From 00950aa91dc150e1b91bba1b50ef81616bd822cf Mon Sep 17 00:00:00 2001
From: Florian Klink <flokli@flokli.de>
Date: Sun, 23 Mar 2025 14:42:24 +0000
Subject: [PATCH] fix(ops): add +x for /nix/var/nix/gcroots

Previously, the buildkite users were not able to traverse there.

Removing /nix/var/nix/gcroots/buildkite/canon might not be needed, and
is racy with other anchor step - the first one might still be building
`ci.gcroot` (and didn't create the new symlink), so the second one will
fail trying to remove the non-existing symlink.

Change-Id: I0449447f7193113d807d597750b26c7beb48a3a6
Reviewed-on: https://cl.snix.dev/c/snix/+/30257
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
---
 ops/machines/build01/default.nix | 1 +
 ops/pipelines/depot.nix          | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/ops/machines/build01/default.nix b/ops/machines/build01/default.nix
index 7f13ae67d..151286782 100644
--- a/ops/machines/build01/default.nix
+++ b/ops/machines/build01/default.nix
@@ -93,6 +93,7 @@ in
     };
   systemd.tmpfiles.rules = [
     "d '/nix/var/nix/gcroots/buildkite' 0770 - buildkite-agents - -"
+    "z '/nix/var/nix/gcroots' 0771 - - - -"
   ];
 
   services.openssh.enable = true;
diff --git a/ops/pipelines/depot.nix b/ops/pipelines/depot.nix
index 5737f7357..ce8755bcc 100644
--- a/ops/pipelines/depot.nix
+++ b/ops/pipelines/depot.nix
@@ -25,7 +25,6 @@ let
         label = ":anchor:";
         branches = "refs/heads/canon";
         command = ''
-          rm /nix/var/nix/gcroots/buildkite/canon
           nix-build -A ci.gcroot --out-link /nix/var/nix/gcroots/buildkite/canon
         '';