Document NixOS 24.11 upgrade impact analysis

Key findings:
- PostgreSQL defaults to 16 (must pin to 15)
- Forgejo 7.0→9.0 (review release notes, backup DB)
- conduwuit discontinued (we use continuwuity fork, OK)
- mautrix-slack, nginx, ACME: no breaking changes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/nixos-24.11-upgrade-notes.md

@@ -0,0 +1,109 @@
+# NixOS 24.11 Upgrade Notes for ops-jrz1
+
+Review completed: 2026-01-10
+
+## Summary
+
+| Component | Impact | Action Required |
+|-----------|--------|-----------------|
+| PostgreSQL | HIGH | Pin to v15 before upgrade |
+| Forgejo | MEDIUM | Review 8.0/9.0 release notes |
+| Matrix (continuwuity) | NONE | Already using the fork |
+| mautrix-slack | NONE | No breaking changes |
+| nginx | NONE | We don't use gd/geoip |
+| Python | LOW | Monitor maubot |
+| ACME | NONE | No changes |
+
+## PostgreSQL
+
+**Change:** Default version bumped from 15 to 16. PostgreSQL 12 removed.
+
+**Risk:** If we upgrade without pinning, PostgreSQL will upgrade to 16 which requires `pg_upgrade` or dump/restore.
+
+**Action:** Pin to PostgreSQL 15 before upgrade (task 7qg):
+```nix
+services.postgresql.package = pkgs.postgresql_15;
+```
+
+**Other changes:**
+- `enableSystemd` → `systemdSupport` (we don't override this)
+- `initdbArgs` now shell-escaped (shouldn't affect us)
+- Hardened systemd settings by default (good)
+
+## Forgejo
+
+**Change:** Major upgrade path 7.0 → 9.0 (skipping 8.0).
+
+**Breaking changes:**
+- `services.forgejo.mailerPasswordFile` deprecated → use `services.forgejo.secrets.mailer.PASSWD`
+- Package defaults to `forgejo-lts` now
+- PAM authentication removed (we don't use it)
+
+**Action:** We don't use mailer, so no config changes needed. But should review:
+- [Forgejo 8.0 release notes](https://forgejo.org/releases/)
+- [Forgejo 9.0 release notes](https://forgejo.org/releases/)
+
+**Risk:** Database migrations run automatically. Backup before upgrade.
+
+## Matrix (conduwuit → continuwuity)
+
+**Change:** Upstream conduwuit discontinued in April 2025. Repository deleted.
+
+**Impact on us:** NONE - we already use `matrix-continuwuity` which is the community fork.
+
+**Note:** conduwuit package marked vulnerable in nixpkgs, will be removed in 25.11. Our config already uses the correct fork.
+
+## mautrix-slack
+
+**Change:** No breaking changes documented for 24.11.
+
+**Note:** The NixOS module may have been added/improved in this cycle. Our custom module should continue to work.
+
+**Related:** mautrix-meta (Facebook/Instagram) updated to 0.4 with breaking changes, but we don't use it.
+
+## nginx
+
+**Change:** `gd` and `geoip` dependencies removed from default build.
+
+**Impact:** NONE - we don't use image filter or GeoIP features.
+
+**If needed later:**
+```nix
+services.nginx.package = pkgs.nginx.override {
+  withImageFilter = true;
+  withGeoIP = true;
+};
+```
+
+## Python
+
+**Change:** `override` and `overrideDerivation` removed from buildPythonPackage in favor of `overridePythonAttrs`.
+
+**Impact:** LOW - affects package overrides, not runtime. Maubot should work fine.
+
+**Monitor:** If maubot plugins fail to build, may need adjustment.
+
+## systemd
+
+**Change:** cgroup v1 considered obsolete. `systemd.enableUnifiedCgroupHierarchy` option removed.
+
+**Impact:** NONE - we use cgroup v2 (default).
+
+## ACME / Let's Encrypt
+
+**Change:** No breaking changes.
+
+## Pre-Upgrade Checklist
+
+- [ ] Pin PostgreSQL to v15 (task 7qg)
+- [ ] Take verified backup (task asi) - **DONE: B2 backups operational**
+- [ ] Review Forgejo 8.0/9.0 release notes for database migrations
+- [ ] Note current NixOS generation number for rollback
+- [ ] Test upgrade in VM if possible
+
+## Sources
+
+- [NixOS 24.11 Release Notes](https://nixos.org/manual/nixos/stable/release-notes)
+- [NixOS 24.11 Announcement](https://nixos.org/blog/announcements/2024/nixos-2411/)
+- [nixpkgs release notes source](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md)
+- [conduwuit deprecation PR](https://github.com/NixOS/nixpkgs/pull/397902)