feat(nas): channel → nixos-26.05 #117

Merged
dominik.polakovics merged 1 commit from afk/103 into main 2026-06-07 12:53:57 +02:00

Bumps hosts/nas/channel to nixos-26.05 (staged fleet upgrade 2/6, after nb).

26.05 removed three things nas depends on, so the bump is more than a one-line channel change. Each removal is handled nas-locally so no other host is touched:

  • pyload vendored. 26.05 removed the pyload-ng package and the services.pyload module (CVEs + unmaintained upstream). Re-provided nas-locally: pkgs/pyload-ng (rebuilds the 25.11 derivation directly — pinned commit, declarative-env patch, relaxed bounds) plus its orphaned deps dukpy and flask-themes2, wired through overlays/pyload-ng.nix. The removed module is vendored as modules/pyload-service.nix under the option path services.pyloadVendored (26.05 forbids redefining the removed services.pyload). The generated unit/user/group are still named pyload, so modules/pyload.nix overrides apply unchanged. CVEs consciously accepted — LAN-only — and gated via allowInsecurePredicate.
  • permittedInsecurePackages → allowInsecurePredicate. Consolidates both insecure allowances: the vendored pyload-ng, and pypy2.7-* (26.05's makePythonWriter interpreter guard force-evaluates the pypy2 set during any Rust package's fetch-cargo-vendor-util; the insecure members never enter the closure).
  • promtail dropped. 26.05 removed services.promtail (Promtail is EOL). ⚠️ This pauses central journald→Loki shipping on nas (local journald is intact). See note below — this is a fleet-wide concern, not nas-specific.

Kernel pin (linuxPackages_6_18) self-collapses on 26.05 as designed (default kernel is already 6.18). stateVersion unchanged (24.05).

Verification

Full nix-build '<nixpkgs/nixos>' -A system against nixos-26.05 — green:

  • builds nixos-system-nas-26.05.1183.6b316287bae2
  • vendored pyload-ng, dukpy, flask-themes2 build and land in the closure (unit-pyload.service realized)
  • udev rules pass 26.05's udevadm verify (eval alone would not catch this)

Closes #103. Reboot/verify onto 26.05 is the human follow-up in #104.

⚠️ Fleet-wide follow-up: promtail removal

utils/modules/promtail is shared by amzebs-01, fw, mail, nas, web-arm. nas is the first to 26.05, so it drops the import here, but every remaining host bump (#105–#112) hits the same removal. There is currently no tracking issue for migrating central logging to grafana-alloy (or formally retiring it). Worth filing before the next host bump so logging isn't silently lost fleet-wide.

Flip hosts/nas/channel to nixos-26.05 and fix what the bump surfaced. The
kernel pin (linuxPackages_6_18 behind versionOlder 6.18.22) self-disables as
designed — 26.05 ships 6.18.34. stateVersion stays 24.05.

26.05 removals/regressions handled, all scoped to hosts/nas:

- pypy2.7-*: 26.05's makePythonWriter interpreter guard force-evaluates the
  whole pypy2Packages set (via fetch-cargo-vendor-util for any fetchCargoVendor
  Rust package, e.g. pkgs.fish, pulled in by the users-groups shell-program
  assertion), tripping now-insecure pypy2.7-setuptools. Add an
  allowInsecurePredicate permitting pypy2.7-* by prefix (mirrors nb). Since the
  predicate replaces the permittedInsecurePackages list, the existing pyload-ng
  allowance is folded into it.

- services.pyload removed: vendor the 25.11 module locally as
  services.pyloadVendored (renamed to avoid the rename.nix removed-option
  collision). The generated service/user keep the pyload name, so pyload.nix's
  overrides apply unchanged.

- pyload-ng package removed (+ orphaned deps dukpy, flask-themes2): vendor all
  three nas-locally via an overlay shadowing the shared one. CVE acceptance is
  unchanged (knownVulnerabilities carried over, still gated by the predicate);
  pyload stays LAN-only.

- services.promtail removed (EOL): drop the promtail import from nas. Central
  journald->loki shipping is paused pending a fleet-wide migration to
  grafana-alloy; local journald is unaffected.

Kept entirely under hosts/nas so the pre-commit hook rebuilds only nas.
Verified: nas eval is green and a full system-closure build succeeds on 26.05.
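The predicate described in the PR text and in the commit message above, written out as an added example (not a module from the Cloonar/nixos repository): a nas-scoped `nixpkgs.config` that folds the pypy2.7-* prefix allowance and the exact pyload-ng allowance into one `allowInsecurePredicate`. The module shape and the comment about `permittedInsecurePackages` being bypassed reflect how nixpkgs' default predicate works; the file itself is hypothetical.

```nix
# Added example, not the repository's own module. Intended to live under
# hosts/nas so only the nas closure is affected.
{ lib, ... }:
{
  nixpkgs.config = {
    # nixpkgs' default allowInsecurePredicate is the only thing that reads
    # permittedInsecurePackages. Setting our own predicate replaces that
    # default, so entries in this list are silently ignored from then on.
    # Kept explicitly empty so nobody re-adds an allowance here and
    # wonders why it has no effect.
    permittedInsecurePackages = [ ];

    allowInsecurePredicate = pkg:
      let
        # pname without the version suffix, e.g. "pypy2.7-setuptools".
        name = lib.getName pkg;
      in
      # pypy2.7-*: only force-evaluated by the makePythonWriter interpreter
      # guard during fetch-cargo-vendor-util; these derivations never enter
      # the system closure, so a prefix match is an acceptable scope here.
      lib.hasPrefix "pypy2.7-" name
      # pyload-ng: the vendored package with knownVulnerabilities carried
      # over, accepted knowingly for a LAN-only service. Matched on the
      # exact pname, not a prefix, so no other insecure package can ride
      # in on this allowance.
      || name == "pyload-ng";
  };
}
```

To confirm the predicate is the only gate in effect, temporarily set `allowInsecurePredicate = pkg: false;` and rebuild: the evaluation should fail on exactly the two packages named above and nothing else.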

This was generated by AI during triage.

Filed the promtail→alloy migration as #118 (the fleet-wide follow-up noted above). Per its sequencing, it should land before fw (#105) is armed so the remaining 26.05 bumps don't silently lose central logging.

Reference
Cloonar/nixos!117