rebuilderd: init at 0.22.1 (#343334)

drupol · web-flow · commit 56e88da108cf · 2025-02-28T09:14:08.000+01:00
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -173,6 +173,8 @@
 
 - [Recyclarr](https://github.com/recyclarr/recyclarr) a TRaSH Guides synchronizer for Sonarr and Radarr. Available as [services.recyclarr](#opt-services.recyclarr.enable).
 
+- [Rebuilderd](https://github.com/kpcyrd/rebuilderd) an independent verification of binary packages - Reproducible Builds. Available as [services.rebuilderd](#opt-services.rebuilderd.enable).
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-release-25.05-incompatibilities}
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -868,6 +868,7 @@
   ./services/misc/radicle.nix
   ./services/misc/readarr.nix
   ./services/misc/realmd.nix
+  ./services/misc/rebuilderd.nix
   ./services/misc/recyclarr.nix
   ./services/misc/redlib.nix
   ./services/misc/redmine.nix
diff --git a/nixos/modules/services/misc/rebuilderd.nix b/nixos/modules/services/misc/rebuilderd.nix
@@ -0,0 +1,49 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  inherit (lib) mkEnableOption mkIf mkPackageOption;
+  cfg = config.services.rebuilderd;
+
+  format = pkgs.formats.toml { };
+  settings = lib.attrsets.filterAttrs (n: v: v != null) cfg.settings;
+  configFile = format.generate "rebuilderd.conf" settings;
+in
+{
+  options.services.rebuilderd = {
+    enable = mkEnableOption "rebuilderd service for independent verification of binary packages";
+    package = mkPackageOption pkgs "rebuilderd" { };
+    settings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+      };
+      default = { };
+      description = ''
+        Configuration for rebuilderd (rebuilderd.conf)
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.rebuilderd = {
+      description = "Independent verification of binary packages";
+      wantedBy = [ "multi-user.target" ];
+      environment = {
+        REBUILDERD_COOKIE_PATH = "/var/lib/rebuilderd/auth-cookie";
+      };
+      after = [
+        "network.target"
+      ];
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/rebuilderd --config ${configFile}";
+        DynamicUser = true;
+        StateDirectory = "rebuilderd";
+        WorkingDirectory = "/var/lib/rebuilderd";
+      };
+    };
+  };
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
@@ -956,6 +956,7 @@ in {
   readarr = handleTest ./readarr.nix {};
   realm = handleTest ./realm.nix {};
   readeck = runTest ./readeck.nix;
+  rebuilderd = runTest ./rebuilderd.nix;
   redis = handleTest ./redis.nix {};
   redlib = handleTest ./redlib.nix {};
   redmine = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./redmine.nix {};
diff --git a/nixos/tests/rebuilderd.nix b/nixos/tests/rebuilderd.nix
@@ -0,0 +1,38 @@
+{ lib, ... }:
+
+{
+  name = "rebuilderd";
+
+  nodes = {
+    machine =
+      { pkgs, ... }:
+      {
+        services.rebuilderd = {
+          enable = true;
+        };
+      };
+
+    machine_custom_config =
+      { pkgs, ... }:
+      {
+        services.rebuilderd = {
+          enable = true;
+          settings = {
+            http.bind_addr = "0.0.0.0:1234";
+          };
+        };
+      };
+  };
+
+  testScript = ''
+    machine.start()
+    machine.wait_for_unit("rebuilderd.service")
+    machine.wait_for_open_port(8484)
+
+    machine_custom_config.start()
+    machine_custom_config.wait_for_unit("rebuilderd.service")
+    machine_custom_config.wait_for_open_port(1234)
+  '';
+
+  meta.maintainers = [ lib.maintainers.drupol ];
+}
diff --git a/pkgs/by-name/re/rebuilderd/package.nix b/pkgs/by-name/re/rebuilderd/package.nix
@@ -0,0 +1,126 @@
+{
+  lib,
+  rustPlatform,
+  fetchFromGitHub,
+  pkg-config,
+  shared-mime-info,
+  installShellFiles,
+  scdoc,
+  bzip2,
+  openssl,
+  sqlite,
+  xz,
+  zstd,
+  stdenv,
+  darwin,
+  buildPackages,
+  versionCheckHook,
+  nixosTests,
+  nix-update-script,
+}:
+
+rustPlatform.buildRustPackage (finalAttrs: {
+  pname = "rebuilderd";
+  version = "0.22.1";
+
+  src = fetchFromGitHub {
+    owner = "kpcyrd";
+    repo = "rebuilderd";
+    tag = "v${finalAttrs.version}";
+    hash = "sha256-YMBq+Z9yMQRXOM3U679g2lnBZlH/h0VLjoxySxi4SCo=";
+  };
+
+  postPatch = ''
+    substituteInPlace tools/src/args.rs \
+      --replace-fail "/etc/rebuilderd-sync.conf" '${placeholder "out"}/etc/rebuilderd-sync.conf'
+
+    substituteInPlace worker/src/config.rs \
+      --replace-fail 'from("/etc/rebuilderd-worker.conf")' 'from("${placeholder "out"}/etc/rebuilderd-worker.conf")'
+
+    substituteInPlace worker/src/proc.rs \
+      --replace-fail '/bin/echo' 'echo'
+  '';
+
+  useFetchCargoVendor = true;
+  cargoHash = "sha256-MjFQ5d9VWHodjj+hIsKgAIUdaiarXIi5GCS+47n5MGU=";
+
+  nativeBuildInputs = [
+    pkg-config
+    installShellFiles
+    scdoc
+  ];
+
+  buildInputs =
+    [
+      bzip2
+      openssl
+      shared-mime-info
+      sqlite
+      xz
+      zstd
+    ]
+    ++ lib.optionals stdenv.hostPlatform.isDarwin [
+      darwin.apple_sdk.frameworks.Security
+      darwin.apple_sdk.frameworks.SystemConfiguration
+    ];
+
+  postInstall =
+    let
+      emulator = stdenv.hostPlatform.emulator buildPackages;
+    in
+    ''
+      mkdir -p $out/etc
+
+      # install config files
+      install -Dm 644 -t "$out/etc" contrib/confs/rebuilderd-sync.conf
+      install -Dm 640 -t "$out/etc" contrib/confs/rebuilderd-worker.conf contrib/confs/rebuilderd.conf
+
+      installShellCompletion --cmd rebuildctl \
+        --bash <(${emulator} $out/bin/rebuildctl completions bash) \
+        --fish <(${emulator} $out/bin/rebuildctl completions fish) \
+        --zsh <(${emulator} $out/bin/rebuildctl completions zsh)
+
+      for f in contrib/docs/*.scd; do
+        local page="contrib/docs/$(basename "$f" .scd)"
+        scdoc < "$f" > "$page"
+        installManPage "$page"
+      done
+    '';
+
+  checkFlags = [
+    # Failing tests
+    "--skip=decompress::tests::decompress_bzip2_compression"
+    "--skip=decompress::tests::decompress_gzip_compression"
+    "--skip=decompress::tests::decompress_xz_compression"
+    "--skip=decompress::tests::decompress_zstd_compression"
+    "--skip=decompress::tests::detect_bzip2_compression"
+    "--skip=decompress::tests::detect_gzip_compression"
+    "--skip=decompress::tests::detect_xz_compression"
+    "--skip=decompress::tests::detect_zstd_compression"
+    "--skip=proc::tests::hello_world"
+    "--skip=proc::tests::size_limit_kill"
+    "--skip=proc::tests::size_limit_no_kill"
+    "--skip=proc::tests::size_limit_no_kill_but_timeout"
+    "--skip=proc::tests::timeout"
+  ];
+
+  nativeInstallCheckInputs = [
+    versionCheckHook
+  ];
+  versionCheckProgramArg = [ "--version" ];
+  doInstallCheck = true;
+
+  passthru.tests = {
+    rebuilderd = nixosTests.rebuilderd;
+  };
+
+  passthru.updateScript = nix-update-script { };
+
+  meta = {
+    description = "Independent verification of binary packages - reproducible builds";
+    homepage = "https://github.com/kpcyrd/rebuilderd";
+    license = lib.licenses.gpl3Plus;
+    maintainers = with lib.maintainers; [ drupol ];
+    mainProgram = "rebuilderd";
+  };
+})
