Pin NixOS service versions via nixpkgs-services overlay #321

Merged
eblume merged 3 commits from pin-nixos-service-versions into main 2026-04-01 21:37:58 -07:00

Summary

  • Add nixpkgs-services flake input pinned to a specific nixpkgs commit, with an overlay that pulls forgejo-runner, snowflake, and k3s from it instead of the rolling nixpkgs
  • Dagger flake-update pipeline now excludes nixpkgs-services via --exclude
  • Fix stale nix-container-builder version in service-versions.yaml (was 12.6.4, actually running 12.7.2)
  • Add k3s and minikube to service-versions.yaml tracking
  • Document the pinning approach in review-services how-to and ringtail reference

Motivation

During service review, discovered that flake updates had silently upgraded forgejo-runner from 12.6.4 → 12.7.2 without updating service-versions.yaml. This "sneak-in upgrade" bypasses the service review process. The overlay ensures these three services only change versions deliberately.

Test plan

  • Verify nix flake update from nixos/ringtail/ does not change nixpkgs-services lock entry
  • Verify mise run provision-ringtail builds successfully with the overlay
  • Confirm running service versions unchanged after deploy

🤖 Generated with Claude Code

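As an added illustration of the pinning approach described in this PR (an example flake written for this page, not the repository's own code): a `nixpkgs-services` input sits beside the rolling `nixpkgs`, and an overlay substitutes the three reviewed packages from the frozen input. The commit placeholder, the `x86_64-linux` system and the `ringtail` module path are assumptions.

```nix
{
  description = "Example: pin selected service packages to a fixed nixpkgs commit";

  inputs = {
    # Rolling channel; updated by the regular flake-update job.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

    # Frozen nixpkgs used only for the reviewed services. It starts on the
    # same commit as nixpkgs and is bumped only by hand after a version review.
    # REPLACE-WITH-REVIEWED-COMMIT is a placeholder for the full commit hash.
    nixpkgs-services.url = "github:NixOS/nixpkgs/REPLACE-WITH-REVIEWED-COMMIT";
  };

  outputs = { self, nixpkgs, nixpkgs-services, ... }:
    let
      system = "x86_64-linux";

      # Packages whose versions may only change through a deliberate bump of
      # the nixpkgs-services input (list taken from the PR summary).
      pinnedServices = [ "forgejo-runner" "snowflake" "k3s" ];

      # Overlay: for each pinned name, replace the package from the rolling
      # nixpkgs with the one from the frozen input, built for the same system,
      # so services.k3s.package and friends resolve to the reviewed version.
      servicesOverlay = final: prev:
        let
          frozen = nixpkgs-services.legacyPackages.${prev.stdenv.hostPlatform.system};
        in
        nixpkgs.lib.genAttrs pinnedServices (name: frozen.${name});
    in
    {
      overlays.services = servicesOverlay;

      nixosConfigurations.ringtail = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
          { nixpkgs.overlays = [ servicesOverlay ]; }
          ./hosts/ringtail/configuration.nix   # assumed path to the host config
        ];
      };
    };
}
```

Since the regular update job must skip this input, the test-plan check is to compare the `nixpkgs-services` node in `flake.lock` before and after an update: its locked `rev` should not change, while the `nixpkgs` node may.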
Discovered during service review that nix-container-builder was running
12.7.2 but service-versions.yaml said 12.6.4 — flake updates had silently
upgraded it. Add a nixpkgs-services flake input pinned to a specific
nixpkgs commit, with an overlay that pulls forgejo-runner, snowflake, and
k3s from it. The Dagger flake-update pipeline now excludes this input.

Also adds k3s and minikube to service-versions.yaml tracking.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Authentik's frontend uses content-hashed JS chunks, but the HTML pages
that reference them had no Cache-Control headers. When the server
restarts with new chunk hashes, browsers serve stale cached HTML that
404s on old chunk names, showing a throbber instead of the login form.

Set Cache-Control: no-cache on /if/* (HTML flow pages) so browsers
always revalidate, and Cache-Control: immutable on /static/dist/*
(hashed assets) for efficient caching. Adds a reusable `cache_policy:
spa` option to caddy_services.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Generated by `nix flake lock` — adds the nixpkgs-services input
(pinned to the same nixpkgs commit) for the service version overlay.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
eblume merged commit a18a424866 into main 2026-04-01 21:37:58 -07:00
Reference
eblume/blumeops!321