7 changed files with 821 additions and 171 deletions
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
@ -1,5 +1,6 @@
 {
  pkgs,
+  flake-inputs,
  config,
  lib,
  ...
@ -20,7 +21,7 @@ in
  services = {
    matrix-conduit = {
      enable = true;
-      package = pkgs.matrix-continuwuity;
+      package = flake-inputs.continuwuity.packages.${pkgs.system}.default;
      settings.global = {
        address = "127.0.0.1";
        server_name = domain;
--- a/configuration/services/conduit/matrix-hookshot.nix
+++ b/configuration/services/conduit/matrix-hookshot.nix
@ -29,29 +29,16 @@ let
    };

    # Encryption support
-    # TODO(tlater): Enable when
-    # https://github.com/matrix-org/matrix-hookshot/issues/1060 is
-    # fixed
-    # extraSettings = {
-    #   "de.sorunome.msc2409.push_ephemeral" = true;
-    #   push_ephemeral = true;
-    #   "org.matrix.msc3202" = true;
-    # };
+    extraSettings = {
+      "de.sorunome.msc2409.push_ephemeral" = true;
+      push_ephemeral = true;
+      "org.matrix.msc3202" = true;
+    };

    runtimeRegistration = "${cfg.registrationFile}";
  };
 in
 {
-  # users = {
-  #   users.matrix-hookshot = {
-  #     home = "/run/matrix-hookshot";
-  #     group = "matrix-hookshot";
-  #     isSystemUser = true;
-  #   };
-
-  #   groups.matrix-hookshot = { };
-  # };
-
  systemd.services.matrix-hookshot = {
    serviceConfig = {
      Type = lib.mkForce "exec";
@ -62,7 +49,6 @@ in
      # Some library in matrix-hookshot wants a home directory
      Environment = [ "HOME=/run/matrix-hookshot" ];

-      # User = "matrix-hookshot";
      DynamicUser = true;
      StateDirectory = "matrix-hookshot";
      RuntimeDirectory = "matrix-hookshot";
@ -76,11 +62,7 @@ in
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
-      RestrictAddressFamilies = [
-        # "AF_UNIX"
-        "AF_INET"
-        "AF_INET6"
-      ];
+      RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
      LockPersonality = true;
      RestrictRealtime = true;
      ProtectProc = "invisible";
@ -89,11 +71,6 @@ in
    };
  };

-  # services.redis.servers.matrix-hookshot = {
-  #   enable = true;
-  #   user = "matrix-hookshot";
-  # };
-
  services.matrix-hookshot = {
    enable = true;

@ -112,8 +89,6 @@ in

      bot.displayname = "Hookshot";

-      # cache.redisUri = "redis://${config.services.redis.servers.matrix-hookshot.unixSocket}";
-
      generic = {
        enabled = true;
        outbound = false;
@ -123,10 +98,7 @@ in
        allowJsTransformationFunctions = true;
      };

-      # TODO(tlater): Enable when
-      # https://github.com/matrix-org/matrix-hookshot/issues/1060 is
-      # fixed
-      # encryption.storagePath = "/var/lib/matrix-hookshot/cryptostore";
+      encryption.storagePath = "/var/lib/matrix-hookshot/cryptostore";

      permissions = [
        {
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@ -1,4 +1,9 @@
-{ pkgs, config, ... }:
+{
+  pkgs,
+  config,
+  flake-inputs,
+  ...
+}:
 let
  domain = "metrics.${config.services.nginx.domain}";
 in
@ -30,7 +35,7 @@ in

    declarativePlugins = [
      pkgs.grafanaPlugins.victoriametrics-metrics-datasource
-      pkgs.grafanaPlugins.victoriametrics-logs-datasource
+      flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.grafanaPlugins.victoriametrics-logs-datasource
    ];

    provision = {
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@ -5,7 +5,7 @@
  ...
 }:
 let
-  nextcloud = pkgs.nextcloud31;
+  nextcloud = pkgs.nextcloud30;
  hostName = "nextcloud.${config.services.nginx.domain}";
 in
 {
@ -19,10 +19,10 @@ in
          packageOverrides = _: prev: {
            extensions = prev.extensions // {
              pgsql = prev.extensions.pgsql.overrideAttrs (_: {
-                configureFlags = [ "--with-pgsql=${lib.getDev config.services.postgresql.package.pg_config}" ];
+                configureFlags = [ "--with-pgsql=${lib.getDev config.services.postgresql.package}" ];
              });
              pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (_: {
-                configureFlags = [ "--with-pdo-pgsql=${lib.getDev config.services.postgresql.package.pg_config}" ];
+                configureFlags = [ "--with-pdo-pgsql=${lib.getDev config.services.postgresql.package}" ];
              });
            };
          };
--- a/flake.lock
+++ b/flake.lock
--- a/flake.nix
+++ b/flake.nix
@ -2,7 +2,12 @@
  description = "tlater.net host configuration";

  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05-small";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
+    continuwuity = {
+      url = "git+https://forgejo.ellis.link/continuwuation/continuwuity.git?ref=refs/tags/v0.5.0-rc.5";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@ -247,7 +247,10 @@ in
            online_client = {
              # By default, we don't let crowdsec phone home, since
              # this is usually within NixOS users' concerns.
-              sharing = lib.mkDefault false;
+              #
+              # TODO: Enable when this option becomes available
+              # (1.6.4, current nixpkgs-unstable)
+              # sharing = lib.mkDefault false;
              credentials_path = cfg.centralApiCredentials;
            };
          };