update(treewide): Update to NixOS 25.11

configuration/hardware-specific/vm.nix

@@ -43,6 +43,14 @@
     source = ../../keys/hosts/staging.key;
   };
 
+  # Pretend the acme renew succeeds.
+  #
+  # TODO(tlater): Set up pebble to retrieve certs "properly"
+  # instead
+  systemd.services."acme-order-renew-tlater.net".script = ''
+    touch out/acme-success
+  '';
+
   virtualisation.vmVariant = {
     virtualisation = {
       memorySize = 3941;

configuration/nginx/ssl.nix

@@ -51,20 +51,9 @@
       paths = [ "/var/lib/acme/tlater.net" ];
     };
 
-    systemd.services = {
+    systemd.services.nginx.serviceConfig.SupplementaryGroups = [
-      nginx.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."tlater.net".group ];
+      config.security.acme.certs."tlater.net".group
-
+    ];
-      # Don't attempt to retrieve a certificate if the domain name
-      # doesn't *actually* match the cert name
-      #
-      # TODO(tlater): Set up pebble to retrieve certs "properly"
-      # instead
-      "acme-tlater.net".serviceConfig.ExecCondition =
-        let
-          confirm = ''[[ "tlater.net" = "${config.services.nginx.domain}" ]]'';
-        in
-        ''${pkgs.runtimeShell} -c '${confirm}' '';
-    };
 
     sops.secrets = {
       "porkbun/api-key".owner = "acme";
@@ -85,10 +74,18 @@
 
             security.acme.certs."tlater.net".extraDomainNames = [ config.services.nginx.domain ];
 
-            services.nginx = {
+            # Pretend the acme renew succeeds.
-              domain = "testHost";
+            #
+            # TODO(tlater): Set up pebble to retrieve certs "properly"
+            # instead
+            systemd.services."acme-order-renew-tlater.net".script = ''
+              touch out/acme-success
+            '';
 
-              virtualHosts."${config.services.nginx.domain}" = {
+            services.nginx = {
+              domain = "testHost.test";
+
+              virtualHosts."${config.services.nginx.domain}.local" = {
                 useACMEHost = "tlater.net";
                 onlySSL = true;
                 enableHSTS = true;
@@ -109,6 +106,7 @@
               { pkgs, ... }:
               {
                 environment.systemPackages = [ pkgs.curl ];
+                networking.hosts."192.168.1.2" = [ "testHost.test" ];
               };
           };
 
@@ -125,7 +123,7 @@
                 "--silent",
                 "--dump-header -",
                 "--cacert /certs/tlater.net/fullchain.pem",
-                "https://testHost",
+                "https://testHost.test",
                 "-o /dev/null"
             ]))
 

configuration/services/foundryvtt.nix

@@ -23,7 +23,7 @@ in
       minifyStaticFiles = true;
       proxySSL = true;
       proxyPort = 443;
-      package = flake-inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_13;
+      package = flake-inputs.foundryvtt.packages.${pkgs.stdenv.hostPlatform.system}.foundryvtt_13;
     };
 
     nginx.virtualHosts."${domain}" =

configuration/services/nextcloud.nix

@@ -5,7 +5,7 @@
   ...
 }:
 let
-  nextcloud = pkgs.nextcloud31;
+  nextcloud = pkgs.nextcloud32;
   hostName = "nextcloud.${config.services.nginx.domain}";
 in
 {
@@ -104,7 +104,7 @@ in
   };
 
   # Ensure that this service doesn't start before postgres is ready
-  systemd.services.nextcloud-setup.after = [ "postgresql.service" ];
+  systemd.services.nextcloud-setup.after = [ "postgresql.target" ];
 
   sops.secrets."nextcloud/tlater" = {
     owner = "nextcloud";

configuration/services/ntfy-sh/default.nix

@@ -17,7 +17,6 @@ in
 
   services.ntfy-sh = {
     enable = true;
-    package = flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.ntfy-sh;
 
     environmentFile = config.sops.secrets."ntfy/users".path;
 

configuration/services/starbound.nix

@@ -19,7 +19,7 @@ in
 
     serviceConfig = {
       ExecStart = "${
-        flake-inputs.self.packages.${pkgs.system}.starbound
+        flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.starbound
       }/bin/launch-starbound ${./configs/starbound.json}";
 
       Type = "simple";

configuration/services/webserver.nix

@@ -20,7 +20,7 @@ in
     after = [ "network.target" ];
 
     script = ''
-      ${lib.getExe flake-inputs.self.packages.${pkgs.system}.webserver}
+      ${lib.getExe flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.webserver}
     '';
 
     environment = {

flake.lock

@@ -255,28 +255,15 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1763509821,
+        "lastModified": 1764522689,
-        "narHash": "sha256-ibZr0ONEUA1W2WAdTzgm9/6jBE+tM20j1YW2FK4RZ/k=",
+        "narHash": "sha256-GzkEBSHGkj8EyOxnxQvl9sx0x2S7JzH0hwCziF176T8=",
-        "rev": "659aa6fa27619d04de231b4cc0c938905dfa01e9",
+        "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.05-small/nixos-25.05.812929.659aa6fa2761/nixexprs.tar.xz?lastModified=1763509821&rev=659aa6fa27619d04de231b4cc0c938905dfa01e9"
+        "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.650.8bb5646e0bed/nixexprs.tar.xz?lastModified=1764522689&rev=8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f"
       },
       "original": {
         "type": "tarball",
-        "url": "https://channels.nixos.org/nixos-25.05-small/nixexprs.tar.xz"
+        "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
-      }
-    },
-    "nixpkgs-unstable": {
-      "locked": {
-        "lastModified": 1763835633,
-        "narHash": "sha256-nzRnw0UkYQpDm0o20AKvG/5oHCXy5qEGOsFAVhB5NmA=",
-        "rev": "050e09e091117c3d7328c7b2b7b577492c43c134",
-        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable/nixos-25.11pre900642.050e09e09111/nixexprs.tar.xz?lastModified=1763835633&rev=050e09e091117c3d7328c7b2b7b577492c43c134"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
       }
     },
     "pre-commit-hooks": {
@@ -325,7 +312,6 @@
         "flint": "flint",
         "foundryvtt": "foundryvtt",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable",
         "sonnenshift": "sonnenshift",
         "sops-nix": "sops-nix"
       }
@@ -338,11 +324,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763619077,
+        "lastModified": 1764578400,
-        "narHash": "sha256-dlfamaoIzFEgwgtzPJuw5Tl5SqjbWcV8CsbP2hVBeuI=",
+        "narHash": "sha256-8V0SpIcYyjpP+nAHfYJDof7CofLTwVVDo5QLZ0epjOQ=",
         "ref": "refs/heads/main",
-        "rev": "64a2c8a3743ea6897ecac6692fba8aebc3389fca",
+        "rev": "bf17617899692c9c2bfebfce87320a4174e6dc28",
-        "revCount": 26,
+        "revCount": 27,
         "type": "git",
         "url": "ssh://git@github.com/sonnenshift/battery-manager"
       },

flake.nix

@@ -2,8 +2,7 @@
   description = "tlater.net host configuration";
 
   inputs = {
-    nixpkgs.url = "https://channels.nixos.org/nixos-25.05-small/nixexprs.tar.xz";
+    nixpkgs.url = "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz";
-    nixpkgs-unstable.url = "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz";
 
     ## Nix/OS utilities
 
@@ -138,10 +137,7 @@
       packages.${system} = {
         default = vm.config.system.build.vm;
       }
-      // import ./pkgs {
+      // import ./pkgs { pkgs = nixpkgs.legacyPackages.${system}; };
-        pkgs = nixpkgs.legacyPackages.${system};
-        flake-inputs = inputs;
-      };
 
       ###################
       # Utility scripts #

modules/crowdsec/default.nix

@@ -271,7 +271,7 @@ in
         # To add completions; sadly need to hand-roll this since
         # neither `symlinkJoin` nor `buildEnv` have collision
         # handling.
-        (pkgs.runCommandNoCCLocal "cscli" { } ''
+        (pkgs.runCommandLocal "cscli" { } ''
           mkdir -p $out
           ln -s ${cscli}/bin $out/bin
           ln -s ${cfg.package}/share $out/share

modules/crowdsec/remediations/cs-firewall-bouncer.nix

@@ -6,7 +6,7 @@
   ...
 }:
 let
-  inherit (flake-inputs.self.packages.${pkgs.system}) crowdsec-firewall-bouncer;
+  inherit (flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}) crowdsec-firewall-bouncer;
 
   crowdsecCfg = config.security.crowdsec;
   cfg = crowdsecCfg.remediationComponents.firewallBouncer;

pkgs/default.nix

@@ -1,8 +1,5 @@
-{ pkgs, flake-inputs }:
+{ pkgs }:
-let
-  inherit (flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}) ast-grep;
-in
 pkgs.lib.packagesFromDirectoryRecursive {
-  callPackage = pkgs.lib.callPackageWith (pkgs // { inherit ast-grep; });
+  inherit (pkgs) callPackage;
   directory = ./packages;
 }