From bad5d78455bc2a5d11f0809ff3ab858d9a9b72a2 Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Sun, 17 May 2026 17:59:21 -0400 Subject: [PATCH 01/13] forgot to add pkgs --- src/pkgs/iptables-legacy.nix | 8 ++++++++ src/pkgs/iptables-nft.nix | 8 ++++++++ 2 files changed, 16 insertions(+) create mode 100644 src/pkgs/iptables-legacy.nix create mode 100644 src/pkgs/iptables-nft.nix diff --git a/src/pkgs/iptables-legacy.nix b/src/pkgs/iptables-legacy.nix new file mode 100644 index 0000000..72164ff --- /dev/null +++ b/src/pkgs/iptables-legacy.nix @@ -0,0 +1,8 @@ +pkgs: + +# In modern nixpkgs, the plain "iptables" symlink points to the NFT backend, +# so we must explicitly request "iptables-legacy" (→ xtables-legacy-multi). +pkgs.iptables // { + iglooName = "iptables-legacy"; + meta = pkgs.iptables.meta // { mainProgram = "iptables-legacy"; }; +} diff --git a/src/pkgs/iptables-nft.nix b/src/pkgs/iptables-nft.nix new file mode 100644 index 0000000..b5965ad --- /dev/null +++ b/src/pkgs/iptables-nft.nix @@ -0,0 +1,8 @@ +pkgs: + +# xtables-nft-multi is the multi-call binary for the nf_tables frontend. +# Override mainProgram so getExe resolves to the nft variant's symlink. +pkgs.iptables // { + iglooName = "iptables-nft"; + meta = pkgs.iptables.meta // { mainProgram = "iptables-nft"; }; +} From efdbea3ae69d14dd972afee0505fb14806cbda66 Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Sun, 17 May 2026 18:04:54 -0400 Subject: [PATCH 02/13] build on PRs --- .github/workflows/build.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index af3c91e..aee30b7 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -3,6 +3,8 @@ name: Build on: push: branches: main + pull_request: + branches: main jobs: build: @@ -30,6 +32,7 @@ jobs: use_api: true - name: Create release + if: github.event_name == 'push' id: create_release uses: actions/create-release@v1 env: @@ -42,6 +45,7 @@ jobs: prerelease: false - name: Upload release asset + if: github.event_name == 'push' uses: actions/upload-release-asset@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -52,6 +56,7 @@ jobs: asset_content_type: application/gzip - name: Publish release + if: github.event_name == 'push' uses: StuYarrow/publish-release@v1.1.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From bc3a5015f8eb93b339a0595af4156be6cdfe0ba3 Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Sun, 17 May 2026 22:15:47 -0400 Subject: [PATCH 03/13] try skipping devdoc for gnutls --- src/cross-overlays.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/cross-overlays.nix b/src/cross-overlays.nix index 10d546a..75ed32b 100644 --- a/src/cross-overlays.nix +++ b/src/cross-overlays.nix @@ -22,10 +22,14 @@ p11-kit = super.p11-kit.overrideAttrs { doCheck = false; }; }) - # GnuTLS' docs build runs generated target binaries such as lt-errcodes. + # GnuTLS' docs build runs generated target binaries such as lt-errcodes, + # which fails when cross-compiling. Disable the build and also drop the + # devdoc output, otherwise nix fails with "failed to produce output path + # for output 'devdoc'" since the directory is never created. (self: super: { gnutls = super.gnutls.overrideAttrs (o: { configureFlags = (o.configureFlags or [ ]) ++ [ "--disable-doc" ]; + outputs = builtins.filter (x: x != "devdoc") (o.outputs or [ "out" ]); }); }) From db54f44382fb0719d8310b021cde56f433d6fac3 Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Mon, 18 May 2026 06:41:02 -0400 Subject: [PATCH 04/13] try without man pages? --- src/cross-overlays.nix | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/cross-overlays.nix b/src/cross-overlays.nix index 75ed32b..820c914 100644 --- a/src/cross-overlays.nix +++ b/src/cross-overlays.nix @@ -24,12 +24,15 @@ # GnuTLS' docs build runs generated target binaries such as lt-errcodes, # which fails when cross-compiling. Disable the build and also drop the - # devdoc output, otherwise nix fails with "failed to produce output path - # for output 'devdoc'" since the directory is never created. + # devdoc/man outputs, otherwise nix fails with "failed to produce output + # path for output 'devdoc'" / "'man'" since the directories are never + # created. (self: super: { gnutls = super.gnutls.overrideAttrs (o: { configureFlags = (o.configureFlags or [ ]) ++ [ "--disable-doc" ]; - outputs = builtins.filter (x: x != "devdoc") (o.outputs or [ "out" ]); + outputs = builtins.filter + (x: !(builtins.elem x [ "devdoc" "man" ])) + (o.outputs or [ "out" ]); }); }) From fa279d74a4588d701076f30987b83bca8c9b5476 Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Mon, 18 May 2026 09:33:26 -0400 Subject: [PATCH 05/13] skip openssl checks? --- src/cross-overlays.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/cross-overlays.nix b/src/cross-overlays.nix index 820c914..213b290 100644 --- a/src/cross-overlays.nix +++ b/src/cross-overlays.nix @@ -22,6 +22,13 @@ p11-kit = super.p11-kit.overrideAttrs { doCheck = false; }; }) + # OpenSSL's 04-test_bio_dgram.t fails in restricted CI sandboxes that lack + # proper DGRAM/IPv6 loopback. Skip the test phase rather than carry an + # upstream-specific patch. + (self: super: { + openssl = super.openssl.overrideAttrs { doCheck = false; }; + }) + # GnuTLS' docs build runs generated target binaries such as lt-errcodes, # which fails when cross-compiling. Disable the build and also drop the # devdoc/man outputs, otherwise nix fails with "failed to produce output From 90ceadfcc07bad0738f203f4abaaaee7d490e8d3 Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Mon, 18 May 2026 22:24:57 -0400 Subject: [PATCH 06/13] trying to fix deps --- .github/workflows/build.yaml | 4 ++++ src/cross-overlays.nix | 9 +++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index aee30b7..b3983f4 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -19,6 +19,10 @@ jobs: extra_nix_config: | max-jobs = 8 cores = 8 + - uses: cachix/cachix-action@v17 + with: + name: rehosting + authToken: ${{ secrets.CACHIX_REHOSTING }} - uses: nix-community/cache-nix-action@v5 with: primary-key: ${{ runner.os }}-nix-store diff --git a/src/cross-overlays.nix b/src/cross-overlays.nix index 213b290..64e5cb6 100644 --- a/src/cross-overlays.nix +++ b/src/cross-overlays.nix @@ -51,9 +51,14 @@ }); }) - # Disable unused and/or broken-on-some-platforms elfutils features + # Disable unused and/or broken-on-some-platforms elfutils features, and + # ensure pkg-config is available at build time (the configure script + # needs it to locate zlib/bzip2/lzma/zstd; for cross builds nixpkgs + # doesn't always inject it automatically). (self: super: { - elfutils = super.elfutils.override { enableDebuginfod = false; }; + elfutils = (super.elfutils.override { enableDebuginfod = false; }).overrideAttrs (o: { + nativeBuildInputs = (o.nativeBuildInputs or [ ]) ++ [ self.pkg-config ]; + }); }) ] From 0ac5e6f46b7dfd70b9cf2d98080ebad9fc210514 Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Mon, 18 May 2026 22:29:52 -0400 Subject: [PATCH 07/13] cachix: set USER --- .github/workflows/build.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index b3983f4..277a15c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -20,6 +20,8 @@ jobs: max-jobs = 8 cores = 8 - uses: cachix/cachix-action@v17 + env: + USER: root with: name: rehosting authToken: ${{ secrets.CACHIX_REHOSTING }} From 016e0c80e35e442c93662d8f44f8e51e519a051c Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Mon, 18 May 2026 22:36:36 -0400 Subject: [PATCH 08/13] rehosting-arc: nix installed? --- .github/workflows/build.yaml | 22 +++++++--------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 277a15c..1a6f000 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -6,31 +6,23 @@ on: pull_request: branches: main +env: + USER: root + jobs: build: runs-on: rehosting-arc steps: - - uses: actions/checkout@v3 - - run: sudo apt-get update - - run: sudo apt-get install xz-utils curl p7zip-full jq sqlite3 -y - - uses: cachix/install-nix-action@v27 - with: - github_access_token: ${{ secrets.GITHUB_TOKEN }} - extra_nix_config: | - max-jobs = 8 - cores = 8 - uses: cachix/cachix-action@v17 - env: - USER: root with: name: rehosting authToken: ${{ secrets.CACHIX_REHOSTING }} - - uses: nix-community/cache-nix-action@v5 - with: - primary-key: ${{ runner.os }}-nix-store + - uses: actions/checkout@v3 + - run: sudo apt-get update + - run: sudo apt-get install xz-utils curl p7zip-full jq sqlite3 -y - uses: DeterminateSystems/flake-checker-action@main - run: nix flake check - - run: nix build + - run: nix build --max-jobs 8 --cores 8 - run: tar -chzvf hyperfs.tar.gz result - uses: reecetech/version-increment@2023.10.1 id: version From cb2fb4dede9d91db19c4e3cdd9a7abd8e7d0b3d8 Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Mon, 18 May 2026 22:43:07 -0400 Subject: [PATCH 09/13] try nix-action --- .github/workflows/build.yaml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 1a6f000..6b84a2b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -13,16 +13,25 @@ jobs: build: runs-on: rehosting-arc steps: + - uses: actions/checkout@v3 + - run: sudo apt-get update + - run: sudo apt-get install xz-utils curl p7zip-full jq sqlite3 -y + - uses: cachix/install-nix-action@v27 + with: + github_access_token: ${{ secrets.GITHUB_TOKEN }} + extra_nix_config: | + max-jobs = 8 + cores = 8 + # install-nix-action writes /etc/nix/nix.conf as root; loosen perms so + # the runner user (used by cachix-action) can append substituter lines. + - run: sudo chmod 666 /etc/nix/nix.conf - uses: cachix/cachix-action@v17 with: name: rehosting authToken: ${{ secrets.CACHIX_REHOSTING }} - - uses: actions/checkout@v3 - - run: sudo apt-get update - - run: sudo apt-get install xz-utils curl p7zip-full jq sqlite3 -y - uses: DeterminateSystems/flake-checker-action@main - run: nix flake check - - run: nix build --max-jobs 8 --cores 8 + - run: nix build - run: tar -chzvf hyperfs.tar.gz result - uses: reecetech/version-increment@2023.10.1 id: version From 2dada6d341c1edc2edf6b80ccf741e6b4c0cc151 Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Mon, 18 May 2026 22:46:34 -0400 Subject: [PATCH 10/13] chown? --- .github/workflows/build.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 6b84a2b..00132e6 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -16,6 +16,7 @@ jobs: - uses: actions/checkout@v3 - run: sudo apt-get update - run: sudo apt-get install xz-utils curl p7zip-full jq sqlite3 -y + - run: sudo chown -R "$(id -u):$(id -g)" /nix || true - uses: cachix/install-nix-action@v27 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} From ab31618b21fe29b2b2da3f2c205900033662cb18 Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Mon, 18 May 2026 22:48:46 -0400 Subject: [PATCH 11/13] chown? --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 00132e6..5cafa19 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -16,7 +16,7 @@ jobs: - uses: actions/checkout@v3 - run: sudo apt-get update - run: sudo apt-get install xz-utils curl p7zip-full jq sqlite3 -y - - run: sudo chown -R "$(id -u):$(id -g)" /nix || true + - run: sudo mkdir -p /nix && sudo chown -R "$(id -u):$(id -g)" /nix - uses: cachix/install-nix-action@v27 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} From 537e5188d01b3792e71728ba0036a31045246e66 Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Tue, 19 May 2026 07:05:08 -0400 Subject: [PATCH 12/13] pkg-config from buildPackages --- src/cross-overlays.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/cross-overlays.nix b/src/cross-overlays.nix index 64e5cb6..6a8a829 100644 --- a/src/cross-overlays.nix +++ b/src/cross-overlays.nix @@ -52,12 +52,13 @@ }) # Disable unused and/or broken-on-some-platforms elfutils features, and - # ensure pkg-config is available at build time (the configure script - # needs it to locate zlib/bzip2/lzma/zstd; for cross builds nixpkgs - # doesn't always inject it automatically). + # ensure pkg-config is available at build time. Must use + # buildPackages.pkg-config (the build-host variant) rather than + # self.pkg-config — the latter is the cross/target pkg-config and the + # build sandbox can't execute it. (self: super: { elfutils = (super.elfutils.override { enableDebuginfod = false; }).overrideAttrs (o: { - nativeBuildInputs = (o.nativeBuildInputs or [ ]) ++ [ self.pkg-config ]; + nativeBuildInputs = (o.nativeBuildInputs or [ ]) ++ [ self.buildPackages.pkg-config ]; }); }) From 6e43ad097ccef79985c3df6e74221508eee5c980 Mon Sep 17 00:00:00 2001 From: Zak Estrada Date: Tue, 19 May 2026 22:21:05 -0400 Subject: [PATCH 13/13] debug --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 5cafa19..449e27b 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -32,7 +32,7 @@ jobs: authToken: ${{ secrets.CACHIX_REHOSTING }} - uses: DeterminateSystems/flake-checker-action@main - run: nix flake check - - run: nix build + - run: nix build -L - run: tar -chzvf hyperfs.tar.gz result - uses: reecetech/version-increment@2023.10.1 id: version