fix(builders/netboot): make "normal" evaluation pass

Without this patch running `colmena build` will run into a few assertion
errors for machines that have `config.bagel.baremetal.builders.netboot == true`
set. This is due to an assertion check in the initrd module making sure
there is a mount point for `/`. This can be trivially fixed by just
setting the mount point to the real world value, which is a tmpfs with
64GB assigned.

We also set `deployment.targetHost` to a domain that will
never resolve in the public internet, to make sure nobody applies these
machines by hand. It would have been nice to throw a error whenever
`colmena apply` gets executed for one of these hosts, but doing so would
defeat the purpose of this patch, because the colmena `build` and `apply`
argument both evaluate the exact same code paths and thus colmena
`build` would error again.

The motivation behind this was, so we could run `colmena build` in CI
in the future, and to not scare of new contributors with random build
failures when they first try to build the machines.

The proper solution would be to exclude all the network booted builders
from the regular colmena hive that is exposed to the cli, but this is
too many yaks to shave for now.

flake.nix

@@ -63,6 +63,7 @@
         modules = [
           ./terraform
           {
+            bagel.dnsimple.enable = true;
             bagel.gandi.enable = true;
             bagel.hydra.enable = true;
           }

services/baremetal-builder/default.nix

@@ -135,7 +135,7 @@ in
       { address = "2a01:584:11::1:${toString cfg.num}"; prefixLength = 64; }
     ];
     networking.defaultGateway6 = { interface = "uplink"; address = "2a01:584:11::1"; };
-    deployment.targetHost = "2a01:584:11::1:${toString cfg.num}";
+    deployment.targetHost = lib.mkIf (!cfg.netboot) "2a01:584:11::1:${toString cfg.num}";
     deployment.tags = [ "builders" ];
 
     # Why can't we have nice things? https://bugs.openjdk.org/browse/JDK-8170568

services/baremetal-builder/netboot.nix

@@ -21,13 +21,22 @@ in
       '';
     };
 
+    # machines with the netboot module enabled should only be updated by appliying wob-vpn-gw and rebooting
+    deployment.targetHost = "invalid.example.com";
+    # fixes initrd eval warning, and allows `colmena build` to succed
+    fileSystems."/" = {
+      device = "none";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=64G" "mode=755" ];
+    };
+
     system.build = {
 
       # Build a kernel and initramfs which will download the IPXE script from hydra using
       # u-root pxeboot tool and kexec into the final netbooted system.
       notipxe = import (modulesPath + "/..") {
         system = "x86_64-linux";
-        configuration = 
+        configuration =
           { pkgs, config, ... }:
 
           {
@@ -57,7 +66,7 @@ in
               script = ''
                 ln -sf /dev/console /dev/tty
                 until ${pkgs.iputils}/bin/ping -c 1 hydra.forkos.org; do sleep 1; done
-                ${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe 
+                ${pkgs.u-root}/bin/pxeboot -v -ipv4=false -file https://hydra.forkos.org/job/infra/main/${node.config.networking.hostName}/latest/download-by-type/file/ipxe
               '';
             };
             boot.initrd.systemd.contents."/etc/ssl/certs/ca-certificates.crt".source = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";

terraform/default.nix

@@ -2,6 +2,7 @@
   imports = [
     ./common.nix
     ./gandi.nix
+    ./dnsimple.nix
     ./hydra.nix
     ./state.nix
   ];

terraform/dnsimple.nix

@@ -0,0 +1,49 @@
+{ lib, config, ... }:
+let
+  inherit (lib) mkEnableOption mkIf tf genList;
+  cfg = config.bagel.dnsimple;
+in
+{
+  options.bagel.dnsimple = {
+    enable = mkEnableOption "the DNSimple configuration";
+  };
+
+  config = mkIf cfg.enable {
+    terraform.required_providers.dnsimple = {
+      version = "~> 1.7.0";
+      source = "dnsimple/dnsimple";
+    };
+
+    resource.secret_resource.dnsimple_token.lifecycle.prevent_destroy = true;
+    resource.secret_resource.dnsimple_account.lifecycle.prevent_destroy = true;
+
+    provider.dnsimple = {
+      token = tf.ref "resource.secret_resource.dnsimple_token.value";
+      account = tf.ref "resource.secret_resource.dnsimple_account.value";
+    };
+
+    resource.dnsimple_zone.forkos_org = {
+      name = "forkos.org";
+    };
+
+    resource.dnsimple_zone.fleurixos_org = {
+      name = "fleurixos.org";
+    };
+
+    resource.dnsimple_zone.floral_systems = {
+      name = "floral.systems";
+    };
+
+    resource.dnsimple_zone.flowery_systems = {
+      name = "flowery.systems";
+    };
+
+    resource.dnsimple_zone.petalpkgs_org = {
+      name = "petalpkgs.org";
+    };
+
+    resource.dnsimple_zone.vzfdfp_de = {
+      name = "vzfdfp.de";
+    };
+  };
+}