feat(web-arm): channel → nixos-26.05 #141

Merged
dominik.polakovics merged 1 commit from afk/109 into main 2026-06-08 13:41:19 +02:00

Bumps web-arm to nixos-26.05 — 5/6 of the staged fleet upgrade (#101–#112). stateVersion stays 22.05. This is the eval-only gate; full build/runtime verification on the aarch64 host is the separate verify job (#110).

Changes

  • Channel → nixos-26.05.
  • permittedInsecurePackages → allowInsecurePredicate covering pypy2.7-* (prefix) + openssl-1.1.1v/openssl-1.1.1w, mirroring nb/nas/fw. 26.05's makePythonWriter interpreter guard force-evaluates the whole pypy2Packages set (via the users-groups shell-program assertion); defining the predicate disables the old list, so the openssl allowances fold into the same predicate.
  • Dropped the docker_29 pin and reverted the sa-core (ScanA11y) scanner path to the default pkgs.docker. The pin + its redirect were 25.11-only workarounds (#123); 26.05's default docker is maintained.
  • ACME credentialsFile → environmentFile on every per-site cert (fueltide.io ×6, reptide.eu ×4, api.reptide.eu ×1) and in the powersync module ×1. 26.05 dropped the credentialsFile rename alias; environmentFile (same EnvironmentFile shape) is valid on both channels.
  • Grafana security.secret_key wired to the existing grafana-secret-key sops secret (owner = "grafana") via the file-provider ($__file{…}). 26.05 removed the default and adds a hard non-null assertion. The value preserves the historical 25.11 module default so the already-encrypted datasource secrets stay readable — rotating to a strong key is a separate, deliberate step.
  • postgresql_14 confirmed present on the nixos-26.05 branch — pin kept, no major migration.

Secrets

No secret editing required — grafana-secret-key was already added to hosts/web-arm/secrets.yaml in b0bd638 (value = the old SW2YcwTIb9zpOOhoPsMm default). This PR only declares + references it.

Verification

  • Pre-commit dry-build (eval) green for web-arm.
  • Out of scope (per #109): build/runtime verification of web-arm's services (nextcloud, collabora, mysql, matomo, typo3, bitwarden, rustdesk, atticd, victoriametrics, powersync) — aarch64, runs on the host at deploy. That's the [5/6 · verify] job (#110).

Closes #109
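The three 26.05-driven changes in this PR (the insecure-package predicate, the ACME environmentFile rename, and the non-null Grafana secret_key fed from sops) are all small NixOS module settings. The fragment below is an added illustration of how those three pieces fit together in one host module; it is not the repository's own web-arm module. It assumes sops-nix is imported with a defaultSopsFile for the host and that the rest of the ACME setup (acceptTerms, defaults, the DNS provider) lives elsewhere; the secret name acme-dns-env is a placeholder for this example.

```nix
{ config, lib, pkgs, ... }:

let
  # nixpkgs matches permittedInsecurePackages against `name`, falling back to
  # "${pname}-${version}". Using the same string here means every entry from the
  # old list carries over to the predicate unchanged.
  nameWithVersion = pkg: pkg.name or "${pkg.pname}-${pkg.version}";
in
{
  # Replaces nixpkgs.config.permittedInsecurePackages. Defining the predicate
  # disables the list entirely, so the openssl allowances must move in here too.
  nixpkgs.config.allowInsecurePredicate = pkg:
    let n = nameWithVersion pkg; in
    lib.hasPrefix "pypy2.7-" n
    || builtins.elem n [ "openssl-1.1.1v" "openssl-1.1.1w" ];

  # ACME: per-cert DNS-01 credentials. `credentialsFile` was only a rename alias
  # and is gone in 26.05; `environmentFile` has the same systemd EnvironmentFile
  # shape (KEY=value lines) and is valid on 25.11 as well.
  # "acme-dns-env" is an assumed secret name for this example.
  sops.secrets."acme-dns-env" = { };
  security.acme.certs."fueltide.io".environmentFile =
    config.sops.secrets."acme-dns-env".path;

  # Grafana: 26.05 removed the default secret_key and asserts it is non-null.
  # Read it through Grafana's file provider so the key is never written into the
  # world-readable Nix store; the file must be readable by the grafana user.
  sops.secrets."grafana-secret-key".owner = "grafana";
  services.grafana.settings.security.secret_key =
    "$__file{${config.sops.secrets."grafana-secret-key".path}}";
}
```

One quick check that the predicate says what you mean, assuming the host is exposed as a flake output (an assumption, not something the PR states): in `nix repl` on the flake, `nixosConfigurations.web-arm.config.nixpkgs.config.allowInsecurePredicate { name = "openssl-1.1.1w"; }` should return `true`, while `{ name = "openssl-1.1.1u"; }` and any docker name should return `false`. The latter is what makes the green eval meaningful as evidence that the channel's default docker is not flagged insecure.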

Bump web-arm to nixos-26.05 (5/6 of the staged fleet upgrade) and handle
what 26.05 surfaces. stateVersion stays 22.05; this is the eval-only gate
(#109), full build/runtime verification is the separate verify job (#110).

- permittedInsecurePackages → allowInsecurePredicate (pypy2.7-* prefix +
  openssl-1.1.1v/w), mirroring nb/nas/fw: 26.05's makePythonWriter guard
  force-evaluates pypy2Packages via the users-groups shell-program assertion.
- Drop the temporary docker_29 pin and revert the sa-core scanner path to the
  default pkgs.docker (26.05's default docker is maintained; the pin + its
  redirect were 25.11-only workarounds from #123).
- ACME credentialsFile → environmentFile on every per-site cert and in the
  powersync module (26.05 dropped the credentialsFile rename alias;
  environmentFile is valid on both channels).
- Wire grafana security.secret_key to the existing grafana-secret-key sops
  secret via a file-provider (26.05 removed the default and asserts non-null).
  Value preserves the historical 25.11 module default so the already-encrypted
  datasource secrets stay readable; rotating to a strong key is separate.
- postgresql_14 confirmed present on 26.05 — pin kept, no major migration.

Closes #109

This was generated by AI while landing a PR.

Validation: PASS (/land-pr audit of #141: web-arm → nixos-26.05, 5/6 of the staged fleet upgrade #101–#112).

Checked

  • AFK contract: Closes #109 present and correct (the [5/6 · bump] issue, open). Sequencing hold satisfied — the paired prior verify #108 (mail, 4/6) is closed.
  • Conventions: title is Conventional Commits + host scope; the diff hand-edits no secrets.yaml; system.stateVersion untouched (stays 22.05); modules imported by explicit path.
  • allowInsecurePredicate (replaces permittedInsecurePackages): lib is in scope ({ config, lib, pkgs, ... }); grep confirms no other module in web-arm's closure sets permittedInsecurePackages or allowInsecurePredicate, so nothing is silently un-permitted. Mirrors nb/nas/fw. Carries over the two openssl-1.1.1{v,w} allowances.
  • docker pin drop + sa-core → pkgs.docker: both docker references now resolve to the channel default — consistent.
  • ACME credentialsFile → environmentFile ×12: branch grep confirms zero credentialsFile option assignments remain in web-arm's closure; matches the already-migrated shared utils/modules/lego/lego.nix default (documented behavior-preserving rename, same EnvironmentFile shape).
  • Grafana secret_key: wired to the grafana-secret-key SOPS secret, which exists in hosts/web-arm/secrets.yaml (added in b0bd638, owner = "grafana"); preserves the historical 25.11 default so encrypted datasource secrets stay readable.

Verification signal relied on: the repo's commit-time pre-commit dry-build (eval), reported green in the PR body — not re-run, per the repo's gate model. Caveats stated for the record:

  • eval is arch-agnostic: it does not exercise web-arm's aarch64 build or service runtime. That is deliberately out of scope here and tracked in the paired verify issue #110 (reboot + verify nextcloud / postgres / PowerSync / Grafana datasources / etc.).
  • The diff changes no derivation src/*Hash, so the eval-only build-gap does not bite this diff.
  • "26.05's default docker is maintained" is eval-gated — the predicate carries no docker entry, so a green eval is itself the proof that 26.05's pkgs.docker isn't flagged insecure (the nixos MCP index doesn't yet carry 26.05 to confirm the version independently).

No blockers.

Reference
Cloonar/nixos!141