Commit graph

21853 commits

Author SHA1 Message Date
Florian Klink
859faa8eb1 fix(snix/glue): fix Store Path parsing
All outputs constructed by derivation_to_build_request use inputs_dir as
a prefix (so we cannot use StorePath::from_bytes, which only takes
the basename), and they are relative to their root, so we cannot use
StorePath::from_absolute_path either.

Construct the store paths by stripping inputs_dir early (right after
the call to derivation_to_build_request), and use them later.

Change-Id: I3874e11cf21159c05b02314d9baf26cc98ea7956
Reviewed-on: https://cl.snix.dev/c/snix/+/30569
Reviewed-by: Yureka <snix@yuka.dev>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-06-11 12:24:23 +00:00
Vova Kryachko
d741ca4bb1 feat(glue): Add hashed_mirrors support to eval fetcher
This change adds basic scaffolding to allow configuring hashed_mirrors that will be used
by fetchurl to download artifacts by their hash, this is useful in case certain URLs are
no longer available but required to bootstrap nixpkgs stdenv.

These urls will have higher priority than the url specified in fetchurl(and friends) and
will be attempted before falling back to the actual url specified in fetchurl.

Change-Id: I589bdef609075f274cbdf6b26af602cafaa7496a
Reviewed-on: https://cl.snix.dev/c/snix/+/30567
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-06-11 09:45:16 +00:00
Florian Klink
3c23b323d5 refactor(nix-compat/nixhash/ca_hash): construct algo and digest separately
This is more readable.

Change-Id: I632afc53c3e4b3c07fd913355a02e0fd575f4e02
Reviewed-on: https://cl.snix.dev/c/snix/+/30565
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
2025-06-05 19:46:15 +00:00
Florian Klink
b90da345ab refactor(nix-compat/nixhash/ca_hash): inline algo_str
This is only used in to_nix_nixbase32_string, and in one place in
narinfo2parquet (though it might be sliced wrongly there too).

This is a partial revert of cl/12041, at least for the narinfo2parquet
parts.

Change-Id: Ic8c57373f7ab79043a491267e8484fa8399cea04
Reviewed-on: https://cl.snix.dev/c/snix/+/30564
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: edef <edef@edef.eu>
2025-06-05 19:20:12 +00:00
Florian Klink
63036b3c5e refactor(nix-compat/nixhash): drop (encoded) digest length
We use this for both encoded and unencoded strings (and the error
message was missing), so this usize is pointless.

Change-Id: Id2a1000f1b232896605cdd34349ee114a67dc268
Reviewed-on: https://cl.snix.dev/c/snix/+/30563
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: edef <edef@edef.eu>
2025-06-04 21:43:08 +00:00
Florian Klink
16136380ec refactor(nix-compat/nixhash): drop NixHashResult type alias
This one is overkill. `NixHashResult<NixHash>` takes exactly as many
characters as `Result<NixHash, Error>`, so removing the type alias
actually removes the total amount of code.

The only external reference to it is somewhere that should probably live
in nixhash::ca_hash.

Change-Id: I0c4a149294d33129a67cb1b699cc8a645c7c18e1
Reviewed-on: https://cl.snix.dev/c/snix/+/30562
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
2025-06-04 21:42:38 +00:00
Florian Klink
4a63d85b06 feat(nix-compat/nixhash): digest_length is const
Change-Id: I565f70b4dd7d44b176a1d6fe5009fdf5346c5ab6
Reviewed-on: https://cl.snix.dev/c/snix/+/30561
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-06-04 21:42:08 +00:00
Florian Klink
2dfbfebb47 test(nix-compat/nixhash): rework NixHash::from_str tests
The test code was way too complicated. We had testcases manually
constructing different NixHash as an input, extracted digest and algo,
then manually encoded them with various encodings, to then compare to
itself.

Instead, write out these different string inputs as explicit testcases.

Change-Id: I2adeedcb9ddc8b3d50f8bdab09a1e95198cda402
Reviewed-on: https://cl.snix.dev/c/snix/+/30560
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-06-04 21:38:07 +00:00
Florian Klink
ea861bba67 refactor(snix/glue/fetchers): cleanup
We can reject early if invalid keys are provided in the attrset, no need
to look at values already.

Also, restructure the code parsing and extracting a sha256 by
destructuring the enum, rather than grabbing a slice and trying to
convert to a fixed-size array.

Change-Id: I1bb067133e398626df25b9c1cf99926c6d836a19
Reviewed-on: https://cl.snix.dev/c/snix/+/30559
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
2025-06-04 21:29:36 +00:00
Florian Klink
f6c66af33d refactor(nix-compat/nixhash): move from_ and to_ to NixHash struct
It was a bit confusing to construct NixHash, having them as separate
functions in the module itself, rather than in the NixHash impl.

Also the names were very inconsistent.

This renames parsers to `from_$format_$encoding` and format methods to
`to_$format_$encoding`. It also adds / moves around a few docstrings,
explaining the formats and encodings in the struct docstring itself.

from_str is changed to accept Option<HashAlgo>, not Option<&str>, and
the otherwise unused `from_nix_hash_string` is folded into from_str.
We also simply use from_sri in from_str, as the error path there doesn't
allocate anymore.

Similarly, the from_nix_str function was only a helper function used to
parse a subset of the formats supported in the NixHash::from_str method.
We shouldn't be using it outside of there, all usages (only in tests)
have been replaced with NixHash::from_algo_and_digest.

Change-Id: I36128839dbef19c58b55d5dc5817e38e37a483cc
Reviewed-on: https://cl.snix.dev/c/snix/+/30554
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
2025-06-04 21:25:57 +00:00
Florian Klink
6c1bfd778e refactor(nix-compat/nixhash): move serde into serde module
Especially the various specific format serializers/deserializers with
used in path_info.rs shouldn't be living there, but in NixHash, so they
can be used by other consumers of the library wanting to restrict to a
certain format.

Change-Id: Id43ba96e3f6ec68999f028854b625d5335d71554
Reviewed-on: https://cl.snix.dev/c/snix/+/30556
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-06-03 23:25:01 +00:00
Florian Klink
87d80eb1cc refactor(nix-compat/nixhash): absorb to_plain_hex_string
This is only used inside NixHash::to_nix_hex_string().

Change-Id: I7c9c0cd7d4feaa41b0861bb5c0e99a47ec0caac1
Reviewed-on: https://cl.snix.dev/c/snix/+/30555
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
2025-06-03 23:19:00 +00:00
Florian Klink
7b6b94c5ca refactor(nix-compat/nixhash): use a bit more map and ok_or_else
This looks more readable like this.

Change-Id: Iaa750fae66c7263612f169405eb7d38fb9541b04
Reviewed-on: https://cl.snix.dev/c/snix/+/30552
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
2025-06-03 20:59:28 +00:00
Florian Klink
963546bd37 refactor(nix-compat/nixhash): s/InvalidEncodedDigestLength/InvalidDigestLength/
This error is used for invalid digest lengths for a passed HashAlgo, not
just when they're encoded (as can be seen in from_algo_and_digest).

Change-Id: I7604846ae133df1be516a1f7ab28efd2a5775145
Reviewed-on: https://cl.snix.dev/c/snix/+/30551
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-06-03 20:22:23 +00:00
Florian Klink
6022fb3cc2 refactor(nix-compat/nixhash): drop impl TryFrom<(HashAlgo, &[u8])> for NixHash
This is not used anywhere, and a bit surprising. Consumers can just use
from_algo_and_digest.

Change-Id: Id4fca98568b1967899fb7428e6767aa993e70c96
Reviewed-on: https://cl.snix.dev/c/snix/+/30550
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
2025-06-03 20:22:23 +00:00
Florian Klink
2a01c40e77 fix(nix-compat/nixhash): fix from_nix_nixbase32_str fn name
This was decoding nixbase32, not hex. Its only consumer (in ca_hash.rs)
was right in its docstring about how it behaves, only was calling the
wrongly-named function.

Change-Id: I97ea273706ba818d16a61b1574989db800f78ead
Reviewed-on: https://cl.snix.dev/c/snix/+/30553
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-06-03 20:22:23 +00:00
Florian Klink
80b5206034 refactor(castore/fs): use streams for dir handles
This changes RootNodes::list to return a BoxStream<'static, _>, and then
drops all the mpsc sender / receiver complexity we were having.

There's also no need to worry about channel buffer sizes - all current
RootNodes implementations are immediately ready to yield new elements in
the stream. Assuming there's new implementations that do take some time,
we can deal with buffer sizes on the producer size, which might know its
own batch sizes better.

RootNodes now doesn't need to implement Clone/Send anymore, and can have
non-static lifetimes. As long as its the list method returns a
BoxStream<'static>, we're fine with all that.

On a first look, this seems like we now need to do more cloning upfront
for the BTreeMap and Directory RootNodes impls. However, we already
had to clone the entire thing at `self.root_nodes_provider.clone()`, and
then did it again for each element.

Now we get an owned version of the data whenever a list() call happens,
and then just move owned things around.

Change-Id: I85fbca0e1171014ae85eeb03b3d58e6176ef4e2d
Reviewed-on: https://cl.snix.dev/c/snix/+/30549
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Tested-by: besadii
2025-06-02 22:19:24 +00:00
Florian Klink
0f9c5f0354 refactor(glue/snix_store_io): add node_get_type helper
There's multiple places where we peek at the node to construct a
FileType, so move this into a helper.

Also, get rid of a async move which didn't move, and use .ok_or_else to
make things a bit more readable.

Change-Id: I2d24a3291029fdc12e0049398d8d51111e22d3cf
Reviewed-on: https://cl.snix.dev/c/snix/+/30548
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Tested-by: besadii
2025-06-02 22:13:23 +00:00
Florian Klink
59aeeb6fe4 refactor(castore/fs): stop using async move
We don't move anything here.

Change-Id: Ia9f345adf86be3c3f64fef0e6aca067ecbf7cf5d
Reviewed-on: https://cl.snix.dev/c/snix/+/30547
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-06-02 22:08:23 +00:00
Florian Klink
33a02267c2 refactor(castore): drop Clone + Send + Sync requirements on BS, DS
We can now use async closures for this.

Change-Id: Iccbe86998726be139e81749745c37eb9f475693c
Reviewed-on: https://cl.snix.dev/c/snix/+/30546
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Connor Brewster <cbrewster@hey.com>
2025-06-02 21:57:51 +00:00
Florian Klink
97f215aef2 feat(nix-compat/nixhash): add NixHash::to_sri_string
As can be seen in https://github.com/andir/npins/pull/139/files#diff-ec60332b9e2ccfe20e64db6d804f37fe4c652ae58c0679a13e30548cecf1c32fR12,
it makes sense to have this as a function for external consumers.

This is already also exposed in the Display impl, but it's better to
have an explicit function.

Change-Id: I1e16d8bd64502802a9642a2f08ddeb5cbbceacae
Reviewed-on: https://cl.snix.dev/c/snix/+/30545
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-06-02 11:55:53 +00:00
Florian Klink
5b41ae66eb chore(3p/chicago95): remove
This caused spurious fetching errors, and isn't used anywhere. Drop.

Change-Id: I338217b96d95e19084e7cba38270dd35f19c2b29
Reviewed-on: https://cl.snix.dev/c/snix/+/30543
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-28 15:21:06 +00:00
Florian Klink
80f5b5c44e docs(glue/snix_build): document why /nix/store is scratch
Even without nix/store in here, all output paths need to be write-able.

Change-Id: Ibeeba503844dee78de11fd2aa79b3ad207795059
Reviewed-on: https://cl.snix.dev/c/snix/+/30542
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
2025-05-28 15:13:05 +00:00
Florian Klink
688973ad78 fix(glue/builtins/derivation): fix comment
The magic builder string is called "builtin:fetchurl", not
"builtins:fetchurl"

Change-Id: I0527aa9ba293807c0da7e67c8d7e9d441de81623
Reviewed-on: https://cl.snix.dev/c/snix/+/30541
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-28 15:13:05 +00:00
Vova Kryachko
2bbd06753b feat(snix-glue): Correctly propagate output placeholders into the build.
Nix's `builtin.placeholder` function produces output paths that are not
known ahead of time, so before propagating these values into the build
we need to replace them in all env variables and arguments to their
corresponding output store paths.

fix #101

Change-Id: I2670c749f2c578e276d698e511598a76a99ebb96
Reviewed-on: https://cl.snix.dev/c/snix/+/30310
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: Vova Kryachko <v.kryachko@gmail.com>
2025-05-18 14:30:35 +00:00
Florian Klink
8bb8400304 chore(3p/nixpkgs): bump channels (2025-05-13)
Change-Id: I4a212e710957621c09e7aa7ee1e40bea7a7bf633
Reviewed-on: https://cl.snix.dev/c/snix/+/30536
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 21:29:29 +00:00
Florian Klink
f20ab5c9af chore(3p): cleanup unused napalm dep
This isn't referenced anywhere.

Change-Id: Iffb5631073bd181dc1adc1e732ba86f2efea5b9d
Reviewed-on: https://cl.snix.dev/c/snix/+/30535
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 21:29:29 +00:00
Florian Klink
32cafdc570 feat(ops/modules/monorepo-gerrit): enable webhooks plugin
Fixes: https://git.snix.dev/snix/snix/issues/74
Change-Id: If4ca98cc1886f5e0a26dcc1ebeef4758054d3811
Reviewed-on: https://cl.snix.dev/c/snix/+/30529
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 09:23:58 +00:00
Florian Klink
6f3699664a feat(ops/machines/gerrit01): deploy gerrit-webhook-to-irccat
And allow gerrit01 to send these hooks over to irccat running on meta01.

Issue: https://git.snix.dev/snix/snix/issues/74
Change-Id: Ic5835734b32e8e5a46225e68d4124d55c002d663
Reviewed-on: https://cl.snix.dev/c/snix/+/30527
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 09:23:28 +00:00
Florian Klink
064765b19a feat(ops/gerrit-webhook-to-irccat): init
This is a listener for gerrit events, sent by their "webhooks" plugin,
as well as a NixOS module to deploy it.

Issue: https://git.snix.dev/snix/snix/issues/74
Change-Id: I65c5c5a991e6b1f4f330b3439c8a25aec3f1b484
Reviewed-on: https://cl.snix.dev/c/snix/+/30526
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-16 09:22:58 +00:00
Florian Klink
af4e1303b0 fix(ops/modules/monorepo-gerrit): fix outdated comment
cl/30249 changed this to Postmark, and it was unconfigured before.

Change-Id: I89eb49dbb8a3cb81135ae01c98379151e32ecd7c
Reviewed-on: https://cl.snix.dev/c/snix/+/30528
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-16 09:22:07 +00:00
Florian Klink
0bcae4c083 fix(ops): drop clbot
This removes the old clbot, which kept an SSH connection to gerrit open.

Change-Id: If8faecdd018b45dd087b7332fe3d3a8280947358
Reviewed-on: https://cl.snix.dev/c/snix/+/30525
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 09:22:00 +00:00
Florian Klink
8035195939 chore(3p/nix-gerrit): bump
Change-Id: I839d006e85726bffe62d59fdef1765cadffe63ce
Reviewed-on: https://cl.snix.dev/c/snix/+/30524
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
2025-05-16 09:15:26 +00:00
Florian Klink
6666d38584 fix(ops/meta01): fix http listener port, restrict tcp
The config seems a bit underdocumented, but this is what gets it to
listen on 4722 for http.

While we have firewall rules in place, we don't want this to listen on
*:$randomPort, for tcp but just have it disabled.

This doesn't seem to be possible right now, due to a bug in viper, but
we can at least restrict it to listen to localhost only for TCP.

Change-Id: I94d379b8820fd32dc1d75082d3a7fb078f93e4ec
Reviewed-on: https://cl.snix.dev/c/snix/+/30523
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
2025-05-16 09:15:26 +00:00
Florian Klink
c9a77e5b58 feat(ops/meta01): deploy irccat
This deploys irccat, connected to the #snix channel.

We drop the custom irccat third_party, it's 2 years older than the
latest version in nixpkgs.

The irccat.nix module file contains some of the code present in the TVL
version, it however moves the secrets merging to ExecStartPre=,
given https://github.com/systemd/systemd/issues/19604#issuecomment-989279884
has been fixed for almost a year.

Contrary to the setup there, we don't let irccat connect to ZNC, but
hackint directly (so make use of the secrets logic).

We also drop the network-online.target, and make this overall more
tolerant by using Restart=on-failure.

Change-Id: Ieac3b744b7ea58b8dddf1cdc37a8bc057b205b1b
Reviewed-on: https://cl.snix.dev/c/snix/+/30504
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
2025-05-15 14:31:42 +00:00
Raito Bezarius
5d16817f80 fix(machines/build01): move back to stc-ng
In some distant past, stc-ng had some clear troubles while deploying the
machine when we were bootstrapping infra.

This was fixed by rolling back to the old stc. Having retried right now,
stc-ng seems to transition the new system correctly, so let's switch to
it for the time being.

Change-Id: I99f92618841b49357a28212955b62bf5e495e761
Signed-off-by: Raito Bezarius <raito@lix.systems>
Reviewed-on: https://cl.snix.dev/c/snix/+/30503
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-15 14:19:01 +00:00
Florian Klink
e285cbe8cf feat(fun/solves-this): add, deploy to public01
This builds the important website for both snix.systems and its
predecessor, tvix.systems.

Change-Id: I4cce5595098c804bd4df0cc2ae3c05344138e7b1
Reviewed-on: https://cl.snix.dev/c/snix/+/30502
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
2025-05-12 14:40:17 +00:00
Florian Klink
a11099fd1c feat(ops/dns): manage snix.{store,systems} in DO
Also include tvix.{store,systems}, they might still be used in some
places.

Change-Id: I90085d7488f94c8764e61e3d99d8f03459c6f9f0
Reviewed-on: https://cl.snix.dev/c/snix/+/30501
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-12 14:39:47 +00:00
Vova Kryachko
bb8c4e5c0d fix(glue): Set BUILD_TOP correctly as per nix behavior.
This change makes BUILD_TOP to point to /build, which is what nix does.

Change-Id: I4ffef67aff0665d13859378a86329291a53d4ea0
Reviewed-on: https://cl.snix.dev/c/snix/+/30500
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: Vova Kryachko <v.kryachko@gmail.com>
Tested-by: besadii
2025-05-12 00:09:06 +00:00
edef
4749964f06 refactor(nix-daemon/framed): simplify partial header read
Rather than having separate branches, just make it part of the state
machine discipline.

Change-Id: Ib21456227515506495ca06ac2a8a529d04f95fde
Reviewed-on: https://cl.snix.dev/c/snix/+/30496
Reviewed-by: Brian Olsen <brian@maven-group.org>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-11 00:31:30 +00:00
edef
d5c5269ca4 tests(nix-daemon/framed): verify waking behaviour
We should never return `Poll::Pending` without having received it from
the underlying reader.

Change-Id: I8c79c0243dc45889c1df478712971ef930e5f3a9
Reviewed-on: https://cl.snix.dev/c/snix/+/30498
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-11 00:31:30 +00:00
Florian Klink
20589ef8cb fix(ops/dns): drop broken checkZone parts, fix validate
There are no .zone files in here (maybe once were, before switching DNS
providers, or this was copy-pasted from elsewhere).

Also, the validate.terraform target was broken, due to a typo, and not
covered in CI, due to being inside another attrset.

There's only a single check left, so just call that one `validate`,
making it consistent with other //ops terraform workspaces, and getting
CI to actually check it.

Change-Id: I022138d4d3c74181a53738cb53a48b7945392345
Reviewed-on: https://cl.snix.dev/c/snix/+/30499
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-10 16:09:02 +00:00
Florian Klink
ec9e7ee73c refactor(ops): make nixos.snix.cache grafana listen on unix socket
Change-Id: Iadd9850faadb3037825c0465b9aed45fa2826583
Reviewed-on: https://cl.snix.dev/c/snix/+/30495
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-09 23:06:14 +00:00
Florian Klink
7c3d029b8e fix(ops/modules/o11y): disable analytics.reporting_enabled
Change-Id: I1138a3cc9a8a107794bf3053fc48e51af2789d9b
Reviewed-on: https://cl.snix.dev/c/snix/+/30494
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-09 23:06:14 +00:00
Florian Klink
6b518f1aed refactor(ops): make status.snix.dev grafana listen on unix socket
Change-Id: Ib3838edf1ee98a8fe1792771f1a948f00e3f466b
Reviewed-on: https://cl.snix.dev/c/snix/+/30493
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
2025-05-09 23:06:14 +00:00
edef
83c3305863 fix(nix-compat/wire/bytes/reader): handle zero cases
Legitimate zero-length reads could cause spurious unexpected EOF,
since we implicitly assumed buffers always have remaining capacity.

For the buffered case, `consume(0)` could cause panics after either
`poll_fill_buf` or `poll_read` had returned `Poll::Pending`.

The bytes_read/with_limited logic receives a stylistic cleanup to make
it obvious that bytes_read is always written before being used.

Change-Id: I46aa47113309552dcef9532b5d4009d2186db9cd
Reviewed-on: https://cl.snix.dev/c/snix/+/30492
Tested-by: besadii
Reviewed-by: Brian Olsen <brian@maven-group.org>
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-09 22:37:31 +00:00
edef
9a8a9c6b67 fix(nix-daemon): ensure Framed NARs are read exactly
This prevents framing confusion, which would otherwise lead to a
trivial confused deputy attack. See issue #120.

The NixFramedReader state machine has been refactored to simplify
its internal logic and accurately account for EOF conditions.

End-of-stream is fused, and unexpected EOF on the underlying reader
is returned as UnexpectedEof, though we don't fuse those ourselves.

We also ensure that the underlying reader does not swap the ReadBuf;
this would otherwise supply a primitive for converting uninitialised
mutable memory into `&mut [u8]` without initialisation, thus allowing
undefined behaviour to be triggered from safe code.

Change-Id: I05ddb7e3ca57b3363f56c0d9b43d5a641748ca36
Reviewed-on: https://cl.snix.dev/c/snix/+/30380
Reviewed-by: Brian Olsen <brian@maven-group.org>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-09 17:15:28 +00:00
edef
4ef7c50a2d tests(nix-daemon/framed): more thorough, failing tests
This is mostly a WIP commit, to demonstrate bugs properly. See #120.
The tests are marked `#[should_panic]`, since they are intended to fail.

Change-Id: I39f1d66742e6629ccb889da8ef1199117b91b126
Reviewed-on: https://cl.snix.dev/c/snix/+/30490
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
2025-05-09 17:15:28 +00:00
Florian Klink
02b084ec0b docs(web/docs): collapse some more indexes
There's no reason for these to not be collapsed, like other siblings.

Change-Id: Ifae2abae6733f69da642e2950a8fe5321d7becfa
Reviewed-on: https://cl.snix.dev/c/snix/+/30482
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
2025-05-08 13:57:15 +00:00
Florian Klink
5dbe46eea7 refactor(ops/machines/snix-cache): use new snix.store domain
Provide redirects when the old domain is accessed, which Nix seems to
follow.

We keep the same hostname, so historical node exporter graphs are still
visible.

Change-Id: Icecd7f5324ac25bbfd4c003ca9cc65681114f0b5
Reviewed-on: https://cl.snix.dev/c/snix/+/30484
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-07 21:03:57 +00:00