crowdsec-firewall-bouncer: init at 0.0.33#412880
Conversation
44cae38 to 7629126
@06kellyjac may I ask for some suggestions here? I saw here (#279874 (comment)) that you'd like to split the package into two outputs. Should I give it a try (I've never done that before)?
You could look at the crane package for reference maybe. For other examples searching for
Or alternatively we can have it all in one output for now. Just having it packaged would be good
I think that would simplify it xD
Regarding testing: I don't really know how to test it. 👀
`nix build .#crowdsec-firewall-bouncer`
`./result/bin/crowdsec-firewall-bouncer` gives me this: Running prints the help page.
Ok, I could run it and it printed some valid error messages.
@06kellyjac (just in case) I'd say, it's ready for review then. Having it as a package to continue working on the service would be very nice. :) (I'd reaaaaaaaaaaaaally love to have
That's... interesting... I successfully build with
Nix will continue using an old version; if the hash exists in the store, it'll skip fetching the source and will use what it has. We should add
EDIT: |
906289c to f0ca41b
c5944de to f9a35db
acuteaangle left a comment:
This gets versionCheckHook working :)
Since we're setting the version based on src.tag, it won't help against a stale hash, but I still think it's a good idea to include it.
|
crowdsec-firewall-bouncer-extract-metadata-from-git.patch:

From: Summer Tea <acuteaangle@disroot.org>
Date: Tue, 10 Jun 2025 03:36:14 -0400
Subject: [RFC PATCH] crowdsec-firewall-bouncer: extract metadata from git
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Extract versioning information from `git` to allow `versionCheckHook`
to validate that {version} and {src.hash} are maintained in sync.
`.git` is deleted in postFetch after the desired information is written
out, to avoid reproducibility issues described in [#8567].
Additionally, `-version` gives unsurprising output—in contrast to fields
previously being blank or unique to Nix.
The upstream Makefile sets the version metadata to the following values:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
version.Version=$(git describe --tags)
version.BuildDate=$(date +%F"_"%T)
version.Tag=$(git rev-parse HEAD)'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
While these are questionably named and perhaps do not produce 'optimal'
output, for now replicate what the upstream Makefile does, with the
exception of substituting the commit date for the build date.
`git describe --tags` seems to produce different output in fetchgit,
despite operating on the same commit.
Tag `v0.0.33` (cb8b3e3) gives `v0.0.33` when run interactively against
the upstream repo, but within fetchgit it instead returns
`v0.0.33-rc1-1-gcb8b3e3`, which is technically correct, but different.
This whole version system seems fairly janky. `-version` prints
`v0.0.33-rc1-1-gcb8b3e3-cb8b3e3c654499f745ff487eb1c327d7234a533f`,
catenating the output of `git describe --tags` (which may already
include the commit hash) with the commit hash.
Either `git log --tags --long --abbrev=40` or `git log --tags --abbrev=0`
seems like it would make more sense here, but out of scope
for Nixpkgs.
[#8567]: https://github.com/NixOS/nixpkgs/issues/8567
---
I managed to get extracting version information from `git` working,
but it feels like a decent amount of complexity just to get the full
benefit of `versionCheckHook`. I’ll throw the patch here anyways,
in case future reviewers have any thoughts about it.
.../cr/crowdsec-firewall-bouncer/package.nix | 40 +++++++++++++++++--
1 file changed, 36 insertions(+), 4 deletions(-)
diff --git a/pkgs/by-name/cr/crowdsec-firewall-bouncer/package.nix b/pkgs/by-name/cr/crowdsec-firewall-bouncer/package.nix
index f7b3116e41fd..2b640d3f7c2c 100644
--- a/pkgs/by-name/cr/crowdsec-firewall-bouncer/package.nix
+++ b/pkgs/by-name/cr/crowdsec-firewall-bouncer/package.nix
@@ -13,14 +13,46 @@ buildGoModule rec {
owner = "crowdsecurity";
repo = "cs-firewall-bouncer";
tag = "v${version}";
- hash = "sha256-4fxxAW2sXGNxjsc75fd499ciuN8tjGqlpRIaHYUXwQ0=";
+ hash = "sha256-lfIRKFGVB++sAVDnGujh0VwCyZmfdxXtl3rK8V7xVr0=";
+ leaveDotGit = true;
+ deepClone = true; # needed for `git describe`
+ # By extracting metadata from the git repository in postFetch, we can
+ # delete the rest of `.git` afterwards and avoid the reproducibility
+ # issues described in <https://github.com/NixOS/nixpkgs/issues/8567>.
+ postFetch = ''
+ pushd "$out"
+ # Store the current commit hash and the output of `git describe`
+ # to give to the program during the build.
+ #
+ # Do this rather than directly supplying `{version}` or `{src.tag}`,
+ # as it allows `versionCheckHook` to function as a better sanity check.
+ git describe --tags > COMMIT_DESCRIBE
+ git rev-parse HEAD > COMMIT
+ # Format using `date` rather than git’s builtin `--date` option, as
+ # it’s an easy way to be _certain_ times will be in UTC (without relying
+ # TZ=UTC0), and we can directly use the expected format string from the
+ # Makefile, since it would call `date`.
+ #
+ # While it would be possible to leave the date unset (the program
+ # would print an empty string in its place) or set it to a fixed epoch,
+ # providing the commit date lets it give a useful and unsurprising value.
+ date -u -d "@$(git log -1 --pretty=%ct)" '+%F_%T' > SOURCE_DATE
+ # We want to remove *every* `.git` directory, in case of submodules.
+ find -name .git -print0 | xargs -0 rm -rf
+ popd
+ '';
};
vendorHash = "sha256-Bhp6Z2UlCJ32vdc3uINCGleZFP2WeUn/XK+Q29szUzQ=";
- ldflags = [
- "-X github.com/crowdsecurity/go-cs-lib/version.Version=${src.tag}"
- ];
+ preBuild = ''
+ # Poorly named, but what the programs expects
+ pushd "$src"
+ ldflags+=" -X github.com/crowdsecurity/go-cs-lib/version.Version=$(< COMMIT_DESCRIBE)"
+ ldflags+=" -X github.com/crowdsecurity/go-cs-lib/version.BuildDate=$(< SOURCE_DATE)"
+ ldflags+=" -X github.com/crowdsecurity/go-cs-lib/version.Tag=$(< COMMIT)"
+ popd
+ '';
nativeInstallCheckInputs = [ versionCheckHook ];
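Review bot: the `git describe --tags` value written to COMMIT_DESCRIBE in postFetch is never compared against the tag that was requested, so the `v0.0.33-rc1-1-gcb8b3e3` output the commit message reports for the `v0.0.33` checkout is silently baked into `version.Version`, and versionCheckHook still passes because its fixed-string search for `0.0.33` matches that string (it would equally match `v0.0.33-rc1` if a stale hash resolved to the rc commit), which undercuts the stated goal of using the hook as a stale-hash sanity check. Consider failing the fetch when the describe output does not name the requested tag, e.g. right after `git describe --tags > COMMIT_DESCRIBE` add `[ "$(< COMMIT_DESCRIBE)" = "v${version}" ] || { echo "git describe gave $(< COMMIT_DESCRIBE), expected v${version}" >&2; exit 1; }` (or run `git describe --tags --exact-match`), so the mismatch surfaces at fetch time instead of being accepted; the full hash in COMMIT is the value worth comparing against the intended commit if the describe output cannot be made stable.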
Next chance I get some more free time, I’m hoping to try out this package with the WIP module at #387625.
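As an added example, not code from this PR or from crowdsec's go-cs-lib: the program below models what the `-X` ldflags in the patch hand to the binary and contrasts the fixed-string match that versionCheckHook performs with a strict check on the parsed `git describe` output and on the full commit hash. The variable names Version, BuildDate and Tag mirror the three `-X` targets from the upstream Makefile; the BuildDate value and the helpers ParseDescribe, LooseCheck, StrictCheck and CommitCheck are assumptions of this example, and the describe strings are the ones quoted in the commit message.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Link-time metadata. The names mirror the three -X targets the upstream
// Makefile sets; the defaults are constructed for this example from the
// describe output quoted in the commit message (BuildDate is made up).
var (
	Version   = "v0.0.33-rc1-1-gcb8b3e3"                   // git describe --tags
	BuildDate = "2025-06-04_12:00:00"                      // constructed value
	Tag       = "cb8b3e3c654499f745ff487eb1c327d7234a533f" // git rev-parse HEAD
)

// Describe is the parsed form of `git describe --tags` output: the nearest
// tag, how many commits HEAD is past it, and the abbreviated hash git
// appends when that distance is non-zero.
type Describe struct {
	Tag      string
	Distance int
	Abbrev   string
}

// Tag names may themselves contain dashes (v0.0.33-rc1), so the suffix is
// anchored at the end: "-<n>-g<hex>" is only ever appended by git itself.
var describeSuffix = regexp.MustCompile(`^(.+)-(\d+)-g([0-9a-f]{4,40})$`)

// ParseDescribe splits describe output; an exact tag has Distance 0.
func ParseDescribe(s string) Describe {
	if m := describeSuffix.FindStringSubmatch(s); m != nil {
		n, _ := strconv.Atoi(m[2])
		return Describe{Tag: m[1], Distance: n, Abbrev: m[3]}
	}
	return Describe{Tag: s}
}

// VersionString reproduces the "<describe>-<commit>" catenation the commit
// message reports for the bouncer's -version flag.
func VersionString() string {
	return Version + "-" + Tag
}

// LooseCheck is what a fixed-string search for the bare version number sees:
// any output containing "0.0.33" passes, including an rc or post-rc build.
func LooseCheck(output, version string) bool {
	return strings.Contains(output, version)
}

// StrictCheck only accepts a build that sits exactly on the tag v<version>.
func StrictCheck(describe, version string) bool {
	d := ParseDescribe(describe)
	return d.Distance == 0 && d.Tag == "v"+version
}

// CommitCheck compares the full commit hash baked into the binary with the
// commit the packager intended to build, independent of which tag refs the
// fetcher happened to materialise.
func CommitCheck(tag, wantCommit string) bool {
	return tag == wantCommit
}

func main() {
	for _, s := range []string{"v0.0.33", "v0.0.33-rc1", "v0.0.33-rc1-1-gcb8b3e3"} {
		d := ParseDescribe(s)
		fmt.Printf("%-24s tag=%-12s distance=%d abbrev=%q loose=%t strict=%t\n",
			s, d.Tag, d.Distance, d.Abbrev, LooseCheck(s, "0.0.33"), StrictCheck(s, "0.0.33"))
	}
	fmt.Println("binary reports:", VersionString())
}
```

The strict describe check is only meaningful when the release tag ref is actually present in the fetched repository; the commit message shows fetchgit describing the very same commit as `v0.0.33-rc1-1-gcb8b3e3`, which this check would reject. Comparing the full commit hash from `git rev-parse HEAD` against the commit the tag is expected to point at is the guard that does not depend on tag refs, and it is the one that catches a stale `src.hash`. The parser does not handle the `-dirty` suffix that `git describe --dirty` can append, since the fetched tree is never dirty.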
Defelo left a comment:
also please don't forget to squash your commits 😉
Aye! (And: Long time no see :D)
5706932 to 8927354
06kellyjac left a comment:
Happy to maintain with you but otherwise LGTM
|
Defelo left a comment:
Diff LGTM, however can't test this myself.
Maybe consider rewriting your commit message to mention each co-author only once and remove the old messages ("Update ...", "format ...")
ok
Co-authored-by: Summer Tea <79724236+acuteaangle@users.noreply.github.com>
Co-authored-by: Felix Bargfeldt <41747605+Defelo@users.noreply.github.com>
Co-authored-by: j-k <dev@j-k.io>
c561bfb to 7895713
Closes #279874