Upgrade to NixOS 26.05 #142

Open
opened 2026-06-24 11:36:12 +00:00 by fabianhauser · 0 comments
Owner

Upgrade the infrastructure flake from NixOS 25.11 to 26.05.

TODO

  • update resolved configuration structure

Flake / state

  • Bump nixpkgs input to nixos-26.05 and update flake.lock; confirm srvos, sops-nix, disko, deploy-rs, treefmt-nix, git-hooks-nix still build/follow
  • Bump per-host system.stateVersion to "26.05" and review impact — we explicitly pin the version-sensitive services (postgresql_14/postgresql_15, nextcloud33) so those won't auto-migrate; verify no other state-dependent default changes in a breaking way

srvos

  • Re-validate srvos.nixosModules.server against 26.05; confirm the 3 overrides are still needed/correct (networking.useNetworkd, services.userborn.enable, boot.initrd.systemd.enable)
  • boot.initrd.systemd.enable = false: keep for now — our luks-ssh remote-unlock relies on the scripted initrd (network.udhcpc, network.ssh, cryptsetup-askpass). 26.05 still supports scripted initrd, but track migrating luks-ssh to systemd initrd (systemd-networkd + systemd-ask-password) as separate future work
  • Check srvos main for new mkDefault defaults that overlap our SSH/nix/security config

Services in use

  • Forgejo (pkgs.forgejo): major bump in 26.05 (forgejo-lts → v15) — review breaking changes + DB migration in release notes
  • PostgreSQL: confirm postgresql_14 (Nextcloud) and postgresql_15 still present in 26.05; pg14 nears EOL — plan DB major upgrade if dropped
  • Telegraf/Prometheus: verify inputs/options vs srvos mixins-telegraf
  • Vaultwarden: verify package/options
  • Headscale / Tailscale (vpn-server, vpn-exit-node): verify policy/option compatibility

Networking

  • systemd-resolved / networkd / firewall: check option changes
Reference
qo.is/infrastructure#142