;
+          imports = [
+            inputs.nixops4-nixos.modules.nixops4Resource.nixos
+            (makeResourceModule {
+              inherit vmName;
+              isTestVm = false;
+            })
+          ];
+        });
+      };
     };
   makeDeployment' = vmName: makeDeployment [ vmName ];
 
@@ -155,6 +187,8 @@ let
 
 in
 {
+  _class = "flake";
+
   ## - Each normal or test machine gets a NixOS configuration.
   ## - Each normal or test machine gets a VM options entry.
   ## - Each normal machine gets a deployment.

infra/makeInstallerIso.nix

@@ -15,7 +15,6 @@ let
 
   installer =
     {
-      config,
       pkgs,
       lib,
       ...

keys/cd-ssh-key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlsYTtMx3hFO8B5B8iHaXL2JKj9izHeC+/AMhIWXBPs cd-age

keys/default.nix

@@ -35,4 +35,5 @@ in
   contributors = collectKeys ./contributors;
   systems = collectKeys ./systems;
   panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
+  cd = removeTrailingWhitespace (readFile ./cd-ssh-key.pub);
 }

keys/flake-part.nix

@@ -0,0 +1,5 @@
+{
+  _class = "flake";
+
+  _module.args.keys = import ./.;
+}

keys/systems/forgejo-ci.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A

machines/dev/fedi200/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 200;
     proxmox = "fediversity";
@@ -14,4 +16,10 @@
       gateway = "2a00:51c0:13:1305::1";
     };
   };
+
+  nixos.module = {
+    imports = [
+      ../../../infra/common/proxmox-qemu-vm.nix
+    ];
+  };
 }

machines/dev/fedi201/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 201;
     proxmox = "fediversity";
@@ -17,6 +19,7 @@
 
   nixos.module = {
     imports = [
+      ../../../infra/common/proxmox-qemu-vm.nix
       ./fedipanel.nix
     ];
   };

machines/dev/fedi201/fedipanel.nix

@@ -1,13 +1,17 @@
 {
   config,
+  sources,
   ...
 }:
 let
   name = "panel";
 in
 {
+  _class = "nixos";
+
   imports = [
     (import ../../../panel { }).module
+    "${sources.home-manager}/nixos"
   ];
 
   security.acme = {

machines/dev/forgejo-ci/default.nix

@@ -0,0 +1,70 @@
+{ lib, ... }:
+
+let
+  inherit (lib) mkDefault mkForce;
+in
+
+{
+  _class = "nixops4Resource";
+
+  # NOTE: This needs an SSH config entry `forgejo-ci` to locate and access the
+  # machine. This is because different people access the machine in different
+  # way (eg. via a proxy vs. via Procolix's VPN). This might look like:
+  #
+  #     Host forgejo-ci
+  #          HostName 45.142.234.216
+  #          HostKeyAlias forgejo-ci
+  #
+  # The `HostKeyAlias` statement is crucial. Without it, deployment will fail
+  # with the SSH error “Host key verification failed”.
+  ssh.host = mkForce "forgejo-ci";
+
+  fediversityVm = {
+    domain = "procolix.com";
+
+    ipv4 = {
+      interface = "enp1s0f0";
+      address = "192.168.201.65";
+      prefixLength = 24;
+      gateway = "192.168.201.1";
+    };
+    ipv6.enable = false;
+  };
+
+  nixos.module =
+    { config, ... }:
+    {
+      _class = "nixos";
+
+      imports = [
+        ./forgejo-actions-runner.nix
+      ];
+
+      hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
+
+      networking = {
+        nftables.enable = mkForce false;
+        hostId = "1d6ea552";
+      };
+
+      ## NOTE: This is a physical machine, so is not covered by disko
+      fileSystems."/" = lib.mkForce {
+        device = "rpool/root";
+        fsType = "zfs";
+      };
+
+      fileSystems."/home" = {
+        device = "rpool/home";
+        fsType = "zfs";
+      };
+
+      fileSystems."/boot" = lib.mkForce {
+        device = "/dev/disk/by-uuid/50B2-DD3F";
+        fsType = "vfat";
+        options = [
+          "fmask=0077"
+          "dmask=0077"
+        ];
+      };
+    };
+}

machines/dev/forgejo-ci/forgejo-actions-runner.nix

@@ -0,0 +1,47 @@
+{ pkgs, config, ... }:
+
+{
+  _class = "nixos";
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+
+    instances.default = {
+      enable = true;
+
+      name = config.networking.fqdn;
+      url = "https://git.fediversity.eu";
+      tokenFile = config.age.secrets.forgejo-runner-token.path;
+
+      settings = {
+        log.level = "info";
+        runner = {
+          file = ".runner";
+          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
+          capacity = 1;
+          timeout = "3h";
+          insecure = false;
+          fetch_timeout = "5s";
+          fetch_interval = "2s";
+        };
+      };
+
+      ## This runner supports Docker (with a default Ubuntu image) and native
+      ## modes. In native mode, it contains a few default packages.
+      labels = [
+        "docker:docker://node:16-bullseye"
+        "native:host"
+      ];
+
+      hostPackages = with pkgs; [
+        bash
+        git
+        nix
+        nodejs
+      ];
+    };
+  };
+
+  ## For the Docker mode of the runner.
+  virtualisation.docker.enable = true;
+}

machines/dev/vm02116/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 2116;
     proxmox = "procolix";
@@ -12,6 +14,7 @@
     { lib, ... }:
     {
       imports = [
+        ../../../infra/common/proxmox-qemu-vm.nix
         ./forgejo.nix
       ];
 

machines/dev/vm02116/forgejo.nix

@@ -5,6 +5,8 @@ let
 
 in
 {
+  _class = "nixos";
+
   services.forgejo = {
     enable = true;
 

machines/dev/vm02187/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 2187;
     proxmox = "procolix";
@@ -12,6 +14,7 @@
     { lib, ... }:
     {
       imports = [
+        ../../../infra/common/proxmox-qemu-vm.nix
         ./wiki.nix
       ];
 

machines/dev/vm02187/wiki.nix

@@ -1,6 +1,8 @@
 { config, ... }:
 
 {
+  _class = "nixos";
+
   services.phpfpm.pools.mediawiki.phpOptions = ''
     upload_max_filesize = 1024M;
     post_max_size = 1024M;

machines/machines.md

@@ -7,9 +7,10 @@ Currently, this repository keeps track of the following VMs:
 
 Machine | Proxmox | Description
 --------|---------|-------------
-[`fedi200`](./fedi200) | fediversity | Testing machine for Hans
+[`fedi200`](./dev/fedi200) | fediversity | Testing machine for Hans
-[`fedi201`](./fedi201) | fediversity | FediPanel
+[`fedi201`](./dev/fedi201) | fediversity | FediPanel
-[`vm02116`](./vm02116) | procolix | Forgejo
+[`vm02116`](./dev/vm02116) | procolix | Forgejo
-[`vm02187`](./vm02187) | procolix | Wiki
+[`vm02187`](./dev/vm02187) | procolix | Wiki
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 
 This table excludes all machines with names starting with `test`.

machines/machines.md.sh

@@ -32,11 +32,12 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
     description=$(echo "$vmOptions" | jq -r ".$machine.description" | head -n 1)
 
     # shellcheck disable=SC2016
-    printf '[`%s`](./%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
+    printf '[`%s`](./dev/%s) | %s | %s\n' "$machine" "$machine" "$proxmox" "$description"
   fi
 done
 
 cat <<\EOF
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 
 This table excludes all machines with names starting with `test`.
 EOF

machines/operator/test01/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 7001;
     proxmox = "fediversity";

machines/operator/test02/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 7002;
     proxmox = "fediversity";

machines/operator/test03/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 7003;
     proxmox = "fediversity";

machines/operator/test04/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 7004;
     proxmox = "fediversity";

machines/operator/test05/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 7005;
     proxmox = "fediversity";

machines/operator/test06/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 7006;
     proxmox = "fediversity";

machines/operator/test11/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 7011;
     proxmox = "fediversity";

machines/operator/test12/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 7012;
     proxmox = "fediversity";

machines/operator/test13/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 7013;
     proxmox = "fediversity";

machines/operator/test14/default.nix

@@ -1,4 +1,6 @@
 {
+  _class = "nixops4Resource";
+
   fediversityVm = {
     vmId = 7014;
     proxmox = "fediversity";

mkFlake.nix

@@ -0,0 +1,54 @@
+## This file contains a tweak of flake-parts's `mkFlake` function to splice in
+## sources taken from npins.
+
+## NOTE: Much of the logic in this file feels like it should be not super
+## specific to fediversity. Could it make sense to extract the core of this to
+## another place it feels closer to in spirit, such as @fricklerhandwerk's
+## flake-inputs (which this code already depends on anyway, and which already
+## contained two distinct helpers for migrating away from flakes)? cf
+## https://git.fediversity.eu/Fediversity/Fediversity/pulls/447#issuecomment-8671
+
+inputs@{ self, ... }:
+
+let
+  sources = import ./npins;
+  inherit (import sources.flake-inputs) import-flake;
+
+  # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
+  # XXX - this is just importing a flake
+  nixpkgs = import-flake { src = sources.nixpkgs; };
+
+  # XXX - this overrides the inputs attached to `self`
+  inputs' = self.inputs // {
+    nixpkgs = nixpkgs;
+  };
+  self' = self // {
+    inputs = inputs';
+  };
+
+  flake-parts-lib = import "${sources.flake-parts}/lib.nix" { inherit (nixpkgs) lib; };
+in
+
+flakeModule:
+
+flake-parts-lib.mkFlake
+  {
+    # XXX - finally we override the overall set of `inputs` -- we need both:
+    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
+    inputs = inputs // {
+      inherit nixpkgs;
+    };
+    self = self';
+    specialArgs = {
+      inherit sources;
+    };
+  }
+  {
+    systems = [
+      "x86_64-linux"
+      "aarch64-linux"
+      "x86_64-darwin"
+      "aarch64-darwin"
+    ];
+    imports = [ flakeModule ];
+  }

npins/sources.json

@@ -96,6 +96,19 @@
       "url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz",
       "hash": "02wxkdpbhlm3yk5mhkhsp3kwakc16xpmsf2baw57nz1dg459qv8w"
     },
+    "home-manager": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "home-manager"
+      },
+      "branch": "master",
+      "submodules": false,
+      "revision": "863842639722dd12ae9e37ca83bcb61a63b36f6c",
+      "url": "https://github.com/nix-community/home-manager/archive/863842639722dd12ae9e37ca83bcb61a63b36f6c.tar.gz",
+      "hash": "0rw9n8d4v87pzlmw7ws15f0sldb51fd9528skpbzmrzl4pinsgij"
+    },
     "htmx": {
       "type": "GitRelease",
       "repository": {

panel/default.nix

@@ -22,12 +22,12 @@ in
       manage
 
       # NixOps4 and its dependencies
-      # FIXME: grab NixOps4 and add it here
+      pkgs.nixops4
       pkgs.nix
       pkgs.openssh
     ];
     env = {
-      DEPLOYMENT_FLAKE = ../.;
+      DEPLOYMENT_FLAKE = toString ../.;
       DEPLOYMENT_NAME = "test";
       NPINS_DIRECTORY = toString ../npins;
       CREDENTIALS_DIRECTORY = toString ./.credentials;
@@ -45,7 +45,7 @@ in
     '';
   };
 
-  module = import ./nix/configuration.nix;
+  module = ./nix/configuration.nix;
   tests = pkgs.callPackage ./nix/tests.nix { };
 
   # re-export inputs so they can be overridden granularly

panel/nix/configuration.nix

@@ -76,6 +76,8 @@ in
 #       https://git.dgnum.eu/mdebray/djangonix/
 #       unlicensed at the time of writing, but surely worth taking some inspiration from...
 {
+  _class = "nixos";
+
   options.services.${name} = {
     enable = mkEnableOption "Service configuration for `${name}`";
     production = mkOption {
@@ -145,6 +147,7 @@ in
         NixOps4 from the package's npins-based code, we will have to do with
         this workaround.
       '';
+      default = pkgs.nixops4;
     };
 
     deployment = {
@@ -199,11 +202,8 @@ in
       };
     };
 
-    users.users.${name} = {
+    # needed to place a config file with home-manager
-      # TODO[Niols]: change to system user or document why we specifically
+    users.users.${name}.isNormalUser = true;
-      # need a normal user.
-      isNormalUser = true;
-    };
 
     users.groups.${name} = { };
     systemd.services.${name} = {

panel/nix/overlay.nix

@@ -8,4 +8,17 @@ let
 in
 {
   python3 = prev.lib.attrsets.recursiveUpdate prev.python3 { pkgs = extraPython3Packages; };
+  nixops4 =
+    let
+      sources = import ../../npins;
+      inherit (import sources.flake-inputs) import-flake;
+      inherit
+        (import-flake {
+          src = ../../.;
+        })
+        inputs
+        ;
+      inherit (inputs) nixops4;
+    in
+    nixops4.packages.${prev.system}.default;
 }

panel/nix/package.nix

@@ -60,6 +60,8 @@ let
     ];
 in
 python3.pkgs.buildPythonPackage {
+  _class = "package";
+
   pname = name;
   inherit (pyproject.project) version;
   pyproject = true;

panel/nix/python-packages/django-pydantic-field/default.nix

@@ -8,6 +8,8 @@
 }:
 
 buildPythonPackage rec {
+  _class = "package";
+
   pname = "django-pydantic-field";
   version = "v0.3.12";
   pyproject = true;

panel/nix/python-packages/drf-pydantic/default.nix

@@ -10,6 +10,8 @@
 }:
 
 buildPythonPackage rec {
+  _class = "package";
+
   pname = "drf-pydantic";
   version = "v2.7.1";
   pyproject = true;

panel/nix/tests.nix

@@ -13,7 +13,6 @@ let
       secrets = {
         SECRET_KEY = pkgs.writeText "SECRET_KEY" "secret";
       };
-      nixops4Package = pkgs.hello; # FIXME: actually pass NixOps4
     };
 
     virtualisation = {

secrets/default.nix

@@ -0,0 +1,4 @@
+{
+  mapping = import ./secrets.nix;
+  rootPath = ./.;
+}

secrets/flake-part.nix

@@ -0,0 +1,5 @@
+{
+  _class = "flake";
+
+  _module.args.secrets = import ./.;
+}

secrets/forgejo-database-password.age

@@ -1,17 +1,19 @@
 age-encryption.org/v1
--> ssh-ed25519 Jpc21A 9edPaA2tT4SeYNTPzF0E157daC2o+JH/WQQCT+vLbFg
+-> ssh-ed25519 Jpc21A bBCQmvfRUwJuIXbpVJ092XUBVszGrb6gILGbgV9j9BY
-C48EtLdhB75TTzfEZTw1DypicHiVlSmFzjfbqfO9N/8
+7DEGwhqdfqMs5cxXtlMkSTPjw4qhczBgW0dmoJ6dh6g
--> ssh-ed25519 BAs8QA T+kXpZg1v0XRkub5DWir7vYwO7KaOJLZBNYxxXiBUCw
+-> ssh-ed25519 BAs8QA oiVedFC6UklEFCJUybGr93+XrddyCtV4r4TnE4nhpWI
-zBRwMTDpyI7twEwUGsmJYyYPw9btBx5Kakj1yT+XY8U
+xasnkP4NCl9TuYSE1u0Xi0b/PiwcrfHCz2QMnpTjLcU
--> ssh-ed25519 ofQnlg 4UoEDY/tdKz8LrX1BkBU1/cn+vSaYLUl7xX9YmzANBY
+-> ssh-ed25519 ofQnlg LrMcWdaEUVyIgd/KznwJW/2sucIu5MuxDEcEJAmf8mA
-8CACq1n3AJgD9IyPN23iRvThqsfQFF5+jmkKnhun24U
+p6pQoisuXre2J4r6ArV6C6lKO2J/aNdBFhqLPBoZ2wA
--> ssh-ed25519 COspvA HxcbkqHL+LpVmwb+Fo5JuUU+C+Pxzdxtb0yZHixwuzM
+-> ssh-ed25519 COspvA q2OGeVofPKyGCpr4Mf9VoaRvZCWTRl8n2mvkQOdTnyQ
-7FIhxdbjHJlgQQgjrHHUK5cecqs5aT7X3I8TWf8c2gc
+M+ffAGecJG/94k/Z5DdokltrZppS2IcxkZa8JKHwIMs
--> ssh-ed25519 2XrTgw R6Ia8MVIZKPnNZ0rspZ34EqoY8fOLeB9H7vnvNBLg1g
+-> ssh-ed25519 2XrTgw Bsz/G4QderToPSfMKOR6s5yWb0xCGUlsjGJxJYQNBRc
-55NUqz5Yygt6FKJ3bR5iHxQp8G7S2gyFwrJNX1Pb/2Y
+JYrXZb8qj1Yi9u5bnI/WzuNxy7gyFLCTIUaGNmcOYnk
--> ssh-ed25519 awJeHA hJdTuAScoewVMt7HWiisSkL0zSeClFzYzzKL84G893o
+-> ssh-ed25519 awJeHA KKJMQSt0PvC6P+T/kxQv96tSBdLQLiY2f8q35IwGm28
-ou780VLrW1s4d6L+lEVu3kXaGn4dvtFPA31supwEL50
+p7Cf2HLlPl0qmsO6Hh5zwVgKkEs3A6fdSBndMKsacbk
--> ssh-ed25519 Fa25Dw mJcqnXA3fQeoKrG7RJ7nVeLxPvrxqbj+lJdx6jQ9IR8
+-> ssh-ed25519 Fa25Dw 3m/qyannP4gjXxkUuO0LQRU8Z8HXOg4WReMDd7786y8
-f5Q7mrQSSDsm1Z/uSAnvx66mgnRC3XaBLQrVL9f/Ijs
+dNMyiBGeJDrBScE9TEyZZ7+MGMG6FLuoRTK82EVeX1w
---- W/KmboXTLV12X6WtVQKHNe+ZHvS2q9EHUZwofSgJSE8
+-> ssh-ed25519 i+ecmQ oCs4Ep2K75yjmUOh1ox4F25tGq+O/mZ2/c2E8+IRlEc
-^kûÚ	h©0ÔkÇ ¢¸_Ç·ûQÞm‘’7\òÖ}÷Áë?½qø‚<ÿm
+0Wc9gDxhvHK5tEVM5kJ0mQXc3kp7tJ2JNHg54N0+tJ8
+--- mXrqbcHxjjkS5MrQaCVm4hTsAUEENAWlIYtiYx6rtas
+ž`€úì}öÙ7Ù>­iŒbàéëÕè/&ɪŠwŽ„ì7àí[ã±Hˆc“

secrets/forgejo-runner-token.age

@@ -1,15 +1,19 @@
 age-encryption.org/v1
--> ssh-ed25519 Jpc21A N/T7HaInZ13IlJfzeli5nRz5pdBQETO6D1P8X42IHRw
+-> ssh-ed25519 Jpc21A gkSA9BJIPUm4iQdvK8OzozIPomCha7BObc7PBpwSBhc
-q431ZtsodQ9NgcWTjmS0Kx4ATwVFp2nkm+MHe7aXTZU
+QsxIoX8KXbTQPwHcANNotxje8eI51h4NmnMpcOBW2Rk
--> ssh-ed25519 BAs8QA +VUHgmz2oNG6L1FgZy3uGVMs6qUGirFHK8Ts2ghNLHs
+-> ssh-ed25519 BAs8QA 909RuMasqJSYIDWxUf282xkp6vIrmouv/UbGFLw2WXw
-sjQu78xqM6KLmRiYd2o2uK/PjYLnyZihzVoCV7qKBX4
+a7gid67fIVfuRfLsKJPb9f0oH0ZsZsfahJqD22z5Aco
--> ssh-ed25519 ofQnlg cBfd95Ir33ggt1J1P2TkFRULr2uYPVuyrQ5XpjBxEW0
+-> ssh-ed25519 ofQnlg Lx2N7tSXh6eOwcXWDiU27W4D2NEH6xj3W0t72hkNBG8
-TWFVHboXr95cFm5yjQ7gn7hjbSmVBfB/9dldsoga/9Q
+O4/RVwxUSgXgLEMBpmaJ3H49qXulSB5EebpHakcN1rA
--> ssh-ed25519 COspvA RMW9FlDmiQUu7cg0fKir55VqrDRCoYVVZMOcMHyrMj8
+-> ssh-ed25519 COspvA zQ855/8dQm+r2/GnoEFwy7ls3UDaVVaL988Rnsgs5Fs
-qeXkWdKFJN7APgYh7AjyJLeQI2CAEaGAcXiVaBaOJwY
+gl/sC2jLUCDQfsIOy6G67XObfW/io/JwCKBaqTgpzXk
--> ssh-ed25519 2XrTgw BRobowRWZ9giVL2dFyGvzzF7gyWUQd1ounMQBtsM/lM
+-> ssh-ed25519 2XrTgw ic13iHGBiNgco5PemRhzKNGdVILW0d6DpW1f/SvizSg
-dFyli2skTgzVWGVolLG2GuGNh/Xu3IaJsznOkcWqKGc
+D72w8Dgott/agkWJrybDbxBKJ3NKi7Xz2N6YO0nrTa8
--> ssh-ed25519 awJeHA Cu7fiv+SL71oho/xoJMw/Lztf4WkNKmImVS/8xyLiTo
+-> ssh-ed25519 awJeHA 143iH2pm6z9AF8fqdRbcw3c5+crLkk3HH0+wEZelu0A
-3sB/t0squi1crjHFBaN6btrvGUeWaKfmGa7yxREvy2o
+j6gK7R7AnI8JzWy7+3Wm00vmaU9/Th2BtNWs90q2r0k
---- SqPDTJ/XV26nNG1ib5phNNRdQi5+Wk0cxhqUr1ygjGw
+-> ssh-ed25519 8FIE3Q jL6tkwWOvL82zFr+kmyX3WNlFMOLsJav4Rpy7A66Hx4
-Æt”OÊá<C3A1>âåYöª¶^´Iõ×U<C397>j†ë!
k‹Y.<2E>^<5E>}Xúôæ¡3¿ÖŽ"kE×íšú¾‹s¥,0l+¾ýn‡;fW®‹
+gE8+tgytH+y8HTKbeBsQeKKnqfmvl5O38diRsjipTDc
+-> ssh-ed25519 i+ecmQ AukyGGsUOnTj/h7sxxrldeskrMC2Wn4UL+E+HBIs9R0
+S2EwHq05mSOqTAih7nkj31NU9GitxMdSm+/BlLOQsis
+--- jW2fMlcUYlscw0dAkR5T+yfilTWOiODJmuqzFypcjUU
+õ˜›µ 0Ïfø‰œ]Á€âXøè:HœPZðGk<47>ÜþÊÕxmÿÀ©K‚P$z<>ŒŸð¯ÃRCš5Üå˜FH\A 2Z&ì—Óð±¯lü`p

secrets/secrets.nix

@@ -7,11 +7,12 @@ let
 
   keys = import ../keys;
   contributors = attrValues keys.contributors;
+  cd = [ keys.cd ];
 in
 
 concatMapAttrs
   (name: systems: {
-    "${name}.age".publicKeys = contributors ++ systems;
+    "${name}.age".publicKeys = contributors ++ systems ++ cd;
   })
 
   (
@@ -26,7 +27,7 @@ concatMapAttrs
     {
       forgejo-database-password = [ vm02116 ];
       forgejo-email-password = [ vm02116 ];
-      forgejo-runner-token = [ ];
+      forgejo-runner-token = [ forgejo-ci ];
       panel-secret-key = [ fedi201 ];
       panel-ssh-key = [ fedi201 ];
       wiki-basicauth-htpasswd = [ vm02187 ];

secrets/wiki-basicauth-htpasswd.age

@@ -1,18 +1,19 @@
 age-encryption.org/v1
--> ssh-ed25519 Jpc21A EuMYAiZX+4A12eu19mIY7u+WYF7NJ9qJosQSVlxR6n8
+-> ssh-ed25519 Jpc21A NStZFZPTHMhVCnQ5Zkbl39vWztrxfsSXok24/e8H7QQ
-bK5CMXAmP23t1p9bgmqoVg4Qcu2qYKGc4t36v8e9eow
+JjHP6Cus76PGYYxpbnc2cSZ79zvdD8LISYDPbvXsnqU
--> ssh-ed25519 BAs8QA IwRyitDNTzUPzQAUbDNEKjFiF8WPD/OyztOZQeoTEzw
+-> ssh-ed25519 BAs8QA iocHfHjWlEUsbtibqEbYDceAqURr2vjxuYapqon9hyU
-OwiTWvk4NmUgExav0uH6HlThDNU5hsKXfR6KHsFOV3I
+ljL+olZdhWtHeV3uh3pOu22+sY13wPn2vKQDduPSqVs
--> ssh-ed25519 ofQnlg 3TcMbLX1JsQL8+Gqy7IFZwykZr2BspvPCuZT1SHtnQQ
+-> ssh-ed25519 ofQnlg 9YVfMKyoP3+xtzg/ok2I9yf3YdIYoBpUJa/3d2N/8lI
-Ci5OeBj2aiC8ut9jIEUMt3qfYH+cJrnVud6AH54Ndn8
+2yUalyj7O3c1YDA2xTb9QNYrFBDHwcyGBX3mydv0ifI
--> ssh-ed25519 COspvA 0t9f3Wu3ILv4QTJhwT619y+7XFrryCLbpIZC6aE+qQI
+-> ssh-ed25519 COspvA cOSNsZXBbhQ/B49fq3KwcY6siVrTz48doTrta/0d/Hw
-oPQP48F6oO/tkqLZDdjkGtIap7KHiAknbpTNL6/yLaU
+jcRtVxA/tVFM9btPAPI6zKk8BwAVlaQlvHC203MpmIQ
--> ssh-ed25519 2XrTgw YOZsaYQH9vMH0QqSXGh8GyhRV4MbcBGPFfFaKpo3Ckk
+-> ssh-ed25519 2XrTgw d3EKtYkxjeJZ8kt3ofIklGmRwUCgTIB/WVVlvxggGRk
-kUShJbADA+6bpx2adxvzlI/0jSM5bIBfZfdSE/7Vm5Y
+IhcrpWN9xFsKRw9iCfYMONPOU7TpTt4kTBNwMDtk7zo
--> ssh-ed25519 awJeHA dF3m0hQWX9c0EezDr56Kt/F4d1Uim7NwvIX6zRws0Eo
+-> ssh-ed25519 awJeHA Ei64e3+FJDM6S8NP+YfEWEg9t72qTXZ0IdZE8dYQPm4
-pst243yrARODwrnyz8cJAzgDxdPOUsRbs7yPZePABFs
+ggRc86sXin06eXJkLbK8CdJFDa1237WMfSgwNd5ngmM
--> ssh-ed25519 dgBsjw PUYHcP/tgNnKyvlIoJRcNcW3zabVV1iHXIWfKqgW9xc
+-> ssh-ed25519 dgBsjw 9etK6tNrFlWVAKTz5U0TitkiGYLKTad3QiRWVpLPrwM
-tXNjSuVH/g/oN5o75FPkFFpviF7SeFSN9kbqURvgMDE
+xHLzFnRtcvpVZYZrxWz5q4uadhHrHVlfqjteOWfIccE
---- wHgBAN9c6F6T5hFJGo8uH8zqDkQDwx3/jVNKUtQ3arE
+-> ssh-ed25519 i+ecmQ SDTnYBLMOaH173B/wqaOifE6a90gSesRqMHmX7/iZFk
-«Ñ¢Á
+kS9tuKnMXCXNUnoZ06DisOOyZHe/mZl4a0JRA+eynE8
-ò@µú¡fÃ`m;ÕcæäU²€ùò£Íd…eS’èyfv¿»¡€J?ø `œfj£Äa}lÃó ¿Úxç²BÇt2èfìôm08ÓoÝtRál9˜èx¤¢ŒÅž›æ÷
+--- C0R5WxDDCqQGxyvFoeNX838az0bjp55PGh//1NFG4LE
+ŠÉY—±³<EFBFBD>„ÏKRÇËej±éŒ7xÑíE¹ Óì¾7jÏ
-œJý«[ÀF?Ÿ=-w‘XMC~)èÅ›ƒ<E280BA>Éõb«ëƒCÜ4ÌÖÞOwý~–¿š8ñv—ÙÜžèX»ØÆ’ƒí!5¦

services/README.md

@@ -21,11 +21,11 @@ For those that know it, we could say that the current module is an analogous of
 
 ## Content of this directory
 
-- [fediversity][./fediversity] contains the definition of the services. Look in
+- [fediversity](./fediversity) contains the definition of the services. Look in
   particular at its `default.nix` that contains the definition of the options.
 
-- [vm][./vm] contains options specific to making the service run in local QEMU
+- [vm](./vm) contains options specific to making the service run in local QEMU
   VMs. These modules will for instance override the defaults to disable SSL, and
   they will add virtualisation options to forward ports, for instance.
 
-- [tests][./tests] contain full NixOS tests of the services.
+- [tests](./tests) contain full NixOS tests of the services.

services/default.nix

@@ -1,13 +0,0 @@
-{
-  system ? builtins.currentSystem,
-  sources ? import ../npins,
-  pkgs ? import sources.nixpkgs { inherit system; },
-  ...
-}:
-{
-  tests = {
-    mastodon = pkgs.nixosTest ./tests/mastodon.nix;
-    pixelfed-garage = pkgs.nixosTest ./tests/pixelfed-garage.nix;
-    peertube = pkgs.nixosTest ./tests/peertube.nix;
-  };
-}

services/fediversity/default.nix

@@ -6,6 +6,8 @@ let
 
 in
 {
+  _class = "nixos";
+
   imports = [
     ./garage
     ./mastodon
@@ -47,7 +49,7 @@ in
               displayName = mkOption {
                 type = types.str;
                 description = "Name of the initial user, for humans";
-                default = config.fediversity.temp.initialUser.name;
+                default = config.fediversity.temp.initialUser.username;
               };
               email = mkOption {
                 type = types.str;
@@ -63,4 +65,16 @@ in
       };
     };
   };
+
+  config = {
+    ## FIXME: This should clearly go somewhere else; and we should have a
+    ## `staging` vs. `production` setting somewhere.
+    security.acme = {
+      acceptTerms = true;
+      # use a priority more urgent than mkDefault for panel deployment to work,
+      # yet looser than default so this will not clash with the setting in tests.
+      defaults.email = lib.modules.mkOverride 200 "something@fediversity.net";
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+    };
+  };
 }

services/fediversity/garage/default.nix

@@ -97,6 +97,8 @@ let
 
 in
 {
+  _class = "nixos";
+
   imports = [ ./options.nix ];
 
   config = mkIf config.fediversity.garage.enable {

services/fediversity/garage/options.nix

@@ -5,6 +5,8 @@ let
 in
 
 {
+  _class = "nixos";
+
   options.fediversity.garage = {
     enable = mkEnableOption "Enable a Garage server on the machine";
 

services/fediversity/mastodon/default.nix

@@ -11,6 +11,8 @@ let
 
 in
 {
+  _class = "nixos";
+
   imports = [ ./options.nix ];
 
   config = mkMerge [

services/fediversity/mastodon/options.nix

@@ -1,6 +1,8 @@
 { config, lib, ... }:
 
 {
+  _class = "nixos";
+
   options.fediversity.mastodon =
     (import ../sharedOptions.nix {
       inherit config lib;

services/fediversity/peertube/default.nix

@@ -5,6 +5,8 @@ let
 
 in
 {
+  _class = "nixos";
+
   imports = [ ./options.nix ];
 
   config = mkMerge [

services/fediversity/peertube/options.nix

@@ -6,6 +6,8 @@ let
 
 in
 {
+  _class = "nixos";
+
   options.fediversity.peertube =
     (import ../sharedOptions.nix {
       inherit config lib;

services/fediversity/pixelfed/default.nix

@@ -15,6 +15,8 @@ let
 
 in
 {
+  _class = "nixos";
+
   imports = [ ./options.nix ];
 
   config = mkMerge [

services/fediversity/pixelfed/options.nix

@@ -1,6 +1,8 @@
 { config, lib, ... }:
 
 {
+  _class = "nixos";
+
   options.fediversity.pixelfed =
     (import ../sharedOptions.nix {
       inherit config lib;