feat(amzebs-01): channel → nixos-26.05 #142

Merged
dominik.polakovics merged 1 commit from afk/111 into main 2026-06-08 20:56:44 +02:00

Closes #111

Bumps hosts/amzebs-01/channel to nixos-26.05 — the final host (6/6) of the staged 25.11→26.05 fleet upgrade. This is the eval-only PR; the full build + runtime verification (reboot onto the 6.18 kernel, Laravel/MySQL/mail-filtering checks) is the separate verify job #112. system.stateVersion stays 25.11.

26.05 changes handled

  • nixpkgs.config.allowInsecurePredicate (new): permits pypy2.7-* (CVE-2025-47273), which 26.05's makePythonWriter interpreter-guard tautology force-evaluates via the users-groups shell-program assertion (pkgs.fish → fetch-cargo-vendor-util). amzebs carried no prior insecure allowance, so this is a fresh single-reason predicate (mirrors nb/nas). The members never enter the closure — only force-evaluated — so the whole family is permitted by prefix.

  • postfix → RFC-42 settings shape: services.postfix.{hostname,domain,config} moved under services.postfix.settings.main (keys/values unchanged, only the option path moved):

    • hostname → settings.main.myhostname
    • domain → settings.main.mydomain
    • config = { … } → settings.main
    • The old top-level hostname duplicated config.myhostname (both amzebs-01.amz.at), so the merge keeps exactly one settings.main.myhostname.
    • mapFiles."header_checks" unchanged (survives on 26.05).
    • postfix is loopback-only (no inbound TLS), so the removed sslCert/sslKey/smtpd_tls_* options are N/A — no migration needed.

Left as-is (eval-safe; verified at #112)

  • rspamd: config untouched. The NixOS option surface amzebs uses (enable/extraConfig/postfix.enable) is eval-safe; rspamd-4.0 config semantics (dkim_signing/arc/milter_headers) are runtime and are checked at #112.
  • Kernel pin: boot.kernelPackages 6.18 guard self-disables once the channel default reaches ≥6.18.22 (same as nas); no edit needed.

Verification

Pre-commit dry-build (scripts/test-configuration amzebs-01, eval against the 26.05 channel) is green. nixpkgs-fmt clean.

Out of scope (confirmed N/A)

promtail (amzebs is already on alloy, no promtail import); ACME credentialsFile (HTTP-01 only); docker/postgres/grafana pins (none on amzebs); new SOPS secrets (none introduced).

🎉 Final host — merging this puts the whole fleet on 26.05.

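The two 26.05 changes the description walks through, written out as an added NixOS module fragment (illustration only, not the repository's own hosts/amzebs-01 or modules/postfix.nix files): the option paths and the myhostname/mydomain values come from the PR text; the module wrapper, the mapFiles source path and the inet_interfaces key are assumptions.

```nix
# Added illustration of the amzebs-01 26.05 changes; not the project's own files.
{ config, lib, pkgs, ... }:

{
  # Single-reason prefix predicate for the pypy2.7-* family that 26.05's
  # makePythonWriter guard force-evaluates (CVE-2025-47273). The members never
  # enter the closure, so the whole family is allowed by name prefix.
  # Caveat from the PR: allowInsecurePredicate REPLACES the default
  # permittedInsecurePackages list check, so any list entries would be
  # silently ignored; amzebs had none, so nothing is shadowed.
  nixpkgs.config.allowInsecurePredicate = pkg:
    lib.hasPrefix "pypy2.7-" (lib.getName pkg);

  # Before (25.11), the shape the PR migrates away from:
  #   services.postfix.hostname = "amzebs-01.amz.at";
  #   services.postfix.domain   = "amz.at";
  #   services.postfix.config   = { myhostname = "amzebs-01.amz.at"; ... };
  # After (26.05, RFC-42 settings shape): same keys/values, one level deeper,
  # with the duplicated hostname/config.myhostname collapsed into one key.
  services.postfix = {
    enable = true;
    settings.main = {
      myhostname = "amzebs-01.amz.at";
      mydomain = "amz.at";
      # Assumed: the PR only says the instance is loopback-only, which is why
      # no smtpd_tls_* / sslCert / sslKey migration is needed.
      inet_interfaces = "loopback-only";
    };
    # Survives the upgrade unchanged; the source path is assumed.
    mapFiles."header_checks" = ./header_checks;
  };
}
```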
Final host of the staged 25.11→26.05 fleet upgrade (6/6). Eval-only gate;
system.stateVersion stays 25.11. Full build + runtime verification (6.18
kernel, Laravel/MySQL/mail-filtering) is the separate verify job #112.

26.05 changes handled:

- nixpkgs.config.allowInsecurePredicate (new): permits pypy2.7-* (CVE-2025-47273),
  force-evaluated by 26.05's makePythonWriter interpreter-guard tautology via the
  users-groups shell-program assertion. amzebs carried no prior insecure allowance,
  so this is a fresh single-reason predicate (mirrors nb/nas).
- postfix migrated to the RFC-42 settings shape: services.postfix.{hostname,domain,
  config} → settings.main.{myhostname,mydomain,…}. The old top-level hostname
  duplicated config.myhostname, so exactly one settings.main.myhostname remains.
  mapFiles."header_checks" unchanged. postfix is loopback-only, so the removed
  sslCert/sslKey/smtpd_tls_* options are N/A.

Kernel pin (linuxPackages_6_18) and rspamd config left as-is — both eval-safe; the
6.18 kernel guard self-disables once the channel default catches up.

This was generated by AI while landing a PR.

Validation: PASS — final host (6/6) of the staged 25.11→26.05 fleet upgrade.

Checked

  • State: open, mergeable, not a draft.
  • AFK contract: head afk/111 carries a valid Closes #111 — the merge auto-closes the issue and releases the branch claim.
  • Convention: title is Conventional Commits with host scope; no secrets.yaml edits; system.stateVersion untouched (stays 25.11); modules imported by explicit path; nixpkgs-fmt clean.
  • allowInsecurePredicate (configuration.nix): identical pypy2.7- prefix pattern already shipped on fw/nas/nb/web-arm; lib is in module scope. Verified amzebs had no prior permittedInsecurePackages/allowInsecure* on main, so the predicate — which replaces the default list check — shadows nothing. No regression.
  • postfix settings.main (modules/postfix.nix): RFC-42 rewrite migration mirroring what mail already shipped on 26.05. Behaviour-preserving: the dedup'd myhostname and the relocated mydomain keep identical values (amzebs-01.amz.at / amz.at); mapFiles."header_checks" unchanged; no leftover config/hostname/domain.

Verification signal relied on: the repo's declared gate — the pre-commit dry-build (eval against the 26.05 channel), green at commit time. Not re-run.

Caveat (by design, not a blocker): this is the eval-only bump half of the bump/verify pair. The eval gate does not catch 26.05 build-time failures (udevadm verify, broken pkgs) or runtime semantics (reboot onto the 6.18 kernel, Laravel/MySQL, postfix delivery, rspamd DKIM). Those are deferred to the paired verify job #112.

Verdict: ready to merge.

Reference
Cloonar/nixos!142