Commit graph

21814 commits

Author SHA1 Message Date
edef
4749964f06 refactor(nix-daemon/framed): simplify partial header read
Rather than having separate branches, just make it part of the state
machine discipline.

Change-Id: Ib21456227515506495ca06ac2a8a529d04f95fde
Reviewed-on: https://cl.snix.dev/c/snix/+/30496
Reviewed-by: Brian Olsen <brian@maven-group.org>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-11 00:31:30 +00:00
edef
d5c5269ca4 tests(nix-daemon/framed): verify waking behaviour
We should never return `Poll::Pending` without having received it from
the underlying reader.

Change-Id: I8c79c0243dc45889c1df478712971ef930e5f3a9
Reviewed-on: https://cl.snix.dev/c/snix/+/30498
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-11 00:31:30 +00:00
Florian Klink
20589ef8cb fix(ops/dns): drop broken checkZone parts, fix validate
There are no .zone files in here (maybe once were, before switching DNS
providers, or this was copy-pasted from elsewhere).

Also, the validate.terraform target was broken, due to a typo, and not
covered in CI, due to being inside another attrset.

There's only a single check left, so just call that one `validate`,
making it consistent with other //ops terraform workspaces, and getting
CI to actually check it.

Change-Id: I022138d4d3c74181a53738cb53a48b7945392345
Reviewed-on: https://cl.snix.dev/c/snix/+/30499
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-10 16:09:02 +00:00
Florian Klink
ec9e7ee73c refactor(ops): make nixos.snix.cache grafana listen on unix socket
Change-Id: Iadd9850faadb3037825c0465b9aed45fa2826583
Reviewed-on: https://cl.snix.dev/c/snix/+/30495
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-09 23:06:14 +00:00
Florian Klink
7c3d029b8e fix(ops/modules/o11y): disable analytics.reporting_enabled
Change-Id: I1138a3cc9a8a107794bf3053fc48e51af2789d9b
Reviewed-on: https://cl.snix.dev/c/snix/+/30494
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-09 23:06:14 +00:00
Florian Klink
6b518f1aed refactor(ops): make status.snix.dev grafana listen on unix socket
Change-Id: Ib3838edf1ee98a8fe1792771f1a948f00e3f466b
Reviewed-on: https://cl.snix.dev/c/snix/+/30493
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-09 23:06:14 +00:00
edef
83c3305863 fix(nix-compat/wire/bytes/reader): handle zero cases
Legitimate zero-length reads could cause spurious unexpected EOF,
since we implicitly assumed buffers always have remaining capacity.

For the buffered case, `consume(0)` could cause panics after either
`poll_fill_buf` or `poll_read` had returned `Poll::Pending`.

The bytes_read/with_limited logic receives a stylistic cleanup to make
it obvious that bytes_read is always written before being used.

Change-Id: I46aa47113309552dcef9532b5d4009d2186db9cd
Reviewed-on: https://cl.snix.dev/c/snix/+/30492
Tested-by: besadii
Reviewed-by: Brian Olsen <brian@maven-group.org>
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-09 22:37:31 +00:00
edef
9a8a9c6b67 fix(nix-daemon): ensure Framed NARs are read exactly
This prevents framing confusion, which would otherwise lead to a
trivial confused deputy attack. See issue #120.

The NixFramedReader state machine has been refactored to simplify
its internal logic and accurately account for EOF conditions.

End-of-stream is fused, and unexpected EOF on the underlying reader
is returned as UnexpectedEof, though we don't fuse those ourselves.

We also ensure that the underlying reader does not swap the ReadBuf;
this would otherwise supply a primitive for converting uninitialised
mutable memory into `&mut [u8]` without initialisation, thus allowing
undefined behaviour to be triggered from safe code.

Change-Id: I05ddb7e3ca57b3363f56c0d9b43d5a641748ca36
Reviewed-on: https://cl.snix.dev/c/snix/+/30380
Reviewed-by: Brian Olsen <brian@maven-group.org>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-09 17:15:28 +00:00
edef
4ef7c50a2d tests(nix-daemon/framed): more thorough, failing tests
This is mostly a WIP commit, to demonstrate bugs properly. See #120.
The tests are marked `#[should_panic]`, since they are intended to fail.

Change-Id: I39f1d66742e6629ccb889da8ef1199117b91b126
Reviewed-on: https://cl.snix.dev/c/snix/+/30490
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-09 17:15:28 +00:00
Florian Klink
02b084ec0b docs(web/docs): collapse some more indexes
There's no reason for these to not be collapsed, like other siblings.

Change-Id: Ifae2abae6733f69da642e2950a8fe5321d7becfa
Reviewed-on: https://cl.snix.dev/c/snix/+/30482
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
2025-05-08 13:57:15 +00:00
Florian Klink
5dbe46eea7 refactor(ops/machines/snix-cache): use new snix.store domain
Provide redirects when the old domain is accessed, which Nix seems to
follow.

We keep the same hostname, so historical node exporter graphs are still
visible.

Change-Id: Icecd7f5324ac25bbfd4c003ca9cc65681114f0b5
Reviewed-on: https://cl.snix.dev/c/snix/+/30484
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-07 21:03:57 +00:00
Florian Klink
7eb15f8123 refactor(eval): make CatchableErrorKind::Throw hold a NixString
The messages we can throw are not necessarily UTF-8 strings. The
to_string() in there did store the result of the Display impl, which is
a quoted string.

Change-Id: I65a77ccc7f2d62ff06a2a9458cdb7e7292f132b0
Reviewed-on: https://cl.snix.dev/c/snix/+/30489
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Bence Nemes <nemes.bence1@gmail.com>
2025-05-07 13:07:18 +00:00
Florian Klink
bbc1efdb0e test(eval): add test for deep force key order
This tests deep forcing happens in lexicographic key order, by comparing
the returned error from the evaluator. It's not possible to observe this
from inside nixlang, which is why we use one_offs.rs here.

Change-Id: I73085addca3a4df20bc23f9fced458758af5b391
Reviewed-on: https://cl.snix.dev/c/snix/+/30488
Reviewed-by: Bence Nemes <nemes.bence1@gmail.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-07 12:34:45 +00:00
Starnick4444
e97cf628a3 refactor(eval): switch NixAttrs implementation to HashMap
Using hashmap seems to give a decent speedup overall.

hello outpath           time:   [528.01 ms 529.17 ms 530.64 ms]
                        change: [-22.932% -22.563% -22.181%] (p = 0.00 < 0.05)
                        Performance has improved.

firefox outpath         time:   [4.7647 s 4.8149 s 4.8917 s]
                        change: [-21.251% -20.408% -18.914%] (p = 0.00 < 0.05)
                        Performance has improved.

But it slows down derivation parsing by about 1-1.5%
Added another attr merge benchmark that helped me while profiling,
not sure if we want to keep that.

Change-Id: Icb9f1e2d40bbb7150af1b8df192bf3c860bae79b
Reviewed-on: https://cl.snix.dev/c/snix/+/30309
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-07 12:08:50 +00:00
Florian Klink
8903fbb975 docs(snix/docs/TODO): drop Store config section
Moved to #138 and #139.

Change-Id: I3ad3dc5ab0c38ba4ed0ac43d5c492f802be61ed8
Reviewed-on: https://cl.snix.dev/c/snix/+/30481
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 17:39:55 +00:00
Florian Klink
d02991b6b2 docs(snix/docs/TODO): drop store composition setting
Combinators are tracked in #135, a followup for `CombinedBlobService` is
tracked in #136.
User-facing composition config is tracked in #137.

Everything else mostly already landed with the rest of the store
composition, so can be dropped.

Change-Id: I3e0aee409f8314b1a0582541fd5f1b8b50405ce5
Reviewed-on: https://cl.snix.dev/c/snix/+/30480
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-05 17:39:55 +00:00
Florian Klink
9bbfbd7df3 docs(snix/docs/TODO): drop Error cleanup TODO
Migrated to #134.

Change-Id: I555219085fea8c192e769cb7b5357321087ffdf7
Reviewed-on: https://cl.snix.dev/c/snix/+/30479
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Tested-by: besadii
2025-05-05 17:39:55 +00:00
Florian Klink
c706826aa9 feat(ops/keycloak): configure Buildkite SAML
This enables logging in to Buildkite with SAML.

Fixes #95.

Change-Id: Ieaa87c660692953305619c2bd8270d2329bd7545
Reviewed-on: https://cl.snix.dev/c/snix/+/30478
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 12:36:30 +00:00
Florian Klink
d9ca20a5cc feat(ops/keycloak): configure Forgejo Roles
There are two Roles for the Forgejo application, "Admin" and
"Contributors".
Everyone gets the "Contributor" role assigned automatically (it doesn't
really give you a ton of privileges).

Regarding mapping Gerrit groups, it seems there's no support for this in
the `gerrit-oauth-provider` plugin (yet) -
see https://github.com/davido/gerrit-oauth-provider/issues/170.

Fixes #73.

Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a
Reviewed-on: https://cl.snix.dev/c/snix/+/30477
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-05 12:36:30 +00:00
Florian Klink
e20ff4cb60 fix(ops/keycloak): fix assigning grafana_roles
keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was
missing. It is configured to make the client roles for this Application
(and only those for this application) available in the grafana_roles
claim.

We can also disable full scope, as we're not interested in other role
mappings.

The Terraform files are a bit reorganized, everything configuring the
Grafana client lives in grafana.tf (and vice-versa for Forgejo,
Buildkite and Gerrit). The only thing left in permissions.tf is global
groups, their memberships and mappings.

Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2
Reviewed-on: https://cl.snix.dev/c/snix/+/30476
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 12:36:30 +00:00
Florian Klink
018f3b38a6 docs(snix/docs/TODO): drop object_store o11y TODO
Migrated to #133.

Change-Id: Ia4e23c082b14268b314fa5bd9cbaab3bae1e7d90
Reviewed-on: https://cl.snix.dev/c/snix/+/30475
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-05 11:56:26 +00:00
Florian Klink
ea90045ddc docs(snix/docs/TODO): drop builder TODOs
A mention of these different builders is included in a footnote
in the documentation, and various issues for the different TODOs were
created:

 - #128 Implement bwrap-based Builder
 - #129 Implement gVisor-based builder
 - #130 Implement Cloud Hypervisor-based builder
 - #131 OCI builder: add preflight checks
 - #132 BuildService: refactor to be more granular

Change-Id: I349b799e233ba8bef39a139cf2453d3214bb69b3
Reviewed-on: https://cl.snix.dev/c/snix/+/30474
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 11:56:26 +00:00
Florian Klink
c1331c3d93 docs(snix/docs/TODO): drop Derivation -> Build section
This was most likely meant to refer to `exportReferencesGraph`, not
`fetchClosure`. `fetchClosure` is not used in nixpkgs - I created #127
still.

Issue #44 is extended to mention `ExportedPathInfo`.

Change-Id: Id898cb381db02c83888dc395cf3ab01ae6baf2aa
Reviewed-on: https://cl.snix.dev/c/snix/+/30473
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-05 11:56:26 +00:00
Florian Klink
0bc0807e24 docs(snix/docs/TODO): drop fetchGit/fetchTree TODO
Migrated to #126.

Change-Id: Iccfc0cbd9bdc08fde337ae097eb7ddb57c67d439
Reviewed-on: https://cl.snix.dev/c/snix/+/30472
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-05 11:56:26 +00:00
Florian Klink
4e62ccd74c docs(snix/docs/TODO): drop Nix Daemon protocol item
This is very generic and not helpful.

Change-Id: Ie851e0e293023ab1794c6815e0a0e188471f509b
Reviewed-on: https://cl.snix.dev/c/snix/+/30471
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-05 11:56:26 +00:00
Florian Klink
6436ed9b0b docs(snix/docs/TODO): drop serde_qs bigtable TODO
This was already migrated to use a BigtableParameters struct, similar to
other backends.

Change-Id: Icc8a4902a6f24ce4a7f965abc800726b09030cb3
Reviewed-on: https://cl.snix.dev/c/snix/+/30470
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-05 11:56:26 +00:00
Florian Klink
01d88ef175 docs(snix/docs/TODO): drop pathinfo sqlite todo
Migrated to #125.

Change-Id: Ib08c064cfe2843ae9b1e746e46688edb7584c84a
Reviewed-on: https://cl.snix.dev/c/snix/+/30469
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 11:56:26 +00:00
Florian Klink
bee96eef14 docs(snix/docs/TODO): drop rnix non-UTF8 todo
Tracked in https://git.snix.dev/snix/snix/issues/124 and
https://github.com/nix-community/rnix-parser/issues/173.

Change-Id: I5431fda1eae574d45bf6bda5d94269ba6e7fb6ba
Reviewed-on: https://cl.snix.dev/c/snix/+/30468
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 11:56:26 +00:00
Florian Klink
81c8260afd docs(snix/docs/TODO): drop remaining perf items
This was migrated to #122 and #123.

Change-Id: I5196a12530fe420c7682312774e14807df688928
Reviewed-on: https://cl.snix.dev/c/snix/+/30467
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 11:56:26 +00:00
Florian Klink
e5c4fb6cb8 docs(snix/docs/TODO): fix heading levels
These don't make sense without a parent, move these one level up.

Change-Id: I492e43da1d1a429e7c46b65b0c676d5d8c54fdf6
Reviewed-on: https://cl.snix.dev/c/snix/+/30466
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-05 11:56:26 +00:00
Florian Klink
dfffd5c295 docs(snix/docs/TODO): remove Nix Language test suite item
This has been migrated to #64 a while ago.

Change-Id: Iec15043650284ac7c2cb62863028f360675bdc82
Reviewed-on: https://cl.snix.dev/c/snix/+/30465
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 11:56:26 +00:00
Florian Klink
3dc13fbae9 docs(snix/docs/TODO): clarify status of this document
This is slowly being plucked apart and migrated to more suitable places.

Change-Id: Ib4f4e76601a657cfef85dc759f8ec9bde4eadb86
Reviewed-on: https://cl.snix.dev/c/snix/+/30464
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 11:56:26 +00:00
Vova Kryachko
4b46d93bd3 chore(gerrit): Disable code-owners on meta/config branch.
Change-Id: I6c56b9c87892e7ff4a1afa7e0cf8e91b2c9c0e8f
Reviewed-on: https://cl.snix.dev/c/snix/+/30451
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: Vova Kryachko <v.kryachko@gmail.com>
Tested-by: besadii
2025-05-04 17:42:24 +00:00
Florian Klink
bce2caaabe docs(web/guides/local-overlay): use context=caution for callouts
This makes them yellow, with a triangle, and a "Caution" title, which is
more appropriate for these warnings.

Change-Id: I2a99db30427bfd6003766214026c9be66acf8a0e
Reviewed-on: https://cl.snix.dev/c/snix/+/30450
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Tested-by: besadii
2025-05-04 17:27:22 +00:00
Florian Klink
8b04f098da docs(web): replace console with bash
This gives us a cute "Terminal Window Look" for these code blocks.

Change-Id: I87fbb739917cef692c692585e7ff569d3da66435
Reviewed-on: https://cl.snix.dev/c/snix/+/30449
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-04 17:26:22 +00:00
Florian Klink
21628f7ad4 docs(web): migrate language-spec,lang-version,value-pointer-equality
Change-Id: I2008d4d5d92dc02f3955828ba93f748282948f07
Reviewed-on: https://cl.snix.dev/c/snix/+/30447
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Tested-by: besadii
2025-05-04 17:26:22 +00:00
Florian Klink
52e7b5b485 refactor(snix/build): drop build_request from Build{Result,Response}
Back when initially working on this, having all info about the Build in
one struct seemed a good idea for some future CI interface, but right
now this simply raises more questions and is quite theoretic.

Let's drop it for now, we can reintroduce it, or other request methods
when we get to it.

Change-Id: I105a8d5ae8bd7e0d5f8ee3e7edf2597100b43119
Reviewed-on: https://cl.snix.dev/c/snix/+/30425
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
2025-05-04 16:12:45 +00:00
Florian Klink
2308cb188f docs(web): some fixes
The last example is TOML too, and flipping the order of footnotes and
expanded link URLs (or however that's called) fixes them.

Change-Id: Ia8f1dc72e2622f41b18fb4746966e667d9882456
Reviewed-on: https://cl.snix.dev/c/snix/+/30446
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
2025-05-04 16:09:44 +00:00
Florian Klink
dd3b447428 docs(web): import store configuration/composition document
Put it in Guides, as it provides some examples at the end as well.

Change-Id: Ic5cd78bcda09c3bb82eeaa88ff0c959c4c876bd7
Reviewed-on: https://cl.snix.dev/c/snix/+/30445
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Yureka <snix@yuka.dev>
Tested-by: besadii
2025-05-04 15:24:10 +00:00
Florian Klink
7b329b402c feat(ops/modules/monorepo-gerrit): replicate refs/meta/config
This makes it possible to fetch refs/meta/config from the forgejo
endpoint too. It was possible to fetch it from Gerrit directly before,
so this isn't more or less private than before.

Forgejo doesn't seem to provide an endpoint to link to refs/meta/config,
but it's perfectly fine to view the tree for a given commit from there:

dd5ed6266a

Change-Id: I9bbfb8c5994118e6a205e84d5584cc82a560cc23
Reviewed-on: https://cl.snix.dev/c/snix/+/30444
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-04 15:06:38 +00:00
Florian Klink
dc6af0823c refactor(ops/modules/monorepo-gerrit): stop pushing r/ refs
We stopped using them a while ago, no need to replicate.

Change-Id: I584a584b401ed357eba6d8f2349d2be40684765e
Reviewed-on: https://cl.snix.dev/c/snix/+/30443
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-04 15:06:07 +00:00
Starnick4444
1a84bc0e62 chore(glue): upgrade to 2024 edition
Part of #114
cargo fix wanted to rewrite `if let else` to match statements, but I
reverted them as they don't belong in this CL.
There weren't any warnings about locks (relative drop order changed in
2024)

Change-Id: I9c851ef8e214a481cbe7b4cf9b2634b5d56970d4
Reviewed-on: https://cl.snix.dev/c/snix/+/30369
Autosubmit: Bence Nemes <nemes.bence1@gmail.com>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-04 14:30:34 +00:00
Starnick4444
916988a7a2 chore(castore-http): upgrade to 2024 edition
Part of #114

Change-Id: I083ad939c836736b44b36c38e16a04cbaabe9442
Reviewed-on: https://cl.snix.dev/c/snix/+/30377
Autosubmit: Bence Nemes <nemes.bence1@gmail.com>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-04 14:30:03 +00:00
Florian Klink
b04011dd53 feat(ops/keycloak): use preferred_username claim from Bornhack IdP
Since https://github.com/bornhack/bornhack-website/pull/1838, users can
set their preferred username there, so it can be correctly propagated
to Keycloak.

Change-Id: If492d4b92b420c07b9e1450883ccb30a18802a42
Reviewed-on: https://cl.snix.dev/c/snix/+/30424
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-04 13:32:57 +00:00
Florian Klink
759f15390c feat(nix-compat/nar): add copy functions
This allows piping NAR data through a reader, and writing it back out to
a writer.

It can be used to validate a NAR to be syntactically correct, or to read
exactly to the end of a NAR file if the size is not given externally.

Change-Id: I0fc8d58e68783400d1cfee75c860138915974f3d
Reviewed-on: https://cl.snix.dev/c/snix/+/30423
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-04 11:55:49 +00:00
Florian Klink
9caaa09765 refactor(snix/build): use stronger typed BuildResult type
This changes the BuildService trait to return a typed `BuildResult`,
which bundles the refscan info alongside the castore nodes.

The proto type is renamed to BuildResponse, to better map to gRPC
semantics.

In proto land, we don't send the name for outputs anymore, be it the
full path or the last component, as there's never been a guarantee this
is a valid PathComponent. That entry is now required to be anonymous.
The path of an output can be retrieved by looking at the original
BuildRequest.

Change-Id: If5ce3a009cd3dd6bb6505cd51d5f4deda261ea85
Reviewed-on: https://cl.snix.dev/c/snix/+/30387
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
2025-05-04 01:38:29 +00:00
Florian Klink
48807c90ec fix(ops/gerrit-tvl): query buildkite-status endpoint and re-enable
This points our own gerrit check to the deployed buildkite-api-proxy,
updates the URL and stops sending an outdated token.

Fixes #118.

Change-Id: Ic7ace4d67a6bd05c408ac14fe988ae3fe829a49b
Reviewed-on: https://cl.snix.dev/c/snix/+/30406
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: edef <edef@edef.eu>
2025-05-03 22:49:43 +00:00
Florian Klink
c709d2a5d3 feat(ops/www/cl.snix.dev): deploy buildkite-api-proxy
This deploys buildkite-api-proxy at cl.snix.dev/buildkite-status/.

Part of #118.

Change-Id: Iae927b11acc2163e6edc4ba6e91194e8fa884b0d
Reviewed-on: https://cl.snix.dev/c/snix/+/30405
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-03 22:37:12 +00:00
Florian Klink
d85b322c55 feat(ops/gerrit01): provide buildkite-api-proxy-token.age
This is a read-only Buildkite token, it was generated and installed by
flokli@ and has read_builds, read_build_logs, and read_pipelines
permissions.

Part of #118.

Change-Id: I0bbfbab9ad1152ff8e781b7380f44d3cd7245bab
Reviewed-on: https://cl.snix.dev/c/snix/+/30404
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
2025-05-03 22:36:42 +00:00
Florian Klink
54c313c9b2 feat(ops/buildkite-api-proxy): init
This provides a very simple http server, receiving a git sha1 and
querying the buildkite api for the status - the same that's previously
done by the frontend, but now without exposing the (read-only) token
to users.

We can add caching / rate-limiting if the need arises, for now we
just propagate the `cache-control` headers (which seem to be set at
"cache-control: max-age=0, private, must-revalidate" currently anyways)

Part of #118.

Change-Id: I8989a74cb2b278139d988089ff8d6e59e00969e4
Reviewed-on: https://cl.snix.dev/c/snix/+/30403
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-03 22:36:42 +00:00