diff --git a/flake.lock b/flake.lock
index 9e457c250..eea9940e0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -287,16 +287,15 @@
 "opam2json": "opam2json"
 },
 "locked": {
- "lastModified": 1770866632,
- "narHash": "sha256-OmtGtQ7YUjUXsdpfJMB5STuTqmisp1JlHX4lZEkthkU=",
- "owner": "ju1m",
+ "lastModified": 1771067167,
+ "narHash": "sha256-XSw8dQIkdr+6eLvbUHo3cJPtTU7o5SMODz3qlnzmGpQ=",
+ "owner": "tweag",
 "repo": "opam-nix",
- "rev": "963f498bef5d7d179a0e7955c218b4e87f73ba12",
+ "rev": "2e20bbbe8130d1880338291446fd4e710a4db9a1",
 "type": "github"
 },
 "original": {
- "owner": "ju1m",
- "ref": "materialize-monorepo",
+ "owner": "tweag",
 "repo": "opam-nix",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index c2198f4f3..e85ef0af1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -25,9 +25,7 @@
 inputs.nix-filter.url = "github:numtide/nix-filter/3e1fff9";
- # FixMe(maint/upstream): merge this branch upstream
- #inputs.opam-nix.url = "github:tweag/opam-nix";
- inputs.opam-nix.url = "github:ju1m/opam-nix/materialize-monorepo";
+ inputs.opam-nix.url = "github:tweag/opam-nix";
 inputs.opam-nix.inputs.nixpkgs.follows = "nixpkgs";
 inputs.opam-nix.inputs.flake-utils.follows = "flake-utils";
 inputs.opam-nix.inputs.opam-repository.follows = "opam-repository";
diff --git a/pkgs/by-name/dnsvizor/monorepo-materialized/hvt.json b/pkgs/by-name/dnsvizor/materialized/hvt/monorepo.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/monorepo-materialized/hvt.json
rename to pkgs/by-name/dnsvizor/materialized/hvt/monorepo.json
diff --git a/pkgs/by-name/dnsvizor/packages-materialized/hvt.json b/pkgs/by-name/dnsvizor/materialized/hvt/packages.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/packages-materialized/hvt.json
rename to pkgs/by-name/dnsvizor/materialized/hvt/packages.json
diff --git a/pkgs/by-name/dnsvizor/monorepo-materialized/muen.json b/pkgs/by-name/dnsvizor/materialized/muen/monorepo.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/monorepo-materialized/muen.json
rename to pkgs/by-name/dnsvizor/materialized/muen/monorepo.json
diff --git a/pkgs/by-name/dnsvizor/packages-materialized/muen.json b/pkgs/by-name/dnsvizor/materialized/muen/packages.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/packages-materialized/muen.json
rename to pkgs/by-name/dnsvizor/materialized/muen/packages.json
diff --git a/pkgs/by-name/dnsvizor/monorepo-materialized/qubes.json b/pkgs/by-name/dnsvizor/materialized/qubes/monorepo.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/monorepo-materialized/qubes.json
rename to pkgs/by-name/dnsvizor/materialized/qubes/monorepo.json
diff --git a/pkgs/by-name/dnsvizor/packages-materialized/qubes.json b/pkgs/by-name/dnsvizor/materialized/qubes/packages.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/packages-materialized/qubes.json
rename to pkgs/by-name/dnsvizor/materialized/qubes/packages.json
diff --git a/pkgs/by-name/dnsvizor/monorepo-materialized/spt.json b/pkgs/by-name/dnsvizor/materialized/spt/monorepo.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/monorepo-materialized/spt.json
rename to pkgs/by-name/dnsvizor/materialized/spt/monorepo.json
diff --git a/pkgs/by-name/dnsvizor/packages-materialized/spt.json b/pkgs/by-name/dnsvizor/materialized/spt/packages.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/packages-materialized/spt.json
rename to pkgs/by-name/dnsvizor/materialized/spt/packages.json
diff --git a/pkgs/by-name/dnsvizor/monorepo-materialized/unix.json b/pkgs/by-name/dnsvizor/materialized/unix/monorepo.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/monorepo-materialized/unix.json
rename to pkgs/by-name/dnsvizor/materialized/unix/monorepo.json
diff --git a/pkgs/by-name/dnsvizor/packages-materialized/unix.json b/pkgs/by-name/dnsvizor/materialized/unix/packages.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/packages-materialized/unix.json
rename to pkgs/by-name/dnsvizor/materialized/unix/packages.json
diff --git a/pkgs/by-name/dnsvizor/monorepo-materialized/virtio.json b/pkgs/by-name/dnsvizor/materialized/virtio/monorepo.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/monorepo-materialized/virtio.json
rename to pkgs/by-name/dnsvizor/materialized/virtio/monorepo.json
diff --git a/pkgs/by-name/dnsvizor/packages-materialized/virtio.json b/pkgs/by-name/dnsvizor/materialized/virtio/packages.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/packages-materialized/virtio.json
rename to pkgs/by-name/dnsvizor/materialized/virtio/packages.json
diff --git a/pkgs/by-name/dnsvizor/monorepo-materialized/xen.json b/pkgs/by-name/dnsvizor/materialized/xen/monorepo.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/monorepo-materialized/xen.json
rename to pkgs/by-name/dnsvizor/materialized/xen/monorepo.json
diff --git a/pkgs/by-name/dnsvizor/packages-materialized/xen.json b/pkgs/by-name/dnsvizor/materialized/xen/packages.json
similarity index 100%
rename from pkgs/by-name/dnsvizor/packages-materialized/xen.json
rename to pkgs/by-name/dnsvizor/materialized/xen/packages.json
diff --git a/pkgs/by-name/dnsvizor/mirage.nix b/pkgs/by-name/dnsvizor/mirage.nix
index ece9d55c2..ed7267ce6 100644
--- a/pkgs/by-name/dnsvizor/mirage.nix
+++ b/pkgs/by-name/dnsvizor/mirage.nix
@@ -1,3 +1,7 @@
+# Description: this file implements build helpers
+# for MirageOS unikernels .
+# Though currently located in ngipkgs/pkgs/by-name/dnsvizor/mirage.nix
+# it is not specific to NGIpkgs, DNSvizor nor any `src` updater.
 {
 coreutils,
 jq,
@@ -6,139 +10,256 @@ opam-nix, stdenv, writeShellApplication, + writeText, }: +let + excludeDrvArgNames = [ + "target" + "targets" + "materializedDir" + "monorepoQuery" + "overrideUnikernel" + "query" + "queryArgs" + "opamPackages" + "mirageDir" + ]; +in + rec { # Description: run `mirage configure` on source, # with mirage, dune, and ocaml from `opam-nix`. - configure = - { - pname, - version, - mirageDir ? ".", - query, - src, - target, - opamPackages ? opam-nix.queryToScope { } ({ mirage = "*"; } // query), - ... - }: - stdenv.mkDerivation { - name = "mirage-${pname}-${target}"; - inherit src version; - buildInputs = with opamPackages; [ mirage ]; - nativeBuildInputs = with opamPackages; [ - dune - ocaml - ]; - buildPhase = '' - runHook preBuild - mirage configure -f ${mirageDir}/config.ml -t ${target} - # Move Opam file to root so a recursive search for opam files isn't required. - # Prefix it so it doesn't interfere with other packages. - cp ${mirageDir}/mirage/${pname}-${target}.opam mirage-${pname}-${target}.opam - runHook postBuild - ''; - installPhase = '' - runHook preBuild - cp -R . $out - runHook postBuild - ''; - }; + configure = lib.extendMkDerivation { + constructDrv = stdenv.mkDerivation; + inherit excludeDrvArgNames; + extendDrvArgs = + finalAttrs: + { + pname, + target, + opamPackages, + mirageDir ? finalAttrs.mirageDir or ".", + ... + }: + { + name = "mirage-${pname}-${target}"; + buildInputs = with opamPackages; [ mirage ]; + nativeBuildInputs = with opamPackages; [ + dune + ocaml + ]; + buildPhase = '' + runHook preBuild + mirage configure -f ${mirageDir}/config.ml -t ${target} + # Move Opam file to root so a recursive search for opam files isn't required. + # Prefix it so it doesn't interfere with other packages. + cp ${mirageDir}/mirage/${pname}-${target}.opam mirage-${pname}-${target}.opam + runHook postBuild + ''; + installPhase = '' + runHook preInstall + cp -R . 
$out + runHook postInstall + ''; + }; + }; - # Description: read opam files from mirage-conf and build the unikernel. - build = - { - pname, - version, - mirageDir ? ".", - queryArgs ? { }, - query ? { }, - monorepoQuery, - packages-materialized-path, - monorepo-materialized-path, - target, - overrideAttrs ? finalAttrs: previousAttrs: { }, - ... - }@args: - let - name = "mirage-${pname}-${target}"; - mirage-conf = configure args; - mirage-conf-unmaterialized = configure ( - args - // { - opamPackages = packages-unmaterialized; - } - ); - packages-materialized = opam-nix.materializeOpamProject { } name mirage-conf query; - monorepo-materialized = opam-nix.materializeBuildOpamMonorepo { } mirage-conf monorepoQuery; - monorepo-unmaterialized = opam-nix.unmaterializeQueryToMonorepo { } monorepo-materialized-path; - packages-unmaterialized = - (opam-nix.materializedDefsToScope { - sourceMap.${name} = mirage-conf-unmaterialized; - } packages-materialized-path).overrideScope - ( - finalOpam: previousOpam: { - ${name} = previousOpam.${name}.overrideAttrs (previousAttrs: { - inherit version; - __intentionallyOverridingVersion = true; + # Description: read opam files from mirage configuration + # and build a unikernel for the given target. + build = lib.extendMkDerivation { + constructDrv = stdenv.mkDerivation; + inherit excludeDrvArgNames; + extendDrvArgs = + finalAttrs: + { + pname, + version, + src, + target, + monorepoQuery, + materializedDir, + mirageDir ? ".", + queryArgs ? { }, + query ? { }, + overrideUnikernel ? finalAttrs: previousAttrs: { }, + ... 
+ }@args: + let + mirageName = "mirage-${pname}-${target}"; + mirageConfIFD = configure ( + args + // { + inherit target; + opamPackages = opam-nix.queryToScope { } ({ mirage = "*"; } // query); + } + ); + mirageConf = configure ( + args + // { + inherit target; + opamPackages = packages; + } + ); + packagesMaterialized = opam-nix.materializeOpamProject { } mirageName mirageConfIFD query; + monorepoMaterialized = opam-nix.materializeBuildOpamMonorepo { } mirageConfIFD monorepoQuery; + monorepo = opam-nix.unmaterializeQueryToMonorepo { } (materializedDir + "/${target}/monorepo.json"); + packages = + (opam-nix.materializedDefsToScope { + sourceMap.${mirageName} = finalAttrs.passthru.mirageConf; + } (materializedDir + "/${target}/packages.json")).overrideScope + ( + finalOpam: previousOpam: { + ${mirageName} = previousOpam.${mirageName}.overrideAttrs ( + lib.composeExtensions (finalUnikernel: previousUnikernel: { + inherit version; + __intentionallyOverridingVersion = true; - env = - previousAttrs.env or { } - // lib.optionalAttrs (finalOpam ? "ocaml-solo5") { - OCAMLFIND_CONF = finalOpam.ocaml-solo5 + "/lib/findlib.conf"; - }; + env = + previousUnikernel.env or { } + // lib.optionalAttrs (finalOpam ? "ocaml-solo5") { + OCAMLFIND_CONF = finalOpam.ocaml-solo5 + "/lib/findlib.conf"; + }; - buildPhase = '' - runHook preBuild - mkdir duniverse - echo '(vendored_dirs *)' > duniverse/dune - ${lib.concatStringsSep "\n" ( - lib.mapAttrsToList ( - # ToDo: get dune build to pick up symlinks? 
- name: path: "cp -r ${path} duniverse/${lib.toLower name}" - ) monorepo-unmaterialized - )} - # Note: doesn't fail on warnings - dune build ${mirageDir} --profile release - runHook postBuild - ''; + buildPhase = '' + runHook preBuild + mkdir duniverse + echo '(vendored_dirs *)' > duniverse/dune + ${lib.concatStringsSep "\n" ( + lib.mapAttrsToList (name: path: '' + cp -r ${path} duniverse/${lib.toLower name} + '') finalAttrs.passthru.monorepo + )} + dune build ${mirageDir} --profile release + runHook postBuild + ''; - installPhase = '' - runHook preInstall - mkdir $out - cp -L ${mirageDir}/dist/${pname}* $out/ - runHook postInstall - ''; + installPhase = '' + runHook preInstall + mkdir -p $out/share/mirageos/ + cp -L ${mirageDir}/dist/${pname}* $out/share/mirageos/ + runHook postInstall + ''; - # Reduce the full closure size by several hundreds MiB - # By not propagating inputs and stripping all symbols. - doNixSupport = false; - stripAllList = previousAttrs.stripAllList or [ ] ++ [ "." ]; - }); - } - ); - unikernel = - if lib.pathExists packages-materialized-path && lib.pathExists monorepo-materialized-path then - packages-unmaterialized.${name} - else - # Give access to `passthru` when materialized files - # have not yet been generated. - stdenv.mkDerivation { - name = "stub"; - src = null; - }; - in - unikernel.overrideAttrs (previousAttrs: { - passthru = previousAttrs.passthru or { } // { - inherit - mirage-conf - mirage-conf-unmaterialized - monorepo-materialized - packages-materialized - packages-unmaterialized - ; + # Reduce the full closure size by several hundreds MiB + # since if you're using an unikernel you probably care about this. 
+ doNixSupport = false; + stripAllList = previousUnikernel.stripAllList or [ ] ++ [ "share/mirageos" ]; + }) overrideUnikernel + ); + } + ); + in + { + pname = "${pname}-${target}"; + installPhase = '' + runHook preInstall + cp -R --no-preserve=mode ${finalAttrs.passthru.packages.${mirageName}} $out + ${lib.optionalString + ( + (stdenv.hostPlatform.isLinux && target == "unix") + || (stdenv.hostPlatform.isDarwin && target == "macosx") + ) + '' + install -Dm755 $out/share/mirageos/${pname} $out/bin/${pname} + rm -rf $out/share + '' + } + runHook postInstall + ''; + passthru = { + materialize = lib.getExe (writeShellApplication { + name = "${pname}-materialize-${target}"; + runtimeInputs = [ + coreutils + jq + nix + ]; + text = '' + set -x + materializedDir=$(nix --extra-experimental-features nix-command -L eval \ + -f. ${pname}.${target}.passthru.materializedDir) + mkdir -p "$materializedDir/${target}/" + packagesJson=$(nix --extra-experimental-features nix-command -L build \ + --no-link --print-out-paths --allow-import-from-derivation --show-trace \ + -f. ${pname}.${target}.passthru.packagesMaterialized) + jq <"$packagesJson" >"$materializedDir/${target}/packages.json" + monorepoJson=$(nix --extra-experimental-features nix-command -L build \ + --no-link --print-out-paths --allow-import-from-derivation --show-trace \ + -f. ${pname}.${target}.passthru.monorepoMaterialized) + jq <"$monorepoJson" >"$materializedDir/${target}/monorepo.json" + ''; + }); + inherit + materializedDir + mirageConf + mirageConfIFD + monorepo + monorepoMaterialized + packages + packagesMaterialized + ; + }; }; - }); + }; + + # Description: generate a package set to `build` each one of the given `targets`, + # with an additional `update` package providing a `materializeTargets` script. + # + # Usage: the `materializeTargets` script must be called after having updated + # the given `src` (and possibly `opam-nix`) to generate required materialization files. 
+ # This update should be done inside a `update.passthru.updateScript`, + # that can be inserted with a call to `extend` on the resulting package set. + builds = lib.extendMkDerivation { + extendDrvArgs = + finalAttrs: + { + pname, + src, + version, + targets ? finalAttrs.targets or possibleTargets, + ... + }@args: + args; + constructDrv = + fnOrArgs: + let + finalArgs = lib.fix (lib.toFunction fnOrArgs); + in + lib.recurseIntoAttrs ( + lib.makeExtensible ( + finalSet: + lib.genAttrs finalArgs.targets (target: build (finalArgs // { inherit target; })) + // { + update = + (writeText "${finalArgs.pname}-${finalArgs.version}" '' + This package only exists to provide a location for an `updateScript` + updating `src` only once before calling `materializeTargets`. + '').overrideAttrs + ( + finalAttrs: _previousAttrs: { + # Let `update-source-version` find where to update `version` and `hash`. + pos = builtins.unsafeGetAttrPos "src" finalArgs; + passthru = { + inherit (finalArgs) src materializedDir; + materializeTargets = lib.getExe (writeShellApplication { + name = "${finalArgs.pname}-materializeTargets"; + text = '' + materializedDir=$(nix --extra-experimental-features nix-command -L eval \ + -f. ${finalArgs.pname}.update.passthru.materializedDir) + rm -f "$materializedDir/*/*.json" + '' + + lib.concatMapStringsSep "\n" (target: '' + ${finalSet.${target}.passthru.materialize} + '') finalArgs.targets; + }); + }; + } + ); + } + ) + ); + }; possibleTargets = [ "genode" 
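Review bot: The cleanup in `builds`' `materializeTargets` script quotes the glob, `rm -f "$materializedDir/*/*.json"`, so bash hands rm a literal `*` path and `-f` suppresses the resulting no-such-file error; nothing is ever removed, and a target dropped from `targets` silently keeps its old `materialized/<target>/packages.json` and `monorepo.json`. The intended form is `rm -f "$materializedDir"/*/*.json`. The same script also runs `nix` without declaring it, while the per-target `materialize` script in `build` lists `coreutils`, `jq` and `nix` in `runtimeInputs`; adding `runtimeInputs = [ coreutils nix ];` to the `writeShellApplication` in `builds` keeps the two scripts consistent and independent of the caller's PATH. The `possibleTargets` list opened at the end of this hunk continues past it.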
@@ -151,68 +272,4 @@ rec { "virtio" "xen" ]; - - builds = - { - pname, - targets, - packages-materialized-path, - monorepo-materialized-path, - overrideAttrs ? _finalAttrs: _previousAttrs: { }, - ... - }@args: - let - self = lib.genAttrs targets ( - target: - (build ( - args - // { - inherit target; - monorepo-materialized-path = monorepo-materialized-path + "/${target}.json"; - packages-materialized-path = packages-materialized-path + "/${target}.json"; - } - )).overrideAttrs - ( - lib.composeExtensions (finalAttrs: previousAttrs: { - passthru = previousAttrs.passthru or { } // { - updateScript = writeShellApplication { - name = "${pname}-${target}-update"; - runtimeInputs = [ - coreutils - jq - nix - ]; - text = '' - set -x - packagesJson=$(nix --extra-experimental-features nix-command -L build \ - --no-link --print-out-paths --allow-import-from-derivation -f. \ - ${pname}.${target}.packages-materialized) - jq <"$packagesJson" | - install -Dm660 /dev/stdin pkgs/by-name/${pname}/packages-materialized/${target}.json - - monorepoJson=$(nix --extra-experimental-features nix-command -L build \ - --no-link --print-out-paths --allow-import-from-derivation -f. \ - ${pname}.${target}.monorepo-materialized) - jq <"$monorepoJson" | - install -Dm660 /dev/stdin pkgs/by-name/${pname}/monorepo-materialized/${target}.json - ''; - }; - }; - }) overrideAttrs - ) - ); - in - lib.recurseIntoAttrs ( - self - // { - updateScript = writeShellApplication { - name = "dnsvizor-update"; - runtimeInputs = [ - jq - nix - ]; - text = lib.concatMapStringsSep "\n" (target: lib.getExe self.${target}.updateScript) targets; - }; - } - ); } diff --git a/pkgs/by-name/dnsvizor/package.nix b/pkgs/by-name/dnsvizor/package.nix index adceae843..ba30fedef 100644 --- a/pkgs/by-name/dnsvizor/package.nix +++ b/pkgs/by-name/dnsvizor/package.nix 
@@ -5,15 +5,16 @@
 stdenv,
 callPackage,
 overrideCC,
+ unstableGitUpdater,
+ _experimental-update-script-combinators,
 }:
 let
 libMirage = callPackage ./mirage.nix { };
 in
-libMirage.builds {
+(libMirage.builds (finalAttrs: {
 pname = "dnsvizor";
 version = "0-unstable-2026-01-21";
- monorepo-materialized-path = ./monorepo-materialized;
- packages-materialized-path = ./packages-materialized;
+ materializedDir = ./materialized;
 src = fetchFromGitHub {
 owner = "robur-coop";
 repo = "dnsvizor";
@@ -26,46 +27,49 @@ libMirage.builds { rm -vrf $out/test ''; }; - overrideAttrs = finalAttrs: previousAttrs: { - meta = { - homepage = "https://github.com/robur-coop/dnsvizor"; - teams = with lib.teams; [ ngi ]; - }; + meta = { + homepage = "https://github.com/robur-coop/dnsvizor"; + teams = with lib.teams; [ ngi ]; + }; + overrideUnikernel = finalAttrs: previousAttrs: { buildInputs = previousAttrs.buildInputs or [ ] ++ [ # Some targets, such as hvt, need static GMP (or MPIR) - ( - (pkgsStatic.gmp.override { - # This compiles GMP with a GCC compiled with some flag implying --disable-tls - # Disabling or rather emulating TLS (Thread-Local Storage) - # is still required as of solo5-hvt-0.9.3 when compiling with OCaml-4 - # to avoid a crash at startup in __gmpn_cpuvec_init at an instruction mov %fs:0x28,%r12 - # accessing %fs (the address of the current thread's user-space thread structure): - # - # solo5-hvt-debug --dumpcore=dump --mem=512 --net:service=tap-unikernel -- \ - # $(nix -L build --print-out-paths --no-link -f. dnsvizor.hvt)/dnsvizor.hvt - # - # Solo5: trap: type=#PF ec=0x0 rip=0x466a86 rsp=0x1ffffc10 rflags=0x10002 - # Solo5: trap: cr2=0x28 - # Solo5: ABORT: cpu_x86_64.c:181: Fatal trap - stdenv = overrideCC pkgsStatic.stdenv pkgsStatic.stdenv.cc.cc; - }).overrideAttrs - (prevAttrs: { - # This is to support cxx = true which is not necessary for DNSvizor, - # but it's pkgs.gmp's default on most platforms. 
- depsBuildBuild = [ - pkgsStatic.stdenv.cc - pkgsStatic.binutils - ]; - }) - ) + (pkgsStatic.gmp.override { + # This compiles GMP with a GCC compiled with some flag implying --disable-tls + # Disabling or rather emulating TLS (Thread-Local Storage) + # is still required as of solo5-hvt-0.9.3 when compiling with OCaml-4 + # to avoid a crash at startup in __gmpn_cpuvec_init at an instruction mov %fs:0x28,%r12 + # accessing %fs (the address of the current thread's user-space thread structure): + # + # solo5-hvt-debug --dumpcore=dump --mem=512 --net:service=tap-unikernel -- \ + # $(nix -L build --print-out-paths --no-link -f. dnsvizor.hvt)/dnsvizor.hvt + # + # Solo5: trap: type=#PF ec=0x0 rip=0x466a86 rsp=0x1ffffc10 rflags=0x10002 + # Solo5: trap: cr2=0x28 + # Solo5: ABORT: cpu_x86_64.c:181: Fatal trap + stdenv = overrideCC pkgsStatic.stdenv pkgsStatic.stdenv.cc.cc; + # Can be supported by adding pkgsStatic.stdenv.{cc,binutils} to depsBuildBuild + # but DNSvizor does not need it. + cxx = false; + }) ]; }; query = { # follow upstream CI version (.cirrus.yml) because newer ones fail to build ocaml-base-compiler = "4.14.2"; }; + # ToDo(maint/update): increase the version boundary asserted + # or remove the pinned entries when no longer needed. + # Boundary literals are split in two when they would otherwise + # be replaced by update-source-version. monorepoQuery = { - uutf = "1.0.3+dune"; # default version is not in the dune overlay yet + # mirage-dnsvizor-hvt> File "duniverse/multipart_form/lib/dune", line 5, characters 31-35: + # mirage-dnsvizor-hvt> 5 | base64.rfc2045 prettym pecu uutf fmt angstrom)) + # mirage-dnsvizor-hvt> ^^^^ + # mirage-dnsvizor-hvt> Error: Library "uutf" not found. + uutf = + assert lib.versionAtLeast ("0" + "-unstable-2026-01-21") finalAttrs.version; + "1.0.3+dune"; # default version is not in the dune overlay yet }; # Explanation: remove broken targets instead of setting meta.broken 
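Review bot: The version tripwire on `uutf`, `assert lib.versionAtLeast ("0" + "-unstable-2026-01-21") finalAttrs.version;`, fails with only a bare "assertion failed" once the updater bumps `version` past the boundary, and because `monorepoQuery` feeds `monorepoMaterialized` it presumably fires inside the very `materializeTargets` run that just updated `src`, where the maintainer has the least context. Wrapping it in `lib.assertMsg` names the action to take: `assert lib.assertMsg (lib.versionAtLeast ("0" + "-unstable-2026-01-21") finalAttrs.version) "dnsvizor: version passed the uutf pin boundary in monorepoQuery; re-check the dune overlay and bump or drop the pin";`. Note that the boundary is the first argument to `versionAtLeast`, so the condition reads "boundary >= version"; a one-line comment saying the pin is meant to break on the next bump would spare the next reader a double take. The enclosing `libMirage.builds` argument set starts and ends outside this hunk.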
@@ -83,4 +87,19 @@ libMirage.builds {
 "xen"
 ]
 ) libMirage.possibleTargets;
-}
+})).extend
+ (
+ finalSet: previousSet: {
+ update = previousSet.update.overrideAttrs (
+ _finalAttrs: previousAttrs: {
+ passthru = previousAttrs.passthru or { } // {
+ updateScript = _experimental-update-script-combinators.sequence [
+ # To update `src` only once before materializing all `targets`.
+ (unstableGitUpdater { })
+ [ previousAttrs.passthru.materializeTargets ]
+ ];
+ };
+ }
+ );
+ }
+ )
diff --git a/projects/DNSvizor/services/dnsvizor/module.nix b/projects/DNSvizor/services/dnsvizor/module.nix
index dfd672a3e..b387f2db7 100644
--- a/projects/DNSvizor/services/dnsvizor/module.nix
+++ b/projects/DNSvizor/services/dnsvizor/module.nix
@@ -7,12 +7,12 @@
 }:
 # TODO(linj) implement and test DHCP
-# - run dnsvizor as a DHCP server
+# - run DNSvizor as a DHCP server
 # - update DNS record in the authoritative DNS server when DHCP ip changes
 # - update config for tlstunnel mirageos unikernel when DHCP ip changes
 # - need to add module (and package) for tlstunnel unikernel first, which itself is a complex project
 # TODO(linj) implement and test --ipv6-only: currently we assume ipv4 is always there and have implemented/tested --ipv4-only and dual stack configs
-# - dnsvizor always has a default value for --ipv4 (but not ipv4-gateway?), seems conflict with --ipv6-only. is --ipv6-only even supported by dnsvizor?
+# - DNSvizor always has a default value for --ipv4 (but not ipv4-gateway?), seems conflict with --ipv6-only. is --ipv6-only even supported by DNSvizor?
 # TODO(linj) test DNSSEC (is that even possible?)
 let
@@ -40,14 +40,17 @@ let
 in
 {
 options.services.dnsvizor = {
- enable = lib.mkEnableOption "dnsvizor";
+ enable = lib.mkEnableOption "DNSvizor";
- package = lib.mkPackageOption pkgs "dnsvizor (hvt target)" {
+ package = lib.mkPackageOption pkgs "HVT (Hardware Virtualized Tender) target of DNSvizor" {
 default = [
 "dnsvizor"
 "hvt"
 ];
- extraDescription = "We assume dnsvizor.hvt exists at the root dir of the package.";
+ extraDescription = ''
+ This package must provide an HVT unikernel
+ at `share/mirageos/dnsvizor.hvt`.
+ '';
 };
 memory = lib.mkOption {
@@ -240,7 +243,7 @@ in
 description = "The main network interface of the host.";
 };
- openFirewall = lib.mkEnableOption "opening ports in the firewall for dnsvizor";
+ openFirewall = lib.mkEnableOption "opening ports in the firewall for DNSvizor";
 packetForwardingIsSecure = lib.mkOption {
 type = lib.types.bool;
@@ -328,7 +331,7 @@ in
 config = lib.mkIf cfg.enable {
 systemd.services.dnsvizor = {
- description = "dnsvizor recursive/stub DNS resolver and DHCP server";
+ description = "DNSvizor recursive/stub DNS resolver and DHCP server";
 documentation = [ "https://robur-coop.github.io/dnsvizor-handbook/" ];
 wantedBy = [ "multi-user.target" ];
 bindsTo = [ unikernelInterfaceSystemdUnit ];
@@ -339,7 +342,7 @@ in
 --mem=${builtins.toString cfg.memory} \
 --net:service=${utils.escapeSystemdExecArg cfg.unikernelInterface} \
 -- \
- ${cfg.package}/dnsvizor.hvt \
+ ${cfg.package}/share/mirageos/dnsvizor.hvt \
 ${utils.escapeSystemdExecArgs (lib.cli.toCommandLineGNU { } cfg.settings)}
 '';
 Restart = "on-failure";
@@ -452,7 +455,7 @@ in warnings = lib.optional (!cfg.packetForwardingIsSecure) '' services.dnsvizor module enables packet forwarding. A properly configured firewall or a trusted L2 on all network interfaces is required to prevent unauthorized access to the internal network. - A simple firewall will be added and configured for dnsvizor if you enable networking.firewall.enable, networking.firewall.filterForward and networking.nftables.enable. + A simple firewall will be added and configured for DNSvizor if you enable networking.firewall.enable, networking.firewall.filterForward and networking.nftables.enable. If you build your own firewall, allow packets from ${cfg.unikernelInterface} to ${cfg.mainInterface}. After a firewall is set up, set services.dnsvizor.packetForwardingIsSecure to true to disable this warning. '';