Add x86_64 dev binaries and make Postgres setup idempotent

[devin-ai-integration]

Changes

flake.nix - Idempotent Postgres setup

• Replace ephemeral mktemp Postgres data directory with stable .pgdata/ in the repo root
• Make setup idempotent: skip if Postgres is already running, skip user/db creation if they already exist
• Use a sockets/ subdirectory inside .pgdata/ for Unix sockets (fixes /run/postgresql not found error)

x86_64 dev binaries

• continuum-proxy-x86_64: Built via nix build ./privatemode-public#privatemode-proxy.bin (same method as ARM version)
• tinfoil-proxy/dist/tinfoil-proxy-x86_64: Built with CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags="-s -w" -trimpath (same flags as ARM Dockerfile)
• These are NOT imported into Nitro builds — only used for local x86_64 development

.gitignore

• Add .pgdata/, .envrc, .direnv/
• Keep x86_64 tinfoil-proxy binary

Testing

Please test locally on your ARM machine to verify the flake.nix Postgres changes work correctly with nix develop / direnv.

---

Summary by CodeRabbit

• Chores
  • Enhanced development environment setup with improved database persistence and initialization logic.
  • Expanded runtime environment configuration to include additional support files, libraries, and tools for better runtime stability.

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[AnthonyRonning]

@coderabbitai review

[coderabbitai]

Walkthrough

This pull request modifies Git ignore patterns to exclude the local PostgreSQL data directory, updates the Nix build configuration to implement persistent PostgreSQL data storage with on-demand initialization and readiness checks, and enriches the runtime environment with additional binaries and shared libraries.

Changes

Cohort / File(s)	Summary
Gitignore Updates .gitignore	Added .pgdata/ to ignore patterns and expanded binary tracking to include tinfoil-proxy-x86_64 alongside existing .pgdata/ directory exclusion.
Build Configuration & Runtime Setup flake.nix	Refactored PostgreSQL initialization script to use persistent data directory with on-demand setup, socket management, and readiness polling. Expanded root filesystem with additional binaries (libnsm.so, kmstool_enclave_cli), libraries, and Python environment paths. Enhanced entrypoint and app-mode assembly to include opensecret, continuum-proxy, and tinfoil-proxy assets with supporting libraries.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A rabbit hops through databases deep,
Where Postgres now wakes and its data to keep,
With binaries bundled and libraries bright,
The build system dances through Nix-flavored night! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the two main changes: adding x86_64 dev binaries (tinfoil-proxy-x86_64, continuum-proxy-x86_64) and making Postgres setup idempotent with a persistent .pgdata/ directory.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch devin/nix-dev-setup

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

[coderabbitai]

🧹 Nitpick comments (1)

flake.nix (1)

64-93: Well-structured idempotent Postgres setup.

The rework correctly addresses the PR objectives: persistent .pgdata/ directory, skip-if-running logic, and conditional user/database creation. A few observations:

1. Redundant wait: Line 83's -w flag already waits for startup completion, making the until loop on line 86 redundant (though harmless).

2. Potential infinite loop: If pg_ctl start fails (e.g., port conflict, disk full), line 86 will loop indefinitely. Consider adding a timeout or checking pg_ctl exit status.

💡 Optional: Add timeout and error handling

   # Start Postgres
-  ${pkgs.postgresql}/bin/pg_ctl start -D "$PGDATA" -o "-h localhost -p $PGPORT -k $PGSOCKETS" -l "$PGDATA/logfile" -w
+  if ! ${pkgs.postgresql}/bin/pg_ctl start -D "$PGDATA" -o "-h localhost -p $PGPORT -k $PGSOCKETS" -l "$PGDATA/logfile" -w; then
+    echo "Failed to start Postgres. Check $PGDATA/logfile for details."
+    exit 1
+  fi

-  # Wait for it to be ready
-  until ${pkgs.postgresql}/bin/pg_isready -h localhost -p $PGPORT >/dev/null 2>&1; do sleep 0.5; done
+  # The -w flag above already waits, but verify readiness with timeout
+  timeout=30
+  while ! ${pkgs.postgresql}/bin/pg_isready -h localhost -p $PGPORT >/dev/null 2>&1; do
+    timeout=$((timeout - 1))
+    if [ $timeout -le 0 ]; then
+      echo "Postgres failed to become ready. Check $PGDATA/logfile"
+      exit 1
+    fi
+    sleep 1
+  done

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@flake.nix` around lines 64 - 93, The setupPostgresScript currently starts
Postgres with ${pkgs.postgresql}/bin/pg_ctl start -w but then unconditionally
runs an until loop using ${pkgs.postgresql}/bin/pg_isready which can spin
forever if pg_ctl failed; modify setupPostgresScript to detect pg_ctl's exit
status and avoid an infinite loop by either (A) removing the redundant until
when pg_ctl -w succeeds, or (B) keeping the until but add a max retry / timeout
counter and exit non‑zero with an error message if
${pkgs.postgresql}/bin/pg_isready does not become ready within the timeout;
reference the pg_ctl start invocation, the ${pkgs.postgresql}/bin/pg_isready
check, and the PGDATA/PGPORT variables so the script logs failures and returns
failure instead of looping forever.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@flake.nix`:
- Around line 64-93: The setupPostgresScript currently starts Postgres with
${pkgs.postgresql}/bin/pg_ctl start -w but then unconditionally runs an until
loop using ${pkgs.postgresql}/bin/pg_isready which can spin forever if pg_ctl
failed; modify setupPostgresScript to detect pg_ctl's exit status and avoid an
infinite loop by either (A) removing the redundant until when pg_ctl -w
succeeds, or (B) keeping the until but add a max retry / timeout counter and
exit non‑zero with an error message if ${pkgs.postgresql}/bin/pg_isready does
not become ready within the timeout; reference the pg_ctl start invocation, the
${pkgs.postgresql}/bin/pg_isready check, and the PGDATA/PGPORT variables so the
script logs failures and returns failure instead of looping forever.

---

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4808f26 and 1899504.

⛔ Files ignored due to path filters (1)

• tinfoil-proxy/dist/tinfoil-proxy-x86_64 is excluded by !**/dist/**

📒 Files selected for processing (3)

• .gitignore
• continuum-proxy-x86_64
• flake.nix

[coderabbitai]

🧹 Nitpick comments (1)

flake.nix (1)

83-86: Consider adding a timeout to the readiness loop.

If pg_ctl start succeeds but PostgreSQL crashes immediately after, the until loop on line 86 will spin indefinitely. Adding a timeout or iteration limit would prevent the shell from hanging.

♻️ Suggested improvement with timeout

           # Start Postgres
-          ${pkgs.postgresql}/bin/pg_ctl start -D "$PGDATA" -o "-h localhost -p $PGPORT -k $PGSOCKETS" -l "$PGDATA/logfile" -w
+          if ! ${pkgs.postgresql}/bin/pg_ctl start -D "$PGDATA" -o "-h localhost -p $PGPORT -k $PGSOCKETS" -l "$PGDATA/logfile" -w; then
+            echo "Failed to start PostgreSQL. Check $PGDATA/logfile for details." >&2
+            exit 1
+          fi

           # Wait for it to be ready
-          until ${pkgs.postgresql}/bin/pg_isready -h localhost -p $PGPORT >/dev/null 2>&1; do sleep 0.5; done
+          retries=10
+          until ${pkgs.postgresql}/bin/pg_isready -h localhost -p $PGPORT >/dev/null 2>&1; do
+            retries=$((retries - 1))
+            if [ $retries -le 0 ]; then
+              echo "PostgreSQL failed to become ready. Check $PGDATA/logfile for details." >&2
+              exit 1
+            fi
+            sleep 0.5
+          done

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@flake.nix` around lines 83 - 86, The readiness loop using
${pkgs.postgresql}/bin/pg_isready (after ${pkgs.postgresql}/bin/pg_ctl start)
may spin forever if Postgres crashes; modify the until loop to enforce a timeout
by tracking elapsed time or a maximum number of attempts (e.g., MAX_WAIT_SECONDS
or MAX_ATTEMPTS), break and exit non‑zero with a descriptive error if the
timeout is reached, and keep referencing PGDATA and PGPORT variables and the
pg_isready command so the new logic aborts cleanly when Postgres never becomes
ready.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@flake.nix`:
- Around line 83-86: The readiness loop using ${pkgs.postgresql}/bin/pg_isready
(after ${pkgs.postgresql}/bin/pg_ctl start) may spin forever if Postgres
crashes; modify the until loop to enforce a timeout by tracking elapsed time or
a maximum number of attempts (e.g., MAX_WAIT_SECONDS or MAX_ATTEMPTS), break and
exit non‑zero with a descriptive error if the timeout is reached, and keep
referencing PGDATA and PGPORT variables and the pg_isready command so the new
logic aborts cleanly when Postgres never becomes ready.

---

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4808f26 and 1899504.

⛔ Files ignored due to path filters (1)

• tinfoil-proxy/dist/tinfoil-proxy-x86_64 is excluded by !**/dist/**

📒 Files selected for processing (3)

• .gitignore
• continuum-proxy-x86_64
• flake.nix