feat(amzebs-01): channel → nixos-26.05 [upgrade 6/6 · bump] #111

Closed
opened 2026-06-06 12:07:04 +02:00 by dominik.polakovics · 2 comments

Hold until [5/6 · verify] is closed. Then arm: relabel ready-for-agent. Final host.

Task: bump hosts/amzebs-01/channel to nixos-26.05; open PR.

26.05 specifics for amzebs-01:

  • Postfix: sslCert/sslKey removed → migrate to settings.main.smtpd_tls_chain_files only if used (verify; eval flags). Host runs postfix + rspamd.
  • rspamd → 4.0: check config compat.
  • Kernel pin (linuxPackages_6_18) self-disables to 6.18, same as nas.
  • MySQL/MariaDB, php82, nginx: no 26.05 breaking change.
  • stateVersion stays 25.11.

Acceptance: pre-commit eval green against 26.05; PR notes any postfix/rspamd change.

Author
Owner

This was generated by AI during triage.

Scope addition: drop promtail on the 26.05 bump

26.05 removed services.promtail (EOL), so this bump must also drop amzebs-01's ./utils/modules/promtail import (mirror nb/nas: replace with a paused-shipping comment referencing the separate promtail->alloy migration #118). amzebs-01 is a plain promtail client; alloy setup is not in scope here.

Full agent brief will be posted when this issue is armed.

Author
Owner

This was generated by AI during triage.

Agent Brief

Category: enhancement
Summary: Bump amzebs-01 to nixos-26.05 (6/6 — the final host of the staged fleet upgrade) and fix what 26.05 surfaces. Eval-only gate; system.stateVersion stays 25.11.

Current behavior:
amzebs-01 tracks https://channels.nixos.org/nixos-25.11. It runs a Laravel stack (nginx + php82-fpm + MySQL/MariaDB), a loopback-only postfix submission relay configured through the pre-26.05 services.postfix.{hostname,domain,config} options, rspamd (DKIM + ARC signing + postfix milter), and ships journals via grafana-alloy. It declares no nixpkgs.config.permittedInsecurePackages/allowInsecurePredicate, and every ACME cert uses the HTTP-01 challenge (acmeRoot), not DNS-01.

Desired behavior:
amzebs-01 tracks nixos-26.05 and the pre-commit dry-build (eval) is green, with all current runtime behavior preserved. Full build + runtime verification (reboot onto the 6.18 kernel; Laravel/MySQL/mail-filtering checks) is the separate verify job #112 — not this PR.

26.05 changes to handle:

  1. Add a nixpkgs.config.allowInsecurePredicate (eval-blocking, near-certain). 26.05's makePythonWriter interpreter guard is a tautology that force-evaluates the whole pypy2Packages set — pulled in via the users-groups shell-program assertion that evaluates pkgs.fish — tripping the now-insecure pypy2.7-* members (CVE-2025-47273). nb/nas/fw/web-arm all needed this; amzebs-01 will too. It carries no existing insecure allowance, so add a fresh predicate whose only clause is the pypy2.7 prefix (mirror the nb/nas shape, single reason):

    nixpkgs.config.allowInsecurePredicate =
      pkg:
      let name = pkg.name or "${pkg.pname or ""}-${pkg.version or ""}"; in
      lib.hasPrefix "pypy2.7-" name;
    

    If 26.05 additionally flags any other amzebs package insecure, fold it into the same predicate (none expected — there's no openssl-1.1.1v/w allowance to migrate here, unlike the other hosts).

  2. Migrate postfix to the 26.05 settings shape. The RFC-42 postfix rewrite renamed services.postfix.{hostname,domain,config,masterConfig} under services.postfix.settings.{main,master} (keys/values unchanged — only the option path moved). amzebs-01 currently sets hostname, domain, and a config = { … } map. Move them all under settings.main: hostname → settings.main.myhostname, domain → settings.main.mydomain, and merge the config map into settings.main. Watch the duplicate: the config map already sets myhostname, so after folding in the old top-level hostname there must be exactly one settings.main.myhostname — drop the redundant one. mapFiles."header_checks" stays as-is (it survives on 26.05). The host that already runs postfix on 26.05 (mail) is the reference for the exact shape. Pre-commit eval is the gate.

  3. Kernel pin — leave it. boot.kernelPackages = lib.mkIf (lib.versionOlder pkgs.linux.version "6.18.22") (lib.mkDefault pkgs.linuxPackages_6_18) self-disables once the channel default reaches ≥6.18.22 (same as nas). It's a correct guard; no edit needed.

  4. rspamd 4.0 — don't touch the config. The NixOS option surface amzebs uses (services.rspamd.enable/extraConfig/postfix.enable) is eval-safe. rspamd-4.0 config semantics (the dkim_signing/arc/milter_headers blocks) are runtime and are verified at #112 — do not edit the rspamd config speculatively here.

Acceptance criteria:

  • hosts/amzebs-01/channel = https://channels.nixos.org/nixos-26.05
  • nixpkgs.config.allowInsecurePredicate present, covering pypy2.7-* (plus anything else 26.05 eval flags)
  • postfix migrated: hostname/domain/config → settings.main (exactly one myhostname); mapFiles intact; no deprecated postfix option remains
  • system.stateVersion unchanged (25.11)
  • pre-commit dry-build (eval) green for amzebs-01
  • PR opened, Closes #111

Out of scope (confirmed N/A — don't chase these):

  • promtail: already removed fleet-wide (alloy fan-out #125); amzebs imports ./utils/modules/alloy and has no promtail import. This supersedes the 2026-06-07 comment above — there is nothing to drop.
  • postfix sslCert/sslKey/smtpd_tls_*: N/A — postfix is loopback-only (inet_interfaces = loopback-only, localhost-only mynetworks), no inbound TLS, no cert options.
  • ACME credentialsFile → environmentFile: N/A — amzebs uses HTTP-01 (acmeRoot) on every cert; no DNS-01 credentialsFile (this was web-arm-specific).
  • docker_29 pin / postgresql_14 / grafana secret_key: N/A — amzebs has no docker pin, uses MySQL/MariaDB (not postgres), and runs no grafana.
  • New SOPS secret: none — rspamd-dkim-key and mysql-readonly-password already exist; the bump introduces none.
  • Build/runtime verification: amzebs is a remote AWS host; the full 26.05 build, the 6.18 kernel, and Laravel/MySQL/mail-filtering checks are the [6/6 · verify] job (#112).

🎉 Final host — merge + verify puts the whole fleet on 26.05.
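The postfix option move from step 2, as an added example that is not the repo's own code: a small Nix function that folds the legacy `hostname`/`domain`/`config` options into the 26.05 `settings.main` shape and aborts evaluation when the top-level `hostname` and the `config.myhostname` it duplicates disagree. It assumes nixpkgs `lib` is reachable via `NIX_PATH`; the hostname, domain and network values are constructed placeholders.

```nix
# Added example: migrate pre-26.05 services.postfix.{hostname,domain,config}
# into services.postfix.settings.main, keeping exactly one myhostname.
let
  lib = (import <nixpkgs> { }).lib;

  # Constructed stand-in for the 25.11 option values (placeholder names).
  legacy = {
    hostname = "mail.example.invalid";
    domain = "example.invalid";
    config = {
      myhostname = "mail.example.invalid";   # the duplicate the brief warns about
      inet_interfaces = "loopback-only";
      mynetworks = [ "127.0.0.0/8" "[::1]/128" ];
    };
  };

  # Fold the legacy attrset into the new shape. If config.myhostname is set
  # and differs from hostname, fail eval loudly instead of silently picking one.
  migrate = old:
    let
      fromConfig = old.config.myhostname or null;
      conflict = fromConfig != null && fromConfig != old.hostname;
    in
    assert lib.assertMsg (!conflict)
      "postfix: hostname (${old.hostname}) and config.myhostname (${toString fromConfig}) disagree";
    {
      settings.main = (removeAttrs old.config [ "myhostname" ]) // {
        myhostname = old.hostname;   # single source of truth after the move
        mydomain = old.domain;
      };
    };
in
migrate legacy
```

Evaluate with `nix-instantiate --eval --strict` on the file to see the resulting `settings.main` attrset, or change the constructed `config.myhostname` to watch the conflict assertion fire.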

Reference
Cloonar/nixos#111