Pin NixOS service versions via nixpkgs-services overlay #321

Merged
eblume merged 3 commits from pin-nixos-service-versions into main 2026-04-01 21:37:58 -07:00

Author SHA1 Message Date
264e057e57 Add nixpkgs-services to flake.lock
Generated by `nix flake lock` — adds the nixpkgs-services input
(pinned to the same nixpkgs commit) for the service version overlay.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 21:36:09 -07:00
696bc49290 Add SPA cache policy for authentik in Caddy
Authentik's frontend uses content-hashed JS chunks, but the HTML pages
that reference them had no Cache-Control headers. When the server
restarts with new chunk hashes, browsers serve stale cached HTML that
404s on old chunk names, showing a throbber instead of the login form.

Set Cache-Control: no-cache on /if/* (HTML flow pages) so browsers
always revalidate, and Cache-Control: immutable on /static/dist/*
(hashed assets) for efficient caching. Adds a reusable `cache_policy:
spa` option to caddy_services.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 21:28:28 -07:00
a890bcc882 Pin NixOS service versions via nixpkgs-services overlay
Discovered during service review that nix-container-builder was running
12.7.2 but service-versions.yaml said 12.6.4 — flake updates had silently
upgraded it. Add a nixpkgs-services flake input pinned to a specific
nixpkgs commit, with an overlay that pulls forgejo-runner, snowflake, and
k3s from it. The Dagger flake-update pipeline now excludes this input.

Also adds k3s and minikube to service-versions.yaml tracking.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 21:12:38 -07:00
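
A CI guard for the pin described in a890bcc882, as an added example that is not part of this PR or the repository: it compares the flake.lock from before and after a flake update and reports if the nixpkgs-services input moved. The function names, the PINNED_INPUTS tuple and the sample lock contents (placeholder revs and hashes) are assumptions made for the example.

```python
import json

PINNED_INPUTS = ("nixpkgs-services",)  # input name from the PR; this tuple is the example's own

def locked_inputs(lock_text):
    """Map each root input name to its locked (rev, narHash) from flake.lock JSON."""
    lock = json.loads(lock_text)
    nodes = lock["nodes"]
    root_inputs = nodes[lock["root"]].get("inputs", {})
    result = {}
    for name, target in root_inputs.items():
        if not isinstance(target, str):
            continue  # a list is a "follows" path, which has no lock entry of its own
        locked = nodes[target].get("locked", {})
        result[name] = (locked.get("rev"), locked.get("narHash"))
    return result

def pin_violations(old_lock, new_lock, pinned=PINNED_INPUTS):
    """Return messages for pinned inputs that are missing, unlocked or changed."""
    old, new = locked_inputs(old_lock), locked_inputs(new_lock)
    problems = []
    for name in pinned:
        if name not in new or None in new[name]:
            problems.append(f"{name}: missing or not locked in new flake.lock")
        elif name in old and old[name] != new[name]:
            problems.append(f"{name}: rev moved {old[name][0]} -> {new[name][0]}")
    return problems

def _sample_lock(nixpkgs_rev, services_rev):
    """Constructed flake.lock with placeholder revs and hashes (not from the repo)."""
    def node(rev):
        return {"locked": {"type": "github", "owner": "NixOS", "repo": "nixpkgs",
                           "rev": rev, "narHash": "sha256-PLACEHOLDER-" + rev}}
    return json.dumps({"version": 7, "root": "root", "nodes": {
        "root": {"inputs": {"nixpkgs": "nixpkgs", "nixpkgs-services": "nixpkgs-services"}},
        "nixpkgs": node(nixpkgs_rev),
        "nixpkgs-services": node(services_rev)}})

BEFORE = _sample_lock("aaaa111", "aaaa111")       # both inputs on the same commit
GOOD_UPDATE = _sample_lock("bbbb222", "aaaa111")  # only nixpkgs advanced
BAD_UPDATE = _sample_lock("bbbb222", "bbbb222")   # pinned input was bumped too

if __name__ == "__main__":
    for label, after in (("good", GOOD_UPDATE), ("bad", BAD_UPDATE)):
        print(label, pin_violations(BEFORE, after) or "pin intact")
```

Run against the lock file from the base branch and the one produced by the update job, a non-empty result is the signal to fail the pipeline before the silently upgraded service reaches a host.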