chore(deps): lock file maintenance

The default config for automatic ACME no longer works in Caddy <2.8.0.
This is due to changes with ZeroSSL's auth. Update to unstable Caddy
which is new enough to renew certs again.

Context: https://github.com/caddyserver/caddy/releases/tag/v2.8.0

Add `pkgs.unstable` as an overlay as recommended on the NixOS wiki. This
is needed here as Caddy must be runnable on all architectures.

darwin/jakehillion-mba-m2-15/configuration.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+{
+  config = {
+    system.stateVersion = 4;
+
+    networking.hostName = "jakehillion-mba-m2-15";
+
+    nix = {
+      useDaemon = true;
+    };
+
+    programs.zsh.enable = true;
+
+    security.pam.enableSudoTouchIdAuth = true;
+
+    environment.systemPackages = with pkgs; [
+      htop
+      mosh
+      neovim
+      nix
+    ];
+  };
+}

flake.lock

@@ -2,7 +2,9 @@
   "nodes": {
     "agenix": {
       "inputs": {
-        "darwin": "darwin",
+        "darwin": [
+          "darwin"
+        ],
         "home-manager": [
           "home-manager"
         ],
@@ -28,21 +30,19 @@
     "darwin": {
       "inputs": {
         "nixpkgs": [
-          "agenix",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1700795494,
-        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "lastModified": 1725189302,
+        "narHash": "sha256-IhXok/kwQqtusPsoguQLCHA+h6gKvgdCrkhIaN+kByA=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "rev": "7c4b53a7d9f3a3df902b3fddf2ae245ef20ebcda",
         "type": "github"
       },
       "original": {
         "owner": "lnl7",
-        "ref": "master",
         "repo": "nix-darwin",
         "type": "github"
       }
@@ -93,11 +93,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1724435763,
-        "narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=",
+        "lastModified": 1725180166,
+        "narHash": "sha256-fzssXuGR/mCeGbzM1ExaTqDz7QDGta3WA4jJsZyRruo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be",
+        "rev": "471e3eb0a114265bcd62d11d58ba8d3421ee68eb",
         "type": "github"
       },
       "original": {
@@ -124,11 +124,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1724878143,
-        "narHash": "sha256-UjpKo92iZ25M05kgSOw/Ti6VZwpgdlOa73zHj8OcaDk=",
+        "lastModified": 1725477728,
+        "narHash": "sha256-ahej1VRqKmWbG7gewty+GlrSBEeGY/J2Zy8Nt8+3fdg=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "95c3dfe6ef2e96ddc1ccdd7194e3cda02ca9a8ef",
+        "rev": "880be1ab837e1e9fe0449dae41ac4d034694d4ce",
         "type": "github"
       },
       "original": {
@@ -139,11 +139,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1724855419,
-        "narHash": "sha256-WXHSyOF4nBX0cvHN3DfmEMcLOVdKH6tnMk9FQ8wTNRc=",
+        "lastModified": 1725001927,
+        "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ae2fc9e0e42caaf3f068c1bfdc11c71734125e06",
+        "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421",
         "type": "github"
       },
       "original": {
@@ -155,11 +155,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1724819573,
-        "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=",
+        "lastModified": 1725103162,
+        "narHash": "sha256-Ym04C5+qovuQDYL/rKWSR+WESseQBbNAe5DsXNx5trY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "71e91c409d1e654808b2621f28a327acfdad8dc2",
+        "rev": "12228ff1752d7b7624a54e9c1af4b222b3c1073b",
         "type": "github"
       },
       "original": {
@@ -172,6 +172,7 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "darwin": "darwin",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
         "home-manager-unstable": "home-manager-unstable",

flake.nix

@@ -7,8 +7,12 @@
 
     flake-utils.url = "github:numtide/flake-utils";
 
+    darwin.url = "github:lnl7/nix-darwin";
+    darwin.inputs.nixpkgs.follows = "nixpkgs";
+
     agenix.url = "github:ryantm/agenix";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.inputs.darwin.follows = "darwin";
     agenix.inputs.home-manager.follows = "home-manager";
 
     home-manager.url = "github:nix-community/home-manager/release-24.05";
@@ -21,47 +25,67 @@
 
   description = "Hillion Nix flake";
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, impermanence, ... }@inputs: {
-    nixosConfigurations =
-      let
-        fqdns = builtins.attrNames (builtins.readDir ./hosts);
-        getSystemOverlays = system: nixpkgsConfig: [
-          (final: prev: {
-            "storj" = final.callPackage ./pkgs/storj.nix { };
-          })
-        ];
-        mkHost = fqdn:
-          let
-            system = builtins.readFile ./hosts/${fqdn}/system;
-            func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
-            home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
-          in
-          func {
-            inherit system;
-            specialArgs = inputs;
-            modules = [
-              ./hosts/${fqdn}/default.nix
-              ./modules/default.nix
+  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-hardware, flake-utils, agenix, home-manager, home-manager-unstable, darwin, impermanence, ... }@inputs:
+    let
+      getSystemOverlays = system: nixpkgsConfig: [
+        (final: prev: {
+          unstable = nixpkgs-unstable.legacyPackages.${prev.system};
+          "storj" = final.callPackage ./pkgs/storj.nix { };
+        })
+      ];
+    in
+    {
+      nixosConfigurations =
+        let
+          fqdns = builtins.attrNames (builtins.readDir ./hosts);
+          mkHost = fqdn:
+            let
+              system = builtins.readFile ./hosts/${fqdn}/system;
+              func = if builtins.pathExists ./hosts/${fqdn}/unstable then nixpkgs-unstable.lib.nixosSystem else nixpkgs.lib.nixosSystem;
+              home-manager-pick = if builtins.pathExists ./hosts/${fqdn}/unstable then home-manager-unstable else home-manager;
+            in
+            func {
+              inherit system;
+              specialArgs = inputs;
+              modules = [
+                ./hosts/${fqdn}/default.nix
+                ./modules/default.nix
 
-              agenix.nixosModules.default
-              impermanence.nixosModules.impermanence
+                agenix.nixosModules.default
+                impermanence.nixosModules.impermanence
 
-              home-manager-pick.nixosModules.default
-              {
-                home-manager.sharedModules = [
-                  impermanence.nixosModules.home-manager.impermanence
-                ];
-              }
+                home-manager-pick.nixosModules.default
+                {
+                  home-manager.sharedModules = [
+                    impermanence.nixosModules.home-manager.impermanence
+                  ];
+                }
 
-              ({ config, ... }: {
-                system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
-                nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
-              })
-            ];
-          };
-      in
-      nixpkgs.lib.genAttrs fqdns mkHost;
-  } // flake-utils.lib.eachDefaultSystem (system: {
-    formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
-  });
+                ({ config, ... }: {
+                  system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
+                  nixpkgs.overlays = getSystemOverlays config.nixpkgs.hostPlatform.system config.nixpkgs.config;
+                })
+              ];
+            };
+        in
+        nixpkgs.lib.genAttrs fqdns mkHost;
+
+      darwinConfigurations = {
+        jakehillion-mba-m2-15 = darwin.lib.darwinSystem {
+          system = "aarch64-darwin";
+          specialArgs = inputs;
+
+          modules = [
+            ./darwin/jakehillion-mba-m2-15/configuration.nix
+
+            ({ config, ... }: {
+              nixpkgs.overlays = getSystemOverlays "aarch64-darwin" config.nixpkgs.config;
+            })
+          ];
+        };
+      };
+
+    } // flake-utils.lib.eachDefaultSystem (system: {
+      formatter = nixpkgs.legacyPackages.${system}.nixpkgs-fmt;
+    });
 }

hosts/sodium.pop.ts.hillion.co.uk/default.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, nixpkgs-unstable, lib, nixos-hardware, ... }:
+{ config, pkgs, lib, nixos-hardware, ... }:
 
 {
   imports = [

modules/impermanence.nix

@@ -60,6 +60,7 @@ in
           (lib.lists.optional config.custom.services.unifi.enable "/var/lib/unifi") ++
           (lib.lists.optional (config.virtualisation.oci-containers.containers != { }) "/var/lib/containers") ++
           (lib.lists.optional config.services.tang.enable "/var/lib/private/tang") ++
+          (lib.lists.optional config.services.caddy.enable "/var/lib/caddy") ++
           (lib.lists.optional config.services.step-ca.enable "/var/lib/step-ca/db");
         };
       }

modules/resilio.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, config, nixpkgs-unstable, ... }:
+{ pkgs, lib, config, ... }:
 
 let
   cfg = config.custom.resilio;

modules/services/gitea/gitea.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, nixpkgs-unstable, ... }:
+{ config, pkgs, lib, ... }:
 
 let
   cfg = config.custom.services.gitea;
@@ -55,7 +55,7 @@ in
 
     services.gitea = {
       enable = true;
-      package = nixpkgs-unstable.legacyPackages.x86_64-linux.gitea;
+      package = pkgs.unstable.gitea;
       mailerPasswordFile = config.age.secrets."gitea/mailer_password".path;
 
       appName = "Hillion Gitea";

modules/www/global.nix

@@ -33,6 +33,11 @@ in
 
     services.caddy = {
       enable = true;
+      package = pkgs.unstable.caddy;
+
+      globalConfig = ''
+        email acme@hillion.co.uk
+      '';
 
       virtualHosts = {
         "hillion.co.uk".extraConfig = ''