Add debug output

Do not serve derivations with /.private
2025-10-03 17:43:14 +02:00 · 2025-10-03 17:42:54 +02:00
2 changed files with 22 additions and 8 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -83,10 +83,6 @@
      rec {
        packages = {
          inherit nix-serve-ng lix-serve-ng;
-          private = pkgs.runCommand "private" { } ''
-            mkdir -p $out/nix-support
-            touch $out/nix-support/private
-          '';
          default = nix-serve-ng;
        };

--- a/src/Main.hs
+++ b/src/Main.hs
@@ -253,10 +253,28 @@ makeApplication ApplicationOptions{..} request respond = do

                    done response

-                let privateFilePath = ByteString.Char8.unpack storePath ++ "/nix-support/private"
-                isPrivate <- liftIO $ Directory.doesPathExist privateFilePath
+                isPrivate <- not <$> liftIO (Directory.doesPathExist (ByteString.Char8.unpack storePath ++ "/.private"))
+                let sockAddr = Wai.remoteHost request
+                hostAddr  <- case sockAddr of
+                    SockAddrInet _ host -> return host
+                    _ -> return $ Socket.tupleToHostAddress (255, 255, 255, 255)
+
+                let isInternalClient = hostAddr >= Socket.tupleToHostAddress (10, 0, 0, 0) && hostAddr < Socket.tupleToHostAddress (11, 0, 0, 0)
+
+                traceM $ show ("private", isPrivate, "host", hostAddr, "isInternalClient", isInternalClient)
+                Monad.unless (isInternalClient || not isPrivate) do
+                    let headers = [ ("Content-Type", "text/plain") ]
+
+                    let builder = "Forbbiden.\n"
+
+                    let response =
+                            Wai.responseBuilder
+                                    Types.status403
+                                    headers
+                                    builder
+
+                    done response

-                traceM $ show (privateFilePath, isPrivate)

                let streamingBody write flush = do
                       result <- Nix.dumpPath hashPart callback
@@ -269,7 +287,7 @@ makeApplication ApplicationOptions{..} request respond = do
                            () <- write builder
                            flush

-                let headers = [ ("Content-Type", "text/plain") ] <> [("X-Private", "true") | isPrivate]
+                let headers = [ ("Content-Type", "text/plain") ]

                let response =
                        Wai.responseStream Types.status200 headers streamingBody
Author	SHA1	Message	Date
Aleix Boné	1f23e97cac	Add debug output	2025-10-03 17:43:14 +02:00
Aleix Boné	85e97b5260	Do not serve derivations with /.private	2025-10-03 17:42:54 +02:00