This is only used inside NixHash::to_nix_hex_string().
Change-Id: I7c9c0cd7d4feaa41b0861bb5c0e99a47ec0caac1
Reviewed-on: https://cl.snix.dev/c/snix/+/30555
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
This looks more readable like this.
Change-Id: Iaa750fae66c7263612f169405eb7d38fb9541b04
Reviewed-on: https://cl.snix.dev/c/snix/+/30552
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
This error is used for invalid digest lengths for a passed HashAlgo, not
just when they're encoded (as can be seen in from_algo_and_digest).
Change-Id: I7604846ae133df1be516a1f7ab28efd2a5775145
Reviewed-on: https://cl.snix.dev/c/snix/+/30551
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
This is not used anywhere, and a bit surprising. Consumers can just use
from_algo_and_digest.
Change-Id: Id4fca98568b1967899fb7428e6767aa993e70c96
Reviewed-on: https://cl.snix.dev/c/snix/+/30550
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
This was decoding nixbase32, not hex. Its only consumer (in ca_hash.rs)
was right in its docstring about how it behaves, only was calling the
wrongly-named function.
Change-Id: I97ea273706ba818d16a61b1574989db800f78ead
Reviewed-on: https://cl.snix.dev/c/snix/+/30553
Reviewed-by: Ilan Joselevich <personal@ilanjoselevich.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
This changes RootNodes::list to return a BoxStream<'static, _>, and then
drops all the mpsc sender / receiver complexity we were having.
There's also no need to worry about channel buffer sizes - all current
RootNodes implementations are immediately ready to yield new elements in
the stream. Assuming there's new implementations that do take some time,
we can deal with buffer sizes on the producer size, which might know its
own batch sizes better.
RootNodes now doesn't need to implement Clone/Send anymore, and can have
non-static lifetimes. As long as its the list method returns a
BoxStream<'static>, we're fine with all that.
On a first look, this seems like we now need to do more cloning upfront
for the BTreeMap and Directory RootNodes impls. However, we already
had to clone the entire thing at `self.root_nodes_provider.clone()`, and
then did it again for each element.
Now we get an owned version of the data whenever a list() call happens,
and then just move owned things around.
Change-Id: I85fbca0e1171014ae85eeb03b3d58e6176ef4e2d
Reviewed-on: https://cl.snix.dev/c/snix/+/30549
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Tested-by: besadii
There's multiple places where we peek at the node to construct a
FileType, so move this into a helper.
Also, get rid of a async move which didn't move, and use .ok_or_else to
make things a bit more readable.
Change-Id: I2d24a3291029fdc12e0049398d8d51111e22d3cf
Reviewed-on: https://cl.snix.dev/c/snix/+/30548
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Tested-by: besadii
We can now use async closures for this.
Change-Id: Iccbe86998726be139e81749745c37eb9f475693c
Reviewed-on: https://cl.snix.dev/c/snix/+/30546
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Connor Brewster <cbrewster@hey.com>
Even without nix/store in here, all output paths need to be write-able.
Change-Id: Ibeeba503844dee78de11fd2aa79b3ad207795059
Reviewed-on: https://cl.snix.dev/c/snix/+/30542
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Vova Kryachko <v.kryachko@gmail.com>
Nix's `builtin.placeholder` function produces output paths that are not
known ahead of time, so before propagating these values into the build
we need to replace them in all env variables and arguments to their
corresponding output store paths.
fix#101
Change-Id: I2670c749f2c578e276d698e511598a76a99ebb96
Reviewed-on: https://cl.snix.dev/c/snix/+/30310
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: Vova Kryachko <v.kryachko@gmail.com>
And allow gerrit01 to send these hooks over to irccat running on meta01.
Issue: https://git.snix.dev/snix/snix/issues/74
Change-Id: Ic5835734b32e8e5a46225e68d4124d55c002d663
Reviewed-on: https://cl.snix.dev/c/snix/+/30527
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
This is a listener for gerrit events, sent by their "webhooks" plugin,
as well as a NixOS module to deploy it.
Issue: https://git.snix.dev/snix/snix/issues/74
Change-Id: I65c5c5a991e6b1f4f330b3439c8a25aec3f1b484
Reviewed-on: https://cl.snix.dev/c/snix/+/30526
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
cl/30249 changed this to Postmark, and it was unconfigured before.
Change-Id: I89eb49dbb8a3cb81135ae01c98379151e32ecd7c
Reviewed-on: https://cl.snix.dev/c/snix/+/30528
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
This removes the old clbot, which kept an SSH connection to gerrit open.
Change-Id: If8faecdd018b45dd087b7332fe3d3a8280947358
Reviewed-on: https://cl.snix.dev/c/snix/+/30525
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
The config seems a bit underdocumented, but this is what gets it to
listen on 4722 for http.
While we have firewall rules in place, we don't want this to listen on
*:$randomPort, for tcp but just have it disabled.
This doesn't seem to be possible right now, due to a bug in viper, but
we can at least restrict it to listen to localhost only for TCP.
Change-Id: I94d379b8820fd32dc1d75082d3a7fb078f93e4ec
Reviewed-on: https://cl.snix.dev/c/snix/+/30523
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
This deploys irccat, connected to the #snix channel.
We drop the custom irccat third_party, it's 2 years older than the
latest version in nixpkgs.
The irccat.nix module file contains some of the code present in the TVL
version, it however moves the secrets merging to ExecStartPre=,
given https://github.com/systemd/systemd/issues/19604#issuecomment-989279884
has been fixed for almost a year.
Contrary to the setup there, we don't let irccat connect to ZNC, but
hackint directly (so make use of the secrets logic).
We also drop the network-online.target, and make this overall more
tolerant by using Restart=on-failure.
Change-Id: Ieac3b744b7ea58b8dddf1cdc37a8bc057b205b1b
Reviewed-on: https://cl.snix.dev/c/snix/+/30504
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
In some distant past, stc-ng had some clear troubles while deploying the
machine when we were bootstrapping infra.
This was fixed by rolling back to the old stc. Having retried right now,
stc-ng seems to transition the new system correctly, so let's switch to
it for the time being.
Change-Id: I99f92618841b49357a28212955b62bf5e495e761
Signed-off-by: Raito Bezarius <raito@lix.systems>
Reviewed-on: https://cl.snix.dev/c/snix/+/30503
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
This builds the important website for both snix.systems and its
predecessor, tvix.systems.
Change-Id: I4cce5595098c804bd4df0cc2ae3c05344138e7b1
Reviewed-on: https://cl.snix.dev/c/snix/+/30502
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Also include tvix.{store,systems}, they might still be used in some
places.
Change-Id: I90085d7488f94c8764e61e3d99d8f03459c6f9f0
Reviewed-on: https://cl.snix.dev/c/snix/+/30501
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
This change makes BUILD_TOP to point to /build, which is what nix does.
Change-Id: I4ffef67aff0665d13859378a86329291a53d4ea0
Reviewed-on: https://cl.snix.dev/c/snix/+/30500
Reviewed-by: Florian Klink <flokli@flokli.de>
Autosubmit: Vova Kryachko <v.kryachko@gmail.com>
Tested-by: besadii
Rather than having separate branches, just make it part of the state
machine discipline.
Change-Id: Ib21456227515506495ca06ac2a8a529d04f95fde
Reviewed-on: https://cl.snix.dev/c/snix/+/30496
Reviewed-by: Brian Olsen <brian@maven-group.org>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
We should never return `Poll::Pending` without having received it from
the underlying reader.
Change-Id: I8c79c0243dc45889c1df478712971ef930e5f3a9
Reviewed-on: https://cl.snix.dev/c/snix/+/30498
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
There are no .zone files in here (maybe once were, before switching DNS
providers, or this was copy-pasted from elsewhere).
Also, the validate.terraform target was broken, due to a typo, and not
covered in CI, due to being inside another attrset.
There's only a single check left, so just call that one `validate`,
making it consistent with other //ops terraform workspaces, and getting
CI to actually check it.
Change-Id: I022138d4d3c74181a53738cb53a48b7945392345
Reviewed-on: https://cl.snix.dev/c/snix/+/30499
Tested-by: besadii
Reviewed-by: Ryan Lahfa <masterancpp@gmail.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Legitimate zero-length reads could cause spurious unexpected EOF,
since we implicitly assumed buffers always have remaining capacity.
For the buffered case, `consume(0)` could cause panics after either
`poll_fill_buf` or `poll_read` had returned `Poll::Pending`.
The bytes_read/with_limited logic receives a stylistic cleanup to make
it obvious that bytes_read is always written before being used.
Change-Id: I46aa47113309552dcef9532b5d4009d2186db9cd
Reviewed-on: https://cl.snix.dev/c/snix/+/30492
Tested-by: besadii
Reviewed-by: Brian Olsen <brian@maven-group.org>
Reviewed-by: Florian Klink <flokli@flokli.de>
This prevents framing confusion, which would otherwise lead to a
trivial confused deputy attack. See issue #120.
The NixFramedReader state machine has been refactored to simplify
its internal logic and accurately account for EOF conditions.
End-of-stream is fused, and unexpected EOF on the underlying reader
is returned as UnexpectedEof, though we don't fuse those ourselves.
We also ensure that the underlying reader does not swap the ReadBuf;
this would otherwise supply a primitive for converting uninitialised
mutable memory into `&mut [u8]` without initialisation, thus allowing
undefined behaviour to be triggered from safe code.
Change-Id: I05ddb7e3ca57b3363f56c0d9b43d5a641748ca36
Reviewed-on: https://cl.snix.dev/c/snix/+/30380
Reviewed-by: Brian Olsen <brian@maven-group.org>
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
This is mostly a WIP commit, to demonstrate bugs properly. See #120.
The tests are marked `#[should_panic]`, since they are intended to fail.
Change-Id: I39f1d66742e6629ccb889da8ef1199117b91b126
Reviewed-on: https://cl.snix.dev/c/snix/+/30490
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
There's no reason for these to not be collapsed, like other siblings.
Change-Id: Ifae2abae6733f69da642e2950a8fe5321d7becfa
Reviewed-on: https://cl.snix.dev/c/snix/+/30482
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: edef <edef@edef.eu>
Provide redirects when the old domain is accessed, which Nix seems to
follow.
We keep the same hostname, so historical node exporter graphs are still
visible.
Change-Id: Icecd7f5324ac25bbfd4c003ca9cc65681114f0b5
Reviewed-on: https://cl.snix.dev/c/snix/+/30484
Reviewed-by: edef <edef@edef.eu>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
The messages we can throw are not necessarily UTF-8 strings. The
to_string() in there did store the result of the Display impl, which is
a quoted string.
Change-Id: I65a77ccc7f2d62ff06a2a9458cdb7e7292f132b0
Reviewed-on: https://cl.snix.dev/c/snix/+/30489
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Bence Nemes <nemes.bence1@gmail.com>
This tests deep forcing happens in lexicographic key order, by comparing
the returned error from the evaluator. It's not possible to observe this
from inside nixlang, which is why we use one_offs.rs here.
Change-Id: I73085addca3a4df20bc23f9fced458758af5b391
Reviewed-on: https://cl.snix.dev/c/snix/+/30488
Reviewed-by: Bence Nemes <nemes.bence1@gmail.com>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Using hashmap seems to give a decent speedup overall.
hello outpath time: [528.01 ms 529.17 ms 530.64 ms]
change: [-22.932% -22.563% -22.181%] (p = 0.00 < 0.05)
Performance has improved.
firefox outpath time: [4.7647 s 4.8149 s 4.8917 s]
change: [-21.251% -20.408% -18.914%] (p = 0.00 < 0.05)
Performance has improved.
But it slows down derivation parsing by about 1-1.5%
Added another attr merge benchmark that helped me while profiling,
not sure if we want to keep that.
Change-Id: Icb9f1e2d40bbb7150af1b8df192bf3c860bae79b
Reviewed-on: https://cl.snix.dev/c/snix/+/30309
Tested-by: besadii
Reviewed-by: Florian Klink <flokli@flokli.de>
moved to #138 and #139.
Change-Id: I3ad3dc5ab0c38ba4ed0ac43d5c492f802be61ed8
Reviewed-on: https://cl.snix.dev/c/snix/+/30481
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Combinators are tracked in #135, a followup for `CombinedBlobService` is
tracked in #136.
User-facing composition config is tracked in #137.
Everything else mostly already landed with the rest of the store
composition, so can be dropped.
Change-Id: I3e0aee409f8314b1a0582541fd5f1b8b50405ce5
Reviewed-on: https://cl.snix.dev/c/snix/+/30480
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
This enables logging in to Buildkite with SAML.
Fixes#95.
Change-Id: Ieaa87c660692953305619c2bd8270d2329bd7545
Reviewed-on: https://cl.snix.dev/c/snix/+/30478
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
There's two Roles for the Forgejo application, "Admin" and
"Contributors".
Everyone gets the "Contributor" role assigned automatically (it doesn't
really give you a ton of privileges).
Regarding mapping Gerrit groups, it seems there's no support for this in
the `gerrit-oauth-provider` plugin (yet) -
see https://github.com/davido/gerrit-oauth-provider/issues/170.
Fixes#73.
Change-Id: I3cbb968e664125b1f08235db3008d1dbf778922a
Reviewed-on: https://cl.snix.dev/c/snix/+/30477
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
Autosubmit: Florian Klink <flokli@flokli.de>
keycloak_openid_user_client_role_protocol_mapper.grafana_role_mapper was
missing. It is configured to make the client roles for this Application
(and only those for this application) available in the grafana_roles
claim.
We can also disable full scope, as we're not interested in other role
mappings.
The Terraform files are a bit reorganized, everything configuring the
Grafana client lives in grafana.tf (and vice-versa for Forgejo,
Buildkite and Gerrit). The only thing left in permissions.tf is global
groups, their memberships and mappings.
Change-Id: I37b0755f4f8658518083353ec6cc0193e805d5c2
Reviewed-on: https://cl.snix.dev/c/snix/+/30476
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
A mention of these different builders is included in the a footnote
in the documentation, and various issues for the different TODOs were
created:
- #128 Implement bwrap-based Builder
- #129 Implement gVisor-based builder
- #130 Implement Cloud Hypervisor-based builder
- #131 OCI builder: add preflight checks
- #132 BuildService: refactor to be more granular
Change-Id: I349b799e233ba8bef39a139cf2453d3214bb69b3
Reviewed-on: https://cl.snix.dev/c/snix/+/30474
Autosubmit: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Reviewed-by: Jonas Chevalier <zimbatm@zimbatm.com>
