| 27 Jun 2026 |
 hexa (signing key rotation when) | so we have more headroom anyway | 14:42:24 |
| hexa (signing key rotation when) | I have fast-nix-gc prepared locally | 15:22:20 |
 Sergei Zimmerman (xokdvium) | In reply to @emilazy:matrix.org
Sergei Zimmerman (xokdvium): how easy would it be to have an option for "refuse to try building something if some of its outputs are present" that defaults on if fallback paths would be used (i.e. macOS, unsandboxed Linux) and then we could set it on for all of Hydra? Should be doable | 15:25:47 |
 emily | can it extend to "don't try to build if any of the other outputs are able to be substituted"? :) | 15:26:21 |
| Sergei Zimmerman (xokdvium) | In reply to @emilazy:matrix.org
can it extend to "don't try to build if any of the other outputs are able to be substituted"? :) Harder, but maybe doable | 15:29:34 |
| emily | tbh the macOS case is more concerning since at least in principle frankenbuilds without fallback paths should never actually be a problem unless packages are non-reproducible | 15:30:19 |
 Mic92 | In reply to @emilazy:matrix.org
can it extend to "don't try to build if any of the other outputs are able to be substituted"? :) Queue builder always requires inputs to be substituted | 15:38:04 |
| emily | this is siblings though (outputs of the same derivation), rather than inputs | 15:38:23 |
| Mic92 | It could ignore all inputs that haven't been signed by hydra... And sign local paths after upload. | 15:42:58 |
| Mic92 | Or queue runner specifies the content addressed path instead of the input addressed one | 15:45:30 |
| emily | I don't understand what that does for sibling outputs, since those aren't inputs? | 15:52:42 |
| hexa (signing key rotation when) | Jun 27 19:05:46 mimas hydra-evaluator[1724970]: created cached eval 1826650
Jun 27 19:05:46 mimas hydra-evaluator[1867846]: evaluation of jobset ‘nixos:unstable-small (jobset#240)’ succeeded
| 19:08:03 |
| hexa (signing key rotation when) | https://hydra.nixos.org/eval/1826650 | 19:08:09 |
| hexa (signing key rotation when) | does not get listeed in https://hydra.nixos.org/jobset/nixos/unstable-small | 19:09:03 |
| hexa (signing key rotation when) | retrying | 20:24:54 |
| hexa (signing key rotation when) | this time it went … cool. | 20:25:41 |
| 28 Jun 2026 |
|  Eymeric joined the room. | 08:40:34 |
| Eymeric | Hi! From my home Internet connection in Vietnam (ip: 14.160.32.91), https://hydra.nixos.org doesn't work correctly. Instead of the normal Hydra UI, I get a small HTML page with random-looking text (starting with Forward. The man in the middle of the European and Asiatic land-mass, from Portugal to....).
I compared it with machines I have in France and elsewhere. They all resolve the same IP (157.90.104.34), present the same TLS certificate (CN=hydra.nixos.org), and serve the normal Hydra page. The issue also disappears if I use a VPN from Vietnam.
Is there any sort of geo-blocking, filtering, or infrastructure issue that could explain this?
| 08:41:21 |
 Sandro 🐧 | You've run into the bot detection 😂 | 08:43:36 |
| Sandro 🐧 | @hexa:lossy.network | 08:43:56 |
| Eymeric | Could it just be that the IP has a bad reputation or do the bot detection need more hints ? | 08:46:35 |
 Grimmauld (any/all) | is it bot detection or just a funny dns? | 08:46:52 |
| Grimmauld (any/all) | what happens if you dig? | 08:46:58 |
 K900 | It's bot detection | 08:47:16 |
| K900 | Specifically iocaine | 08:47:19 |
| Eymeric | I get the same ip as from france :
dig hydra.nixos.org
; <<>> DiG 9.20.23 <<>> hydra.nixos.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44837
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;hydra.nixos.org. IN A
;; ANSWER SECTION:
hydra.nixos.org. 3600 IN CNAME mimas.nixos.org.
mimas.nixos.org. 3600 IN A 157.90.104.34
;; Query time: 161 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sun Jun 28 15:47:27 +07 2026
;; MSG SIZE rcvd: 80
| 08:47:32 |
| K900 | I assume your AS is on a list somewhere | 08:47:47 |
| K900 | As a lot of the LLM scraperbots use residential connections now to obfuscate their behavior | 08:48:10 |
| Eymeric | hmmm ok so nothing simple to fix it other than switching to a different ip | 08:48:43 |
| K900 | https://github.com/NixOS/infra/blob/8527b8acb0c44c20c592e94eb725e1452592764a/build/hydra-proxy.nix#L50 | 08:49:14 |
