Lift the s390x rustc symlink_file patch overlay into overlays.s390xRustcSymlink
so nixos-ci consumes one definition (patch travels with it) instead of
duplicating it. Add nixfmt-rfc-style formatter. Refresh fleet-pins + parity
inputs to HEAD so the lock collapses to a single nixpkgs (1c3fe55).
Replace the bespoke ci/publish.py attic-push logic with parity-lib's
mkAtticClosurePublish builder (attic-closure archetype, cluster#104,
emmett#44). Adds the parity input (locked at d265a79) and wires the
per-arch package closures through builders.mkAtticClosurePublish, with
the endpoint (nix-cache-upload.oleks.space) and passEntry
(infra/attic/ci_token) overridden so the attic push is byte-for-byte the
pre-parity behaviour.
.woodpecker/{amd64,arm64}.yaml thinned to PUBLISH=1 nix run .#publish /
.#publish-aarch64-linux so CI and a local run share one audited impl.
Dead ci/publish.py + ci/build.py removed.
pipeline-doctor: 9 passed / 0 failed / 0 warned.
attic-closure archetype: no parity-lib builder exists for attic pushes, so
wrap the existing per-arch package build in ci/publish.py (woodpecker-peek
pattern) and expose `nix run .#{stage,publish}-amd64` + `.#publish`.
Two-halves rule: STAGE nix-builds every package in the arch list into the
local store (emmett-buildable); PUBLISH additionally attic-pushes each
closure. Local runs DRY-RUN unless --push/PUBLISH=1; CI sets PUBLISH=1.
The .woodpecker/{amd64,arm64}.yaml now call the same ci/publish.py so CI
and local runs can't drift. arm64 stays node-bound (no emmett cross path),
so it has no local-parity app. ci/build.py becomes a forwarding shim.
Rescued from the second flake-hub checkout (~/projects/flake-hub) before
that working copy was removed. Documents the path from local Gitea fork
to the attic binary cache.
Adds mcp-chrome as a flake input (mirroring the woodpecker-peek pattern)
and re-exposes two packages: mcp-chrome-wasm-simd (proven green, ~22 s)
and mcp-chrome-extension (KNOWN-BROKEN under nix-daemon; exposed for
local builds but kept out of the CI matrix to avoid red pipelines).
CI warms attic with mcp-chrome-wasm-simd on x86_64-linux and aarch64-linux
only; s390x cross and Darwin are out of scope.
Closes oleks/mcp-chrome#5.
Re-exposes oleks/woodpecker-peek as packages.<sys>.woodpecker-peek for
x86_64-linux and aarch64-linux, and adds it to ci/build.py so the
amd64/arm64 workflows push the closure to attic-infra-cache-k3s-1.
Consumers (emmett) then set services.woodpecker-peek.package = pkgs.woodpecker-peek
and pull the cached binary instead of rebuilding.
Adds a postPatch step that applies metamcp-observability.patch to
the upstream metatool-ai/metamcp v2.4.22 source before pnpm build.
The patch:
* Drops in apps/backend/src/lib/observability/{trace,metrics}.ts:
AsyncLocalStorage trace context + parser/synthesizer per the W3C
contract (Specs/mcp-request-id), plus a hand-rolled
Counter/Histogram so we don't have to touch pnpm-lock.yaml /
pnpmDeps hash (no new npm dependency).
* Wires a top-level express middleware in apps/backend/src/index.ts
that binds trace context, observes mcp_hop_duration_seconds on
response close, and counts mcp_cancellation_total when the
downstream client hangs up mid-response.
* Adds /metrics to the Express app and last-resort process traps
(unhandledRejection / uncaughtException) feeding
mcp_uncaught_throw_total — the smoking-gun signal from
cluster#44.
* Patches process-managed-transport.send() to inject
params._meta.traceparent on every outbound JSON-RPC bound for a
stdio child (MCP _meta convention, Specs/mcp-request-id).
Retire when this lands upstream.
Adds nix-deps as an input following our nixpkgs and re-exports its
package via mkPackages (gated to native x86_64/aarch64, since its
flake only emits eachDefaultSystem and would break the s390x cross).
Also adds .gitignore for build result symlinks.
Pin to oleks/main c45ea82 (PR #20: push SSE update on issue
close/reopen for project boards, fixes #19). Only src rev/hash/version
change; no go.mod or pnpm-lock changes so vendorHash and pnpmDeps stay
valid.
Pin to oleks/main ad46f6c (PR #18: scope project-issue move to its own
project, fixes #17). Only src rev/hash/version change; no go.mod or
pnpm-lock changes so vendorHash and pnpmDeps stay valid.
Temporary debug pin: rev bfc10289e6 carries the publish-path
instrumentation + the fix routing the async publish goroutine
through graceful.ShutdownContext() instead of the request ctx.
Will repin to a clean tagged release once verified.
Pin to oleks/main @ 9c1699feb5 — adds PR #7 (SSE push updates for
project board pages). pnpm-lock.yaml and go.mod are unchanged from
the previous pin so pnpmDeps.hash and vendorHash stay valid.
The previous pin's pnpm-lock.yaml drifted between snapshots; the
cached fetchPnpmDeps output was stale on hosts without a warmed
store, causing ERR_PNPM_NO_OFFLINE_TARBALL on remote builders.
Recomputed via nix build with empty hash, captured the 'got:'
value.
Picks up oleks/gitea#2 (user-scope and org-scope project board REST
endpoints under /api/v1/users/{username}/projects/... and
/api/v1/orgs/{org}/projects/...) plus the missing MoveProjectIssue
test for repo scope.
Single-derivation pnpm/Turbo monorepo build producing:
- metamcp: full orchestrator (waits for PG, runs drizzle
migrations, launches backend :12009 + frontend :12008)
- metamcp-backend: bare backend launcher
- metamcp-frontend: Next.js standalone server.js launcher
Notes:
- Upstream pins packageManager: pnpm@9.0.0; rewrite to match the nixpkgs
pnpm (Turbo requires the field but won't fight a matching version).
- Frontend uses next.config 'output: standalone'; we copy .next/static
and public/ into the standalone tree since Next doesn't.
- HOSTNAME defaults to 0.0.0.0 (override with METAMCP_HOSTNAME) — Next
standalone otherwise inherits the system hostname and is unreachable
on 127.0.0.1.
Add the renamed gitea-local-fork derivation to the Woodpecker
build matrix on x86_64 and aarch64 (the only platforms the
derivation supports — see flake.nix). Resulting closure is
pushed to attic-infra-cache-k3s-1 so subsequent
`just gitea-run` invocations resolve from cache rather than
recompile Go 1.26.3 locally.
The fork tracked by this derivation is no longer a single-feature
branch ("feat/projects-api") but the integration tip of Oleks's
local gitea fork ($HOME/projects/gitea, branch oleks/main), carrying
upstream/main + PR #37518 Projects REST API + a CI gate + fork-local
commits. Reflect the broader scope in the package and attribute name,
and document the local fork path + branch in the derivation header.
A single workflow with steps spanning amd64 and arm64 shares one
PVC. The clone step binds the PV to whichever arch ran first, and
the other arch's pod is then permanently Unschedulable (node
affinity mismatch on the PV). Splitting into separate workflow
files gives each arch its own clone, its own PVC, and its own node
binding.
Refactor so `src` is a direct `fetchgit` (instead of a wrapper drv), and
move the package.json engine-strip into a `frontendSrc` derivation that
only fetchPnpmDeps sees. nix-update needs to introspect `src.url` and
`src.rev`; the previous wrapper hid them.
Expose `frontend.pnpmDeps` via passthru so nix-update finds the third
hash. Now `just gitea-update` does the full cycle:
1. git ls-remote → latest commit on feat/projects-api
2. set src.hash / pnpmDeps.hash / goModules.vendorHash to fakeHash
3. nix-build each to capture real hashes
4. nom build the package for final verification
nix-update rewrites version to nixpkgs `<tag>-unstable-<date>` style. Lose
the descriptive "-projects-api" suffix in the version, but pname is
unchanged so store paths still read `gitea-projects-api-*`.
Builds oleks/gitea feat/projects-api (Gitea 1.27.0-dev + Projects REST API)
as `nix build .#gitea-projects-api`. Exposes `out` (binary) and `data`
(templates, options, frontend bundle, locale files) matching the layout
nixpkgs' `services.gitea` module expects.
Notes:
- Pins Go 1.26.3 (built from upstream src) because the fork's go.mod
requires it, while pinned nixpkgs only has 1.26.0.
- Patches package.json to drop engines.pnpm before fetchPnpmDeps runs:
gitea wants pnpm >= 11, but nixpkgs only packages pnpm 10. The
pnpm-lock.yaml is v9 (forward-compatible) so pnpm 10 produces the
same install closure.
- Platforms: x86_64-linux, aarch64-linux (skipped on s390x cross since
the frontend pnpm step has no s390x toolchain).
Pipeline #41 died with exit 127 on `free -h` — procps isn't in the
nix-ci image. New info() helper runs the command and ignores the exit
code, so missing tools no longer abort the build. Also switched to
/proc/meminfo since it's always available on Linux.
google-antigravity pulls in google-chrome, which transitively builds
liberation-fonts; fontforge segfaults while generating the .ttf files
(pipeline #40). Package definitions stay in the flake for local
builds — re-enable in CI once upstream fontforge is fixed.
setup.sh now traces each command (set -ex) so /etc/hosts, nix.conf,
and netrc setup are visible in pipeline logs.
build.py replaces capture() with a streaming build() helper for
nix builds: stderr is inherited (live --print-build-logs output)
while stdout is captured for the out path. Also dumps nix version,
uname, disk, and memory at the start so failures have context.
s390x had no dedicated builder and ran as a cross-compile pinned to
amd64 via nodeSelector, colliding with the x86_64-linux step on the
same node — Woodpecker's k8s backend couldn't create the per-step
secret twice and the workflow failed with either "secrets already
exists" or "Canceled". Disable until a real s390x builder is wired up.
Step names now match the kubernetes.io/arch label they target; the
ci/build.py argument keeps the Nix system tuple (x86_64-linux,
aarch64-linux).
- packages/xontribs.nix: xontrib-prompt-starship, -broot, -term-integrations
wheels for use with `programs.xonsh.extraPackages` (or xonsh.override)
- packages/hyprspace.nix + hyprspace flake input (flake=false): rebuild
plugin against the consumer's hyprland; exposed via overlays.hyprspace
- overlays/gcc15-fixes.nix: hotdoc/kitty/libsecret/xdg-desktop-portal/afdko
workarounds so fleet nodes on the same pin can opt in with one line
- flake.nix: lift overlays out of eachSystem to the root (overlays.default
was previously nested per-system, which doesn't match flake schema)