nixos/rebuilderd: init

Author: drupol

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -171,6 +171,8 @@
 
 - [Recyclarr](https://github.com/recyclarr/recyclarr) a TRaSH Guides synchronizer for Sonarr and Radarr. Available as [services.recyclarr](#opt-services.recyclarr.enable).
 
+- [Rebuilderd](https://github.com/kpcyrd/rebuilderd) an independent verification of binary packages - Reproducible Builds. Available as [services.rebuilderd](#opt-services.rebuilderd.enable).
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-release-25.05-incompatibilities}

nixos/modules/module-list.nix

@@ -868,6 +868,7 @@
   ./services/misc/radicle.nix
   ./services/misc/readarr.nix
   ./services/misc/realmd.nix
+  ./services/misc/rebuilderd.nix
   ./services/misc/recyclarr.nix
   ./services/misc/redlib.nix
   ./services/misc/redmine.nix

nixos/modules/services/misc/rebuilderd.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  inherit (lib) mkEnableOption mkIf mkPackageOption;
+  cfg = config.services.rebuilderd;
+
+  format = pkgs.formats.toml { };
+  settings = lib.attrsets.filterAttrs (n: v: v != null) cfg.settings;
+  configFile = format.generate "rebuilderd.conf" settings;
+in
+{
+  options.services.rebuilderd = {
+    enable = mkEnableOption "rebuilderd service for independent verification of binary packages";
+    package = mkPackageOption pkgs "rebuilderd" { };
+    settings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+      };
+      default = { };
+      description = ''
+        Configuration for rebuilderd (rebuilderd.conf)
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.rebuilderd = {
+      description = "Independent verification of binary packages";
+      wantedBy = [ "multi-user.target" ];
+      environment = {
+        REBUILDERD_COOKIE_PATH = "/var/lib/rebuilderd/auth-cookie";
+      };
+      after = [
+        "network.target"
+      ];
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/rebuilderd --config ${configFile}";
+        DynamicUser = true;
+        StateDirectory = "rebuilderd";
+        WorkingDirectory = "/var/lib/rebuilderd";
+      };
+    };
+  };
+}

nixos/tests/all-tests.nix

@@ -953,6 +953,7 @@ in {
   readarr = handleTest ./readarr.nix {};
   realm = handleTest ./realm.nix {};
   readeck = runTest ./readeck.nix;
+  rebuilderd = runTest ./rebuilderd.nix;
   redis = handleTest ./redis.nix {};
   redlib = handleTest ./redlib.nix {};
   redmine = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./redmine.nix {};

nixos/tests/rebuilderd.nix

@@ -0,0 +1,38 @@
+{ lib, ... }:
+
+{
+  name = "rebuilderd";
+
+  nodes = {
+    machine =
+      { pkgs, ... }:
+      {
+        services.rebuilderd = {
+          enable = true;
+        };
+      };
+
+    machine_custom_config =
+      { pkgs, ... }:
+      {
+        services.rebuilderd = {
+          enable = true;
+          settings = {
+            http.bind_addr = "0.0.0.0:1234";
+          };
+        };
+      };
+  };
+
+  testScript = ''
+    machine.start()
+    machine.wait_for_unit("rebuilderd.service")
+    machine.wait_for_open_port(8484)
+
+    machine_custom_config.start()
+    machine_custom_config.wait_for_unit("rebuilderd.service")
+    machine_custom_config.wait_for_open_port(1234)
+  '';
+
+  meta.maintainers = [ lib.maintainers.drupol ];
+}

pkgs/by-name/re/rebuilderd/package.nix

@@ -15,6 +15,7 @@
   darwin,
   buildPackages,
   versionCheckHook,
+  nixosTests,
   nix-update-script,
 }:
 
@@ -109,6 +110,10 @@ rustPlatform.buildRustPackage (finalAttrs: {
   versionCheckProgramArg = [ "--version" ];
   doInstallCheck = true;
 
+  passthru.tests = {
+    rebuilderd = nixosTests.rebuilderd;
+  };
+
   passthru.updateScript = nix-update-script { };
 
   meta = {