Nix support

[abraverm]

Package Sourcebot with Nix, NixOS module for deployment, integration test and microvm.

Summary by CodeRabbit

• New Features

  • Added comprehensive NixOS deployment support, including a dedicated NixOS module, overlay, and flake for streamlined installation and configuration.
  • Introduced a microVM configuration for running SourceBot in a virtualized environment.
  • Provided a development shell environment with all necessary dependencies.
  • Added a manifest of package hashes for improved package integrity in Nix-based setups.

• Documentation

  • Expanded the deployment guide with a detailed NixOS deployment section and clarified container deployment instructions.

[coderabbitai]

Walkthrough

A comprehensive Nix-based deployment and development setup for SourceBot was introduced. This includes a Nix flake, NixOS module, overlay, and system/test configurations, along with a detailed deployment guide update. New files define systemd services, package builds, virtual machine setup, and a hash manifest for dependencies, enabling reproducible builds and deployments.

Changes

File(s)	Change Summary
docs/docs/deployment-guide.mdx	Extended deployment guide with a new "NixOS deployment" section, heading adjustments, and container deployment heading added.
flake.nix	Added Nix flake: defines inputs, outputs, NixOS modules, overlays, packages, tests, and devShell for SourceBot.
nix/nixosModule.nix	New NixOS module: declares services.sourcebot with options, systemd services, user/group, firewall, Redis, and PostgreSQL config.
nix/overlay.nix	New Nix overlay: adds sourcebot package and overrides zoekt package source/hash.
nix/sourcebot.nix	New Nix derivation: builds SourceBot, sets up build/install phases, offline cache, and wrapper scripts for executables.
nix/microvm.nix	New microVM config: defines VM interfaces, port forwarding, shares, volumes, user config, and enables SourceBot service.
nix/nixosTest.nix	New NixOS test: spins up VM, enables SourceBot service, runs service checks and HTTP request assertion.
nix/missing-hashes.json	New JSON file: maps package-version-platform identifiers to cryptographic hashes for dependency integrity.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant NixOS System
    participant SourceBot Service
    participant PostgreSQL
    participant Redis

    User->>NixOS System: Deploy using Nix flake/module
    NixOS System->>SourceBot Service: Start systemd units (web, backend, zoekt)
    SourceBot Service->>PostgreSQL: Connect/setup database
    SourceBot Service->>Redis: Connect/setup cache
    SourceBot Service->>User: Expose API/Web on configured port

Loading

Poem

In Nixy fields where flakes now grow,
SourceBot hops with a reproducible glow.
Modules, overlays, hashes align—
Systemd and services all in line.
Rabbits rejoice, the build is neat—
With NixOS, deployments can’t be beat!
🐇✨

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 8

🔭 Outside diff range comments (1)

nix/missing-hashes.json (1)

1-181: Improve automated hash verification

The current suggestion uses dist.shasum (SHA-1) from the npm registry, which won’t match the SHA-256 entries in nix/missing-hashes.json. Instead, fetch each package tarball and compute its SHA-256. For example:

#!/usr/bin/env bash
# Verify SHA-256 for a sample of packages against missing-hashes.json

# Sample list of entries <name>@<version>
packages=(
  "@esbuild/[email protected]"
  "@next/[email protected]"
)

for pkg in "${packages[@]}"; do
  name=${pkg%@*}
  version=${pkg#*@}

  # Fetch tarball URL
  url=$(curl -s "https://registry.npmjs.org/$name/$version" | jq -r '.dist.tarball')
  echo "Verifying $pkg from $url"

  # Compute SHA-256 (Nix’s prefetch-url is ideal here)
  actual=$(nix-prefetch-url --unpack --type sha256 "$url" 2>/dev/null)
  expected=$(jq -r --arg key "${name}@npm:${version}" '.[$key]' nix/missing-hashes.json)

  echo "  expected: $expected"
  echo "  actual:   $actual"
  if [[ "$actual" == "$expected" ]]; then
    echo "  ✅ OK"
  else
    echo "  ❌ MISMATCH"
    exit 1
  fi
done

• No changes needed in nix/missing-hashes.json itself.
• Incorporate this (or similar) check into your CI to catch stale or incorrect hashes automatically.

🧹 Nitpick comments (7)

nix/overlay.nix (1)

1-12: Well-structured overlay with appropriate package additions.

The overlay correctly adds the sourcebot package and updates zoekt to a specific revision. The structure follows Nix overlay best practices.

Consider adding comments to clarify the purpose of the zoekt override:

final: prev: {
  sourcebot = final.callPackage ./sourcebot.nix {};
+ # Override zoekt with updated version compatible with sourcebot
  zoekt = prev.zoekt.overrideAttrs (old: rec {
    vendorHash = "sha256-laiBp+nMWEGofu7zOgfM2b8MIC+Dfw7eCLgb/5zf9oo=";
    src = final.fetchFromGitHub {
      owner = "sourcegraph";
      repo = "zoekt";
+     # Updated to revision with sourcebot compatibility improvements
      rev = "12a2f4ad075359a09bd8a91793acb002211217aa";
      hash = "sha256-JByTgJsnqLlP7hNbQumM4zqZZuj7igc2V35vw0ahCqM=";
    };
  });
}

Note: The static analysis warning about "sourcegraph-access-token" is a false positive - this is just the repository owner name in the GitHub URL.

docs/docs/deployment-guide.mdx (1)

101-208: Comprehensive NixOS deployment documentation with good examples.

The documentation provides clear step-by-step instructions for deploying SourceBot on NixOS, including proper secret management and configuration examples.

Consider these improvements for better security and usability:

1. Reduce concurrency values in the example - The current values (1000) are extremely high:

  settings = {
    resyncConnectionIntervalMs = 1000 * 60 * 60 * 24 * 7; # 1 week
    reindexIntervalMs = 1000 * 60 * 60 * 24 * 7; # 1 week
-   maxRepoIndexingJobConcurrency = 1000; # 8 default
-   maxConnectionSyncJobConcurrency = 1000; # 8 default
-   maxRepoGarbageCollectionJobConcurrency = 1000; # 8 default
+   maxRepoIndexingJobConcurrency = 8; # Default value
+   maxConnectionSyncJobConcurrency = 8; # Default value
+   maxRepoGarbageCollectionJobConcurrency = 8; # Default value
  };

2. Add security note about file permissions:

+ <Warning>
+   Ensure your secrets files have restrictive permissions (600) and are owned by the sourcebot user.
+ </Warning>

3. Add firewall configuration guidance:

+ <Step title="Configure firewall (optional)">
+   If you need to access SourceBot from external networks, configure your firewall:
+   
+   ```nix
+   networking.firewall.allowedTCPPorts = [ 7734 ]; # Default SourceBot port
+   ```
+ </Step>

nix/nixosTest.nix (1)

1-31: Good basic test structure for NixOS module validation.

The test correctly validates that all essential SourceBot services start up and respond to HTTP requests.

Consider enhancing the test for better coverage and robustness:

  testScript = ''
    start_all()
    machine.wait_for_unit("sourcebot-web.service")
    machine.wait_for_unit("sourcebot-backend.service")
    machine.wait_for_unit("sourcebot-db-setup.service")
    machine.wait_for_unit("postgresql.service")
    machine.wait_for_unit("sourcebot-zoekt.service")
-   machine.succeed("${pkgs.curl}/bin/curl http://localhost:7734")
+   
+   # Wait for web service to be ready
+   machine.wait_for_open_port(7734)
+   
+   # Test web interface responds correctly
+   machine.succeed("${pkgs.curl}/bin/curl -f http://localhost:7734")
+   
+   # Verify database connection
+   machine.succeed("systemctl is-active postgresql.service")
+   
+   # Check logs for any startup errors
+   machine.succeed("! journalctl -u sourcebot-web.service --since=-1m | grep -i error")
  '';

Also consider using a minimal but valid configuration instead of empty JSON:

  configPath = "${pkgs.writeText "config" ''
-   {
-   }
+   {
+     "$schema": "https://github.com/raw/sourcebot-dev/sourcebot/main/schemas/v3/index.json",
+     "connections": {}
+   }
  ''}"

nix/microvm.nix (1)

40-43: Consider security implications of dev environment settings.

The empty root password and autologin are appropriate for development but should be documented as such.

+ # Development environment settings - NOT for production
  users.users.root.password = "";

  # Enable autologin for root user
  services.getty.autologinUser = "root";

nix/nixosModule.nix (2)

52-52: Fix typo in option description

-      description = "Open Firwall ports for SourceBot";
+      description = "Open Firewall ports for SourceBot";

---

64-68: Consider security implications of default hostname

The default hostname 0.0.0.0 binds to all network interfaces, which might expose the service more broadly than intended. Consider using 127.0.0.1 as default for better security.

flake.nix (1)

15-15: Consider supporting additional architectures

The flake is currently limited to x86_64-linux. Consider supporting additional architectures like aarch64-linux for broader compatibility.

-    flake-utils.lib.eachSystemPassThrough ["x86_64-linux"] (system: {
+    flake-utils.lib.eachSystemPassThrough ["x86_64-linux" "aarch64-linux"] (system: {

and

-    // flake-utils.lib.eachSystem ["x86_64-linux"] (
+    // flake-utils.lib.eachSystem ["x86_64-linux" "aarch64-linux"] (

Also applies to: 30-30

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8060ade and f2b43f1.

⛔ Files ignored due to path filters (1)

• flake.lock is excluded by !**/*.lock

📒 Files selected for processing (8)

• docs/docs/deployment-guide.mdx (3 hunks)
• flake.nix (1 hunks)
• nix/microvm.nix (1 hunks)
• nix/missing-hashes.json (1 hunks)
• nix/nixosModule.nix (1 hunks)
• nix/nixosTest.nix (1 hunks)
• nix/overlay.nix (1 hunks)
• nix/sourcebot.nix (1 hunks)

🧰 Additional context used

🪛 Gitleaks (8.26.0)

nix/overlay.nix

8-8: Sourcegraph is a code search and navigation engine.

(sourcegraph-access-token)

🔇 Additional comments (2)

nix/microvm.nix (1)

45-62: Well-configured SourceBot service for development.

The service configuration is appropriate for development with debug logging and a comprehensive test configuration including both GitHub and the JSON schema reference.

nix/nixosModule.nix (1)

191-191: Verify different restart policies for services

The web service uses Restart = "always" while the backend service uses Restart = "on-failure". Is this intentional?

Also applies to: 224-224

[coderabbitai]

⚠️ Potential issue

Fix inconsistent volume size configuration.

The comment indicates 10GB but the actual size is configured as 1GB (1 * 1024 MB).

  volumes = [
    {
      mountPoint = "/var";
      image = "sourcebot-var.img";
-     size = 1 * 1024; # 10GB
+     size = 10 * 1024; # 10GB
    }
  ];

Or if 1GB is intended:

-     size = 1 * 1024; # 10GB
+     size = 1 * 1024; # 1GB

🤖 Prompt for AI Agents

In nix/microvm.nix between lines 29 and 35, the volume size is set to 1 * 1024
MB but the comment incorrectly states 10GB. To fix this inconsistency, either
update the size to 10 * 1024 MB to match the 10GB comment or change the comment
to reflect the actual 1GB size if that is intended.

[coderabbitai]

⚠️ Potential issue

Fix typo in interface identifier.

There's a typo in the interface ID that should be corrected.

  interfaces = [
    {
      type = "user";
-     id = "sourecbot";
+     id = "sourcebot";
      mac = "02:00:00:00:00:10";
    }
  ];

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	{
	type = "user";
	id = "sourecbot";
	mac = "02:00:00:00:00:10";
	}
	interfaces = [
	{
	type = "user";
	id = "sourcebot";
	mac = "02:00:00:00:00:10";
	}
	];

🤖 Prompt for AI Agents

In nix/microvm.nix around lines 8 to 12, the interface ID "sourecbot" contains a
typo. Correct the ID by changing "sourecbot" to the intended correct identifier,
likely "sourcebot" or the appropriate name as per your naming conventions.

[coderabbitai]

🛠️ Refactor suggestion

Remove redundant node_modules copying

The node_modules directory is being copied multiple times which could cause conflicts and is inefficient. Consider consolidating these operations.

-    cp -r node_modules/* $out/node_modules
-
     mkdir -p $out/packages/web
     cp -r packages/web/public $out/packages/web/public
     mkdir -p $out/packages/web/.next
     cp -r packages/web/.next/static $out/packages/web/.next/static

     mkdir -p $out/packages/backend
-    cp -r packages/backend/node_modules/* $out/node_modules
     cp -r packages/backend/* $out/packages/backend

     cp -r packages/db/* $out/packages/db
     cp -r packages/schemas/* $out/packages/schemas
     cp -r packages/crypto/* $out/packages/crypto
     cp -r packages/error $out/packages/error
     cp -r packages/mcp $out/packages/mcp
     cp -r node_modules/* $out/node_modules

Also applies to: 57-57, 65-65

🤖 Prompt for AI Agents

In nix/sourcebot.nix at lines 49, 57, and 65, the node_modules directory is
copied multiple times redundantly. Remove the duplicate cp -r node_modules/*
$out/node_modules commands at lines 57 and 65, keeping only one copy operation
to avoid conflicts and improve efficiency.

[coderabbitai]

⚠️ Potential issue

Fix typo in directory path

There's a typo in the path: pacakages should be packages.

Apply this fix:

-    rm -rf $out/pacakages/web/.next/cache
+    rm -rf $out/packages/web/.next/cache

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	rm -rf $out/pacakages/web/.next/cache
	rm -rf $out/packages/web/.next/cache

🤖 Prompt for AI Agents

In nix/sourcebot.nix at line 69, correct the typo in the directory path by
changing "pacakages" to "packages" in the rm command to ensure the correct cache
directory is targeted for removal.

[coderabbitai]

⚠️ Potential issue

Avoid hardcoded secrets in environment

Using hardcoded placeholder secrets even as defaults is a security risk. Consider requiring users to provide an envFile or generate random secrets.

Consider either:

1. Making envFile required when auth is enabled
2. Generating random secrets at runtime
3. Providing clear documentation that these are insecure defaults

Would you like me to implement a solution that generates secure random secrets?

Also applies to: 218-221

🤖 Prompt for AI Agents

In nix/nixosModule.nix around lines 185 to 188 and also lines 218 to 221, the
code uses hardcoded placeholder secrets for AUTH_SECRET and
SOURCEBOT_ENCRYPTION_KEY, which is a security risk. To fix this, remove the
hardcoded secrets and instead require users to provide an envFile when
authentication is enabled or implement logic to generate secure random secrets
at runtime. Additionally, update documentation to clearly state that default
secrets are insecure if you keep any defaults.

[coderabbitai]

⚠️ Potential issue

Fix incorrect package description

The description mentions "nixos-cli" but should reference "sourcebot".

-      description = "Package to use for nixos-cli";
+      description = "Package to use for sourcebot";

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	description = "Package to use for nixos-cli";
	description = "Package to use for sourcebot";

🤖 Prompt for AI Agents

In nix/nixosModule.nix at line 20, the package description incorrectly
references "nixos-cli" instead of "sourcebot". Update the description string to
correctly mention "sourcebot" to accurately reflect the package purpose.

[coderabbitai]

🛠️ Refactor suggestion

Add default value for configPath

The configPath option lacks a default value, which could cause runtime errors if not explicitly set by users.

Consider adding a sensible default:

     configPath = mkOption {
       type = types.str;
+      default = "${cfg.dataDir}/config.json";
       description = "Path to the SourceBot configuration file";
     };

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	configPath = mkOption {
	type = types.str;
	description = "Path to the SourceBot configuration file";
	};
	configPath = mkOption {
	type = types.str;
	default = "${cfg.dataDir}/config.json";
	description = "Path to the SourceBot configuration file";
	};

🤖 Prompt for AI Agents

In nix/nixosModule.nix around lines 55 to 58, the configPath option is missing a
default value, which may lead to runtime errors if users do not set it. Add a
default value field to the mkOption definition, providing a sensible default
path string for the SourceBot configuration file to ensure safe fallback
behavior.

[coderabbitai]

⚠️ Potential issue

Import makeBinPath function

The makeBinPath function is used but not imported.

-          "PATH=${makeBinPath (with pkgs; [prisma openssl])}"
+          "PATH=${lib.makeBinPath (with pkgs; [prisma openssl])}"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"PATH=${makeBinPath (with pkgs; [prisma openssl])}"
	"PATH=${lib.makeBinPath (with pkgs; [prisma openssl])}"

🤖 Prompt for AI Agents

In nix/nixosModule.nix at line 154, the function makeBinPath is used but not
imported. To fix this, import makeBinPath from the appropriate package or module
at the beginning of the file so it is available for use in constructing the PATH
variable.

[abraverm]

@msukkari , if you are intrested in this change, I would fix coderabbitai suggestions. But also I recommend to somehow run Nix in CI. Basically these commands:

• nix build - build Sourcebot package
• nix flake check - testing NixOS module in a VM

Sometimes you would need to update the missing-hashes.json and the hash values in *.nix files. I can explain how to do this in the contribution doc (after you have the tests above in CI).

Another option is to push this change to nixpkgs main repository, then any NixOS user would be able to deploy Sourcebot, but you would have less control over its deployment options and it depends on contributors (or you) to maintain its version.

[msukkari]

Thanks for this change @abraverm! Just left a few comments on the docs page to fix broken links and styling

Adding the build to CI shouldn't be too hard and is something we can look into once we get some bandwidth. I think we should be safe to merge this for now and add CI once usage of this deployment flow increases?

[msukkari]

is this meant to link to external docs? It seems this is broken since no nixos-flakes docs page exists

[msukkari]

It seems this is meant to link to the nixosModule.nix file in the repo, in which case you have to link to the file itself on GitHub. Mintlify (the docs library we're using) doesn't support linking to files outside of the docs folder like this as far as I'm aware

[msukkari]

nit: please add additional params to the code snippets to follow the styling of the rest of the document

For example:
bash wrap icon="terminal" Create example config

The icon can be any valid lucide icon: https://lucide.dev/icons/

For more info check out the mintlify docs: https://mintlify.com/docs/code#code-block-options

[msukkari]

nit: please add the Login and Done steps from the container deployment here. Copy and paste should be fine!

[msukkari]

Also don't feel like you need to address all of the coderabbit comments! It sometimes provides reviews that aren't really needed