Crate nixfleet_release 

Producer for releases/fleet.resolved.json and signed sidecars. Pipeline: enumerate hosts -> build -> push -> eval -> inject closureHashes -> stamp meta -> canonicalize -> sign -> smoke-verify -> atomic write -> optional git commit/push. Hook contract lives at the binary surface.

Modules

git 🔒

Git plumbing - shells out to git, never embeds a library.

sign 🔒

Sign-hook + smoke-verify + atomic release-dir write.

Structs

GitPushTarget

ReleaseConfig

CLI-assembled config consumed by run.

Enums

HostKind

Which *Configurations attrset a host lives in.

HostsSpec

Hosts to release. Resolved against the consumer’s flake at runtime.

RunOutcome

Functions

build_hosts 🔒

Sequential build. No pin or pin.commit == current_commit -> local build path; non-current commit -> flake-ref build via <pin_source_url>?rev=<commit>. Cross-platform builds rely on the operator’s nix.buildMachines. Failures abort before any push.

build_local 🔒

build_pinned 🔒

Build via flake-ref at a different commit. The url?rev=<commit> form lets Nix handle checkout + caching; we don’t manage a worktree ourselves.

canonicalize_resolved

closure_hash 🔒

enumerate_hosts 🔒

(host, kind) pairs. NixOS sorted, then Darwin sorted; Explicit preserves caller order. Missing attrsets are empty, not errors.

eval_bootstrap_nonces 🔒

eval_fleet_resolved 🔒

eval_revocations 🔒

filter_expired_pins

Drop expired pins (past expires_at); affected hosts fall back to the current-commit build path. Pins with no expires_at always remain.

inject_closure_hashes

Sets hosts[h].closureHash. Unknown hosts in hashes are silently skipped.

interpret_build_output 🔒

list_attr_optional 🔒

Enumerate attribute names; missing attrset -> empty. “Missing attribute” matches a small set of stable nix-eval phrasings.

load_existing_signed_at_if_unchanged 🔒

Returns existing meta.signedAt when on-disk closure hashes match.

pin_target_commit 🔒

Some(commit) iff the host has a pin AND pin.commit ≠ current_commit. Same-commit pins return None so the local build path handles them.

prune_expired_bootstrap_nonces 🔒

Strip entries with expires_at < signed_at. Run at sign time so the signed artifact only contains the operational set; fleet.nix can keep historical entries as an audit log.

push_one 🔒

render_commit_message

run

sha256_hex 🔒

stamp_meta

validate_config 🔒

validate_pin_source_url 🔒

Errors when any host has a non-current-commit pin but --pin-source-url is unset. Run AFTER filter_expired_pins so expired pins aren’t counted.