feat(init): init

.gitignore

@@ -0,0 +1,6 @@
+result
+result-*
+
+.pre-commit-config.yaml
+
+*.swp

default.nix

@@ -0,0 +1,37 @@
+{
+  sources ? import ./npins,
+  nixpkgs ? sources.nixpkgs,
+  pkgs ? import nixpkgs { overlays = [ (import ./pkgs/overlay.nix) ]; },
+}:
+let
+  check = (import sources.git-hooks).run {
+    src = ./.;
+
+    hooks = {
+      # Nix Hooks
+      statix.enable = true;
+      deadnix.enable = true;
+      rfc101 = {
+        enable = true;
+
+        name = "RFC-101 formatting";
+        entry = "${pkgs.lib.getExe pkgs.nixfmt-rfc-style}";
+        files = "\\.nix$";
+      };
+
+      # Misc Hooks
+      commitizen.enable = true;
+    };
+  };
+in
+{
+  inherit pkgs;
+  shell = pkgs.mkShell {
+    name = "binary-cache";
+    buildInputs = check.enabledPackages;
+    shellHook = ''
+      ${check.shellHook}
+    '';
+
+  };
+}

modules/default.nix

@@ -0,0 +1,90 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.services.tvix-binary-cache;
+in
+{
+  options = {
+    services.tvix-binary-cache = {
+      enable = lib.mkEnableOption "BinaryCache using tvix ca-store";
+      port = lib.mkOption {
+        type = lib.types.port;
+        default = 9000;
+      };
+    };
+  };
+
+  config = {
+
+    systemd.services =
+      let
+        stateDir = "tvix-binary-cache";
+      in
+      lib.mkIf cfg.enable {
+        nar-bridge = {
+          wants = [ "tvix-store.service" ];
+          wantedBy = [ "multi-user.target" ];
+          after = [ "tvix-store.service" ];
+          serviceConfig = rec {
+            ExecStart = "${lib.getExe pkgs.nar-bridge-go} --otlp=false --listen-addr=\"[::1]:${builtins.toString cfg.port}\" --store-addr=\"unix://%t/${stateDir}/socket\"";
+
+            DynamicUser = true;
+            User = "tvix-binary-cache";
+            Group = "nginx";
+
+            PrivateDevices = true;
+            PrivateTmp = true;
+            ProtectControlGroups = true;
+            ProtectKernelTunables = true;
+            RestrictSUIDSGID = true;
+
+            ProtectSystem = "strict";
+            ProtectKernelLogs = true;
+            ProtectProc = "invisible";
+            PrivateUsers = true;
+            ProtectHome = true;
+            UMask = "0077";
+            RuntimeDirectoryMode = "0750";
+            StateDirectoryMode = "0750";
+          };
+        };
+        tvix-store = {
+          environment = {
+            BLOB_SERVICE_ADDR = "objectstore+file://%S/${stateDir}/blobs.object_store";
+            DIRECTORY_SERVICE_ADDR = "sled://%S/${stateDir}/directories.sled";
+            PATH_INFO_SERVICE_ADDR = "sled://%S/${stateDir}/pathinfo.sled";
+          };
+          serviceConfig = {
+            ExecStart = "${pkgs.tvix-store}/bin/tvix-store --otlp=false daemon --listen-address=\"%t/${stateDir}/socket\"";
+
+            DynamicUser = true;
+            User = "tvix-binary-cache";
+            Group = "nginx";
+            StateDirectory = stateDir;
+            RuntimeDirectory = stateDir;
+
+            PrivateDevices = true;
+            PrivateTmp = true;
+            ProtectControlGroups = true;
+            ProtectKernelTunables = true;
+            RestrictSUIDSGID = true;
+
+            ProtectSystem = "strict";
+            ProtectKernelLogs = true;
+            ProtectProc = "invisible";
+            PrivateUsers = true;
+            ProtectHome = true;
+            UMask = "0077";
+            RuntimeDirectoryMode = "0750";
+            StateDirectoryMode = "0750";
+          };
+        };
+
+      };
+
+  };
+}

npins/default.nix

@@ -0,0 +1,79 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+  data = builtins.fromJSON (builtins.readFile ./sources.json);
+  inherit (data) version;
+
+  mkSource =
+    spec:
+    assert spec ? type;
+    let
+      path =
+        if spec.type == "Git" then
+          mkGitSource spec
+        else if spec.type == "GitRelease" then
+          mkGitSource spec
+        else if spec.type == "PyPi" then
+          mkPyPiSource spec
+        else if spec.type == "Channel" then
+          mkChannelSource spec
+        else
+          builtins.throw "Unknown source type ${spec.type}";
+    in
+    spec // { outPath = path; };
+
+  mkGitSource =
+    {
+      repository,
+      revision,
+      url ? null,
+      hash,
+      ...
+    }:
+    assert repository ? type;
+    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+    # In the latter case, there we will always be an url to the tarball
+    if url != null then
+      (builtins.fetchTarball {
+        inherit url;
+        sha256 = hash; # FIXME: check nix version & use SRI hashes
+      })
+    else
+      assert repository.type == "Git";
+      let
+        urlToName =
+          url: rev:
+          let
+            matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
+
+            short = builtins.substring 0 7 rev;
+
+            appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
+          in
+          "${if matched == null then "source" else builtins.head matched}${appendShort}";
+        name = urlToName repository.url revision;
+      in
+      builtins.fetchGit {
+        inherit (repository) url;
+        rev = revision;
+        inherit name;
+        # hash = hash;
+      };
+
+  mkPyPiSource =
+    { url, hash, ... }:
+    builtins.fetchurl {
+      inherit url;
+      sha256 = hash;
+    };
+
+  mkChannelSource =
+    { url, hash, ... }:
+    builtins.fetchTarball {
+      inherit url;
+      sha256 = hash;
+    };
+in
+if version == 3 then
+  builtins.mapAttrs (_: mkSource) data.pins
+else
+  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"

npins/sources.json

@@ -0,0 +1,23 @@
+{
+  "pins": {
+    "git-hooks": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "cachix",
+        "repo": "git-hooks.nix"
+      },
+      "branch": "master",
+      "revision": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07.tar.gz",
+      "hash": "0bmgc731c5rvky6qxc4f6gvgyiic8dna5dv3j19kya86idf7wn0p"
+    },
+    "nixpkgs": {
+      "type": "Channel",
+      "name": "nixpkgs-unstable",
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre644361.1e3deb3d8a86/nixexprs.tar.xz",
+      "hash": "0q8wrydwkyyjag9dz6mazmqnzw14jgg0vzj4n5zz94zq9fgnl8kc"
+    }
+  },
+  "version": 3
+}

pkgs/nar-bridge-go/default.nix

@@ -0,0 +1,9 @@
+{ buildGoModule, tvix-src }:
+buildGoModule rec {
+  pname = "nar-bridge-go";
+  version = "0.1.0";
+  src = tvix-src;
+  sourceRoot = "${src.name}/nar-bridge-go";
+  vendorHash = "sha256-7jugbC5sEGhppjiZgnoLP5A6kQSaHK9vE6cXVZBG22s=";
+  meta.mainProgram = "nar-bridge-http";
+}

pkgs/overlay.nix

@@ -0,0 +1,5 @@
+final: _: {
+  tvix-store = final.callPackage ./tvix { packages = [ "tvix-store" ]; };
+  nar-bridge-go = final.callPackage ./nar-bridge-go { };
+  tvix-src = final.callPackage ./tvix-src.nix { };
+}

pkgs/tvix-src.nix

@@ -0,0 +1,7 @@
+{ fetchgit }:
+fetchgit {
+  name = "tvix";
+  url = "https://code.tvl.fyi/depot.git:workspace=views/tvix.git";
+  rev = "6ae6c37fac42e10a34d020a5fd7e71640f3ffe68";
+  hash = "sha256-AmGCRGsGMQVnPMm+g1qZEE4tRxejZgHfqDSmsxwaRcw=";
+}

pkgs/tvix/default.nix

@@ -0,0 +1,32 @@
+{
+  tvix-src,
+  rustPlatform,
+  protobuf,
+  packages ? [ ],
+  pname ? "tvix",
+}:
+
+rustPlatform.buildRustPackage rec {
+  inherit pname;
+  version = "0.1.0";
+
+  src = tvix-src;
+
+  doCheck = false;
+
+  cargoBuildFlags = builtins.concatStringsSep " " (builtins.map (v: "-p ${v}") packages);
+
+  nativeBuildInputs = [ protobuf ];
+
+  PROTO_ROOT = "/build";
+
+  cargoLock = {
+    lockFile = ./Cargo.lock;
+    outputHashes = {
+      "bigtable_rs-0.2.9" = "sha256-lPatDrsEtEdEP4dtBz5+su4ADFKPBqJOtbSLTkNVUto=";
+      "wu-manber-0.1.0" = "sha256-7YIttaQLfFC/32utojh2DyOHVsZiw8ul/z0lvOhAE/4=";
+    };
+  };
+  cargoHash = "sha256-j7+O6KRhUk3cWWoiCdFM0S6f0CMVIfqHshpdKpXsa/g=";
+  meta = { };
+}

shell.nix

@@ -0,0 +1 @@
+(import ./default.nix { }).shell

test.nix

@@ -0,0 +1,53 @@
+let
+  sources = import ./npins;
+  inherit (sources) nixpkgs;
+  pkgs = import nixpkgs { overlays = [ (import ./pkgs/overlay.nix) ]; };
+  inherit (pkgs) hello;
+in
+pkgs.testers.runNixOSTest (_: {
+  name = "cache smoke test";
+  nodes.machine =
+    { config, ... }:
+    {
+      imports = [ ./modules ];
+
+      system.extraDependencies = [ hello ];
+
+      services.tvix-binary-cache.enable = true;
+
+      services.nginx = {
+        enable = true;
+        recommendedProxySettings = true;
+        virtualHosts.cachix = {
+          default = true;
+          locations."/" = {
+            proxyPass = "http://localhost:${toString config.services.tvix-binary-cache.port}";
+            extraConfig = ''
+              client_max_body_size 10G;
+            '';
+          };
+
+        };
+      };
+    };
+  testScript = ''
+    import sys
+    import time
+    start_all()
+    machine.wait_for_unit("tvix-store.service")
+    machine.wait_for_unit("nginx.service")
+    machine.wait_for_unit("nar-bridge.service")
+    time.sleep(1)
+    with subtest("Nar bridge home"):
+        out = machine.succeed("curl http://127.0.0.1/")
+        print(repr(out))
+        if out != "nar-bridge":
+            sys.exit(1)
+    with subtest("Nar upload"):
+        machine.succeed("nix copy --extra-experimental-features nix-command --to 'http://127.0.0.1/?compression=none' ${hello}")
+    with subtest("narinfo retrieve"):
+        narHash = "${hello}"[11:11+32]
+        machine.succeed("curl 'http://127.0.0.1/{narHash}.narinfo'")
+
+  '';
+})