move attic to infra - TODO garage wiring, which may need #309

Reviewed-on: Fediversity/Fediversity#489
Reviewed-by: kiara Grouwstra <kiara@procolix.eu>
Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>
Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>

.forgejo/workflows/cache.yaml

@@ -0,0 +1,25 @@
+name: cache-build
+
+on:
+  workflow_dispatch: # allows manual triggering
+  push:
+    branches:
+      # - main
+
+jobs:
+  deploy:
+    runs-on: native
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Cache
+        run: |
+          nix-shell --run "attic login fediversity https://attic.fediversity.net '${{ secrets.ATTIC_PUSH_KEY }}' && attic use demo"
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          cat ~/.config/attic/config.toml
+          cat ~/.config/nix/nix.conf
+          nix-shell --run "attic push demo $(nix-build)"

.forgejo/workflows/ci.yaml

@@ -21,6 +21,19 @@ jobs:
       - uses: actions/checkout@v4
       - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'
 
+      - name: Cache
+        run: |
+          nix-shell --run "attic login fediversity https://attic.fediversity.net '${{ secrets.ATTIC_PUSH_KEY }}' && attic use demo"
+          env
+          mkdir -p ~/.ssh
+          echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          cat ~/.config/attic/config.toml
+          cat ~/.config/nix/nix.conf
+          echo "RUNNER_DEBUG: ${{ secrets.RUNNER_DEBUG }}"
+          echo "GIT_TRACE: ${{ secrets.GIT_TRACE }}"
+          nix-shell --run "attic push demo $(nix-build)"
+
   check-mastodon:
     runs-on: native
     steps:
@@ -56,3 +69,29 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-panel -L
+
+  ## NOTE: NixOps4 does not provide a good “dry run” mode, so we instead check
+  ## proxies for resources, namely whether their `.#vmOptions.<machine>` and
+  ## `.#nixosConfigurations.<machine>` outputs evaluate and build correctly, and
+  ## whether we can dry run `infra/proxmox-*.sh` on them. This will not catch
+  ## everything, and in particular not issues in how NixOps4 wires up the
+  ## resources, but that is still something.
+  check-resources:
+    runs-on: native
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          set -euC
+          echo ==================== [ VM Options ] ====================
+          machines=$(nix eval --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).vmOptions)')
+          for machine in $machines; do
+            echo ~~~~~~~~~~~~~~~~~~~~~: $machine :~~~~~~~~~~~~~~~~~~~~~
+            nix build .#checks.x86_64-linux.vmOptions-$machine
+          done
+          echo
+          echo ==================== [ NixOS Configurations ] ====================
+          machines=$(nix eval --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).nixosConfigurations)')
+          for machine in $machines; do
+            echo ~~~~~~~~~~~~~~~~~~~~~: $machine :~~~~~~~~~~~~~~~~~~~~~
+            nix build .#checks.x86_64-linux.nixosConfigurations-$machine
+          done

.forgejo/workflows/update.yaml

@@ -13,7 +13,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
       - name: Update pins
-        run: nix-shell --run "npins update"
+        run: nix-shell --run "npins --verbose update"
       - name: Create PR
         uses: https://github.com/KiaraGrouwstra/gitea-create-pull-request@f9f80aa5134bc5c03c38f5aaa95053492885b397
         with:

default.nix

@@ -65,6 +65,7 @@ in
         pkgs.httpie
         pkgs.jq
         pkgs.nix-unit
+        pkgs.attic-client
         test-loop
         nixops4.packages.${system}.default
       ];

deployment/check/cli/nixosTest.nix

@@ -45,6 +45,8 @@ in
         peertube.inputDerivation
         gixy
         gixy.inputDerivation
+        shellcheck
+        shellcheck.inputDerivation
       ];
 
       system.extraDependenciesFromModule = {

deployment/check/common/deployerNode.nix

@@ -40,7 +40,7 @@ in
       ## default. These values have been trimmed down to the gigabyte.
       ## Memory use is expected to be dominated by the NixOS evaluation,
       ## which happens on the deployer.
-      memorySize = 4 * 1024;
+      memorySize = 5 * 1024;
       diskSize = 4 * 1024;
       cores = 2;
     };
@@ -59,8 +59,11 @@ in
         inputs.nixpkgs
 
         sources.flake-parts
+        sources.nixpkgs
         sources.flake-inputs
         sources.git-hooks
+        sources.vars
+        sources.nix-templating
 
         pkgs.stdenv
         pkgs.stdenvNoCC

deployment/check/common/nixosTest.nix

@@ -48,7 +48,8 @@ in
     extraTestScript = mkOption { };
 
     sourceFileset = mkOption {
-      ## REVIEW: Upstream to nixpkgs?
+      ## FIXME: grab `lib.types.fileset` from NixOS, once upstreaming PR
+      ## https://github.com/NixOS/nixpkgs/pull/428293 lands.
       type = types.mkOptionType {
         name = "fileset";
         description = "fileset";

infra/common/nixos/default.nix

@@ -24,6 +24,14 @@ in
     experimental-features = nix-command flakes
   '';
 
+  nix.settings = {
+    substituters = [
+      "https://attic.fediversity.net/demo"
+    ];
+    trusted-public-keys = [
+      "demo:N3CAZ049SeBVqBM+OnhLMrxWJ9altbD/aoJtHrY19KM="
+    ];
+  };
   boot.loader = {
     systemd-boot.enable = true;
     efi.canTouchEfiVariables = true;

infra/common/nixos/users.nix

@@ -6,7 +6,7 @@
   _class = "nixos";
 
   users.users = {
-    root.openssh.authorizedKeys.keys = config.user.users.procolix.openssh.authorizedKeys.keys;
+    root.openssh.authorizedKeys.keys = config.users.users.procolix.openssh.authorizedKeys.keys;
 
     procolix = {
       isNormalUser = true;

infra/common/options.nix

@@ -20,16 +20,13 @@ in
       '';
     };
 
-    proxmox = mkOption {
-      type = types.nullOr (
-        types.enum [
-          "procolix"
-          "fediversity"
-        ]
-      );
+    isFediversityVm = mkOption {
+      type = types.bool;
       description = ''
-        The Proxmox instance. This is used for provisioning only and should be
-        set to `null` if the machine is not a VM.
+        Whether the machine is a Fediversity VM or not. This is used to
+        determine whether the machine should be provisioned via Proxmox or not.
+        Machines that are _not_ Fediversity VM could be physical machines, or
+        VMs that live outside Fediversity, eg. on Procolix's Proxmox.
       '';
     };
 

infra/common/proxmox-qemu-vm.nix

@@ -1,10 +1,14 @@
-{ sources, ... }:
+{ ... }:
+
 {
   _class = "nixos";
 
-  imports = [
-    "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
-  ];
+  ## FIXME: It would be nice, but the following leads to infinite recursion
+  ## in the way we currently plug `sources` in.
+  ##
+  # imports = [
+  #   "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+  # ];
 
   boot = {
     initrd = {

infra/common/resource.nix

@@ -2,7 +2,6 @@
   inputs,
   lib,
   config,
-  sources,
   keys,
   secrets,
   ...
@@ -33,10 +32,9 @@ in
   ## should go into the `./nixos` subdirectory.
   nixos.module = {
     imports = [
-      "${sources.agenix}/modules/age.nix"
-      "${sources.disko}/module.nix"
       ./options.nix
       ./nixos
+      ./proxmox-qemu-vm.nix
     ];
 
     ## Inject the shared options from the resource's `config` into the NixOS

infra/flake-part.nix

@@ -14,53 +14,40 @@ let
     mkOption
     evalModules
     filterAttrs
+    mapAttrs'
+    deepSeq
     ;
   inherit (lib.attrsets) genAttrs;
 
-  ## Given a machine's name and whether it is a test VM, make a resource module,
-  ## except for its missing provider. (Depending on the use of that resource, we
-  ## will provide a different one.)
-  makeResourceModule =
-    { vmName, isTestVm }:
-    {
-      # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch flake-parts and have our own data model for how the project is organised internally
+  commonResourceModule = {
+    # TODO(@fricklerhandwerk): this is terrible but IMO we should just ditch
+    # flake-parts and have our own data model for how the project is organised
+    # internally
     _module.args = {
       inherit
         inputs
         keys
         secrets
+        sources
         ;
     };
 
+    ## FIXME: It would be preferrable to have those `sources`-related imports in
+    ## the modules that use them. However, doing so triggers infinite recursions
+    ## because of the way we propagate `sources`. `sources` must be propagated by
+    ## means of `specialArgs`, but this requires a bigger change.
     nixos.module.imports = [
-        ./common/proxmox-qemu-vm.nix
+      "${sources.nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+      "${sources.agenix}/modules/age.nix"
+      "${sources.disko}/module.nix"
+      "${sources.home-manager}/nixos"
+      "${sources.vars}/options.nix"
+      "${sources.vars}/backends/on-machine.nix"
     ];
 
-      nixos.specialArgs = {
-        inherit sources;
-      };
-
-      imports =
-        [
+    imports = [
       ./common/resource.nix
-        ]
-        ++ (
-          if isTestVm then
-            [
-              ../machines/operator/${vmName}
-              {
-                nixos.module.users.users.root.openssh.authorizedKeys.keys = [
-                  # allow our panel vm access to the test machines
-                  keys.panel
     ];
-              }
-            ]
-          else
-            [
-              ../machines/dev/${vmName}
-            ]
-        );
-      fediversityVm.name = vmName;
   };
 
   ## Given a list of machine names, make a deployment with those machines'
@@ -69,34 +56,16 @@ let
     vmNames:
     { providers, ... }:
     {
-      # XXX: this type merge is for adding `specialArgs` to resource modules
-      options.resources = mkOption {
-        type =
-          with lib.types;
-          lazyAttrsOf (submoduleWith {
-            class = "nixops4Resource";
-            modules = [ ];
-            # TODO(@fricklerhandwerk): we may want to pass through all of `specialArgs`
-            # once we're sure it's sane. leaving it here for better control during refactoring.
-            specialArgs = {
-              inherit sources;
-            };
-          });
-      };
-      config = {
       providers.local = inputs.nixops4.modules.nixops4Provider.local;
       resources = genAttrs vmNames (vmName: {
         type = providers.local.exec;
         imports = [
           inputs.nixops4-nixos.modules.nixops4Resource.nixos
-            (makeResourceModule {
-              inherit vmName;
-              isTestVm = false;
-            })
+          commonResourceModule
+          ../machines/dev/${vmName}
         ];
       });
     };
-    };
   makeDeployment' = vmName: makeDeployment [ vmName ];
 
   ## Given an attrset of test configurations (key = test machine name, value =
@@ -110,21 +79,29 @@ let
         fediversity = import ../services/fediversity;
       }
       {
-        garageConfigurationResource = makeResourceModule {
-          vmName = "test01";
-          isTestVm = true;
+        garageConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test01
+          ];
         };
-        mastodonConfigurationResource = makeResourceModule {
-          vmName = "test06"; # somehow `test02` has a problem - use test06 instead
-          isTestVm = true;
+        mastodonConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test06 # somehow `test02` has a problem - use test06 instead
+          ];
         };
-        peertubeConfigurationResource = makeResourceModule {
-          vmName = "test05";
-          isTestVm = true;
+        peertubeConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test05
+          ];
         };
-        pixelfedConfigurationResource = makeResourceModule {
-          vmName = "test04";
-          isTestVm = true;
+        pixelfedConfigurationResource = {
+          imports = [
+            commonResourceModule
+            ../machines/operator/test04
+          ];
         };
       };
 
@@ -137,54 +114,63 @@ let
     ## this is only needed to expose NixOS configurations for provisioning
     ## purposes, and eventually all of this should be handled by NixOps4.
     options = {
-      nixos.module = mkOption { }; # NOTE: not just `nixos` otherwise merging will go wrong
+      nixos.module = mkOption { type = lib.types.deferredModule; }; # NOTE: not just `nixos` otherwise merging will go wrong
       nixpkgs = mkOption { };
       ssh = mkOption { };
     };
   };
 
   makeResourceConfig =
-    vm:
+    { vmName, isTestVm }:
     (evalModules {
       modules = [
         nixops4ResourceNixosMockOptions
-        (makeResourceModule vm)
+        commonResourceModule
+        (if isTestVm then ../machines/operator/${vmName} else ../machines/dev/${vmName})
       ];
     }).config;
 
   ## Given a VM name, make a NixOS configuration for this machine.
   makeConfiguration =
     isTestVm: vmName:
-    let
-      inherit (sources) nixpkgs;
-    in
-    import "${nixpkgs}/nixos" {
-      modules = [
-        (makeResourceConfig { inherit vmName isTestVm; }).nixos.module
-      ];
+    import "${sources.nixpkgs}/nixos" {
+      configuration = (makeResourceConfig { inherit vmName isTestVm; }).nixos.module;
+      system = "x86_64-linux";
     };
 
-  makeVmOptions = isTestVm: vmName: {
-    inherit ((makeResourceConfig { inherit vmName isTestVm; }).fediversityVm)
-      proxmox
+  makeVmOptions =
+    isTestVm: vmName:
+    let
+      config = (makeResourceConfig { inherit vmName isTestVm; }).fediversityVm;
+    in
+    if config.isFediversityVm then
+      {
+        inherit (config)
           vmId
           description
-
           sockets
           cores
           memory
           diskSize
-
           hostPublicKey
           unsafeHostPrivateKey
           ;
-  };
+      }
+    else
+      null;
 
   listSubdirectories = path: attrNames (filterAttrs (_: type: type == "directory") (readDir path));
 
   machines = listSubdirectories ../machines/dev;
   testMachines = listSubdirectories ../machines/operator;
 
+  nixosConfigurations =
+    genAttrs machines (makeConfiguration false)
+    // genAttrs testMachines (makeConfiguration true);
+  vmOptions =
+    filterAttrs (_: value: value != null) # Filter out non-Fediversity VMs
+      (genAttrs machines (makeVmOptions false) // genAttrs testMachines (makeVmOptions true));
+
 in
 {
   _class = "flake";
@@ -208,10 +194,23 @@ in
       )
     );
   };
-  flake.nixosConfigurations =
-    genAttrs machines (makeConfiguration false)
-    // genAttrs testMachines (makeConfiguration true);
-  flake.vmOptions =
-    genAttrs machines (makeVmOptions false)
-    // genAttrs testMachines (makeVmOptions true);
+  flake = { inherit nixosConfigurations vmOptions; };
+
+  perSystem =
+    { pkgs, ... }:
+    {
+      checks =
+        mapAttrs' (name: nixosConfiguration: {
+          name = "nixosConfigurations-${name}";
+          value = nixosConfiguration.config.system.build.toplevel;
+        }) nixosConfigurations
+        // mapAttrs' (name: vmOptions: {
+          name = "vmOptions-${name}";
+          ## Check that VM options builds/evaluates correctly. `deepSeq e1
+          ## e2` evaluates `e1` strictly in depth before returning `e2`. We
+          ## use this trick because checks need to be derivations, which VM
+          ## options are not.
+          value = deepSeq vmOptions pkgs.hello;
+        }) vmOptions;
+    };
 }

infra/proxmox-provision.sh

@@ -179,15 +179,9 @@ grab_vm_options () {
     --log-format raw --quiet
   )
 
-  proxmox=$(echo "$options" | jq -r .proxmox)
   vm_id=$(echo "$options" | jq -r .vmId)
   description=$(echo "$options" | jq -r .description)
 
-  if [ "$proxmox" != fediversity ]; then
-    die "I do not know how to provision things that are not Fediversity VMs,
-but I got proxmox = '%s' for VM %s." "$proxmox" "$vm_name"
-  fi
-
   sockets=$(echo "$options" | jq -r .sockets)
   cores=$(echo "$options" | jq -r .cores)
   memory=$(echo "$options" | jq -r .memory)

infra/proxmox-remove.sh

@@ -167,16 +167,10 @@ grab_vm_options () {
       --log-format raw --quiet
     )
 
-    proxmox=$(echo "$options" | jq -r .proxmox)
     vm_id=$(echo "$options" | jq -r .vmId)
 
-    if [ "$proxmox" != fediversity ]; then
-      die "I do not know how to remove things that are not Fediversity VMs,
-  but I got proxmox = '%s' for VM %s." "$proxmox" "$vm_name"
-    fi
-
-    printf 'done grabing VM options for VM %s. Found VM %d on %s Proxmox.\n' \
-      "$vm_name" "$vm_id" "$proxmox"
+    printf 'done grabing VM options for VM %s. Got id: %d.\n' \
+      "$vm_name" "$vm_id"
   fi
 }
 

machines/dev/fedi200/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "fedi200";
+    isFediversityVm = true;
     vmId = 200;
-    proxmox = "fediversity";
     description = "Testing machine for Hans";
 
     domain = "abundos.eu";
@@ -19,7 +20,7 @@
 
   nixos.module = {
     imports = [
-      ../../../infra/common/proxmox-qemu-vm.nix
+      ../../../services/fediversity/attic
     ];
   };
 }

machines/dev/fedi201/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "fedi201";
+    isFediversityVm = true;
     vmId = 201;
-    proxmox = "fediversity";
     description = "FediPanel";
 
     domain = "abundos.eu";
@@ -19,7 +20,6 @@
 
   nixos.module = {
     imports = [
-      ../../../infra/common/proxmox-qemu-vm.nix
       ./fedipanel.nix
     ];
   };

machines/dev/fedi201/fedipanel.nix

@@ -1,6 +1,5 @@
 {
   config,
-  sources,
   ...
 }:
 let
@@ -11,7 +10,6 @@ in
 
   imports = [
     (import ../../../panel { }).module
-    "${sources.home-manager}/nixos"
   ];
 
   security.acme = {

machines/dev/forgejo-ci/default.nix

@@ -20,7 +20,9 @@ in
   ssh.host = mkForce "forgejo-ci";
 
   fediversityVm = {
+    name = "forgejo-ci";
     domain = "procolix.com";
+    isFediversityVm = false;
 
     ipv4 = {
       interface = "enp1s0f0";

machines/dev/vm02116/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "vm02116";
+    isFediversityVm = false;
     vmId = 2116;
-    proxmox = "procolix";
     description = "Forgejo";
 
     ipv4.address = "185.206.232.34";
@@ -14,7 +15,6 @@
     { lib, ... }:
     {
       imports = [
-        ../../../infra/common/proxmox-qemu-vm.nix
         ./forgejo.nix
       ];
 

machines/dev/vm02187/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "vm02187";
+    isFediversityVm = false;
     vmId = 2187;
-    proxmox = "procolix";
     description = "Wiki";
 
     ipv4.address = "185.206.232.187";
@@ -14,7 +15,6 @@
     { lib, ... }:
     {
       imports = [
-        ../../../infra/common/proxmox-qemu-vm.nix
         ./wiki.nix
       ];
 

machines/operator/test01/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test01";
+    isFediversityVm = true;
     vmId = 7001;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test02/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test02";
+    isFediversityVm = true;
     vmId = 7002;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test03/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test03";
+    isFediversityVm = true;
     vmId = 7003;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test04/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test04";
+    isFediversityVm = true;
     vmId = 7004;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test05/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test05";
+    isFediversityVm = true;
     vmId = 7005;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test06/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test06";
+    isFediversityVm = true;
     vmId = 7006;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test11/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test11";
+    isFediversityVm = true;
     vmId = 7011;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test12/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test12";
+    isFediversityVm = true;
     vmId = 7012;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test13/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test13";
+    isFediversityVm = true;
     vmId = 7013;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

machines/operator/test14/default.nix

@@ -2,8 +2,9 @@
   _class = "nixops4Resource";
 
   fediversityVm = {
+    name = "test14";
+    isFediversityVm = true;
     vmId = 7014;
-    proxmox = "fediversity";
 
     hostPublicKey = builtins.readFile ./ssh_host_ed25519_key.pub;
     unsafeHostPrivateKey = builtins.readFile ./ssh_host_ed25519_key;

npins/sources.json

@@ -125,6 +125,19 @@
       "url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4",
       "hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2"
     },
+    "nix-templating": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "KiaraGrouwstra",
+        "repo": "nix-templating"
+      },
+      "branch": "lib-default-arg",
+      "submodules": false,
+      "revision": "e1ff247d508b4efd057a4d6bb13cf45b62c2512f",
+      "url": "https://github.com/KiaraGrouwstra/nix-templating/archive/e1ff247d508b4efd057a4d6bb13cf45b62c2512f.tar.gz",
+      "hash": "0g59h4r029jw8vlvn8da62fk9m737s80fg2qk57322iv9lkqlvp0"
+    },
     "nix-unit": {
       "type": "Git",
       "repository": {
@@ -150,6 +163,19 @@
       "revision": "f33a4d26226c05d501b9d4d3e5e60a3a59991921",
       "url": "https://github.com/nixos/nixpkgs/archive/f33a4d26226c05d501b9d4d3e5e60a3a59991921.tar.gz",
       "hash": "1b6dm1sn0bdpcsmxna0zzspjaixa2dald08005fry5jrbjvwafdj"
+    },
+    "vars": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "KiaraGrouwstra",
+        "repo": "vars"
+      },
+      "branch": "kiara",
+      "submodules": false,
+      "revision": "7f16fc3d6457b54ecd31aa681cde6db2aefcf4d3",
+      "url": "https://github.com/KiaraGrouwstra/vars/archive/7f16fc3d6457b54ecd31aa681cde6db2aefcf4d3.tar.gz",
+      "hash": "0pvmyhsjlplcsb0fv4ns45lnvwkbjf0jvj26rsxl4hnp2amspc33"
     }
   },
   "version": 5

secrets/secrets.nix

@@ -25,6 +25,7 @@ concatMapAttrs
     ## are able to decrypt them.
 
     {
+      attic-ci-token = [ forgejo-ci ];
       forgejo-database-password = [ vm02116 ];
       forgejo-email-password = [ vm02116 ];
       forgejo-runner-token = [ forgejo-ci ];

services/fediversity/attic/default.nix

@@ -0,0 +1,322 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  sources = import ../../../npins;
+  inherit (import "${sources.nix-templating}/lib.nix" { inherit pkgs; }) fileContents template_text;
+  s3 = {
+    # REVIEW: how were these generated above? how do i add one?
+    s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKaaaaaaaaaaaaaaaaaaaaaaaa";
+    s3SecretKeyFile = pkgs.writeText "s3SecretKey" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+  };
+in
+{
+  imports = with sources; [
+    "${vars}/options.nix"
+    "${vars}/backends/on-machine.nix"
+  ];
+
+  # fediversity.garage = {
+  #   ensureBuckets = {
+  #     attic = {
+  #       website = true;
+  #       # TODO: these are too broad, after getting everything to work narrow it down to the domain we actually want
+  #       corsRules = {
+  #         enable = true;
+  #         allowedHeaders = [ "*" ];
+  #         allowedMethods = [ "GET" ];
+  #         allowedOrigins = [ "*" ];
+  #       };
+  #     };
+  #   };
+  #   ensureKeys = {
+  #     attic = {
+  #       inherit (s3) s3AccessKeyFile s3SecretKeyFile;
+  #       ensureAccess = {
+  #         attic = {
+  #           read = true;
+  #           write = true;
+  #           owner = true;
+  #         };
+  #       };
+  #     };
+  #   };
+  # };
+
+  services.postgresql = {
+    enable = true;
+    authentication = lib.mkForce ''
+      local all all trust
+    '';
+    ensureDatabases = [
+      "atticd"
+    ];
+    ensureUsers = [
+      {
+        name = "atticd";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  # open up access. 80 is necessary if only for ACME
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+    8080
+    9000
+  ];
+
+  # https://wiki.nixos.org/wiki/Nginx#TLS_reverse_proxy
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts."attic.fediversity.net" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8080";
+        proxyWebsockets = true; # needed if you need to use WebSocket
+        extraConfig =
+          # required when the target is also TLS server with multiple hosts
+          "proxy_ssl_server_name on;"
+          +
+            # required when the server wants to use HTTP Authentication
+            "proxy_pass_header Authorization;";
+      };
+    };
+  };
+
+  vars.settings.on-machine.enable = true;
+
+  vars.generators.attic = {
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.openssl
+    ];
+    files.token = {
+      secret = true;
+      owner = "atticd";
+    };
+    script = ''
+      openssl genrsa -traditional 4096 | base64 -w0 > "$out"/token
+    '';
+  };
+
+  systemd.services.atticd.serviceConfig = {
+    EnvironmentFile = lib.mkForce "-/tmp/attic.env";
+    ExecStartPre = "${
+      template_text {
+        # FIXME find a place not public
+        outPath = "/tmp/attic.env";
+        text = ''
+          ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="${fileContents config.vars.generators.attic.files.token.path}"
+          AWS_ACCESS_KEY_ID="${fileContents s3.s3AccessKeyFile}"
+          AWS_SECRET_ACCESS_KEY="${fileContents s3.s3SecretKeyFile}"
+        '';
+        name = "write";
+      }
+    }/bin/write";
+  };
+
+  services.atticd = {
+    enable = true;
+    environmentFile = "/dev/null"; # set dummy to overwrite
+    # one `monolithic` and any number of `api-server` nodes
+    mode = "monolithic";
+
+    # https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml
+    settings = {
+      # Socket address to listen on
+      listen = "127.0.0.1:8080";
+
+      # Allowed `Host` headers
+      #
+      # This _must_ be configured for production use. If unconfigured or the
+      # list is empty, all `Host` headers are allowed.
+      allowed-hosts = [ ];
+
+      # The canonical API endpoint of this server
+      #
+      # This is the endpoint exposed to clients in `cache-config` responses.
+      #
+      # This _must_ be configured for production use. If not configured, the
+      # API endpoint is synthesized from the client's `Host` header which may
+      # be insecure.
+      #
+      # The API endpoint _must_ end with a slash (e.g., `https://domain.tld/attic/`
+      # not `https://domain.tld/attic`).
+      api-endpoint = "https://attic.fediversity.net/";
+
+      # Whether to soft-delete caches
+      #
+      # If this is enabled, caches are soft-deleted instead of actually
+      # removed from the database. Note that soft-deleted caches cannot
+      # have their names reused as long as the original database records
+      # are there.
+      #soft-delete-caches = false;
+
+      # Whether to require fully uploading a NAR if it exists in the global cache.
+      #
+      # If set to false, simply knowing the NAR hash is enough for
+      # an uploader to gain access to an existing NAR in the global
+      # cache.
+      #require-proof-of-possession = true;
+
+      # Database connection
+      database = {
+        # Connection URL
+        #
+        # For production use it's recommended to use PostgreSQL.
+        # url = "postgresql:///atticd:password@127.0.0.1:5432/atticd";
+        url = "postgresql:///atticd?host=/run/postgresql";
+
+        # Whether to enable sending on periodic heartbeat queries
+        #
+        # If enabled, a heartbeat query will be sent every minute
+        #heartbeat = false;
+      };
+
+      # File storage configuration
+      storage = {
+        # Storage type
+        #
+        # Can be "local" or "s3".
+        type = "s3";
+
+        # ## Local storage
+
+        # The directory to store all files under
+        # path = "%storage_path%";
+
+        # ## S3 Storage (set type to "s3" and uncomment below)
+
+        # The AWS region
+        region = "garage";
+
+        # The name of the bucket
+        bucket = "attic";
+
+        # Custom S3 endpoint
+        #
+        # Set this if you are using an S3-compatible object storage (e.g., Minio).
+        endpoint = "http://s3.garage.fediversity.net:3900";
+
+        # Credentials
+        #
+        # If unset, the credentials are read from the `AWS_ACCESS_KEY_ID` and
+        # `AWS_SECRET_ACCESS_KEY` environment variables.
+        # storage.credentials = {
+        #   access_key_id = "";
+        #   secret_access_key = "";
+        # };
+      };
+
+      # Data chunking
+      #
+      # Warning: If you change any of the values here, it will be
+      # difficult to reuse existing chunks for newly-uploaded NARs
+      # since the cutpoints will be different. As a result, the
+      # deduplication ratio will suffer for a while after the change.
+      chunking = {
+        # The minimum NAR size to trigger chunking
+        #
+        # If 0, chunking is disabled entirely for newly-uploaded NARs.
+        # If 1, all NARs are chunked.
+        nar-size-threshold = 65536; # chunk files that are 64 KiB or larger
+
+        # The preferred minimum size of a chunk, in bytes
+        min-size = 16384; # 16 KiB
+
+        # The preferred average size of a chunk, in bytes
+        avg-size = 65536; # 64 KiB
+
+        # The preferred maximum size of a chunk, in bytes
+        max-size = 262144; # 256 KiB
+      };
+
+      # Compression
+      compression = {
+        # Compression type
+        #
+        # Can be "none", "brotli", "zstd", or "xz"
+        type = "zstd";
+
+        # Compression level
+        #level = 8;
+      };
+
+      # Garbage collection
+      garbage-collection = {
+        # The frequency to run garbage collection at
+        #
+        # By default it's 12 hours. You can use natural language
+        # to specify the interval, like "1 day".
+        #
+        # If zero, automatic garbage collection is disabled, but
+        # it can still be run manually with `atticd --mode garbage-collector-once`.
+        interval = "12 hours";
+
+        # Default retention period
+        #
+        # Zero (default) means time-based garbage-collection is
+        # disabled by default. You can enable it on a per-cache basis.
+        #default-retention-period = "6 months";
+      };
+
+      # jwt = {
+      # WARNING: Changing _anything_ in this section will break any existing
+      # tokens. If you need to regenerate them, ensure that you use the the
+      # correct secret and include the `iss` and `aud` claims.
+
+      # JWT `iss` claim
+      #
+      # Set this to the JWT issuer that you want to validate.
+      # If this is set, all received JWTs will validate that the `iss` claim
+      # matches this value.
+      #token-bound-issuer = "some-issuer";
+
+      # JWT `aud` claim
+      #
+      # Set this to the JWT audience(s) that you want to validate.
+      # If this is set, all received JWTs will validate that the `aud` claim
+      # contains at least one of these values.
+      #token-bound-audiences = ["some-audience1", "some-audience2"];
+      # };
+
+      # jwt.signing = {
+      # You must configure JWT signing and verification inside your TOML configuration by setting one of the following options in the [jwt.signing] block:
+      # * token-rs256-pubkey-base64
+      # * token-rs256-secret-base64
+      # * token-hs256-secret-base64
+      # or by setting one of the following environment variables:
+      # * ATTIC_SERVER_TOKEN_RS256_PUBKEY_BASE64
+      # * ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64
+      # * ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64
+      # Options will be tried in that same order (configuration options first, then environment options if none of the configuration options were set, starting with the respective RSA pubkey option, the RSA secret option, and finally the HMAC secret option). The first option that is found will be used.
+      # If an RS256 pubkey (asymmetric RSA PEM PKCS1 public key) is provided, it will only be possible to verify received JWTs, and not sign new JWTs.
+      # If an RS256 secret (asymmetric RSA PEM PKCS1 private key) is provided, it will be used for both signing new JWTs and verifying received JWTs.
+      # If an HS256 secret (symmetric HMAC secret) is provided, it will be used for both signing new JWTs and verifying received JWTs.
+
+      # JWT RS256 secret key
+      #
+      # Set this to the base64-encoded private half of an RSA PEM PKCS1 key.
+      # TODO
+      # You can also set it via the `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64`
+      # environment variable.
+      # token-rs256-secret-base64 = "%token_rs256_secret_base64%";
+
+      # JWT HS256 secret key
+      #
+      # Set this to the base64-encoded HMAC secret key.
+      # You can also set it via the `ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64`
+      # environment variable.
+      #token-hs256-secret-base64 = "";
+      # };
+    };
+  };
+}