Expose the other remaining options

[grahamc]

Summary by CodeRabbit

• New Features
  • Added public listener options for TFTP, HTTP (":80"), HTTPS (":443"), DHCPv6 listen port (default 547) and explicit baseAddress; exposed a cross-system nixfmt formatter.
• Bug Fixes
  • Service start-up now assembles and respects ordered listen flags and conditional TLS options; firewall rules use the configured DHCPv6 port.
• Chores
  • CI formatting check renamed to nixfmt; packaging/dev-shell naming and several config blocks reformatted for clarity.

[coderabbitai]

📝 Walkthrough

Walkthrough

Added explicit flake outputs and formatter export; replaced nixpkgs-fmt with nixfmt; introduced new public options for TFTP/HTTP/HTTPS/DHCPv6 listen addresses, DHCPv6 listen port, and baseAddress; reworked service ExecStart argument assembly, firewall port wiring, package/makeFlags, and updated tests and CI step.

Changes

Cohort / File(s)	Summary
Flake outputs & formatter flake.nix	Rewrote outputs to an explicit attrset, expanded supportedSystems, and added top-level formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.nixfmt).
DevShell / CI formatting tool flake.nix, .github/workflows/ci.yml	Switched dev shell / format tool references from nixpkgs-fmt to nixfmt; CI job renamed and command changed to nixfmt --check.
NixOS module: options & service args flake.nix	Added public options: tftpListenAddress, httpListenAddress, httpsListenAddress, dhcpv6ListenPort, baseAddress, plus interface/listen placeholders; reworked ExecStart to assemble ordered flags including conditional TLS flags; firewall ports now use cfg.dhcpv6ListenPort.
Packaging / mkiPXE / iPXE flake.nix (packages/... , mkiPXE overrides)	Adjusted cert handling and makeFlags to append TRUST in a single string; updated iPXE override path and reformatted package blocks.
Tests & harness tests/...* , flake.nix	Updated test harness and test scripts to assert new listen-address/port flags and revised topology; adjusted expectations accordingly.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Firewall
    participant DHCPv6macd as "dhcpv6macd"
    participant ArtifactServer as "TFTP/HTTP/HTTPS"

    Note over Client,ArtifactServer: Boot-time interactions using configured listen addresses/ports
    Client->>Firewall: Packet to dhcpv6ListenPort
    Firewall->>DHCPv6macd: Allow/forward to configured port
    DHCPv6macd->>Client: DHCPv6 reply (assign address from baseAddress)
    Client->>ArtifactServer: Fetch boot artifacts from tftp/http/https listen addresses
    ArtifactServer->>Client: Serve boot artifacts

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I stitched new ports and flags with care,
Listen addresses placed for files to share,
baseAddress hops in line, TLS tucked tight,
Nixfmt polishes outputs into sight,
A rabbit's cheer for boot and build tonight.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Expose the other remaining options' is vague and doesn't clearly indicate what options are being exposed or their purpose relative to the changeset.	Use a more descriptive title that specifies which options are exposed (e.g., 'Add configurable listen addresses and base address options for dhcpv6macd') or mentions the key change being made.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch push-xvyvtlwyxpvy

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@flake.nix`:
- Around line 214-228: The firewall rules no longer match the new default listen
ports: update the firewall configuration so it opens TCP 80 and 443 by default
(or derives ports from cfg.httpListenAddress and cfg.httpsListenAddress) and
ensure the DHCPv6 port uses cfg.dhcpv6ListenPort instead of the hardcoded
547/6315; specifically modify the rules that currently open TCP 547 and 6315 to
reference cfg.dhcpv6ListenPort and add rules for port 80 and 443 (or parse the
ports from cfg.httpListenAddress/cfg.httpsListenAddress) so the ExecStart
listeners and firewall stay in sync.

🧹 Nitpick comments (1)

flake.nix (1)

122-148: Clarify listen address format (host:port / IPv6 brackets).
The new options don’t describe the expected address format; without this, IPv6 values can be mis-specified. Consider adding brief examples (e.g., ":80", "0.0.0.0:80", "[::]:80").

✏️ Suggested doc tweak

 tftpListenAddress = lib.mkOption {
   type = lib.types.str;
   default = ":69";
   description = lib.mdDoc ''
-    The address to listen on for TFTP requests.
+    The address to listen on for TFTP requests (format: "IP:port" or ":port"; IPv6 must be bracketed like "[::]:69").
   '';
 };
 ...
 httpListenAddress = lib.mkOption {
   type = lib.types.str;
   default = ":80";
   description = lib.mdDoc ''
-    The address to listen on for HTTP requests.
+    The address to listen on for HTTP requests (format: "IP:port" or ":port"; IPv6 must be bracketed like "[::]:80").
   '';
 };
 ...
 httpsListenAddress = lib.mkOption {
   type = lib.types.str;
   default = ":443";
   description = lib.mdDoc ''
-    The address to listen on for HTTPS requests.
+    The address to listen on for HTTPS requests (format: "IP:port" or ":port"; IPv6 must be bracketed like "[::]:443").
   '';
 };

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@flake.nix`:
- Line 205: Formatting error: the array literal assigned to allowedTCPPorts has
no space before the closing bracket; update the array for the symbol
allowedTCPPorts so it follows nixpkgs-fmt style by inserting a space before the
closing `]` (i.e., change `[ 547]` to include a space before the `]`) and re-run
formatting/CI.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@flake.nix`:
- Around line 262-268: ExecStart is passing literal "null" for optional path
args (cfg.tlsCertFile, cfg.tlsKeyFile, cfg.netbootDirectory) because
lib.escapeShellArgs is given nullOr values; filter out nulls or only concatenate
flag/value pairs when the value != null so empty values become "" to the Go
binary. Update the ExecStart construction that calls lib.escapeShellArgs (and/or
the surrounding list) to use lib.filter (x: x != null) on the argument list or
wrap each flag/value pair with an if check (e.g., include "-tls-cert-file" and
cfg.tlsCertFile only when cfg.tlsCertFile != null) so no "null" string is passed
to the dhcpv6macd binary.
- Around line 137-178: The option descriptions currently wrap text with
lib.mdDoc (for options baseAddress, interface, tftpListenAddress,
httpListenAddress, httpsListenAddress, dhcpv6ListenPort); remove the
lib.mdDoc(...) wrapper and provide the description as a plain string/heredoc
(e.g. ''...'' or "..." directly) so descriptions are just string values, which
avoids the missing mdDoc attribute on newer NixOS versions.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@flake.nix`:
- Line 353: The CI failure shows flake.nix is not formatted; run the Nix
formatter to fix the formatting of the expression that defines formatter (the
line using formatter = forAllSystems (system:
nixpkgs.legacyPackages.${system}.nixfmt)); run `nixfmt flake.nix` (or `nix
develop --command nixfmt flake.nix`) and commit the resulting changes so the
formatter declaration and surrounding file match nixfmt's output.
- Around line 266-271: The tlsCertFile entry is wrapped in an extra nested list
which causes lib.escapeShellArgs to produce malformed command-line arguments;
update the block that builds the "-tls-cert-file" argument (the lib.optionals
(cfg.tlsCertFile != null) [...] construct referencing cfg.tlsCertFile and
"-tls-cert-file") to match the structure used by the tlsKeyFile block so it
returns a flat [ "-tls-cert-file", cfg.tlsCertFile ] pair (no additional inner
list).

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@flake.nix`:
- Around line 145-150: The `interface` option is declared as nullOr str but
later used unguarded as cfg.interface in the firewall attribute path
(networking.firewall.interfaces."${cfg.interface}"), which will fail if null;
fix by either making the option required (change the lib.mkOption type to
lib.types.str for the interface option) or by guarding the firewall block with
lib.mkIf (cfg.interface != null) so the
networking.firewall.interfaces..."${cfg.interface}" stanza is only evaluated
when cfg.interface is non-null; update the declaration around the interface
lib.mkOption or wrap the firewall config accordingly to eliminate interpolation
of null.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@flake.nix`:
- Around line 194-199: The netbootDirectory option (type nullOr lib.types.path)
is missing a default, making it effectively required; add a default = null;
inside the netbootDirectory lib.mkOption block (same pattern used by tlsCertFile
and tlsKeyFile) so the option is truly optional and consistent with the nullOr
type.