Pin NixOS service versions via nixpkgs-services overlay (#321)

## Summary - Add `nixpkgs-services` flake input pinned to a specific nixpkgs commit, with an overlay that pulls `forgejo-runner`, `snowflake`, and `k3s` from it instead of the rolling `nixpkgs` - Dagger `flake-update` pipeline now excludes `nixpkgs-services` via `--exclude` - Fix stale nix-container-builder version in service-versions.yaml (was 12.6.4, actually running 12.7.2) - Add k3s and minikube to service-versions.yaml tracking - Document the pinning approach in review-services how-to and ringtail reference ## Motivation During service review, discovered that flake updates had silently upgraded forgejo-runner from 12.6.4 → 12.7.2 without updating service-versions.yaml. This "sneak-in upgrade" bypasses the service review process. The overlay ensures these three services only change versions deliberately. ## Test plan - [ ] Verify `nix flake update` from `nixos/ringtail/` does not change `nixpkgs-services` lock entry - [ ] Verify `mise run provision-ringtail` builds successfully with the overlay - [ ] Confirm running service versions unchanged after deploy 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #321
2026-04-01 21:37:57 -07:00 · 2026-04-01 21:37:57 -07:00 · a18a424866
commit a18a424866
parent cfbf4cadbd
9 changed files with 91 additions and 10 deletions
--- a/nixos/ringtail/flake.nix
+++ b/nixos/ringtail/flake.nix
@ -3,6 +3,12 @@

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+
+    # Pinned nixpkgs for versioned services (forgejo-runner, snowflake, k3s).
+    # Update this deliberately during service reviews, not via `nix flake update`.
+    # Current versions: forgejo-runner 12.7.2, snowflake 2.11.0, k3s 1.34.5+k3s1
+    nixpkgs-services.url = "github:NixOS/nixpkgs/1073dad219cb244572b74da2b20c7fe39cb3fa9e";
+
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
@ -13,7 +19,7 @@
    };
  };

-  outputs = { nixpkgs, disko, home-manager, ... }: {
+  outputs = { nixpkgs, nixpkgs-services, disko, home-manager, ... }: {
    nixosConfigurations.ringtail = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
@ -22,6 +28,18 @@
        ./disk-config.nix
        ./hardware-configuration.nix
        ./configuration.nix
+        # Pin versioned services to nixpkgs-services instead of the rolling nixpkgs.
+        # This prevents `nix flake update nixpkgs` from silently upgrading them.
+        # Bump nixpkgs-services explicitly during service reviews.
+        ({ ... }: {
+          nixpkgs.overlays = [
+            (final: prev: let svcPkgs = nixpkgs-services.legacyPackages.x86_64-linux; in {
+              forgejo-runner = svcPkgs.forgejo-runner;
+              snowflake = svcPkgs.snowflake;
+              k3s = svcPkgs.k3s;
+            })
+          ];
+        })
      ];
    };
  };