- Created musiclink repo on Forgejo
- Added dan's devserver SSH key to Forgejo
- Switched musiclink flake input from local path to git+ssh
- Updated musiclink testing room config in modules/musiclink.nix
- Add backup-b2-failed oneshot for OnFailure notification
- Add onFailure handler to both backup-b2 and backup-b2-check
- Add network-online.target dependency to backup-b2-check
- Add TimeoutStartSec (2h for backup, 1h for check)
Found via ops-review lenses.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Prevents automatic upgrade to PostgreSQL 16 when upgrading NixOS.
This allows a safer two-step approach: upgrade NixOS first, then
pg_upgrade later.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Closes r177. Critical DR gap - user home directories and ACME
certificates were not being backed up.
Excludes common caches that can be rebuilt:
- .cache, .npm/_cacache, .bun/install/cache
- node_modules, .nix-profile, .nix-defexpr
- Trash
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
ssh-hardening.nix had fatal bugs:
- UsePAM=false breaks NixOS SSH auth
- Protocol=2 deprecated, crashes modern sshd
- AllowUsers defaulted to ["admin"], locks out all users
Partial fixes applied but module still unsafe to enable.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changes:
- Fix nginx proxy_pass directives to use 127.0.0.1 instead of localhost
- Fix bridge homeserverUrl to use explicit IPv4 address
- Enable debug logging on conduwuit
- Add spec-kit framework files to .gitignore
- Document deployment in comprehensive worklog
Resolves connection refused errors from localhost resolving to IPv6 [::1]
while services bind only to IPv4 127.0.0.1. Bridge now fully operational
with bidirectional Slack-Matrix message flow working.
Matrix packages (mautrix-*, matrix-continuwuity) only exist in
nixpkgs-unstable, not in nixpkgs 24.05 stable. This commit updates
all module defaults and references to use pkgs-unstable.
Changes:
- Add pkgs-unstable to module function signatures (4 modules)
- Update package option defaults from pkgs.* to pkgs-unstable.*
- Configure pkgs-unstable in flake.nix to permit olm-3.2.16
- Add VM config permittedInsecurePackages for olm (mautrix dependency)
The olm library is deprecated with known CVEs but required by mautrix
bridges. This is acceptable for testing; production should migrate to
newer cryptography implementations when available.
This maintains our stable base system (NixOS 24.05) while using
unstable only for Matrix ecosystem packages under active development.
