add niks3 binary cache support

[Mic92]

Summary by CodeRabbit

• New Features
  • Optional Niks3 integration for build results.
  • New configuration options: enable toggle, server URL, authentication token file path, and package selection for the uploader.
  • When enabled, build results are uploaded to Niks3 via a post-build step.
  • Authentication token is loaded securely via system credential mechanism and the uploader is made available to build workers.

[coderabbitai]

Walkthrough

Adds a new Niks3 integration NixOS module and imports it into the master module. The module provides options to enable Niks3, configure server URL, auth token file, and package; when enabled it wires systemd LoadCredential, adds the package to worker PATH, and appends a post-build niks3 upload step.

Changes

Cohort / File(s)	Summary
Module import wiring nixosModules/master.nix	Adds ./niks3.nix to the imports list.
Niks3 integration module nixosModules/niks3.nix	New module introducing services.buildbot-nix.master.niks3 options: enable (bool), serverUrl (str), authTokenFile (path), package (package; defaults to pkgs.niks3 or throws). When enabled: adds systemd.services.buildbot-master.serviceConfig.LoadCredential entries, appends the niks3 package to systemd.services.buildbot-worker.path, and adds a postBuildSteps entry that sets NIKS3_SERVER_URL and NIKS3_AUTH_TOKEN_FILE and runs niks3 push for result-<attr> artifacts.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant BM as Buildbot Master (service)
  participant W as Buildbot Worker (env PATH)
  participant N3 as Niks3 Server

  Dev->>BM: Trigger build
  BM->>W: Schedule job / run build
  W-->>BM: Produce artifact(s) (result-<attr>)
  note over BM: postBuildSteps (niks3 enabled)
  BM->>BM: systemd loads credential from cfg.niks3.authTokenFile
  BM->>W: Ensure niks3 binary present in worker PATH (cfg.niks3.package)
  BM->>N3: Run `niks3 push` (env: NIKS3_SERVER_URL, NIKS3_AUTH_TOKEN_FILE)
  N3-->>BM: Acknowledgement / response

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title succinctly captures the primary change by stating that Niks3 binary cache support is being added, which aligns directly with the new module and configuration options introduced for Niks3 integration. It is concise, clear, and focused on the main enhancement without extraneous detail. This phrasing ensures that reviewers and future readers can quickly understand the purpose of the pull request.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch niks3

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4a16a56 and 61cfbef.

📒 Files selected for processing (2)

• nixosModules/master.nix (1 hunks)
• nixosModules/niks3.nix (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• nixosModules/master.nix

🔇 Additional comments (6)

nixosModules/niks3.nix (6)

1-13: LGTM! Clean module structure.

The module structure follows NixOS conventions, and the interpolate helper correctly creates buildbot interpolation objects.

---

18-22: LGTM! ServerUrl option is well-defined.

The option has appropriate type, description, and example. The lack of a default ensures users must explicitly configure it.

---

31-36: LGTM! Excellent error handling.

The package option provides a clear error message when niks3 is not available in pkgs, guiding users to add the necessary flake input and overlay.

---

40-42: LoadCredential implementation depends on fixing authTokenFile type.

The builtins.toString here will trigger a store copy if authTokenFile is a types.path. Once the type is changed to types.str (per the critical issue on lines 24-29), remove builtins.toString and use the string directly.

     systemd.services.buildbot-master.serviceConfig.LoadCredential = [
-      "niks3-auth-token:${builtins.toString cfg.niks3.authTokenFile}"
+      "niks3-auth-token:${cfg.niks3.authTokenFile}"
     ];

---

44-44: LGTM! Correctly adds niks3 to worker PATH.

This ensures the niks3 command invoked in the postBuildSteps (line 53) is available in the worker environment.

---

46-60: LGTM! Buildbot step is correctly structured.

The postBuildSteps configuration:

• Properly uses buildbot interpolations for secrets and properties
• Correctly references the credential loaded via systemd (line 41)
• Uses the standard result-%(prop:attr)s path pattern for nix build outputs
• Environment variable NIKS3_SERVER_URL is appropriately set

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

nixosModules/niks3.nix (2)

17-21: Add URL format validation to serverUrl.

The serverUrl option accepts any string without validation. Consider adding format validation to catch configuration errors early.

Apply this diff to add URL validation:

     serverUrl = lib.mkOption {
-      type = lib.types.str;
+      type = lib.types.strMatching "https?://.*";
       description = "niks3 server URL";
       example = "https://niks3.yourdomain.com";
     };

---

36-49: Verify postBuildSteps list merging.

Similar to the LoadCredential concern, directly assigning to services.buildbot-nix.master.postBuildSteps relies on NixOS list merging behavior. While this typically works for list-typed options, using lib.mkAfter would make the ordering and merging explicit.

Consider using lib.mkAfter for clarity:

-    services.buildbot-nix.master.postBuildSteps = [
+    services.buildbot-nix.master.postBuildSteps = lib.mkAfter [
       {
         name = "Upload to niks3";
         environment = {
           NIKS3_SERVER_URL = cfg.niks3.serverUrl;
           NIKS3_AUTH_TOKEN_FILE = interpolate "%(secret:niks3-auth-token)s";
         };
         command = [
           "niks3" # note that this is the niks3 from the worker's $PATH
           "push"
           (interpolate "result-%(prop:attr)s")
         ];
       }
     ];

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fd3cc9d and 36b6d74.

📒 Files selected for processing (2)

• nixosModules/master.nix (1 hunks)
• nixosModules/niks3.nix (1 hunks)

🔇 Additional comments (3)

nixosModules/master.nix (1)

45-45: LGTM! Import follows the existing pattern.

The addition of ./niks3.nix to the imports list is correctly placed and follows the same pattern as the existing ./cachix.nix import.

Verify that the niks3 module properly integrates with existing LoadCredential settings in this file (lines 862-880) to avoid overriding existing credentials.

nixosModules/niks3.nix (2)

1-12: LGTM! Module structure is correct.

The module structure and interpolate helper function follow standard NixOS patterns and correctly create Buildbot interpolation objects.

---

32-34: LoadCredential lists merge automatically
Direct assignments to serviceConfig.LoadCredential in separate modules are concatenated by NixOS’s list-merge strategy, so lib.mkAfter is unnecessary. You can also remove builtins.toString around cfg.niks3.authTokenFile.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

nixosModules/niks3.nix (1)

43-43: Addressed: ensuring niks3 on worker PATH

Adding the package to systemd.services.buildbot-worker.path solves the earlier “binary must be present” concern.

🧹 Nitpick comments (1)

nixosModules/niks3.nix (1)

31-35: Package option: prefer mkPackageOption for discoverability and defaults

Use lib.mkPackageOption to standardize docs and defaults; keep existing fallback if needed.

-    package = lib.mkOption {
-      type = lib.types.package;
-      default = pkgs.niks3 or (throw "niks3 package not found in pkgs. Please add niks3 flake input and overlay.");
-      description = "The niks3 package to use";
-    };
+    package = lib.mkPackageOption pkgs "niks3" {
+      default = (pkgs.niks3 or null);
+      # If pkgs.niks3 is absent, users can override this option explicitly.
+      # example = lib.literalExpression "inputs.niks3.packages.${pkgs.system}.niks3";
+      description = "niks3 CLI package used on the worker PATH";
+    };

Please confirm mkPackageOption is available in your lib version. If not, we can keep types.package and improve description/defaultText instead.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 36b6d74 and fbf2fdf.

📒 Files selected for processing (2)

• nixosModules/master.nix (1 hunks)
• nixosModules/niks3.nix (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• nixosModules/master.nix

🔇 Additional comments (1)

nixosModules/niks3.nix (1)

38-56: No changes to credential loading: loading the auth token via systemd.services.buildbot-master.serviceConfig.LoadCredential and passing it to workers with interpolate "%(secret:niks3-auth-token)s" follows the existing cachix pattern and is correct.

Likely an incorrect or invalid review comment.