Commit Graph

7 Commits

Author SHA1 Message Date
713d1e7584 chore: migrate module path from git.t-juice.club to code.t-juice.club
Gitea to Forgejo host migration — update Go module path and all
import references.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 19:37:47 +01:00
3ac5d9777f feat(builder): log build failure output as separate lines
Log each line of build failure output as a separate structured log entry
at WARN level, making output readable and queryable in Loki/Grafana.
Add repo and rev fields to all build-related log entries. Add
truncateOutputLines helper that returns a []string for per-line logging.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 18:34:21 +01:00
1a23847d31 fix(builder): separate build output from error to preserve timeout messages
When a build timed out, the timeout error was silently replaced by
truncated stderr output. Split into separate Error and Output fields
on BuildHostResult so the cause (e.g. "build timed out after 30m0s")
is always visible in logs and CLI output.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 13:24:04 +01:00
c13914bf5a fix(builder): truncate large error output to prevent log overflow
Build errors from nix can be very large (100k+ chars). This truncates
error output to the first 50 and last 50 lines when it exceeds 100
lines, preventing journal and NATS message overflow.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-11 00:42:13 +01:00
c52e88ca7e fix: add validation for config and reply subjects
Address medium severity security issues:

- Validate that repo names in config only allow alphanumeric, dash, underscore
  (prevents NATS subject injection via dots or wildcards)
- Validate that repo URLs start with git+https://, git+ssh://, or git+file://
- Validate that the ReplyTo field starts with "build.responses." to prevent
  publishing responses to arbitrary NATS subjects

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-10 22:09:51 +01:00
08f1fcc6ac fix: validate target and hostname inputs to prevent injection
Add input validation to address security concerns:

- Validate Target field in BuildRequest against safe character pattern
  (must be "all" or match alphanumeric/dash/underscore/dot pattern)
- Filter hostnames discovered from nix flake show output, skipping any
  with invalid characters before using them in build commands

This prevents potential command injection via crafted NATS messages or
malicious flake configurations.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-10 22:07:26 +01:00
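The validation rules described in the two commits above (c52e88ca7e and 08f1fcc6ac), reimplemented as an added example; this is not the project's own code. It assumes the character classes stated in the messages, assumes discovered hostnames are filtered with the same pattern as targets, and additionally rejects NATS wildcards and whitespace in the reply subject (an assumption beyond the stated prefix rule).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// Repo names become NATS subject tokens (build.<repo>.*), so "." (the token
	// separator) and the wildcards "*" and ">" must never get through.
	repoNamePattern = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)
	// Targets and discovered hostnames end up on a nix command line: dots are
	// needed for hostnames, shell metacharacters and whitespace are excluded.
	targetPattern = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)
	replyPrefix   = "build.responses."
)

func ValidateRepoName(name string) error {
	if !repoNamePattern.MatchString(name) {
		return fmt.Errorf("repo name %q: only alphanumeric, dash, underscore allowed", name)
	}
	return nil
}

// Assumption beyond the commit's prefix rule: wildcards and whitespace are rejected too.
func ValidateReplyTo(subject string) error {
	if !strings.HasPrefix(subject, replyPrefix) || strings.ContainsAny(subject, "*> \t") {
		return fmt.Errorf("reply subject %q: must be a plain subject under %q", subject, replyPrefix)
	}
	return nil
}

func ValidateTarget(target string) error {
	if target == "all" || targetPattern.MatchString(target) {
		return nil
	}
	return fmt.Errorf("target %q: must be \"all\" or match %s", target, targetPattern)
}

// FilterHostnames drops `nix flake show` names failing targetPattern (assumed hostname rule) before use.
func FilterHostnames(names []string) []string {
	var safe []string
	for _, n := range names {
		if targetPattern.MatchString(n) {
			safe = append(safe, n)
		}
	}
	return safe
}
```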
14f5b31faf feat: add builder mode for centralized Nix builds
Add a new "builder" capability to trigger Nix builds on a dedicated
build host via NATS messaging. This allows pre-building NixOS
configurations before deployment.

New components:
- Builder mode: subscribes to build.<repo>.* subjects, executes nix build
- Build CLI command: triggers builds with progress tracking
- MCP build tool: available with --enable-builds flag
- Builder metrics: tracks build success/failure per repo and host
- NixOS module: services.homelab-deploy.builder

The builder uses a YAML config file to define allowed repositories
with their URLs and default branches. Builds can target all hosts
or specific hosts, with real-time progress updates.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-10 22:03:14 +01:00