harmonia-v3.1.0

Changelog

harmonia 3.1.0

Highlights

• No more nix-daemon dependency: harmonia-cache now reads all store
  metadata directly from db.sqlite and no longer connects to nix-daemon at
  all. This halves narinfo latency, removes the daemon as a runtime dependency
  and ordering constraint, and lets the service run in a fully isolated network
  namespace. See Upgrade notes and Performance below. (#985)

Upgrade notes / breaking changes

• daemon_socket config option, the daemon connection pool and its metrics are
  gone. Remove daemon_socket from your config. (#985)
• The service user must be able to read <store-root>/var/nix/db/db.sqlite
  (and the WAL sidecar files). Override the location with the new nix_db_path
  option if your layout is non-standard. NixOS module users need no action.
  (#985)
• TLS private key files that are group- or world-readable are now rejected at
  startup. Tighten permissions to 0600 if affected. (#999)
• The NixOS module no longer orders harmonia-cache after a daemon unit and
  now uses a systemd socket unit. (#985, #1004)

Features

• Content-addressed derivations: New /build-trace-v2 endpoint implementing
  the upstream store-path-keyed build-trace format (worker protocol ≥ 1.38),
  replacing the legacy hash-modulo realisation format. (#975, #976)
• systemd socket activation & sd_notify: harmonia-cache can inherit
  listeners from LISTEN_FDS and emits READY=1 plus watchdog pings. Enables
  on-demand start, binding privileged ports without extra capabilities, restarts
  without dropping the listener, and watchdog auto-recovery. No-op outside
  Linux/systemd. (#1004)
• NixOS module sandboxing: The module now uses a systemd socket unit and
  runs the service inside an empty network namespace with
  RestrictAddressFamilies=AF_UNIX. (#1004)
• Tunable zstd compression: Replaced actix's fixed level-3 Compress
  middleware with a dedicated zstd encoder that pledges the body size and
  defaults to level 1 with long-distance matching (32 MiB window). On a 500 MiB
  closure this is both smaller (ratio 0.276 → 0.262) and ~2× faster. Tunable via
  the new [zstd] config section; compression remains opt-in via
  enable_compression. (#984)

Performance

• Direct SQLite metadata reads: All metadata queries (narinfo, nar,
  ls, serve, build-log, build-trace) are now served straight from
  db.sqlite instead of round-tripping through nix-daemon. narinfo latency
  drops ~49% (158 µs → 82 µs), bringing throughput on par with nix-serve-ng.
  (#985)
• Zero-copy NAR streaming: Reworked the NAR serving path to forward file
  payloads as their original Bytes without copying, batch blocking-pool work
  per directory instead of per file, and enable TCP_NODELAY. ~2× faster on a
  500 MiB closure (839/394/284 ms → 401/179/154 ms at 1/4/16 connections,
  ~3.2 GiB/s peak). (#980, #983)

Security

All items below are defense-in-depth hardening; we are not aware of any
practical exploitation.

• Fixed several XSS vectors in HTML template rendering (reflected Host/
  X-Forwarded-Proto on the landing page, store filenames in /serve/
  directory listings). Low impact: harmonia has no cookies, sessions or
  authenticated state, so this is defense-in-depth rather than a practically
  exploitable issue. (#998)
• Signature comparison is now constant-time and key material is redacted from
  Debug output. (#999)
• harmonia-nar: the NAR parser now bounds entry name length, symlink target
  length and directory nesting depth. (#1000)
• Hardened Range header handling on the NAR endpoint. (#1000)
• Dropped unmaintained rustls-pemfile dependency (RUSTSEC-2025-0134).
  (#1000)
• Internal error details (on-disk paths, libc error strings) are no longer
  leaked in HTTP response bodies. (#1001)
• Bounded zstd LDM encoder concurrency and total connection count to cap
  worst-case memory usage under load. (#1003)

Fixes

• Malformed hashes on .ls and /log/ now return 4xx instead of 500. (#1002)
• narinfo responses now include signatures stored in the Nix database in
  addition to locally generated ones. (#999)
• Fixed CA fixed-output store path computation: flat-hash fetchurl and
  non-sha256 recursive fixed-output derivations previously yielded wrong store
  paths. (#959)
• harmonia-store-remote: drain trailing reply word from nix-daemon for
  AddTempRoot/EnsurePath/AddIndirectRoot/OptimiseStore/AddSignatures/
  AddBuildLog, fixing protocol desync on connection reuse; fixed
  CollectGarbage wire format and __structuredAttrs round-tripping in
  BasicDerivation. (#977)
• Logging: restored info default when RUST_LOG is unset and fixed the NixOS
  module's RUST_LOG so harmonia's own messages are no longer suppressed.
  (#968)

Internal / library

• Replaced ring with pure-Rust crypto in harmonia-utils-hash and
  harmonia-store-core, enabling builds on targets like wasm32. (#964)
• New harmonia-store-aterm crate; ATerm parser now supports the
  DrvWithVersion("xp-dyn-drv") format. (#906, #955)
• harmonia-store-core: Realisation restructured to match upstream key-value
  format, plus fingerprint/signing, Derivation::try_resolve, batched
  try_resolve, DerivationT::map_inputs/apply_rewrites,
  StorePath::to_absolute_path. (#868, #880, #897, #905, #912,
  #913, #915)
• Dependency trimming: dropped serde_with, actix cookies feature, jiff
  (via env_logger default features), unused deps in
  store-core/aterm, and replaced the futures umbrella with
  futures-core/-sink/-util. (#965, #966, #967, #969)

Full Changelog: harmonia-v3.0.0...harmonia-v3.1.0

harmonia-v3.0.0

What's Changed

Highlights

• Rust-based nix daemon replacing C++ nix-daemon:
  harmonia-daemon is a pure-Rust implementation of the Nix daemon protocol that speaks directly to the store database, eliminating the dependency on the C++ nix-daemon
  by @Mic92 in #570
• NixOS module: services.harmonia-dev.daemon.enable:
  New option to run the Rust-based daemon instead of depending on
  the C++ nix-daemon. When enabled, harmonia-cache automatically
  connects to the harmonia-daemon socket. The cache options moved
  under services.harmonia-dev.cache.* (old paths are aliased)
  by @Mic92 in #570
• Prometheus metrics and Grafana dashboard:
  Built-in metrics endpoint with a ready-to-use Grafana dashboard
  by @Mic92 in #570
• Landing page with public keys:
  New landing page showing cache configuration and public keys, with automatic URL scheme detection for HTTP-only deployments
  by @Mic92 in #647
  #653
• Drop support for daemon protocol versions < 1.37:
  Only Nix 2.24+ is now supported
  by @Mic92 in #643

Bug Fixes

• Fix resuming downloads (closes #578)
  by @the-sun-will-rise-tomorrow in
  #600
• Fix chroot store support (fixes #616):
  Use virtual store path for daemon communication when files are physically located elsewhere
  by @Mic92 in #743
• Fix NixOS module with recent nixpkgs:
  lib.mdDoc was removed from nixpkgs, causing build failures
  by @teto in #697
• Improve error messages:
  Replace panics with descriptive error messages throughout
  by @Mic92 in #656
  #657

New Contributors

• @Ericson2314 made their first contribution in
  #658
• @teto made their first contribution in
  #697
• @amaanq made their first contribution in
  #773

Full Changelog:
harmonia-v2.1.0...harmonia-v3.0.0

harmonia-v2.1.0

What's Changed

Improvements

• fix error message if we cannot query nar hash in database by @Mic92 in #544
• Replace libsodium with ed25519-dalek by @liberodark in #545

Dependency updates

• chore(deps): bump serde from 1.0.215 to 1.0.219 by @dependabot in #483, #491, #510, #525
• chore(deps): bump serde_json from 1.0.133 to 1.0.140 by @dependabot in #487, #493, #495, #501, #515
• chore(deps): bump env_logger from 0.11.5 to 0.11.6 by @dependabot in #488
• chore(deps): bump anyhow from 1.0.94 to 1.0.98 by @dependabot in #489, #513, #541
• chore(deps): bump tokio from 1.42.0 to 1.44.2 by @dependabot in #492, #527, #536, #540
• chore(deps): bump log from 0.4.22 to 0.4.27 by @dependabot in #496, #508, #532
• chore(deps): bump openssl from 0.10.68 to 0.10.72 by @dependabot in #498, #499, #504, #538
• chore(deps): bump tempfile from 3.14.0 to 3.19.1 by @dependabot in #500, #505, #524, #531
• chore(deps): bump toml from 0.8.19 to 0.8.20 by @dependabot in #502
• chore(deps): bump pkg-config from 0.3.31 to 0.3.32 by @dependabot in #514
• chore(deps): bump cachix/install-nix-action from 30 to 31 by @dependabot in #523
• chore(deps): bump async-compression from 0.4.18 to 0.4.22 by @dependabot in #528, #533, #535
• chore(deps): bump actix-web from 4.9.0 to 4.10.2 by @dependabot in #526
• chore(deps): bump tokio-util from 0.7.13 to 0.7.14 by @dependabot in #530
• chore(deps): bump askama_escape from 0.10.3 to 0.13.0 by @dependabot in #537
• chore(deps): bump actions/create-github-app-token from 1 to 2 by @dependabot in #539

New Contributors

• @harmonia-ci made their first contribution in #521

Full Changelog: harmonia-v2.0.1...harmonia-v2.1.0

harmonia-v2.0.1

What's Changed

• improve overall config error handling by @Mic92 in #469
• chore(deps): bump anyhow from 1.0.93 to 1.0.94 by @dependabot in #475
• chore(deps): bump tokio-util from 0.7.12 to 0.7.13 by @dependabot in #476
• chore(deps): bump tokio-stream from 0.1.16 to 0.1.17 by @dependabot in #477
• chore(deps): bump tokio from 1.41.1 to 1.42.0 by @dependabot in #478
• fix incorrect version number of 2.0.0 release

Full Changelog: harmonia-v2.0.0...harmonia-v2.0.1

harmonia-v2.0.0

What's Changed

Highlights

Harmonia now provides built-in zstd compression for content. If you had the nginx zstd module configured before, you can now remove it. Nix will automatically use compression when available. This release gets rid of libnix dependencies in Harmonia. This means harmonia no longer has "unsafe" code in its source tree with except for one call to libsodium for signing. Instead harmonia now uses the nix-daemon protocol whenever it needs to reach out to Nix.

Pull requests in details

• re-implement nar signing in rust by @Mic92 in #439
• Implement Binding to Unix Domain Sockets by @lorenzleutgeb in #242
• no longer expose System in narinfo by @Mic92 in #440
• re-implement get_nar_list in rust by @Mic92 in #441
• move crypt_sign_detached out of libnixstore to harmonia by @Mic92 in #442
• Re-implement get_buildlog in rust by @Mic92 in #443
• Implement deamon protocol to get rid of libnix eventually by @Mic92 in #445
• Replace most of libnix with nix daemon implementation by @Mic92 in #462
• enable transparent zstd compression by @Mic92 in #463
• Get rid of libnixstore by @Mic92 in #464
• Make config file optional by @Mic92 in #465
• fix invalid deriver by @Mic92 in #467

New Contributors

• @lorenzleutgeb made their first contribution in #242

Full Changelog: harmonia-v1.0.2...harmonia-v2.0.0

harmonia-v1.0.2

What's Changed

• chore(deps): bump cxx from 1.0.124 to 1.0.126 by @dependabot in #388
• chore(deps): bump serde_json from 1.0.124 to 1.0.125 by @dependabot in #389
• chore(deps): bump cxx-build from 1.0.124 to 1.0.126 by @dependabot in #390
• chore(deps): bump serde from 1.0.206 to 1.0.208 by @dependabot in #391
• chore(deps): bump tokio from 1.39.2 to 1.39.3 by @dependabot in #396
• harmonia: work around infinite recursion regression by @Mic92 in #394
• chore(deps): bump tokio from 1.39.3 to 1.40.0 by @dependabot in #404
• chore(deps): bump cxx-build from 1.0.126 to 1.0.128 by @dependabot in #405
• chore(deps): bump cxx from 1.0.126 to 1.0.128 by @dependabot in #406
• chore(deps): bump serde_json from 1.0.125 to 1.0.127 by @dependabot in #401
• chore(deps): bump serde from 1.0.208 to 1.0.209 by @dependabot in #400
• chore(deps): bump pkg-config from 0.3.30 to 0.3.31 by @dependabot in #417
• chore(deps): bump anyhow from 1.0.86 to 1.0.89 by @dependabot in #415
• chore(deps): bump serde_json from 1.0.127 to 1.0.128 by @dependabot in #411
• chore(deps): bump tokio-stream from 0.1.15 to 0.1.16 by @dependabot in #409
• chore(deps): bump serde from 1.0.209 to 1.0.210 by @dependabot in #410

Full Changelog: harmonia-v1.0.1...harmonia-v1.0.2

harmonia-v1.0.1

What's Changed

• Fix time compilation failure by @a-kenji in #386

New Contributors

• @a-kenji made their first contribution in #386

Full Changelog: harmonia-v1.0.0...harmonia-v1.0.1

harmonia-v1.0.0

What's Changed

• fix build with latest nix version by @Mic92 in #378

Full Changelog: harmonia-v0.9.0...harmonia-v1.0.0

harmonia-v0.9.0

What's Changed

• Sign with multiple signing keys by @clerie in #324
• Serve signatures from Nix store if no signing key is specified by @wentasah in #336
• Add TLS support by @the-sun-will-rise-tomorrow in #366

New Contributors

• @clerie made their first contribution in #324
• @wentasah made their first contribution in #336
• @the-sun-will-rise-tomorrow made their first contribution in #366

Full Changelog: harmonia-v0.8.0...harmonia-v0.9.0

harmonia-v0.8.0

What's Changed

• Added support for non-root Nix store by @Thesola10 in #306

New Contributors

• @Thesola10 made their first contribution in #306

Full Changelog: harmonia-v0.7.5...harmonia-v0.8.0