fastly: implement "Lockable HTTP Tarball Protocol" (Flakes) for chann…

…els.nixos.org This is part of another PR over in NixOS/nixos-channel-scripts that implements the precomputed x-amz-meta-link header. For the motivation behind this change look there. Hydra executes mirror-nixos-branch.pl when a given channel advances. Thus, we need some sort of fallback to handle channels which have long been EOL. A fallback also allows this change to be deployed in any order and over the span of multiple days. Our default mode of operation is simply renaming the precomputed "x-amz-meta-link" header created by the script to "link", if it exists. Note that we cannot use "link" directly because AWS S3 does not allow it. As a fallback we take the "location" header (which always exists) and template it into "link". This lacks additional flake attributes like "rev" or whatever additional metadata the script may precompute, but is perfectly compliant with the "Lockable HTTP Tarball Protocol". When running into the fallback, the string returned by nixpkgs' lib.trivial.versionSuffix will contain "dirty" instead of "pre-git" or the proper 7-char substring of the rev. While we could have Fastly do a sub-request to fetch the git-revision txt right next to the tarball, I don't think it's worth the effort and complexity. Tested using <https://fiddle.fastly.dev/>. Ref: https://github.com/NixOS/nix/blob/61f49de7ae0b3899abdcc102832523153dd40d35/doc/manual/source/protocols/tarball-fetcher.md
NixOS · Feb 24, 2025 · 9bf7440 · 9bf7440
1 parent da3ef84
commit 9bf7440
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/terraform/channels.tf b/terraform/channels.tf
@@ -229,11 +229,24 @@ resource "fastly_service_vcl" "channels" {
       # Note: we need to match on 301s and 302s here, since Fastly has multiple
       # layers, and otherwise a redirect might still get cached at the second
       # layer after the first layer turned a 301 into a 302.
+      #
+      # Additionally, this also implements the "Lockable HTTP Tarball Protocol"
+      # to use nixexprs.tar.xz with Flakes and have it locked properly.
       if (beresp.status == 301 || beresp.status == 302) {
         set beresp.status = 302;
         set beresp.ttl = 0s;
         set beresp.grace = 0s;
         set beresp.cacheable = false;
+        if (req.backend.is_origin && std.suffixof(bereq.url, "/nixexprs.tar.xz")) {
+          # rename prepared link header if available
+          if (beresp.http.x-amz-meta-link) {
+            set beresp.http.link = beresp.http.x-amz-meta-link;
+            unset beresp.http.x-amz-meta-link;
+          # otherwise, use fallback that contains no flake attributes (e.g. rev)
+          } else {
+            set beresp.http.link = "<" + beresp.http.location + {">; rel="immutable""};
+          }
+        }
         return (pass);
       }
     EOT