Remove redundant olm permission from VM config

VM imports configuration.nix which already has the permission.
Clarified comments explaining why both flake.nix and configuration.nix
need the permission (different pkgs sources).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

configuration.nix

@@ -174,9 +174,8 @@ in
     defaults.email = "dlei@duck.com";
   };
 
-  # Allow deprecated olm library for Matrix bridges
-  # Note: olm is deprecated with known CVEs but required by mautrix bridges
-  # This is necessary for Matrix bridge functionality until alternatives are available
+  # Allow deprecated olm library for Matrix bridges (maubot uses mautrix which needs olm)
+  # Note: Also permitted in flake.nix for pkgs-unstable (mautrix-slack)
   nixpkgs.config.permittedInsecurePackages = [
     "olm-3.2.16"
   ];

hosts/ops-jrz1-vm.nix

@@ -19,12 +19,7 @@
     # Note: Skip matrix-secrets for VM (no sops-nix in VM)
   ];
 
-  # Allow deprecated olm library for Matrix bridges (VM testing only)
-  # Note: olm is deprecated with known CVEs but required by mautrix bridges
-  # This is acceptable for local testing; production should migrate to newer crypto
-  nixpkgs.config.permittedInsecurePackages = [
-    "olm-3.2.16"
-  ];
+  # Note: olm-3.2.16 is permitted in flake.nix where pkgs-unstable is defined
 
   # VM-specific settings
   networking.hostName = "ops-jrz1-vm";