feat(fw): channel → nixos-26.05 #128

Merged
dominik.polakovics merged 1 commit from afk/105 into main 2026-06-07 20:33:43 +02:00

Bumps fw to the nixos-26.05 channel (upgrade 3/6 of the staged fleet upgrade) and fixes every breakage the bump surfaces. This is the keystone host: it bumps fw and the microVM guests whose nixpkgs track the host (dev, fj-runner-1/2, web-02). openclaw is a raw QEMU/Ubuntu guest and is untouched. stateVersion stays 22.05.

Changes

  • permittedInsecurePackages → allowInsecurePredicate (host + web-02): 26.05's makePythonWriter interpreter guard force-evaluates the whole pypy2Packages set (via fetch-cargo-vendor-util, pulled in by the users-groups shell-program assertion), tripping the now-insecure pypy2.7-* members — the same guard nb and nas hit. Defining the predicate disables the permittedInsecurePackages list, so the existing openssl-1.1.1w (host) and olm-3.2.16 (web-02, for the matrix bridges) allowances fold into it. web-02 is its own nixpkgs instance and carries its own predicate; there matrix-authentication-service trips the same guard.
  • cmp-spell: 26.05's vimPlugins license manifest mismarks cmp-spell (f3fora, MIT) as unfree; the dev guest's nvim pulls it in via utils/modules/development. Added to fw's explicit allowUnfreePredicate allowlist.
  • docker_29 pin dropped (dev guest): #123 pinned docker_29 to dodge the EOL/insecure docker_28 default on 25.11; 26.05's default docker is maintained, so the temporary pin is removed exactly as its comment promised.
  • microvm /nix/store fsType (fj-runner-1/2, web-02): the pinned microvm.nix rev bind-mounts the /nix/store virtiofs share into place without an fsType, and 26.05 reads fileSystems.*.fsType eagerly (no more "auto" default). Set explicitly on the guests that mount the share directly at /nix/store. The dev guest mounts it at /nix/.ro-store under a writableStoreOverlay, so its /nix/store is the overlay and is unaffected. mkDefault yields once microvm.nix is bumped.
  • lego/acme (shared utils/modules/lego): security.acme.defaults.credentialsFile lost its rename alias in 26.05 → switch to environmentFile (same EnvironmentFile shape, HETZNER_API_KEY=…). environmentFile already works on 25.11, so mail and web-arm (still on 25.11, sharing this module) stay green.

Verification

  • Pre-commit eval green on all 6 hosts: fw + its guests on 26.05; mail and web-arm on 25.11 (validates the shared lego change is backward-compatible); nas/nb (26.05) and amzebs-01 (25.11) unaffected.
  • The two 26.05 build-only gates that slipped earlier bumps are N/A for fw: it has no custom udev rules (so the %-escaping gate that needed nb follow-up #116 can't fire) and sets no allowBroken (a broken-on-26.05 package would fail at eval, which is green).
  • Dry-run build of fw's full system closure (host + all 5 guests) on 26.05 succeeds — the whole closure is instantiable; 1326 paths (≈3 GB) substitute from cache.nixos.org. The remaining from-source derivations are fw's pre-existing custom pins (invidious/Crystal, n8n/pnpm, mautrix-mattermost/Go, ai-mailer/Go), which already build from source today and will compile against the 26.05 toolchain for the first time at deploy. A full local realize was not run — that matches the eval-only bump convention, and the build-on-hardware happens at #106.
  • Build/boot on the real hardware is the paired verify issue #106 (keystone reboot — restarts all 5 guests and blips internal DNS + the git.cloonar.com deploy substrate; needs a maintenance window with local console).

Recovered from a crashed AFK run — the worktree's uncommitted work was intact and was rebased onto current main. Part of the staged 25.11→26.05 fleet upgrade; paired verify: #106.
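The five configuration changes above, collected into one NixOS module as an added example (this is not the PR's own code and not the layout of the Cloonar/nixos repository; only the option names come from the PR text). The secret path, the `dnsProvider`, the placeholder e-mail, the `"none"` fsType for the bind mount and the prefix match on `pypy2.7-*` are assumptions:

```nix
# Added example, not the PR's code: a guest that mounts the virtiofs share
# straight at /nix/store, with each 26.05 adjustment the PR describes.
{ config, lib, pkgs, ... }:

{
  system.stateVersion = "22.05";

  nixpkgs.config = {
    # 25.11 form, kept for reference only. Defining allowInsecurePredicate
    # replaces the default predicate that consults this list, so anything
    # left here would be silently ignored rather than allowed.
    # permittedInsecurePackages = [ "openssl-1.1.1w" ];

    # The list matched on "<pname>-<version>"; rebuild that name so the
    # carried-over allowance keeps its exact-match semantics.
    allowInsecurePredicate = pkg:
      let full = "${lib.getName pkg}-${lib.getVersion pkg}";
      in builtins.elem full [ "openssl-1.1.1w" ]
         # Assumption: the force-evaluated pypy2.7-* members are let through
         # by prefix. The PR says they trip the guard, not how they were allowed.
         || lib.hasPrefix "pypy2.7-" full;

    # Explicit allowlist instead of allowUnfree = true: only the package the
    # 26.05 vimPlugins manifest mislabels is unblocked.
    allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
      "cmp-spell"   # f3fora/cmp-spell is MIT upstream
    ];
  };

  # microvm.nix already supplies device and options for this bind mount; only
  # fsType is missing, and 26.05 evaluates it eagerly. mkDefault lets a bumped
  # microvm.nix take over. "none" is the usual fsType for a bind mount
  # (assumption: the PR does not name the value it chose).
  fileSystems."/nix/store".fsType = lib.mkDefault "none";

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "hostmaster@example.com";   # placeholder
      dnsProvider = "hetzner";            # assumption; lego's hetzner provider reads HETZNER_API_KEY
      # credentialsFile = "/run/secrets/lego-hetzner";  # 25.11 name; its rename alias is gone in 26.05
      environmentFile = "/run/secrets/lego-hetzner";    # same file, same shape: HETZNER_API_KEY=...
    };
  };
}
```

Two caveats a reviewer would check. First, once `allowInsecurePredicate` is defined, every entry still listed in `permittedInsecurePackages` is dead, so the list should be deleted rather than left beside the predicate; the prefix match on `pypy2.7-` is also wider than the original list and should be narrowed or dropped when the `makePythonWriter` guard stops force-evaluating that set. Second, the `fileSystems."/nix/store".fsType` line belongs only on guests that mount the share directly at `/nix/store`; the `dev` guest's `/nix/store` is a `writableStoreOverlay` and must not get it.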

Bump hosts/fw/channel to nixos-26.05 and fix what the upgrade surfaces. This
bumps fw and the microVM guests whose nixpkgs track the host (dev, fj-runner-1/2,
web-02); openclaw is a raw QEMU/Ubuntu guest and is unaffected. stateVersion
stays 22.05.

26.05 removals/regressions handled:

- permittedInsecurePackages -> allowInsecurePredicate: 26.05's makePythonWriter
  interpreter guard force-evaluates the whole pypy2Packages set (via
  fetch-cargo-vendor-util pulled in by the users-groups shell-program assertion),
  tripping the now-insecure pypy2.7-* members. Same guard nb and nas hit. Defining
  the predicate disables the permittedInsecurePackages list, so the existing
  openssl-1.1.1w allowance folds into it. Mirrored on the web-02 guest (its own
  nixpkgs instance) where matrix-authentication-service trips the same guard; its
  olm-3.2.16 allowance folds in there.

- cmp-spell: 26.05's vimPlugins license manifest mismarks cmp-spell (f3fora,
  MIT) as unfree; the dev guest's nvim pulls it in via utils/modules/development.
  Add it to fw's explicit allowUnfreePredicate allowlist.

- docker_29 pin dropped on the dev guest: PR #123 pinned docker_29 to dodge the
  EOL/insecure docker_28 default on 25.11; 26.05's default docker is maintained,
  so the temporary pin is removed as that comment promised.

- microvm /nix/store fsType: the pinned microvm.nix rev bind-mounts the
  /nix/store virtiofs share into place without an fsType, and 26.05 reads
  fileSystems.*.fsType eagerly (no more "auto" default). Set it explicitly on the
  fj-runner and web-02 guests, which mount the share directly at /nix/store. The
  dev guest mounts the share at /nix/.ro-store under a writableStoreOverlay, so
  its /nix/store is the overlay and is unaffected. mkDefault yields once
  microvm.nix is bumped.

- lego/acme (shared module): security.acme.defaults.credentialsFile lost its
  rename alias in 26.05; switch to environmentFile (same EnvironmentFile shape,
  HETZNER_API_KEY=...). environmentFile already works on 25.11, so mail and
  web-arm (still on 25.11, sharing this module) stay green.

Acceptance: pre-commit eval green for fw and its guests on 26.05.
Reference
Cloonar/nixos!128