refactor(flake.nix): Use flake-parts to simplify flake.nix

configuration/hardware-specific/hetzner/vm.nix

@@ -0,0 +1,70 @@
+{ lib, ... }:
+{
+  virtualisation.vmVariant = {
+    users.users.tlater.password = "insecure";
+
+    # Disable graphical tty so -curses works
+    boot.kernelParams = [ "nomodeset" ];
+
+    networking.hostName = lib.mkForce "testvm";
+
+    services = {
+      # Sets the base domain for nginx to a local domain so that we can
+      # easily test locally with the VM.
+      nginx.domain = lib.mkForce "dev.local";
+
+      # Don't run this
+      batteryManager.enable = lib.mkForce false;
+      btrfs.autoScrub.enable = lib.mkForce false;
+
+      openssh.hostKeys = lib.mkForce [
+        {
+          type = "rsa";
+          bits = 4096;
+          path = "/etc/staging.key";
+        }
+      ];
+    };
+
+    # Use the staging secrets
+    sops.defaultSopsFile = lib.mkOverride 99 ../../../keys/staging.yaml;
+
+    systemd.network.networks."10-eth0" = {
+      matchConfig.Name = "eth0";
+      gateway = [ "192.168.9.1" ];
+      networkConfig = {
+        Address = "192.168.9.2/24";
+      };
+    };
+
+    # Both so we have a predictable key for the staging env, as well as
+    # to have a static key for decrypting the sops secrets for the
+    # staging env.
+    environment.etc."staging.key" = {
+      mode = "0400";
+      source = ../../../keys/hosts/staging.key;
+    };
+
+    # Pretend the acme renew succeeds.
+    #
+    # TODO(tlater): Set up pebble to retrieve certs "properly"
+    # instead
+    systemd.services."acme-order-renew-tlater.net".script = ''
+      touch out/acme-success
+    '';
+
+    virtualisation = {
+      memorySize = 3941;
+      cores = 2;
+      graphics = false;
+      diskSize = 1024 * 20;
+
+      qemu = {
+        networkingOptions = lib.mkForce [
+          "-device virtio-net,netdev=n1"
+          "-netdev bridge,id=n1,br=br0,helper=$(which qemu-bridge-helper)"
+        ];
+      };
+    };
+  };
+}