92d7646d52
- Remove beads from VPS deployment (kept locally for dev workflow) - Add slack-bot-token and slack-app-token secrets with devs group access - Remove dead acme-email secret reference - Increase egress limits from 30/min to 150/min (burst 60→300) - Change egress blocking from REJECT to DROP for better app behavior - Add egress-status script for user self-diagnosis - Update dev-slack-direct.md with new /run/secrets access patterns 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
79 lines
2.4 KiB
Nix
79 lines
2.4 KiB
Nix
{
|
|
description = "ops-jrz1 NixOS server configuration with Matrix platform";
|
|
|
|
inputs = {
|
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
|
|
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
|
|
|
sops-nix = {
|
|
url = "github:Mic92/sops-nix/c2ea1186c0cbfa4d06d406ae50f3e4b085ddc9b3"; # Pin to June 2024 version compatible with nixpkgs 24.05
|
|
inputs.nixpkgs.follows = "nixpkgs";
|
|
};
|
|
|
|
opencode = {
|
|
url = "github:sst/opencode/f6fe709f6ee75427ba64829af25b64d9a3111569";
|
|
inputs.nixpkgs.follows = "nixpkgs-unstable";
|
|
};
|
|
};
|
|
|
|
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, ... }@inputs:
|
|
let
|
|
system = "x86_64-linux";
|
|
in {
|
|
# Pre-deploy checks: nix flake check
|
|
checks.${system} = {
|
|
# Verify production config evaluates and builds
|
|
ops-jrz1-config = self.nixosConfigurations.ops-jrz1.config.system.build.toplevel;
|
|
|
|
# Verify VM config evaluates (lighter weight)
|
|
ops-jrz1-vm-config = self.nixosConfigurations.ops-jrz1-vm.config.system.build.toplevel;
|
|
};
|
|
|
|
nixosConfigurations = {
|
|
# Production configuration (for actual VPS deployment)
|
|
ops-jrz1 = nixpkgs.lib.nixosSystem {
|
|
system = "x86_64-linux";
|
|
specialArgs = {
|
|
pkgs-unstable = import nixpkgs-unstable {
|
|
system = "x86_64-linux";
|
|
config = {
|
|
allowUnfree = true;
|
|
permittedInsecurePackages = [
|
|
"olm-3.2.16" # Required by mautrix bridges
|
|
];
|
|
};
|
|
};
|
|
opencode = inputs.opencode.packages.x86_64-linux.default;
|
|
};
|
|
modules = [
|
|
./configuration.nix
|
|
./hosts/ops-jrz1.nix
|
|
sops-nix.nixosModules.sops
|
|
];
|
|
};
|
|
|
|
# VM testing configuration (for local validation before deployment)
|
|
ops-jrz1-vm = nixpkgs.lib.nixosSystem {
|
|
system = "x86_64-linux";
|
|
specialArgs = {
|
|
pkgs-unstable = import nixpkgs-unstable {
|
|
system = "x86_64-linux";
|
|
config = {
|
|
allowUnfree = true;
|
|
permittedInsecurePackages = [
|
|
"olm-3.2.16" # Required by mautrix bridges (VM testing only)
|
|
];
|
|
};
|
|
};
|
|
opencode = inputs.opencode.packages.x86_64-linux.default;
|
|
};
|
|
modules = [
|
|
./configuration.nix
|
|
./hosts/ops-jrz1-vm.nix
|
|
# Note: No sops-nix for VM testing
|
|
];
|
|
};
|
|
};
|
|
};
|
|
}
|