From 5e14963d513b5d34f397c634f26706a7b82bc28d Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Thu, 28 May 2026 22:05:09 +0100
Subject: [PATCH] =?UTF-8?q?feat(2):=20declarative=20Docker=20Hub=20auth=20?=
 =?UTF-8?q?=E2=80=94=20sops=20dockerhub=5Fauth=20+=20config.json=20templat?=
 =?UTF-8?q?e=20(rate-limit=20fix)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- secrets submodule -> cdd5e0a (adds sops dockerhub_auth = base64 nptest2:PAT).
- nix/modules/secrets.nix: sops.secrets.dockerhub_auth + sops.templates."docker-config.json" renders /root/.docker/config.json (0600 root) so abra/docker pulls authenticate (200/6h per-account) instead of the exhausted 100/6h shared-IP anon limit. Survives 1c rebuild.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 nix/modules/secrets.nix | 20 ++++++++++++++++++++
 secrets | 2 +-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/nix/modules/secrets.nix b/nix/modules/secrets.nix
index f2a9059..4b934c1 100644
--- a/nix/modules/secrets.nix
+++ b/nix/modules/secrets.nix
@@ -48,11 +48,31 @@
 path = "/var/lib/ci-certs/live/privkey.pem";
 mode = "0400"; # private key — root only
 };
+
+ # Phase-2 rate-limit fix (Class A1 registry creds, operator-2026-05-28). Authenticated Docker
+ # Hub pulls (200/6h per-account) replace the exhausted 100/6h shared-IP anonymous limit that
+ # was blocking heavy recipe deploys with `toomanyrequests`. Value is base64("nptest2:")
+ # — i.e. the exact `auth` field docker config.json expects — so the template below is a pure
+ # render with no runtime base64. Read-only PAT; both the host exec runner and manual root
+ # deploys run as root (drone-runner-exec User=root), so /root/.docker/config.json covers both.
+ dockerhub_auth = { };
 };
 
 # EnvironmentFile for the host exec runner: DRONE_RPC_SECRET rendered from the sops secret.
 templates."drone-runner.env".content = ''
 DRONE_RPC_SECRET=${config.sops.placeholder.drone_rpc_secret}
 '';
+
+ # Declarative root docker auth — survives a 1c rebuild (replaces the imperative `docker login`).
+ # abra runs `docker stack deploy` as root and reads this config.json to authenticate Docker Hub
+ # pulls (manifest resolution + image pulls). 0600/root-only since it embeds the PAT.
+ templates."docker-config.json" = {
+ path = "/root/.docker/config.json";
+ mode = "0600";
+ owner = "root";
+ content = ''
+ {"auths":{"https://index.docker.io/v1/":{"auth":"${config.sops.placeholder.dockerhub_auth}"}}}
+ '';
+ };
 };
}
diff --git a/secrets b/secrets
index 2312f1c..cdd5e0a 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit 2312f1cc67a9569c2254181ba7d3cc0cd91c9244
+Subproject commit cdd5e0ad258ab8ffe70b754f11fceb2fe63ee53e
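Review bot: The `templates."docker-config.json"` comment claims the file authenticates "manifest resolution + image pulls", but in swarm mode `docker stack deploy` reads the client's config.json only for the manifest/digest step — the per-node pull is done by the daemon, which has credentials only when the client forwards them (the `--with-registry-auth` behaviour), so the pull half of the rate-limit fix holds only if abra forwards auth; worth confirming against abra's deploy path before this is treated as closed. The rendered JSON is also fragile: `content` interpolates the raw secret, so a sops value stored with a trailing newline (the usual `echo … | base64` artefact) puts a literal newline inside the `auth` string and leaves config.json unparseable, at which point docker (as far as I recall, with only a warning) falls back to the anonymous limit this change exists to avoid. I'd add above `content`: `# NOTE: secret must be base64("user:PAT") with no trailing newline (printf '%s' … | base64 -w0); a stray newline makes this JSON invalid.` Whether sops-nix creates the parent `/root/.docker` for the `path` link is not visible from this hunk; if it does not, the template activation step fails on a fresh 1c rebuild.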