fix(fw,web-arm): pin docker_29 to unblock fleet eval #123

Merged
dominik.polakovics merged 1 commit from fix/docker_29-eval-unblock into main 2026-06-07 14:55:56 +02:00

What & why

Two coupled changes that unblock the promtail→alloy migration (#118):

1. docker_29 pin — unblock the eval gate

The 25.11 default docker (docker-28.5.2) has been EOL/insecure since Nov 2025 and refuses to evaluate, so the pre-commit hook (which dry-builds all hosts on any shared-path change) was red for fw and web-arm. Fixed on the two hosts still on 25.11:

  • fw dev microVM — pin virtualisation.docker.package = pkgs.docker_29 (docker comes from utils/modules/development).
  • web-arm — pin the same at host level, and redirect sa-core.nix's systemd service path from a bare pkgs.docker (= docker_28, which bypassed the pin) to config.virtualisation.docker.package.

Each host's 26.05 bump makes these redundant (drop them then).

2. alloy sops scaffold — prep for #118

  • .sops.yaml: new creation rule for utils/modules/alloy/ mirroring promtail's exact recipient set.
  • utils/modules/alloy/secrets.yaml: empty placeholder, to be populated out-of-band.

No host imports the alloy module yet, so this part is inert until #121 (PR1).

Follow-up required (manual sops step)

Populate the secret before #121 lands:

nix-shell -p sops --run 'sops utils/modules/alloy/secrets.yaml'

add: alloy-env: LOKI_PASSWORD=<the existing loki password>

Verification

Pre-commit hook green for all six hosts (amzebs-01, fw, mail, nas, nb, web-arm).

Related

  • Part of #118 (promtail→alloy migration)
  • Unblocks #121 (alloy module + nas canary), #122 (fan-out + delete promtail)
The 25.11 default docker (docker_28) has been EOL/insecure since Nov 2025 and refuses to evaluate, reddening the pre-commit gate for every shared-path change. Restore a green fleet eval on the two hosts still on 25.11: pin virtualisation.docker.package = docker_29 on the fw 'dev' microVM (docker comes from utils/modules/development) and on web-arm, and redirect web-arm's sa-core service from a bare pkgs.docker (= docker_28) to the host's docker package. Each host's 26.05 bump makes these redundant.

Also scaffolds the sops plumbing for the upcoming promtail->alloy migration (#118): a .sops.yaml creation rule for utils/modules/alloy/ mirroring promtail's recipients, plus an empty secrets.yaml placeholder to be populated out-of-band. No host imports the alloy module yet, so this is inert until PR1 (#121).
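The pin-and-bypass pattern from the web-arm part of this PR, as an added Nix module for illustration (not a file from the Cloonar/nixos repo): the commented-out `path` is the weak form that silently kept docker_28, the line below it is the corrected one. The `mkIf` guard and the assertion go beyond what the PR does, and the service body, the `system.nixos.release` check and the host name are assumptions.

```nix
# Added illustration of the docker pin / service-path bypass; not the
# repo's own sa-core.nix. Service body and release check are assumed.
{ config, pkgs, lib, ... }:
{
  virtualisation.docker.enable = true;

  # Host-level pin. Guarded so the 26.05 bump drops it automatically
  # instead of relying on someone remembering to delete the line.
  virtualisation.docker.package =
    lib.mkIf (lib.versionOlder config.system.nixos.release "26.05")
      pkgs.docker_29;

  systemd.services.sa-core = {
    # Weak form: a bare pkgs.docker resolves to the 25.11 default
    # (docker_28), so the unit keeps running the EOL binary and the
    # pin above is bypassed without any eval error.
    # path = [ pkgs.docker ];

    # Corrected form: read the option, so the pin is the single
    # source of truth for every consumer on the host.
    path = [ config.virtualisation.docker.package ];

    # Placeholder body; the real unit content is out of scope here.
    script = "docker ps";
  };

  # Eval-time check that the unit really uses the pinned package, so
  # a future edit that reintroduces pkgs.docker fails the dry-build
  # (the same pre-commit gate this PR turned green) instead of
  # shipping an unpinned docker.
  assertions = [{
    assertion = lib.elem config.virtualisation.docker.package
      config.systemd.services.sa-core.path;
    message = "sa-core must use config.virtualisation.docker.package";
  }];
}
```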
dominik.polakovics deleted branch fix/docker_29-eval-unblock 2026-06-07 14:55:56 +02:00
Reference
Cloonar/nixos!123