Commit graph

21839 commits

Florian Klink
6022fb3cc2 refactor(nix-compat/nixhash): drop impl TryFrom<(HashAlgo, &[u8])> for NixHash
This is not used anywhere, and a bit surprising. Consumers can just use
from_algo_and_digest.

Change-Id: Id4fca98568b1967899fb7428e6767aa993e70c96
Reviewed-on: https://cl.snix.dev/c/snix/+/30550
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
2025-06-03 20:22:23 +00:00
Florian Klink
2a01c40e77 fix(nix-compat/nixhash): fix from_nix_nixbase32_str fn name
This was decoding nixbase32, not hex. Its only consumer (in ca_hash.rs)
was right in its docstring about how it behaves, only was calling the
wrongly-named function.

Change-Id: I97ea273706ba818d16a61b1574989db800f78ead
Reviewed-on: https://cl.snix.dev/c/snix/+/30553
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-06-03 20:22:23 +00:00
Florian Klink
80b5206034 refactor(castore/fs): use streams for dir handles
This changes RootNodes::list to return a BoxStream<'static, _>, and then
drops all the mpsc sender / receiver complexity we were having.

There's also no need to worry about channel buffer sizes - all current
RootNodes implementations are immediately ready to yield new elements in
the stream. Assuming there's new implementations that do take some time,
we can deal with buffer sizes on the producer side, which might know its
own batch sizes better.

RootNodes now doesn't need to implement Clone/Send anymore, and can have
non-static lifetimes. As long as its list method returns a
BoxStream<'static>, we're fine with all that.

On a first look, this seems like we now need to do more cloning upfront
for the BTreeMap and Directory RootNodes impls. However, we already
had to clone the entire thing at `self.root_nodes_provider.clone()`, and
then did it again for each element.

Now we get an owned version of the data whenever a list() call happens,
and then just move owned things around.

Change-Id: I85fbca0e1171014ae85eeb03b3d58e6176ef4e2d
Reviewed-on: https://cl.snix.dev/c/snix/+/30549
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Tested-by: besadii
2025-06-02 22:19:24 +00:00
Florian Klink
0f9c5f0354 refactor(glue/snix_store_io): add node_get_type helper
There's multiple places where we peek at the node to construct a
FileType, so move this into a helper.

Also, get rid of a async move which didn't move, and use .ok_or_else to
make things a bit more readable.

Change-Id: I2d24a3291029fdc12e0049398d8d51111e22d3cf
Reviewed-on: https://cl.snix.dev/c/snix/+/30548
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Tested-by: besadii
2025-06-02 22:13:23 +00:00
Florian Klink
59aeeb6fe4 refactor(castore/fs): stop using async move
We don't move anything here.

Change-Id: Ia9f345adf86be3c3f64fef0e6aca067ecbf7cf5d
Reviewed-on: https://cl.snix.dev/c/snix/+/30547
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-06-02 22:08:23 +00:00
Florian Klink
33a02267c2 refactor(castore): drop Clone + Send + Sync requirements on BS, DS
We can now use async closures for this.

Change-Id: Iccbe86998726be139e81749745c37eb9f475693c
Reviewed-on: https://cl.snix.dev/c/snix/+/30546
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Connor Brewster <cbrewster@hey.com>
2025-06-02 21:57:51 +00:00
Florian Klink
97f215aef2 feat(nix-compat/nixhash): add NixHash::to_sri_string
As can be seen in https://github.com/andir/npins/pull/139/files#diff-ec60332b9e2ccfe20e64db6d804f37fe4c652ae58c0679a13e30548cecf1c32fR12,
it makes sense to have this as a function for external consumers.

This is already also exposed in the Display impl, but it's better to
have an explicit function.

Change-Id: I1e16d8bd64502802a9642a2f08ddeb5cbbceacae
Reviewed-on: https://cl.snix.dev/c/snix/+/30545
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-06-02 11:55:53 +00:00
Florian Klink
5b41ae66eb chore(3p/chicago95): remove
This caused spurious fetching errors, and isn't used anywhere. Drop.

Change-Id: I338217b96d95e19084e7cba38270dd35f19c2b29
Reviewed-on: https://cl.snix.dev/c/snix/+/30543
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-28 15:21:06 +00:00
Florian Klink
80f5b5c44e docs(glue/snix_build): document why /nix/store is scratch
Even without nix/store in here, all output paths need to be writable.

Change-Id: Ibeeba503844dee78de11fd2aa79b3ad207795059
Reviewed-on: https://cl.snix.dev/c/snix/+/30542
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
2025-05-28 15:13:05 +00:00
Florian Klink
688973ad78 fix(glue/builtins/derivation): fix comment
The magic builder string is called "builtin:fetchurl", not
"builtins:fetchurl"

Change-Id: I0527aa9ba293807c0da7e67c8d7e9d441de81623
Reviewed-on: https://cl.snix.dev/c/snix/+/30541
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-28 15:13:05 +00:00
Vova Kryachko
2bbd06753b feat(snix-glue): Correctly propagate output placeholders into the build.
Nix's `builtin.placeholder` function produces output paths that are not
known ahead of time, so before propagating these values into the build
we need to replace them in all env variables and arguments to their
corresponding output store paths.

fix #101

Change-Id: I2670c749f2c578e276d698e511598a76a99ebb96
Reviewed-on: https://cl.snix.dev/c/snix/+/30310
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: Vova Kryachko <v.kryachko@gmail.com>
2025-05-18 14:30:35 +00:00
Florian Klink
8bb8400304 chore(3p/nixpkgs): bump channels (2025-05-13)
Change-Id: I4a212e710957621c09e7aa7ee1e40bea7a7bf633
Reviewed-on: https://cl.snix.dev/c/snix/+/30536
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 21:29:29 +00:00
Florian Klink
f20ab5c9af chore(3p): cleanup unused napalm dep
This isn't referenced anywhere.

Change-Id: Iffb5631073bd181dc1adc1e732ba86f2efea5b9d
Reviewed-on: https://cl.snix.dev/c/snix/+/30535
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 21:29:29 +00:00
Florian Klink
32cafdc570 feat(ops/modules/monorepo-gerrit): enable webhooks plugin
Fixes: https://git.snix.dev/snix/snix/issues/74
Change-Id: If4ca98cc1886f5e0a26dcc1ebeef4758054d3811
Reviewed-on: https://cl.snix.dev/c/snix/+/30529
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 09:23:58 +00:00
Florian Klink
6f3699664a feat(ops/machines/gerrit01): deploy gerrit-webhook-to-irccat
And allow gerrit01 to send these hooks over to irccat running on meta01.

Issue: https://git.snix.dev/snix/snix/issues/74
Change-Id: Ic5835734b32e8e5a46225e68d4124d55c002d663
Reviewed-on: https://cl.snix.dev/c/snix/+/30527
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 09:23:28 +00:00
Florian Klink
064765b19a feat(ops/gerrit-webhook-to-irccat): init
This is a listener for gerrit events, sent by their "webhooks" plugin,
as well as a NixOS module to deploy it.

Issue: https://git.snix.dev/snix/snix/issues/74
Change-Id: I65c5c5a991e6b1f4f330b3439c8a25aec3f1b484
Reviewed-on: https://cl.snix.dev/c/snix/+/30526
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-16 09:22:58 +00:00
Florian Klink
af4e1303b0 fix(ops/modules/monorepo-gerrit): fix outdated comment
cl/30249 changed this to Postmark, and it was unconfigured before.

Change-Id: I89eb49dbb8a3cb81135ae01c98379151e32ecd7c
Reviewed-on: https://cl.snix.dev/c/snix/+/30528
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-16 09:22:07 +00:00
Florian Klink
0bcae4c083 fix(ops): drop clbot
This removes the old clbot, which kept an SSH connection to gerrit open.

Change-Id: If8faecdd018b45dd087b7332fe3d3a8280947358
Reviewed-on: https://cl.snix.dev/c/snix/+/30525
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 09:22:00 +00:00
Florian Klink
8035195939 chore(3p/nix-gerrit): bump
Change-Id: I839d006e85726bffe62d59fdef1765cadffe63ce
Reviewed-on: https://cl.snix.dev/c/snix/+/30524
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
2025-05-16 09:15:26 +00:00
Florian Klink
6666d38584 fix(ops/meta01): fix http listener port, restrict tcp
The config seems a bit underdocumented, but this is what gets it to
listen on 4722 for http.

While we have firewall rules in place, we don't want this to listen on
*:$randomPort for tcp, but just have it disabled.

This doesn't seem to be possible right now, due to a bug in viper, but
we can at least restrict it to listen to localhost only for TCP.

Change-Id: I94d379b8820fd32dc1d75082d3a7fb078f93e4ec
Reviewed-on: https://cl.snix.dev/c/snix/+/30523
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 09:15:26 +00:00
Florian Klink
c9a77e5b58 feat(ops/meta01): deploy irccat
This deploys irccat, connected to the #snix channel.

We drop the custom irccat third_party, it's 2 years older than the
latest version in nixpkgs.

The irccat.nix module file contains some of the code present in the TVL
version, it however moves the secrets merging to ExecStartPre=,
given https://github.com/systemd/systemd/issues/19604#issuecomment-989279884
has been fixed for almost a year.

Contrary to the setup there, we don't let irccat connect to ZNC, but
hackint directly (so make use of the secrets logic).

We also drop the network-online.target, and make this overall more
tolerant by using Restart=on-failure.

Change-Id: Ieac3b744b7ea58b8dddf1cdc37a8bc057b205b1b
Reviewed-on: https://cl.snix.dev/c/snix/+/30504
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
2025-05-15 14:31:42 +00:00
Raito Bezarius
5d16817f80 fix(machines/build01): move back to stc-ng
In some distant past, stc-ng had some clear troubles while deploying the
machine when we were bootstrapping infra.

This was fixed by rolling back to the old stc. Having retried right now,
stc-ng seems to transition the new system correctly, so let's switch to
it for the time being.

Change-Id: I99f92618841b49357a28212955b62bf5e495e761
Signed-off-by: Raito Bezarius <raito@lix.systems>
Reviewed-on: https://cl.snix.dev/c/snix/+/30503
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-15 14:19:01 +00:00
Florian Klink
e285cbe8cf feat(fun/solves-this): add, deploy to public01
This builds the important website for both snix.systems and its
predecessor, tvix.systems.

Change-Id: I4cce5595098c804bd4df0cc2ae3c05344138e7b1
Reviewed-on: https://cl.snix.dev/c/snix/+/30502
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
2025-05-12 14:40:17 +00:00
Florian Klink
a11099fd1c feat(ops/dns): manage snix.{store,systems} in DO
Also include tvix.{store,systems}, they might still be used in some
places.

Change-Id: I90085d7488f94c8764e61e3d99d8f03459c6f9f0
Reviewed-on: https://cl.snix.dev/c/snix/+/30501
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-12 14:39:47 +00:00
Vova Kryachko
bb8c4e5c0d fix(glue): Set BUILD_TOP correctly as per nix behavior.
This change makes BUILD_TOP point to /build, which is what nix does.

Change-Id: I4ffef67aff0665d13859378a86329291a53d4ea0
Reviewed-on: https://cl.snix.dev/c/snix/+/30500
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: Vova Kryachko <v.kryachko@gmail.com>
Tested-by: besadii
2025-05-12 00:09:06 +00:00
edef
4749964f06 refactor(nix-daemon/framed): simplify partial header read
Rather than having separate branches, just make it part of the state
machine discipline.

Change-Id: Ib21456227515506495ca06ac2a8a529d04f95fde
Reviewed-on: https://cl.snix.dev/c/snix/+/30496
Reviewed-by: Brian Olsen <brian@maven-group.org>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-11 00:31:30 +00:00
edef
d5c5269ca4 tests(nix-daemon/framed): verify waking behaviour
We should never return `Poll::Pending` without having received it from
the underlying reader.

Change-Id: I8c79c0243dc45889c1df478712971ef930e5f3a9
Reviewed-on: https://cl.snix.dev/c/snix/+/30498
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-11 00:31:30 +00:00
Florian Klink
20589ef8cb fix(ops/dns): drop broken checkZone parts, fix validate
There are no .zone files in here (maybe once were, before switching DNS
providers, or this was copy-pasted from elsewhere).

Also, the validate.terraform target was broken, due to a typo, and not
covered in CI, due to being inside another attrset.

There's only a single check left, so just call that one `validate`,
making it consistent with other //ops terraform workspaces, and getting
CI to actually check it.

Change-Id: I022138d4d3c74181a53738cb53a48b7945392345
Reviewed-on: https://cl.snix.dev/c/snix/+/30499
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-10 16:09:02 +00:00
Florian Klink
ec9e7ee73c refactor(ops): make nixos.snix.cache grafana listen on unix socket
Change-Id: Iadd9850faadb3037825c0465b9aed45fa2826583
Reviewed-on: https://cl.snix.dev/c/snix/+/30495
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-09 23:06:14 +00:00
Florian Klink
7c3d029b8e fix(ops/modules/o11y): disable analytics.reporting_enabled
Change-Id: I1138a3cc9a8a107794bf3053fc48e51af2789d9b
Reviewed-on: https://cl.snix.dev/c/snix/+/30494
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-09 23:06:14 +00:00
Florian Klink
6b518f1aed refactor(ops): make status.snix.dev grafana listen on unix socket
Change-Id: Ib3838edf1ee98a8fe1792771f1a948f00e3f466b
Reviewed-on: https://cl.snix.dev/c/snix/+/30493
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-09 23:06:14 +00:00
edef
83c3305863 fix(nix-compat/wire/bytes/reader): handle zero cases
Legitimate zero-length reads could cause spurious unexpected EOF,
since we implicitly assumed buffers always have remaining capacity.

For the buffered case, `consume(0)` could cause panics after either
`poll_fill_buf` or `poll_read` had returned `Poll::Pending`.

The bytes_read/with_limited logic receives a stylistic cleanup to make
it obvious that bytes_read is always written before being used.

Change-Id: I46aa47113309552dcef9532b5d4009d2186db9cd
Reviewed-on: https://cl.snix.dev/c/snix/+/30492
Tested-by: besadii
Reviewed-by: Brian Olsen <brian@maven-group.org>
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-09 22:37:31 +00:00
edef
9a8a9c6b67 fix(nix-daemon): ensure Framed NARs are read exactly
This prevents framing confusion, which would otherwise lead to a
trivial confused deputy attack. See issue #120.

The NixFramedReader state machine has been refactored to simplify
its internal logic and accurately account for EOF conditions.

End-of-stream is fused, and unexpected EOF on the underlying reader
is returned as UnexpectedEof, though we don't fuse those ourselves.

We also ensure that the underlying reader does not swap the ReadBuf;
this would otherwise supply a primitive for converting uninitialised
mutable memory into `&mut [u8]` without initialisation, thus allowing
undefined behaviour to be triggered from safe code.

Change-Id: I05ddb7e3ca57b3363f56c0d9b43d5a641748ca36
Reviewed-on: https://cl.snix.dev/c/snix/+/30380
Reviewed-by: Brian Olsen <brian@maven-group.org>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-09 17:15:28 +00:00
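The two reader fixes above (83c3305863: zero-length reads must not look like EOF; 9a8a9c6b67: a framed stream must be consumed exactly, with end-of-stream fused and truncation reported as UnexpectedEof) share one failure mode, so here is one worked example covering both. It is an added illustration, not snix code: a synchronous `std::io::Read` model rather than the project's async `NixFramedReader`. The wire format is an assumption modelled on the Nix daemon's framed source/sink (chunks prefixed by a little-endian u64 length, terminated by a zero-length chunk); the sample stream, the opcode 42 and the deliberately short-reading `read_first_chunk_then_op` consumer are constructed for the demonstration.

```rust
use std::io::{self, Read};

/// Reader for a length-prefixed "framed" byte stream (added example).
///
/// Assumed format: chunks, each prefixed by its length as a little-endian
/// u64, terminated by a chunk of length zero. Everything after the
/// terminator belongs to the next protocol message, so the frame has to be
/// consumed exactly; stopping early leaves frame bytes to be parsed as
/// protocol data (framing confusion).
pub struct FramedReader<R: Read> {
    inner: R,
    /// Bytes still to be delivered from the current chunk.
    remaining: u64,
    /// Set once the zero-length terminator has been read; further reads
    /// return Ok(0) without touching `inner` (fused end-of-stream).
    finished: bool,
}

impl<R: Read> FramedReader<R> {
    pub fn new(inner: R) -> Self {
        FramedReader { inner, remaining: 0, finished: false }
    }

    /// Read the next chunk header. A short header is an error, never a
    /// silent end-of-stream.
    fn read_header(&mut self) -> io::Result<()> {
        let mut hdr = [0u8; 8];
        self.inner.read_exact(&mut hdr)?; // ErrorKind::UnexpectedEof if short
        self.remaining = u64::from_le_bytes(hdr);
        if self.remaining == 0 {
            self.finished = true;
        }
        Ok(())
    }

    /// Drain the rest of the frame, terminator included, and hand back the
    /// underlying reader positioned at the next message.
    pub fn into_inner(mut self) -> io::Result<R> {
        io::copy(&mut self, &mut io::sink())?;
        Ok(self.inner)
    }
}

impl<R: Read> Read for FramedReader<R> {
    fn read(&mut self, out: &mut [u8]) -> io::Result<usize> {
        // A zero-length read is not EOF and must not advance any state.
        if out.is_empty() {
            return Ok(0);
        }
        loop {
            if self.finished {
                return Ok(0);
            }
            if self.remaining == 0 {
                self.read_header()?;
                continue;
            }
            let want = out.len().min(self.remaining.min(usize::MAX as u64) as usize);
            let n = self.inner.read(&mut out[..want])?;
            if n == 0 {
                // The underlying reader ended in the middle of a chunk.
                return Err(io::Error::new(
                    io::ErrorKind::UnexpectedEof,
                    "stream ended inside a frame chunk",
                ));
            }
            self.remaining -= n as u64;
            return Ok(n);
        }
    }
}

/// Encode `chunks` as a framed stream (constructed test helper).
pub fn frame(chunks: &[&[u8]]) -> Vec<u8> {
    let mut v = Vec::new();
    for c in chunks {
        v.extend_from_slice(&(c.len() as u64).to_le_bytes());
        v.extend_from_slice(c);
    }
    v.extend_from_slice(&0u64.to_le_bytes());
    v
}

/// Correct consumer: read the whole frame, then the u64 opcode that follows.
pub fn read_frame_then_op(stream: &[u8]) -> io::Result<(Vec<u8>, u64)> {
    let mut framed = FramedReader::new(stream);
    let mut payload = Vec::new();
    framed.read_to_end(&mut payload)?;
    let mut rest = framed.into_inner()?;
    let mut op = [0u8; 8];
    rest.read_exact(&mut op)?;
    Ok((payload, u64::from_le_bytes(op)))
}

/// Buggy consumer, for contrast: takes the first chunk as the payload and
/// reads the "opcode" from the next 8 bytes, which are really the second
/// chunk's length header. Frame contents now steer the protocol.
pub fn read_first_chunk_then_op(stream: &[u8]) -> io::Result<(Vec<u8>, u64)> {
    let mut cur = stream;
    let mut hdr = [0u8; 8];
    cur.read_exact(&mut hdr)?;
    let mut payload = vec![0u8; u64::from_le_bytes(hdr) as usize];
    cur.read_exact(&mut payload)?;
    cur.read_exact(&mut hdr)?;
    Ok((payload, u64::from_le_bytes(hdr)))
}

fn main() -> io::Result<()> {
    // Constructed stream: a two-chunk frame followed by a made-up opcode 42.
    let mut stream = frame(&[&b"NAR-bytes-1"[..], &b"NAR-bytes-2"[..]]);
    stream.extend_from_slice(&42u64.to_le_bytes());

    let (payload, op) = read_frame_then_op(&stream)?;
    println!("exact read: {} payload bytes, next op = {}", payload.len(), op);

    let (_, bogus) = read_first_chunk_then_op(&stream)?;
    println!("short read: next op = {} (second chunk's length header)", bogus);

    // Truncated frame: opcode and terminator missing, must be an error.
    let cut = &stream[..stream.len() - 16];
    println!("truncated: {:?}", read_frame_then_op(cut).unwrap_err().kind());
    Ok(())
}
```

The three properties to keep in mind when reviewing any such reader: a zero-length `read` returns `Ok(0)` without consuming anything, the terminator is consumed exactly once and the reader stays at EOF afterwards, and a stream that ends inside a chunk or inside a header surfaces as `UnexpectedEof` rather than as a clean end.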
edef
4ef7c50a2d tests(nix-daemon/framed): more thorough, failing tests
This is mostly a WIP commit, to demonstrate bugs properly. See #120.
The tests are marked `#[should_panic]`, since they are intended to fail.

Change-Id: I39f1d66742e6629ccb889da8ef1199117b91b126
Reviewed-on: https://cl.snix.dev/c/snix/+/30490
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-09 17:15:28 +00:00
Florian Klink
02b084ec0b docs(web/docs): collapse some more indexes
There's no reason for these to not be collapsed, like other siblings.

Change-Id: Ifae2abae6733f69da642e2950a8fe5321d7becfa
Reviewed-on: https://cl.snix.dev/c/snix/+/30482
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
2025-05-08 13:57:15 +00:00
Florian Klink
5dbe46eea7 refactor(ops/machines/snix-cache): use new snix.store domain
Provide redirects when the old domain is accessed, which Nix seems to
follow.

We keep the same hostname, so historical node exporter graphs are still
visible.

Change-Id: Icecd7f5324ac25bbfd4c003ca9cc65681114f0b5
Reviewed-on: https://cl.snix.dev/c/snix/+/30484
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-07 21:03:57 +00:00
Florian Klink
7eb15f8123 refactor(eval): make CatchableErrorKind::Throw hold a NixString
The messages we can throw are not necessarily UTF-8 strings. The
to_string() in there did store the result of the Display impl, which is
a quoted string.

Change-Id: I65a77ccc7f2d62ff06a2a9458cdb7e7292f132b0
Reviewed-on: https://cl.snix.dev/c/snix/+/30489
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Bence Nemes <nemes.bence1@gmail.com>
2025-05-07 13:07:18 +00:00
Florian Klink
bbc1efdb0e test(eval): add test for deep force key order
This tests deep forcing happens in lexicographic key order, by comparing
the returned error from the evaluator. It's not possible to observe this
from inside nixlang, which is why we use one_offs.rs here.

Change-Id: I73085addca3a4df20bc23f9fced458758af5b391
Reviewed-on: https://cl.snix.dev/c/snix/+/30488
Reviewed-by: Bence Nemes <nemes.bence1@gmail.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-07 12:34:45 +00:00
Starnick4444
e97cf628a3 refactor(eval): switch NixAttrs implementation to HashMap
Using hashmap seems to give a decent speedup overall.

hello outpath           time:   [528.01 ms 529.17 ms 530.64 ms]
                        change: [-22.932% -22.563% -22.181%] (p = 0.00 < 0.05)
                        Performance has improved.

firefox outpath         time:   [4.7647 s 4.8149 s 4.8917 s]
                        change: [-21.251% -20.408% -18.914%] (p = 0.00 < 0.05)
                        Performance has improved.

But it slows down derivation parsing by about 1-1.5%
Added another attr merge benchmark that helped me while profiling,
not sure if we want to keep that.

Change-Id: Icb9f1e2d40bbb7150af1b8df192bf3c860bae79b
Reviewed-on: https://cl.snix.dev/c/snix/+/30309
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-07 12:08:50 +00:00
Florian Klink
8903fbb975 docs(snix/docs/TODO): drop Store config section
moved to #138 and #139.

Change-Id: I3ad3dc5ab0c38ba4ed0ac43d5c492f802be61ed8
Reviewed-on: https://cl.snix.dev/c/snix/+/30481
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 17:39:55 +00:00
Florian Klink
d02991b6b2 docs(snix/docs/TODO): drop store composition setting
Combinators are tracked in #135, a followup for `CombinedBlobService` is
tracked in #136.
User-facing composition config is tracked in #137.

Everything else mostly already landed with the rest of the store
composition, so can be dropped.

Change-Id: I3e0aee409f8314b1a0582541fd5f1b8b50405ce5
Reviewed-on: https://cl.snix.dev/c/snix/+/30480
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-05 17:39:55 +00:00
Florian Klink
9bbfbd7df3 docs(snix/docs/TODO): drop Error cleanup TODO
Migrated to #134.

Change-Id: I555219085fea8c192e769cb7b5357321087ffdf7
Reviewed-on: https://cl.snix.dev/c/snix/+/30479
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Tested-by: besadii
2025-05-05 17:39:55 +00:00
Florian Klink
c706826aa9 feat(ops/keycloak): configure Buildkite SAML
This enables logging in to Buildkite with SAML.

Fixes #95.

Change-Id: Ieaa87c660692953305619c2bd8270d2329bd7545
Reviewed-on: https://cl.snix.dev/c/snix/+/30478
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 12:36:30 +00:00
Florian Klink
d9ca20a5cc feat(ops/keycloak): configure Forgejo Roles
There's two Roles for the Forgejo application, "Admin" and
"Contributors".
Everyone gets the "Contributor" role assigned automatically (it doesn't
really give you a ton of privileges).

Regarding mapping Gerrit groups, it seems there's no support for this in
the `gerrit-oauth-provider` plugin (yet) -
see https://github.com/davido/gerrit-oauth-provider/issues/170.

Fixes #73.

Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a
Reviewed-on: https://cl.snix.dev/c/snix/+/30477
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-05 12:36:30 +00:00
Florian Klink
e20ff4cb60 fix(ops/keycloak): fix assigning grafana_roles
keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was
missing. It is configured to make the client roles for this Application
(and only those for this application) available in the grafana_roles
claim.

We can also disable full scope, as we're not interested in other role
mappings.

The Terraform files are a bit reorganized, everything configuring the
Grafana client lives in grafana.tf (and vice-versa for Forgejo,
Buildkite and Gerrit). The only thing left in permissions.tf is global
groups, their memberships and mappings.

Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2
Reviewed-on: https://cl.snix.dev/c/snix/+/30476
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 12:36:30 +00:00
Florian Klink
018f3b38a6 docs(snix/docs/TODO): drop object_store o11y TODO
Migrated to #133.

Change-Id: Ia4e23c082b14268b314fa5bd9cbaab3bae1e7d90
Reviewed-on: https://cl.snix.dev/c/snix/+/30475
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-05 11:56:26 +00:00
Florian Klink
ea90045ddc docs(snix/docs/TODO): drop builder TODOs
A mention of these different builders is included in a footnote
in the documentation, and various issues for the different TODOs were
created:

 - #128 Implement bwrap-based Builder
 - #129 Implement gVisor-based builder
 - #130 Implement Cloud Hypervisor-based builder
 - #131 OCI builder: add preflight checks
 - #132 BuildService: refactor to be more granular

Change-Id: I349b799e233ba8bef39a139cf2453d3214bb69b3
Reviewed-on: https://cl.snix.dev/c/snix/+/30474
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
2025-05-05 11:56:26 +00:00
Florian Klink
c1331c3d93 docs(snix/docs/TODO): drop Derivation -> Build section
This was most likely meant to refer to `exportReferencesGraph`, not
`fetchClosure`. `fetchClosure` is not used in nixpkgs - I created #127
still.

Issue #44 is extended to mention `ExportedPathInfo`.

Change-Id: Id898cb381db02c83888dc395cf3ab01ae6baf2aa
Reviewed-on: https://cl.snix.dev/c/snix/+/30473
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-05 11:56:26 +00:00
Florian Klink
0bc0807e24 docs(snix/docs/TODO): drop fetchGit/fetchTree TODO
Migrated to #126.

Change-Id: Iccfc0cbd9bdc08fde337ae097eb7ddb57c67d439
Reviewed-on: https://cl.snix.dev/c/snix/+/30472
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-05 11:56:26 +00:00
Florian Klink
4e62ccd74c docs(snix/docs/TODO): drop Nix Daemon protocol item
This is very generic and not helpful.

Change-Id: Ie851e0e293023ab1794c6815e0a0e188471f509b
Reviewed-on: https://cl.snix.dev/c/snix/+/30471
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-05 11:56:26 +00:00