New build system using nix

.cargo/config.toml

@@ -1,13 +1,15 @@
 [env]
-COMPILE_ENV = { value = "compile-env", relative = true, force = false }
-PATH = { value = "compile-env/bin", relative = true, force = true }
-LIBCLANG_PATH = { value = "compile-env/lib", relative = true, force = true }
-PKG_CONFIG_PATH = { value = "compile-env/sysroot/x86_64-unknown-linux-gnu/release/lib/pkgconfig", relative = true, force = true }
+DATAPLANE_SYSROOT = { value = "sysroot", relative = true, force = false }
+C_INCLUDE_PATH = { value = "sysroot/include", relative = true, force = false }
+LIBRARY_PATH = { value = "sysroot/lib", relative = true, force = false }
+GW_CRD_PATH = { value = "devroot/src/fabric/config/crd/bases", relative = true, force = false }
+PKG_CONFIG_PATH = { value = "sysroot/lib/pkgconfig", relative = true, force = false }
+LIBCLANG_PATH = { value = "devroot/lib", relative = true, force = false }
+CLANG_PATH = { value = "devroot/bin/clang", relative = true, force = false }
+LLVM_COV = { value = "devroot/bin/llvm-cov", relative = true, force = false }
+LLVM_PROFDATA = { value = "devroot/bin/llvm-profdata", relative = true, force = false }
+CARGO_LLVM_COV_TARGET_DIR = { value = "target/llvm-cov/build", relative = true, force = false }
+CARGO_LLVM_COV_BUILD_DIR = { value = "target/llvm-cov/target", relative = true, force = false }
 
 [build]
-target = "x86_64-unknown-linux-gnu"
-rustc = "compile-env/bin/rustc"
-rustflags = ["--cfg", "tokio_unstable"]
-
-[target.x86_64-unknown-linux-gnu]
-runner = ["scripts/test-runner.sh"]
+rustflags = ["--cfg=tokio_unstable"]

.envrc

@@ -1,46 +1,2 @@
-export PROJECT_DIR="$(pwd)"
-
-if [ -h "${PROJECT_DIR}/compile-env" ] || [ -d "${PROJECT_DIR}/compile-env" ]; then
-    export PATH="${PROJECT_DIR}/compile-env/bin:$PATH"
-    export LIBCLANG_PATH="${PROJECT_DIR}/compile-env/bin"
-    export COMPILE_ENV="${PROJECT_DIR}/compile-env"
-else
-    >&2 echo "no compile environment found"
-    exit 0
-fi
-
-export NEXTEST_EXPERIMENTAL_LIBTEST_JSON=1
-
-CRT="-C target-feature=-crt-static"
-DEBUG="-C debuginfo=full -C split-debuginfo=off -C dwarf-version=5"
-LINKER="-C linker=${COMPILE_ENV}/bin/clang -C link-arg=--ld-path=${COMPILE_ENV}/bin/ld.lld"
-RELRO="-C relro-level=full"
-TARGET_CPU="-C target-cpu=x86-64-v3"
-
-RUSTFLAGS="${CRT} ${DEBUG} ${LINKER} ${RELRO} ${TARGET_CPU}"
-
-OPTIMIZE="-C opt-level=3 -C linker-plugin-lto -C lto=thin -C embed-bitcode=yes -C codegen-units=1"
-
-case ${PROFILE:-DEBUG} in
-    fuzz|FUZZ)
-        COVERAGE="-C instrument-coverage"
-        DEBUG_ASSERTIONS="-C debug-assertions=on"
-        OVERFLOW_CHECK="-C overflow-checks=on"
-        RUSTFLAGS="${RUSTFLAGS} ${COVERAGE} ${DEBUG_ASSERTIONS} ${OVERFLOW_CHECK}"
-        ;;
-    release|RELEASE)
-        RUSTFLAGS="${RUSTFLAGS} ${OPTIMIZE}"
-        ;;
-    debug|DEBUG)
-        DEBUG_ASSERTIONS="-C debug-assertions=on"
-        OPTIMIZE="-C opt-level=0"
-        OVERFLOW_CHECK="-C overflow-checks=on"
-        RUSTFLAGS="${RUSTFLAGS} ${OPTIMIZE} ${DEBUG_ASSERTIONS} ${OVERFLOW_CHECK}"
-        ;;
-    *)
-        >&2 echo "unknown profile"
-        exit 1
-        ;;
-esac
-
-export RUSTFLAGS
+export RUSTC_BOOTSTRAP=1
+export PATH="$(pwd)/devroot/bin:$PATH"

.github/copilot-instructions.md

@@ -59,8 +59,7 @@ This comment should
 2. an array which suggests links to any other open and relevant issues or pull requests you find
    - in this repository
    - in the [dpdk-sys repository][dpdk-sys]
-   - in the [gateway-proto repository][gateway-proto]
-   - in the [gateway repository][gateway]
+   - in the [fabric repository][fabric]
    - in the [testn repository][testn]
    - in the [dplane-rpc repository][dplane-rpc]
 3. followed by a fenced code block in markdown format describing the suggested work to be done.
@@ -99,7 +98,6 @@ The `other` tag should only be used if no other tag is appropriate.
 
 [dev-guide]: ../development/README.md
 [dpdk-sys]: https://github.com/githedgehog/dpdk-sys
-[gateway-proto]: https://github.com/githedgehog/gateway-proto
-[gateway]: https://github.com/githedgehog/gateway
+[fabric]: https://github.com/githedgehog/fabric
 [testn]: https://github.com/githedgehog/testn
 [dplane-rpc]: https://github.com/githedgehog/dplane-rpc

.github/workflows/README.md

@@ -9,6 +9,7 @@ management, and validate changes before they are merged.
 - [Main Development Workflow](#main-development-workflow-devyml)
 - [Linting and Validation Workflows](#linting-and-validation-workflows)
 - [Dependency Management](#dependency-management)
+- [Version Management](#version-management)
 - [License and Security Scanning](#license-and-security-scanning)
 - [Merge Control](#merge-control)
 
@@ -18,44 +19,42 @@ management, and validate changes before they are merged.
 
 ### Purpose
 
-Primary CI workflow that ensures developer experience is good by building and
-testing the codebase in a vanilla Ubuntu environment using standard tooling.
+Primary CI workflow that builds and tests the codebase using the nix-based
+build system. All build steps run inside `nix-shell` to ensure a reproducible
+toolchain matching what developers use locally.
 
-The workflow runs several jobs. Some of them only run if users opt in, such as
-the VLAB/HLAB tests. See the lists of dispatch options and Pull Requests labels
-below for details.
+Production artifacts are produced via nix builds in a separate CI workflow.
 
 ### Triggers
 
 - Pull Requests
 - Pushes to `main` branch
+- Tag pushes (`v*`)
 - Merge group checks
-- Manual dispatch (workflow\_dispatch)
+- Manual dispatch (workflow_dispatch)
 
 ### Main steps
 
 1. Check code changes to determine which tests are required
-2. Build and test across multiple profiles and environments:
-   - Profiles: `debug`, `release`, `fuzz`
-   - Build modes: sterile (clean environment) and developer (local-like
-     environment)
-3. Run cargo deny checks for license and security issues
-4. Push container images (for sterile release/debug builds)
-5. Execute tests:
-   - Regular tests using `cargo nextest`
-   - Shuttle tests (concurrent execution testing)
-   - Fuzz tests with coverage
-6. Run `cargo clippy` for linting
-7. Generate documentation with `rustdoc`
-8. Upload test results and coverage to Codecov
-9. Publish test reports with flaky test detection
-10. Run VLAB/HLAB integration tests (virtual/hybrid lab environments)
+2. Build and test across a matrix of nix targets and profiles:
+   - Nix targets: `tests.all`, `frr.dataplane`, `dataplane`
+   - Profiles: `debug`, `release`
+3. Run `cargo deny` checks for license and security issues
+4. Execute tests:
+   - Regular tests using `cargo nextest` (via `just test`)
+   - Shuttle tests (concurrent execution testing with `features=shuttle`)
+5. Run `cargo clippy` for linting (via `just lint`)
+6. Build documentation with `rustdoc` (via `just docs`)
+7. Run doctests (via `just doctest`)
+8. Push container images to GHCR (for non-test targets)
+9. Run VLAB/HLAB integration tests (virtual/hybrid lab environments)
+10. Publish release artifacts and bump fabricator on tag pushes
 
 ### Manual dispatch options
 
 - `debug_enabled` - Enable tmate session for debugging on failure
 - `debug_justfile` - Show debug statements from just recipes
-- `run_vlab_tests` - Run VLAB (virtual lab) tests
+- `skip_vlab_tests` - Skip VLAB (virtual lab) tests
 - `run_hlab_tests` - Run HLAB (hybrid lab) tests
 - `enable_release_tests` - Enable release tests for VLAB/HLAB
 
@@ -64,27 +63,29 @@ below for details.
 - `ci:+vlab` - Run VLAB tests on this PR
 - `ci:+hlab` - Run HLAB tests on this PR
 - `ci:+release` - Enable release tests for VLAB/HLAB on this PR
+- `ci:-upgrade` - Disable upgrade tests on this PR
 
 ### Job matrix
 
-- Profiles: debug, release, fuzz
-- Build modes: sterile and developer environments
-- VLAB configurations: spine-leaf fabric mode, with/without gateway,
-  L2VNI/L3VNI VPC modes
+- Nix targets: `tests.all` (runs tests, lints, docs), `frr.dataplane`
+  and `dataplane` (build and push containers)
+- Profiles: `debug`, `release`
+- VLAB configurations: spine-leaf fabric mode, L2VNI/L3VNI VPC modes,
+  with gateway enabled
 
 ### Artifacts
 
-- Test results (JUnit XML)
-- Coverage reports (Codecov JSON)
-- Container images pushed to GitHub Container Registry
+- Container images pushed to GitHub Container Registry (GHCR)
+- Release containers published on tag pushes via `just push`
 
 ---
 
 ## Linting and Validation Workflows for Pull Requests
 
 ### Rust Code Formatting (`lint-cargo-fmt.yml`)
 
-Ensure Rust code is consistently formatted using `rustfmt`.
+Ensure Rust code is consistently formatted using `rustfmt`. Runs inside
+`nix-shell` to use the same toolchain version that developers use locally.
 
 ### License Headers Check (`lint-license-headers.yml`)
 
@@ -118,26 +119,47 @@ associated workflow file.
 
 Automatically check for and update Cargo dependencies, creating a Pull Request
 with the changes. Each package is upgraded in a separate commit to ease review.
+Runs inside `nix-shell` for access to the nix-managed toolchain.
 
 #### Triggers
 
 - Weekly schedule: Mondays at 3:18 AM UTC
-- Manual dispatch (workflow\_dispatch)
+- Manual dispatch (workflow_dispatch)
 
 #### Manual dispatch options
 
 - `debug_enabled` - Enable tmate session for debugging on failure
 
 #### Main steps
 
-1. Install required tools (`just`, `cargo-edit`, `cargo-deny`)
-2. Set up build environment
-3. Run `cargo deny check` (pre-upgrade, continue on error)
-4. Run `cargo update` to update within version constraints
-5. Run `cargo upgrade` to find and apply upgrades (including incompatible versions)
-6. Create individual commits for each package upgrade
-7. Run `cargo deny check` again (post-upgrade, must pass)
-8. Create a Pull Request with all upgrade commits
+1. Set up nix environment with cachix binary cache
+2. Run `cargo deny check` (pre-upgrade, continue on error)
+3. Run `cargo update` to update within version constraints
+4. Run `cargo upgrade` to find and apply upgrades (including incompatible
+   versions)
+5. Create individual commits for each package upgrade
+6. Run `cargo deny check` again (post-upgrade, must pass)
+7. Create a Pull Request with all upgrade commits
+
+---
+
+## Version Management
+
+### Version Bump (`version-bump.yml`)
+
+#### Purpose
+
+Bump the dataplane version in `Cargo.toml` and create a Pull Request with the
+change. Runs inside `nix-shell` for access to the nix-managed toolchain.
+
+#### Triggers
+
+- Manual dispatch only (workflow_dispatch)
+
+#### Manual dispatch options
+
+- `new_version` - Explicit version string (e.g. `0.15.0`). If not provided,
+  the minor version is bumped automatically.
 
 ---
 
@@ -156,7 +178,7 @@ Reports are available on the [FOSSA Dashboard].
 
 ### Mergeability Check (`mergeability.yml`)
 
-Block Pull Request merges based if the `dont-merge` label is set.
+Block Pull Request merges if the `dont-merge` label is set.
 
 Runs and checks for the presence of the label on various Pull Request events:
 `synchronize`, `opened`, `reopened`, `labeled`, `unlabeled`.

.github/workflows/bump.yml

@@ -29,40 +29,35 @@ permissions:
 jobs:
   cargo-upgrades:
     runs-on: "lab"
+    env:
+      USER: "runner"
     steps:
-      - name: "login to image cache"
-        run: |
-          echo "$REGISTRY_PASSWORD" | docker login -u "$REGISTRY_USERNAME" --password-stdin "$REGISTRY_URL"
-
       # Use a GitHub App token so that the generated PR can trigger CI
       - name: "Generate GitHub App token"
         id: "app-token"
         uses: "actions/create-github-app-token@v3"
         with:
           app-id: "${{ secrets.DP_APP_ID }}"
           private-key: "${{ secrets.DP_PRIVATE_KEY }}"
-      - name: "install rust"
-        uses: "dtolnay/rust-toolchain@stable"
-      - name: "install ansi2txt"
-        run: |
-          # this keeps our GH actions logs from getting messed up with color codes
-          echo 'deb [trusted=yes] https://apt.gabe565.com /' | sudo tee /etc/apt/sources.list.d/gabe565.list
-          sudo apt-get update
-          sudo apt-get install --yes --no-install-recommends ansi2txt
-      - name: "install binstall"
-        uses: "cargo-bins/cargo-binstall@main"
-      - name: "install upgrade tools"
-        run: |
-          cargo binstall -y cargo-edit # required to make `cargo upgrade` edit the Cargo.toml file
-          cargo binstall -y just
-          cargo binstall -y cargo-deny
+
       - name: "Checkout"
         uses: "actions/checkout@v6"
-      - name: "refresh compile-env"
-        run: |
-          just --yes dpdp_sys_registry="$REGISTRY_URL" refresh-compile-env
-          just --yes fake-nix
-      - name: "deny check (pre)"
+
+      - name: "Install nix"
+        uses: "cachix/install-nix-action@v31"
+        with:
+          github_access_token: "${{ secrets.GITHUB_TOKEN }}"
+          nix_path: "nixpkgs=channel:nixpkgs-unstable"
+
+      - uses: "cachix/cachix-action@v14"
+        with:
+          name: "hedgehog"
+          # prettier-ignore
+          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+          # prettier-ignore
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+
+      - name: "check-dependencies (pre)"
         # Confirm that upstream licenses have not changed in some way that prevents us from using them.
         # We want to do this both before and after we run cargo upgrade to make it easier to decide if
         # the problem existed before the upgrade ran, or if the license issue was introduced by the
@@ -72,8 +67,9 @@ jobs:
         # We run our "pre" check with `continue-on-error` set to true because it is equally possible that the upgrade
         # _resolves_ the license / security issue we have had / would have had without the upgrade.
         run: |
-          just cargo deny check
+          nix-shell --run "just check-dependencies"
         continue-on-error: true
+
       - name: "cargo upgrade"
         id: upgrade
         run: |
@@ -83,7 +79,7 @@ jobs:
 
           # Run "cargo update"
           echo "::notice::Running cargo update"
-          just cargo update
+          nix-shell --run "cargo update"
           if ! git diff --quiet; then
               echo "Found changes after cargo update, creating commit"
               git add Cargo.lock
@@ -92,8 +88,8 @@ jobs:
 
           # Check updates available with "cargo upgrade",
           # then bump each package individually through separate commits
-          echo "::notice::Looking for depencies to upgrade"
-          just cargo upgrade --incompatible=allow --dry-run | tee upgrade_output.txt
+          echo "::notice::Looking for dependencies to upgrade"
+          nix-shell --run "cargo upgrade --incompatible=allow --dry-run" | tee upgrade_output.txt
           sed '/^====/d; /^name .*old req .*new req/d; s/ .*//' upgrade_output.txt > list_packages.txt
           nb_upgrades=$(wc -l < list_packages.txt)
 
@@ -104,7 +100,7 @@ jobs:
           while read -r package; do
               echo "bump(cargo)!: bump $package (cargo upgrade)" | tee commit_msg.txt
               echo '' | tee -a commit_msg.txt
-              just cargo upgrade --incompatible=allow --package "$package" | tee -a commit_msg.txt
+              nix-shell --run "cargo upgrade --incompatible=allow --package $package" | tee -a commit_msg.txt
               git add Cargo.lock Cargo.toml cli/Cargo.toml
               git commit -sF commit_msg.txt
           done < list_packages.txt
@@ -137,9 +133,11 @@ jobs:
           } >> "${GITHUB_OUTPUT}"
 
           rm -f -- upgrade.log upgrade_output.txt list_packages.txt commit_msg.txt
-      - name: "deny check (post)"
+
+      - name: "check-dependencies (post)"
         run: |
-          just cargo deny check
+          nix-shell --run "just check-dependencies"
+
       - name: "Create Pull Request"
         uses: "peter-evans/create-pull-request@v8"
         with: