NixFleet control plane: TLS server + RFC-0006 runtime.
Modules
- auth
- Auth: mTLS peer-cert binding and enrollment cert issuance.
- db
- SQLite persistence: rusqlite + refinery, WAL + FK, single Mutex<Connection>.
- metrics
- Prometheus counters surface - minimum viable set for alerting.
- polling
- Periodic upstream polls and shared signed-fetch primitive.
- rollouts_source
- On-demand HTTP-fetched rollout manifests. This module is a thin signed-pair fetcher: it substitutes the canonical RolloutId ({channel}@{channel_ref} per RFC-0008 §6.3) into the URL templates and returns the raw (manifest, signature) byte pair. It performs no identifier validation. The caller (manifest_poll) is responsible for signature verification (verify_rollout_manifest) and identifier discrimination (parsed RolloutId equality against the requested id); both checks are mandated by the verify_rollout_manifest docstring.
- runtime
- CP runtime: MPSC reducer loop + applier + workers (RFC-0006 §7.2).
- server
- Long-running TLS server: router + listener + reconcile loop + polls.
- timers
- Background SQLite-state timers.
- tls
- TLS server config builder; mTLS layered via WebPkiClientVerifier when client_ca_path is set.