bump(flake.lock): Update other inputs

configuration/hardware-specific/vm.nix

@@ -43,6 +43,14 @@
     source = ../../keys/hosts/staging.key;
   };
 
+  # Pretend the acme renew succeeds.
+  #
+  # TODO(tlater): Set up pebble to retrieve certs "properly"
+  # instead
+  systemd.services."acme-order-renew-tlater.net".script = ''
+    touch out/acme-success
+  '';
+
   virtualisation.vmVariant = {
     virtualisation = {
       memorySize = 3941;

configuration/nginx/ssl.nix

@@ -51,20 +51,9 @@
       paths = [ "/var/lib/acme/tlater.net" ];
     };
 
-    systemd.services = {
-      nginx.serviceConfig.SupplementaryGroups = [ config.security.acme.certs."tlater.net".group ];
-
-      # Don't attempt to retrieve a certificate if the domain name
-      # doesn't *actually* match the cert name
-      #
-      # TODO(tlater): Set up pebble to retrieve certs "properly"
-      # instead
-      "acme-tlater.net".serviceConfig.ExecCondition =
-        let
-          confirm = ''[[ "tlater.net" = "${config.services.nginx.domain}" ]]'';
-        in
-        ''${pkgs.runtimeShell} -c '${confirm}' '';
-    };
+    systemd.services.nginx.serviceConfig.SupplementaryGroups = [
+      config.security.acme.certs."tlater.net".group
+    ];
 
     sops.secrets = {
       "porkbun/api-key".owner = "acme";
@@ -85,10 +74,18 @@
 
             security.acme.certs."tlater.net".extraDomainNames = [ config.services.nginx.domain ];
 
-            services.nginx = {
-              domain = "testHost";
+            # Pretend the acme renew succeeds.
+            #
+            # TODO(tlater): Set up pebble to retrieve certs "properly"
+            # instead
+            systemd.services."acme-order-renew-tlater.net".script = ''
+              touch out/acme-success
+            '';
 
-              virtualHosts."${config.services.nginx.domain}" = {
+            services.nginx = {
+              domain = "testHost.test";
+
+              virtualHosts."${config.services.nginx.domain}.local" = {
                 useACMEHost = "tlater.net";
                 onlySSL = true;
                 enableHSTS = true;
@@ -109,6 +106,7 @@
               { pkgs, ... }:
               {
                 environment.systemPackages = [ pkgs.curl ];
+                networking.hosts."192.168.1.2" = [ "testHost.test" ];
               };
           };
 
@@ -125,7 +123,7 @@
                 "--silent",
                 "--dump-header -",
                 "--cacert /certs/tlater.net/fullchain.pem",
-                "https://testHost",
+                "https://testHost.test",
                 "-o /dev/null"
             ]))
 

configuration/services/conduit/default.nix

@@ -12,10 +12,7 @@ let
   turn-realm = "turn.${config.services.nginx.domain}";
 in
 {
-  imports = [
-    ./heisenbridge.nix
-    ./matrix-hookshot.nix
-  ];
+  imports = [ ./heisenbridge.nix ];
 
   networking.firewall = {
     allowedTCPPorts = [

configuration/services/conduit/matrix-hookshot.nix

@@ -1,172 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-let
-  matrixLib = pkgs.callPackage ./lib.nix { };
-
-  cfg = config.services.matrix-hookshot;
-  conduitCfg = config.services.matrix-conduit;
-
-  domain = conduitCfg.settings.global.server_name;
-
-  registration = matrixLib.writeRegistrationScript {
-    id = "matrix-hookshot";
-    url = "http://127.0.0.1:9993";
-    sender_localpart = "hookshot";
-
-    namespaces = {
-      aliases = [ ];
-      rooms = [ ];
-      users = [
-        {
-          regex = "@${cfg.settings.generic.userIdPrefix}.*:${domain}";
-          exclusive = true;
-        }
-      ];
-    };
-
-    # Encryption support
-    # TODO(tlater): Enable when
-    # https://github.com/matrix-org/matrix-hookshot/issues/1060 is
-    # fixed
-    # extraSettings = {
-    #   "de.sorunome.msc2409.push_ephemeral" = true;
-    #   push_ephemeral = true;
-    #   "org.matrix.msc3202" = true;
-    # };
-
-    runtimeRegistration = "${cfg.registrationFile}";
-  };
-in
-{
-  # users = {
-  #   users.matrix-hookshot = {
-  #     home = "/run/matrix-hookshot";
-  #     group = "matrix-hookshot";
-  #     isSystemUser = true;
-  #   };
-
-  #   groups.matrix-hookshot = { };
-  # };
-
-  systemd.services.matrix-hookshot = {
-    serviceConfig = {
-      Type = lib.mkForce "exec";
-
-      LoadCredential = "matrix-hookshot:/run/secrets/matrix-hookshot";
-      inherit (registration) ExecStartPre;
-
-      # Some library in matrix-hookshot wants a home directory
-      Environment = [ "HOME=/run/matrix-hookshot" ];
-
-      # User = "matrix-hookshot";
-      DynamicUser = true;
-      StateDirectory = "matrix-hookshot";
-      RuntimeDirectory = "matrix-hookshot";
-      RuntimeDirectoryMode = "0700";
-
-      RestrictNamespaces = true;
-      PrivateUsers = true;
-      ProtectHostname = true;
-      ProtectClock = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true;
-      ProtectControlGroups = true;
-      RestrictAddressFamilies = [
-        # "AF_UNIX"
-        "AF_INET"
-        "AF_INET6"
-      ];
-      LockPersonality = true;
-      RestrictRealtime = true;
-      ProtectProc = "invisible";
-      ProcSubset = "pid";
-      UMask = 77;
-    };
-  };
-
-  # services.redis.servers.matrix-hookshot = {
-  #   enable = true;
-  #   user = "matrix-hookshot";
-  # };
-
-  services.matrix-hookshot = {
-    enable = true;
-
-    serviceDependencies = [ "conduit.service" ];
-
-    registrationFile = "/run/matrix-hookshot/registration.yaml";
-
-    settings = {
-      bridge = {
-        inherit domain;
-        url = "http://localhost:${toString conduitCfg.settings.global.port}";
-        mediaUrl = conduitCfg.settings.global.well_known.client;
-        port = 9993;
-        bindAddress = "127.0.0.1";
-      };
-
-      bot.displayname = "Hookshot";
-
-      # cache.redisUri = "redis://${config.services.redis.servers.matrix-hookshot.unixSocket}";
-
-      generic = {
-        enabled = true;
-        outbound = false;
-        # Only allow webhooks from localhost for the moment
-        urlPrefix = "http://127.0.0.1:9000/webhook";
-        userIdPrefix = "_webhooks_";
-        allowJsTransformationFunctions = true;
-      };
-
-      # TODO(tlater): Enable when
-      # https://github.com/matrix-org/matrix-hookshot/issues/1060 is
-      # fixed
-      # encryption.storagePath = "/var/lib/matrix-hookshot/cryptostore";
-
-      permissions = [
-        {
-          actor = "matrix.tlater.net";
-          services = [
-            {
-              service = "*";
-              level = "notifications";
-            }
-          ];
-        }
-        {
-          actor = "@tlater:matrix.tlater.net";
-          services = [
-            {
-              service = "*";
-              level = "admin";
-            }
-          ];
-        }
-      ];
-
-      listeners = [
-        {
-          port = 9000;
-          resources = [ "webhooks" ];
-        }
-        {
-          port = 9001;
-          resources = [ "metrics" ];
-        }
-      ];
-
-      metrics.enabled = true;
-    };
-  };
-
-  sops.secrets = {
-    # Accessed via systemd cred through /run/secrets/matrix-hookshot
-    "matrix-hookshot/as-token" = { };
-    "matrix-hookshot/hs-token" = { };
-  };
-}

configuration/services/foundryvtt.nix

@@ -23,7 +23,7 @@ in
       minifyStaticFiles = true;
       proxySSL = true;
       proxyPort = 443;
-      package = flake-inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_13;
+      package = flake-inputs.foundryvtt.packages.${pkgs.stdenv.hostPlatform.system}.foundryvtt_13;
     };
 
     nginx.virtualHosts."${domain}" =

configuration/services/immich.nix

@@ -18,6 +18,9 @@ in
       enable = true;
       settings.server.externalDomain = "https://${hostName}";
 
+      # We're using vectorchord now
+      database.enableVectors = false;
+
       environment.IMMICH_TELEMETRY_INCLUDE = "all";
     };
 

configuration/services/metrics/grafana.nix

@@ -57,6 +57,19 @@ in
           access = "proxy";
         }
       ];
+
+      alerting.contactPoints.settings.contactPoints = [
+        {
+          name = "ntfy";
+          receivers = [
+            {
+              uid = "ntfy";
+              type = "webhook";
+              settings.url = "http://${config.services.ntfy-sh.settings.listen-http}/local-alerts?template=grafana";
+            }
+          ];
+        }
+      ];
     };
   };
 

configuration/services/metrics/victoriametrics.nix

@@ -89,10 +89,6 @@ in
         "127.0.0.1:8082"
       ];
 
-      # Configured in the hookshot listeners, but it's hard to filter
-      # the correct values out of that config.
-      matrixHookshot.targets = [ "127.0.0.1:9001" ];
-
       victorialogs.targets = [ config.services.victorialogs.bindAddress ];
     };
   };

configuration/services/nextcloud.nix

@@ -5,7 +5,7 @@
   ...
 }:
 let
-  nextcloud = pkgs.nextcloud31;
+  nextcloud = pkgs.nextcloud32;
   hostName = "nextcloud.${config.services.nginx.domain}";
 in
 {
@@ -104,7 +104,7 @@ in
   };
 
   # Ensure that this service doesn't start before postgres is ready
-  systemd.services.nextcloud-setup.after = [ "postgresql.service" ];
+  systemd.services.nextcloud-setup.after = [ "postgresql.target" ];
 
   sops.secrets."nextcloud/tlater" = {
     owner = "nextcloud";

configuration/services/ntfy-sh/default.nix

@@ -17,7 +17,6 @@ in
 
   services.ntfy-sh = {
     enable = true;
-    package = flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.ntfy-sh;
 
     environmentFile = config.sops.secrets."ntfy/users".path;
 

configuration/services/starbound.nix

@@ -19,7 +19,7 @@ in
 
     serviceConfig = {
       ExecStart = "${
-        flake-inputs.self.packages.${pkgs.system}.starbound
+        flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.starbound
       }/bin/launch-starbound ${./configs/starbound.json}";
 
       Type = "simple";

configuration/services/webserver.nix

@@ -20,7 +20,7 @@ in
     after = [ "network.target" ];
 
     script = ''
-      ${lib.getExe flake-inputs.self.packages.${pkgs.system}.webserver}
+      ${lib.getExe flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.webserver}
     '';
 
     environment = {

flake.lock

@@ -123,11 +123,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1762276996,
-        "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=",
+        "lastModified": 1764350888,
+        "narHash": "sha256-6Rp18zavTlnlZzcoLoBTJMBahL2FycVkw2rAEs3cQvo=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "af087d076d3860760b3323f6b583f4d828c1ac17",
+        "rev": "2055a08fd0e2fd41318279a5355eb8a161accf26",
         "type": "github"
       },
       "original": {
@@ -201,11 +201,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1761916399,
-        "narHash": "sha256-wLZ8km5ftKlIDdHJrFiDQivXc5b+7DRxmBp2347H5g8=",
+        "lastModified": 1764578815,
+        "narHash": "sha256-WZ8+pH/cLjv3geonV3VFwtfa8IuTkPHb60a1ACQpOmc=",
         "owner": "reckenrode",
         "repo": "nix-foundryvtt",
-        "rev": "8cceb7af3dfbe465b5108db5c098b097edf85790",
+        "rev": "1b875fb942c4ef926fd7aade7db327be363f7179",
         "type": "github"
       },
       "original": {
@@ -255,28 +255,15 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1763509821,
-        "narHash": "sha256-ibZr0ONEUA1W2WAdTzgm9/6jBE+tM20j1YW2FK4RZ/k=",
-        "rev": "659aa6fa27619d04de231b4cc0c938905dfa01e9",
+        "lastModified": 1764522689,
+        "narHash": "sha256-GzkEBSHGkj8EyOxnxQvl9sx0x2S7JzH0hwCziF176T8=",
+        "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.05-small/nixos-25.05.812929.659aa6fa2761/nixexprs.tar.xz?lastModified=1763509821&rev=659aa6fa27619d04de231b4cc0c938905dfa01e9"
+        "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.650.8bb5646e0bed/nixexprs.tar.xz?lastModified=1764522689&rev=8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f"
       },
       "original": {
         "type": "tarball",
-        "url": "https://channels.nixos.org/nixos-25.05-small/nixexprs.tar.xz"
-      }
-    },
-    "nixpkgs-unstable": {
-      "locked": {
-        "lastModified": 1763835633,
-        "narHash": "sha256-nzRnw0UkYQpDm0o20AKvG/5oHCXy5qEGOsFAVhB5NmA=",
-        "rev": "050e09e091117c3d7328c7b2b7b577492c43c134",
-        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable/nixos-25.11pre900642.050e09e09111/nixexprs.tar.xz?lastModified=1763835633&rev=050e09e091117c3d7328c7b2b7b577492c43c134"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
+        "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
       }
     },
     "pre-commit-hooks": {
@@ -325,7 +312,6 @@
         "flint": "flint",
         "foundryvtt": "foundryvtt",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-unstable": "nixpkgs-unstable",
         "sonnenshift": "sonnenshift",
         "sops-nix": "sops-nix"
       }
@@ -338,11 +324,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763619077,
-        "narHash": "sha256-dlfamaoIzFEgwgtzPJuw5Tl5SqjbWcV8CsbP2hVBeuI=",
+        "lastModified": 1764578400,
+        "narHash": "sha256-8V0SpIcYyjpP+nAHfYJDof7CofLTwVVDo5QLZ0epjOQ=",
         "ref": "refs/heads/main",
-        "rev": "64a2c8a3743ea6897ecac6692fba8aebc3389fca",
-        "revCount": 26,
+        "rev": "bf17617899692c9c2bfebfce87320a4174e6dc28",
+        "revCount": 27,
         "type": "git",
         "url": "ssh://git@github.com/sonnenshift/battery-manager"
       },
@@ -358,11 +344,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1763607916,
-        "narHash": "sha256-VefBA1JWRXM929mBAFohFUtQJLUnEwZ2vmYUNkFnSjE=",
+        "lastModified": 1764483358,
+        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "877bb495a6f8faf0d89fc10bd142c4b7ed2bcc0b",
+        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,8 +2,7 @@
   description = "tlater.net host configuration";
 
   inputs = {
-    nixpkgs.url = "https://channels.nixos.org/nixos-25.05-small/nixexprs.tar.xz";
-    nixpkgs-unstable.url = "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz";
+    nixpkgs.url = "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz";
 
     ## Nix/OS utilities
 
@@ -138,10 +137,7 @@
       packages.${system} = {
         default = vm.config.system.build.vm;
       }
-      // import ./pkgs {
-        pkgs = nixpkgs.legacyPackages.${system};
-        flake-inputs = inputs;
-      };
+      // import ./pkgs { pkgs = nixpkgs.legacyPackages.${system}; };
 
       ###################
       # Utility scripts #

keys/production.yaml

@@ -20,9 +20,6 @@ steam:
 heisenbridge:
     as-token: ENC[AES256_GCM,data:+2yo6T18j34622H8ZWblAFB2phLw1q0k0vUQEZ5sFj7dQaRnkEiAMi0R3p17Zq0pOtGEC0RRZuPLYkcZ1oKP0w==,iv:lGwrQYp//FufpmJocrLIVyy9RK7lEEVcpAi0wmkjr34=,tag:yV06UbhAYJQz36O2XdhY+A==,type:str]
     hs-token: ENC[AES256_GCM,data:u52WpkQFd/J7JFoE/rfNluebyZQLOokvkVdL7+AEAvrhJhrkJli1ztkD79lbC+6tGUH4tT3T+nX9wvGKnrRUQg==,iv:as+9fVuvMg2IoE2WIKD9mHi+znhNcWRh5Zq+yr0xcDQ=,tag:mZ7fh7U0MfgI8hyq/28Bcg==,type:str]
-matrix-hookshot:
-    as-token: ENC[AES256_GCM,data:nXTanPhDyDF7R3AllLqpM5dzljBrHwlh1KJnTGIi5PhbDY2lPj4+uXkMEwvm1u+hQjPyM7vKZPfK+0/dms6Y7A==,iv:fSakJN+yai0gfOJKFxxaxgyUtk0pNmIeqVgrdq92/24=,tag:Qc7+SUnm5/Nq5+QIScR9kQ==,type:str]
-    hs-token: ENC[AES256_GCM,data:Bwyj0JTTN0NNnwOs1zA8CqbtZSNcvlINeT7QVc2eJiHda92J6vQk7bSxy6KuqCN9DxlUsK13ggYjNORY2vic5w==,iv:Npnp8arYQ3Yb6CXrnKgE03hD7ZjGINPa/DwFI8D+5tA=,tag:FqNE6yI0nF4puEUw9MGAjQ==,type:str]
 wireguard:
     server-key: ENC[AES256_GCM,data:mXb7ZznJHf5CgV8rI4uzPBATMRbmd7LimgtCkQM9kAjbIaGwUBqJZBN3fXs=,iv:3Po1Orinzov9rnEm9cLzgJY1PeD+5Jl9115MriABHh8=,tag:E/2CjDO1JCvJzxCnqKcNyw==,type:str]
 restic:
@@ -32,8 +29,8 @@ turn:
     env: ENC[AES256_GCM,data:kt5nhVo9pb/ZbPUEcqSYXxN9YMgQKnFb5VRfFFS/qoIaJ73uD2fuJKqcxAyVRrdLqnSAWSQBgTgunBzdP7xqLAK2qt8DYAQWHkIe9uxFbSXZpdmw,iv:9lq6SFwTFN4GGm6gPiJpUMasMdnHVF6XLGYrsyG3kjU=,tag:428Qf9DOiiHt/Wjb188b8g==,type:str]
     secret: ENC[AES256_GCM,data:si7ee6Xfhdgdyzbp6aQpF7pz3TmTBb7iQ82lRPVXNDg9JfHI+lbmgAsSnRLX5qMCA6P9R045sSMosqidL8QwRg==,iv:SrhpZKK8D45yxCEfDb9P3TwtA14+qEI+wcRqcN/a6pw=,tag:PiwV+mOL9xHJgJft6sc61g==,type:str]
 sops:
-    lastmodified: "2025-11-29T14:52:24Z"
-    mac: ENC[AES256_GCM,data:RC18s48jxRFQMtbmu74P7G4uhm2yHk9TB0wN7z4g8SNE3nfkYMvHAJqPr3A3dO+T33zkTFcSRm7fhWItUahTCW3fO10u6kDvWbnyjlSuAy86Tkz2iqeW4iSOzKswDptAgb/B+juAHhEMxDnkG5vpPlIcD0SVP89NlflXftogOqw=,iv:2vN2TJvzePzBJfUeBxvGXwGmRsB5sopqyWm9uUv/rzA=,tag:C6UOWrUxVsRMFncL1y1eTQ==,type:str]
+    lastmodified: "2025-12-01T11:39:17Z"
+    mac: ENC[AES256_GCM,data:TwhGOW/V9/IoBifzh1MSwy/ff7ONTnxEmwERD8Yl2E27WG/6dTVz0/nIlZ8KsEKLC6vB2m+sJT+14Q9KCj4Cn/bWV1PmhytktGPxLQpgF55+pZlSK1aLUPLq0hwE93b4MAeOvzoOXtCQguh1dsB2RkinabFoMeZ2xJ7Kc+jHlfA=,iv:Ri8aEA4tssGDv2UuKeza8vs94IovM9GARLIEapb9Ya0=,tag:MDgAffj7ndmMwpw7mBXNRg==,type:str]
     pgp:
         - created_at: "2025-10-03T21:38:48Z"
           enc: |-

keys/staging.yaml

@@ -21,9 +21,6 @@ steam:
 heisenbridge:
     as-token: ENC[AES256_GCM,data:tXbOeo7nv8I=,iv:wJAKcOXX9nGIw4n38ThOoj29u7dUWhsxSQG/p79JlEw=,tag:rTVaGS2UuWcea1uBa8YX2g==,type:str]
     hs-token: ENC[AES256_GCM,data:VBwvwomv0Xg=,iv:q6INtJ+rg+QiXj8uBdBzQYQZUBBXp+9odxDHwvu8Jxc=,tag:XKhm8nxygAkKaiVPJ2Fcdg==,type:str]
-matrix-hookshot:
-    as-token: ENC[AES256_GCM,data:uSUOo4f2KqA=,iv:Xb9G8Ecv6m59m51kDw2bOfq3SMJt4g9/6/EdH74R+KM=,tag:K9MSfO2c2Y4rlf0eYrmTnw==,type:str]
-    hs-token: ENC[AES256_GCM,data:0KsyA06InL4=,iv:zAR0Y1fk8SyodcSLBHlQ8I+BAmttz9Hkd8Q3OREFqs4=,tag:t1Et8N/3seq95DeGoUd7Sw==,type:str]
 wireguard:
     server-key: ENC[AES256_GCM,data:FvY897XdKoa/mckE8JQLCkklsnYD6Wz1wpsu5t3uhEnW3iarnDQxF9msuYU=,iv:jqGXfekM+Vs+J9b5nlZ5Skd1ZKHajoUo2Dc4tMYPm1w=,tag:EehikjI/FCU8wqtpvJRamQ==,type:str]
 restic:
@@ -33,8 +30,8 @@ turn:
     env: ENC[AES256_GCM,data:xjIz/AY109lyiL5N01p5T3HcYco/rM5CJSRTtg==,iv:16bW6OpyOK/QL0QPGQp/Baa9xyT8E3ZsYkwqmjuofk0=,tag:J5re3uKxIykw3YunvQWBgg==,type:str]
     secret: ENC[AES256_GCM,data:eQ7dAocoZtg=,iv:fgzjTPv30WqTKlLy+yMn5MsKQgjhPnwlGFFwYEg3gWs=,tag:1ze33U1NBkgMX/9SiaBNQg==,type:str]
 sops:
-    lastmodified: "2025-11-29T11:54:33Z"
-    mac: ENC[AES256_GCM,data:SaTvwxfARVou/ZjrWfdC8J6je8l89Zuumdz7PkmY2Tl2CQVxZmEt4AyV4bWiCtWhJmfH1Qa8m4Q+DyqimjapgYT5cUB1yxlknp233bB/+5C5k3KozU2hmh80KYgR496FtQvI74p0qw/lw00CGCR3WHNcIc0dbTiDzC90HlOpafg=,iv:vxMCAjpgyWvxk18LalmFhwOb5b2ThCDq1KTaX2OPvpM=,tag:QMA+tC4hs/FBnuVDye38Vg==,type:str]
+    lastmodified: "2025-12-01T11:39:26Z"
+    mac: ENC[AES256_GCM,data:11VQAYk8Am0k8OO6BtU17qpuEhcJ8ylRhJWQNHVAsmi5BCFjD1zU3NkWhtSstPrBcqHMenG+9XuEzpNnbccHI2ru0qlILsQvNj5OKo96FnvYtzApYlApoAzOetCx08Lfxa4RGLN/XCUSuccjBIU2PZRWEK+z+Cm1wHUFeqc1xPc=,iv:6y9j55Cld+GoOVGWAqsEgURRna6dHA2mGZwHVA+ZOE8=,tag:bSZi3nYmYrn3nFT2+RBPUQ==,type:str]
     pgp:
         - created_at: "2025-10-03T21:38:26Z"
           enc: |-

modules/crowdsec/default.nix

@@ -271,7 +271,7 @@ in
         # To add completions; sadly need to hand-roll this since
         # neither `symlinkJoin` nor `buildEnv` have collision
         # handling.
-        (pkgs.runCommandNoCCLocal "cscli" { } ''
+        (pkgs.runCommandLocal "cscli" { } ''
           mkdir -p $out
           ln -s ${cscli}/bin $out/bin
           ln -s ${cfg.package}/share $out/share

modules/crowdsec/remediations/cs-firewall-bouncer.nix

@@ -6,7 +6,7 @@
   ...
 }:
 let
-  inherit (flake-inputs.self.packages.${pkgs.system}) crowdsec-firewall-bouncer;
+  inherit (flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}) crowdsec-firewall-bouncer;
 
   crowdsecCfg = config.security.crowdsec;
   cfg = crowdsecCfg.remediationComponents.firewallBouncer;

pkgs/default.nix

@@ -1,8 +1,5 @@
-{ pkgs, flake-inputs }:
-let
-  inherit (flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}) ast-grep;
-in
+{ pkgs }:
 pkgs.lib.packagesFromDirectoryRecursive {
-  callPackage = pkgs.lib.callPackageWith (pkgs // { inherit ast-grep; });
+  inherit (pkgs) callPackage;
   directory = ./packages;
 }