- nixpkgs: 24.05 (Dec 2024) → 24.11 (Jun 2025) - sops-nix: unpinned (now follows nixpkgs) - nixpkgs-unstable: Dec 2025 → Jan 2026 Key version changes: - PostgreSQL 15.10 → 15.13 (pinned to v15) - Forgejo 7.0.12 → 7.0.15 LTS - Matrix-continuwuity 0.5.0-rc → 0.5.1 stable - maubot 0.4.2 → 0.5.0 - systemd 255 → 256 Build verified, deployment in separate task. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
{
|
|
description = "ops-jrz1 NixOS server configuration with Matrix platform";
|
|
|
|
inputs = {
|
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
|
|
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
|
|
|
sops-nix = {
|
|
url = "github:Mic92/sops-nix";
|
|
inputs.nixpkgs.follows = "nixpkgs";
|
|
};
|
|
|
|
opencode = {
|
|
url = "github:sst/opencode/f6fe709f6ee75427ba64829af25b64d9a3111569";
|
|
inputs.nixpkgs.follows = "nixpkgs-unstable";
|
|
};
|
|
};
|
|
|
|
outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, ... }@inputs:
|
|
let
|
|
system = "x86_64-linux";
|
|
pkgs = import nixpkgs { inherit system; };
|
|
pkgs-unstable = import nixpkgs-unstable {
|
|
inherit system;
|
|
config = {
|
|
allowUnfree = true;
|
|
permittedInsecurePackages = [ "olm-3.2.16" ];
|
|
};
|
|
};
|
|
opencode = inputs.opencode.packages.${system}.default;
|
|
in {
|
|
# Pre-deploy checks: nix flake check
|
|
checks.${system} = {
|
|
# Verify production config evaluates and builds
|
|
ops-jrz1-config = self.nixosConfigurations.ops-jrz1.config.system.build.toplevel;
|
|
|
|
# Verify VM config evaluates (lighter weight)
|
|
ops-jrz1-vm-config = self.nixosConfigurations.ops-jrz1-vm.config.system.build.toplevel;
|
|
|
|
# Shell script linting (errors and warnings)
|
|
shellcheck = pkgs.runCommand "shellcheck-scripts" {
|
|
nativeBuildInputs = [ pkgs.shellcheck ];
|
|
src = ./scripts;
|
|
} ''
|
|
cd $src
|
|
shellcheck *.sh killswitch cpu-watchdog egress-watchdog egress-status
|
|
touch $out
|
|
'';
|
|
|
|
# VM integration test - boots VM and verifies services
|
|
vm-integration = import ./tests/vm-integration.nix {
|
|
inherit pkgs pkgs-unstable opencode;
|
|
};
|
|
};
|
|
|
|
nixosConfigurations = {
|
|
# Production configuration (for actual VPS deployment)
|
|
ops-jrz1 = nixpkgs.lib.nixosSystem {
|
|
system = "x86_64-linux";
|
|
specialArgs = {
|
|
pkgs-unstable = import nixpkgs-unstable {
|
|
system = "x86_64-linux";
|
|
config = {
|
|
allowUnfree = true;
|
|
permittedInsecurePackages = [
|
|
"olm-3.2.16" # Required by mautrix bridges
|
|
];
|
|
};
|
|
};
|
|
opencode = inputs.opencode.packages.x86_64-linux.default;
|
|
};
|
|
modules = [
|
|
./configuration.nix
|
|
./hosts/ops-jrz1.nix
|
|
sops-nix.nixosModules.sops
|
|
];
|
|
};
|
|
|
|
# VM testing configuration (for local validation before deployment)
|
|
ops-jrz1-vm = nixpkgs.lib.nixosSystem {
|
|
system = "x86_64-linux";
|
|
specialArgs = {
|
|
pkgs-unstable = import nixpkgs-unstable {
|
|
system = "x86_64-linux";
|
|
config = {
|
|
allowUnfree = true;
|
|
permittedInsecurePackages = [
|
|
"olm-3.2.16" # Required by mautrix bridges (VM testing only)
|
|
];
|
|
};
|
|
};
|
|
opencode = inputs.opencode.packages.x86_64-linux.default;
|
|
};
|
|
modules = [
|
|
./configuration.nix
|
|
./hosts/ops-jrz1-vm.nix
|
|
# Note: No sops-nix for VM testing
|
|
];
|
|
};
|
|
};
|
|
};
|
|
}
|
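Review bot: The `permittedInsecurePackages` allowlist for `olm-3.2.16` is declared three times — in the `let`-bound `pkgs-unstable` near the top of `outputs`, and again inside the `specialArgs` of both `ops-jrz1` and `ops-jrz1-vm` — and the production copy carries no qualifier while the VM copy says "(VM testing only)", so the comments already disagree about where the exemption applies. Each copy bypasses nixpkgs's insecure-package gate on its own, so tightening or dropping one later will not touch the others, and the `checks` attribute can build against a different package set than the one the deployed system is evaluated with. Both configurations can pass the set that is already constructed instead: `specialArgs = { inherit pkgs-unstable opencode; };`, leaving one allowlist to justify in place, e.g. `# olm-3.2.16 is flagged insecure by nixpkgs; accepted because the mautrix bridges require it — re-check on each nixpkgs-unstable bump`. The repeated `"x86_64-linux"` literals in both `nixosSystem` calls can likewise use the `system` binding from the same `let`.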