fix typo

get parity in authorized keys between procolix and root for nixops4 ssh to non-VMs (#474 )
Reviewed-on: Fediversity/Fediversity#474 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>
2025-07-17 19:00:41 +02:00 · 2025-07-17 18:59:31 +02:00 · 2025-07-17 15:25:17 +02:00 · 2025-07-17 10:01:51 +02:00 · 2025-07-16 20:51:23 +02:00 · 2025-07-16 18:18:16 +02:00
110 changed files with 1181 additions and 863 deletions
--- a/.forgejo/workflows/cd.yaml
+++ b/.forgejo/workflows/cd.yaml
@ -0,0 +1,24 @@
 name: deploy-infra
 on:
  workflow_dispatch: # allows manual triggering
  push:
    branches:
      - main
 jobs:
  deploy:
    runs-on: native
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set up SSH key for age secrets and SSH
        run: |
          env
          mkdir -p ~/.ssh
          echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
      - name: Deploy
        run: nix-shell --run 'eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519 && SHELL=$(which bash) nixops4 apply -v default'
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@ -21,17 +21,23 @@ jobs:
      - uses: actions/checkout@v4
      - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'
  check-mastodon:
    runs-on: native
    steps:
      - uses: actions/checkout@v4
      - run: nix build .#checks.x86_64-linux.test-mastodon-service -L
  check-peertube:
    runs-on: native
    steps:
      - uses: actions/checkout@v4
-      - run: cd services && nix-build -A tests.peertube
+      - run: nix build .#checks.x86_64-linux.test-peertube-service -L
  check-panel:
    runs-on: native
    steps:
      - uses: actions/checkout@v4
-      - run: cd panel && nix-build -A tests
+      - run: nix-build -A tests.panel
  check-deployment-basic:
    runs-on: native
--- a/.forgejo/workflows/update.yaml
+++ b/.forgejo/workflows/update.yaml
@ -2,8 +2,9 @@ name: update-dependencies
 on:
  workflow_dispatch: # allows manual triggering
-  schedule:
+  # FIXME: re-enable when manual run works
-    - cron: '0 0 1 * *' # monthly
+  # schedule:
  #   - cron: '0 0 1 * *' # monthly
 jobs:
  lockfile:
@ -11,11 +12,12 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
-      - name: Install npins
+      - name: Update pins
        run: nix-shell --run "npins update"
      - name: Create PR
-        uses: peter-evans/create-pull-request@v7
+        uses: https://github.com/KiaraGrouwstra/gitea-create-pull-request@f9f80aa5134bc5c03c38f5aaa95053492885b397
        with:
          remote-instance-api-version: v1
          token: "${{ secrets.DEPLOY_KEY }}"
          branch: npins-update
          commit-message: "npins: update sources"
--- a/default.nix
+++ b/default.nix
@ -10,6 +10,9 @@ let
    gitignore
    ;
  inherit (pkgs) lib;
  inherit (import sources.flake-inputs) import-flake;
  inherit ((import-flake { src = ./.; }).inputs) nixops4;
  panel = import ./panel { inherit sources system; };
  pre-commit-check =
    (import "${git-hooks}/nix" {
      inherit nixpkgs system;
@ -55,13 +58,21 @@ in
        };
      in
      [
        pkgs.npins
        pkgs.nil
        (pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
        pkgs.openssh
        pkgs.httpie
        pkgs.jq
        pkgs.nix-unit
        test-loop
        nixops4.packages.${system}.default
      ];
  };
  tests = {
    inherit pre-commit-check;
    panel = panel.tests;
  };
  # re-export inputs so they can be overridden granularly
--- a/deployment/check/basic/constants.nix
+++ b/deployment/check/basic/constants.nix
@ -0,0 +1,8 @@
 {
  targetMachines = [
    "hello"
    "cowsay"
  ];
  pathToRoot = ../../..;
  pathFromRoot = ./.;
 }
--- a/deployment/check/basic/default.nix
+++ b/deployment/check/basic/default.nix
@ -0,0 +1,14 @@
 {
  runNixOSTest,
  inputs,
  sources,
 }:
 runNixOSTest {
  imports = [
    ../common/nixosTest.nix
    ./nixosTest.nix
  ];
  _module.args = { inherit inputs sources; };
  inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
 }
--- a/deployment/check/basic/deployment.nix
+++ b/deployment/check/basic/deployment.nix
@ -0,0 +1,36 @@
 {
  inputs,
  sources,
  lib,
  providers,
  ...
 }:
 let
  inherit (import ./constants.nix) targetMachines pathToRoot pathFromRoot;
 in
 {
  providers = {
    inherit (inputs.nixops4.modules.nixops4Provider) local;
  };
  resources = lib.genAttrs targetMachines (nodeName: {
    type = providers.local.exec;
    imports = [
      inputs.nixops4-nixos.modules.nixops4Resource.nixos
      ../common/targetResource.nix
    ];
    _module.args = { inherit inputs sources; };
    inherit nodeName pathToRoot pathFromRoot;
    nixos.module =
      { pkgs, ... }:
      {
        environment.systemPackages = [ pkgs.${nodeName} ];
      };
  });
 }
--- a/deployment/check/basic/flake-part.nix
+++ b/deployment/check/basic/flake-part.nix
@ -1,54 +0,0 @@
 {
  self,
  inputs,
  lib,
  ...
 }:
 let
  inherit (lib) genAttrs;
  targetMachines = [
    "hello"
    "cowsay"
  ];
  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
  pathFromRoot = ./.;
 in
 {
  perSystem =
    { pkgs, ... }:
    {
      checks.deployment-basic = pkgs.testers.runNixOSTest {
        imports = [
          ../common/nixosTest.nix
          ./nixosTest.nix
        ];
        _module.args.inputs = inputs;
        inherit targetMachines pathToRoot pathFromRoot;
      };
    };
  nixops4Deployments.check-deployment-basic =
    { providers, ... }:
    {
      providers = {
        inherit (inputs.nixops4.modules.nixops4Provider) local;
      };
      resources = genAttrs targetMachines (nodeName: {
        type = providers.local.exec;
        imports = [
          inputs.nixops4-nixos.modules.nixops4Resource.nixos
          ../common/targetResource.nix
        ];
        _module.args.inputs = inputs;
        inherit nodeName pathToRoot pathFromRoot;
        nixos.module =
          { pkgs, ... }:
          {
            environment.systemPackages = [ pkgs.${nodeName} ];
          };
      });
    };
 }
--- a/deployment/check/basic/flake-under-test.nix
+++ b/deployment/check/basic/flake-under-test.nix
@ -0,0 +1,22 @@
 {
  inputs = {
    nixops4.follows = "nixops4-nixos/nixops4";
    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
  };
  outputs =
    inputs:
    import ./mkFlake.nix inputs (
      { inputs, sources, ... }:
      {
        imports = [
          inputs.nixops4.modules.flake.default
        ];
        nixops4Deployments.check-deployment-basic = {
          imports = [ ./deployment/check/basic/deployment.nix ];
          _module.args = { inherit inputs sources; };
        };
      }
    );
 }
--- a/deployment/check/basic/nixosTest.nix
+++ b/deployment/check/basic/nixosTest.nix
@ -1,8 +1,15 @@
-{ inputs, ... }:
+{ inputs, lib, ... }:
 {
  _class = "nixosTest";
  name = "deployment-basic";
  sourceFileset = lib.fileset.unions [
    ./constants.nix
    ./deployment.nix
  ];
  nodes.deployer =
    { pkgs, ... }:
    {
--- a/deployment/check/cli/constants.nix
+++ b/deployment/check/cli/constants.nix
@ -0,0 +1,11 @@
 {
  targetMachines = [
    "garage"
    "mastodon"
    "peertube"
    "pixelfed"
  ];
  pathToRoot = ../../..;
  pathFromRoot = ./.;
  enableAcme = true;
 }
--- a/deployment/check/cli/default.nix
+++ b/deployment/check/cli/default.nix
@ -0,0 +1,19 @@
 {
  runNixOSTest,
  inputs,
  sources,
 }:
 runNixOSTest {
  imports = [
    ../common/nixosTest.nix
    ./nixosTest.nix
  ];
  _module.args = { inherit inputs sources; };
  inherit (import ./constants.nix)
    targetMachines
    pathToRoot
    pathFromRoot
    enableAcme
    ;
 }
--- a/deployment/check/cli/deployments.nix
+++ b/deployment/check/cli/deployments.nix
@ -0,0 +1,59 @@
 {
  inputs,
  sources,
  lib,
 }:
 let
  inherit (builtins) fromJSON readFile listToAttrs;
  inherit (import ./constants.nix)
    targetMachines
    pathToRoot
    pathFromRoot
    enableAcme
    ;
  makeTargetResource = nodeName: {
    imports = [ ../common/targetResource.nix ];
    _module.args = { inherit inputs sources; };
    inherit
      nodeName
      pathToRoot
      pathFromRoot
      enableAcme
      ;
  };
  ## The deployment function - what we are here to test!
  ##
  ## TODO: Modularise `deployment/default.nix` to get rid of the nested
  ## function calls.
  makeTestDeployment =
    args:
    (import ../..)
      {
        inherit lib;
        inherit (inputs) nixops4 nixops4-nixos;
        fediversity = import ../../../services/fediversity;
      }
      (listToAttrs (
        map (nodeName: {
          name = "${nodeName}ConfigurationResource";
          value = makeTargetResource nodeName;
        }) targetMachines
      ))
      (fromJSON (readFile ../../configuration.sample.json) // args);
 in
 {
  check-deployment-cli-nothing = makeTestDeployment { };
  check-deployment-cli-mastodon-pixelfed = makeTestDeployment {
    mastodon.enable = true;
    pixelfed.enable = true;
  };
  check-deployment-cli-peertube = makeTestDeployment {
    peertube.enable = true;
  };
 }
--- a/deployment/check/cli/flake-part.nix
+++ b/deployment/check/cli/flake-part.nix
@ -1,87 +0,0 @@
 {
  self,
  inputs,
  lib,
  ...
 }:
 let
  inherit (builtins) fromJSON readFile listToAttrs;
  targetMachines = [
    "garage"
    "mastodon"
    "peertube"
    "pixelfed"
  ];
  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
  pathFromRoot = ./.;
  enableAcme = true;
 in
 {
  perSystem =
    { pkgs, ... }:
    {
      checks.deployment-cli = pkgs.testers.runNixOSTest {
        imports = [
          ../common/nixosTest.nix
          ./nixosTest.nix
        ];
        _module.args.inputs = inputs;
        inherit
          targetMachines
          pathToRoot
          pathFromRoot
          enableAcme
          ;
      };
    };
  nixops4Deployments =
    let
      makeTargetResource = nodeName: {
        imports = [ ../common/targetResource.nix ];
        _module.args.inputs = inputs;
        inherit
          nodeName
          pathToRoot
          pathFromRoot
          enableAcme
          ;
      };
      ## The deployment function - what we are here to test!
      ##
      ## TODO: Modularise `deployment/default.nix` to get rid of the nested
      ## function calls.
      makeTestDeployment =
        args:
        (import ../..)
          {
            inherit lib;
            inherit (inputs) nixops4 nixops4-nixos;
            fediversity = import ../../../services/fediversity;
          }
          (listToAttrs (
            map (nodeName: {
              name = "${nodeName}ConfigurationResource";
              value = makeTargetResource nodeName;
            }) targetMachines
          ))
          (fromJSON (readFile ../../configuration.sample.json) // args);
    in
    {
      check-deployment-cli-nothing = makeTestDeployment { };
      check-deployment-cli-mastodon-pixelfed = makeTestDeployment {
        mastodon.enable = true;
        pixelfed.enable = true;
      };
      check-deployment-cli-peertube = makeTestDeployment {
        peertube.enable = true;
      };
    };
 }
--- a/deployment/check/cli/flake-under-test.nix
+++ b/deployment/check/cli/flake-under-test.nix
@ -0,0 +1,26 @@
 {
  inputs = {
    nixops4.follows = "nixops4-nixos/nixops4";
    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
  };
  outputs =
    inputs:
    import ./mkFlake.nix inputs (
      {
        inputs,
        sources,
        lib,
        ...
      }:
      {
        imports = [
          inputs.nixops4.modules.flake.default
        ];
        nixops4Deployments = import ./deployment/check/cli/deployments.nix {
          inherit inputs sources lib;
        };
      }
    );
 }
--- a/deployment/check/cli/nixosTest.nix
+++ b/deployment/check/cli/nixosTest.nix
@ -1,4 +1,9 @@
-{ inputs, hostPkgs, ... }:
+{
  inputs,
  hostPkgs,
  lib,
  ...
 }:
 let
  ## Some places need a dummy file that will in fact never be used. We create
@ -7,8 +12,25 @@ let
 in
 {
  _class = "nixosTest";
  name = "deployment-cli";
  sourceFileset = lib.fileset.unions [
    ./constants.nix
    ./deployments.nix
    # REVIEW: I would like to be able to grab all of `/deployment` minus
    # `/deployment/check`, but I can't because there is a bunch of other files
    # in `/deployment`. Maybe we can think of a reorg making things more robust
    # here? (comment also in panel test)
    ../../default.nix
    ../../options.nix
    ../../configuration.sample.json
    ../../../services/fediversity
  ];
  nodes.deployer =
    { pkgs, ... }:
    {
--- a/deployment/check/common/deployerNode.nix
+++ b/deployment/check/common/deployerNode.nix
@ -3,6 +3,7 @@
  lib,
  pkgs,
  config,
  sources,
  ...
 }:
@ -14,10 +15,10 @@ let
    types
    ;
  sources = import ../../../npins;
 in
 {
  _class = "nixos";
  imports = [ ./sharedOptions.nix ];
  options.system.extraDependenciesFromModule = mkOption {
@ -53,13 +54,13 @@ in
    system.extraDependencies =
      [
-        "${inputs.flake-parts}"
+        inputs.nixops4
-        "${inputs.flake-parts.inputs.nixpkgs-lib}"
+        inputs.nixops4-nixos
-        "${inputs.nixops4}"
+        inputs.nixpkgs
        "${inputs.nixops4-nixos}"
        "${inputs.nixpkgs}"
-        "${sources.flake-inputs}"
+        sources.flake-parts
        sources.flake-inputs
        sources.git-hooks
        pkgs.stdenv
        pkgs.stdenvNoCC
@ -76,7 +77,7 @@ in
              config.system.extraDependenciesFromModule
              {
                nixpkgs.hostPlatform = "x86_64-linux";
-                _module.args.inputs = inputs;
+                _module.args = { inherit inputs sources; };
                enableAcme = config.enableAcme;
                acmeNodeIP = config.acmeNodeIP;
              }
--- a/deployment/check/common/nixosTest.nix
+++ b/deployment/check/common/nixosTest.nix
@ -3,6 +3,7 @@
  lib,
  config,
  hostPkgs,
  sources,
  ...
 }:
@ -12,6 +13,7 @@ let
    toJSON
    ;
  inherit (lib)
    types
    fileset
    mkOption
    genAttrs
@ -26,14 +28,6 @@ let
  forConcat = xs: f: concatStringsSep "\n" (map f xs);
  ## The whole repository, with the flake at its root.
  ## FIXME: We could probably have fileset be the union of ./. with flake.nix
  ## and flake.lock - I doubt we need anything else.
  src = fileset.toSource {
    fileset = config.pathToRoot;
    root = config.pathToRoot;
  };
  ## We will need to override some inputs by the empty flake, so we make one.
  emptyFlake = runCommandNoCC "empty-flake" { } ''
    mkdir $out
@ -42,6 +36,8 @@ let
 in
 {
  _class = "nixosTest";
  imports = [
    ./sharedOptions.nix
  ];
@ -50,16 +46,46 @@ in
    ## FIXME: I wish I could just use `testScript` but with something like
    ## `mkOrder` to put this module's string before something else.
    extraTestScript = mkOption { };
    sourceFileset = mkOption {
      ## REVIEW: Upstream to nixpkgs?
      type = types.mkOptionType {
        name = "fileset";
        description = "fileset";
        descriptionClass = "noun";
        check = (x: (builtins.tryEval (fileset.unions [ x ])).success);
        merge = (_: defs: fileset.unions (map (x: x.value) defs));
      };
      description = ''
        A fileset that will be copied to the deployer node in the current
        working directory. This should contain all the files that are
        necessary to run that particular test, such as the NixOS
        modules necessary to evaluate a deployment.
      '';
    };
  };
  config = {
    sourceFileset = fileset.unions [
      # NOTE: not the flake itself; it will be overridden.
      ../../../mkFlake.nix
      ../../../flake.lock
      ../../../npins
      ./sharedOptions.nix
      ./targetNode.nix
      ./targetResource.nix
      (config.pathToCwd + "/flake-under-test.nix")
    ];
    acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
    nodes =
      {
        deployer = {
          imports = [ ./deployerNode.nix ];
-          _module.args.inputs = inputs;
+          _module.args = { inherit inputs sources; };
          enableAcme = config.enableAcme;
          acmeNodeIP = config.nodes.acme.networking.primaryIPAddress;
        };
@ -86,7 +112,7 @@ in
        genAttrs config.targetMachines (_: {
          imports = [ ./targetNode.nix ];
-          _module.args.inputs = inputs;
+          _module.args = { inherit inputs sources; };
          enableAcme = config.enableAcme;
          acmeNodeIP = if config.enableAcme then config.nodes.acme.networking.primaryIPAddress else null;
        });
@ -100,8 +126,16 @@ in
        ${n}.wait_for_unit("multi-user.target")
      '')}
      ## A subset of the repository that is necessary for this test. It will be
      ## copied inside the test. The smaller this set, the faster our CI, because we
      ## won't need to re-run when things change outside of it.
      with subtest("Unpacking"):
-        deployer.succeed("cp -r --no-preserve=mode ${src}/* .")
+        deployer.succeed("cp -r --no-preserve=mode ${
          fileset.toSource {
            root = ../../..;
            fileset = config.sourceFileset;
          }
        }/* .")
      with subtest("Configure the network"):
        ${forConcat config.targetMachines (
@ -131,11 +165,16 @@ in
      ## NOTE: This is super slow. It could probably be optimised in Nix, for
      ## instance by allowing to grab things directly from the host's store.
-      with subtest("Override the lock"):
+      ##
      ## NOTE: We use the repository as-is (cf `src` above), overriding only
      ## `flake.nix` by our `flake-under-test.nix`. We also override the flake
      ## lock file to use locally available inputs, as we cannot download them.
      ##
      with subtest("Override the flake and its lock"):
        deployer.succeed("cp ${config.pathFromRoot}/flake-under-test.nix flake.nix")
        deployer.succeed("""
          nix flake lock --extra-experimental-features 'flakes nix-command' \
            --offline -v \
            --override-input flake-parts ${inputs.flake-parts} \
            --override-input nixops4 ${inputs.nixops4.packages.${system}.flake-in-a-bottle} \
            \
            --override-input nixops4-nixos ${inputs.nixops4-nixos} \
@ -147,9 +186,6 @@ in
              inputs.nixops4-nixos.inputs.nixops4.packages.${system}.flake-in-a-bottle
            } \
            --override-input nixops4-nixos/git-hooks-nix ${emptyFlake} \
            \
            --override-input nixpkgs ${inputs.nixpkgs} \
            --override-input git-hooks ${inputs.git-hooks} \
            ;
        """)
--- a/deployment/check/common/sharedOptions.nix
+++ b/deployment/check/common/sharedOptions.nix
@ -11,6 +11,7 @@ let
  inherit (lib) mkOption types;
 in
 # `config` not set and imported from multiple places: no fixed module class
 {
  options = {
    targetMachines = mkOption {
--- a/deployment/check/common/targetNode.nix
+++ b/deployment/check/common/targetNode.nix
@ -12,6 +12,8 @@ let
 in
 {
  _class = "nixos";
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    (modulesPath + "/../lib/testing/nixos-test-base.nix")
--- a/deployment/check/common/targetResource.nix
+++ b/deployment/check/common/targetResource.nix
@ -2,6 +2,7 @@
  inputs,
  lib,
  config,
  sources,
  ...
 }:
@ -12,6 +13,8 @@ let
 in
 {
  _class = "nixops4Resource";
  imports = [ ./sharedOptions.nix ];
  options = {
@ -38,7 +41,7 @@ in
        (lib.modules.importJSON (config.pathToCwd + "/${config.nodeName}-network.json"))
      ];
-      _module.args.inputs = inputs;
+      _module.args = { inherit inputs sources; };
      enableAcme = config.enableAcme;
      acmeNodeIP = trim (readFile (config.pathToCwd + "/acme_server_ip"));
--- a/deployment/check/panel/constants.nix
+++ b/deployment/check/panel/constants.nix
@ -0,0 +1,11 @@
 {
  targetMachines = [
    "garage"
    "mastodon"
    "peertube"
    "pixelfed"
  ];
  pathToRoot = ../../..;
  pathFromRoot = ./.;
  enableAcme = true;
 }
--- a/deployment/check/panel/default.nix
+++ b/deployment/check/panel/default.nix
@ -0,0 +1,19 @@
 {
  runNixOSTest,
  inputs,
  sources,
 }:
 runNixOSTest {
  imports = [
    ../common/nixosTest.nix
    ./nixosTest.nix
  ];
  _module.args = { inherit inputs sources; };
  inherit (import ./constants.nix)
    targetMachines
    pathToRoot
    pathFromRoot
    enableAcme
    ;
 }
--- a/deployment/check/panel/deployment.nix
+++ b/deployment/check/panel/deployment.nix
@ -0,0 +1,58 @@
 {
  inputs,
  sources,
  lib,
 }:
 let
  inherit (builtins) fromJSON listToAttrs;
  inherit (import ./constants.nix)
    targetMachines
    pathToRoot
    pathFromRoot
    enableAcme
    ;
  makeTargetResource = nodeName: {
    imports = [ ../common/targetResource.nix ];
    _module.args = { inherit inputs sources; };
    inherit
      nodeName
      pathToRoot
      pathFromRoot
      enableAcme
      ;
  };
  ## The deployment function - what we are here to test!
  ##
  ## TODO: Modularise `deployment/default.nix` to get rid of the nested
  ## function calls.
  makeTestDeployment =
    args:
    (import ../..)
      {
        inherit lib;
        inherit (inputs) nixops4 nixops4-nixos;
        fediversity = import ../../../services/fediversity;
      }
      (listToAttrs (
        map (nodeName: {
          name = "${nodeName}ConfigurationResource";
          value = makeTargetResource nodeName;
        }) targetMachines
      ))
      args;
 in
 makeTestDeployment (
  fromJSON (
    let
      env = builtins.getEnv "DEPLOYMENT";
    in
    if env == "" then
      throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
    else
      env
  )
 )
--- a/deployment/check/panel/flake-part.nix
+++ b/deployment/check/panel/flake-part.nix
@ -1,91 +0,0 @@
 {
  self,
  inputs,
  lib,
  ...
 }:
 let
  inherit (builtins)
    fromJSON
    listToAttrs
    ;
  targetMachines = [
    "garage"
    "mastodon"
    "peertube"
    "pixelfed"
  ];
  pathToRoot = /. + (builtins.unsafeDiscardStringContext self);
  pathFromRoot = ./.;
  enableAcme = true;
 in
 {
  perSystem =
    { pkgs, ... }:
    {
      checks.deployment-panel = pkgs.testers.runNixOSTest {
        imports = [
          ../common/nixosTest.nix
          ./nixosTest.nix
        ];
        _module.args.inputs = inputs;
        inherit
          targetMachines
          pathToRoot
          pathFromRoot
          enableAcme
          ;
      };
    };
  nixops4Deployments =
    let
      makeTargetResource = nodeName: {
        imports = [ ../common/targetResource.nix ];
        _module.args.inputs = inputs;
        inherit
          nodeName
          pathToRoot
          pathFromRoot
          enableAcme
          ;
      };
      ## The deployment function - what we are here to test!
      ##
      ## TODO: Modularise `deployment/default.nix` to get rid of the nested
      ## function calls.
      makeTestDeployment =
        args:
        (import ../..)
          {
            inherit lib;
            inherit (inputs) nixops4 nixops4-nixos;
            fediversity = import ../../../services/fediversity;
          }
          (listToAttrs (
            map (nodeName: {
              name = "${nodeName}ConfigurationResource";
              value = makeTargetResource nodeName;
            }) targetMachines
          ))
          args;
    in
    {
      check-deployment-panel = makeTestDeployment (
        fromJSON (
          let
            env = builtins.getEnv "DEPLOYMENT";
          in
          if env == "" then
            throw "The DEPLOYMENT environment needs to be set. You do not want to use this deployment unless in the `deployment-panel` NixOS test."
          else
            env
        )
      );
    };
 }
--- a/deployment/check/panel/flake-under-test.nix
+++ b/deployment/check/panel/flake-under-test.nix
@ -0,0 +1,26 @@
 {
  inputs = {
    nixops4.follows = "nixops4-nixos/nixops4";
    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
  };
  outputs =
    inputs:
    import ./mkFlake.nix inputs (
      {
        inputs,
        sources,
        lib,
        ...
      }:
      {
        imports = [
          inputs.nixops4.modules.flake.default
        ];
        nixops4Deployments.check-deployment-panel = import ./deployment/check/panel/deployment.nix {
          inherit inputs sources lib;
        };
      }
    );
 }
--- a/deployment/check/panel/nixosTest.nix
+++ b/deployment/check/panel/nixosTest.nix
@ -121,8 +121,24 @@ let
 in
 {
  _class = "nixosTest";
  name = "deployment-panel";
  sourceFileset = lib.fileset.unions [
    ./constants.nix
    ./deployment.nix
    # REVIEW: I would like to be able to grab all of `/deployment` minus
    # `/deployment/check`, but I can't because there is a bunch of other files
    # in `/deployment`. Maybe we can think of a reorg making things more robust
    # here? (comment also in CLI test)
    ../../default.nix
    ../../options.nix
    ../../../services/fediversity
  ];
  ## The panel's module sets `nixpkgs.overlays` which clashes with
  ## `pkgsReadOnly`. We disable it here.
  node.pkgsReadOnly = false;
@ -153,7 +169,6 @@ in
          SECRET_KEY = dummyFile;
        };
        port = panelPort;
        nixops4Package = inputs.nixops4.packages.${pkgs.system}.default;
        deployment = {
          flake = "/run/fedipanel/flake";
--- a/deployment/data-model-test.nix
+++ b/deployment/data-model-test.nix
@ -1,9 +1,13 @@
 let
-  inherit (import ../default.nix { }) pkgs;
+  inherit (import ../default.nix { }) pkgs inputs;
  inherit (pkgs) lib;
  inherit (lib) mkOption;
  eval =
    module:
    (lib.evalModules {
      specialArgs = {
        inherit inputs;
      };
      modules = [
        module
        ./data-model.nix
@ -11,35 +15,56 @@ let
    }).config;
 in
 {
  _class = "nix-unit";
  test-eval = {
    expr =
      let
-        example = eval {
+        fediversity = eval (
-          runtime-environments.bar.nixos = {
+          { config, ... }:
-            module =
+          {
-              { ... }:
+            config = {
-              {
+              applications.hello =
-                system.stateVersion = "25.05";
+                { ... }:
                {
                  description = ''Command-line tool that will print "Hello, world!" on the terminal'';
                  module =
                    { ... }:
                    {
                      options = {
                        enable = lib.mkEnableOption "Hello in the shell";
                      };
                    };
                  implementation =
                    cfg:
                    lib.optionalAttrs cfg.enable {
                      dummy.login-shell.packages.hello = pkgs.hello;
                    };
                };
            };
            options = {
              example-configuration = mkOption {
                type = config.configuration;
                readOnly = true;
                default = {
                  enable = true;
                  applications.hello.enable = true;
                };
              };
-          };
+            };
-          applications.foo = {
+          }
-            module =
+        );
              { pkgs, ... }:
              {
                environment.systemPackages = [
                  pkgs.hello
                ];
              };
          };
        };
      in
      {
-        has-runtime = lib.isAttrs example.runtime-environments.bar.nixos.module;
+        inherit (fediversity)
-        has-application = lib.isAttrs example.applications.foo.module;
+          example-configuration
          ;
      };
    expected = {
-      has-runtime = true;
+      example-configuration = {
-      has-application = true;
+        enable = true;
        applications.hello.enable = true;
      };
    };
  };
 }
--- a/deployment/data-model.nix
+++ b/deployment/data-model.nix
@ -1,43 +1,89 @@
 {
  lib,
  config,
  ...
 }:
 let
-  inherit (lib) types mkOption;
+  inherit (lib) mkOption types;
  inherit (lib.types)
    attrsOf
    attrTag
    deferredModuleWith
    submodule
    optionType
    functionTo
    ;
  functionType = import ./function.nix;
  application-resources = {
    options.resources = mkOption {
      # TODO: maybe transpose, and group the resources by type instead
      type = attrsOf (
        attrTag (lib.mapAttrs (_name: resource: mkOption { type = resource.request; }) config.resources)
      );
    };
  };
 in
 with types;
 {
  _class = "nixops4Deployment";
  options = {
-    runtime-environments = mkOption {
+    applications = mkOption {
-      description = "Collection of runtime environments into which applications can be deployed";
+      description = "Collection of Fediversity applications";
-      type = attrsOf (attrTag {
+      type = attrsOf (
-        nixos = mkOption {
+        submodule (application: {
-          description = "A single NixOS machine";
+          _class = "fediversity-application";
-          type = submodule {
+          options = {
-            options = {
+            description = mkOption {
-              module = mkOption {
+              description = "Description to be shown in the application overview";
-                description = "The NixOS module describing the base configuration for that machine";
+              type = types.str;
-                type = deferredModule;
+            };
            module = mkOption {
              description = "Operator-facing configuration options for the application";
              type = deferredModuleWith { staticModules = [ { _class = "fediversity-application-config"; } ]; };
            };
            implementation = mkOption {
              description = "Mapping of application configuration to deployment resources, a description of what an application needs to run";
              type = application.config.config-mapping.function-type;
            };
            resources = mkOption {
              description = "Compute resources required by an application";
              type = functionTo application.config.config-mapping.output-type;
              readOnly = true;
              default = input: (application.config.implementation input).output;
            };
            config-mapping = mkOption {
              description = "Function type for the mapping from application configuration to required resources";
              type = submodule functionType;
              readOnly = true;
              default = {
                input-type = application.config.module;
                output-type = application-resources;
              };
            };
          };
-        };
+        })
-      });
+      );
    };
-    applications = mkOption {
+    configuration = mkOption {
-      description = "Collection of Fediversity applications";
+      description = "Configuration type declaring options to be set by operators";
-      type = attrsOf (submoduleWith {
+      type = optionType;
-        modules = [
+      readOnly = true;
-          {
+      default = submodule {
-            options = {
+        options = {
-              module = mkOption {
+          enable = lib.mkEnableOption {
-                description = "The NixOS module for that application, for configuring that application";
+            description = "your Fediversity configuration";
-                type = deferredModule;
+          };
-              };
+          applications = lib.mapAttrs (
-            };
+            _name: application:
-          }
+            mkOption {
-        ];
+              description = application.description;
-      });
+              type = submodule application.module;
              default = { };
            }
          ) config.applications;
        };
      };
    };
  };
 }
--- a/deployment/default.nix
+++ b/deployment/default.nix
@ -65,6 +65,8 @@ let
  cfg = config.deployment;
 in
 {
  _class = "nixops4Deployment";
  options = {
    deployment = lib.mkOption {
      description = ''
--- a/deployment/flake-part.nix
+++ b/deployment/flake-part.nix
@ -1,7 +1,26 @@
 { inputs, sources, ... }:
 {
-  imports = [
+  _class = "flake";
-    ./check/basic/flake-part.nix
+
-    ./check/cli/flake-part.nix
+  perSystem =
-    ./check/panel/flake-part.nix
+    { pkgs, ... }:
-  ];
+    {
      checks = {
        deployment-basic = import ./check/basic {
          inherit (pkgs.testers) runNixOSTest;
          inherit inputs sources;
        };
        deployment-cli = import ./check/cli {
          inherit (pkgs.testers) runNixOSTest;
          inherit inputs sources;
        };
        deployment-panel = import ./check/panel {
          inherit (pkgs.testers) runNixOSTest;
          inherit inputs sources;
        };
      };
    };
 }
--- a/deployment/function.nix
+++ b/deployment/function.nix
@ -0,0 +1,37 @@
 /**
  Modular function type
 */
 { config, lib, ... }:
 let
  inherit (lib) mkOption types;
  inherit (types)
    deferredModule
    submodule
    functionTo
    optionType
    ;
 in
 {
  options = {
    input-type = mkOption {
      type = deferredModule;
    };
    output-type = mkOption {
      type = deferredModule;
    };
    function-type = mkOption {
      type = optionType;
      readOnly = true;
      default = functionTo (submodule {
        options = {
          input = mkOption {
            type = submodule config.input-type;
          };
          output = mkOption {
            type = submodule config.output-type;
          };
        };
      });
    };
  };
 }
--- a/deployment/options.nix
+++ b/deployment/options.nix
@ -17,6 +17,8 @@ let
  inherit (lib) types mkOption;
 in
 {
  _class = "nixops4Deployment";
  options = {
    enable = lib.mkEnableOption "Fediversity configuration";
    domain = mkOption {
--- a/flake.lock
+++ b/flake.lock
@ -59,22 +59,6 @@
      }
    },
    "flake-compat_2": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1733328505,
@ -90,7 +74,7 @@
        "type": "github"
      }
    },
-    "flake-compat_4": {
+    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
@ -143,24 +127,6 @@
      }
    },
    "flake-parts_3": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib_3"
      },
      "locked": {
        "lastModified": 1738453229,
        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-parts_4": {
      "inputs": {
        "nixpkgs-lib": [
          "nixops4-nixos",
@ -201,32 +167,12 @@
        "type": "github"
      }
    },
-    "git-hooks": {
+    "git-hooks-nix": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1742649964,
        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "git-hooks-nix": {
      "inputs": {
        "flake-compat": "flake-compat_2",
        "gitignore": "gitignore_2",
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1737465171,
        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
@ -281,27 +227,6 @@
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
          "git-hooks",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1709087332,
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
        "type": "github"
      }
    },
    "gitignore_2": {
      "inputs": {
        "nixpkgs": [
          "nixops4-nixos",
@ -341,8 +266,8 @@
    },
    "nix": {
      "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
-        "flake-parts": "flake-parts_4",
+        "flake-parts": "flake-parts_3",
        "git-hooks-nix": "git-hooks-nix_2",
        "nixfmt": "nixfmt",
        "nixpkgs": [
@ -416,10 +341,10 @@
    },
    "nixops4": {
      "inputs": {
-        "flake-parts": "flake-parts_3",
+        "flake-parts": "flake-parts_2",
        "nix": "nix",
        "nix-cargo-integration": "nix-cargo-integration",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-old": "nixpkgs-old"
      },
      "locked": {
@ -438,7 +363,7 @@
    },
    "nixops4-nixos": {
      "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
        "git-hooks-nix": "git-hooks-nix",
        "nixops4": "nixops4",
        "nixops4-nixos": [
@ -520,18 +445,6 @@
        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
      }
    },
    "nixpkgs-lib_3": {
      "locked": {
        "lastModified": 1738452942,
        "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
        "type": "tarball",
        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
      }
    },
    "nixpkgs-old": {
      "locked": {
        "lastModified": 1735563628,
@ -565,22 +478,6 @@
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1730768919,
        "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1738410390,
        "narHash": "sha256-xvTo0Aw0+veek7hvEVLzErmJyQkEcRk6PSR4zsRQFEc=",
@ -621,7 +518,7 @@
    },
    "purescript-overlay": {
      "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_3",
        "nixpkgs": [
          "nixops4-nixos",
          "nixops4",
@ -664,8 +561,6 @@
    },
    "root": {
      "inputs": {
        "flake-parts": "flake-parts",
        "git-hooks": "git-hooks",
        "nixops4": [
          "nixops4-nixos",
          "nixops4"
--- a/flake.nix
+++ b/flake.nix
@ -1,94 +1,52 @@
 {
  inputs = {
    flake-parts.url = "github:hercules-ci/flake-parts";
    git-hooks.url = "github:cachix/git-hooks.nix";
    nixops4.follows = "nixops4-nixos/nixops4";
    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
  };
  outputs =
-    inputs@{ self, flake-parts, ... }:
+    inputs:
-    let
+    import ./mkFlake.nix inputs (
-      sources = import ./npins;
+      { inputs, sources, ... }:
      inherit (import sources.flake-inputs) import-flake;
      inherit (sources) git-hooks agenix;
      # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
      # XXX - this is just importing a flake
      nixpkgs = import-flake { src = sources.nixpkgs; };
      # XXX - this overrides the inputs attached to `self`
      inputs' = self.inputs // {
        nixpkgs = nixpkgs;
      };
      self' = self // {
        inputs = inputs';
      };
    in
    # XXX - finally we override the overall set of `inputs` -- we need both:
    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
    flake-parts.lib.mkFlake
      {
-        inputs = inputs // {
+        imports = [
-          inherit nixpkgs;
+          "${sources.git-hooks}/flake-module.nix"
-        };
+          inputs.nixops4.modules.flake.default
        self = self';
      }
      (
        { inputs, ... }:
        {
          systems = [
            "x86_64-linux"
            "aarch64-linux"
            "x86_64-darwin"
            "aarch64-darwin"
          ];
-          imports = [
+          ./deployment/flake-part.nix
-            (import "${git-hooks}/flake-module.nix")
+          ./infra/flake-part.nix
-            inputs.nixops4.modules.flake.default
+          ./keys/flake-part.nix
          ./secrets/flake-part.nix
          ./services/tests/flake-part.nix
        ];
-            ./deployment/flake-part.nix
+        perSystem =
-            ./infra/flake-part.nix
+          {
-          ];
+            pkgs,
-
+            lib,
-          perSystem =
+            system,
-            {
+            ...
-              pkgs,
+          }:
-              lib,
+          {
-              inputs',
+            checks = {
-              ...
+              panel = (import ./. { inherit sources system; }).tests.panel.basic;
            }:
            {
              formatter = pkgs.nixfmt-rfc-style;
              pre-commit.settings.hooks =
                let
                  ## Add a directory here if pre-commit hooks shouldn't apply to it.
                  optout = [ "npins" ];
                  excludes = map (dir: "^${dir}/") optout;
                  addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
                in
                addExcludes {
                  nixfmt-rfc-style.enable = true;
                  deadnix.enable = true;
                  trim-trailing-whitespace.enable = true;
                  shellcheck.enable = true;
                };
              devShells.default = pkgs.mkShell {
                packages = [
                  pkgs.npins
                  pkgs.nil
                  (pkgs.callPackage "${agenix}/pkgs/agenix.nix" { })
                  pkgs.openssh
                  pkgs.httpie
                  pkgs.jq
                  # exposing this env var as a hack to pass info in from form
                  (inputs'.nixops4.packages.default.overrideAttrs {
                    impureEnvVars = [ "DEPLOYMENT" ];
                  })
                ];
              };
            };
-        }
+            formatter = pkgs.nixfmt-rfc-style;
-      );
+
            pre-commit.settings.hooks =
              let
                ## Add a directory here if pre-commit hooks shouldn't apply to it.
                optout = [ "npins" ];
                excludes = map (dir: "^${dir}/") optout;
                addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; });
              in
              addExcludes {
                nixfmt-rfc-style.enable = true;
                deadnix.enable = true;
                trim-trailing-whitespace.enable = true;
                shellcheck.enable = true;
              };
          };
      }
    );
 }
--- a/infra/README.md
+++ b/infra/README.md
@ -1,14 +1,13 @@
 # Infra
-This directory contains the definition of [the VMs](machines.md) that host our
+This directory contains the definition of [the VMs](../machines/machines.md) that host our
 infrastructure.
 ## Provisioning VMs with an initial configuration
-NOTE[Niols]: This is very manual and clunky. Two things will happen. In the near
+> NOTE[Niols]: This is still very manual and clunky. Two things will happen:
-future, I will improve the provisioning script to make this a bit less clunky.
+> 1. In the near future, I will improve the provisioning script to make this a bit less clunky.
-In the far future, NixOps4 will be able to communicate with Proxmox directly and
+> 2. In the far future, NixOps4 will be able to communicate with Proxmox directly and everything will become much cleaner.
 everything will become much cleaner.
 1. Choose names for your VMs. It is recommended to choose `fediXXX`, with `XXX`
   above 100. For instance, `fedi117`.
@ -25,8 +24,7 @@ everything will become much cleaner.
   Those files need to exist during provisioning, but their content matters only
   when updating the machines' configuration.
-   FIXME: Remove this step by making the provisioning script not fail with the
+   > FIXME: Remove this step by making the provisioning script not fail with the public key does not exist yet.
   public key does not exist yet.
 3. Run the provisioning script:
   ```
@ -44,7 +42,7 @@ everything will become much cleaner.
   ssh fedi117.abundos.eu 'sudo cat /etc/ssh/ssh_host_ed25519_key.pub' > keys/systems/fedi117.pub
   ```
-   FIXME: Make the provisioning script do that for us.
+   > FIXME: Make the provisioning script do that for us.
 7. Regenerate the list of machines:
   ```
@ -56,7 +54,7 @@ everything will become much cleaner.
   just enough for it to boot and be reachable. Go on to the next section to
   update the machine and put an actual configuration.
-   FIXME: Figure out why the full configuration isn't on the machine at this
+   > FIXME: Figure out why the full configuration isn't on the machine at this
   point and fix it.
 ## Updating existing VM configurations
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@ -5,8 +5,9 @@ let
 in
 {
  _class = "nixos";
  imports = [
    ./hardware.nix
    ./networking.nix
    ./users.nix
  ];
@ -22,4 +23,9 @@ in
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };
 }
--- a/infra/common/nixos/hardware.nix
+++ b/infra/common/nixos/hardware.nix
@ -1,84 +0,0 @@
 { config, lib, ... }:
 let
  inherit (lib) mkIf mkMerge;
 in
 {
  config = mkMerge [
    {
      boot.loader = {
        systemd-boot.enable = true;
        efi.canTouchEfiVariables = true;
      };
    }
    (mkIf config.fediversityVm.isQemuVm {
      boot.initrd = {
        availableKernelModules = [
          "ata_piix"
          "uhci_hcd"
          "sd_mod"
          "sr_mod"
          # from `/profiles/qemu-guest.nix`
          "virtio_net"
          "virtio_pci"
          "virtio_mmio"
          "virtio_blk"
          "virtio_scsi"
          "9p"
          "9pnet_virtio"
        ];
        kernelModules = [
          "dm-snapshot"
          # from `/profiles/qemu-guest.nix`
          "virtio_balloon"
          "virtio_console"
          "virtio_rng"
          "virtio_gpu"
        ];
      };
      disko.devices.disk.main = {
        device = "/dev/sda";
        type = "disk";
        content = {
          type = "gpt";
          partitions = {
            MBR = {
              priority = 0;
              size = "1M";
              type = "EF02";
            };
            ESP = {
              priority = 1;
              size = "500M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
              };
            };
            root = {
              priority = 2;
              size = "100%";
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/";
              };
            };
          };
        };
      };
    })
  ];
 }
--- a/infra/common/nixos/networking.nix
+++ b/infra/common/nixos/networking.nix
@ -5,6 +5,8 @@ let
 in
 {
  _class = "nixos";
  config = {
    services.openssh = {
      enable = true;
@ -19,13 +21,8 @@ in
        ## REVIEW: Do we actually need that, considering that we have static IPs?
        useDHCP = mkDefault true;
-        nameservers = [
+        ## Disable the default firewall and use nftables instead, with a custom
-          "95.215.185.6"
+        ## Procolix-made ruleset.
          "95.215.185.7"
          "2a00:51c0::5fd7:b906"
          "2a00:51c0::5fd7:b907"
        ];
        firewall.enable = false;
        nftables = {
          enable = true;
@ -42,6 +39,10 @@ in
          address = config.fediversityVm.ipv4.gateway;
          interface = config.fediversityVm.ipv4.interface;
        };
        nameservers = [
          "95.215.185.6"
          "95.215.185.7"
        ];
      })
      ## IPv6
@ -53,6 +54,10 @@ in
          address = config.fediversityVm.ipv6.gateway;
          interface = config.fediversityVm.ipv6.interface;
        };
        nameservers = [
          "2a00:51c0::5fd7:b906"
          "2a00:51c0::5fd7:b907"
        ];
      })
    ];
  };
--- a/infra/common/nixos/users.nix
+++ b/infra/common/nixos/users.nix
@ -1,5 +1,13 @@
 {
  config,
  ...
 }:
 {
  _class = "nixos";
  users.users = {
    root.openssh.authorizedKeys.keys = config.users.users.procolix.openssh.authorizedKeys.keys;
    procolix = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
--- a/infra/common/options.nix
+++ b/infra/common/options.nix
@ -6,6 +6,8 @@ let
 in
 {
  # `config` not set and imported from multiple places: no fixed module class
  options.fediversityVm = {
    ##########################################################################
@ -175,13 +177,5 @@ in
        this for testing machines, as it is a security hole for so many reasons.
      '';
    };
    isQemuVm = mkOption {
      description = ''
        Whether the machine is a QEMU VM. This will import all the necessary
        things.
      '';
      default = true;
    };
  };
 }
--- a/infra/common/proxmox-qemu-vm.nix
+++ b/infra/common/proxmox-qemu-vm.nix
@ -0,0 +1,58 @@
 { sources, ... }:
 {
  _class = "nixos";
  imports = [
    "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
  ];
  boot = {
    initrd = {
      availableKernelModules = [
        "ata_piix"
        "uhci_hcd"
        "sd_mod"
        "sr_mod"
      ];
      kernelModules = [ "dm-snapshot" ];
    };
  };
  disko.devices.disk.main = {
    device = "/dev/sda";
    type = "disk";
    content = {
      type = "gpt";
      partitions = {
        MBR = {
          priority = 0;
          size = "1M";
          type = "EF02";
        };
        ESP = {
          priority = 1;
          size = "500M";
          type = "EF00";
          content = {
            type = "filesystem";
            format = "vfat";
            mountpoint = "/boot";
          };
        };
        root = {
          priority = 2;
          size = "100%";
          content = {
            type = "filesystem";
            format = "ext4";
            mountpoint = "/";
          };
        };
      };
    };
  };
 }
--- a/infra/common/resource.nix
+++ b/infra/common/resource.nix
@ -2,6 +2,9 @@
  inputs,
  lib,
  config,
  sources,
  keys,
  secrets,
  ...
 }:
@ -9,15 +12,11 @@ let
  inherit (lib) attrValues elem mkDefault;
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;
  sources = import ../../npins;
  inherit (sources) agenix disko;
  secretsPrefix = ../../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");
  keys = import ../../keys;
 in
 {
  _class = "nixops4Resource";
  imports = [ ./options.nix ];
  fediversityVm.hostPublicKey = mkDefault keys.systems.${config.fediversityVm.name};
@ -34,8 +33,8 @@ in
  ## should go into the `./nixos` subdirectory.
  nixos.module = {
    imports = [
-      "${agenix}/modules/age.nix"
+      "${sources.agenix}/modules/age.nix"
-      "${disko}/module.nix"
+      "${sources.disko}/module.nix"
      ./options.nix
      ./nixos
    ];
@ -44,21 +43,23 @@ in
    ## configuration.
    fediversityVm = config.fediversityVm;
-    ## Read all the secrets, filter the ones that are supposed to be readable
+    ## Read all the secrets, filter the ones that are supposed to be readable with
-    ## with this host's public key, and add them correctly to the configuration
+    ## public key, and create a mapping from `<name>.file` to the absolute path of
-    ## as `age.secrets.<name>.file`.
+    ## the secret's file.
    age.secrets = concatMapAttrs (
      name: secret:
-      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
+      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) {
-        ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
+        ${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
-      })
+      }
-    ) secrets;
+    ) secrets.mapping;
    ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
    ## supports users with password-less sudo.
    users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors ++ [
      # allow our panel vm access to the test machines
      keys.panel
      # allow continuous deployment access
      keys.cd
    ];
  };
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -1,6 +1,9 @@
 {
  inputs,
  lib,
  sources,
  keys,
  secrets,
  ...
 }:
@ -13,7 +16,6 @@ let
    filterAttrs
    ;
  inherit (lib.attrsets) genAttrs;
  sources = import ../../npins;
  ## Given a machine's name and whether it is a test VM, make a resource module,
  ## except for its missing provider. (Depending on the use of that resource, we
@ -22,7 +24,21 @@ let
    { vmName, isTestVm }:
    {
      # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally
-      _module.args = { inherit inputs; };
+      _module.args = {
        inherit
          inputs
          keys
          secrets
          ;
      };
      nixos.module.imports = [
        ./common/proxmox-qemu-vm.nix
      ];
      nixos.specialArgs = {
        inherit sources;
      };
      imports =
        [
@ -35,7 +51,7 @@ let
              {
                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
                  # allow our panel vm access to the test machines
-                  (import ../keys).panel
+                  keys.panel
                ];
              }
            ]
@ -53,17 +69,33 @@ let
    vmNames:
    { providers, ... }:
    {
-      providers.local = inputs.nixops4.modules.nixops4Provider.local;
+      # XXX: this type merge is for adding `specialArgs` to resource modules
-      resources = genAttrs vmNames (vmName: {
+      options.resources = mkOption {
-        type = providers.local.exec;
+        type =
-        imports = [
+          with lib.types;
-          inputs.nixops4-nixos.modules.nixops4Resource.nixos
+          lazyAttrsOf (submoduleWith {
-          (makeResourceModule {
+            class = "nixops4Resource";
-            inherit vmName;
+            modules = [ ];
-            isTestVm = false;
+            # TODO(@fricklerhandwerk): we may want to pass through all of `specialArgs`
-          })
+            # once we're sure it's sane. leaving it here for better control during refactoring.
-        ];
+            specialArgs = {
-      });
+              inherit sources;
            };
          });
      };
      config = {
        providers.local = inputs.nixops4.modules.nixops4Provider.local;
        resources = genAttrs vmNames (vmName: {
          type = providers.local.exec;
          imports = [
            inputs.nixops4-nixos.modules.nixops4Resource.nixos
            (makeResourceModule {
              inherit vmName;
              isTestVm = false;
            })
          ];
        });
      };
    };
  makeDeployment' = vmName: makeDeployment [ vmName ];
@ -155,9 +187,7 @@ let
 in
 {
-  # NOTE: `forgejo-ci`, being a physical machine and not a Proxmox VM, gets
+  _class = "flake";
  # custom treatment.
  imports = [ ./forgejo-ci/flake-part.nix ];
  ## - Each normal or test machine gets a NixOS configuration.
  ## - Each normal or test machine gets a VM options entry.
--- a/infra/forgejo-ci/configuration.nix
+++ b/infra/forgejo-ci/configuration.nix
@ -1,76 +0,0 @@
 { config, lib, ... }:
 let
  inherit (lib) mkDefault mkForce;
 in
 {
  imports = [
    ../common/options.nix
    ../common/nixos
    ./forgejo-actions-runner.nix
  ];
  fediversityVm = {
    name = "forgejo-ci";
    domain = "procolix.com";
    ipv4 = {
      interface = "enp1s0f0";
      address = "192.168.201.65";
      prefixLength = 24;
      gateway = "192.168.201.1";
    };
    ipv6.enable = false;
    # Most Procolix machines are QEMU VMs so the options are tailored to them by
    # default. `forgejo-ci` is not, so we need to explicitly disable them.
    isQemuVm = false;
  };
  networking = {
    nftables.enable = mkForce false;
    hostId = "1d6ea552";
  };
  hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
  boot = {
    ## In an initial version, we used `mkForce` to remove QEMU VM-specific
    ## kernel modules. This is a terrible idea as it will also remove other
    ## kernel modules, for instance the ones added for ZFS.
    initrd = {
      availableKernelModules = [
        "ahci"
        "xhci_pci"
        "ehci_pci"
        "nvme"
        "megaraid_sas"
        "usbhid"
        "usb_storage"
        "sd_mod"
      ];
      kernelModules = [ ];
    };
    kernelModules = [ "kvm-intel" ];
  };
  fileSystems."/" = {
    device = "rpool/root";
    fsType = "zfs";
  };
  fileSystems."/home" = {
    device = "rpool/home";
    fsType = "zfs";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/50B2-DD3F";
    fsType = "vfat";
    options = [
      "fmask=0077"
      "dmask=0077"
    ];
  };
 }
--- a/infra/forgejo-ci/flake-part.nix
+++ b/infra/forgejo-ci/flake-part.nix
@ -1,55 +0,0 @@
 { lib, inputs, ... }:
 ## NOTE: Hackish solution mostly taken from `../common/resource.nix`.
 ## Eventually, `forgejo-ci` should move to a datacentre somewhere and this code
 ## should be integrated with the code for other machines (in particular VMs).
 let
  inherit (lib) attrValues elem;
  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
  inherit (lib.strings) removeSuffix;
  secretsPrefix = ../../secrets;
  secrets = import (secretsPrefix + "/secrets.nix");
  keys = import ../../keys;
  hostPublicKey = keys.systems.forgejo-ci;
  sources = import ../../npins;
 in
 {
  nixops4Deployments.forgejo-ci =
    { providers, ... }:
    {
      providers.local = inputs.nixops4.modules.nixops4Provider.local;
      resources.forgejo-ci = {
        type = providers.local.exec;
        imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
        ssh = {
          host = "192.168.201.65";
          opts = "-i ~/.ssh/procolix-id_rsa";
          hostPublicKey = hostPublicKey;
        };
        nixpkgs = inputs.nixpkgs;
        nixos.module = {
          imports = with sources; [
            "${agenix}/modules/age.nix"
            "${disko}/module.nix"
            ./configuration.nix
          ];
          age.secrets = concatMapAttrs (
            name: secret:
            optionalAttrs (elem hostPublicKey secret.publicKeys) ({
              ${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
            })
          ) secrets;
          users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
        };
      };
    };
 }
--- a/infra/makeInstallerIso.nix
+++ b/infra/makeInstallerIso.nix
@ -15,7 +15,6 @@ let
  installer =
    {
      config,
      pkgs,
      lib,
      ...
--- a/keys/cd-ssh-key.pub
+++ b/keys/cd-ssh-key.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlsYTtMx3hFO8B5B8iHaXL2JKj9izHeC+/AMhIWXBPs cd-age
--- a/keys/contributors/procolix
+++ b/keys/contributors/procolix
@ -1 +0,0 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2
--- a/keys/default.nix
+++ b/keys/default.nix
@ -35,4 +35,5 @@ in
  contributors = collectKeys ./contributors;
  systems = collectKeys ./systems;
  panel = removeTrailingWhitespace (readFile ./panel-ssh-key.pub);
  cd = removeTrailingWhitespace (readFile ./cd-ssh-key.pub);
 }
--- a/keys/flake-part.nix
+++ b/keys/flake-part.nix
@ -0,0 +1,5 @@
 {
  _class = "flake";
  _module.args.keys = import ./.;
 }
--- a/machines/dev/fedi200/default.nix
+++ b/machines/dev/fedi200/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 200;
    proxmox = "fediversity";
@ -14,4 +16,10 @@
      gateway = "2a00:51c0:13:1305::1";
    };
  };
  nixos.module = {
    imports = [
      ../../../infra/common/proxmox-qemu-vm.nix
    ];
  };
 }
--- a/machines/dev/fedi201/default.nix
+++ b/machines/dev/fedi201/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 201;
    proxmox = "fediversity";
@ -17,6 +19,7 @@
  nixos.module = {
    imports = [
      ../../../infra/common/proxmox-qemu-vm.nix
      ./fedipanel.nix
    ];
  };
--- a/machines/dev/fedi201/fedipanel.nix
+++ b/machines/dev/fedi201/fedipanel.nix
@ -1,15 +1,17 @@
 {
  config,
  sources,
  ...
 }:
 let
  name = "panel";
  sources = import ../../../npins;
 in
 {
  _class = "nixos";
  imports = [
    (import ../../../panel { }).module
-    (import "${sources.home-manager}/nixos")
+    "${sources.home-manager}/nixos"
  ];
  security.acme = {
--- a/machines/dev/forgejo-ci/default.nix
+++ b/machines/dev/forgejo-ci/default.nix
@ -0,0 +1,70 @@
 { lib, ... }:
 let
  inherit (lib) mkDefault mkForce;
 in
 {
  _class = "nixops4Resource";
  # NOTE: This needs an SSH config entry `forgejo-ci` to locate and access the
  # machine. This is because different people access the machine in different
  # way (eg. via a proxy vs. via Procolix's VPN). This might look like:
  #
  #     Host forgejo-ci
  #          HostName 45.142.234.216
  #          HostKeyAlias forgejo-ci
  #
  # The `HostKeyAlias` statement is crucial. Without it, deployment will fail
  # with the SSH error “Host key verification failed”.
  ssh.host = mkForce "forgejo-ci";
  fediversityVm = {
    domain = "procolix.com";
    ipv4 = {
      interface = "enp1s0f0";
      address = "192.168.201.65";
      prefixLength = 24;
      gateway = "192.168.201.1";
    };
    ipv6.enable = false;
  };
  nixos.module =
    { config, ... }:
    {
      _class = "nixos";
      imports = [
        ./forgejo-actions-runner.nix
      ];
      hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
      networking = {
        nftables.enable = mkForce false;
        hostId = "1d6ea552";
      };
      ## NOTE: This is a physical machine, so is not covered by disko
      fileSystems."/" = lib.mkForce {
        device = "rpool/root";
        fsType = "zfs";
      };
      fileSystems."/home" = {
        device = "rpool/home";
        fsType = "zfs";
      };
      fileSystems."/boot" = lib.mkForce {
        device = "/dev/disk/by-uuid/50B2-DD3F";
        fsType = "vfat";
        options = [
          "fmask=0077"
          "dmask=0077"
        ];
      };
    };
 }
--- a/machines/dev/forgejo-ci/forgejo-actions-runner.nix
+++ b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
@ -1,6 +1,8 @@
 { pkgs, config, ... }:
 {
  _class = "nixos";
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
@ -15,6 +17,7 @@
        log.level = "info";
        runner = {
          file = ".runner";
          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
          capacity = 1;
          timeout = "3h";
          insecure = false;
--- a/machines/dev/vm02116/default.nix
+++ b/machines/dev/vm02116/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 2116;
    proxmox = "procolix";
@ -12,6 +14,7 @@
    { lib, ... }:
    {
      imports = [
        ../../../infra/common/proxmox-qemu-vm.nix
        ./forgejo.nix
      ];
--- a/machines/dev/vm02116/forgejo.nix
+++ b/machines/dev/vm02116/forgejo.nix
@ -5,6 +5,8 @@ let
 in
 {
  _class = "nixos";
  services.forgejo = {
    enable = true;
--- a/machines/dev/vm02187/default.nix
+++ b/machines/dev/vm02187/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 2187;
    proxmox = "procolix";
@ -12,6 +14,7 @@
    { lib, ... }:
    {
      imports = [
        ../../../infra/common/proxmox-qemu-vm.nix
        ./wiki.nix
      ];
--- a/machines/dev/vm02187/wiki.nix
+++ b/machines/dev/vm02187/wiki.nix
@ -1,6 +1,8 @@
 { config, ... }:
 {
  _class = "nixos";
  services.phpfpm.pools.mediawiki.phpOptions = ''
    upload_max_filesize = 1024M;
    post_max_size = 1024M;
--- a/machines/operator/test01/default.nix
+++ b/machines/operator/test01/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 7001;
    proxmox = "fediversity";
--- a/machines/operator/test02/default.nix
+++ b/machines/operator/test02/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 7002;
    proxmox = "fediversity";
--- a/machines/operator/test03/default.nix
+++ b/machines/operator/test03/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 7003;
    proxmox = "fediversity";
--- a/machines/operator/test04/default.nix
+++ b/machines/operator/test04/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 7004;
    proxmox = "fediversity";
--- a/machines/operator/test05/default.nix
+++ b/machines/operator/test05/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 7005;
    proxmox = "fediversity";
--- a/machines/operator/test06/default.nix
+++ b/machines/operator/test06/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 7006;
    proxmox = "fediversity";
--- a/machines/operator/test11/default.nix
+++ b/machines/operator/test11/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 7011;
    proxmox = "fediversity";
--- a/machines/operator/test12/default.nix
+++ b/machines/operator/test12/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 7012;
    proxmox = "fediversity";
--- a/machines/operator/test13/default.nix
+++ b/machines/operator/test13/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 7013;
    proxmox = "fediversity";
--- a/machines/operator/test14/default.nix
+++ b/machines/operator/test14/default.nix
@ -1,4 +1,6 @@
 {
  _class = "nixops4Resource";
  fediversityVm = {
    vmId = 7014;
    proxmox = "fediversity";
--- a/mkFlake.nix
+++ b/mkFlake.nix
@ -0,0 +1,54 @@
 ## This file contains a tweak of flake-parts's `mkFlake` function to splice in
 ## sources taken from npins.
 ## NOTE: Much of the logic in this file feels like it should be not super
 ## specific to fediversity. Could it make sense to extract the core of this to
 ## another place it feels closer to in spirit, such as @fricklerhandwerk's
 ## flake-inputs (which this code already depends on anyway, and which already
 ## contained two distinct helpers for migrating away from flakes)? cf
 ## https://git.fediversity.eu/Fediversity/Fediversity/pulls/447#issuecomment-8671
 inputs@{ self, ... }:
 let
  sources = import ./npins;
  inherit (import sources.flake-inputs) import-flake;
  # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
  # XXX - this is just importing a flake
  nixpkgs = import-flake { src = sources.nixpkgs; };
  # XXX - this overrides the inputs attached to `self`
  inputs' = self.inputs // {
    nixpkgs = nixpkgs;
  };
  self' = self // {
    inputs = inputs';
  };
  flake-parts-lib = import "${sources.flake-parts}/lib.nix" { inherit (nixpkgs) lib; };
 in
 flakeModule:
 flake-parts-lib.mkFlake
  {
    # XXX - finally we override the overall set of `inputs` -- we need both:
    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
    inputs = inputs // {
      inherit nixpkgs;
    };
    self = self';
    specialArgs = {
      inherit sources;
    };
  }
  {
    systems = [
      "x86_64-linux"
      "aarch64-linux"
      "x86_64-darwin"
      "aarch64-darwin"
    ];
    imports = [ flakeModule ];
  }
--- a/panel/default.nix
+++ b/panel/default.nix
@ -22,12 +22,12 @@ in
      manage
      # NixOps4 and its dependencies
-      # FIXME: grab NixOps4 and add it here
+      pkgs.nixops4
      pkgs.nix
      pkgs.openssh
    ];
    env = {
-      DEPLOYMENT_FLAKE = ../.;
+      DEPLOYMENT_FLAKE = toString ../.;
      DEPLOYMENT_NAME = "test";
      NPINS_DIRECTORY = toString ../npins;
      CREDENTIALS_DIRECTORY = toString ./.credentials;
@ -45,7 +45,7 @@ in
    '';
  };
-  module = import ./nix/configuration.nix;
+  module = ./nix/configuration.nix;
  tests = pkgs.callPackage ./nix/tests.nix { };
  # re-export inputs so they can be overridden granularly
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@ -2,7 +2,6 @@
  config,
  pkgs,
  lib,
  inputs,
  ...
 }:
 let
@ -77,6 +76,8 @@ in
 #       https://git.dgnum.eu/mdebray/djangonix/
 #       unlicensed at the time of writing, but surely worth taking some inspiration from...
 {
  _class = "nixos";
  options.services.${name} = {
    enable = mkEnableOption "Service configuration for `${name}`";
    production = mkOption {
@ -146,19 +147,7 @@ in
        NixOps4 from the package's npins-based code, we will have to do with
        this workaround.
      '';
-      default =
+      default = pkgs.nixops4;
        let
          sources = import ../../npins;
          inherit (import sources.flake-inputs) import-flake load-flake;
          inherit
            (import-flake {
              src = ../../.;
            })
            inputs
            ;
          inherit (inputs) nixops4;
        in
        (load-flake nixops4).packages.${pkgs.system}.default;
    };
    deployment = {
@ -213,11 +202,8 @@ in
      };
    };
-    users.users.${name} = {
+    # needed to place a config file with home-manager
-      # TODO[Niols]: change to system user or document why we specifically
+    users.users.${name}.isNormalUser = true;
      # need a normal user.
      isNormalUser = true;
    };
    users.groups.${name} = { };
    systemd.services.${name} = {
--- a/panel/nix/overlay.nix
+++ b/panel/nix/overlay.nix
@ -8,4 +8,17 @@ let
 in
 {
  python3 = prev.lib.attrsets.recursiveUpdate prev.python3 { pkgs = extraPython3Packages; };
  nixops4 =
    let
      sources = import ../../npins;
      inherit (import sources.flake-inputs) import-flake;
      inherit
        (import-flake {
          src = ../../.;
        })
        inputs
        ;
      inherit (inputs) nixops4;
    in
    nixops4.packages.${prev.system}.default;
 }
--- a/panel/nix/package.nix
+++ b/panel/nix/package.nix
@ -60,6 +60,8 @@ let
    ];
 in
 python3.pkgs.buildPythonPackage {
  _class = "package";
  pname = name;
  inherit (pyproject.project) version;
  pyproject = true;
--- a/panel/nix/python-packages/django-pydantic-field/default.nix
+++ b/panel/nix/python-packages/django-pydantic-field/default.nix
@ -8,6 +8,8 @@
 }:
 buildPythonPackage rec {
  _class = "package";
  pname = "django-pydantic-field";
  version = "v0.3.12";
  pyproject = true;
--- a/panel/nix/python-packages/drf-pydantic/default.nix
+++ b/panel/nix/python-packages/drf-pydantic/default.nix
@ -10,6 +10,8 @@
 }:
 buildPythonPackage rec {
  _class = "package";
  pname = "drf-pydantic";
  version = "v2.7.1";
  pyproject = true;
--- a/panel/nix/tests.nix
+++ b/panel/nix/tests.nix
@ -13,7 +13,6 @@ let
      secrets = {
        SECRET_KEY = pkgs.writeText "SECRET_KEY" "secret";
      };
      nixops4Package = pkgs.hello; # FIXME: actually pass NixOps4
    };
    virtualisation = {
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -0,0 +1,4 @@
 {
  mapping = import ./secrets.nix;
  rootPath = ./.;
 }
--- a/secrets/flake-part.nix
+++ b/secrets/flake-part.nix
@ -0,0 +1,5 @@
 {
  _class = "flake";
  _module.args.secrets = import ./.;
 }
--- a/secrets/forgejo-database-password.age
+++ b/secrets/forgejo-database-password.age
--- a/secrets/forgejo-email-password.age
+++ b/secrets/forgejo-email-password.age
--- a/secrets/forgejo-runner-token.age
+++ b/secrets/forgejo-runner-token.age
@ -1,25 +1,19 @@
 age-encryption.org/v1
-> ssh-ed25519 Jpc21A 5YVZwmmsBW1XCtm6gEVErkkNdLxoYtR/i7I4T79WQQI
+-> ssh-ed25519 Jpc21A gkSA9BJIPUm4iQdvK8OzozIPomCha7BObc7PBpwSBhc
-v8JQJN1I3BDP+8XhezeVAVl/Cc6jvKPYlwiT3+O5x3w
+QsxIoX8KXbTQPwHcANNotxje8eI51h4NmnMpcOBW2Rk
-> ssh-ed25519 BAs8QA K9vO+kokOiKg5XHvTbIdSeC+WPTLHP/r5TQ2ySs3AHY
+-> ssh-ed25519 BAs8QA 909RuMasqJSYIDWxUf282xkp6vIrmouv/UbGFLw2WXw
-gSXsyZraT3pPxSURXohpkR44ZuUHP2aXfmfMNqbZnZA
+a7gid67fIVfuRfLsKJPb9f0oH0ZsZsfahJqD22z5Aco
-> ssh-ed25519 ofQnlg S+31bIhRpPG2ijrYd6RVDtPLoiH7FtREh+7upM1B6mU
+-> ssh-ed25519 ofQnlg Lx2N7tSXh6eOwcXWDiU27W4D2NEH6xj3W0t72hkNBG8
-7YILiVq3nZ5+XMmXi5KhsnzQRZdI2Fum21/v7tfGBhM
+O4/RVwxUSgXgLEMBpmaJ3H49qXulSB5EebpHakcN1rA
-> ssh-ed25519 COspvA kIiX95UPzbeOHBeLXPfahesfFpU2zlg0pAhsxJd1pWc
+-> ssh-ed25519 COspvA zQ855/8dQm+r2/GnoEFwy7ls3UDaVVaL988Rnsgs5Fs
-aIZp2xv+JpKMj0mSVy3kU98Pvu3IPns+Yvz4aq0yhFA
+gl/sC2jLUCDQfsIOy6G67XObfW/io/JwCKBaqTgpzXk
-> ssh-ed25519 2XrTgw joBq+DOUf944z/RpN3554eAb5EItlQbpEdpYMPtlVC0
+-> ssh-ed25519 2XrTgw ic13iHGBiNgco5PemRhzKNGdVILW0d6DpW1f/SvizSg
-qyUb1c0g9OlAOkTTj+oMpn8I3oI4D4czhdnJ4oA3d80
+D72w8Dgott/agkWJrybDbxBKJ3NKi7Xz2N6YO0nrTa8
-> ssh-ed25519 awJeHA +bt39LTdJLhq4NG4T2wAS5PDSgYAYyNIpYgRO5lhvFk
+-> ssh-ed25519 awJeHA 143iH2pm6z9AF8fqdRbcw3c5+crLkk3HH0+wEZelu0A
-LbJOrKxtnOuMHRxQTtTYGJSnwuNCooFOawJU/xhnquw
+j6gK7R7AnI8JzWy7+3Wm00vmaU9/Th2BtNWs90q2r0k
-> ssh-rsa pO5rrg
+-> ssh-ed25519 8FIE3Q jL6tkwWOvL82zFr+kmyX3WNlFMOLsJav4Rpy7A66Hx4
-cbw33rxD0P5OyfBjH1PwqSdN6DmhKyDZ8+JbJjs6hqblx1M2DX754POfMmOkQNBX
+gE8+tgytH+y8HTKbeBsQeKKnqfmvl5O38diRsjipTDc
-hbCFc2jtLAU598rFwWBewfO4X4C/mT7JDHHN3WK1T8rq35QBN35rfIdNqjYQttt2
+-> ssh-ed25519 i+ecmQ AukyGGsUOnTj/h7sxxrldeskrMC2Wn4UL+E+HBIs9R0
-mZ1KDtBKg3+FRkc7F9VL1SwsYkhnW1dz1esb6J1bnAxXHFQEwAX3F30O7to4c7my
+S2EwHq05mSOqTAih7nkj31NU9GitxMdSm+/BlLOQsis
-5t5bjJHPDuMZvNCWy8H5eA/AIuXZ5/OOA5z5lpWhtp+hNyVjWukrYr/PacdA5n9n
+--- jW2fMlcUYlscw0dAkR5T+yfilTWOiODJmuqzFypcjUU
-gAm8z6fsEhdGkM9AK+P29lYFvWOnkzOtQ6bzSEHCSvxZcZ922n+grLmuUtMvMPo7
+õ˜›µ 0Ïfø‰œ]Á€âXøè:HœPZðGk<47>ÜþÊÕxmÿÀ©K‚P$z<>ŒŸð¯ÃRCš5Üå˜FH\A 2Z&ì—Óð±¯lü`p
 bozXzZfCG7//SgxKdbE5TQ
 -> ssh-ed25519 8FIE3Q COBr0dcOY+LseUEl8pe2CzGVHZ1+h21s/qlGwoSwIRU
 Ea1XvW4QAXnd4L1t4TiAwb3m2wbLvcEcB8UowilQTVs
 --- X2cdDTgAGKfqFu1oaaDJWCWzNBw0q/BTy9rIIxuryTg
 5Ïo—›Õ²s<C2B2> W	éœs,âEÎ=§kÂ-ˆ	:œ»)Jq_¿)®™¶4ŽQ@Í6ôý<C3B4>øÂz)e´Ðµ.¹RYQo8ö:*8•
--- a/secrets/panel-secret-key.age
+++ b/secrets/panel-secret-key.age
--- a/secrets/panel-ssh-key.age
+++ b/secrets/panel-ssh-key.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -7,11 +7,12 @@ let
  keys = import ../keys;
  contributors = attrValues keys.contributors;
  cd = [ keys.cd ];
 in
 concatMapAttrs
  (name: systems: {
-    "${name}.age".publicKeys = contributors ++ systems;
+    "${name}.age".publicKeys = contributors ++ systems ++ cd;
  })
  (
--- a/secrets/wiki-basicauth-htpasswd.age
+++ b/secrets/wiki-basicauth-htpasswd.age
--- a/secrets/wiki-password.age
+++ b/secrets/wiki-password.age
--- a/secrets/wiki-smtp-password.age
+++ b/secrets/wiki-smtp-password.age
--- a/services/README.md
+++ b/services/README.md
@ -21,11 +21,11 @@ For those that know it, we could say that the current module is an analogous of
 ## Content of this directory
- [fediversity][./fediversity] contains the definition of the services. Look in
+- [fediversity](./fediversity) contains the definition of the services. Look in
  particular at its `default.nix` that contains the definition of the options.
- [vm][./vm] contains options specific to making the service run in local QEMU
+- [vm](./vm) contains options specific to making the service run in local QEMU
  VMs. These modules will for instance override the defaults to disable SSL, and
  they will add virtualisation options to forward ports, for instance.
- [tests][./tests] contain full NixOS tests of the services.
+- [tests](./tests) contain full NixOS tests of the services.
--- a/services/default.nix
+++ b/services/default.nix
@ -1,13 +0,0 @@
 {
  system ? builtins.currentSystem,
  sources ? import ../npins,
  pkgs ? import sources.nixpkgs { inherit system; },
  ...
 }:
 {
  tests = {
    mastodon = pkgs.nixosTest ./tests/mastodon.nix;
    pixelfed-garage = pkgs.nixosTest ./tests/pixelfed-garage.nix;
    peertube = pkgs.nixosTest ./tests/peertube.nix;
  };
 }
--- a/services/fediversity/default.nix
+++ b/services/fediversity/default.nix
@ -6,6 +6,8 @@ let
 in
 {
  _class = "nixos";
  imports = [
    ./garage
    ./mastodon
@ -47,7 +49,7 @@ in
              displayName = mkOption {
                type = types.str;
                description = "Name of the initial user, for humans";
-                default = config.fediversity.temp.initialUser.name;
+                default = config.fediversity.temp.initialUser.username;
              };
              email = mkOption {
                type = types.str;
@ -63,4 +65,16 @@ in
      };
    };
  };
  config = {
    ## FIXME: This should clearly go somewhere else; and we should have a
    ## `staging` vs. `production` setting somewhere.
    security.acme = {
      acceptTerms = true;
      # use a priority more urgent than mkDefault for panel deployment to work,
      # yet looser than default so this will not clash with the setting in tests.
      defaults.email = lib.modules.mkOverride 200 "something@fediversity.net";
      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };
  };
 }
--- a/services/fediversity/garage/default.nix
+++ b/services/fediversity/garage/default.nix
@ -97,6 +97,8 @@ let
 in
 {
  _class = "nixos";
  imports = [ ./options.nix ];
  config = mkIf config.fediversity.garage.enable {
--- a/services/fediversity/garage/options.nix
+++ b/services/fediversity/garage/options.nix
@ -5,6 +5,8 @@ let
 in
 {
  _class = "nixos";
  options.fediversity.garage = {
    enable = mkEnableOption "Enable a Garage server on the machine";
--- a/services/fediversity/mastodon/default.nix
+++ b/services/fediversity/mastodon/default.nix
@ -11,6 +11,8 @@ let
 in
 {
  _class = "nixos";
  imports = [ ./options.nix ];
  config = mkMerge [
--- a/services/fediversity/mastodon/options.nix
+++ b/services/fediversity/mastodon/options.nix
@ -1,6 +1,8 @@
 { config, lib, ... }:
 {
  _class = "nixos";
  options.fediversity.mastodon =
    (import ../sharedOptions.nix {
      inherit config lib;
--- a/services/fediversity/peertube/default.nix
+++ b/services/fediversity/peertube/default.nix
@ -5,6 +5,8 @@ let
 in
 {
  _class = "nixos";
  imports = [ ./options.nix ];
  config = mkMerge [
--- a/services/fediversity/peertube/options.nix
+++ b/services/fediversity/peertube/options.nix
@ -6,6 +6,8 @@ let
 in
 {
  _class = "nixos";
  options.fediversity.peertube =
    (import ../sharedOptions.nix {
      inherit config lib;
--- a/services/fediversity/pixelfed/default.nix
+++ b/services/fediversity/pixelfed/default.nix
@ -15,6 +15,8 @@ let
 in
 {
  _class = "nixos";
  imports = [ ./options.nix ];
  config = mkMerge [
--- a/services/fediversity/pixelfed/options.nix
+++ b/services/fediversity/pixelfed/options.nix
@ -1,6 +1,8 @@
 { config, lib, ... }:
 {
  _class = "nixos";
  options.fediversity.pixelfed =
    (import ../sharedOptions.nix {
      inherit config lib;
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Kiara Grouwstra	e5710979ba	fix typo	2025-07-17 19:00:41 +02:00
Kiara Grouwstra	6cf1d87f0b	get parity in authorized keys between procolix and root for nixops4 ssh to non-VMs (#474 ) Reviewed-on: Fediversity/Fediversity#474 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-17 18:59:31 +02:00
Kiara Grouwstra	8253288f8a	remove pixelfed from CI until fixed (#472 ) this test is still borked as per #33. the intent would be to get this test on a feature branch pertaining to that issue - the point being we should be able to rely on CI's boolean result for detecting (newly induced) regressions. Reviewed-on: Fediversity/Fediversity#472 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-17 15:25:17 +02:00
Kiara Grouwstra	67f50f08de	enable continuous deployment (#471 ) closes #177 Reviewed-on: Fediversity/Fediversity#471 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-17 10:01:51 +02:00
Kiara Grouwstra	5402178e7b	reinstate import statement for panel module, fixes error deploying fedi201 (#468 ) resolves error on CI run https://git.fediversity.eu/Fediversity/Fediversity/actions/runs/1026: ``` 123456 error: attempt to call something which is not a function but a path: /nix/store/93yyf22vw60l1j3l6h02c99p93lp55q5-source/panel at /nix/store/93yyf22vw60l1j3l6h02c99p93lp55q5-source/machines/dev/fedi201/fedipanel.nix:13:6: 12\| imports = [ 13\| (../../../panel { }).module \| ^ 14\| "${sources.home-manager}/nixos"``` ``` Reviewed-on: Fediversity/Fediversity#468	2025-07-16 20:51:23 +02:00
Kiara Grouwstra	e627815399	pass `SHELL` env var in CD (#466 ) see #177 Reviewed-on: Fediversity/Fediversity#466	2025-07-16 18:18:16 +02:00
Kiara Grouwstra	354dba260a	verbose CD (#465 ) debugging effort part of #177 Reviewed-on: Fediversity/Fediversity#465	2025-07-16 14:14:06 +02:00
Valentin Gagarin	b791bd515d	pass `sources` via `specialArgs` (#464 ) this gets rid of ugly in-place imports and upward paths Reviewed-on: Fediversity/Fediversity#464 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-committed-by: Valentin Gagarin <valentin.gagarin@tweag.io>	2025-07-16 10:53:36 +02:00
Kiara Grouwstra	f2017aaeb4	CD: lump SSH commands into a single shell invocation (#462 ) Reviewed-on: Fediversity/Fediversity#462 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-15 13:00:47 +02:00
Kiara Grouwstra	980a994f83	run ssh commands thru the shell (which has openssh) (#461 ) Reviewed-on: Fediversity/Fediversity#461 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-15 12:26:16 +02:00
Kiara Grouwstra	b9b13df04e	allow SSH access from continuous deployment (#460 ) Reviewed-on: Fediversity/Fediversity#460 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-15 11:56:22 +02:00
Kiara Grouwstra	159e4107b8	fix Pixelfed test eval failure (#458 ) Reviewed-on: Fediversity/Fediversity#458 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-15 10:38:10 +02:00
fricklerhandwerk	86305a6a2e	fix link; readability	2025-07-15 09:04:56 +02:00
Valentin Gagarin	e62f14d9be	expose panel tests in flake	2025-07-15 08:54:48 +02:00
Kiara Grouwstra	82f83eea0d	fix mastodon test (#457 ) closes #34. Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Reviewed-on: Fediversity/Fediversity#457 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-15 08:54:20 +02:00
Kiara Grouwstra	aef414ffe8	resolve regressions from recent qemu files (#432 ) - move import to match module classes - manually import sources to resolve infinite recursion closes #431. Reviewed-on: Fediversity/Fediversity#432 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-11 16:09:27 +02:00
Kiara Grouwstra	6d74112518	ditch `sources` arg in fedi201, fixing infinite recursion error (#454 ) c.f. #432. closes #453. Reviewed-on: Fediversity/Fediversity#454 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-11 16:06:15 +02:00
Kiara Grouwstra	2b2fb059fd	fix cd command (#455 ) Reviewed-on: Fediversity/Fediversity#455 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-11 11:07:03 +02:00
Kiara Grouwstra	66ceb66382	add deployment pipeline (#452 ) part of #177 Reviewed-on: Fediversity/Fediversity#452 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-10 16:45:46 +02:00
fricklerhandwerk	ad9c61a3db	docs: fix typos	2025-07-10 00:37:27 +02:00
Nicolas “Niols” Jeannerod	b4e1c5b5b3	Restrict fileset necessary for deployment tests (#450 ) Now that we won't depend on the flake.nix anymore, we won't depend on all the flake-part.nix files (necessary to evaluate flake.nix) and all the files they depend on etc., so the Nix dependencies of the tests will be drastically reduced, and I will be able to leverage that by introducing a more subtle src. This will make the test not need to re-run if only things outside that reduced src changed (and the previous run is in the Nix store). Reviewed-on: Fediversity/Fediversity#450 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 22:57:52 +02:00
Nicolas “Niols” Jeannerod	de38611572	Unflakify deployment tests (#449 ) This PR builds on top of #447 and #448. Since these might be rejected, there will be some changes needed for this PR as well. Let's see how the discussions go in #447. In the meantime, @fricklerhandwerk, would you mind (in)validating the core idea of this PR? You only need to look at `7cf43c4041`, really. Reviewed-on: Fediversity/Fediversity#449 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 15:07:02 +02:00
Nicolas “Niols” Jeannerod	1d40dcfc0e	Grab `git-hooks` from npins (#448 ) This PR builds on top of #447 and will be subject to the same discussion. Let's discuss there whether it makes sense to get rid of the `flake-parts` and `git-hooks` flake inputs. Reviewed-on: Fediversity/Fediversity#448 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 13:21:48 +02:00
Nicolas “Niols” Jeannerod	c3bf158130	Note on extracting `mkFlake` to an external library (#451 ) follow-up on Fediversity/Fediversity#447 (comment) Reviewed-on: Fediversity/Fediversity#451 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 12:34:43 +02:00
Nicolas “Niols” Jeannerod	48c6a1f22b	Extract `mkFlake` to own file - get `flake-parts` from npins (#447 ) The goal is to contain the “`mkFlake` hack” to a file that we can heavily document but otherwise ignore. This also will allow me to reuse it in the “flake under test” of the deployment tests. Reviewed-on: Fediversity/Fediversity#447 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-09 10:12:47 +02:00
Kiara Grouwstra	8a7984933d	reinstate acme settings needed by applications (#434 ) closes #417 Reviewed-on: Fediversity/Fediversity#434 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-08 10:02:13 +02:00
Kiara Grouwstra	5520fa721b	gitea PR unpruned (#445 ) see #65 Reviewed-on: Fediversity/Fediversity#445 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 13:38:09 +02:00
Kiara Grouwstra	eabfc228c5	updater: try the first upstream commit without `git remote prune` (#444 ) Reviewed-on: Fediversity/Fediversity#444 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 13:23:08 +02:00
Kiara Grouwstra	3f923532a2	updater: fully qualify github domain in `uses` (#443 ) part of #65. succeeds #442. Reviewed-on: Fediversity/Fediversity#443 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 12:50:55 +02:00
Kiara Grouwstra	37d4fc5a42	un-qualify github.com domain in updater `uses`, which resolved to data.forgejo.org/github.com (#442 ) attempt to address https://git.fediversity.eu/Fediversity/Fediversity/actions/runs/920. part of #65. Reviewed-on: Fediversity/Fediversity#442 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 12:47:06 +02:00
Kiara Grouwstra	c7b05bb473	deduplicate `import-flake`, fixing test regression from git merge (#441 ) Reviewed-on: Fediversity/Fediversity#441 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-07 10:58:10 +02:00
Kiara Grouwstra	5345860006	data model: add run-time configuration (#437 ) based on @fricklerhandwerk's work at https://git.fediversity.eu/fricklerhandwerk/Fediversity/compare/main...data-model-as-diagram part of #103. supersedes #402. on the application model, feedback on a [sample implementation](#2) welcome as well. Reviewed-on: Fediversity/Fediversity#437 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-06 21:42:25 +02:00
Kiara Grouwstra	fbb0806072	in `update` workflow use PR action actually meant for gitea (#438 ) see #65 Reviewed-on: Fediversity/Fediversity#438 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-06 21:39:26 +02:00
Kiara Grouwstra	b0848727fd	clarify the use of isNormalUser (#436 ) Reviewed-on: Fediversity/Fediversity#436 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-06 09:09:43 +02:00
Kiara Grouwstra	a882de0b8e	address linter gripes in nix files (#430 ) Reviewed-on: Fediversity/Fediversity#430 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-03 15:56:16 +02:00
Kiara Grouwstra	05572ff69e	remove string interpolation from imports (#429 ) Reviewed-on: Fediversity/Fediversity#429 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-03 15:55:39 +02:00
Nicolas “Niols” Jeannerod	13c92280ab	Clean up `lib` in `forgejo-ci` and extend on the `.ssh/config` comment (#428 ) Reviewed-on: Fediversity/Fediversity#428 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-02 17:49:44 +02:00
Kiara Grouwstra	871672d447	Add `forgejo-ci` machine to our infrastructure (#389 ) picked up from https://git.fediversity.eu/Fediversity/Fediversity/compare/main...niols:forgejo-ci. closes #356. Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-on: Fediversity/Fediversity#389 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-02 17:43:09 +02:00
Kiara Grouwstra	6da42936e7	add missing home-manager import to fedipanel VM (#425 ) Reviewed-on: Fediversity/Fediversity#425 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-02 17:32:38 +02:00
Kiara Grouwstra	8df70a2ff0	classify recent flake-parts files	2025-07-02 13:25:23 +02:00
Kiara Grouwstra	5a92c2c0bc	docs: fix links to machines (#426 ) Reviewed-on: Fediversity/Fediversity#426 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-02 13:16:38 +02:00
Nicolas “Niols” Jeannerod	1c92009879	Do not force QEMU options onto machines	2025-07-01 23:55:33 +02:00
Kiara Grouwstra	a791ad41ec	Inject sources, secrets and keys via module system - avoid `import ../` (#421 ) Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-on: Fediversity/Fediversity#421 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-01 21:08:15 +02:00
Nicolas “Niols” Jeannerod	c1dc0fef01	Split nameservers between IPv4 and IPv6 (#420 ) Reviewed-on: Fediversity/Fediversity#420 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>	2025-07-01 13:09:06 +02:00
Kiara Grouwstra	5a3cbe4d83	fix agenix package in shell (#422 ) as per Fediversity/Fediversity#419 (comment) Reviewed-on: Fediversity/Fediversity#422 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-07-01 11:29:38 +02:00
Kiara Grouwstra	fd1d55df5f	move shell from flake	2025-07-01 10:22:58 +02:00
Kiara Grouwstra	0c23115cff	allow configuring network interface (#413 ) Reviewed-on: Fediversity/Fediversity#413 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-30 19:23:51 +02:00
Nicolas “Niols” Jeannerod	3f1c8a9bb7	Document why Nix and OpenSSH lost in #412. Alternatively, we could have a comment on both lines saying eg. “for NixOps4”	2025-06-30 14:30:29 +02:00
Kiara Grouwstra	737aecaba6	set default value for nixops4Package (#412 ) Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Reviewed-on: Fediversity/Fediversity#412 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-30 12:44:53 +02:00
Kiara Grouwstra	d7dbdd923c	make CI test invocations idempotent to better facilitate manual use (#416 ) Reviewed-on: Fediversity/Fediversity#416 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-30 12:42:19 +02:00
Kiara Grouwstra	1c44004cfe	update documentation for #375 (#406 ) Reviewed-on: Fediversity/Fediversity#406 Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-27 14:40:40 +02:00
Kiara Grouwstra	ae444d5352	simplify imports (#415 ) Reviewed-on: Fediversity/Fediversity#415 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-27 14:01:41 +02:00
Valentin Gagarin	e77fdd9eec	expose nixops4 in `nix-shell` (#411 ) Instead of Fediversity/Fediversity#406 Eventually we should merge `//panel/default.nix` with `//default.nix` of course. Co-authored-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-on: Fediversity/Fediversity#411 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-committed-by: Valentin Gagarin <valentin.gagarin@tweag.io>	2025-06-27 12:00:47 +02:00
Kiara Grouwstra	1f1cf0d516	unset class, fixing #408 (#410 ) Reviewed-on: Fediversity/Fediversity#410 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-27 11:53:17 +02:00
Kiara Grouwstra	f94eac698a	disable updater schedule while it hangs	2025-06-26 17:01:40 +02:00
Kiara Grouwstra	46182e7512	fix workflow step title (#404 ) split off from #399 Reviewed-on: Fediversity/Fediversity#404 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-24 08:58:01 +02:00
Kiara Grouwstra	9a25a04bfa	specify `_class` module attributes to explicitly declare module types (#398 ) closes #93. note that this includes classes: - `nixos` - `nixosTest` - `nixops4Resource` - `nixops4Deployment` .. and my (made-up, as per the [docs](https://ryantm.github.io/nixpkgs/module-system/module-system/#module-system-lib-evalModules-param-class)): - `nix-unit` - `package` .. while i did not manage to cover: - service tests, given `pkgs.nixosTest` seemed to not actually like `_class = "nixosTest"` (?!) ... nor #93's mentioned destructured arguments for that matter, as per Fediversity/Fediversity#93 (comment) - let me know if that is still desired as well. Reviewed-on: Fediversity/Fediversity#398 Reviewed-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>	2025-06-23 17:24:54 +02:00
Valentin Gagarin	c1b33121b6	expose npins in shell for CI (#403 ) Should fix Fediversity/Fediversity#65 (comment) Reviewed-on: Fediversity/Fediversity#403 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-committed-by: Valentin Gagarin <valentin.gagarin@tweag.io>	2025-06-23 17:21:32 +02:00
Kiara Grouwstra	d073bd706d	cast `DEPLOYMENT_FLAKE` to string	2025-06-22 14:42:14 +02:00
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMlsYTtMx3hFO8B5B8iHaXL2JKj9izHeC+/AMhIWXBPs cd-age`
		`@ -1 +0,0 @@`
			`ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2`